SplashTop Process

Detects use of SplashTop

Sigma rule

title: SplashTop Process
id: 20b92a34-13d8-4bf0-a6d6-8c4ea8fedd40
status: experimental
description: Detects use of SplashTop
author: _pete_0, TheDFIRReport
references:
  - https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/212724303-Why-does-the-Splashtop-software-show-unable-to-reach-Splashtop-servers-
  - https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
date: 2022/05/06
modified: 2022/05/06
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Product|contains:
      - 'SplashTop'
    Description|contains:
      - 'SplashTop'
  condition: selection
falsepositives:
  - Legitimate SplashTop installation
level: high
tags:
  - attack.lateral_movement
  - attack.t1133
  - attack.command_and_control
  - attack.t1219
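
How the selection above evaluates, as an added example that is not part of the rule or of the Sigma project's code: both fields sit in one selection map, so both must match, and Sigma string matching is case-insensitive. The events, file paths and function names are constructed for illustration.

```python
# Added illustration: evaluates the rule's `selection` against constructed
# process_creation events. Not the Sigma project's own matcher.

# The rule's selection: each field maps to a list of substrings.
SELECTION = {
    "Product": ["SplashTop"],
    "Description": ["SplashTop"],
}


def field_contains(event, field, needles):
    """Sigma `|contains`: case-insensitive substring; list values are ORed."""
    value = event.get(field)
    if not isinstance(value, str):
        return False  # a missing or null field never matches
    haystack = value.lower()
    return any(needle.lower() in haystack for needle in needles)


def selection_matches(event, selection=SELECTION):
    """Fields inside one selection map are ANDed together."""
    return all(field_contains(event, field, needles)
               for field, needles in selection.items())


def matching_images(events):
    """Return the Image path of every event the selection fires on."""
    return [e["Image"] for e in events if selection_matches(e)]


# Constructed sample events; field names follow Sysmon Event ID 1.
EVENTS = [
    # Both version-info fields name the product (different casing): fires.
    {"Image": r"C:\Temp\streamer.exe", "Product": "Splashtop Streamer",
     "Description": "Splashtop Streamer Service"},
    # Description does not name the product: the AND fails, no alert.
    {"Image": r"C:\Temp\helper.exe", "Product": "Splashtop Streamer",
     "Description": "Update helper"},
    # Description field absent from the event: no alert.
    {"Image": r"C:\Temp\renamed.exe", "Product": "Splashtop Streamer"},
    # Unrelated process: no alert.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "Product": "Microsoft Windows Operating System",
     "Description": "Windows Command Processor"},
]

if __name__ == "__main__":
    for image in matching_images(EVENTS):
        print("ALERT (level: high):", image)
```

The second and third events show the coverage gap the AND creates: a binary whose version information names the product in only one of the two fields does not trigger the rule.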
