Detection of CMD Execution via AnyViewer RMM

Detects cmd shell execution via AnyViewer RMM agent on remote management sessions.

Sigma rule

```yaml
title: Detection of CMD Execution via AnyViewer RMM
id: bc533330-fc29-44c0-b245-7dc6e5939c87
status: experimental
description: Detects cmd shell execution via AnyViewer RMM agent on remote management sessions.
references:
  - https://www.anyviewer.com/help/remote-technical-support.html
author: '@kostastsale'
date: 2024/08/03
tags:
  - attack.execution
  - attack.persistence
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\cmd.exe'
    ParentImage|endswith:
      - '\AVCore.exe'
    ParentCommandLine|contains|all:
      - 'AVCore.exe" -d'
  condition: selection
falsepositives:
  - Legitimate use for admin activity.
level: medium
```
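To show how the selection above behaves on real-looking telemetry, here is an added example (not part of the rule or the Sigma project) that re-implements its `endswith`, `contains` and `|all` matching in Python and runs it over three constructed process_creation events: the AnyViewer remote-session case the rule targets, an ordinary Explorer-launched cmd.exe, and an AVCore.exe parent without the `-d` switch.

```python
# Added example: the rule's selection logic from above, re-implemented as plain
# Python and run over constructed process_creation events (not real telemetry).
SELECTION = {
    "Image|endswith": ["\\cmd.exe"],
    "ParentImage|endswith": ["\\AVCore.exe"],
    "ParentCommandLine|contains|all": ['AVCore.exe" -d'],
}

# Constructed sample events shaped like Sysmon EventID 1 / process_creation records.
SAMPLE_EVENTS = [
    {   # cmd.exe spawned by the AnyViewer agent in a remote session (-d): should alert
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Program Files\AnyViewer\AVCore.exe",
        "ParentCommandLine": r'"C:\Program Files\AnyViewer\AVCore.exe" -d',
    },
    {   # cmd.exe from Explorer: ordinary user activity, no alert
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\explorer.exe",
    },
    {   # AVCore.exe parent without the -d switch: not the remote-session pattern
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Program Files\AnyViewer\AVCore.exe",
        "ParentCommandLine": r'"C:\Program Files\AnyViewer\AVCore.exe" -update',
    },
]

def field_matches(value, modifiers, patterns):
    """Apply one Sigma modifier chain; string matching is case-insensitive,
    list values are OR'd unless the |all modifier is present."""
    v = value.lower()
    op = modifiers[0] if modifiers else "equals"
    ops = {"equals": lambda p: v == p, "endswith": v.endswith,
           "startswith": v.startswith, "contains": lambda p: p in v}
    results = [ops[op](p.lower()) for p in patterns]
    return all(results) if "all" in modifiers else any(results)

def selection_matches(event, selection=SELECTION):
    """Fields inside one selection map are AND'd, as in Sigma."""
    for key, patterns in selection.items():
        field, *modifiers = key.split("|")
        if field not in event or not field_matches(event[field], modifiers, patterns):
            return False
    return True

def run_rule(events):
    """Return the events the rule would alert on."""
    return [e for e in events if selection_matches(e)]
```

Only the first sample event is returned by `run_rule`, which also illustrates the rule's blind spot: an AVCore.exe parent started without the `-d` switch is deliberately excluded, so the `falsepositives` note about legitimate admin use applies to the remaining matches, not to every AnyViewer child process.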
