T1219 Remote Access Tools Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let RATProcessNames = dynamic([
  "teamviewer.exe", "teamviewer_service.exe",
  "anydesk.exe", "anydesk_service.exe",
  "screenconnect.exe", "screenconnectclient.exe", "connectwisecontrol.client.exe",
  "logmein.exe", "lmi_rescue.exe", "logmeinrescue.exe",
  "ammyyadmin.exe", "aa_v3.exe",
  "supremo.exe", "supremoservice.exe",
  "rustdesk.exe", "splashtop.exe", "splashtopremote.exe",
  "ateraagent.exe", "ninjaone.exe", "ninjaremote.exe",
  "simplehelp.exe", "dwrcs.exe", "dwrcst.exe",
  "tmate", "vnc.exe", "tvnserver.exe", "vncviewer.exe",
  "uvnc_service.exe", "winvnc.exe",
  "remotedesktopmanager.exe", "mstsc.exe",
  "chrome_remote_desktop.exe", "remote_assistance_host.exe"
]);
let RATNetworkDomains = dynamic([
  "teamviewer.com", "anydesk.com", "screenconnect.com", "connectwise.com",
  "logmein.com", "logmeinrescue.com", "ammyy.com",
  "supremo.com", "rustdesk.com", "splashtop.com",
  "atera.com", "ninjarmm.com", "simplehelp.com"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (RATProcessNames)
| extend IsService = InitiatingProcessFileName in~ ("services.exe", "svchost.exe")
| extend IsUserLaunched = InitiatingProcessFileName in~ ("explorer.exe", "cmd.exe", "powershell.exe")
| extend RATCategory = case(
    FileName has_any ("teamviewer", "anydesk", "screenconnect", "connectwise"), "Commercial RMM",
    FileName has_any ("vnc", "tvnserver", "winvnc", "uvnc"), "VNC",
    FileName has_any ("logmein", "lmi_rescue"), "LogMeIn",
    FileName has_any ("ammyy", "aa_v3"), "AmmyyAdmin",
    FileName has_any ("rustdesk", "splashtop", "supremo"), "Other RMM",
    FileName has_any ("atera", "ninja", "simplehelp", "dwrcs"), "MSP Tool",
    "Unknown")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         RATCategory, IsService, IsUserLaunched
| sort by Timestamp desc

medium severity high confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

IT helpdesk staff using approved RMM tools (TeamViewer, ScreenConnect) for legitimate remote support sessions during business hours
Managed Service Providers (MSPs) running Atera, NinjaOne, or ConnectWise agents as part of contracted IT management services
Software developers using VNC or RustDesk for legitimate remote access to lab environments or build servers
System administrators using DameWare Mini Remote Control for server management across data centers

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (Image="*\\teamviewer.exe" OR Image="*\\teamviewer_service.exe"
   OR Image="*\\anydesk.exe" OR Image="*\\anydesk_service.exe"
   OR Image="*\\screenconnect*.exe" OR Image="*\\connectwisecontrol*.exe"
   OR Image="*\\logmein.exe" OR Image="*\\lmi_rescue.exe"
   OR Image="*\\ammyyadmin.exe" OR Image="*\\aa_v3.exe"
   OR Image="*\\supremo.exe" OR Image="*\\supremoservice.exe"
   OR Image="*\\rustdesk.exe" OR Image="*\\splashtop*.exe"
   OR Image="*\\atera*.exe" OR Image="*\\ninja*.exe"
   OR Image="*\\simplehelp*.exe" OR Image="*\\dwrcs.exe" OR Image="*\\dwrcst.exe"
   OR Image="*\\vnc*.exe" OR Image="*\\tvnserver.exe" OR Image="*\\winvnc.exe"
   OR Image="*\\uvnc_service.exe" OR Image="*\\tmate")
| eval RATCategory=case(
    match(Image, "(?i)(teamviewer|anydesk|screenconnect|connectwise)"), "Commercial RMM",
    match(Image, "(?i)(vnc|tvnserver|winvnc|uvnc)"), "VNC",
    match(Image, "(?i)(logmein|lmi_rescue)"), "LogMeIn",
    match(Image, "(?i)(ammyy|aa_v3)"), "AmmyyAdmin",
    match(Image, "(?i)(rustdesk|splashtop|supremo)"), "Other RMM",
    match(Image, "(?i)(atera|ninja|simplehelp|dwrcs)"), "MSP Tool",
    1=1, "Unknown")
| eval IsService=if(match(ParentImage, "(?i)(services\.exe|svchost\.exe)"), "Yes", "No")
| eval IsUserLaunched=if(match(ParentImage, "(?i)(explorer\.exe|cmd\.exe|powershell\.exe)"), "Yes", "No")
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, RATCategory, IsService, IsUserLaunched
| sort - _time

medium severity high confidence

Data Sources

Process: Process Creation Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

IT helpdesk staff using approved RMM tools for legitimate remote support sessions during business hours
Managed Service Providers running authorized RMM agents as part of contracted IT management
Software developers using VNC for remote access to development or lab environments
System administrators using DameWare for routine server management tasks

Elastic Security (EQL)

eql

process where event.type == "start" and
  process.name : (
    "teamviewer.exe", "teamviewer_service.exe",
    "anydesk.exe", "anydesk_service.exe",
    "screenconnect.exe", "screenconnectclient.exe", "connectwisecontrol.client.exe",
    "logmein.exe", "lmi_rescue.exe", "logmeinrescue.exe",
    "ammyyadmin.exe", "aa_v3.exe",
    "supremo.exe", "supremoservice.exe",
    "rustdesk.exe", "splashtop.exe", "splashtopremote.exe",
    "ateraagent.exe", "ninjaone.exe", "ninjaremote.exe",
    "simplehelp.exe", "dwrcs.exe", "dwrcst.exe",
    "tmate", "vnc.exe", "tvnserver.exe", "vncviewer.exe",
    "uvnc_service.exe", "winvnc.exe",
    "remotedesktopmanager.exe",
    "chrome_remote_desktop.exe", "remote_assistance_host.exe"
  )

medium severity high confidence

Data Sources

Windows endpoint logs via Elastic Agent or Winlogbeat Elastic Endpoint Security (ECS process events)

Required Tables

logs-endpoint.events.process-* winlogbeat-*

False Positives

Legitimate IT helpdesk or MSP-managed endpoints where RMM tools like Atera, NinjaRMM, or ScreenConnect are deployed as standard management tooling
Employees using TeamViewer or AnyDesk for authorized personal or business remote support sessions
Security team members using RMM tools for authorized internal incident response or asset management

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  sourceip,
  username,
  "Process Name",
  "Command Line",
  "Parent Process Name",
  CATEGORYNAME(category) AS event_category,
  CASE
    WHEN LOWER("Process Name") MATCHES '.*?(teamviewer|anydesk|screenconnect|connectwise).*?' THEN 'Commercial RMM'
    WHEN LOWER("Process Name") MATCHES '.*?(vnc|tvnserver|winvnc|uvnc).*?' THEN 'VNC'
    WHEN LOWER("Process Name") MATCHES '.*?(logmein|lmi_rescue).*?' THEN 'LogMeIn'
    WHEN LOWER("Process Name") MATCHES '.*?(ammyy|aa_v3).*?' THEN 'AmmyyAdmin'
    WHEN LOWER("Process Name") MATCHES '.*?(rustdesk|splashtop|supremo).*?' THEN 'Other RMM'
    WHEN LOWER("Process Name") MATCHES '.*?(atera|ninja|simplehelp|dwrcs).*?' THEN 'MSP Tool'
    ELSE 'Unknown'
  END AS rat_category,
  CASE
    WHEN LOWER("Parent Process Name") MATCHES '.*?(services\.exe|svchost\.exe).*?' THEN 'Yes'
    ELSE 'No'
  END AS is_service_launched,
  CASE
    WHEN LOWER("Parent Process Name") MATCHES '.*?(explorer\.exe|cmd\.exe|powershell\.exe).*?' THEN 'Yes'
    ELSE 'No'
  END AS is_user_launched
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13, 101, 143)
  AND QIDNAME(qid) ILIKE '%process%'
  AND (
    LOWER("Process Name") MATCHES '.*?teamviewer.*?'
    OR LOWER("Process Name") MATCHES '.*?anydesk.*?'
    OR LOWER("Process Name") MATCHES '.*?screenconnect.*?'
    OR LOWER("Process Name") MATCHES '.*?connectwisecontrol.*?'
    OR LOWER("Process Name") MATCHES '.*?logmein.*?'
    OR LOWER("Process Name") MATCHES '.*?lmi_rescue.*?'
    OR LOWER("Process Name") MATCHES '.*?ammyyadmin.*?'
    OR LOWER("Process Name") MATCHES '.*?aa_v3\.exe.*?'
    OR LOWER("Process Name") MATCHES '.*?supremo.*?'
    OR LOWER("Process Name") MATCHES '.*?rustdesk.*?'
    OR LOWER("Process Name") MATCHES '.*?splashtop.*?'
    OR LOWER("Process Name") MATCHES '.*?ateraagent.*?'
    OR LOWER("Process Name") MATCHES '.*?ninjaone.*?'
    OR LOWER("Process Name") MATCHES '.*?ninjaremote.*?'
    OR LOWER("Process Name") MATCHES '.*?simplehelp.*?'
    OR LOWER("Process Name") MATCHES '.*?dwrcs.*?'
    OR LOWER("Process Name") MATCHES '.*?dwrcst.*?'
    OR LOWER("Process Name") MATCHES '.*?tmate.*?'
    OR LOWER("Process Name") MATCHES '.*?tvnserver.*?'
    OR LOWER("Process Name") MATCHES '.*?winvnc.*?'
    OR LOWER("Process Name") MATCHES '.*?uvnc_service.*?'
    OR LOWER("Process Name") IN ('vnc.exe', 'vncviewer.exe')
  )
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC
LAST 24 HOURS

medium severity medium confidence

Data Sources

Microsoft Windows Security Event Log (via QRadar DSM) Sysmon event log forwarded to QRadar Carbon Black or CrowdStrike DSM process events

Required Tables

events

False Positives

Sanctioned MSP agents (Atera, NinjaRMM, ScreenConnect) deployed to managed endpoints as part of a formal IT contract
Internal IT staff using TeamViewer or AnyDesk for routine remote support tickets
Developer workstations running tmate for collaborative terminal sharing during code review

Sumo Logic CSE

sql

_sourceCategory=*windows*sysmon* OR _sourceCategory=*endpoint*process*
| where EventID = "1" OR EventCode = "1"
| parse field=Image "*\\*" as image_dir, image_file nodrop
| where image_file matches /(?i)(teamviewer|teamviewer_service|anydesk|anydesk_service|screenconnect|connectwisecontrol|logmein|lmi_rescue|logmeinrescue|ammyyadmin|aa_v3|supremo|supremoservice|rustdesk|splashtop|ateraagent|ninjaone|ninjaremote|simplehelp|dwrcs|dwrcst|tmate|tvnserver|vncviewer|uvnc_service|winvnc|chrome_remote_desktop|remote_assistance_host)\.exe$/
| eval rat_category = if(image_file matches /(?i)(teamviewer|anydesk|screenconnect|connectwise)/, "Commercial RMM",
    if(image_file matches /(?i)(vnc|tvnserver|winvnc|uvnc)/, "VNC",
    if(image_file matches /(?i)(logmein|lmi_rescue)/, "LogMeIn",
    if(image_file matches /(?i)(ammyy|aa_v3)/, "AmmyyAdmin",
    if(image_file matches /(?i)(rustdesk|splashtop|supremo)/, "Other RMM",
    if(image_file matches /(?i)(atera|ninja|simplehelp|dwrcs)/, "MSP Tool",
    "Unknown"))))))
| eval is_service_launched = if(ParentImage matches /(?i)(services\.exe|svchost\.exe)/, "Yes", "No")
| eval is_user_launched = if(ParentImage matches /(?i)(explorer\.exe|cmd\.exe|powershell\.exe)/, "Yes", "No")
| count by _time, Computer, User, image_file, CommandLine, ParentImage, rat_category, is_service_launched, is_user_launched
| sort by _time desc

medium severity high confidence

Data Sources

Sysmon logs forwarded to Sumo Logic via installed collector Windows endpoint agent with process telemetry

Required Tables

Windows Sysmon Event ID 1 (Process Create)

False Positives

Corporate endpoints where RMM agents like NinjaRMM or Atera are deployed under a formal managed services agreement
Help desk technicians initiating ad hoc TeamViewer or AnyDesk sessions to assist end users
Developers or QA engineers using RustDesk or tmate for cross-team terminal or desktop sharing

Google Chronicle / SecOps

yaral

rule t1219_remote_access_tools {
  meta:
    author = "df00tech"
    description = "Detects execution of known Remote Access Tools and RMM software (MITRE ATT&CK T1219). Identifies commercial RMM tools, VNC variants, MSP management agents, and open-source remote access utilities launched on Windows endpoints."
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1219"
    severity = "MEDIUM"
    priority = "MEDIUM"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.process.file.full_path != ""
    (
      re.regex($e.target.process.file.full_path, `(?i)(teamviewer|teamviewer_service|anydesk|anydesk_service|screenconnect|connectwisecontrol\.client|logmein|lmi_rescue|logmeinrescue|ammyyadmin|aa_v3|supremo|supremoservice|rustdesk|splashtop|ateraagent|ninjaone|ninjaremote|simplehelp|dwrcs|dwrcst|tmate|tvnserver|vncviewer|uvnc_service|winvnc|chrome_remote_desktop|remote_assistance_host)\.exe$`)
    )

  match:
    $e.principal.hostname over 15m

  outcome:
    $hostname = $e.principal.hostname
    $username = $e.principal.user.userid
    $process_name = $e.target.process.file.full_path
    $command_line = $e.target.process.command_line
    $parent_process = $e.principal.process.file.full_path
    $rat_category = if(
      re.regex($e.target.process.file.full_path, `(?i)(teamviewer|anydesk|screenconnect|connectwise)`), "Commercial RMM",
      if(
        re.regex($e.target.process.file.full_path, `(?i)(vnc|tvnserver|winvnc|uvnc)`), "VNC",
        if(
          re.regex($e.target.process.file.full_path, `(?i)(logmein|lmi_rescue)`), "LogMeIn",
          if(
            re.regex($e.target.process.file.full_path, `(?i)(ammyy|aa_v3)`), "AmmyyAdmin",
            if(
              re.regex($e.target.process.file.full_path, `(?i)(rustdesk|splashtop|supremo)`), "Other RMM",
              if(
                re.regex($e.target.process.file.full_path, `(?i)(atera|ninja|simplehelp|dwrcs)`), "MSP Tool",
                "Unknown"
              )
            )
          )
        )
      )
    )
    $is_service_launched = if(
      re.regex($e.principal.process.file.full_path, `(?i)(services\.exe|svchost\.exe)`), "Yes", "No"
    )
    $is_user_launched = if(
      re.regex($e.principal.process.file.full_path, `(?i)(explorer\.exe|cmd\.exe|powershell\.exe)`), "Yes", "No"
    )

  condition:
    $e
}

medium severity high confidence

Data Sources

Chronicle UDM PROCESS_LAUNCH events from Windows endpoint telemetry Sysmon or EDR forwarded to Chronicle via ingestion pipeline

Required Tables

UDM PROCESS_LAUNCH events

False Positives

Enterprise environments where ScreenConnect or Atera is centrally deployed and whitelisted for IT operations
End users with personal copies of AnyDesk or TeamViewer installed for home-to-office remote access
Security red team exercises using RustDesk or SimpleHelp to simulate adversary remote access

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(teamviewer|teamviewer_service|anydesk|anydesk_service|screenconnect|connectwisecontrol\.client|logmein|lmi_rescue|logmeinrescue|ammyyadmin|aa_v3|supremo|supremoservice|rustdesk|splashtop|ateraagent|ninjaone|ninjaremote|simplehelp|dwrcs|dwrcst|tmate|tvnserver|vncviewer|uvnc_service|winvnc|chrome_remote_desktop|remote_assistance_host)\.exe$/i
| eval rat_category = case(
    ImageFileName = /(?i)(teamviewer|anydesk|screenconnect|connectwise)/, "Commercial RMM",
    ImageFileName = /(?i)(vnc|tvnserver|winvnc|uvnc)/, "VNC",
    ImageFileName = /(?i)(logmein|lmi_rescue)/, "LogMeIn",
    ImageFileName = /(?i)(ammyy|aa_v3)/, "AmmyyAdmin",
    ImageFileName = /(?i)(rustdesk|splashtop|supremo)/, "Other RMM",
    ImageFileName = /(?i)(atera|ninja|simplehelp|dwrcs)/, "MSP Tool",
    *,  "Unknown"
  )
| eval is_service_launched = if(ParentBaseFileName = /(?i)(services\.exe|svchost\.exe)/, "Yes", "No")
| eval is_user_launched = if(ParentBaseFileName = /(?i)(explorer\.exe|cmd\.exe|powershell\.exe)/, "Yes", "No")
| table([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, rat_category, is_service_launched, is_user_launched])
| sort(timestamp, order=desc)

medium severity high confidence

Data Sources

CrowdStrike Falcon sensor ProcessRollup2 events Falcon Data Replicator (FDR) process telemetry

Required Tables

ProcessRollup2

False Positives

CrowdStrike-managed endpoints in organizations with contracted MSP support running NinjaRMM, Atera, or ScreenConnect as approved tools
IT administrators using AnyDesk or TeamViewer to remotely support endpoints outside business hours
Vendor-provided software bundles that include embedded RMM agents for hardware or software warranty support

Remote Access Tools

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (3)

Same Tactic: Command and Control

Popular Detections