T1219.002

Remote Desktop Software

An adversary may use legitimate desktop support software to establish an interactive command and control channel to target systems within networks. Desktop support software provides a graphical interface for remotely controlling another computer, transmitting the display output, keyboard input, and mouse control between devices using various protocols. Desktop support software, such as VNC, TeamViewer, AnyDesk, ScreenConnect, LogMeIn, AmmyyAdmin, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment. Remote access modules/features may also exist as part of otherwise existing software such as Zoom or Google Chrome's Remote Desktop.

Microsoft Sentinel / Defender

kusto

let RMMTools = dynamic([
  "teamviewer.exe", "teamviewer_service.exe", "tv_w32.exe", "tv_x64.exe",
  "anydesk.exe", "anydesk_service.exe",
  "screenconnect.exe", "screenconnectclient.exe", "connectwisecontrol.client.exe",
  "logmein.exe", "lmi_rescue.exe", "logmeinrescue.exe", "logmeinrescueworkstation.exe",
  "ammyyadmin.exe", "aa_v3.exe",
  "vnc.exe", "vncviewer.exe", "tvnserver.exe", "winvnc.exe", "uvnc_service.exe", "vncserver.exe",
  "splashtop.exe", "splashtopremote.exe", "splashtop_streamer.exe",
  "rustdesk.exe", "supremo.exe", "supremoservice.exe",
  "netsupportmanager.exe", "client32.exe",
  "chrome_remote_desktop.exe", "remoting_host.exe",
  "zoommtg.exe"
]);
let SuspiciousParents = dynamic([
  "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
  "cscript.exe", "mshta.exe", "rundll32.exe", "msiexec.exe",
  "taskeng.exe", "taskhostw.exe"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (RMMTools)
| extend SuspiciousParent = InitiatingProcessFileName has_any (SuspiciousParents)
| extend FromTempPath = FolderPath has_any ("\\Temp\\", "\\tmp\\", "\\AppData\\Local\\Temp", "\\Downloads\\")
| extend IsPortable = FolderPath !startswith "C:\\Program Files" and FolderPath !startswith "C:\\Program Files (x86)"
| extend ToolFamily = case(
    FileName has_any ("teamviewer", "tv_w32", "tv_x64"), "TeamViewer",
    FileName has_any ("anydesk"), "AnyDesk",
    FileName has_any ("screenconnect", "connectwise"), "ScreenConnect",
    FileName has_any ("logmein", "lmi_rescue"), "LogMeIn",
    FileName has_any ("ammyy", "aa_v3"), "AmmyyAdmin",
    FileName has_any ("vnc", "tvnserver", "winvnc", "uvnc"), "VNC",
    FileName has_any ("splashtop"), "Splashtop",
    FileName has_any ("rustdesk"), "RustDesk",
    FileName has_any ("supremo"), "Supremo",
    FileName has_any ("netsupport", "client32"), "NetSupport",
    FileName has_any ("chrome_remote", "remoting_host"), "ChromeRD",
    "Other")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, FolderPath,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         ToolFamily, SuspiciousParent, FromTempPath, IsPortable
| sort by Timestamp desc

medium severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

IT helpdesk technicians using approved RMM tools (TeamViewer, ScreenConnect, LogMeIn) for employee support sessions with active support tickets
Managed Service Providers (MSPs) running authorized RMM agents (ConnectWise, Splashtop) as part of contracted endpoint management
End users launching pre-installed remote desktop tools from standard paths for legitimate personal use (Chrome Remote Desktop)
Software deployment systems (SCCM, PDQ Deploy) installing or updating approved RMM agents across the fleet

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (Image="*\\teamviewer*.exe" OR Image="*\\tv_w32.exe" OR Image="*\\tv_x64.exe"
   OR Image="*\\anydesk*.exe"
   OR Image="*\\screenconnect*.exe" OR Image="*\\connectwisecontrol*.exe"
   OR Image="*\\logmein*.exe" OR Image="*\\lmi_rescue*.exe"
   OR Image="*\\ammyyadmin.exe" OR Image="*\\aa_v3.exe"
   OR Image="*\\*vnc*.exe" OR Image="*\\tvnserver.exe" OR Image="*\\winvnc.exe"
   OR Image="*\\splashtop*.exe"
   OR Image="*\\rustdesk.exe" OR Image="*\\supremo*.exe"
   OR Image="*\\netsupportmanager.exe" OR Image="*\\client32.exe"
   OR Image="*\\chrome_remote_desktop*.exe" OR Image="*\\remoting_host.exe")
| eval ToolFamily=case(
    match(Image, "(?i)(teamviewer|tv_w32|tv_x64)"), "TeamViewer",
    match(Image, "(?i)anydesk"), "AnyDesk",
    match(Image, "(?i)(screenconnect|connectwise)"), "ScreenConnect",
    match(Image, "(?i)(logmein|lmi_rescue)"), "LogMeIn",
    match(Image, "(?i)(ammyy|aa_v3)"), "AmmyyAdmin",
    match(Image, "(?i)(vnc|tvnserver|winvnc|uvnc)"), "VNC",
    match(Image, "(?i)splashtop"), "Splashtop",
    match(Image, "(?i)rustdesk"), "RustDesk",
    match(Image, "(?i)supremo"), "Supremo",
    match(Image, "(?i)(netsupport|client32)"), "NetSupport",
    match(Image, "(?i)(chrome_remote|remoting_host)"), "ChromeRD",
    1=1, "Other")
| eval SuspiciousParent=if(match(ParentImage, "(?i)(powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|msiexec|taskeng|taskhostw)"), "Yes", "No")
| eval FromTempPath=if(match(Image, "(?i)(\\Temp\\|\\tmp\\|\\Downloads\\|\\AppData\\Local\\Temp)"), "Yes", "No")
| eval IsPortable=if(NOT match(Image, "(?i)C:\\Program Files"), "Yes", "No")
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, ToolFamily, SuspiciousParent, FromTempPath, IsPortable
| sort - _time

medium severity high confidence

Data Sources

Process: Process Creation Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

IT helpdesk using approved tools for legitimate remote support with active tickets
MSPs running contracted RMM agents for endpoint management
End users with pre-installed Chrome Remote Desktop or similar tools
Software deployment systems updating approved RMM agents across the fleet

Elastic Security (EQL)

eql

process where event.type == "start" and
  process.name : (
    "teamviewer.exe", "teamviewer_service.exe", "tv_w32.exe", "tv_x64.exe",
    "anydesk.exe", "anydesk_service.exe",
    "screenconnect.exe", "screenconnectclient.exe", "connectwisecontrol.client.exe",
    "logmein.exe", "lmi_rescue.exe", "logmeinrescue.exe", "logmeinrescueworkstation.exe",
    "ammyyadmin.exe", "aa_v3.exe",
    "vnc.exe", "vncviewer.exe", "tvnserver.exe", "winvnc.exe", "uvnc_service.exe", "vncserver.exe",
    "splashtop.exe", "splashtopremote.exe", "splashtop_streamer.exe",
    "rustdesk.exe", "supremo.exe", "supremoservice.exe",
    "netsupportmanager.exe", "client32.exe",
    "chrome_remote_desktop.exe", "remoting_host.exe",
    "zoommtg.exe"
  ) and (
    process.parent.name : (
      "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
      "cscript.exe", "mshta.exe", "rundll32.exe", "msiexec.exe",
      "taskeng.exe", "taskhostw.exe"
    ) or
    process.executable : (
      "*\\Temp\\*", "*\\tmp\\*",
      "*\\AppData\\Local\\Temp\\*", "*\\Downloads\\*"
    ) or
    (
      not process.executable : "C:\\Program Files*" and
      not process.executable : "C:\\Program Files (x86)*"
    )
  )

medium severity high confidence

Data Sources

Elastic Endpoint Security (elastic-agent) Winlogbeat with Sysmon module logs-endpoint.events.process-*

Required Tables

logs-endpoint.events.process-* winlogbeat-* logs-windows.sysmon_operational-*

False Positives

Legitimate IT helpdesk staff launching approved RMM clients (e.g., TeamViewer, AnyDesk) from administrative consoles or via scripted deployment tools during approved support sessions
Software packaging and deployment pipelines (e.g., SCCM, Intune, PDQ Deploy) that extract and execute RMM installers from TEMP directories as part of managed rollouts
Managed service providers (MSPs) whose remote agents are legitimately installed outside Program Files due to vendor design choices (e.g., RustDesk, Supremo portable editions)

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username AS username,
  sourceip AS source_ip,
  "Process Name" AS process_name,
  "Parent Process Name" AS parent_process_name,
  "Command" AS command_line,
  CASE
    WHEN LOWER("Process Name") LIKE '%teamviewer%' OR LOWER("Process Name") LIKE '%tv_w32%' OR LOWER("Process Name") LIKE '%tv_x64%' THEN 'TeamViewer'
    WHEN LOWER("Process Name") LIKE '%anydesk%' THEN 'AnyDesk'
    WHEN LOWER("Process Name") LIKE '%screenconnect%' OR LOWER("Process Name") LIKE '%connectwise%' THEN 'ScreenConnect'
    WHEN LOWER("Process Name") LIKE '%logmein%' OR LOWER("Process Name") LIKE '%lmi_rescue%' THEN 'LogMeIn'
    WHEN LOWER("Process Name") LIKE '%ammyy%' OR LOWER("Process Name") LIKE '%aa_v3%' THEN 'AmmyyAdmin'
    WHEN LOWER("Process Name") LIKE '%vnc%' OR LOWER("Process Name") LIKE '%tvnserver%' OR LOWER("Process Name") LIKE '%winvnc%' THEN 'VNC'
    WHEN LOWER("Process Name") LIKE '%splashtop%' THEN 'Splashtop'
    WHEN LOWER("Process Name") LIKE '%rustdesk%' THEN 'RustDesk'
    WHEN LOWER("Process Name") LIKE '%supremo%' THEN 'Supremo'
    WHEN LOWER("Process Name") LIKE '%netsupport%' OR LOWER("Process Name") LIKE '%client32%' THEN 'NetSupport'
    WHEN LOWER("Process Name") LIKE '%chrome_remote%' OR LOWER("Process Name") LIKE '%remoting_host%' THEN 'ChromeRD'
    ELSE 'Other'
  END AS tool_family,
  CASE
    WHEN LOWER("Parent Process Name") LIKE '%powershell%'
      OR LOWER("Parent Process Name") LIKE '%pwsh%'
      OR LOWER("Parent Process Name") LIKE '%cmd.exe%'
      OR LOWER("Parent Process Name") LIKE '%wscript%'
      OR LOWER("Parent Process Name") LIKE '%cscript%'
      OR LOWER("Parent Process Name") LIKE '%mshta%'
      OR LOWER("Parent Process Name") LIKE '%rundll32%'
      OR LOWER("Parent Process Name") LIKE '%msiexec%'
      OR LOWER("Parent Process Name") LIKE '%taskeng%'
      OR LOWER("Parent Process Name") LIKE '%taskhostw%'
    THEN 'Yes' ELSE 'No'
  END AS suspicious_parent,
  CASE
    WHEN LOWER("Process Name") LIKE '%\\temp\\%'
      OR LOWER("Process Name") LIKE '%\\tmp\\%'
      OR LOWER("Process Name") LIKE '%\\downloads\\%'
      OR LOWER("Process Name") LIKE '%appdata%local%temp%'
    THEN 'Yes' ELSE 'No'
  END AS from_temp_path,
  CASE
    WHEN LOWER("Process Name") NOT LIKE '%program files%' THEN 'Yes'
    ELSE 'No'
  END AS is_portable
FROM events
WHERE
  starttime > (CURRENT_TIMESTAMP - 86400000)
  AND LOGSOURCETYPEID IN (12, 433)
  AND (
    LOWER("Process Name") LIKE '%teamviewer%'
    OR LOWER("Process Name") LIKE '%tv_w32.exe%'
    OR LOWER("Process Name") LIKE '%tv_x64.exe%'
    OR LOWER("Process Name") LIKE '%anydesk%'
    OR LOWER("Process Name") LIKE '%screenconnect%'
    OR LOWER("Process Name") LIKE '%connectwisecontrol%'
    OR LOWER("Process Name") LIKE '%logmein%'
    OR LOWER("Process Name") LIKE '%lmi_rescue%'
    OR LOWER("Process Name") LIKE '%ammyyadmin%'
    OR LOWER("Process Name") LIKE '%aa_v3.exe%'
    OR LOWER("Process Name") LIKE '%tvnserver%'
    OR LOWER("Process Name") LIKE '%winvnc%'
    OR LOWER("Process Name") LIKE '%uvnc%'
    OR LOWER("Process Name") LIKE '%vncviewer%'
    OR LOWER("Process Name") LIKE '%splashtop%'
    OR LOWER("Process Name") LIKE '%rustdesk%'
    OR LOWER("Process Name") LIKE '%supremo%'
    OR LOWER("Process Name") LIKE '%netsupportmanager%'
    OR LOWER("Process Name") LIKE '%client32.exe%'
    OR LOWER("Process Name") LIKE '%chrome_remote_desktop%'
    OR LOWER("Process Name") LIKE '%remoting_host%'
    OR LOWER("Process Name") LIKE '%zoommtg%'
  )
ORDER BY starttime DESC

medium severity medium confidence

Data Sources

IBM QRadar SIEM Windows Security Event Log via WinCollect (LOGSOURCETYPEID 12) Microsoft Windows Sysmon via WinCollect (LOGSOURCETYPEID 433)

Required Tables

events (QRadar normalized event store)

False Positives

Authorized IT support personnel using approved RMM tools during scheduled maintenance windows, particularly when agents are managed by endpoint management platforms like SCCM or Intune
Software asset discovery tools that enumerate running processes including RMM binaries as part of inventory scans, producing high-volume benign matches
Security operations personnel using NetSupport or similar tools during incident response for forensic acquisition from remote endpoints

Sumo Logic CSE

sql

(_sourceCategory="windows/sysmon" OR _sourceCategory="os/windows/sysmon" OR _sourceCategory="*sysmon*")
| where EventID = "1"
| parse regex field=Image "(?<process_path>.+)"
| parse regex field=Image "(?:[^\\\\]+\\\\)*(?<process_name>[^\\\\]+\.exe)" nodrop
| parse regex field=ParentImage "(?:[^\\\\]+\\\\)*(?<parent_process_name>[^\\\\]+\.exe)" nodrop
| where process_name matches /(?i)^(teamviewer|teamviewer_service|tv_w32|tv_x64|anydesk|anydesk_service|screenconnect|screenconnectclient|connectwisecontrol\.client|logmein|lmi_rescue|logmeinrescue|logmeinrescueworkstation|ammyyadmin|aa_v3|vnc|vncviewer|tvnserver|winvnc|uvnc_service|vncserver|splashtop|splashtopremote|splashtop_streamer|rustdesk|supremo|supremoservice|netsupportmanager|client32|chrome_remote_desktop|remoting_host|zoommtg)\.exe$/
| if(process_name matches /(?i)(teamviewer|tv_w32|tv_x64)/, "TeamViewer",
  if(process_name matches /(?i)anydesk/, "AnyDesk",
  if(process_name matches /(?i)(screenconnect|connectwise)/, "ScreenConnect",
  if(process_name matches /(?i)(logmein|lmi_rescue)/, "LogMeIn",
  if(process_name matches /(?i)(ammyy|aa_v3)/, "AmmyyAdmin",
  if(process_name matches /(?i)(vnc|tvnserver|winvnc|uvnc)/, "VNC",
  if(process_name matches /(?i)splashtop/, "Splashtop",
  if(process_name matches /(?i)rustdesk/, "RustDesk",
  if(process_name matches /(?i)supremo/, "Supremo",
  if(process_name matches /(?i)(netsupport|client32)/, "NetSupport",
  if(process_name matches /(?i)(chrome_remote|remoting_host)/, "ChromeRD",
  "Other"))))))))))) as tool_family
| if(parent_process_name matches /(?i)(powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|msiexec|taskeng|taskhostw)/, "Yes", "No") as suspicious_parent
| if(Image matches /(?i)(\\Temp\\|\\tmp\\|\\Downloads\\|AppData.Local.Temp)/, "Yes", "No") as from_temp_path
| if(!(Image matches /(?i)C:\\Program Files/), "Yes", "No") as is_portable
| todate(_messageTime) as event_time
| fields event_time, Computer, User, process_name, Image, CommandLine, parent_process_name, ParentCommandLine, tool_family, suspicious_parent, from_temp_path, is_portable
| sort by _messageTime desc

medium severity high confidence

Data Sources

Sumo Logic Installed Collector (Windows Event Log source) Sysmon EventID 1 via _sourceCategory=windows/sysmon Sumo Logic Cloud SIEM Enterprise (normalized process events)

Required Tables

Sysmon EventID 1 events accessible via _sourceCategory matching sysmon

False Positives

Help desk and IT support teams using approved remote access tools (TeamViewer, AnyDesk, ScreenConnect) during normal business hours for legitimate end-user support sessions
Automated endpoint provisioning or onboarding workflows that download and execute RMM agents from temporary directories as part of first-run setup scripts
Security red team or penetration testing exercises that use RMM tools as C2 channels against targets in authorized engagement scopes

Google Chronicle / SecOps

yaral

rule t1219_002_remote_desktop_software_execution {
  meta:
    author = "Detection Engineering"
    description = "Detects execution of Remote Desktop Software and RMM tools (MITRE ATT&CK T1219.002). Identifies known RMM tool executables and enriches with suspicious parent process, temp-path execution, and portable installation indicators."
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1219.002"
    mitre_attack_technique_name = "Remote Desktop Software"
    reference = "https://attack.mitre.org/techniques/T1219/002/"
    severity = "MEDIUM"
    priority = "MEDIUM"
    version = "1.0"

  events:
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    re.regex(
      $proc.principal.process.file.basename,
      `(?i)^(teamviewer|teamviewer_service|tv_w32|tv_x64|anydesk|anydesk_service|screenconnect|screenconnectclient|connectwisecontrol\.client|logmein|lmi_rescue|logmeinrescue|logmeinrescueworkstation|ammyyadmin|aa_v3|vnc|vncviewer|tvnserver|winvnc|uvnc_service|vncserver|splashtop|splashtopremote|splashtop_streamer|rustdesk|supremo|supremoservice|netsupportmanager|client32|chrome_remote_desktop|remoting_host|zoommtg)\.exe$`
    )

  match:
    $proc.principal.hostname over 5m

  outcome:
    $hostname = $proc.principal.hostname
    $username = $proc.principal.user.userid
    $process_name = $proc.principal.process.file.basename
    $process_path = $proc.principal.process.file.full_path
    $command_line = $proc.principal.process.command_line
    $parent_process_name = $proc.principal.process.parent_process.file.basename
    $parent_command_line = $proc.principal.process.parent_process.command_line
    $tool_family = if(
      re.regex($proc.principal.process.file.basename, `(?i)(teamviewer|tv_w32|tv_x64)`), "TeamViewer",
      if(re.regex($proc.principal.process.file.basename, `(?i)anydesk`), "AnyDesk",
      if(re.regex($proc.principal.process.file.basename, `(?i)(screenconnect|connectwise)`), "ScreenConnect",
      if(re.regex($proc.principal.process.file.basename, `(?i)(logmein|lmi_rescue)`), "LogMeIn",
      if(re.regex($proc.principal.process.file.basename, `(?i)(ammyy|aa_v3)`), "AmmyyAdmin",
      if(re.regex($proc.principal.process.file.basename, `(?i)(vnc|tvnserver|winvnc|uvnc)`), "VNC",
      if(re.regex($proc.principal.process.file.basename, `(?i)splashtop`), "Splashtop",
      if(re.regex($proc.principal.process.file.basename, `(?i)rustdesk`), "RustDesk",
      if(re.regex($proc.principal.process.file.basename, `(?i)supremo`), "Supremo",
      if(re.regex($proc.principal.process.file.basename, `(?i)(netsupport|client32)`), "NetSupport",
      if(re.regex($proc.principal.process.file.basename, `(?i)(chrome_remote|remoting_host)`), "ChromeRD",
      "Other")))))))))))
    )
    $suspicious_parent = if(
      re.regex($proc.principal.process.parent_process.file.basename,
        `(?i)(powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|msiexec|taskeng|taskhostw)`),
      "Yes", "No"
    )
    $from_temp_path = if(
      re.regex($proc.principal.process.file.full_path,
        `(?i)(\\Temp\\|\\tmp\\|\\Downloads\\|AppData.Local.Temp)`),
      "Yes", "No"
    )
    $is_portable = if(
      not re.regex($proc.principal.process.file.full_path, `(?i)C:\\Program Files`),
      "Yes", "No"
    )

  condition:
    $proc
}

medium severity high confidence

Data Sources

Google Chronicle Security Operations Chronicle Forwarder (Windows Event Log / Sysmon) Google Workspace Chronicle integration UDM PROCESS_LAUNCH event stream

Required Tables

UDM events with metadata.event_type = PROCESS_LAUNCH

False Positives

Internal IT operations teams using authorized remote management tools (TeamViewer, ScreenConnect) for legitimate system administration, particularly when deployed by endpoint management solutions
Third-party vendor remote support sessions using pre-approved RMM tools during scheduled change windows, where parent process may be a script-based launcher deployed by the vendor
CI/CD or test automation frameworks that invoke Chrome Remote Desktop or Zoom as part of automated UI testing pipelines on build agents

CrowdStrike LogScale (CQL)

cql

#event_simpleName = ProcessRollup2
| FileName = /(?i)^(teamviewer|teamviewer_service|tv_w32|tv_x64|anydesk|anydesk_service|screenconnect|screenconnectclient|connectwisecontrol\.client|logmein|lmi_rescue|logmeinrescue|logmeinrescueworkstation|ammyyadmin|aa_v3|vnc|vncviewer|tvnserver|winvnc|uvnc_service|vncserver|splashtop|splashtopremote|splashtop_streamer|rustdesk|supremo|supremoservice|netsupportmanager|client32|chrome_remote_desktop|remoting_host|zoommtg)\.exe$/i
| ToolFamily := case {
    FileName = /(?i)(teamviewer|tv_w32|tv_x64)/ => "TeamViewer",
    FileName = /(?i)anydesk/ => "AnyDesk",
    FileName = /(?i)(screenconnect|connectwise)/ => "ScreenConnect",
    FileName = /(?i)(logmein|lmi_rescue)/ => "LogMeIn",
    FileName = /(?i)(ammyy|aa_v3)/ => "AmmyyAdmin",
    FileName = /(?i)(vnc|tvnserver|winvnc|uvnc)/ => "VNC",
    FileName = /(?i)splashtop/ => "Splashtop",
    FileName = /(?i)rustdesk/ => "RustDesk",
    FileName = /(?i)supremo/ => "Supremo",
    FileName = /(?i)(netsupport|client32)/ => "NetSupport",
    FileName = /(?i)(chrome_remote|remoting_host)/ => "ChromeRD",
    * => "Other"
  }
| SuspiciousParent := if(ParentBaseFileName = /(?i)(powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|msiexec|taskeng|taskhostw)/, "Yes", "No")
| FromTempPath := if(ImageFileName = /(?i)(\\Temp\\|\\tmp\\|\\Downloads\\|AppData.Local.Temp)/, "Yes", "No")
| IsPortable := if(ImageFileName != /(?i)C:\\Program Files/, "Yes", "No")
| table([timestamp, ComputerName, UserName, FileName, CommandLine, ImageFileName, ParentBaseFileName, ParentCommandLine, ToolFamily, SuspiciousParent, FromTempPath, IsPortable])
| sort(timestamp, order=desc)

medium severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Platform CrowdStrike Falcon LogScale (Humio) Falcon Sensor ProcessRollup2 telemetry

Required Tables

#event_simpleName = ProcessRollup2

False Positives

Authorized IT administrators deploying Falcon-allowlisted RMM tools via approved MDM or endpoint management solutions (e.g., Intune, SCCM), where the parent process is a management agent rather than a LOLBin
Vendor-initiated remote support sessions pre-approved through change management where the RMM binary is dropped to a staging directory before installation completes and moves it to Program Files
Security operations or incident response teams using NetSupport Manager or similar tools on compromised endpoints for forensic triage under an approved IR playbook

Last updated: 2026-04-13 Research depth: deep

References (8)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1219.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Remote Desktop Software

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Command and Control

Popular Detections