T1219.002 Google Chronicle · YARA-L

Detect Remote Desktop Software in Google Chronicle

An adversary may use legitimate desktop support software to establish an interactive command and control channel to target systems within networks. Desktop support software provides a graphical interface for remotely controlling another computer, transmitting the display output, keyboard input, and mouse control between devices using various protocols. Desktop support software, such as VNC, TeamViewer, AnyDesk, ScreenConnect, LogMeIn, AmmyyAdmin, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment. Remote access modules/features may also exist as part of otherwise existing software such as Zoom or Google Chrome's Remote Desktop.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1219 Remote Access Tools
Sub-technique
T1219.002 Remote Desktop Software
Canonical reference
https://attack.mitre.org/techniques/T1219/002/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule t1219_002_remote_desktop_software_execution {
  meta:
    author = "Detection Engineering"
    description = "Detects execution of Remote Desktop Software and RMM tools (MITRE ATT&CK T1219.002). Identifies known RMM tool executables and enriches with suspicious parent process, temp-path execution, and portable installation indicators."
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1219.002"
    mitre_attack_technique_name = "Remote Desktop Software"
    reference = "https://attack.mitre.org/techniques/T1219/002/"
    severity = "MEDIUM"
    priority = "MEDIUM"
    version = "1.0"

  events:
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    // Anchored on the exact basename: renamed copies of these binaries are not matched.
    re.regex(
      $proc.principal.process.file.basename,
      `(?i)^(teamviewer|teamviewer_service|tv_w32|tv_x64|anydesk|anydesk_service|screenconnect|screenconnectclient|connectwisecontrol\.client|logmein|lmi_rescue|logmeinrescue|logmeinrescueworkstation|ammyyadmin|aa_v3|vnc|vncviewer|tvnserver|winvnc|uvnc_service|vncserver|splashtop|splashtopremote|splashtop_streamer|rustdesk|supremo|supremoservice|netsupportmanager|client32|chrome_remote_desktop|remoting_host|zoommtg)\.exe$`
    )
    // The match section can only group on placeholder variables bound here,
    // not on a raw event field path.
    $hostname = $proc.principal.hostname

  match:
    $hostname over 5m

  outcome:
    // With a match section each detection covers several events, so every
    // outcome value has to be an aggregation over the grouped events.
    $username = array_distinct($proc.principal.user.userid)
    $process_name = array_distinct($proc.principal.process.file.basename)
    $process_path = array_distinct($proc.principal.process.file.full_path)
    $command_line = array_distinct($proc.principal.process.command_line)
    $parent_process_name = array_distinct($proc.principal.process.parent_process.file.basename)
    $parent_command_line = array_distinct($proc.principal.process.parent_process.command_line)
    // Nested if() chain: the first family pattern that matches wins.
    // Eleven if() calls are opened, so eleven parentheses close them after "Other".
    $tool_family = array_distinct(
      if(re.regex($proc.principal.process.file.basename, `(?i)(teamviewer|tv_w32|tv_x64)`), "TeamViewer",
      if(re.regex($proc.principal.process.file.basename, `(?i)anydesk`), "AnyDesk",
      if(re.regex($proc.principal.process.file.basename, `(?i)(screenconnect|connectwise)`), "ScreenConnect",
      if(re.regex($proc.principal.process.file.basename, `(?i)(logmein|lmi_rescue)`), "LogMeIn",
      if(re.regex($proc.principal.process.file.basename, `(?i)(ammyy|aa_v3)`), "AmmyyAdmin",
      if(re.regex($proc.principal.process.file.basename, `(?i)(vnc|tvnserver|winvnc|uvnc)`), "VNC",
      if(re.regex($proc.principal.process.file.basename, `(?i)splashtop`), "Splashtop",
      if(re.regex($proc.principal.process.file.basename, `(?i)rustdesk`), "RustDesk",
      if(re.regex($proc.principal.process.file.basename, `(?i)supremo`), "Supremo",
      if(re.regex($proc.principal.process.file.basename, `(?i)(netsupport|client32)`), "NetSupport",
      if(re.regex($proc.principal.process.file.basename, `(?i)(chrome_remote|remoting_host)`), "ChromeRD",
      "Other")))))))))))
    )
    $suspicious_parent = array_distinct(if(
      re.regex($proc.principal.process.parent_process.file.basename,
        `(?i)(powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|msiexec|taskeng|taskhostw)`),
      "Yes", "No"
    ))
    $from_temp_path = array_distinct(if(
      re.regex($proc.principal.process.file.full_path,
        `(?i)(\\Temp\\|\\tmp\\|\\Downloads\\|AppData.Local.Temp)`),
      "Yes", "No"
    ))
    // Portable means "not installed under Program Files"; note this also flags
    // binaries run from other system paths, so treat it as a triage hint only.
    $is_portable = array_distinct(if(
      re.regex($proc.principal.process.file.full_path, `(?i)C:\\Program Files`),
      "No", "Yes"
    ))

  condition:
    $proc
}
Severity: medium · Confidence: high

Google Chronicle YARA-L 2.0 detection rule for Remote Desktop Software / RMM tool execution (T1219.002). Uses UDM PROCESS_LAUNCH events to match known RMM tool executables by basename. Outcome fields provide tool family classification, suspicious parent process indicator, temp-path execution flag, and portable installation indicator for analyst triage. Designed for Chronicle Security Operations with Windows endpoint telemetry forwarded via Chronicle Forwarder or Google Workspace integrations.
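To exercise the rule's filter and enrichment logic offline before deploying it, here is an added Python harness (not part of the original page or of Chronicle) that re-implements the events filter and the outcome fields with the same regexes and runs them over constructed UDM-style records. It also shows a property of the anchored basename pattern: AnyDesk.exe is matched, but a renamed copy such as the AnyDesk_test.exe used in Test 1 of the testing methodology is not, so that validation step needs the real binary name to trigger this rule. Host names, users and paths in the sample records are hypothetical.

```python
import re

# Patterns copied from the YARA-L rule; Python's re accepts the same (?i) flag and escapes.
RMM_BASENAME = re.compile(
    r"(?i)^(teamviewer|teamviewer_service|tv_w32|tv_x64|anydesk|anydesk_service|screenconnect|"
    r"screenconnectclient|connectwisecontrol\.client|logmein|lmi_rescue|logmeinrescue|"
    r"logmeinrescueworkstation|ammyyadmin|aa_v3|vnc|vncviewer|tvnserver|winvnc|uvnc_service|"
    r"vncserver|splashtop|splashtopremote|splashtop_streamer|rustdesk|supremo|supremoservice|"
    r"netsupportmanager|client32|chrome_remote_desktop|remoting_host|zoommtg)\.exe$"
)
TOOL_FAMILIES = [  # evaluated in order, first hit wins, like the rule's nested if() chain
    (r"(?i)(teamviewer|tv_w32|tv_x64)", "TeamViewer"), (r"(?i)anydesk", "AnyDesk"),
    (r"(?i)(screenconnect|connectwise)", "ScreenConnect"), (r"(?i)(logmein|lmi_rescue)", "LogMeIn"),
    (r"(?i)(ammyy|aa_v3)", "AmmyyAdmin"), (r"(?i)(vnc|tvnserver|winvnc|uvnc)", "VNC"),
    (r"(?i)splashtop", "Splashtop"), (r"(?i)rustdesk", "RustDesk"), (r"(?i)supremo", "Supremo"),
    (r"(?i)(netsupport|client32)", "NetSupport"), (r"(?i)(chrome_remote|remoting_host)", "ChromeRD"),
]
SUSPICIOUS_PARENT = re.compile(r"(?i)(powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|msiexec|taskeng|taskhostw)")
TEMP_PATH = re.compile(r"(?i)(\\Temp\\|\\tmp\\|\\Downloads\\|AppData.Local.Temp)")
PROGRAM_FILES = re.compile(r"(?i)C:\\Program Files")

def enrich(event):
    """Apply the rule's events filter, then compute its outcome fields; None means no match."""
    if event["event_type"] != "PROCESS_LAUNCH" or not RMM_BASENAME.search(event["basename"]):
        return None
    family = next((name for pat, name in TOOL_FAMILIES if re.search(pat, event["basename"])), "Other")
    return {
        "hostname": event["hostname"],
        "tool_family": family,
        "suspicious_parent": "Yes" if SUSPICIOUS_PARENT.search(event["parent_basename"]) else "No",
        "from_temp_path": "Yes" if TEMP_PATH.search(event["full_path"]) else "No",
        "is_portable": "No" if PROGRAM_FILES.search(event["full_path"]) else "Yes",
    }

# Constructed UDM-style records (hypothetical hosts, users and paths), not real telemetry.
SAMPLE_EVENTS = [
    {"event_type": "PROCESS_LAUNCH", "hostname": "WS-0123", "basename": "AnyDesk.exe",
     "full_path": r"C:\Users\jdoe\Downloads\AnyDesk.exe", "parent_basename": "powershell.exe"},
    {"event_type": "PROCESS_LAUNCH", "hostname": "WS-0123", "basename": "AnyDesk_test.exe",
     "full_path": r"C:\Users\jdoe\Downloads\AnyDesk_test.exe", "parent_basename": "powershell.exe"},
    {"event_type": "PROCESS_LAUNCH", "hostname": "WS-0456", "basename": "TeamViewer_Service.exe",
     "full_path": r"C:\Program Files\TeamViewer\TeamViewer_Service.exe", "parent_basename": "services.exe"},
    {"event_type": "PROCESS_LAUNCH", "hostname": "WS-0456", "basename": "notepad.exe",
     "full_path": r"C:\Windows\System32\notepad.exe", "parent_basename": "explorer.exe"},
]

def run_rule(events=SAMPLE_EVENTS):
    """Outcomes for every event the rule would match; the renamed AnyDesk_test.exe is not among them."""
    return [o for o in map(enrich, events) if o is not None]
```

The first sample record yields Yes on all three triage flags, the TeamViewer service launched from Program Files yields No on all three, and the renamed AnyDesk copy produces no detection at all.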

Data Sources

  • Google Chronicle Security Operations
  • Chronicle Forwarder (Windows Event Log / Sysmon)
  • Google Workspace Chronicle integration
  • UDM PROCESS_LAUNCH event stream

Required Tables

UDM events with metadata.event_type = PROCESS_LAUNCH

False Positives & Tuning

  • Internal IT operations teams using authorized remote management tools (TeamViewer, ScreenConnect) for legitimate system administration, particularly when deployed by endpoint management solutions
  • Third-party vendor remote support sessions using pre-approved RMM tools during scheduled change windows, where parent process may be a script-based launcher deployed by the vendor
  • CI/CD or test automation frameworks that invoke Chrome Remote Desktop or Zoom as part of automated UI testing pipelines on build agents
Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: AnyDesk Portable Download and ID Retrieval

    Expected signal: Sysmon Event ID 1: powershell.exe with Invoke-WebRequest downloading AnyDesk. Sysmon Event ID 11: File creation at Downloads\AnyDesk_test.exe. Sysmon Event ID 1: AnyDesk_test.exe process creation from Downloads folder. Sysmon Event ID 3: Network connection to AnyDesk relay servers. Sysmon Event ID 22: DNS query for *.anydesk.com.

  2. Test 2: NetSupport Manager Client32 Execution

    Expected signal: Sysmon Event ID 1: cmd.exe spawning with path containing NetSupport_Test. Sysmon Event ID 11: File creation events for the mock batch file in temp directory. Security Event ID 4688: Process creation for cmd.exe with command line referencing NetSupport.

  3. Test 3: ScreenConnect Client Service Installation Simulation

    Expected signal: Security Event ID 7045: New service installed with ServiceName=ScreenConnectTest, ServiceFileName containing ScreenConnect. Sysmon Event ID 1: sc.exe process creation with command line containing ScreenConnect. Sysmon Event ID 12/13: Registry modifications under HKLM\SYSTEM\CurrentControlSet\Services\ScreenConnectTest.
