T1219.002 Elastic Security · Elastic

Detect Remote Desktop Software in Elastic Security

An adversary may use legitimate desktop support software to establish an interactive command and control channel to target systems within networks. Desktop support software provides a graphical interface for remotely controlling another computer, transmitting the display output, keyboard input, and mouse control between devices using various protocols. Desktop support software, such as VNC, TeamViewer, AnyDesk, ScreenConnect, LogMeIn, AmmyyAdmin, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment. Remote access modules/features may also exist as part of otherwise existing software such as Zoom or Google Chrome's Remote Desktop.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1219 Remote Access Tools
Sub-technique
T1219.002 Remote Desktop Software
Canonical reference
https://attack.mitre.org/techniques/T1219/002/

Elastic Detection Query

Elastic Security (Elastic)
eql 
process where event.type == "start" and
  process.name : (
    "teamviewer.exe", "teamviewer_service.exe", "tv_w32.exe", "tv_x64.exe",
    "anydesk.exe", "anydesk_service.exe",
    "screenconnect.exe", "screenconnectclient.exe", "connectwisecontrol.client.exe",
    "logmein.exe", "lmi_rescue.exe", "logmeinrescue.exe", "logmeinrescueworkstation.exe",
    "ammyyadmin.exe", "aa_v3.exe",
    "vnc.exe", "vncviewer.exe", "tvnserver.exe", "winvnc.exe", "uvnc_service.exe", "vncserver.exe",
    "splashtop.exe", "splashtopremote.exe", "splashtop_streamer.exe",
    "rustdesk.exe", "supremo.exe", "supremoservice.exe",
    "netsupportmanager.exe", "client32.exe",
    "chrome_remote_desktop.exe", "remoting_host.exe",
    "zoommtg.exe"
  ) and (
    process.parent.name : (
      "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
      "cscript.exe", "mshta.exe", "rundll32.exe", "msiexec.exe",
      "taskeng.exe", "taskhostw.exe"
    ) or
    process.executable : (
      "*\\Temp\\*", "*\\tmp\\*",
      "*\\AppData\\Local\\Temp\\*", "*\\Downloads\\*"
    ) or
    (
      not process.executable : "C:\\Program Files*" and
      not process.executable : "C:\\Program Files (x86)*"
    )
  )
medium severity high confidence

Detects execution of Remote Desktop Software / RMM tools (T1219.002) using Elastic ECS process events. Alerts on RMM tool processes launched from suspicious parent processes (script interpreters, LOLBins), temp/download directories, or non-standard install paths indicating portable/dropped binaries. Covers TeamViewer, AnyDesk, ScreenConnect, LogMeIn, AmmyyAdmin, VNC variants, Splashtop, RustDesk, Supremo, NetSupport, Chrome Remote Desktop, and Zoom.

Data Sources

Elastic Endpoint Security (elastic-agent)Winlogbeat with Sysmon modulelogs-endpoint.events.process-*

Required Tables

logs-endpoint.events.process-*winlogbeat-*logs-windows.sysmon_operational-*

False Positives & Tuning

  • Legitimate IT helpdesk staff launching approved RMM clients (e.g., TeamViewer, AnyDesk) from administrative consoles or via scripted deployment tools during approved support sessions
  • Software packaging and deployment pipelines (e.g., SCCM, Intune, PDQ Deploy) that extract and execute RMM installers from TEMP directories as part of managed rollouts
  • Managed service providers (MSPs) whose remote agents are legitimately installed outside Program Files due to vendor design choices (e.g., RustDesk, Supremo portable editions)
Download portable Sigma rule (.yml)

Other platforms for T1219.002

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1AnyDesk Portable Download and ID Retrieval

    Expected signal: Sysmon Event ID 1: powershell.exe with Invoke-WebRequest downloading AnyDesk. Sysmon Event ID 11: File creation at Downloads\AnyDesk_test.exe. Sysmon Event ID 1: AnyDesk_test.exe process creation from Downloads folder. Sysmon Event ID 3: Network connection to AnyDesk relay servers. Sysmon Event ID 22: DNS query for *.anydesk.com.

  2. Test 2NetSupport Manager Client32 Execution

    Expected signal: Sysmon Event ID 1: cmd.exe spawning with path containing NetSupport_Test. Sysmon Event ID 11: File creation events for the mock batch file in temp directory. Security Event ID 4688: Process creation for cmd.exe with command line referencing NetSupport.

  3. Test 3ScreenConnect Client Service Installation Simulation

    Expected signal: Security Event ID 7045: New service installed with ServiceName=ScreenConnectTest, ServiceFileName containing ScreenConnect. Sysmon Event ID 1: sc.exe process creation with command line containing ScreenConnect. Sysmon Event ID 12/13: Registry modifications under HKLM\SYSTEM\CurrentControlSet\Services\ScreenConnectTest.

Last updated: 2026-04-13 Research depth: deep
References (8)

Unlock Pro Content

Get the full detection package for T1219.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1219Remote Access Tools

Related Sub-techniques

T1219.001IDE TunnelingT1219.003Remote Access Hardware

Related Techniques

T1219Remote Access ToolsT1219.001IDE TunnelingT1219.003Remote Access HardwareT1543.003Windows ServiceT1547.001Registry Run Keys / Startup FolderT1105Ingress Tool TransferT1021.001Remote Desktop ProtocolT1486Data Encrypted for ImpactT1570Lateral Tool Transfer

Same Tactic: Command and Control

Popular Detections