Detect Remote Desktop Software in CrowdStrike LogScale
An adversary may use legitimate desktop support software to establish an interactive command and control channel to target systems within networks. Desktop support software provides a graphical interface for remotely controlling another computer, transmitting the display output, keyboard input, and mouse control between devices using various protocols. Desktop support software, such as VNC, TeamViewer, AnyDesk, ScreenConnect, LogMeIn, AmmyyAdmin, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment. Remote access modules/features may also exist as part of otherwise existing software such as Zoom or Google Chrome's Remote Desktop.
MITRE ATT&CK
- Tactic
- Command and Control
- Technique
- T1219 Remote Access Tools
- Sub-technique
- T1219.002 Remote Desktop Software
- Canonical reference
- https://attack.mitre.org/techniques/T1219/002/
LogScale Detection Query
#event_simpleName = ProcessRollup2
| FileName = /(?i)^(teamviewer|teamviewer_service|tv_w32|tv_x64|anydesk|anydesk_service|screenconnect|screenconnectclient|connectwisecontrol\.client|logmein|lmi_rescue|logmeinrescue|logmeinrescueworkstation|ammyyadmin|aa_v3|vnc|vncviewer|tvnserver|winvnc|uvnc_service|vncserver|splashtop|splashtopremote|splashtop_streamer|rustdesk|supremo|supremoservice|netsupportmanager|client32|chrome_remote_desktop|remoting_host|zoommtg)\.exe$/i
| ToolFamily := case {
FileName = /(?i)(teamviewer|tv_w32|tv_x64)/ => "TeamViewer",
FileName = /(?i)anydesk/ => "AnyDesk",
FileName = /(?i)(screenconnect|connectwise)/ => "ScreenConnect",
FileName = /(?i)(logmein|lmi_rescue)/ => "LogMeIn",
FileName = /(?i)(ammyy|aa_v3)/ => "AmmyyAdmin",
FileName = /(?i)(vnc|tvnserver|winvnc|uvnc)/ => "VNC",
FileName = /(?i)splashtop/ => "Splashtop",
FileName = /(?i)rustdesk/ => "RustDesk",
FileName = /(?i)supremo/ => "Supremo",
FileName = /(?i)(netsupport|client32)/ => "NetSupport",
FileName = /(?i)(chrome_remote|remoting_host)/ => "ChromeRD",
* => "Other"
}
| SuspiciousParent := if(ParentBaseFileName = /(?i)(powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|msiexec|taskeng|taskhostw)/, "Yes", "No")
| FromTempPath := if(ImageFileName = /(?i)(\\Temp\\|\\tmp\\|\\Downloads\\|AppData.Local.Temp)/, "Yes", "No")
| IsPortable := if(ImageFileName != /(?i)C:\\Program Files/, "Yes", "No")
| table([timestamp, ComputerName, UserName, FileName, CommandLine, ImageFileName, ParentBaseFileName, ParentCommandLine, ToolFamily, SuspiciousParent, FromTempPath, IsPortable])
| sort(timestamp, order=desc)Detects Remote Desktop Software / RMM tool execution (T1219.002) using CrowdStrike Falcon's ProcessRollup2 events in LogScale (Humio CQL). Matches known RMM tool executables by FileName, classifies into tool families, and enriches with suspicious parent process (script interpreters and LOLBins), temp-path execution indicator, and portable/non-standard install path detection. Uses Falcon sensor process telemetry without dependency on third-party log forwarding.
Data Sources
Required Tables
False Positives & Tuning
- Authorized IT administrators deploying Falcon-allowlisted RMM tools via approved MDM or endpoint management solutions (e.g., Intune, SCCM), where the parent process is a management agent rather than a LOLBin
- Vendor-initiated remote support sessions pre-approved through change management where the RMM binary is dropped to a staging directory before installation completes and moves it to Program Files
- Security operations or incident response teams using NetSupport Manager or similar tools on compromised endpoints for forensic triage under an approved IR playbook
Other platforms for T1219.002
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1AnyDesk Portable Download and ID Retrieval
Expected signal: Sysmon Event ID 1: powershell.exe with Invoke-WebRequest downloading AnyDesk. Sysmon Event ID 11: File creation at Downloads\AnyDesk_test.exe. Sysmon Event ID 1: AnyDesk_test.exe process creation from Downloads folder. Sysmon Event ID 3: Network connection to AnyDesk relay servers. Sysmon Event ID 22: DNS query for *.anydesk.com.
- Test 2NetSupport Manager Client32 Execution
Expected signal: Sysmon Event ID 1: cmd.exe spawning with path containing NetSupport_Test. Sysmon Event ID 11: File creation events for the mock batch file in temp directory. Security Event ID 4688: Process creation for cmd.exe with command line referencing NetSupport.
- Test 3ScreenConnect Client Service Installation Simulation
Expected signal: Security Event ID 7045: New service installed with ServiceName=ScreenConnectTest, ServiceFileName containing ScreenConnect. Sysmon Event ID 1: sc.exe process creation with command line containing ScreenConnect. Sysmon Event ID 12/13: Registry modifications under HKLM\SYSTEM\CurrentControlSet\Services\ScreenConnectTest.
References (8)
- https://attack.mitre.org/techniques/T1219/002/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
- https://www.mandiant.com/resources/blog/unc3944-sms-phishing-sim-swapping-ransomware
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
- https://go.crowdstrike.com/rs/281-OBQ-266/images/15GlobalThreatReport.pdf
Unlock Pro Content
Get the full detection package for T1219.002 including response playbook, investigation guide, and atomic red team tests.