Detect Remote Desktop Software in IBM QRadar
An adversary may use legitimate desktop support software to establish an interactive command and control channel to target systems within a network. Desktop support software provides a graphical interface for remotely controlling another computer, transmitting display output, keyboard input, and mouse control between devices over various protocols. Tools such as VNC, TeamViewer, AnyDesk, ScreenConnect, LogMeIn, AmmyyAdmin, and other remote monitoring and management (RMM) products are commonly used for legitimate technical support and may therefore be permitted by application control in the target environment. Remote access modules or features may also exist inside software that is already present for other reasons, such as Zoom or Google Chrome's Remote Desktop.
MITRE ATT&CK
- Tactic: Command and Control
- Technique: T1219 Remote Access Tools
- Sub-technique: T1219.002 Remote Desktop Software
- Canonical reference: https://attack.mitre.org/techniques/T1219/002/
QRadar Detection Query

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  username,
  sourceip AS source_ip,
  "Process Name" AS process_name,
  "Parent Process Name" AS parent_process_name,
  "Command" AS command_line,
  CASE
    WHEN "Process Name" ILIKE '%teamviewer%' OR "Process Name" ILIKE '%tv_w32%' OR "Process Name" ILIKE '%tv_x64%' THEN 'TeamViewer'
    WHEN "Process Name" ILIKE '%anydesk%' THEN 'AnyDesk'
    WHEN "Process Name" ILIKE '%screenconnect%' OR "Process Name" ILIKE '%connectwise%' THEN 'ScreenConnect'
    WHEN "Process Name" ILIKE '%logmein%' OR "Process Name" ILIKE '%lmi_rescue%' THEN 'LogMeIn'
    WHEN "Process Name" ILIKE '%ammyy%' OR "Process Name" ILIKE '%aa_v3%' THEN 'AmmyyAdmin'
    WHEN "Process Name" ILIKE '%vnc%' OR "Process Name" ILIKE '%tvnserver%' OR "Process Name" ILIKE '%winvnc%' THEN 'VNC'
    WHEN "Process Name" ILIKE '%splashtop%' THEN 'Splashtop'
    WHEN "Process Name" ILIKE '%rustdesk%' THEN 'RustDesk'
    WHEN "Process Name" ILIKE '%supremo%' THEN 'Supremo'
    WHEN "Process Name" ILIKE '%netsupport%' OR "Process Name" ILIKE '%client32%' THEN 'NetSupport'
    WHEN "Process Name" ILIKE '%chrome_remote%' OR "Process Name" ILIKE '%remoting_host%' THEN 'ChromeRD'
    ELSE 'Other'
  END AS tool_family,
  CASE
    WHEN "Parent Process Name" ILIKE '%powershell%'
      OR "Parent Process Name" ILIKE '%pwsh%'
      OR "Parent Process Name" ILIKE '%cmd.exe%'
      OR "Parent Process Name" ILIKE '%wscript%'
      OR "Parent Process Name" ILIKE '%cscript%'
      OR "Parent Process Name" ILIKE '%mshta%'
      OR "Parent Process Name" ILIKE '%rundll32%'
      OR "Parent Process Name" ILIKE '%msiexec%'
      OR "Parent Process Name" ILIKE '%taskeng%'
      OR "Parent Process Name" ILIKE '%taskhostw%'
    THEN 'Yes' ELSE 'No'
  END AS suspicious_parent,
  CASE
    WHEN "Process Name" ILIKE '%\\temp\\%'
      OR "Process Name" ILIKE '%\\tmp\\%'
      OR "Process Name" ILIKE '%\\downloads\\%'
      OR "Process Name" ILIKE '%appdata%local%temp%'
    THEN 'Yes' ELSE 'No'
  END AS from_temp_path,
  CASE
    WHEN "Process Name" NOT ILIKE '%program files%' THEN 'Yes'
    ELSE 'No'
  END AS is_portable
FROM events
WHERE
  devicetype IN (12, 433)
  AND (
    "Process Name" ILIKE '%teamviewer%'
    OR "Process Name" ILIKE '%tv_w32.exe%'
    OR "Process Name" ILIKE '%tv_x64.exe%'
    OR "Process Name" ILIKE '%anydesk%'
    OR "Process Name" ILIKE '%screenconnect%'
    OR "Process Name" ILIKE '%connectwisecontrol%'
    OR "Process Name" ILIKE '%logmein%'
    OR "Process Name" ILIKE '%lmi_rescue%'
    OR "Process Name" ILIKE '%ammyyadmin%'
    OR "Process Name" ILIKE '%aa_v3.exe%'
    OR "Process Name" ILIKE '%tvnserver%'
    OR "Process Name" ILIKE '%winvnc%'
    OR "Process Name" ILIKE '%uvnc%'
    OR "Process Name" ILIKE '%vncviewer%'
    OR "Process Name" ILIKE '%splashtop%'
    OR "Process Name" ILIKE '%rustdesk%'
    OR "Process Name" ILIKE '%supremo%'
    OR "Process Name" ILIKE '%netsupportmanager%'
    OR "Process Name" ILIKE '%client32.exe%'
    OR "Process Name" ILIKE '%chrome_remote_desktop%'
    OR "Process Name" ILIKE '%remoting_host%'
    OR "Process Name" ILIKE '%zoommtg%'
  )
ORDER BY starttime DESC
LAST 24 HOURS

Detects execution of remote desktop and RMM software (T1219.002) in IBM QRadar from Windows Security Event Log (log source type ID 12) and Sysmon (log source type ID 433) process creation events. The time range uses AQL's LAST clause rather than arithmetic on a current-time constant, and the log source type filter uses the devicetype field, which holds the log source type ID. Confirm the numeric IDs in your deployment before relying on them, for example by selecting LOGSOURCETYPENAME(devicetype) over a sample of the events. The query relies on the 'Process Name', 'Parent Process Name', and 'Command' custom event properties extracted by the Windows Security Event Log or Sysmon DSM; if these properties do not exist (ideally indexed) the query will not parse. It classifies the tool family and flags scripting or LOLBin parent processes, execution from temp or download paths, and execution outside Program Files. Two caveats: in AQL LIKE and ILIKE, '_' matches any single character, so patterns such as '%tv_w32%' and '%aa_v3%' are slightly broader than the literal file names; and is_portable is 'Yes' for any path outside Program Files, including ProgramData and per-user installs, so treat it as a weak signal that matters mainly in combination with suspicious_parent or from_temp_path. The '%zoommtg%' pattern has no CASE branch and lands in 'Other'; check it against the actual Zoom binary names seen in your environment.
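To exercise the classification logic before deploying the AQL, the following Python re-implements the WHERE filter and the four CASE expressions and runs them over a handful of constructed process-creation records. This is an added example, not part of the original page and not QRadar code; the sample hosts, paths, and the 'risk' count are constructed for illustration. It goes one step beyond the query by ranking the selected events by how many behavioural flags fired.

```python
"""Offline re-implementation of the query's classification logic over constructed
Sysmon Event ID 1 / Security 4688 style records. Added example, not from the page."""
import re
from typing import Optional

# WHERE-clause patterns: a process is selected if its path contains any of these.
FILTER_PATTERNS = (
    "teamviewer", "tv_w32.exe", "tv_x64.exe", "anydesk", "screenconnect",
    "connectwisecontrol", "logmein", "lmi_rescue", "ammyyadmin", "aa_v3.exe",
    "tvnserver", "winvnc", "uvnc", "vncviewer", "splashtop", "rustdesk", "supremo",
    "netsupportmanager", "client32.exe", "chrome_remote_desktop", "remoting_host",
    "zoommtg",
)

# tool_family CASE branches in the query's order; first hit wins, so order matters.
# Literal substrings here are slightly stricter than AQL LIKE, where '_' is a wildcard.
TOOL_FAMILIES = (
    (("teamviewer", "tv_w32", "tv_x64"), "TeamViewer"),
    (("anydesk",), "AnyDesk"),
    (("screenconnect", "connectwise"), "ScreenConnect"),
    (("logmein", "lmi_rescue"), "LogMeIn"),
    (("ammyy", "aa_v3"), "AmmyyAdmin"),
    (("vnc", "tvnserver", "winvnc"), "VNC"),
    (("splashtop",), "Splashtop"),
    (("rustdesk",), "RustDesk"),
    (("supremo",), "Supremo"),
    (("netsupport", "client32"), "NetSupport"),
    (("chrome_remote", "remoting_host"), "ChromeRD"),
)

SUSPICIOUS_PARENTS = ("powershell", "pwsh", "cmd.exe", "wscript", "cscript",
                      "mshta", "rundll32", "msiexec", "taskeng", "taskhostw")
TEMP_PATHS = ("\\temp\\", "\\tmp\\", "\\downloads\\")
APPDATA_TEMP = re.compile(r"appdata.*local.*temp")  # the '%appdata%local%temp%' pattern


def matches_filter(process: str) -> bool:
    p = process.lower()
    return any(s in p for s in FILTER_PATTERNS)


def classify(process: str, parent: str) -> dict:
    """Reproduce tool_family, suspicious_parent, from_temp_path and is_portable."""
    p, pp = process.lower(), parent.lower()
    family = next((fam for pats, fam in TOOL_FAMILIES if any(s in p for s in pats)), "Other")
    return {
        "tool_family": family,
        "suspicious_parent": any(s in pp for s in SUSPICIOUS_PARENTS),
        "from_temp_path": any(s in p for s in TEMP_PATHS) or bool(APPDATA_TEMP.search(p)),
        # Query rule: anything outside Program Files. Also fires for ProgramData and
        # per-user installs, so it is a weak signal on its own.
        "is_portable": "program files" not in p,
    }


def triage(event: dict) -> Optional[dict]:
    """Apply the WHERE filter, then classify; None means the event is not selected.
    'risk' (added here, not in the query) counts the three behavioural flags."""
    if not matches_filter(event["process"]):
        return None
    flags = classify(event["process"], event["parent"])
    flags["risk"] = sum(flags[k] for k in ("suspicious_parent", "from_temp_path", "is_portable"))
    return {**event, **flags}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS01", "process": r"C:\Users\alice\Downloads\AnyDesk.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "WS02", "process": r"C:\Program Files\TeamViewer\TeamViewer_Service.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"host": "WS03", "process": r"C:\ProgramData\NetSupport\client32.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"host": "WS04", "process": r"C:\Users\bob\AppData\Local\Temp\tv_w32.exe",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "WS05", "process": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe"},
]


def run(events=SAMPLE_EVENTS) -> list:
    """Selected events, highest risk first (the query itself orders by time)."""
    hits = [h for h in (triage(e) for e in events) if h is not None]
    return sorted(hits, key=lambda h: h["risk"], reverse=True)


if __name__ == "__main__":
    for h in run():
        print(f'{h["host"]:5} risk={h["risk"]} {h["tool_family"]:12} {h["process"]}')
```

WS05 (explorer.exe) never reaches the classifier, WS02 is an installed TeamViewer service with no flags, and WS01 and WS04 score highest because they combine a scripting parent, a temp or download path, and a non-standard location; WS03 shows the is_portable false positive on a ProgramData install.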
False Positives & Tuning
- Authorized IT support personnel using approved RMM tools during scheduled maintenance windows, particularly when agents are managed by endpoint management platforms like SCCM or Intune
- Software asset discovery tools that enumerate running processes including RMM binaries as part of inventory scans, producing high-volume benign matches
- Security operations personnel using NetSupport or similar tools during incident response for forensic acquisition from remote endpoints
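One way to encode the three tuning cases above as a post-processing pass over rows in the shape the query returns (tool_family, source_ip, parent_process_name, and the three Yes/No flags as booleans). This is an added example and not part of the original page; the approved support subnets, the Saturday maintenance window, and the inventory agent image name are all hypothetical values to be replaced with your own. The one rule worth keeping as written is that a temp-path or scripting-parent hit is never suppressed, because an intruder on an approved host launches the same tool and those two flags are what separate the cases.

```python
"""Tuning pass over findings shaped like the query's output rows. Added example with
constructed policy values (approved subnets, maintenance window, inventory agent name)."""
import ipaddress
from datetime import datetime
from typing import List, Optional, Tuple

# Assumed: subnets from which each approved tool family may legitimately run.
APPROVED_TOOL_NETS = {
    "TeamViewer": [ipaddress.ip_network("10.10.0.0/16")],   # IT support VLAN (assumed)
    "NetSupport": [ipaddress.ip_network("10.20.5.0/24")],   # IR workstations (assumed)
}
# Assumed maintenance window: Saturday (weekday 5), 02:00 to 06:00 local time.
MAINT_WEEKDAY, MAINT_START_HOUR, MAINT_END_HOUR = 5, 2, 6
# Assumed: parent image names of an asset-inventory agent (hypothetical name).
INVENTORY_PARENTS = {"inventoryagent.exe"}


def in_maintenance_window(ts: datetime) -> bool:
    return ts.weekday() == MAINT_WEEKDAY and MAINT_START_HOUR <= ts.hour < MAINT_END_HOUR


def suppression_reason(f: dict) -> Optional[str]:
    """Return why a finding is benign, or None if it must be alerted on."""
    # Never suppress temp-path execution or a scripting/LOLBin parent, whatever the host.
    if f["from_temp_path"] or f["suspicious_parent"]:
        return None
    parent_image = f["parent_process_name"].lower().rsplit("\\", 1)[-1]
    if parent_image in INVENTORY_PARENTS:
        return "spawned by inventory agent"
    src = ipaddress.ip_address(f["source_ip"])
    if any(src in net for net in APPROVED_TOOL_NETS.get(f["tool_family"], [])):
        # Installed copies from approved subnets are routine; portable copies are
        # tolerated only inside the maintenance window.
        if not f["is_portable"]:
            return "approved tool installed on approved subnet"
        if in_maintenance_window(f["event_time"]):
            return "approved tool run during maintenance window"
    return None


def tune(findings: List[dict]) -> Tuple[List[dict], List[Tuple[dict, str]]]:
    """Split findings into (alerts, suppressed-with-reason)."""
    alerts, suppressed = [], []
    for f in findings:
        reason = suppression_reason(f)
        if reason:
            suppressed.append((f, reason))
        else:
            alerts.append(f)
    return alerts, suppressed


def finding(**kw) -> dict:
    """Constructed finding with benign defaults; keyword arguments override them."""
    base = {"suspicious_parent": False, "from_temp_path": False, "is_portable": False,
            "parent_process_name": r"C:\Windows\System32\services.exe"}
    base.update(kw)
    return base


# Constructed sample findings (not real telemetry). 2024-06-04 is a Tuesday, 2024-06-08 a Saturday.
SAMPLE_FINDINGS = [
    finding(id="A", tool_family="TeamViewer", source_ip="10.10.3.4",
            event_time=datetime(2024, 6, 4, 14, 0)),
    finding(id="B", tool_family="TeamViewer", source_ip="10.10.3.4", is_portable=True,
            parent_process_name=r"C:\Windows\explorer.exe",
            event_time=datetime(2024, 6, 4, 14, 0)),
    finding(id="C", tool_family="TeamViewer", source_ip="10.10.3.4", is_portable=True,
            parent_process_name=r"C:\Windows\explorer.exe",
            event_time=datetime(2024, 6, 8, 3, 0)),
    finding(id="D", tool_family="AnyDesk", source_ip="10.10.3.4", is_portable=True,
            from_temp_path=True, suspicious_parent=True,
            parent_process_name=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
            event_time=datetime(2024, 6, 8, 3, 0)),
    finding(id="E", tool_family="NetSupport", source_ip="192.168.1.50", is_portable=True,
            event_time=datetime(2024, 6, 4, 14, 0)),
    finding(id="F", tool_family="AnyDesk", source_ip="10.0.0.9",
            parent_process_name=r"C:\Program Files\Inventory\InventoryAgent.exe",
            event_time=datetime(2024, 6, 4, 14, 0)),
]

if __name__ == "__main__":
    alerts, suppressed = tune(SAMPLE_FINDINGS)
    print("alert:", [a["id"] for a in alerts])
    print("suppressed:", [(f["id"], r) for f, r in suppressed])
```

Findings A (installed TeamViewer on the support VLAN), C (portable copy inside the window) and F (spawned by the inventory agent) are suppressed; B (portable copy on a Tuesday), D (AnyDesk from Downloads under PowerShell, even though the host is on the approved subnet) and E (NetSupport from an unapproved subnet) still alert. In QRadar the same policy is usually expressed with reference sets and a rule's time-window test; this script is the offline equivalent for checking that the policy does what you intend.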
Testing Methodology
Validate this detection with the three Atomic Red Team-style tests below. Each lists the behaviour to exercise and the telemetry you should expect to see. Note that the query matches on the Process Name property only: a command line that merely references a tool, or a service registration in the System log, does not produce a hit unless a binary whose path contains one of the listed names actually executes and is logged by Sysmon or Security auditing.
- Test 1: AnyDesk Portable Download and ID Retrieval
Expected signal: Sysmon Event ID 1: powershell.exe with Invoke-WebRequest downloading AnyDesk. Sysmon Event ID 11: file creation at Downloads\AnyDesk_test.exe. Sysmon Event ID 1: AnyDesk_test.exe process creation from the Downloads folder (this is the event the query should flag, with suspicious_parent, from_temp_path, and is_portable all 'Yes'). Sysmon Event ID 3: network connection to AnyDesk relay servers. Sysmon Event ID 22: DNS query for *.anydesk.com.
- Test 2: NetSupport Manager Client32 Execution
Expected signal: Sysmon Event ID 1: cmd.exe spawning with a path containing NetSupport_Test. Sysmon Event ID 11: file creation events for the mock batch file in the temp directory. Security Event ID 4688: process creation for cmd.exe with a command line referencing NetSupport. The query only fires on this test if the mock places a binary whose path contains client32.exe and executes it.
- Test 3: ScreenConnect Client Service Installation Simulation
Expected signal: System Event ID 7045 (Service Control Manager): new service installed with ServiceName=ScreenConnectTest and ServiceFileName containing ScreenConnect. Sysmon Event ID 1: sc.exe process creation with a command line containing ScreenConnect. Sysmon Event ID 12/13: registry modifications under HKLM\SYSTEM\CurrentControlSet\Services\ScreenConnectTest. The query fires only when the registered service binary (path containing ScreenConnect) is actually started.
References
- https://attack.mitre.org/techniques/T1219/002/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
- https://www.mandiant.com/resources/blog/unc3944-sms-phishing-sim-swapping-ransomware
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
- https://go.crowdstrike.com/rs/281-OBQ-266/images/15GlobalThreatReport.pdf