Detect Remote Desktop Software in Microsoft Sentinel
An adversary may use legitimate desktop support software to establish an interactive command and control channel to target systems within networks. Desktop support software provides a graphical interface for remotely controlling another computer, transmitting the display output, keyboard input, and mouse control between devices using various protocols. Desktop support software, such as VNC, TeamViewer, AnyDesk, ScreenConnect, LogMeIn, AmmyyAdmin, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment. Remote access modules/features may also exist as part of otherwise existing software such as Zoom or Google Chrome's Remote Desktop.
MITRE ATT&CK
- Tactic
- Command and Control
- Technique
- T1219 Remote Access Tools
- Sub-technique
- T1219.002 Remote Desktop Software
- Canonical reference
- https://attack.mitre.org/techniques/T1219/002/
KQL Detection Query
let RMMTools = dynamic([
"teamviewer.exe", "teamviewer_service.exe", "tv_w32.exe", "tv_x64.exe",
"anydesk.exe", "anydesk_service.exe",
"screenconnect.exe", "screenconnectclient.exe", "connectwisecontrol.client.exe",
"logmein.exe", "lmi_rescue.exe", "logmeinrescue.exe", "logmeinrescueworkstation.exe",
"ammyyadmin.exe", "aa_v3.exe",
"vnc.exe", "vncviewer.exe", "tvnserver.exe", "winvnc.exe", "uvnc_service.exe", "vncserver.exe",
"splashtop.exe", "splashtopremote.exe", "splashtop_streamer.exe",
"rustdesk.exe", "supremo.exe", "supremoservice.exe",
"netsupportmanager.exe", "client32.exe",
"chrome_remote_desktop.exe", "remoting_host.exe",
"zoommtg.exe"
]);
let SuspiciousParents = dynamic([
"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
"cscript.exe", "mshta.exe", "rundll32.exe", "msiexec.exe",
"taskeng.exe", "taskhostw.exe"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (RMMTools)
| extend SuspiciousParent = InitiatingProcessFileName has_any (SuspiciousParents)
| extend FromTempPath = FolderPath has_any ("\\Temp\\", "\\tmp\\", "\\AppData\\Local\\Temp", "\\Downloads\\")
| extend IsPortable = FolderPath !startswith "C:\\Program Files" and FolderPath !startswith "C:\\Program Files (x86)"
| extend ToolFamily = case(
FileName has_any ("teamviewer", "tv_w32", "tv_x64"), "TeamViewer",
FileName has_any ("anydesk"), "AnyDesk",
FileName has_any ("screenconnect", "connectwise"), "ScreenConnect",
FileName has_any ("logmein", "lmi_rescue"), "LogMeIn",
FileName has_any ("ammyy", "aa_v3"), "AmmyyAdmin",
FileName has_any ("vnc", "tvnserver", "winvnc", "uvnc"), "VNC",
FileName has_any ("splashtop"), "Splashtop",
FileName has_any ("rustdesk"), "RustDesk",
FileName has_any ("supremo"), "Supremo",
FileName has_any ("netsupport", "client32"), "NetSupport",
FileName has_any ("chrome_remote", "remoting_host"), "ChromeRD",
"Other")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, FolderPath,
InitiatingProcessFileName, InitiatingProcessCommandLine,
ToolFamily, SuspiciousParent, FromTempPath, IsPortable
| sort by Timestamp descDetects execution of remote desktop and RMM software using Microsoft Defender for Endpoint DeviceProcessEvents. Covers TeamViewer, AnyDesk, ScreenConnect/ConnectWise, LogMeIn, AmmyyAdmin, VNC variants, Splashtop, RustDesk, Supremo, NetSupport Manager, and Chrome Remote Desktop. Enriches alerts with tool family classification, suspicious parent process detection, and portable/temp path execution indicators that help distinguish adversary usage from legitimate IT support.
Data Sources
Required Tables
False Positives & Tuning
- IT helpdesk technicians using approved RMM tools (TeamViewer, ScreenConnect, LogMeIn) for employee support sessions with active support tickets
- Managed Service Providers (MSPs) running authorized RMM agents (ConnectWise, Splashtop) as part of contracted endpoint management
- End users launching pre-installed remote desktop tools from standard paths for legitimate personal use (Chrome Remote Desktop)
- Software deployment systems (SCCM, PDQ Deploy) installing or updating approved RMM agents across the fleet
Other platforms for T1219.002
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1AnyDesk Portable Download and ID Retrieval
Expected signal: Sysmon Event ID 1: powershell.exe with Invoke-WebRequest downloading AnyDesk. Sysmon Event ID 11: File creation at Downloads\AnyDesk_test.exe. Sysmon Event ID 1: AnyDesk_test.exe process creation from Downloads folder. Sysmon Event ID 3: Network connection to AnyDesk relay servers. Sysmon Event ID 22: DNS query for *.anydesk.com.
- Test 2NetSupport Manager Client32 Execution
Expected signal: Sysmon Event ID 1: cmd.exe spawning with path containing NetSupport_Test. Sysmon Event ID 11: File creation events for the mock batch file in temp directory. Security Event ID 4688: Process creation for cmd.exe with command line referencing NetSupport.
- Test 3ScreenConnect Client Service Installation Simulation
Expected signal: Security Event ID 7045: New service installed with ServiceName=ScreenConnectTest, ServiceFileName containing ScreenConnect. Sysmon Event ID 1: sc.exe process creation with command line containing ScreenConnect. Sysmon Event ID 12/13: Registry modifications under HKLM\SYSTEM\CurrentControlSet\Services\ScreenConnectTest.
References (8)
- https://attack.mitre.org/techniques/T1219/002/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
- https://www.mandiant.com/resources/blog/unc3944-sms-phishing-sim-swapping-ransomware
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
- https://go.crowdstrike.com/rs/281-OBQ-266/images/15GlobalThreatReport.pdf
Unlock Pro Content
Get the full detection package for T1219.002 including response playbook, investigation guide, and atomic red team tests.