Detect Remote Desktop Software in Splunk
An adversary may use legitimate desktop support software to establish an interactive command and control channel to target systems within networks. Desktop support software provides a graphical interface for remotely controlling another computer, transmitting the display output, keyboard input, and mouse control between devices using various protocols. Desktop support software, such as VNC, TeamViewer, AnyDesk, ScreenConnect, LogMeIn, AmmyyAdmin, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment. Remote access modules/features may also exist as part of otherwise existing software such as Zoom or Google Chrome's Remote Desktop.
MITRE ATT&CK
- Tactic
- Command and Control
- Technique
- T1219 Remote Access Tools
- Sub-technique
- T1219.002 Remote Desktop Software
- Canonical reference
- https://attack.mitre.org/techniques/T1219/002/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(Image="*\\teamviewer*.exe" OR Image="*\\tv_w32.exe" OR Image="*\\tv_x64.exe"
OR Image="*\\anydesk*.exe"
OR Image="*\\screenconnect*.exe" OR Image="*\\connectwisecontrol*.exe"
OR Image="*\\logmein*.exe" OR Image="*\\lmi_rescue*.exe"
OR Image="*\\ammyyadmin.exe" OR Image="*\\aa_v3.exe"
OR Image="*\\*vnc*.exe" OR Image="*\\tvnserver.exe" OR Image="*\\winvnc.exe"
OR Image="*\\splashtop*.exe"
OR Image="*\\rustdesk.exe" OR Image="*\\supremo*.exe"
OR Image="*\\netsupportmanager.exe" OR Image="*\\client32.exe"
OR Image="*\\chrome_remote_desktop*.exe" OR Image="*\\remoting_host.exe")
| eval ToolFamily=case(
match(Image, "(?i)(teamviewer|tv_w32|tv_x64)"), "TeamViewer",
match(Image, "(?i)anydesk"), "AnyDesk",
match(Image, "(?i)(screenconnect|connectwise)"), "ScreenConnect",
match(Image, "(?i)(logmein|lmi_rescue)"), "LogMeIn",
match(Image, "(?i)(ammyy|aa_v3)"), "AmmyyAdmin",
match(Image, "(?i)(vnc|tvnserver|winvnc|uvnc)"), "VNC",
match(Image, "(?i)splashtop"), "Splashtop",
match(Image, "(?i)rustdesk"), "RustDesk",
match(Image, "(?i)supremo"), "Supremo",
match(Image, "(?i)(netsupport|client32)"), "NetSupport",
match(Image, "(?i)(chrome_remote|remoting_host)"), "ChromeRD",
1=1, "Other")
| eval SuspiciousParent=if(match(ParentImage, "(?i)(powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|msiexec|taskeng|taskhostw)"), "Yes", "No")
| eval FromTempPath=if(match(Image, "(?i)(\\Temp\\|\\tmp\\|\\Downloads\\|\\AppData\\Local\\Temp)"), "Yes", "No")
| eval IsPortable=if(NOT match(Image, "(?i)C:\\Program Files"), "Yes", "No")
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, ToolFamily, SuspiciousParent, FromTempPath, IsPortable
| sort - _timeDetects remote desktop and RMM tool execution via Sysmon Process Creation (Event ID 1). Identifies TeamViewer, AnyDesk, ScreenConnect, LogMeIn, AmmyyAdmin, VNC variants, Splashtop, RustDesk, Supremo, NetSupport Manager, and Chrome Remote Desktop. Enriches with suspicious parent process flags, temp/download path indicators, and portable execution markers. These enrichments help analysts quickly distinguish between adversary-deployed RMM tools and legitimate IT operations.
Data Sources
Required Sourcetypes
False Positives & Tuning
- IT helpdesk using approved tools for legitimate remote support with active tickets
- MSPs running contracted RMM agents for endpoint management
- End users with pre-installed Chrome Remote Desktop or similar tools
- Software deployment systems updating approved RMM agents across the fleet
Other platforms for T1219.002
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1AnyDesk Portable Download and ID Retrieval
Expected signal: Sysmon Event ID 1: powershell.exe with Invoke-WebRequest downloading AnyDesk. Sysmon Event ID 11: File creation at Downloads\AnyDesk_test.exe. Sysmon Event ID 1: AnyDesk_test.exe process creation from Downloads folder. Sysmon Event ID 3: Network connection to AnyDesk relay servers. Sysmon Event ID 22: DNS query for *.anydesk.com.
- Test 2NetSupport Manager Client32 Execution
Expected signal: Sysmon Event ID 1: cmd.exe spawning with path containing NetSupport_Test. Sysmon Event ID 11: File creation events for the mock batch file in temp directory. Security Event ID 4688: Process creation for cmd.exe with command line referencing NetSupport.
- Test 3ScreenConnect Client Service Installation Simulation
Expected signal: Security Event ID 7045: New service installed with ServiceName=ScreenConnectTest, ServiceFileName containing ScreenConnect. Sysmon Event ID 1: sc.exe process creation with command line containing ScreenConnect. Sysmon Event ID 12/13: Registry modifications under HKLM\SYSTEM\CurrentControlSet\Services\ScreenConnectTest.
References (8)
- https://attack.mitre.org/techniques/T1219/002/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
- https://www.mandiant.com/resources/blog/unc3944-sms-phishing-sim-swapping-ransomware
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
- https://go.crowdstrike.com/rs/281-OBQ-266/images/15GlobalThreatReport.pdf
Unlock Pro Content
Get the full detection package for T1219.002 including response playbook, investigation guide, and atomic red team tests.