Detect Remote Desktop Software in Sumo Logic CSE
An adversary may use legitimate desktop support software to establish an interactive command and control channel to target systems within networks. Desktop support software provides a graphical interface for remotely controlling another computer, transmitting the display output, keyboard input, and mouse control between devices using various protocols. Desktop support software, such as VNC, TeamViewer, AnyDesk, ScreenConnect, LogMeIn, AmmyyAdmin, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment. Remote access modules/features may also exist as part of otherwise existing software such as Zoom or Google Chrome's Remote Desktop.
MITRE ATT&CK
- Tactic
- Command and Control
- Technique
- T1219 Remote Access Tools
- Sub-technique
- T1219.002 Remote Desktop Software
- Canonical reference
- https://attack.mitre.org/techniques/T1219/002/
Sumo Detection Query
(_sourceCategory="windows/sysmon" OR _sourceCategory="os/windows/sysmon" OR _sourceCategory="*sysmon*")
| where EventID = "1"
| parse regex field=Image "(?<process_path>.+)"
| parse regex field=Image "(?:[^\\\\]+\\\\)*(?<process_name>[^\\\\]+\.exe)" nodrop
| parse regex field=ParentImage "(?:[^\\\\]+\\\\)*(?<parent_process_name>[^\\\\]+\.exe)" nodrop
| where process_name matches /(?i)^(teamviewer|teamviewer_service|tv_w32|tv_x64|anydesk|anydesk_service|screenconnect|screenconnectclient|connectwisecontrol\.client|logmein|lmi_rescue|logmeinrescue|logmeinrescueworkstation|ammyyadmin|aa_v3|vnc|vncviewer|tvnserver|winvnc|uvnc_service|vncserver|splashtop|splashtopremote|splashtop_streamer|rustdesk|supremo|supremoservice|netsupportmanager|client32|chrome_remote_desktop|remoting_host|zoommtg)\.exe$/
| if(process_name matches /(?i)(teamviewer|tv_w32|tv_x64)/, "TeamViewer",
if(process_name matches /(?i)anydesk/, "AnyDesk",
if(process_name matches /(?i)(screenconnect|connectwise)/, "ScreenConnect",
if(process_name matches /(?i)(logmein|lmi_rescue)/, "LogMeIn",
if(process_name matches /(?i)(ammyy|aa_v3)/, "AmmyyAdmin",
if(process_name matches /(?i)(vnc|tvnserver|winvnc|uvnc)/, "VNC",
if(process_name matches /(?i)splashtop/, "Splashtop",
if(process_name matches /(?i)rustdesk/, "RustDesk",
if(process_name matches /(?i)supremo/, "Supremo",
if(process_name matches /(?i)(netsupport|client32)/, "NetSupport",
if(process_name matches /(?i)(chrome_remote|remoting_host)/, "ChromeRD",
"Other"))))))))))) as tool_family
| if(parent_process_name matches /(?i)(powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|msiexec|taskeng|taskhostw)/, "Yes", "No") as suspicious_parent
| if(Image matches /(?i)(\\Temp\\|\\tmp\\|\\Downloads\\|AppData.Local.Temp)/, "Yes", "No") as from_temp_path
| if(!(Image matches /(?i)C:\\Program Files/), "Yes", "No") as is_portable
| todate(_messageTime) as event_time
| fields event_time, Computer, User, process_name, Image, CommandLine, parent_process_name, ParentCommandLine, tool_family, suspicious_parent, from_temp_path, is_portable
| sort by _messageTime descDetects Remote Desktop Software / RMM tool execution (T1219.002) in Sumo Logic using Sysmon EventID 1 (Process Create) events. Parses process and parent process names from Image fields, classifies tool families, and enriches events with suspicious parent process, temp-path execution, and portable installation indicators. Designed for Sumo Logic Installed Collector with Windows Event Log sources forwarding Sysmon operational logs.
Data Sources
Required Tables
False Positives & Tuning
- Help desk and IT support teams using approved remote access tools (TeamViewer, AnyDesk, ScreenConnect) during normal business hours for legitimate end-user support sessions
- Automated endpoint provisioning or onboarding workflows that download and execute RMM agents from temporary directories as part of first-run setup scripts
- Security red team or penetration testing exercises that use RMM tools as C2 channels against targets in authorized engagement scopes
Other platforms for T1219.002
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1AnyDesk Portable Download and ID Retrieval
Expected signal: Sysmon Event ID 1: powershell.exe with Invoke-WebRequest downloading AnyDesk. Sysmon Event ID 11: File creation at Downloads\AnyDesk_test.exe. Sysmon Event ID 1: AnyDesk_test.exe process creation from Downloads folder. Sysmon Event ID 3: Network connection to AnyDesk relay servers. Sysmon Event ID 22: DNS query for *.anydesk.com.
- Test 2NetSupport Manager Client32 Execution
Expected signal: Sysmon Event ID 1: cmd.exe spawning with path containing NetSupport_Test. Sysmon Event ID 11: File creation events for the mock batch file in temp directory. Security Event ID 4688: Process creation for cmd.exe with command line referencing NetSupport.
- Test 3ScreenConnect Client Service Installation Simulation
Expected signal: Security Event ID 7045: New service installed with ServiceName=ScreenConnectTest, ServiceFileName containing ScreenConnect. Sysmon Event ID 1: sc.exe process creation with command line containing ScreenConnect. Sysmon Event ID 12/13: Registry modifications under HKLM\SYSTEM\CurrentControlSet\Services\ScreenConnectTest.
References (8)
- https://attack.mitre.org/techniques/T1219/002/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
- https://www.mandiant.com/resources/blog/unc3944-sms-phishing-sim-swapping-ransomware
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
- https://go.crowdstrike.com/rs/281-OBQ-266/images/15GlobalThreatReport.pdf
Unlock Pro Content
Get the full detection package for T1219.002 including response playbook, investigation guide, and atomic red team tests.