Detect Remote Access Tools in Google Chronicle
An adversary may use legitimate remote access tools to establish an interactive command and control channel within a network. Remote access tools create a session between two trusted hosts through a graphical interface, a command line interaction, a protocol tunnel via development or management software, or hardware-level access such as KVM (Keyboard, Video, Mouse) over IP solutions. Desktop support software and remote management software allow a user to control a computer remotely as if they are a local user inheriting the user or software permissions. This software is commonly used for troubleshooting, software installation, and system management. Adversaries may similarly abuse response features included in EDR and other defensive tools that enable remote access. Remote access tools may be installed and used post-compromise as an alternate communications channel for redundant access or to establish an interactive remote desktop session with the target system.
MITRE ATT&CK
- Tactic
- Command and Control
- Technique
- T1219 Remote Access Tools
- Canonical reference
- https://attack.mitre.org/techniques/T1219/
YARA-L Detection Query
rule t1219_remote_access_tools {
meta:
author = "df00tech"
description = "Detects execution of known Remote Access Tools and RMM software (MITRE ATT&CK T1219). Identifies commercial RMM tools, VNC variants, MSP management agents, and open-source remote access utilities launched on Windows endpoints."
mitre_attack_tactic = "Command and Control"
mitre_attack_technique = "T1219"
severity = "MEDIUM"
priority = "MEDIUM"
events:
$e.metadata.event_type = "PROCESS_LAUNCH"
$e.principal.process.file.full_path != ""
(
re.regex($e.target.process.file.full_path, `(?i)(teamviewer|teamviewer_service|anydesk|anydesk_service|screenconnect|connectwisecontrol\.client|logmein|lmi_rescue|logmeinrescue|ammyyadmin|aa_v3|supremo|supremoservice|rustdesk|splashtop|ateraagent|ninjaone|ninjaremote|simplehelp|dwrcs|dwrcst|tmate|tvnserver|vncviewer|uvnc_service|winvnc|chrome_remote_desktop|remote_assistance_host)\.exe$`)
)
match:
$e.principal.hostname over 15m
outcome:
$hostname = $e.principal.hostname
$username = $e.principal.user.userid
$process_name = $e.target.process.file.full_path
$command_line = $e.target.process.command_line
$parent_process = $e.principal.process.file.full_path
$rat_category = if(
re.regex($e.target.process.file.full_path, `(?i)(teamviewer|anydesk|screenconnect|connectwise)`), "Commercial RMM",
if(
re.regex($e.target.process.file.full_path, `(?i)(vnc|tvnserver|winvnc|uvnc)`), "VNC",
if(
re.regex($e.target.process.file.full_path, `(?i)(logmein|lmi_rescue)`), "LogMeIn",
if(
re.regex($e.target.process.file.full_path, `(?i)(ammyy|aa_v3)`), "AmmyyAdmin",
if(
re.regex($e.target.process.file.full_path, `(?i)(rustdesk|splashtop|supremo)`), "Other RMM",
if(
re.regex($e.target.process.file.full_path, `(?i)(atera|ninja|simplehelp|dwrcs)`), "MSP Tool",
"Unknown"
)
)
)
)
)
)
$is_service_launched = if(
re.regex($e.principal.process.file.full_path, `(?i)(services\.exe|svchost\.exe)`), "Yes", "No"
)
$is_user_launched = if(
re.regex($e.principal.process.file.full_path, `(?i)(explorer\.exe|cmd\.exe|powershell\.exe)`), "Yes", "No"
)
condition:
$e
}Chronicle YARA-L 2.0 rule detecting Remote Access Tool process launches on Windows endpoints. Monitors PROCESS_LAUNCH UDM events and matches against a comprehensive list of known RMM and remote access binary names. Enriches detections with tool category classification and launch context (service vs. interactive user), supporting analyst triage of MITRE ATT&CK T1219.
Data Sources
Required Tables
False Positives & Tuning
- Enterprise environments where ScreenConnect or Atera is centrally deployed and whitelisted for IT operations
- End users with personal copies of AnyDesk or TeamViewer installed for home-to-office remote access
- Security red team exercises using RustDesk or SimpleHelp to simulate adversary remote access
Other platforms for T1219
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1AnyDesk Portable Execution from Temp Directory
Expected signal: Sysmon Event ID 1: Process Create with Image=%TEMP%\anydesk_test.exe. Sysmon Event ID 3: Network connection to AnyDesk relay servers (*.net.anydesk.com). Sysmon Event ID 11: File creation in %TEMP% for the AnyDesk binary. Sysmon Event ID 22: DNS query for anydesk.com domains.
- Test 2TeamViewer Service Installation Detection
Expected signal: Sysmon Event ID 12: Registry key created at HKCU\SOFTWARE\TeamViewer_Test. Sysmon Event ID 13: Registry value set for Run key persistence. Security Event ID 4688: reg.exe process creation with command line containing TeamViewer.
- Test 3VNC Server Execution Test
Expected signal: Sysmon Event ID 1: Process Create with Image containing tvnserver.exe or cmd.exe (mock). If TightVNC present: Sysmon Event ID 3 for VNC listening on port 5900. Security Event ID 4688 with command line arguments.
References (8)
- https://attack.mitre.org/techniques/T1219/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
- https://go.crowdstrike.com/rs/281-OBQ-266/images/15GlobalThreatReport.pdf
- https://www.mandiant.com/resources/blog/unc3944-sms-phishing-sim-swapping-ransomware
Unlock Pro Content
Get the full detection package for T1219 including response playbook, investigation guide, and atomic red team tests.