T1219 IBM QRadar · QRadar

Detect Remote Access Tools in IBM QRadar

An adversary may use legitimate remote access tools to establish an interactive command and control channel within a network. Remote access tools create a session between two trusted hosts through a graphical interface, a command line interaction, a protocol tunnel via development or management software, or hardware-level access such as KVM (Keyboard, Video, Mouse) over IP solutions. Desktop support software and remote management software allow a user to control a computer remotely as if they are a local user inheriting the user or software permissions. This software is commonly used for troubleshooting, software installation, and system management. Adversaries may similarly abuse response features included in EDR and other defensive tools that enable remote access. Remote access tools may be installed and used post-compromise as an alternate communications channel for redundant access or to establish an interactive remote desktop session with the target system.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1219 Remote Access Tools
Canonical reference
https://attack.mitre.org/techniques/T1219/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  sourceip,
  username,
  "Process Name",
  "Command Line",
  "Parent Process Name",
  CATEGORYNAME(category) AS event_category,
  CASE
    WHEN LOWER("Process Name") MATCHES '.*?(teamviewer|anydesk|screenconnect|connectwise).*?' THEN 'Commercial RMM'
    WHEN LOWER("Process Name") MATCHES '.*?(vnc|tvnserver|winvnc|uvnc).*?' THEN 'VNC'
    WHEN LOWER("Process Name") MATCHES '.*?(logmein|lmi_rescue).*?' THEN 'LogMeIn'
    WHEN LOWER("Process Name") MATCHES '.*?(ammyy|aa_v3).*?' THEN 'AmmyyAdmin'
    WHEN LOWER("Process Name") MATCHES '.*?(rustdesk|splashtop|supremo).*?' THEN 'Other RMM'
    WHEN LOWER("Process Name") MATCHES '.*?(atera|ninja|simplehelp|dwrcs).*?' THEN 'MSP Tool'
    ELSE 'Unknown'
  END AS rat_category,
  CASE
    WHEN LOWER("Parent Process Name") MATCHES '.*?(services\.exe|svchost\.exe).*?' THEN 'Yes'
    ELSE 'No'
  END AS is_service_launched,
  CASE
    WHEN LOWER("Parent Process Name") MATCHES '.*?(explorer\.exe|cmd\.exe|powershell\.exe).*?' THEN 'Yes'
    ELSE 'No'
  END AS is_user_launched
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13, 101, 143)
  AND QIDNAME(qid) ILIKE '%process%'
  AND (
    LOWER("Process Name") MATCHES '.*?teamviewer.*?'
    OR LOWER("Process Name") MATCHES '.*?anydesk.*?'
    OR LOWER("Process Name") MATCHES '.*?screenconnect.*?'
    OR LOWER("Process Name") MATCHES '.*?connectwisecontrol.*?'
    OR LOWER("Process Name") MATCHES '.*?logmein.*?'
    OR LOWER("Process Name") MATCHES '.*?lmi_rescue.*?'
    OR LOWER("Process Name") MATCHES '.*?ammyyadmin.*?'
    OR LOWER("Process Name") MATCHES '.*?aa_v3\.exe.*?'
    OR LOWER("Process Name") MATCHES '.*?supremo.*?'
    OR LOWER("Process Name") MATCHES '.*?rustdesk.*?'
    OR LOWER("Process Name") MATCHES '.*?splashtop.*?'
    OR LOWER("Process Name") MATCHES '.*?ateraagent.*?'
    OR LOWER("Process Name") MATCHES '.*?ninjaone.*?'
    OR LOWER("Process Name") MATCHES '.*?ninjaremote.*?'
    OR LOWER("Process Name") MATCHES '.*?simplehelp.*?'
    OR LOWER("Process Name") MATCHES '.*?dwrcs.*?'
    OR LOWER("Process Name") MATCHES '.*?dwrcst.*?'
    OR LOWER("Process Name") MATCHES '.*?tmate.*?'
    OR LOWER("Process Name") MATCHES '.*?tvnserver.*?'
    OR LOWER("Process Name") MATCHES '.*?winvnc.*?'
    OR LOWER("Process Name") MATCHES '.*?uvnc_service.*?'
    OR LOWER("Process Name") IN ('vnc.exe', 'vncviewer.exe')
  )
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC
LAST 24 HOURS
medium severity medium confidence

QRadar AQL query detecting process creation events for known Remote Access Tools across Windows endpoints using Sysmon or Windows Security event sources. Normalizes results with RATCategory classification and flags whether the process was service- or user-initiated, enabling triage differentiation between managed RMM deployment and adversary-initiated remote access.

Data Sources

Microsoft Windows Security Event Log (via QRadar DSM)Sysmon event log forwarded to QRadarCarbon Black or CrowdStrike DSM process events

Required Tables

events

False Positives & Tuning

  • Sanctioned MSP agents (Atera, NinjaRMM, ScreenConnect) deployed to managed endpoints as part of a formal IT contract
  • Internal IT staff using TeamViewer or AnyDesk for routine remote support tickets
  • Developer workstations running tmate for collaborative terminal sharing during code review
Download portable Sigma rule (.yml)

Other platforms for T1219

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1AnyDesk Portable Execution from Temp Directory

    Expected signal: Sysmon Event ID 1: Process Create with Image=%TEMP%\anydesk_test.exe. Sysmon Event ID 3: Network connection to AnyDesk relay servers (*.net.anydesk.com). Sysmon Event ID 11: File creation in %TEMP% for the AnyDesk binary. Sysmon Event ID 22: DNS query for anydesk.com domains.

  2. Test 2TeamViewer Service Installation Detection

    Expected signal: Sysmon Event ID 12: Registry key created at HKCU\SOFTWARE\TeamViewer_Test. Sysmon Event ID 13: Registry value set for Run key persistence. Security Event ID 4688: reg.exe process creation with command line containing TeamViewer.

  3. Test 3VNC Server Execution Test

    Expected signal: Sysmon Event ID 1: Process Create with Image containing tvnserver.exe or cmd.exe (mock). If TightVNC present: Sysmon Event ID 3 for VNC listening on port 5900. Security Event ID 4688 with command line arguments.

Last updated: 2026-04-19 Research depth: deep
References (8)

Unlock Pro Content

Get the full detection package for T1219 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (3)

Related Techniques

T1219.001IDE TunnelingT1219.002Remote Desktop SoftwareT1219.003Remote Access HardwareT1543.003Windows ServiceT1105Ingress Tool TransferT1572Protocol TunnelingT1071.001Web ProtocolsT1021.001Remote Desktop ProtocolT1053.005Scheduled Task

Same Tactic: Command and Control

Popular Detections