T1566.004 Spearphishing Voice Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let RMMProcesses = dynamic([
    "anydesk.exe", "teamviewer.exe", "teamviewer_service.exe",
    "screenconnect.exe", "connectwisecontrol.exe", "quickassist.exe",
    "remotepc.exe", "logmeinrescue.exe", "atera_agent.exe", "atera.exe",
    "splashtop.exe", "supremo.exe", "ultraviewer.exe", "rustdesk.exe",
    "ammyyadmin.exe", "getscreen.exe", "zoho_assist.exe",
    "msra.exe", "fixmeit.exe", "dwagent.exe"
]);
let SuspiciousChildren = dynamic([
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
    "bitsadmin.exe", "msiexec.exe", "curl.exe", "wget.exe"
]);
let SuspiciousCmdPatterns = dynamic([
    "-EncodedCommand", "-enc ", "Invoke-WebRequest", "DownloadString",
    "DownloadFile", "IEX(", "-ExecutionPolicy Bypass", "-WindowStyle Hidden",
    "Start-BitsTransfer", "certutil -urlcache", "Net.WebClient"
]);
// Branch 1: RMM tool spawning suspicious interpreter or LOLBin (key vishing post-exploitation pattern)
let RMMSpawningSuspicious = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName has_any (RMMProcesses)
| where FileName has_any (SuspiciousChildren)
| extend DetectionBranch = "RMM_Spawned_Suspicious_Child"
| extend HasSuspiciousCmd = ProcessCommandLine has_any (SuspiciousCmdPatterns)
| extend RiskScore = 3 + toint(HasSuspiciousCmd);
// Branch 2: RMM tool process with a suspicious command line (direct download/execution via RMM session)
let RMMWithSuspiciousCmd = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (RMMProcesses)
| where ProcessCommandLine has_any (SuspiciousCmdPatterns)
| extend DetectionBranch = "RMM_Process_Suspicious_Cmdline"
| extend HasSuspiciousCmd = true
| extend RiskScore = 2;
// Branch 3: Quick Assist (Storm-1811 specific) spawning any child process
let QuickAssistChildren = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "quickassist.exe" or InitiatingProcessFileName =~ "msra.exe"
| where FileName has_any (SuspiciousChildren)
| extend DetectionBranch = "QuickAssist_Child_Execution"
| extend HasSuspiciousCmd = ProcessCommandLine has_any (SuspiciousCmdPatterns)
| extend RiskScore = 4 + toint(HasSuspiciousCmd);
union RMMSpawningSuspicious, RMMWithSuspiciousCmd, QuickAssistChildren
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         DetectionBranch, HasSuspiciousCmd, RiskScore
| sort by RiskScore desc, Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint Network: Network Connection Creation

Required Tables

DeviceProcessEvents

False Positives

Legitimate IT helpdesk sessions where support staff use Quick Assist or AnyDesk to assist users and then run PowerShell diagnostic scripts
Managed Service Providers (MSPs) running RMM agents (Atera, ConnectWise, Splashtop) that legitimately execute scripts for patch management or software deployment
Software asset management tools that deploy or update packages via RMM-like processes during business hours
IT onboarding workflows where AnyDesk or TeamViewer is used to configure new endpoints and install baseline tooling via scripted deployment
Vendor-initiated remote support sessions for enterprise software that involve running diagnostic PowerShell commands

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval Image_lower=lower(Image)
| eval ParentImage_lower=lower(ParentImage)
| eval CommandLine_lower=lower(CommandLine)
| eval IsRMMParent=if(match(ParentImage_lower, "(anydesk|teamviewer|screenconnect|connectwise|quickassist|remotepc|logmeinrescue|atera|splashtop|supremo|ultraviewer|rustdesk|ammyy|getscreen|zoho_assist|msra|fixmeit|dwagent)"), 1, 0)
| eval IsRMMProcess=if(match(Image_lower, "(anydesk|teamviewer|screenconnect|connectwise|quickassist|remotepc|logmeinrescue|atera|splashtop|supremo|ultraviewer|rustdesk|ammyy|getscreen|zoho_assist|msra|fixmeit|dwagent)"), 1, 0)
| eval IsSuspiciousChild=if(IsRMMParent=1 AND match(Image_lower, "(powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|msiexec|curl\.exe|wget\.exe)"), 1, 0)
| eval HasEncodedCmd=if(match(CommandLine_lower, "(-encodedcommand|-enc\s|-ec\s)"), 1, 0)
| eval HasDownloadCradle=if(match(CommandLine_lower, "(invoke-webrequest|downloadstring|downloadfile|net\.webclient|start-bitstransfer|certutil.*urlcache)"), 1, 0)
| eval HasBypass=if(match(CommandLine_lower, "(-executionpolicy\s+bypass|iex\(|-windowstyle\s+hidden)"), 1, 0)
| eval IsQuickAssistParent=if(match(ParentImage_lower, "(quickassist|msra)"), 1, 0)
| eval RiskScore=IsSuspiciousChild + HasEncodedCmd + HasDownloadCradle + HasBypass + (IsQuickAssistParent * 2)
| where IsSuspiciousChild=1 OR (IsRMMProcess=1 AND (HasEncodedCmd=1 OR HasDownloadCradle=1 OR HasBypass=1)) OR (IsQuickAssistParent=1)
| eval DetectionType=case(
    IsQuickAssistParent=1, "QuickAssist_Child_Execution",
    IsSuspiciousChild=1, "RMM_Spawned_Suspicious_Child",
    IsRMMProcess=1, "RMM_Suspicious_Cmdline",
    true(), "Unknown")
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionType, IsSuspiciousChild, HasEncodedCmd, HasDownloadCradle, HasBypass, RiskScore
| sort - RiskScore, - _time

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate IT helpdesk using Quick Assist or AnyDesk to run diagnostic scripts on user machines during support sessions
MSP-deployed RMM agents (ConnectWise, Atera) that execute scripted patch deployments or configuration management tasks
Corporate IT departments using TeamViewer for remote onboarding that involves running PowerShell configuration scripts
Vendor remote support sessions for enterprise software (ERP, HR systems) that use their own remote access clients and run diagnostic tools
Automated software deployment pipelines that happen to run through an RMM agent interface

Elastic Security (EQL)

eql

process where event.type == "start" and
  (
    (process.name : ("anydesk.exe","teamviewer.exe","screenconnect.exe","quickassist.exe",
                      "remotepc.exe","logmeinrescue.exe","atera_agent.exe","splashtop.exe",
                      "supremo.exe","ultraviewer.exe","rustdesk.exe","meshagent.exe") and
     process.parent.name : ("cmd.exe","powershell.exe","pwsh.exe","wscript.exe","cscript.exe","mshta.exe")) or
    (process.parent.name : ("anydesk.exe","teamviewer.exe","screenconnect.exe","quickassist.exe",
                              "remotepc.exe","logmeinrescue.exe","atera_agent.exe","splashtop.exe") and
     process.name : ("cmd.exe","powershell.exe","pwsh.exe","wscript.exe","cscript.exe","mshta.exe",
                      "certutil.exe","bitsadmin.exe","msiexec.exe","rundll32.exe","regsvr32.exe"))
  )

high severity medium confidence

Data Sources

Windows Process Events

Required Tables

logs-endpoint.events.process-*

False Positives

Legitimate IT helpdesk sessions where support staff use Quick Assist or AnyDesk to assist users and then run PowerShell diagnostic scripts
Managed Service Providers (MSPs) running RMM agents (Atera, ConnectWise, Splashtop) that legitimately execute scripts for patch management or software deployment
Software asset management tools that deploy or update packages via RMM-like processes during business hours
IT onboarding workflows where AnyDesk or TeamViewer is used to configure new endpoints and install baseline tooling via scripted deployment
Vendor-initiated remote support sessions for enterprise software that involve running diagnostic PowerShell commands

IBM QRadar (AQL)

sql

SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') as EventTime,
  logsourcename(logsourceid) as LogSource, username as User,
  "ParentImage" as ParentProcess, "Image" as ChildProcess, "CommandLine" as CommandLine,
  CASE WHEN LOWER("Image") LIKE ANY ('%anydesk%','%teamviewer%','%screenconnect%','%quickassist%')
            AND LOWER("ParentImage") LIKE '%powershell%' THEN 10
       WHEN LOWER("ParentImage") LIKE ANY ('%anydesk%','%teamviewer%','%screenconnect%')
            AND LOWER("Image") LIKE ANY ('%powershell%','%mshta%','%wscript%') THEN 10
       ELSE 7 END as RiskScore
FROM events
WHERE eventid IN (1, 4688)
  AND (
    (LOWER("Image") LIKE ANY ('%anydesk.exe%','%teamviewer.exe%','%screenconnect.exe%',
                                '%quickassist.exe%','%rustdesk.exe%','%supremo.exe%') AND
     LOWER("ParentImage") LIKE ANY ('%cmd.exe%','%powershell%','%wscript%','%cscript%','%mshta%'))
    OR (LOWER("ParentImage") LIKE ANY ('%anydesk.exe%','%teamviewer.exe%','%screenconnect.exe%',
                                         '%quickassist.exe%','%splashtop.exe%') AND
        LOWER("Image") LIKE ANY ('%cmd.exe%','%powershell%','%wscript%','%certutil%','%bitsadmin%','%msiexec%'))
  )
ORDER BY RiskScore DESC, EventTime DESC

high severity medium confidence

Data Sources

Windows Sysmon Windows Security Event Log

Required Tables

events

False Positives

Legitimate IT helpdesk sessions where support staff use Quick Assist or AnyDesk to assist users and then run PowerShell diagnostic scripts
Managed Service Providers (MSPs) running RMM agents (Atera, ConnectWise, Splashtop) that legitimately execute scripts for patch management or software deployment
Software asset management tools that deploy or update packages via RMM-like processes during business hours
IT onboarding workflows where AnyDesk or TeamViewer is used to configure new endpoints and install baseline tooling via scripted deployment
Vendor-initiated remote support sessions for enterprise software that involve running diagnostic PowerShell commands

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon OR _sourceCategory=windows/security
| json auto
| where EventID in ("1","4688")
| eval ParentLower = toLower(coalesce(ParentImage, ParentProcessName, ""))
| eval ImageLower = toLower(coalesce(Image, NewProcessName, ""))
| eval rmm_tools = "(anydesk|teamviewer|screenconnect|quickassist|remotepc|logmeinrescue|atera|splashtop|supremo|ultraviewer|rustdesk|meshagent)"
| eval script_tools = "(cmd|powershell|pwsh|wscript|cscript|mshta|certutil|bitsadmin|msiexec|rundll32|regsvr32)"
| eval is_rmm_from_script = if(ImageLower matches concat(".*",rmm_tools,".*") AND
    ParentLower matches concat(".*",script_tools,".*"), 1, 0)
| eval is_script_from_rmm = if(ParentLower matches concat(".*",rmm_tools,".*") AND
    ImageLower matches concat(".*",script_tools,".*"), 1, 0)
| where is_rmm_from_script == 1 OR is_script_from_rmm == 1
| eval detection_type = if(is_rmm_from_script == 1, "RMM_Launched_By_Script", "Script_Launched_By_RMM")
| table _time, Computer, User, ParentImage, Image, CommandLine, detection_type
| sort by _time desc

high severity medium confidence

Data Sources

Windows Sysmon via Sumo Logic Windows Security via Sumo Logic

Required Tables

windows/sysmon windows/security

False Positives

Legitimate IT helpdesk sessions where support staff use Quick Assist or AnyDesk to assist users and then run PowerShell diagnostic scripts
Managed Service Providers (MSPs) running RMM agents (Atera, ConnectWise, Splashtop) that legitimately execute scripts for patch management or software deployment
Software asset management tools that deploy or update packages via RMM-like processes during business hours
IT onboarding workflows where AnyDesk or TeamViewer is used to configure new endpoints and install baseline tooling via scripted deployment
Vendor-initiated remote support sessions for enterprise software that involve running diagnostic PowerShell commands

Google Chronicle / SecOps

yaral

rule vishing_rmm_tool_abuse {
  meta:
    author = "Detection Engineering"
    description = "Detects vishing attacks via RMM tool abuse (T1566.004)"
    severity = "HIGH"
    tactic = "TA0001"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      (re.regex($e.target.process.file.full_path, `(?i)(anydesk|teamviewer|screenconnect|quickassist|splashtop|rustdesk|supremo)`) nocase and
       re.regex($e.principal.process.file.full_path, `(?i)(cmd\.exe|powershell|wscript|cscript|mshta)`) nocase)
      or
      (re.regex($e.principal.process.file.full_path, `(?i)(anydesk|teamviewer|screenconnect|quickassist|splashtop|rustdesk)`) nocase and
       re.regex($e.target.process.file.full_path, `(?i)(cmd\.exe|powershell|wscript|cscript|mshta|certutil|bitsadmin)\.exe`) nocase)
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

Windows Process Events via Chronicle UDM

Required Tables

PROCESS_LAUNCH

False Positives

Legitimate IT helpdesk sessions where support staff use Quick Assist or AnyDesk to assist users and then run PowerShell diagnostic scripts
Managed Service Providers (MSPs) running RMM agents (Atera, ConnectWise, Splashtop) that legitimately execute scripts for patch management or software deployment
Software asset management tools that deploy or update packages via RMM-like processes during business hours
IT onboarding workflows where AnyDesk or TeamViewer is used to configure new endpoints and install baseline tooling via scripted deployment
Vendor-initiated remote support sessions for enterprise software that involve running diagnostic PowerShell commands

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| (ImageFileName = /(anydesk|teamviewer|screenconnect|quickassist|splashtop|rustdesk|supremo)/i
   AND ParentBaseFileName = /(cmd|powershell|pwsh|wscript|cscript|mshta)\.exe$/i)
  OR (ParentBaseFileName = /(anydesk|teamviewer|screenconnect|quickassist|splashtop|rustdesk)/i
      AND ImageFileName = /(cmd|powershell|pwsh|wscript|cscript|mshta|certutil|bitsadmin)\.exe$/i)
| eval detection_type = case {
    ParentBaseFileName = /(anydesk|teamviewer|screenconnect|quickassist)/i : "Script_From_RMM";
    * : "RMM_From_Script"
  }
| table timestamp, ComputerName, UserName, ParentBaseFileName, ImageFileName, CommandLine, detection_type
| sort by timestamp desc

high severity medium confidence

Data Sources

CrowdStrike Falcon Process Events

Required Tables

ProcessRollup2

False Positives

Legitimate IT helpdesk sessions where support staff use Quick Assist or AnyDesk to assist users and then run PowerShell diagnostic scripts
Managed Service Providers (MSPs) running RMM agents (Atera, ConnectWise, Splashtop) that legitimately execute scripts for patch management or software deployment
Software asset management tools that deploy or update packages via RMM-like processes during business hours
IT onboarding workflows where AnyDesk or TeamViewer is used to configure new endpoints and install baseline tooling via scripted deployment
Vendor-initiated remote support sessions for enterprise software that involve running diagnostic PowerShell commands

Spearphishing Voice

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Initial Access

Popular Detections