Detect Spearphishing Voice in Elastic Security
Adversaries use voice communications (phone calls, VoIP) to socially engineer victims into granting system access, installing remote management tools (RMM), executing malicious scripts, or approving fraudulent MFA prompts. The attacker typically impersonates IT support or a trusted authority, creating urgency to bypass the victim's critical thinking. Unlike phishing email techniques, vishing leaves no direct technical artifact from the call itself — detection must focus on the downstream behaviors: abnormal RMM tool installation, suspicious process chains spawned during or after remote sessions, and MFA anomaly patterns. Storm-1811 is a documented threat group using this technique, directing victims to open Quick Assist (a built-in Windows remote desktop tool) to hand over system control to the attacker posing as Microsoft or internal IT support.
MITRE ATT&CK
- Tactic
- Initial Access
- Technique
- T1566 Phishing
- Sub-technique
- T1566.004 Spearphishing Voice
- Canonical reference
- https://attack.mitre.org/techniques/T1566/004/
Elastic Detection Query
process where event.type == "start" and
(
(process.name : ("anydesk.exe","teamviewer.exe","screenconnect.exe","quickassist.exe",
"remotepc.exe","logmeinrescue.exe","atera_agent.exe","splashtop.exe",
"supremo.exe","ultraviewer.exe","rustdesk.exe","meshagent.exe") and
process.parent.name : ("cmd.exe","powershell.exe","pwsh.exe","wscript.exe","cscript.exe","mshta.exe")) or
(process.parent.name : ("anydesk.exe","teamviewer.exe","screenconnect.exe","quickassist.exe",
"remotepc.exe","logmeinrescue.exe","atera_agent.exe","splashtop.exe") and
process.name : ("cmd.exe","powershell.exe","pwsh.exe","wscript.exe","cscript.exe","mshta.exe",
"certutil.exe","bitsadmin.exe","msiexec.exe","rundll32.exe","regsvr32.exe"))
)Detects voice phishing (vishing) by monitoring RMM tools launched from suspicious parents or spawning LOLBins.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate IT helpdesk sessions where support staff use Quick Assist or AnyDesk to assist users and then run PowerShell diagnostic scripts
- Managed Service Providers (MSPs) running RMM agents (Atera, ConnectWise, Splashtop) that legitimately execute scripts for patch management or software deployment
- Software asset management tools that deploy or update packages via RMM-like processes during business hours
- IT onboarding workflows where AnyDesk or TeamViewer is used to configure new endpoints and install baseline tooling via scripted deployment
- Vendor-initiated remote support sessions for enterprise software that involve running diagnostic PowerShell commands
Other platforms for T1566.004
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Silent AnyDesk Installation (Vishing Initial Access Simulation)
Expected signal: Sysmon Event ID 11 (File Create): AnyDesk.exe written to %TEMP%. Sysmon Event ID 1 (Process Create): AnyDesk.exe spawned with --portable argument, parent process is PowerShell. Sysmon Event ID 3 (Network Connection): Outbound connection to download.anydesk.com (185.34.32.x) on port 443 for download, and to AnyDesk relay servers on port 7070 or 443 after launch. Windows Security Event 4688 if command line auditing enabled.
- Test 2Quick Assist Session Initiation with Child PowerShell (Storm-1811 TTP)
Expected signal: Sysmon Event ID 1 (Process Create): quickassist.exe started. Sysmon Event ID 1 (Process Create): powershell.exe started with parent process being the test script's shell (simulating quick assist parent). The detection query branch 'QuickAssist_Child_Execution' specifically looks for Quick Assist spawning PowerShell. Microsoft-Windows-RemoteAssistance/Operational Event ID 1 logged when Quick Assist initializes.
- Test 3Post-Vishing Script Delivery via RMM Session Simulation
Expected signal: Sysmon Event ID 1 (Process Create): powershell.exe with -ExecutionPolicy Bypass, -WindowStyle Hidden, and Net.WebClient/DownloadString in CommandLine. Sysmon Event ID 3 (Network Connection): attempt to connect to 127.0.0.1:9999 (will fail — no listener). Sysmon Event ID 11 (File Create): vishing-stage2-test.txt written to %TEMP%. PowerShell ScriptBlock Log Event ID 4104: full deobfuscated script content captured.
- Test 4Callback Phishing URL Pattern Execution (Luna Moth Simulation)
Expected signal: Sysmon Event ID 1 (Process Create): cmd.exe spawning msiexec.exe with HTTP URL argument. Sysmon Event ID 3 (Network Connection): msiexec.exe attempting outbound HTTP connection to 127.0.0.1:9998 (will fail). Windows Security Event 4688: msiexec.exe process creation with URL in command line if command line auditing enabled. The msiexec with HTTP URL pattern is characteristic of vishing-directed software installation.
References (10)
- https://attack.mitre.org/techniques/T1566/004/
- https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/
- https://unit42.paloaltonetworks.com/luna-moth-callback-phishing/
- https://blog.sygnia.co/luna-moth-false-subscription-scams
- https://www.cisa.gov/uscert/ncas/alerts/aa23-025a
- https://www.proofpoint.com/us/threat-reference/vishing
- https://www.redcanary.com/blog/storm-1811/
- https://www.rapid7.com/blog/post/2024/05/23/email-bombing-and-vishing-attacks-deploying-black-basta-ransomware/
- https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/quick-assist
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.004/T1566.004.md
Unlock Pro Content
Get the full detection package for T1566.004 including response playbook, investigation guide, and atomic red team tests.