detection.wiki

Remote Access Tools T1219

Tactic: Command & Control

An adversary may use legitimate remote access tools to establish an interactive command and control channel within a network. Remote access tools create a session between two trusted hosts through a graphical interface, a command line interaction, a protocol tunnel via development or management software, or hardware-level access such as KVM (Keyboard, Video, Mouse) over IP solutions. Desktop support software (usually graphical interface) and remote management software (typically command line interface) allow a user to control a computer remotely as if they are a local user inheriting the user or software permissions. This software is commonly used for troubleshooting, software installation, and system management. Adversaries may similarly abuse response features included in EDR and other defensive tools that enable remote access.

Events covered

23 catalog events are tagged with this technique by at least one rule.

ProviderEventTitle
SysmonEvent ID 1Process creation
SysmonEvent ID 3Network connection
SysmonEvent ID 7Image loaded
SysmonEvent ID 11FileCreate
SysmonEvent ID 12RegistryEvent (Object create and delete)
SysmonEvent ID 13RegistryEvent (Value Set)
SysmonEvent ID 14RegistryEvent (Key and Value Rename)
SysmonEvent ID 17PipeEvent (Pipe Created)
SysmonEvent ID 18PipeEvent (Pipe Connected)
SysmonEvent ID 22DNSEvent (DNS query)
SysmonEvent ID 23FileDelete (File Delete archived)
SysmonEvent ID 26FileDeleteDetected (File Delete logged)
Security-AuditingEvent ID 4663An attempt was made to access an object.
Security-AuditingEvent ID 4688A new process has been created.
Security-AuditingEvent ID 4697A service was installed in the system.
Security-AuditingEvent ID 4698A scheduled task was created.
ESFexecProcess Execution (Notify)
NTLMEvent ID 8001NTLM client blocked audit: Audit outgoing NTLM authentication traffic that would be blocked.
PowerShellEvent ID 4103Payload Context: ContextInfo User Data: UserData.
PowerShellEvent ID 4104Creating Scriptblock text (MessageNumber of MessageTotal).
MsiInstallerEvent ID 1033Windows Installer installed the product.
Service-Control-ManagerEvent ID 7045A service was installed in the system.
Sysmon-for-LinuxEvent ID 1Process Create

Authoring guide

Patterns shared across the 100 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (73 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
Image31ends_with 25, contains 7, eq 2, starts_with 2, wildcard 2, in 1, regex_match 1\anydesk.exe, \anydeskmsi.exe, \cmd.exe, \mstsc.exe, \appdata\local\flock\
CommandLine25contains 16, match 5, ends_with 4, regex_match 2, is_not_null 1, wildcard 1--meshservicename, --accept-server-license-terms, (?i)(anydesk.exe).*(--silent), (?i)\/i\s.*IntegratorLogin=\S+@(gmail|hotmail|outlook|pro..., (?i)anydesk.exe
EventID22eq 221, 4688, 1033, 22, 4103
process_name18match 8, eq 7, wildcard 2, in 1, is_not_null 1(?i)(simple(help(customer)?|service|gatewayservice)|remot..., (?i)^(teamviewer\.exe|anydesk\.exe|lmiignition\.exe|gotoa..., (?i)^anydesk.exe$, (?i)ateraagent\.exe, (?i)jwrapper-remote\s+(access|support)
event.type12eq 12start, creation, deletion
TargetFilename11ends_with 6, contains 5, wildcard 1.7z, .bat, .cmd, .dll, .exe
OriginalFileName10eq 6, contains 2, is_null 2meshagent, mstsc.exe, client32.exe, pcicfgui.exe, ultraviewer_desktop.exe
Company9eq 8, in 1AnyDesk Software GmbH, LogMeIn, Inc., ATERA Networks*, AmidaWare*, Ammyy LLC*
Product9eq 8, in 1AnyDesk, Advanced Monitoring Agent*, Ammyy Admin*, AnyDesk*, GoTo Opener
Description8eq 7, in 1AnyDesk, Advanced Monitoring Agent*, Ammyy Admin*, AnyDesk*, GoTo Opener
ParentImage7ends_with 5, eq 1, wildcard 1?:\programdata\*\client32.exe, ?:\users\*\client32.exe, \action1_agent.exe, \cmd.exe, \code-tunnel.exe
event.category7eq 5, in 2network, process, network_traffic, file, registry
isutility7eq 7True, TRUE
Type6eq 6
parent_process_name5eq 5, wildcard 1AA_v*.exe, AeroAdmin.exe, AgentMon.exe, ScreenConnect.ClientService.exe, ScreenConnect.WindowsBackstageShell.exe

Top indicator values (1095 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

FieldKindValueRules (here)Corpus reach
event.typeeq
start
10606
EventIDeq
1
8237
EventIDeq
4688
6313
CommandLinecontains
--meshservicename
44
CommandLinecontains
--accept-server-license-terms
34
CommandLinecontains
-code
22
CommandLinecontains
-id
22
CommandLinecontains
-region
22
CommandLinecontains
-register
22
CommandLinecontains
.exe tunnel
22
CommandLinecontains
/d /c
22
CommandLinecontains
\servers\stable-
22
CommandLinecontains
code-server.cmd
23
Imageends_with
\anydesk.exe
45
Imageends_with
\anydeskmsi.exe
44
Imageends_with
\cmd.exe
4130
Imageends_with
\mstsc.exe
36
Imageends_with
\powershell.exe
3182
Imageends_with
\pwsh.exe
3168
isutilityeq
True
44
isutilityeq
TRUE
33
event.categoryeq
process
3128
process_nameeq
screenconnect.clientservice.exe
33
CommandLineends_with
.exe tunnel
22
CommandLineends_with
.rdp
22
CommandLineends_with
.rdp"
22
CommandLinematch
(?i)\/i\s.*IntegratorLogin=\S+@(gmail|hotmail|outlook|protonmail)\.com|(yande...
22
CommandLinematch
(?i)anydesk.exe
22
CommandLineregex_match
(?i)(anydesk.exe).*(--silent)
22
Companyeq
AnyDesk Software GmbH
23

Exclusions (165 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

FieldKindValueRules excluding
rmm_exceptioneq
TRUE
8
rmm_exception_endin
FALSE
8
rmm_exception_endin
UNLIMITED
8
CommandLineregex_match
(?i)(install)
2
Imagecontains
\appdata\local\flock\
2
Imagecontains
\appdata\local\maxthon\
2
Imagecontains
\appdata\local\phoebe\
2
Imagecontains
\appdata\local\programs\midori-ng\
2
Imagecontains
\appdata\local\programs\opera\
2
Imagecontains
\appdata\local\vivaldi\
2
Imagecontains
\tor browser\
2
Imageends_with
\avant.exe
2
Imageends_with
\brave.exe
2
Imageends_with
\falkon.exe
2
Imageends_with
\flock.exe
2

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Platform (all)
Domain (all)

Sigma 50 rules

Elastic 15 rules

Splunk 32 rules

YARA-L 2 rules

Panther 1 rule