Detect Remote Access Software Usage URL

name: Detect Remote Access Software Usage URL
id: 9296f515-073c-43a5-88ec-eda5a4626654
version: 14
date: '2026-03-23'
author: Steven Dick
status: production
type: Anomaly
description: |
    The following analytic detects the execution of known remote access software within the environment.
    It leverages network logs mapped to the Web data model, identifying specific URLs and user agents associated with remote access tools like AnyDesk, GoToMyPC, LogMeIn, and TeamViewer.
    This activity is significant as adversaries often use these utilities to maintain unauthorized remote access. If confirmed malicious, this could allow attackers to control systems remotely, exfiltrate data, or further compromise the network, posing a severe security risk.
data_source:
    - Palo Alto Network Threat
search: |
    | tstats `security_content_summariesonly`
             count min(_time) as firstTime
                   max(_time) as lastTime
                   latest(Web.http_method) as http_method
                   latest(Web.http_user_agent) as http_user_agent
                   latest(Web.url) as url
                   latest(Web.user) as user
                   latest(Web.dest) as dest

    from datamodel=Web where

    Web.url_domain=*
    NOT Web.url_domain IN (
        "-",
        "unknown"
    )
    by Web.action Web.src Web.category
       Web.url_domain Web.url_length

    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `drop_dm_object_name("Web")`
    | lookup remote_access_software remote_domain AS url_domain OUTPUT isutility, description as signature, comment_reference
    as desc, category
    | search isutility = True
    | `remote_access_software_usage_exceptions`
    | `detect_remote_access_software_usage_url_filter`
how_to_implement: |
    The detection is based on data that originates from network logs. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the network logs. The logs must also be mapped to the `Web` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. The "exceptions" macro leverages both an Assets and Identities lookup, as well as a KVStore collection called "remote_software_exceptions" that lets you track and maintain device- based exceptions for this set of detections.
known_false_positives: |
    It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and updated with any additional remote access software that is used within the environment. Known false positives can be added to the remote_access_software_usage_exception.csv lookup to globally suppress these situations across all remote access content
references:
    - https://attack.mitre.org/techniques/T1219/
    - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
    - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
drilldown_searches:
    - name: View the detection results for - "$src$" and "$user$"
      search: '%original_detection_search% | search  src = "$src$" user = "$user$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$src$" and "$user$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: Investigate traffic to $url_domain$
      search: '| from datamodel:Web | search src=$src$ url_domain=$url_domain$'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: A domain for a known remote access software $url_domain$ was contacted by $src$.
    risk_objects:
        - field: src
          type: system
          score: 20
        - field: user
          type: user
          score: 20
    threat_objects:
        - field: url_domain
          type: domain
        - field: signature
          type: signature
tags:
    analytic_story:
        - Insider Threat
        - Command And Control
        - Ransomware
        - CISA AA24-241A
        - Remote Monitoring and Management Software
        - Interlock Ransomware
        - Scattered Lapsus$ Hunters
    asset_type: Network
    mitre_attack_id:
        - T1219
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: network
    manual_test: This detection uses A&I lookups from Enterprise Security.
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/screenconnect/screenconnect_palo.log
          source: not_applicable
          sourcetype: pan:threat