← Back to Explore
splunk_escuAnomaly
Detect Remote Access Software Usage FileInfo
The following analytic detects the execution of processes with file or code signing attributes from known remote access software within the environment. It leverages Sysmon EventCode 1 data and cross-references a lookup table of remote access utilities such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. This activity is significant as adversaries often use these tools to maintain unauthorized remote access. If confirmed malicious, this could allow attackers to persist in the environment, potentially leading to data exfiltration or further compromise of the network.
MITRE ATT&CK
Detection Query
`sysmon` EventCode=1
| stats count min(_time) as firstTime max(_time) as lastTime, values(Company) as Company values(Product) as Product
BY action dest original_file_name
parent_process parent_process_exec parent_process_guid
parent_process_id parent_process_name parent_process_path
process process_exec process_guid
process_hash process_id process_integrity_level
process_name process_path user
user_id vendor_product
| lookup remote_access_software remote_utility_fileinfo AS Product OUTPUT isutility, description as signature, comment_reference as desc, category
| search isutility = True
| `remote_access_software_usage_exceptions`
| `detect_remote_access_software_usage_fileinfo_filter`Author
Steven Dick
Created
2026-03-10
Data Sources
Sysmon EventID 1
References
Tags
Insider ThreatCommand And ControlRansomwareGozi MalwareRemote Monitoring and Management SoftwareCactus RansomwareSeashell BlizzardScattered SpiderInterlock RansomwareScattered Lapsus$ Hunters
Raw Content
name: Detect Remote Access Software Usage FileInfo
id: ccad96d7-a48c-4f13-8b9c-9f6a31cba454
version: 13
date: '2026-03-10'
author: Steven Dick
status: production
type: Anomaly
description: The following analytic detects the execution of processes with file or code signing attributes from known remote access software within the environment. It leverages Sysmon EventCode 1 data and cross-references a lookup table of remote access utilities such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. This activity is significant as adversaries often use these tools to maintain unauthorized remote access. If confirmed malicious, this could allow attackers to persist in the environment, potentially leading to data exfiltration or further compromise of the network.
data_source:
- Sysmon EventID 1
search: |-
`sysmon` EventCode=1
| stats count min(_time) as firstTime max(_time) as lastTime, values(Company) as Company values(Product) as Product
BY action dest original_file_name
parent_process parent_process_exec parent_process_guid
parent_process_id parent_process_name parent_process_path
process process_exec process_guid
process_hash process_id process_integrity_level
process_name process_path user
user_id vendor_product
| lookup remote_access_software remote_utility_fileinfo AS Product OUTPUT isutility, description as signature, comment_reference as desc, category
| search isutility = True
| `remote_access_software_usage_exceptions`
| `detect_remote_access_software_usage_fileinfo_filter`
how_to_implement: This analytic relies on Sysmon to be properly installed and utilized in the environment. Ensure that proper logging is setup for Sysmon and data is being ingested into Splunk. The "exceptions" macro leverages both an Assets and Identities lookup, as well as a KVStore collection named "remote_software_exceptions" that lets you track and maintain device-based exceptions for this set of detections.
known_false_positives: Known or approved applications used by the organization or usage of built-in functions. Known false positives can be added to the remote_access_software_usage_exception.csv lookup to globally suppress these situations across all remote access content
references:
- https://attack.mitre.org/techniques/T1219/
- https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
- https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
drilldown_searches:
- name: View the detection results for - "$dest$"
search: '%original_detection_search% | search dest = "$dest$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: Investigate processes on $dest$
search: '| from datamodel:Endpoint.Processes| search dest=$dest$ process_name=$process_name$'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
rba:
message: A file attributes for known a remote access software [$process_name$] was detected on $dest$
risk_objects:
- field: dest
type: system
score: 20
- field: user
type: user
score: 20
threat_objects:
- field: process_name
type: process_name
- field: signature
type: signature
tags:
analytic_story:
- Insider Threat
- Command And Control
- Ransomware
- Gozi Malware
- Remote Monitoring and Management Software
- Cactus Ransomware
- Seashell Blizzard
- Scattered Spider
- Interlock Ransomware
- Scattered Lapsus$ Hunters
asset_type: Endpoint
mitre_attack_id:
- T1219
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
security_domain: endpoint
manual_test: This detection uses A&I lookups from Enterprise Security.
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/screenconnect/screenconnect_sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: XmlWinEventLog