| ID | Technique | Tactic |
|---|---|---|
| T1219 | Remote Access Tools | Command And Control |
Detection: Detect Remote Access Software Usage File
Description
The following analytic detects the writing of files from known remote access software to disk within the environment. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on file path, file name, and user information. This activity is significant as adversaries often use remote access tools like AnyDesk, GoToMyPC, LogMeIn, and TeamViewer to maintain unauthorized access. If confirmed malicious, this could allow attackers to persist in the environment, potentially leading to data exfiltration, further compromise, or complete control over affected systems. It is best to update both the remote_access_software_usage_exception.csv lookup and the remote_access_software lookup with any known or approved remote access software to reduce false positives and increase coverage. In order to enhance performance, the detection filters for specific file names extensions / names that are used in the remote_access_software lookup. If add additional entries, consider updating the search filters to include those file names / extensions as well, if not alread covered.
Search
1
2| tstats `security_content_summariesonly`
3 count min(_time) as firstTime,
4 max(_time) as lastTime
5 values(Filesystem.file_path) as file_path
6from datamodel=Endpoint.Filesystem
7where Filesystem.file_name IN (
8 "*.app",
9 "*.exe",
10 "*.msi",
11 "*.pkg",
12 "*echoware.dll",
13 "*Idrive.*",
14 "*rdp2tcp.py"
15)
16by Filesystem.action Filesystem.dest Filesystem.file_access_time
17 Filesystem.file_create_time Filesystem.file_hash
18 Filesystem.file_modify_time Filesystem.file_name
19 Filesystem.file_path Filesystem.file_acl Filesystem.file_size
20 Filesystem.process_guid Filesystem.process_id
21 Filesystem.user Filesystem.vendor_product
22
23| `security_content_ctime(firstTime)`
24
25| `security_content_ctime(lastTime)`
26
27| `drop_dm_object_name(Filesystem)`
28
29| lookup remote_access_software remote_utility AS file_name OUTPUT isutility, description as signature, comment_reference as desc, category
30
31| search isutility = TRUE
32
33| `remote_access_software_usage_exceptions`
34
35| `detect_remote_access_software_usage_file_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Sysmon EventID 11 |  Windows |
'XmlWinEventLog' |
'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' |
Macros Used
| Name | Value |
|---|---|
| remote_access_software_usage_exceptions | `eval exception_asset = CASE(isnotnull(src),src,isnotnull(dest),dest) |
| detect_remote_access_software_usage_file_filter | search * |
detect_remote_access_software_usage_file_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Command and Control
DE.AE
CIS 10
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Risk Event | True |
This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.
Implementation
The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the file path, file name, and the user that created the file. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the Filesystem node of the Endpoint data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. The "exceptions" macro leverages both an Assets and Identities lookup, as well as a KVStore collection called "remote_software_exceptions" that lets you track and maintain device-based exceptions for this set of detections.
Known False Positives
Known or approved applications used by the organization or usage of built-in functions. Known false positives can be added to the remote_access_software_usage_exception.csv lookup to globally suppress these situations across all remote access content
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
A file for known a remote access software [$file_name$] was created on $dest$ by $user$.
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| user | user | 25 | signature, file_name |
| dest | system | 25 | signature, file_name |
References
-
https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
-
https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
XmlWinEventLog |
| Integration | ✅ Passing | Dataset | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
XmlWinEventLog |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 13