Home/Sigma rules
Sigma

Sigma detection rules

47 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Severity critical high medium low all severities

Detection rules

47 shown of 47
critical
Antivirus Exploitation Framework Detection
Detects a highly relevant Antivirus alert that reports an exploitation framework. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
status stable author Florian Roth (Nextron Systems), Arnim Rupp id 238527ad-3c2c-4e4f-a1f6-92fd63adb864
view Sigma YAML 
title: Antivirus Exploitation Framework Detection
id: 238527ad-3c2c-4e4f-a1f6-92fd63adb864
status: stable
description: |
    Detects a highly relevant Antivirus alert that reports an exploitation framework.
    This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
    - https://www.nextron-systems.com/?s=antivirus
    - https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797
    - https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424
    - https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018-09-09
modified: 2024-11-02
tags:
    - attack.execution
    - attack.t1203
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: antivirus
detection:
    selection:
        Signature|contains:
            - 'Backdoor.Cobalt'
            - 'Brutel'
            - 'BruteR'
            - 'CobaltStr'
            - 'CobaltStrike'
            - 'COBEACON'
            - 'Cometer'
            - 'Exploit.Script.CVE'
            - 'IISExchgSpawnCMD'
            - 'Metasploit'
            - 'Meterpreter'
            - 'MeteTool'
            - 'Mpreter'
            - 'MsfShell'
            - 'PowerSploit'
            - 'Razy'
            - 'Rozena'
            - 'Sbelt'
            - 'Seatbelt'
            - 'Sliver'
            - 'Swrort'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
HackTool - Inveigh Execution Artefacts
Detects the presence and execution of Inveigh via dropped artefacts
status test author Nasreddine Bencherchali (Nextron Systems) id bb09dd3e-2b78-4819-8e35-a7c1b874e449
view Sigma YAML 
title: HackTool - Inveigh Execution Artefacts
id: bb09dd3e-2b78-4819-8e35-a7c1b874e449
status: test
description: Detects the presence and execution of Inveigh via dropped artefacts
references:
    - https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs
    - https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs
    - https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-24
modified: 2024-06-27
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - '\Inveigh-Log.txt'
            - '\Inveigh-Cleartext.txt'
            - '\Inveigh-NTLMv1Users.txt'
            - '\Inveigh-NTLMv2Users.txt'
            - '\Inveigh-NTLMv1.txt'
            - '\Inveigh-NTLMv2.txt'
            - '\Inveigh-FormInput.txt'
            - '\Inveigh.dll'
            - '\Inveigh.exe'
            - '\Inveigh.ps1'
            - '\Inveigh-Relay.ps1'
    condition: selection
falsepositives:
    - Unlikely
level: critical
high
Atera Agent Installation
Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators
status test author Bhabesh Raj id 87261fb2-69d0-42fe-b9de-88c6b5f65a43
view Sigma YAML 
title: Atera Agent Installation
id: 87261fb2-69d0-42fe-b9de-88c6b5f65a43
status: test
description: Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators
references:
    - https://www.advintel.io/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent
author: Bhabesh Raj
date: 2021-09-01
modified: 2022-12-25
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    service: application
    product: windows
detection:
    selection:
        EventID: 1033
        Provider_Name: MsiInstaller
        Message|contains: AteraAgent
    condition: selection
falsepositives:
    - Legitimate Atera agent installation
level: high
high
HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators
Detects the creation of file with specific names used by RemoteKrbRelay SMB Relay attack module.
status test author Nasreddine Bencherchali (Nextron Systems) id 3ab79e90-9fab-4cdf-a7b2-6522bc742adb
view Sigma YAML 
title: HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators
id: 3ab79e90-9fab-4cdf-a7b2-6522bc742adb
status: test
description: Detects the creation of file with specific names used by RemoteKrbRelay SMB Relay attack module.
references:
    - https://github.com/CICADA8-Research/RemoteKrbRelay/blob/19ec76ba7aa50c2722b23359bc4541c0a9b2611c/Exploit/RemoteKrbRelay/Relay/Attacks/RemoteRegistry.cs#L31-L40
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-06-27
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - ':\windows\temp\sam.tmp'
            - ':\windows\temp\sec.tmp'
            - ':\windows\temp\sys.tmp'
    condition: selection
falsepositives:
    - Unlikely
level: high
high
Hijack Legit RDP Session to Move Laterally
Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder
status test author Samir Bousseaden id 52753ea4-b3a0-4365-910d-36cff487b789
view Sigma YAML 
title: Hijack Legit RDP Session to Move Laterally
id: 52753ea4-b3a0-4365-910d-36cff487b789
status: test
description: Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder
author: Samir Bousseaden
references:
    - Internal Research
date: 2019-02-21
modified: 2021-11-27
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '\mstsc.exe'
        TargetFilename|contains: '\Microsoft\Windows\Start Menu\Programs\Startup\'
    condition: selection
falsepositives:
    - Unlikely
level: high
high
Remote Access Tool - AnyDesk Silent Installation
Detects AnyDesk Remote Desktop silent installation. Which can be used by attackers to gain remote access.
status test author Ján Trenčanský id 114e7f1c-f137-48c8-8f54-3088c24ce4b9
view Sigma YAML 
title: Remote Access Tool - AnyDesk Silent Installation
id: 114e7f1c-f137-48c8-8f54-3088c24ce4b9
status: test
description: Detects AnyDesk Remote Desktop silent installation. Which can be used by attackers to gain remote access.
references:
    - https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20
    - https://support.anydesk.com/Automatic_Deployment
author: Ján Trenčanský
date: 2021-08-06
modified: 2023-03-05
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '--install'
            - '--start-with-win'
            - '--silent'
    condition: selection
falsepositives:
    - Legitimate deployment of AnyDesk
level: high
high
Remote Access Tool - Anydesk Execution From Suspicious Folder
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
status test author Florian Roth (Nextron Systems) id 065b00ca-5d5c-4557-ac95-64a6d0b64d86
view Sigma YAML 
title: Remote Access Tool - Anydesk Execution From Suspicious Folder
id: 065b00ca-5d5c-4557-ac95-64a6d0b64d86
related:
    - id: b52e84a3-029e-4529-b09b-71d19dd27e94
      type: similar
status: test
description: |
    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows
    - https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/
author: Florian Roth (Nextron Systems)
date: 2022-05-20
modified: 2025-02-24
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith:
              - '\AnyDesk.exe'
              - '\AnyDeskMSI.exe'
        - Description: AnyDesk
        - Product: AnyDesk
        - Company: AnyDesk Software GmbH
    filter:
        Image|contains:
            - '\AppData\'
            - 'Program Files (x86)\AnyDesk'
            - 'Program Files\AnyDesk'
    condition: selection and not filter
falsepositives:
    - Legitimate use of AnyDesk from a non-standard folder
level: high
high
Remote Access Tool - Renamed MeshAgent Execution - MacOS
Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent. RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management. However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.
status experimental author Norbert Jaśniewicz (AlphaSOC) id bd3b5eaa-439d-4a42-8f35-a49f5c8a2582
view Sigma YAML 
title: Remote Access Tool - Renamed MeshAgent Execution - MacOS
id: bd3b5eaa-439d-4a42-8f35-a49f5c8a2582
related:
    - id: b471f462-eb0d-4832-be35-28d94bdb4780
      type: similar
    - id: 22c45af6-f590-4d44-bab3-b5b2d2a2b6d9
      type: derived
status: experimental
description: |
    Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent.
    RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management.
    However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.
references:
    - https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access
    - https://thecyberexpress.com/ukraine-hit-by-meshagent-malware-campaign/
    - https://wazuh.com/blog/how-to-detect-meshagent-with-wazuh/
    - https://www.security.com/threat-intelligence/medusa-ransomware-attacks
author: Norbert Jaśniewicz (AlphaSOC)
date: 2025-05-19
tags:
    - attack.command-and-control
    - attack.stealth
    - attack.t1219.002
    - attack.t1036.003
logsource:
    category: process_creation
    product: macos
detection:
    selection_meshagent:
        - CommandLine|contains: '--meshServiceName'
        - OriginalFileName|contains: 'meshagent'
    filter_main_legitimate:
        Image|endswith:
            - '/meshagent'
            - '/meshagent_osx64'
    condition: selection_meshagent and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
high
Remote Access Tool - Renamed MeshAgent Execution - Windows
Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent. RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management. However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.
status experimental author Norbert Jaśniewicz (AlphaSOC) id b471f462-eb0d-4832-be35-28d94bdb4780
view Sigma YAML 
title: Remote Access Tool - Renamed MeshAgent Execution - Windows
id: b471f462-eb0d-4832-be35-28d94bdb4780
related:
    - id: bd3b5eaa-439d-4a42-8f35-a49f5c8a2582
      type: similar
    - id: 2fbbe9ff-0afc-470b-bdc0-592198339968
      type: derived
status: experimental
description: |
    Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent.
    RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management.
    However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.
references:
    - https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access
    - https://thecyberexpress.com/ukraine-hit-by-meshagent-malware-campaign/
    - https://wazuh.com/blog/how-to-detect-meshagent-with-wazuh/
    - https://www.security.com/threat-intelligence/medusa-ransomware-attacks
author: Norbert Jaśniewicz (AlphaSOC)
date: 2025-05-19
tags:
    - attack.command-and-control
    - attack.stealth
    - attack.t1219.002
    - attack.t1036.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_meshagent:
        - CommandLine|contains: '--meshServiceName'
        - OriginalFileName|contains: 'meshagent'
    filter_main_legitimate:
        Image|endswith: '\meshagent.exe'
    condition: selection_meshagent and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
high
Renamed Visual Studio Code Tunnel Execution
Detects renamed Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel
status test author Nasreddine Bencherchali (Nextron Systems) id 2cf29f11-e356-4f61-98c0-1bdb9393d6da
view Sigma YAML 
title: Renamed Visual Studio Code Tunnel Execution
id: 2cf29f11-e356-4f61-98c0-1bdb9393d6da
status: test
description: Detects renamed Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel
references:
    - https://ipfyx.fr/post/visual-studio-code-tunnel/
    - https://badoption.eu/blog/2023/01/31/code_c2.html
    - https://code.visualstudio.com/docs/remote/tunnels
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-28
modified: 2025-10-29
tags:
    - attack.command-and-control
    - attack.t1071.001
    - attack.t1219
logsource:
    category: process_creation
    product: windows
detection:
    selection_image_only_tunnel:
        OriginalFileName: null
        CommandLine|endswith: '.exe tunnel'
    selection_image_tunnel_args:
        CommandLine|contains|all:
            - '.exe tunnel'
            - '--accept-server-license-terms'
    selection_image_tunnel_service:
        CommandLine|contains|all:
            - 'tunnel '
            - 'service'
            - 'internal-run'
            - 'tunnel-service.log'
    selection_parent_tunnel:
        ParentCommandLine|endswith: ' tunnel'
        Image|endswith: '\cmd.exe'
        CommandLine|contains|all:
            - '/d /c '
            - '\servers\Stable-'
            - 'code-server.cmd'
    filter_main_parent_code:
        ParentImage|endswith:
            - '\code-tunnel.exe'
            - '\code.exe'
    filter_main_image_code:
        Image|endswith:
            - '\code-tunnel.exe'
            - '\code.exe'
    condition: (1 of selection_image_* and not 1 of filter_main_image_*) or (selection_parent_tunnel and not 1 of filter_main_parent_*)
falsepositives:
    - Unknown
level: high
high
Suspicious Binary Writes Via AnyDesk
Detects AnyDesk writing binary files to disk other than "gcapi.dll". According to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll, which is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)
status test author Nasreddine Bencherchali (Nextron Systems) id 2d367498-5112-4ae5-a06a-96e7bc33a211
view Sigma YAML 
title: Suspicious Binary Writes Via AnyDesk
id: 2d367498-5112-4ae5-a06a-96e7bc33a211
status: test
description: |
    Detects AnyDesk writing binary files to disk other than "gcapi.dll".
    According to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll,
    which is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)
references:
    - https://redcanary.com/blog/misbehaving-rats/
    - https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-28
modified: 2025-02-24
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            - '\AnyDesk.exe'
            - '\AnyDeskMSI.exe'
        TargetFilename|endswith:
            - '.dll'
            - '.exe'
    filter_dlls:
        TargetFilename|endswith: '\gcapi.dll'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: high
high
Suspicious Mstsc.EXE Execution With Local RDP File
Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.
status test author Nasreddine Bencherchali (Nextron Systems) id 6e22722b-dfb1-4508-a911-49ac840b40f8
view Sigma YAML 
title: Suspicious Mstsc.EXE Execution With Local RDP File
id: 6e22722b-dfb1-4508-a911-49ac840b40f8
status: test
description: Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.
references:
    - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/
    - https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-18
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\mstsc.exe'
        - OriginalFileName: 'mstsc.exe'
    selection_extension:
        CommandLine|endswith:
            - '.rdp'
            - '.rdp"'
    selection_paths:
        # Note: This list of paths is better transformed into a whitelist where you only exclude legitimate locations you use in your env
        CommandLine|contains:
            - ':\Users\Public\'
            - ':\Windows\System32\spool\drivers\color'
            - ':\Windows\System32\Tasks_Migrated '
            - ':\Windows\Tasks\'
            - ':\Windows\Temp\'
            - ':\Windows\Tracing\'
            - '\AppData\Local\Temp\'
            # - '\Desktop\' # Could be source of FP depending on the environment
            - '\Downloads\' # Could be source of FP depending on the environment
    condition: all of selection_*
falsepositives:
    - Likelihood is related to how often the paths are used in the environment
level: high
high
Suspicious TSCON Start as SYSTEM
Detects a tscon.exe start as LOCAL SYSTEM
status test author Florian Roth (Nextron Systems) id 9847f263-4a81-424f-970c-875dab15b79b
view Sigma YAML 
title: Suspicious TSCON Start as SYSTEM
id: 9847f263-4a81-424f-970c-875dab15b79b
status: test
description: Detects a tscon.exe start as LOCAL SYSTEM
references:
    - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
    - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
    - https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement
author: Florian Roth (Nextron Systems)
date: 2018-03-17
modified: 2022-05-27
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
        Image|endswith: '\tscon.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Suspicious Velociraptor Child Process
Detects the suspicious use of the Velociraptor DFIR tool to execute other tools or download additional payloads, as seen in a campaign where it was abused for remote access and to stage further attacks.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) id 4bc90587-e6ca-4b41-be0b-ed4d04e4ed0c
view Sigma YAML 
title: Suspicious Velociraptor Child Process
id: 4bc90587-e6ca-4b41-be0b-ed4d04e4ed0c
status: experimental
description: Detects the suspicious use of the Velociraptor DFIR tool to execute other tools or download additional payloads, as seen in a campaign where it was abused for remote access and to stage further attacks.
references:
    - https://news.sophos.com/en-us/2025/08/26/velociraptor-incident-response-tool-abused-for-remote-access/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-08-29
tags:
    - attack.command-and-control
    - attack.persistence
    - attack.t1219
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\Velociraptor.exe'
    selection_child_vscode_tunnel:
        CommandLine|contains|all:
            - 'code.exe'
            - 'tunnel'
            - '--accept-server-license-terms'
    selection_child_msiexec:
        CommandLine|contains|all:
            - 'msiexec'
            - '/i'
            - 'http'
    selection_child_powershell:
        Image|endswith:
            - '\powershell.exe'
            - '\powershell_ise.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - 'Invoke-WebRequest '
            - 'IWR '
            - '.DownloadFile'
            - '.DownloadString'
    # Add more child process patterns as needed
    condition: selection_parent and 1 of selection_child_*
falsepositives:
    - Legitimate administrators or incident responders might use Velociraptor to execute scripts or tools. However, the combination of Velociraptor spawning these specific processes with these command lines is suspicious. Tuning may be required to exclude known administrative actions or specific scripts.
level: high
medium
Anydesk Temporary Artefact
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
status test author frack113 id 0b9ad457-2554-44c1-82c2-d56a99c42377
view Sigma YAML 
title: Anydesk Temporary Artefact
id: 0b9ad457-2554-44c1-82c2-d56a99c42377
status: test
description: |
    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows
author: frack113
date: 2022-02-11
modified: 2024-07-20
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains:
            - '\AppData\Roaming\AnyDesk\user.conf'
            - '\AppData\Roaming\AnyDesk\system.conf'
    condition: selection
falsepositives:
    - Legitimate use
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_anydesk_artefact/info.yml
medium
DNS Query To AzureWebsites.NET By Non-Browser Process
Detects a DNS query by a non browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.
status test author Nasreddine Bencherchali (Nextron Systems) id e043f529-8514-4205-8ab0-7f7d2927b400
view Sigma YAML 
title: DNS Query To AzureWebsites.NET By Non-Browser Process
id: e043f529-8514-4205-8ab0-7f7d2927b400
related:
    - id: 5c80b618-0dbb-46e6-acbb-03d90bcb6d83
      type: derived
status: test
description: |
    Detects a DNS query by a non browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.
references:
    - https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/
    - https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia
    - https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
    - https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-06-24
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    product: windows
    category: dns_query
detection:
    selection:
        QueryName|endswith: 'azurewebsites.net'
    filter_optional_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_optional_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_optional_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_optional_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_optional_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_optional_safari:
        Image|endswith: '\safari.exe'
    filter_optional_defender:
        Image|endswith:
            - '\MsMpEng.exe' # Microsoft Defender executable
            - '\MsSense.exe' # Windows Defender Advanced Threat Protection Service Executable
    filter_optional_brave:
        Image|endswith: '\brave.exe'
        Image|startswith: 'C:\Program Files\BraveSoftware\'
    filter_optional_maxthon:
        Image|contains: '\AppData\Local\Maxthon\'
        Image|endswith: '\maxthon.exe'
    filter_optional_opera:
        Image|contains: '\AppData\Local\Programs\Opera\'
        Image|endswith: '\opera.exe'
    filter_optional_seamonkey:
        Image|startswith:
            - 'C:\Program Files\SeaMonkey\'
            - 'C:\Program Files (x86)\SeaMonkey\'
        Image|endswith: '\seamonkey.exe'
    filter_optional_vivaldi:
        Image|contains: '\AppData\Local\Vivaldi\'
        Image|endswith: '\vivaldi.exe'
    filter_optional_whale:
        Image|startswith:
            - 'C:\Program Files\Naver\Naver Whale\'
            - 'C:\Program Files (x86)\Naver\Naver Whale\'
        Image|endswith: '\whale.exe'
    filter_optional_tor:
        Image|contains: '\Tor Browser\'
    filter_optional_whaterfox:
        Image|startswith:
            - 'C:\Program Files\Waterfox\'
            - 'C:\Program Files (x86)\Waterfox\'
        Image|endswith: '\Waterfox.exe'
    filter_optional_midori:
        Image|contains: '\AppData\Local\Programs\midori-ng\'
        Image|endswith: '\Midori Next Generation.exe'
    filter_optional_slimbrowser:
        Image|startswith:
            - 'C:\Program Files\SlimBrowser\'
            - 'C:\Program Files (x86)\SlimBrowser\'
        Image|endswith: '\slimbrowser.exe'
    filter_optional_flock:
        Image|contains: '\AppData\Local\Flock\'
        Image|endswith: '\Flock.exe'
    filter_optional_phoebe:
        Image|contains: '\AppData\Local\Phoebe\'
        Image|endswith: '\Phoebe.exe'
    filter_optional_falkon:
        Image|startswith:
            - 'C:\Program Files\Falkon\'
            - 'C:\Program Files (x86)\Falkon\'
        Image|endswith: '\falkon.exe'
    filter_optional_avant:
        Image|startswith:
            - 'C:\Program Files (x86)\Avant Browser\'
            - 'C:\Program Files\Avant Browser\'
        Image|endswith: '\avant.exe'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Likely with other browser software. Apply additional filters for any other browsers you might use.
level: medium
medium
DNS Query To Remote Access Software Domain From Non-Browser App
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
status test author frack113, Connor Martin id 4d07b1f4-cb00-4470-b9f8-b0191d48ff52
view Sigma YAML 
title: DNS Query To Remote Access Software Domain From Non-Browser App
id: 4d07b1f4-cb00-4470-b9f8-b0191d48ff52
related:
    - id: 71ba22cb-8a01-42e2-a6dd-5bf9b547498f
      type: obsolete
    - id: 7c4cf8e0-1362-48b2-a512-b606d2065d7d
      type: obsolete
    - id: ed785237-70fa-46f3-83b6-d264d1dc6eb4
      type: obsolete
status: test
description: |
    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution
    - https://redcanary.com/blog/misbehaving-rats/
    - https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
    - https://blog.sekoia.io/scattered-spider-laying-new-eggs/
    - https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization
author: frack113, Connor Martin
date: 2022-07-11
modified: 2024-12-17
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    product: windows
    category: dns_query
detection:
    selection_generic:
        QueryName|endswith:
            - 'agent.jumpcloud.com'
            - 'agentreporting.atera.com'
            - 'ammyy.com'
            - 'api.parsec.app'
            - 'api.playanext.com'
            - 'api.splashtop.com'
            - 'app.atera.com'
            - 'assist.zoho.com'
            - 'authentication.logmeininc.com'
            - 'beyondtrustcloud.com'
            - 'cdn.kaseya.net'
            - 'client.teamviewer.com'
            - 'comserver.corporate.beanywhere.com'
            - 'control.connectwise.com'
            - 'downloads.zohocdn.com'
            - 'dwservice.net'
            - 'express.gotoassist.com'
            - 'getgo.com'
            - 'getscreen.me'  # https://x.com/malmoeb/status/1868757130624614860?s=12&t=C0_T_re0wRP_NfKa27Xw9w
            - 'integratedchat.teamviewer.com'
            - 'join.zoho.com'
            - 'kickstart.jumpcloud.com'
            - 'license.bomgar.com'
            - 'logmein-gateway.com'
            - 'logmein.com'
            - 'logmeincdn.http.internapcdn.net'
            - 'n-able.com'
            - 'net.anydesk.com'
            - 'netsupportsoftware.com' # For NetSupport Manager RAT
            - 'parsecusercontent.com'
            - 'pubsub.atera.com'
            - 'relay.kaseya.net'
            - 'relay.screenconnect.com'
            - 'relay.splashtop.com'
            - 'remoteassistance.support.services.microsoft.com' # Quick Assist Application
            - 'remotedesktop-pa.googleapis.com'
            - 'remoteutilities.com' # Usage of Remote Utilities RAT
            - 'secure.logmeinrescue.com'
            - 'services.vnc.com'
            - 'static.remotepc.com'
            - 'swi-rc.com'
            - 'swi-tc.com'
            - 'tailscale.com' # Scattered Spider threat group used this RMM tool
            - 'telemetry.servers.qetqo.com'
            - 'tmate.io'
            - 'twingate.com'  # Scattered Spider threat group used this RMM tool
            - 'zohoassist.com'
    selection_rustdesk:  # https://twitter.com/malmoeb/status/1668504345132822531?s=20 and https://www.adamsdesk.com/posts/rustdesk-not-connecting/ mention this pattern
        QueryName|endswith: '.rustdesk.com'
        QueryName|startswith: 'rs-'
    # Exclude browsers for legitimate visits of the domains mentioned above
    # Add missing browsers you use and exclude the ones you don't
    filter_optional_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_optional_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_optional_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_optional_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_optional_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_optional_safari:
        Image|endswith: '\safari.exe'
    filter_optional_defender:
        Image|endswith:
            - '\MsMpEng.exe' # Microsoft Defender executable
            - '\MsSense.exe' # Windows Defender Advanced Threat Protection Service Executable
    filter_optional_brave:
        Image|endswith: '\brave.exe'
        Image|startswith: 'C:\Program Files\BraveSoftware\'
    filter_optional_maxthon:
        Image|contains: '\AppData\Local\Maxthon\'
        Image|endswith: '\maxthon.exe'
    filter_optional_opera:
        Image|contains: '\AppData\Local\Programs\Opera\'
        Image|endswith: '\opera.exe'
    filter_optional_seamonkey:
        Image|startswith:
            - 'C:\Program Files\SeaMonkey\'
            - 'C:\Program Files (x86)\SeaMonkey\'
        Image|endswith: '\seamonkey.exe'
    filter_optional_vivaldi:
        Image|contains: '\AppData\Local\Vivaldi\'
        Image|endswith: '\vivaldi.exe'
    filter_optional_whale:
        Image|startswith:
            - 'C:\Program Files\Naver\Naver Whale\'
            - 'C:\Program Files (x86)\Naver\Naver Whale\'
        Image|endswith: '\whale.exe'
    filter_optional_tor:
        Image|contains: '\Tor Browser\'
    filter_optional_whaterfox:
        Image|startswith:
            - 'C:\Program Files\Waterfox\'
            - 'C:\Program Files (x86)\Waterfox\'
        Image|endswith: '\Waterfox.exe'
    filter_optional_midori:
        Image|contains: '\AppData\Local\Programs\midori-ng\'
        Image|endswith: '\Midori Next Generation.exe'
    filter_optional_slimbrowser:
        Image|startswith:
            - 'C:\Program Files\SlimBrowser\'
            - 'C:\Program Files (x86)\SlimBrowser\'
        Image|endswith: '\slimbrowser.exe'
    filter_optional_flock:
        Image|contains: '\AppData\Local\Flock\'
        Image|endswith: '\Flock.exe'
    filter_optional_phoebe:
        Image|contains: '\AppData\Local\Phoebe\'
        Image|endswith: '\Phoebe.exe'
    filter_optional_falkon:
        Image|startswith:
            - 'C:\Program Files\Falkon\'
            - 'C:\Program Files (x86)\Falkon\'
        Image|endswith: '\falkon.exe'
    filter_optional_avant:
        Image|startswith:
            - 'C:\Program Files (x86)\Avant Browser\'
            - 'C:\Program Files\Avant Browser\'
        Image|endswith: '\avant.exe'
    condition: 1 of selection_* and not 1 of filter_optional_*
falsepositives:
    - Likely with other browser software. Apply additional filters for any other browsers you might use.
level: medium
medium
GoToAssist Temporary Installation Artefact
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
status test author frack113 id 5d756aee-ad3e-4306-ad95-cb1abec48de2
view Sigma YAML 
title: GoToAssist Temporary Installation Artefact
id: 5d756aee-ad3e-4306-ad95-cb1abec48de2
status: test
description: |
    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows
author: frack113
date: 2022-02-13
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains: '\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Expert\'
    condition: selection
falsepositives:
    - Legitimate use
level: medium
medium
Installation of TeamViewer Desktop
TeamViewer_Desktop.exe is create during install
status test author frack113 id 9711de76-5d4f-4c50-a94f-21e4e8f8384d
view Sigma YAML 
title: Installation of TeamViewer Desktop
id: 9711de76-5d4f-4c50-a94f-21e4e8f8384d
status: test
description: TeamViewer_Desktop.exe is create during install
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-1---teamviewer-files-detected-test-on-windows
author: frack113
date: 2022-01-28
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith: '\TeamViewer_Desktop.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Mesh Agent Service Installation
Detects a Mesh Agent service installation. Mesh Agent is used to remotely manage computers
status test author Nasreddine Bencherchali (Nextron Systems) id e0d1ad53-c7eb-48ec-a87a-72393cc6cedc
view Sigma YAML 
title: Mesh Agent Service Installation
id: e0d1ad53-c7eb-48ec-a87a-72393cc6cedc
status: test
description: Detects a Mesh Agent service installation. Mesh Agent is used to remotely manage computers
references:
    - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-11-28
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    product: windows
    service: system
detection:
    selection_root:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_service:
        - ImagePath|contains: 'MeshAgent.exe'
        - ServiceName|contains: 'Mesh Agent'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the tool
level: medium
medium
OpenEDR Spawning Command Shell
Detects the OpenEDR ssh-shellhost.exe spawning a command shell (cmd.exe) or PowerShell with PTY (pseudo-terminal) capabilities. This may indicate remote command execution through OpenEDR's remote management features, which could be legitimate administrative activity or potential abuse of the remote access tool. Threat actors may leverage OpenEDR's remote shell capabilities to execute commands on compromised systems, facilitating lateral movement or other command-and-control operations.
status experimental author @kostastsale id 7f3a9c2d-4e8b-4a7f-9d3e-5c6f8a9b2e1d
view Sigma YAML 
title: OpenEDR Spawning Command Shell
id: 7f3a9c2d-4e8b-4a7f-9d3e-5c6f8a9b2e1d
status: experimental
description: |
    Detects the OpenEDR ssh-shellhost.exe spawning a command shell (cmd.exe) or PowerShell with PTY (pseudo-terminal) capabilities.
    This may indicate remote command execution through OpenEDR's remote management features, which could be legitimate administrative activity or potential abuse of the remote access tool.
    Threat actors may leverage OpenEDR's remote shell capabilities to execute commands on compromised systems, facilitating lateral movement or other command-and-control operations.
author: '@kostastsale'
date: 2026-02-19
references:
    - https://kostas-ts.medium.com/detecting-abuse-of-openedrs-permissive-edr-trial-a-security-researcher-s-perspective-fc55bf53972c
tags:
    - attack.execution
    - attack.t1059.003
    - attack.lateral-movement
    - attack.t1021.004
    - attack.command-and-control
    - attack.t1219
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        ParentImage|endswith: '\ITSMService.exe'
        Image|endswith: '\ssh-shellhost.exe'
        CommandLine|contains: '--pty'
    selection_cli_shell:
        CommandLine|contains:
            - 'bash'
            - 'cmd'
            - 'powershell'
            - 'pwsh'
    condition: all of selection_*
falsepositives:
    - Legitimate use of OpenEDR for remote command execution
level: medium
medium
Potential Amazon SSM Agent Hijacking
Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
status test author Muhammad Faisal id d20ee2f4-822c-4827-9e15-41500b1fff10
view Sigma YAML 
title: Potential Amazon SSM Agent Hijacking
id: d20ee2f4-822c-4827-9e15-41500b1fff10
status: test
description: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
references:
    - https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan
    - https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/
    - https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/
author: Muhammad Faisal
date: 2023-08-02
tags:
    - attack.command-and-control
    - attack.persistence
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\amazon-ssm-agent.exe'
        CommandLine|contains|all:
            - '-register '
            - '-code '
            - '-id '
            - '-region '
    condition: selection
falsepositives:
    - Legitimate activity of system administrators
level: medium
medium
Potential Linux Amazon SSM Agent Hijacking
Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
status test author Muhammad Faisal id f9b3edc5-3322-4fc7-8aa3-245d646cc4b7
view Sigma YAML 
title: Potential Linux Amazon SSM Agent Hijacking
id: f9b3edc5-3322-4fc7-8aa3-245d646cc4b7
status: test
description: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
references:
    - https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan
    - https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/
    - https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/
author: Muhammad Faisal
date: 2023-08-03
tags:
    - attack.command-and-control
    - attack.persistence
    - attack.t1219.002
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/amazon-ssm-agent'
        CommandLine|contains|all:
            - '-register '
            - '-code '
            - '-id '
            - '-region '
    condition: selection
falsepositives:
    - Legitimate activity of system administrators
level: medium
medium
Potential Remote Desktop Connection to Non-Domain Host
Detects logons using NTLM to hosts that are potentially not part of the domain.
status test author James Pemberton id ce5678bb-b9aa-4fb5-be4b-e57f686256ad
view Sigma YAML 
title: Potential Remote Desktop Connection to Non-Domain Host
id: ce5678bb-b9aa-4fb5-be4b-e57f686256ad
status: test
description: Detects logons using NTLM to hosts that are potentially not part of the domain.
references:
    - n/a
author: James Pemberton
date: 2020-05-22
modified: 2021-11-27
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    product: windows
    service: ntlm
    definition: Requires events from Microsoft-Windows-NTLM/Operational
detection:
    selection:
        EventID: 8001
        TargetName|startswith: 'TERMSRV'
    condition: selection
falsepositives:
    - Host connections to valid domains, exclude these.
    - Host connections not using host FQDN.
    - Host connections to external legitimate domains.
level: medium
medium
Potentially Suspicious File Creation by OpenEDR's ITSMService
Detects the creation of potentially suspicious files by OpenEDR's ITSMService process. The ITSMService is responsible for remote management operations and can create files on the system through the Process Explorer or file management features. While legitimate for IT operations, creation of executable or script files could indicate unauthorized file uploads, data staging, or malicious file deployment.
status experimental author @kostastsale id 9e4b7d3a-6f2c-4e9a-8d1b-3c5e7a9f2b4d
view Sigma YAML 
title: Potentially Suspicious File Creation by OpenEDR's ITSMService
id: 9e4b7d3a-6f2c-4e9a-8d1b-3c5e7a9f2b4d
status: experimental
description: |
    Detects the creation of potentially suspicious files by OpenEDR's ITSMService process.
    The ITSMService is responsible for remote management operations and can create files on the system through the Process Explorer or file management features.
    While legitimate for IT operations, creation of executable or script files could indicate unauthorized file uploads, data staging, or malicious file deployment.
author: '@kostastsale'
date: 2026-02-19
references:
    - https://kostas-ts.medium.com/detecting-abuse-of-openedrs-permissive-edr-trial-a-security-researcher-s-perspective-fc55bf53972c
tags:
    - attack.command-and-control
    - attack.t1105
    - attack.lateral-movement
    - attack.t1570
    - attack.t1219
logsource:
    product: windows
    category: file_event
detection:
    selection_process:
        Image|endswith: '\COMODO\Endpoint Manager\ITSMService.exe'
    selection_suspicious_extensions:
        TargetFilename|endswith:
            - '.7z'
            - '.bat'
            - '.cmd'
            - '.com'
            - '.dll'
            - '.exe'
            - '.hta'
            - '.js'
            - '.pif'
            - '.ps1'
            - '.rar'
            - '.scr'
            - '.vbe'
            - '.vbs'
            - '.zip'
    condition: all of selection_*
falsepositives:
    - Legitimate OpenEDR file management operations
    - Authorized remote file uploads by IT administrators
    - Software deployment through OpenEDR console
level: medium
medium
Remote Access Tool - AnyDesk Execution
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
status test author frack113 id b52e84a3-029e-4529-b09b-71d19dd27e94
view Sigma YAML 
title: Remote Access Tool - AnyDesk Execution
id: b52e84a3-029e-4529-b09b-71d19dd27e94
status: test
related:
    - id: 065b00ca-5d5c-4557-ac95-64a6d0b64d86
      type: similar
description: |
    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows
    - https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/
author: frack113
date: 2022-02-11
modified: 2025-02-24
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith:
              - '\AnyDesk.exe'
              - '\AnyDeskMSI.exe'
        - Description: AnyDesk
        - Product: AnyDesk
        - Company: AnyDesk Software GmbH
    condition: selection
falsepositives:
    - Legitimate use
level: medium
medium
Remote Access Tool - AnyDesk Incoming Connection
Detects incoming connections to AnyDesk. This could indicate a potential remote attacker trying to connect to a listening instance of AnyDesk and use it as potential command and control channel.
status experimental author @d4ns4n_ (Wuerth-Phoenix) id d58ba5c6-0ed7-4b9d-a433-6878379efda9
view Sigma YAML 
title: Remote Access Tool - AnyDesk Incoming Connection
id: d58ba5c6-0ed7-4b9d-a433-6878379efda9
status: experimental
description: |
    Detects incoming connections to AnyDesk. This could indicate a potential remote attacker trying to connect to a listening instance of AnyDesk and use it as potential command and control channel.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows
    - https://asec.ahnlab.com/en/40263/
author: '@d4ns4n_ (Wuerth-Phoenix)'
date: 2024-09-02
modified: 2025-02-24
tags:
    - attack.persistence
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith:
            - '\AnyDesk.exe'
            - '\AnyDeskMSI.exe'
        Initiated: 'false' # If the network connection is initiated remotely (incoming), the field is set to false.
    condition: selection
falsepositives:
    - Legitimate incoming connections (e.g. sysadmin activity). Most of the time I would expect outgoing connections (initiated locally).
level: medium
medium
Remote Access Tool - AnyDesk Piped Password Via CLI
Detects piping the password to an anydesk instance via CMD and the '--set-password' flag.
status test author Nasreddine Bencherchali (Nextron Systems) id b1377339-fda6-477a-b455-ac0923f9ec2c
view Sigma YAML 
title: Remote Access Tool - AnyDesk Piped Password Via CLI
id: b1377339-fda6-477a-b455-ac0923f9ec2c
status: test
description: Detects piping the password to an anydesk instance via CMD and the '--set-password' flag.
references:
    - https://redcanary.com/blog/misbehaving-rats/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-28
modified: 2023-03-05
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            # Example: C:\WINDOWS\system32\cmd.exe /C cmd.exe /c echo J9kzQ2Y0qO |C:\ProgramData\anydesk.exe --set-password
            - '/c '
            - 'echo '
            - '.exe --set-password'
    condition: selection
falsepositives:
    - Legitimate piping of the password to anydesk
    - Some FP could occur with similar tools that uses the same command line '--set-password'
level: medium
medium
Remote Access Tool - GoToAssist Execution
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
status test author frack113 id b6d98a4f-cef0-4abf-bbf6-24132854a83d
view Sigma YAML 
title: Remote Access Tool - GoToAssist Execution
id: b6d98a4f-cef0-4abf-bbf6-24132854a83d
status: test
description: |
    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows
author: frack113
date: 2022-02-13
modified: 2023-03-05
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Description: 'GoTo Opener'
        - Product: 'GoTo Opener'
        - Company: 'LogMeIn, Inc.'
    condition: selection
falsepositives:
    - Legitimate use
level: medium
medium
Remote Access Tool - LogMeIn Execution
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
status test author frack113 id d85873ef-a0f8-4c48-a53a-6b621f11729d
view Sigma YAML 
title: Remote Access Tool - LogMeIn Execution
id: d85873ef-a0f8-4c48-a53a-6b621f11729d
status: test
description: |
    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows
author: frack113
date: 2022-02-11
modified: 2023-03-05
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Description: LMIGuardianSvc
        - Product: LMIGuardianSvc
        - Company: LogMeIn, Inc.
    condition: selection
falsepositives:
    - Legitimate use
level: medium
medium
Remote Access Tool - MeshAgent Command Execution via MeshCentral
Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly. MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.
status test author @Kostastsale id 74a2b202-73e0-4693-9a3a-9d36146d0775
view Sigma YAML 
title: Remote Access Tool - MeshAgent Command Execution via MeshCentral
id: 74a2b202-73e0-4693-9a3a-9d36146d0775
status: test
description: |
    Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly.
    MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.
references:
    - https://github.com/Ylianst/MeshAgent
    - https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-dispatcher.js#L173
    - https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-info.js#L55
author: '@Kostastsale'
date: 2024-09-22
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith: '\meshagent.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
    condition: selection
falsepositives:
    - False positives can be found in environments using MeshAgent for remote management, analysis should prioritize the grandparent process, MeshAgent.exe, and scrutinize the resulting child processes triggered by any suspicious interactive commands directed at the target host.
level: medium
medium
Remote Access Tool - NetSupport Execution
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
status test author frack113 id 758ff488-18d5-4cbe-8ec4-02b6285a434f
view Sigma YAML 
title: Remote Access Tool - NetSupport Execution
id: 758ff488-18d5-4cbe-8ec4-02b6285a434f
status: test
description: |
    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md
author: frack113
date: 2022-09-25
modified: 2023-03-06
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Description: NetSupport Client Configurator
        - Product: NetSupport Remote Control
        - Company: NetSupport Ltd
        - OriginalFileName: PCICFGUI.EXE
    condition: selection
falsepositives:
    - Legitimate use
level: medium
medium
Remote Access Tool - Potential MeshAgent Execution - MacOS
Detects potential execution of MeshAgent which is a tool used for remote access. Historical data shows that threat actors rename MeshAgent binary to evade detection. Matching command lines with the '--meshServiceName' argument can indicate that the MeshAgent is being used for remote access.
status experimental author Norbert Jaśniewicz (AlphaSOC) id 22c45af6-f590-4d44-bab3-b5b2d2a2b6d9
view Sigma YAML 
title: Remote Access Tool - Potential MeshAgent Execution - MacOS
id: 22c45af6-f590-4d44-bab3-b5b2d2a2b6d9
related:
    - id: 2fbbe9ff-0afc-470b-bdc0-592198339968
      type: similar
status: experimental
description: |
    Detects potential execution of MeshAgent which is a tool used for remote access.
    Historical data shows that threat actors rename MeshAgent binary to evade detection.
    Matching command lines with the '--meshServiceName' argument can indicate that the MeshAgent is being used for remote access.
references:
    - https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access
    - https://thecyberexpress.com/ukraine-hit-by-meshagent-malware-campaign/
    - https://wazuh.com/blog/how-to-detect-meshagent-with-wazuh/
    - https://www.security.com/threat-intelligence/medusa-ransomware-attacks
author: Norbert Jaśniewicz (AlphaSOC)
date: 2025-05-19
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        CommandLine|contains: '--meshServiceName'
    condition: selection
falsepositives:
    - Environments that legitimately use MeshAgent
level: medium
medium
Remote Access Tool - Potential MeshAgent Execution - Windows
Detects potential execution of MeshAgent which is a tool used for remote access. Historical data shows that threat actors rename MeshAgent binary to evade detection. Matching command lines with the '--meshServiceName' argument can indicate that the MeshAgent is being used for remote access.
status experimental author Norbert Jaśniewicz (AlphaSOC) id 2fbbe9ff-0afc-470b-bdc0-592198339968
view Sigma YAML 
title: Remote Access Tool - Potential MeshAgent Execution - Windows
id: 2fbbe9ff-0afc-470b-bdc0-592198339968
related:
    - id: 22c45af6-f590-4d44-bab3-b5b2d2a2b6d9
      type: similar
status: experimental
description: |
    Detects potential execution of MeshAgent which is a tool used for remote access.
    Historical data shows that threat actors rename MeshAgent binary to evade detection.
    Matching command lines with the '--meshServiceName' argument can indicate that the MeshAgent is being used for remote access.
references:
    - https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access
    - https://thecyberexpress.com/ukraine-hit-by-meshagent-malware-campaign/
    - https://wazuh.com/blog/how-to-detect-meshagent-with-wazuh/
    - https://www.security.com/threat-intelligence/medusa-ransomware-attacks
author: Norbert Jaśniewicz (AlphaSOC)
date: 2025-05-19
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: '--meshServiceName'
    condition: selection
falsepositives:
    - Environments that legitimately use MeshAgent
level: medium
medium
Remote Access Tool - ScreenConnect Execution
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
status test author frack113 id 57bff678-25d1-4d6c-8211-8ca106d12053
view Sigma YAML 
title: Remote Access Tool - ScreenConnect Execution
id: 57bff678-25d1-4d6c-8211-8ca106d12053
status: test
description: |
    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows
author: frack113
date: 2022-02-13
modified: 2023-03-05
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Description: 'ScreenConnect Service'
        - Product: 'ScreenConnect'
        - Company: 'ScreenConnect Software'
    condition: selection
falsepositives:
    - Legitimate usage of the tool
level: medium
medium
Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution
Detects potentially suspicious child processes launched via the ScreenConnect client service.
status test author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @Kostastsale id 7b582f1a-b318-4c6a-bf4e-66fe49bf55a5
view Sigma YAML 
title: Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution
id: 7b582f1a-b318-4c6a-bf4e-66fe49bf55a5
related:
    - id: d1a401ab-8c47-4e86-a7d8-2460b6a53e4a
      type: derived
status: test
description: |
    Detects potentially suspicious child processes launched via the ScreenConnect client service.
references:
    - https://www.mandiant.com/resources/telegram-malware-iranian-espionage
    - https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode
    - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
    - https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @Kostastsale
date: 2022-02-25
modified: 2024-02-28
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentCommandLine|contains|all:
            - ':\Windows\TEMP\ScreenConnect\'
            - 'run.cmd'
        Image|endswith:
            - '\bitsadmin.exe'
            - '\cmd.exe'
            - '\curl.exe'
            - '\dllhost.exe'
            - '\net.exe'
            - '\nltest.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\rundll32.exe'
            - '\wevtutil.exe'
    condition: selection
falsepositives:
    - If the script being executed make use of any of the utilities mentioned in the detection then they should filtered out or allowed.
level: medium
medium
Remote Access Tool - Simple Help Execution
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
status test author Nasreddine Bencherchali (Nextron Systems) id 95e60a2b-4705-444b-b7da-ba0ea81a3ee2
view Sigma YAML 
title: Remote Access Tool - Simple Help Execution
id: 95e60a2b-4705-444b-b7da-ba0ea81a3ee2
status: test
description: |
    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
    - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-02-23
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|contains:
            - '\JWrapper-Remote Access\'
            - '\JWrapper-Remote Support\'
        Image|endswith: '\SimpleService.exe'
    condition: selection
falsepositives:
    - Legitimate usage of the tool
level: medium
medium
Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server
Detects TacticalRMM agent installations where the --api, --auth, and related flags are used on the command line. These parameters configure the agent to connect to a specific RMM server with authentication, client ID, and site ID. This technique could indicate a threat actor attempting to register the agent with an attacker-controlled RMM infrastructure silently.
status experimental author Ahmed Nosir (@egycondor) id 2db93a3f-3249-4f73-9e68-0e77a0f8ae7e
view Sigma YAML 
title: Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server
id: 2db93a3f-3249-4f73-9e68-0e77a0f8ae7e
status: experimental
description: |
    Detects TacticalRMM agent installations where the --api, --auth, and related flags are used on the command line.
    These parameters configure the agent to connect to a specific RMM server with authentication, client ID, and site ID.
    This technique could indicate a threat actor attempting to register the agent with an attacker-controlled RMM infrastructure silently.
references:
    - https://github.com/amidaware/tacticalrmm
    - https://apophis133.medium.com/powershell-script-tactical-rmm-installation-45afb639eff3
author: Ahmed Nosir (@egycondor)
date: 2025-05-29
tags:
    - attack.command-and-control
    - attack.t1219
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|contains: '\TacticalAgent\tacticalrmm.exe'
        CommandLine|contains|all:
            - '--api'
            - '--auth'
            - '--client-id'
            - '--site-id'
            - '--agent-type'
    condition: selection
falsepositives:
    - Legitimate system administrator deploying TacticalRMM
level: medium
medium
Remote Access Tool - UltraViewer Execution
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
status test author frack113 id 88656cec-6c3b-487c-82c0-f73ebb805503
view Sigma YAML 
title: Remote Access Tool - UltraViewer Execution
id: 88656cec-6c3b-487c-82c0-f73ebb805503
status: test
description: |
    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md
author: frack113
date: 2022-09-25
modified: 2024-03-14
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Product: 'UltraViewer'
        - Company: 'DucFabulous Co,ltd'
        - OriginalFileName: 'UltraViewer_Desktop.exe'
    condition: selection
falsepositives:
    - Legitimate use
level: medium
medium
ScreenConnect Temporary Installation Artefact
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
status test author frack113 id fec96f39-988b-4586-b746-b93d59fd1922
view Sigma YAML 
title: ScreenConnect Temporary Installation Artefact
id: fec96f39-988b-4586-b746-b93d59fd1922
status: test
description: |
    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows
author: frack113
date: 2022-02-13
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains: '\Bin\ScreenConnect.' # pattern to dll and jar file
    condition: selection
falsepositives:
    - Legitimate use
level: medium
medium
TacticalRMM Service Installation
Detects a TacticalRMM service installation. Tactical RMM is a remote monitoring & management tool.
status test author Nasreddine Bencherchali (Nextron Systems) id 4bb79b62-ef12-4861-981d-2aab43fab642
view Sigma YAML 
title: TacticalRMM Service Installation
id: 4bb79b62-ef12-4861-981d-2aab43fab642
status: test
description: Detects a TacticalRMM service installation. Tactical RMM is a remote monitoring & management tool.
references:
    - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-11-28
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    product: windows
    service: system
detection:
    selection_root:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_service:
        - ImagePath|contains: 'tacticalrmm.exe'
        - ServiceName|contains: 'TacticalRMM Agent Service'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the tool
level: medium
medium
TeamViewer Domain Query By Non-TeamViewer Application
Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation)
status test author Florian Roth (Nextron Systems) id 778ba9a8-45e4-4b80-8e3e-34a419f0b85e
view Sigma YAML 
title: TeamViewer Domain Query By Non-TeamViewer Application
id: 778ba9a8-45e4-4b80-8e3e-34a419f0b85e
status: test
description: Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation)
references:
    - https://www.teamviewer.com/en-us/
author: Florian Roth (Nextron Systems)
date: 2022-01-30
modified: 2023-09-18
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    product: windows
    category: dns_query
detection:
    selection:
        QueryName:
            - 'taf.teamviewer.com'
            - 'udp.ping.teamviewer.com'
    filter_main_teamviewer:
        # Note: To avoid evasion based on similar names. Best add full install location of TeamViewer
        Image|contains: 'TeamViewer'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown binary names of TeamViewer
    - Depending on the environment the rule might require some initial tuning before usage to avoid FP with third party applications
level: medium
medium
TeamViewer Remote Session
Detects the creation of log files during a TeamViewer remote session
status test author Florian Roth (Nextron Systems) id 162ab1e4-6874-4564-853c-53ec3ab8be01
view Sigma YAML 
title: TeamViewer Remote Session
id: 162ab1e4-6874-4564-853c-53ec3ab8be01
status: test
description: Detects the creation of log files during a TeamViewer remote session
references:
    - https://www.teamviewer.com/en-us/
author: Florian Roth (Nextron Systems)
date: 2022-01-30
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    product: windows
    category: file_event
detection:
    selection1:
        TargetFilename|endswith:
            - '\TeamViewer\RemotePrinting\tvprint.db'
            - '\TeamViewer\TVNetwork.log'
    selection2:
        TargetFilename|contains|all:
            - '\TeamViewer'
            - '_Logfile.log'
    condition: 1 of selection*
falsepositives:
    - Legitimate uses of TeamViewer in an organisation
level: medium
medium
Use of UltraVNC Remote Access Software
An adversary may use legitimate desktop support and remote access software,to establish an interactive command and control channel to target systems within networks
status test author frack113 id 145322e4-0fd3-486b-81ca-9addc75736d8
view Sigma YAML 
title: Use of UltraVNC Remote Access Software
id: 145322e4-0fd3-486b-81ca-9addc75736d8
status: test
description: An adversary may use legitimate desktop support and remote access software,to establish an interactive command and control channel to target systems within networks
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1219/T1219.md
author: frack113
date: 2022-10-02
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Description: VNCViewer
        - Product: UltraVNC VNCViewer
        - Company: UltraVNC
        - OriginalFileName: VNCViewer.exe
    condition: selection
falsepositives:
    - Legitimate use
level: medium
medium
Visual Studio Code Tunnel Execution
Detects Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel
status test author Nasreddine Bencherchali (Nextron Systems), citron_ninja id 90d6bd71-dffb-4989-8d86-a827fedd6624
view Sigma YAML 
title: Visual Studio Code Tunnel Execution
id: 90d6bd71-dffb-4989-8d86-a827fedd6624
status: test
description: Detects Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel
references:
    - https://ipfyx.fr/post/visual-studio-code-tunnel/
    - https://badoption.eu/blog/2023/01/31/code_c2.html
    - https://code.visualstudio.com/docs/remote/tunnels
author: Nasreddine Bencherchali (Nextron Systems), citron_ninja
date: 2023-10-25
modified: 2025-10-29
tags:
    - attack.command-and-control
    - attack.t1071.001
    - attack.t1219
logsource:
    category: process_creation
    product: windows
detection:
    selection_only_tunnel:
        OriginalFileName: null
        CommandLine|endswith: '.exe tunnel'
    selection_tunnel_args:
        CommandLine|contains|all:
            - '.exe tunnel'
            - '--accept-server-license-terms'
    selection_parent_tunnel:
        ParentCommandLine|endswith: ' tunnel'
        Image|endswith: '\cmd.exe'
        CommandLine|contains|all:
            - '/d /c '
            - '\servers\Stable-'
            - 'code-server.cmd'
    condition: 1 of selection_*
falsepositives:
    - Legitimate use of Visual Studio Code tunnel
level: medium
low
Mstsc.EXE Execution With Local RDP File
Detects potential RDP connection via Mstsc using a local ".rdp" file
status test author Nasreddine Bencherchali (Nextron Systems), Christopher Peacock @securepeacock id 5fdce3ac-e7f9-4ecd-a3aa-a4d78ebbf0af
view Sigma YAML 
title: Mstsc.EXE Execution With Local RDP File
id: 5fdce3ac-e7f9-4ecd-a3aa-a4d78ebbf0af
status: test
description: Detects potential RDP connection via Mstsc using a local ".rdp" file
references:
    - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/
    - https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/
author: Nasreddine Bencherchali (Nextron Systems), Christopher Peacock @securepeacock
date: 2023-04-18
modified: 2023-04-30
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\mstsc.exe'
        - OriginalFileName: 'mstsc.exe'
    selection_cli:
        CommandLine|endswith:
            - '.rdp'
            - '.rdp"'
    filter_optional_wsl:
        ParentImage: 'C:\Windows\System32\lxss\wslhost.exe'
        CommandLine|contains: 'C:\ProgramData\Microsoft\WSL\wslg.rdp'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - Likely with legitimate usage of ".rdp" files
level: low
low
QuickAssist Execution
Detects the execution of Microsoft Quick Assist tool "QuickAssist.exe". This utility can be used by attackers to gain remote access.
status experimental author Muhammad Faisal (@faisalusuf) id e20b5b14-ce93-4230-88af-981983ef6e74
view Sigma YAML 
title: QuickAssist Execution
id: e20b5b14-ce93-4230-88af-981983ef6e74
status: experimental
description: |
    Detects the execution of Microsoft Quick Assist tool "QuickAssist.exe". This utility can be used by attackers to gain remote access.
references:
    - https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/
    - https://www.linkedin.com/posts/kevin-beaumont-security_ive-been-assisting-a-few-orgs-hit-with-successful-activity-7268055739116445701-xxjZ/
    - https://x.com/cyb3rops/status/1862406110365245506
    - https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist
author: Muhammad Faisal (@faisalusuf)
date: 2024-12-19
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\QuickAssist.exe'
    condition: selection
falsepositives:
    - Legitimate use of Quick Assist in the environment.
level: low
Showing 1-47 of 47
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin