Detect Remote Access Software Usage DNS

Splunk Security Content

Summary
This detection identifies DNS queries for domains associated with known remote access software, including AnyDesk, GoToMyPC, LogMeIn and TeamViewer. Adversaries install or abuse these legitimate tools to keep hands-on access to compromised hosts, a step that commonly precedes data theft or ransomware deployment. The rule exists so that SOC analysts can quickly spot remote access tooling that is not part of the sanctioned IT toolset and investigate it before that access is used. It runs over Sysmon Event ID 22 (DNS query) telemetry and matches the queried name against a list of remote access software domains, so a query for a vendor's relay or update infrastructure from an endpoint surfaces even when the executable itself was renamed. Expect benign matches where the tool is in sanctioned use; filter on the querying process path or on an approved-host list rather than suppressing the vendor domains wholesale. The rule is tagged with the corresponding MITRE ATT&CK technique so that coverage can be mapped against known adversary behaviour.
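The matching logic described above, reduced to an offline script so it can be run and tested without Splunk. This is an added example, not the Splunk Security Content detection itself: the domain lookup, the sanctioned-image allowlist, the key=value rendering of Sysmon Event ID 22 and the sample events are all constructed here for illustration, and a production lookup would be far longer. The point it shows that the summary does not is the matching discipline: names are lowercased, the trailing root-zone dot is stripped, and a suffix match is anchored on a label boundary so that `notanydesk.com` does not fire while `relay.net.anydesk.com` does.

```python
import re

# Constructed, illustrative lookup of DNS suffix -> product name (assumption;
# Splunk ships its own, much larger, remote access software lookup).
REMOTE_ACCESS_DOMAINS = {
    "anydesk.com": "AnyDesk",
    "gotomypc.com": "GoToMyPC",
    "logmein.com": "LogMeIn",
    "teamviewer.com": "TeamViewer",
}

# Constructed allowlist of executables the IT team has approved (assumption).
# Matches against these are still reported, just flagged as sanctioned.
SANCTIONED_IMAGES = {
    r"c:\program files\teamviewer\teamviewer.exe",
}

# Constructed sample events in a flat key=value rendering of Sysmon fields
# (EventCode, Computer, Image, QueryName are real Sysmon field names).
SAMPLE_EVENTS = [
    r"EventCode=22 Computer=WS01 Image=C:\Users\a\Downloads\AnyDesk.exe QueryName=relay-abc.net.anydesk.com",
    r"EventCode=22 Computer=WS02 Image=C:\Program Files\Mozilla Firefox\firefox.exe QueryName=www.example.com",
    r"EventCode=22 Computer=WS03 Image=C:\Windows\System32\svchost.exe QueryName=notanydesk.com",
    r"EventCode=3 Computer=WS04 Image=C:\Windows\explorer.exe QueryName=teamviewer.com",
    r"EventCode=22 Computer=WS05 Image=C:\Program Files\TeamViewer\TeamViewer.exe QueryName=master1.teamviewer.com.",
]

# Image may contain spaces, so it is matched lazily up to the QueryName field.
EVENT_RE = re.compile(
    r"EventCode=(?P<code>\d+) Computer=(?P<computer>\S+) "
    r"Image=(?P<image>.*?) QueryName=(?P<query>\S+)$"
)


def normalize(qname: str) -> str:
    """Lowercase and drop a trailing root dot so 'Foo.COM.' equals 'foo.com'."""
    return qname.rstrip(".").lower()


def match_remote_access(qname: str):
    """Return the product whose domain the query name equals or is a subdomain of.

    The suffix check prepends a dot so the match is anchored on a label
    boundary: 'notanydesk.com' must not match 'anydesk.com'.
    """
    q = normalize(qname)
    for domain, product in REMOTE_ACCESS_DOMAINS.items():
        if q == domain or q.endswith("." + domain):
            return product
    return None


def detect(lines, sanctioned_images=SANCTIONED_IMAGES):
    """Run the detection over rendered events; return one hit per matching EID 22 query."""
    hits = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m or m.group("code") != "22":
            continue  # only Sysmon DNS query events are in scope
        product = match_remote_access(m.group("query"))
        if product is None:
            continue
        image = m.group("image")
        hits.append({
            "computer": m.group("computer"),
            "image": image,
            "query": normalize(m.group("query")),
            "product": product,
            "sanctioned": image.lower() in sanctioned_images,
        })
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Running the script reports two hits: the AnyDesk relay lookup from an executable in a user's Downloads folder (unsanctioned, the case worth an analyst's time) and the TeamViewer lookup from the approved install path (flagged sanctioned). The `svchost.exe` query for `notanydesk.com` and the non-DNS event are correctly ignored.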
Categories
  • Endpoint
Data Sources
  • Sysmon Event ID 22 (DNS query)
ATT&CK Techniques
  • T1219
Created: 2024-11-15