
Summary
This detection rule identifies temporary installation artifacts left on disk by the GoToAssist remote support tool. Adversaries abuse legitimate support software such as GoToAssist to establish command and control, because these tools are commercially signed, widely deployed and often allow-listed by application control policies. The rule watches file events (file creation) and fires when the target filename contains a path fragment specific to GoToAssist, which is also how the tool appears in unauthorized remote access scenarios. Because the same software is used for legitimate support, the rule will produce false positives wherever GoToAssist is used as intended; an analyst should confirm who launched the installer, whether a support ticket or change request explains it, and whether the account and host are ones expected to run remote support tooling before escalating. The rule maps to ATT&CK technique T1219 (Remote Access Software), is rated medium severity, and is most useful in environments where legitimate and unauthorized use of remote access tools could overlap.
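The matching logic described above, shown as an added Python example over constructed Sysmon-style file-create events. This is not the rule's own code: the path fragment used for the substring match, the field names, the sample events and the allow-list of expected support accounts are all assumptions made for illustration, not values taken from the rule. It demonstrates the three things a practitioner cares about here: the match is a case-insensitive "contains" on the target filename, it applies only to file-creation events, and a hit still needs context (writing process, account) to separate legitimate support sessions from abuse.

```python
# Added example: Sigma-style "TargetFilename contains" matching for GoToAssist
# installation artifacts, plus the triage context an analyst needs.
# Not the rule's own implementation; fragments, users and events are assumed.

# Assumed path fragment (illustrative; not copied from the real rule).
GOTOASSIST_FRAGMENTS = (
    r"\GoToAssist Remote Support Customer_",
)

# Hypothetical allow-list of accounts that are expected to run support tooling.
# Anything else that drops these artifacts deserves a closer look.
EXPECTED_SUPPORT_USERS = frozenset({r"CORP\helpdesk-svc"})

SYSMON_FILE_CREATE = 11   # Sigma's file_event category maps to this Sysmon event
SYSMON_FILE_DELETE = 23   # also carries TargetFilename, but is not a creation


def gotoassist_artifact_match(event, fragments=GOTOASSIST_FRAGMENTS):
    """Return True when a file-create event writes a GoToAssist artifact.

    Sigma's 'contains' modifier is case-insensitive, so both sides are
    lower-cased before the substring test.
    """
    if event.get("EventID") != SYSMON_FILE_CREATE:
        return False
    target = event.get("TargetFilename", "").lower()
    return any(frag.lower() in target for frag in fragments)


def classify(event):
    """Turn a raw match into an alert record with the context for triage."""
    if not gotoassist_artifact_match(event):
        return None
    user = event.get("User", "")
    return {
        "TargetFilename": event["TargetFilename"],
        "Image": event.get("Image", ""),      # process that wrote the file
        "User": user,
        "severity": "medium",
        "technique": "T1219",
        # Assumed heuristic: writes by a known support account are probably benign.
        "likely_false_positive": user in EXPECTED_SUPPORT_USERS,
    }


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # user-downloaded installer unpacking into %TEMP%: should alert
        "EventID": SYSMON_FILE_CREATE,
        "Image": r"C:\Users\jdoe\Downloads\GoToAssist.exe",
        "User": r"CORP\jdoe",
        "TargetFilename": r"C:\Users\jdoe\AppData\Local\Temp"
                          r"\GoToAssist Remote Support Customer_12345\support.exe",
    },
    {   # unrelated browser cache write: must not alert
        "EventID": SYSMON_FILE_CREATE,
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "User": r"CORP\jdoe",
        "TargetFilename": r"C:\Users\jdoe\AppData\Local\Google\Chrome"
                          r"\User Data\Default\Cache\f_00001",
    },
    {   # same artifact, different casing, written by the help-desk account
        "EventID": SYSMON_FILE_CREATE,
        "Image": r"C:\Windows\Temp\gotoassist_setup.exe",
        "User": r"CORP\helpdesk-svc",
        "TargetFilename": r"C:\WINDOWS\TEMP"
                          r"\GOTOASSIST REMOTE SUPPORT CUSTOMER_77\SUPPORT.EXE",
    },
    {   # deletion of the artifact: same path, but not a file-create event
        "EventID": SYSMON_FILE_DELETE,
        "Image": r"C:\Users\jdoe\Downloads\GoToAssist.exe",
        "User": r"CORP\jdoe",
        "TargetFilename": r"C:\Users\jdoe\AppData\Local\Temp"
                          r"\GoToAssist Remote Support Customer_12345\support.exe",
    },
]


def run_detection(events=SAMPLE_EVENTS):
    """Run the rule over a list of events and return the alert records."""
    return [hit for hit in map(classify, events) if hit is not None]


if __name__ == "__main__":
    for hit in run_detection():
        print(hit)
```

Running the block yields two alerts: the first is the user-initiated install and is flagged for investigation, the second comes from the assumed help-desk account and is marked as a likely false positive. The cache write never matches, and the delete event is ignored even though its path matches, because the rule keys on file creation. In production the allow-list heuristic should be replaced by whatever your environment can actually assert (ticket correlation, managed-software inventory), since an attacker who has compromised a support account will look exactly like the benign case.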
Categories
- Windows
- Endpoint
- Application
Data Sources
- File
ATT&CK Techniques
- T1219
Created: 2022-02-13