
Summary
This detection rule identifies the execution of remote access software commonly associated with threat actors. Legitimate remote access tools such as TeamViewer, AnyDesk and others are often abused by adversaries after they have compromised a target system: the tools provide persistent access, interactive sessions, or reverse connections back to adversary-controlled infrastructure. The detection logic inspects endpoint process data for the known executable file names of these remote access tools, which are a recurring element of adversary tradecraft. By alerting on these processes, organizations can respond to potential compromises and strengthen their defensive posture. Threat actors noted using such software include Andariel and FIN7, among others. The rule is implemented in Splunk and uses EDR process logs to identify misuse of these remote access utilities.
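As an added example (not the rule's own Splunk search), the file-name matching described above is shown in Python, run over constructed Sysmon-style process-creation events. The binary list, field names, hosts and users are assumptions for illustration; the OriginalFileName check goes beyond the page's plain file-name match so that a renamed copy of the binary is still caught when that field is present.

```python
import json
from pathlib import PureWindowsPath

# Assumed list of remote access tool binaries for illustration; TeamViewer and
# AnyDesk are the tools the summary names. Extend this from your own inventory.
REMOTE_ACCESS_BINARIES = {
    "teamviewer.exe",
    "teamviewer_service.exe",
    "anydesk.exe",
}


def is_remote_access_tool(event: dict) -> bool:
    """Return True if a process-creation event matches a known remote access tool.

    Both the on-disk file name (basename of the image path) and the PE header's
    OriginalFileName are checked, so a renamed copy is flagged when that field exists.
    """
    candidates = []
    image = event.get("Image")
    if image:
        candidates.append(PureWindowsPath(image).name)
    original = event.get("OriginalFileName")
    if original:
        candidates.append(original)
    return any(name.lower() in REMOTE_ACCESS_BINARIES for name in candidates)


def detect(log_lines):
    """Return (host, user, image) for every matching event in JSON-lines EDR telemetry."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue  # skip blank lines in the export
        event = json.loads(line)
        if is_remote_access_tool(event):
            hits.append((event.get("Computer"), event.get("User"), event.get("Image")))
    return hits


# Constructed sample telemetry (not real data): a normal install, a renamed copy
# identified only by OriginalFileName, and a benign process that must not match.
SAMPLE_EVENTS = [
    '{"Computer": "WS01", "User": "CORP\\\\alice", "Image": "C:\\\\Program Files\\\\TeamViewer\\\\TeamViewer.exe", "OriginalFileName": "TeamViewer.exe"}',
    '{"Computer": "WS02", "User": "CORP\\\\bob", "Image": "C:\\\\Users\\\\bob\\\\AppData\\\\Local\\\\Temp\\\\update.exe", "OriginalFileName": "AnyDesk.exe"}',
    '{"Computer": "WS03", "User": "CORP\\\\carol", "Image": "C:\\\\Windows\\\\System32\\\\notepad.exe", "OriginalFileName": "NOTEPAD.EXE"}',
]

if __name__ == "__main__":
    for host, user, image in detect(SAMPLE_EVENTS):
        print(f"{host}\t{user}\t{image}")
```

Matching on file name alone still misses a copy whose OriginalFileName has also been stripped, so pair this with hash or signer-based telemetry where the EDR provides it.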
Categories
- Endpoint
- Network
Data Sources
- Process
- Script
ATT&CK Techniques
- T1219
Created: 2024-02-09