
Summary
This detection rule identifies the execution of known remote access software using data from Endpoint Detection and Response (EDR) agents. Specifically, it examines process names and their parent processes as mapped to the Endpoint data model, looking for software such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer, which adversaries commonly abuse to gain unauthorized control of systems, exfiltrate data, or deploy malware. The detection relies on specific Sysmon EventIDs and Windows Event Log identifiers, together with CrowdStrike ProcessRollup data, to capture the relevant activity. The implementation depends on Splunk to ingest, process, and analyze the telemetry gathered from EDR agents so that potential threats can be monitored and responded to effectively.
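The following is an added example, not the rule's own SPL search: a small Python re-implementation of the logic the summary describes, run over constructed process-creation events. It normalizes one raw Sysmon-style record into Endpoint data model field names (process_name, parent_process_name, dest, user), matches both the process and its parent against the four tools the rule names, and then aggregates hits per host, user and process the way a stats clause would. The substring markers, the event field names other than the Sysmon ones, and all sample events are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Lower-cased substrings that identify the remote access tools the rule names.
# Assumption for this example: a production rule would use a lookup of exact
# image names rather than substrings, which catch more but also false-positive more.
REMOTE_ACCESS_MARKERS = {
    "anydesk": "AnyDesk",
    "gotomypc": "GoToMyPC",
    "logmein": "LogMeIn",
    "teamviewer": "TeamViewer",
}


@dataclass(frozen=True)
class EndpointProcessEvent:
    """Fields named after the Endpoint data model's Processes dataset."""
    time: int
    dest: str
    user: str
    process_name: str
    parent_process_name: str
    source: str  # constructed label for the telemetry that produced the event


def normalize_sysmon(raw: dict) -> EndpointProcessEvent:
    """Map a Sysmon process-creation record onto the data model.

    Sysmon's Image / ParentImage hold full paths; the data model wants bare names.
    """
    return EndpointProcessEvent(
        time=raw["UtcTime"],
        dest=raw["Computer"],
        user=raw["User"],
        process_name=raw["Image"].rsplit("\\", 1)[-1],
        parent_process_name=raw["ParentImage"].rsplit("\\", 1)[-1],
        source="sysmon",
    )


def classify(name: str) -> Optional[str]:
    """Return the tool family a process name belongs to, or None."""
    lowered = name.lower()
    for marker, tool in REMOTE_ACCESS_MARKERS.items():
        if marker in lowered:
            return tool
    return None


def detect_remote_access(events: Iterable[EndpointProcessEvent]) -> List[dict]:
    """Flag events whose process or parent process is a known remote access tool."""
    findings = []
    for ev in events:
        tool = classify(ev.process_name) or classify(ev.parent_process_name)
        if tool is None:
            continue
        findings.append({
            "time": ev.time, "dest": ev.dest, "user": ev.user,
            "process_name": ev.process_name,
            "parent_process_name": ev.parent_process_name,
            "tool": tool, "source": ev.source,
        })
    return findings


def summarize(findings: List[dict]) -> Dict[Tuple[str, str, str, str], dict]:
    """Aggregate like `stats count min(_time) max(_time) by dest user process_name tool`."""
    grouped: Dict[Tuple[str, str, str, str], dict] = {}
    for f in findings:
        key = (f["dest"], f["user"], f["process_name"], f["tool"])
        g = grouped.setdefault(key, {"count": 0, "first_seen": f["time"], "last_seen": f["time"]})
        g["count"] += 1
        g["first_seen"] = min(g["first_seen"], f["time"])
        g["last_seen"] = max(g["last_seen"], f["time"])
    return grouped


# Constructed sample telemetry: one raw Sysmon-style record plus events that are
# already in data-model shape, as a CIM-compliant add-on would deliver them.
RAW_SYSMON_EVENT = {
    "UtcTime": 1000, "Computer": "WS01", "User": "CORP\\alice",
    "Image": "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe",
    "ParentImage": "C:\\Windows\\explorer.exe",
}
SAMPLE_EVENTS = [
    normalize_sysmon(RAW_SYSMON_EVENT),
    # Child of TeamViewer: caught through the parent process check.
    EndpointProcessEvent(1001, "WS01", "CORP\\alice", "cmd.exe", "TeamViewer.exe", "crowdstrike_processrollup"),
    # Benign activity that must not fire.
    EndpointProcessEvent(1002, "WS02", "CORP\\bob", "notepad.exe", "explorer.exe", "wineventlog"),
    EndpointProcessEvent(1003, "WS01", "CORP\\alice", "AnyDesk.exe", "explorer.exe", "wineventlog"),
    EndpointProcessEvent(1004, "SRV01", "CORP\\svc", "LogMeIn.exe", "services.exe", "sysmon"),
]


def run_example() -> Dict[Tuple[str, str, str, str], dict]:
    return summarize(detect_remote_access(SAMPLE_EVENTS))


if __name__ == "__main__":
    for key, agg in run_example().items():
        print(key, agg)
```

Running the block reports three aggregated groups: AnyDesk seen twice on WS01 under alice (first at 1000, last at 1003), a cmd.exe child of TeamViewer on WS01, and LogMeIn on SRV01; the notepad.exe event is ignored. The parent-process check is what makes the second group visible, which is why the summary stresses examining parents as well as process names.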
Categories
- Endpoint
Data Sources
- Windows Registry
- Process
- Application Log
ATT&CK Techniques
- T1219
Created: 2024-11-13