Adversary installation or use of RMM software (e.g., TeamViewer, AnyDesk, ScreenConnect) followed by outbound beaconing or remote session establishment

| Data Component | Name | Channel |
|---|---|---|
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |
| Firewall Rule Modification (DC0051) | WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | EventCode=2004 (rule added) where the new rule allows inbound or outbound connections for remote desktop software |

| Field | Description |
|---|---|
| Image | RMM software can vary; defenders should update rules to account for additional binaries (e.g., ConnectWise, Zoho Assist) |
| DestinationPort | RMM software commonly uses vendor default ports outside the standard set (e.g., 7070, 5650; TeamViewer also uses 5938) and often lets these be reconfigured or randomized to high ports, so port-based logic needs local tuning |
| ParentImage | Expected parent process may vary in different enterprise contexts |
| TimeWindow | Correlation window for install-to-beacon or process-to-network event should match operational environment |

Execution of known or custom VNC/remote desktop daemons or tunneling agents that initiate external communication after launch

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| Network Connection Creation (DC0082) | NSM:Flow | outbound connections to RMM services or to unusual destination ports |

| Field | Description |
|---|---|
| binary_name | Custom-compiled or renamed VNC servers (e.g., x11vnc, tightvncserver) defeat name-based matching and require local tuning; matching on destination port or on the outbound connection that follows launch is more robust |
| OutboundIPRange | Destination IP or ASN may shift depending on geolocation of cloud-hosted RMM backends |

Initiation of remote desktop sessions via AnyDesk, TeamViewer, or Chrome Remote Desktop accompanied by unexpected user logins or system modifications

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | launch of remote desktop app or helper binary |
| Network Connection Creation (DC0082) | macos:unifiedlog | network sessions initiated by remote desktop apps |

| Field | Description |
|---|---|
| process_signature | Code signature and notarization differ by distribution channel (App Store vs. vendor .pkg), so signature-based matching must account for both identities of the same app |
| sandbox_exception | Remote desktop tools need Accessibility and Screen Recording permissions; the resulting TCC prompts and grants appear in the unified log (subsystem com.apple.TCC) and corroborate the launch and session events |
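
The install-to-beacon correlation that all three analytics above describe, as an added example that is not code from the original page or from any vendor: it normalizes Sysmon 11/3 (Windows), auditd execve plus an NSM flow (Linux) and unified-log launch/network entries (macOS) onto one schema, then flags outbound connections that follow an RMM drop or launch on the same host inside the TimeWindow, plus the two degenerate cases the mutable elements warn about (RMM already present, and a renamed client on a known RMM port). The field names in the raw records and the vendor default ports in RMM_PORTS are assumptions; every record in SAMPLE_EVENTS is constructed, not captured telemetry.

```python
"""Install-to-beacon correlation over normalized Windows/Linux/macOS events.
Added example; the record layouts, port list and SAMPLE_EVENTS are assumed/constructed."""
import ntpath
from datetime import datetime, timedelta
from typing import Optional

# Binaries treated as RMM; extend per environment (ConnectWise, Zoho Assist, ...).
RMM_IMAGES = {"teamviewer.exe", "anydesk.exe", "screenconnect.clientservice.exe",
              "anydesk", "x11vnc", "tightvncserver"}
# Vendor default ports (assumption: not reconfigured locally): TeamViewer 5938,
# AnyDesk 7070, ScreenConnect 8040/8041. Tune alongside DestinationPort above.
RMM_PORTS = {5938, 7070, 8040, 8041}
TIME_WINDOW = timedelta(minutes=5)   # install-to-beacon window; tune per environment


def basename(path: str) -> str:
    """Lower-cased file name; ntpath splits on both backslash and slash."""
    return ntpath.basename(path).lower()


def normalize(raw: dict) -> Optional[dict]:
    """Map a record from any source onto one schema. kind is 'install' (RMM binary
    dropped or launched) or 'connect' (outbound). Flows carry no process: image ''."""
    base = {"host": raw["host"], "time": datetime.fromisoformat(raw["time"]),
            "image": "", "dport": None}
    src = raw["source"]
    if src == "sysmon" and raw["EventCode"] == 11:        # file creation: what was dropped
        return {**base, "kind": "install", "image": basename(raw["TargetFilename"])}
    if src == "sysmon" and raw["EventCode"] == 3:         # network connection: who connected
        return {**base, "kind": "connect", "image": basename(raw["Image"]),
                "dport": int(raw["DestinationPort"])}
    if src == "auditd" and raw["syscall"] == "execve":    # process creation
        return {**base, "kind": "install", "image": basename(raw["exe"])}
    if src == "flow":                                     # NSM flow: host and port only
        return {**base, "kind": "connect", "dport": int(raw["dport"])}
    if src == "unifiedlog":                               # macOS launch or network session
        kind = "install" if raw["event"] == "launch" else "connect"
        return {**base, "kind": kind, "image": basename(raw["process"]),
                "dport": raw.get("dport")}
    return None


def looks_like_rmm_channel(c: dict) -> bool:
    """Post-install connection worth flagging: RMM image, RMM port, or (flow with
    no process) a high port, where configurable/random RMM ports land."""
    return (c["image"] in RMM_IMAGES or c["dport"] in RMM_PORTS
            or (not c["image"] and c["dport"] is not None and c["dport"] >= 1024))


def correlate(raw_events, window: timedelta = TIME_WINDOW) -> list:
    """Return one finding per suspicious outbound connection, in time order."""
    events = sorted(filter(None, map(normalize, raw_events)), key=lambda e: e["time"])
    installs = [e for e in events if e["kind"] == "install" and e["image"] in RMM_IMAGES]
    findings = []
    for c in (e for e in events if e["kind"] == "connect"):
        recent = [i for i in installs if i["host"] == c["host"]
                  and timedelta(0) <= c["time"] - i["time"] <= window]
        if recent and looks_like_rmm_channel(c):
            reason = "install_to_beacon"            # drop/launch then outbound in window
        elif c["image"] in RMM_IMAGES:
            reason = "rmm_outbound"                 # RMM already present: use, not install
        elif c["dport"] in RMM_PORTS:
            reason = "unknown_image_on_rmm_port"    # renamed/custom client (binary_name)
        else:
            continue
        findings.append({"host": c["host"], "time": c["time"].isoformat(),
                         "image": c["image"], "dport": c["dport"], "reason": reason,
                         "installer": recent[0]["image"] if recent else None})
    return findings


SAMPLE_EVENTS = [  # constructed records, not captured telemetry
    # Windows: browser drops AnyDesk.exe, which beacons to the AnyDesk port 90 s later.
    {"source": "sysmon", "EventCode": 11, "host": "ws01", "time": "2024-05-01T10:00:00",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\bob\Downloads\AnyDesk.exe"},
    {"source": "sysmon", "EventCode": 3, "host": "ws01", "time": "2024-05-01T10:01:30",
     "Image": r"C:\Users\bob\Downloads\AnyDesk.exe", "DestinationPort": 7070},
    # Windows: ordinary browsing right after the drop must not fire.
    {"source": "sysmon", "EventCode": 3, "host": "ws01", "time": "2024-05-01T10:01:45",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "DestinationPort": 443},
    # Windows: renamed client on the TeamViewer port, no install observed.
    {"source": "sysmon", "EventCode": 3, "host": "ws02", "time": "2024-05-01T11:00:00",
     "Image": r"C:\Windows\Temp\svchost.exe", "DestinationPort": 5938},
    # Linux: x11vnc launched, then a reverse-connect style flow with no process field.
    {"source": "auditd", "syscall": "execve", "host": "lx01", "time": "2024-05-01T12:00:00",
     "exe": "/usr/bin/x11vnc"},
    {"source": "flow", "host": "lx01", "time": "2024-05-01T12:02:10", "dport": 5500},
    # macOS: AnyDesk launched, session 20 min later (outside window): flagged as use, not install.
    {"source": "unifiedlog", "event": "launch", "host": "mac01", "time": "2024-05-01T13:00:00",
     "process": "/Applications/AnyDesk.app/Contents/MacOS/AnyDesk"},
    {"source": "unifiedlog", "event": "network", "host": "mac01", "time": "2024-05-01T13:20:00",
     "process": "/Applications/AnyDesk.app/Contents/MacOS/AnyDesk", "dport": 7070},
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

Widening the window (for example to 30 minutes) turns the macOS case into install_to_beacon as well, which is the trade-off the TimeWindow note describes: a longer window catches slow beacons at the cost of correlating unrelated launches. Flows without a process field are the weakest input; enrich them with endpoint process data where the sensor allows, otherwise the high-port heuristic here is the only discriminator.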