Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

GoToAssist Temporary Installation Artefact

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
François HubautCreated Sun Feb 135d756aee-ad3e-4306-ad95-cb1abec48de2windows
Log Source
WindowsFile Event
ProductWindows← raw: windows
CategoryFile Event← raw: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic
Detection Logic1 selector
detection:
    selection:
        TargetFilename|contains: '\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Expert\'
    condition: selection
False Positives

Legitimate use

References
1
Resolving title…
github.com
MITRE ATT&CK

Other

attack.t1219.002
Rule Metadata
Rule ID
5d756aee-ad3e-4306-ad95-cb1abec48de2
Status
test
Level
medium
Type
Detection
Created
Sun Feb 13
Author
François Hubaut
Path
rules/windows/file/file_event/file_event_win_gotoopener_artefact.yml
Raw Tags
attack.command-and-controlattack.t1219.002
View on GitHub