Threat Huntmediumtest

Remote Access Tool - Cmd.EXE Execution via AnyViewer

Detects execution of "cmd.exe" via the AnyViewer RMM agent on a remote management sessions.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

kostastsaleCreated Sat Aug 03bc533330-fc29-44c0-b245-7dc6e5939c87windows

Hunting Hypothesis

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        ParentImage|endswith: '\AVCore.exe'
        ParentCommandLine|contains: 'AVCore.exe" -d'
        Image|endswith: '\cmd.exe'
    condition: selection

False Positives

Legitimate use for admin activity.

References

Resolving title…

anyviewer.com

MITRE ATT&CK

Tactics

TA0002 · Execution TA0003 · Persistence

Other

detection.threat-hunting

Rule Metadata

Rule ID

bc533330-fc29-44c0-b245-7dc6e5939c87

Status

test

Level

medium

Type

Threat Hunt

Created

Sat Aug 03

Author

kostastsale

Path

rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_anyviewer_shell_exec.yml

Raw Tags

attack.executionattack.persistencedetection.threat-hunting

View on GitHub