Detect Remote Monitoring and Management (RMM) Tools over DNS
This query identifies DNS requests for domains belonging to common RMM utilities (e.g., AnyDesk, TeamViewer, ConnectWise, ScreenConnect, Splashtop), which indicates that such a tool is present or running on a host. While these tools are legitimate and widely used for IT administration, adversaries often abuse them as "living-off-the-land" remote access backdoors. Because they operate under the guise of trusted software and blend in with normal activity, malicious use of RMM tools may bypass traditional security controls, enabling persistence, data exfiltration, or hands-on-keyboard attacks.
Network, hunting, T1219.002
FDR, intermediate, by ByteRay GmbH (cql-hub.com), 1 min read
Query
#event_simpleName=DnsRequest
| DomainName=/anydesk\.com|action1\.com|beamyourscreen\.com|snapview\.de|rustdesk\.com|fleetdeck\.io|tailscale\.com|dwservice\.net|secure\.logmein\.com|teamviewer\.com|screenconnect\.com|fixme\.it|n-able\.com|domotz\.com|datto\.com|level\.io|itarian\.com|pulseway\.com|zoho\.com|manageengine\.com|bomgarcloud\.com|bomgar\.com|zabbix\.com/i
| groupBy([DomainName],function=[collect(ContextBaseFileName), count(aid,distinct=true,as=HostCount)])
| sort(HostCount,order=asc)

Explanation
Imported from cql-hub.com. Add an explanation of the pipes here.

Variables to adjust
Review and adjust the values according to your environment.
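The pipeline above, re-implemented in Python over constructed sample events so it can be run offline. This is an added example, not code from the cql-hub.com page or from ByteRay; the regex is copied from the query, while the event lines, aids, hostnames and process names are made up for the example.

```python
import json
import re
from collections import defaultdict

# Domain pattern copied from the page's CQL query: case-insensitive and unanchored,
# so it matches the vendor domain anywhere inside the queried name (subdomains included).
RMM_DOMAIN_RE = re.compile(
    r"anydesk\.com|action1\.com|beamyourscreen\.com|snapview\.de|rustdesk\.com|"
    r"fleetdeck\.io|tailscale\.com|dwservice\.net|secure\.logmein\.com|teamviewer\.com|"
    r"screenconnect\.com|fixme\.it|n-able\.com|domotz\.com|datto\.com|level\.io|"
    r"itarian\.com|pulseway\.com|zoho\.com|manageengine\.com|bomgarcloud\.com|"
    r"bomgar\.com|zabbix\.com",
    re.IGNORECASE,
)

# Constructed sample FDR-style events as JSON lines. Field names follow the query;
# the aids, domains and process names are invented for this example.
SAMPLE_JSONL = """\
{"event_simpleName": "DnsRequest", "aid": "aid-0001", "DomainName": "relay.anydesk.com", "ContextBaseFileName": "AnyDesk.exe"}
{"event_simpleName": "DnsRequest", "aid": "aid-0002", "DomainName": "relay.anydesk.com", "ContextBaseFileName": "AnyDesk.exe"}
{"event_simpleName": "DnsRequest", "aid": "aid-0003", "DomainName": "relay.anydesk.com", "ContextBaseFileName": "AnyDesk.exe"}
{"event_simpleName": "DnsRequest", "aid": "aid-0004", "DomainName": "control.screenconnect.com", "ContextBaseFileName": "ScreenConnect.ClientService.exe"}
{"event_simpleName": "DnsRequest", "aid": "aid-0004", "DomainName": "control.screenconnect.com", "ContextBaseFileName": "svchost.exe"}
{"event_simpleName": "DnsRequest", "aid": "aid-0005", "DomainName": "www.example.com", "ContextBaseFileName": "chrome.exe"}
{"event_simpleName": "NetworkConnectIP4", "aid": "aid-0005", "DomainName": "relay.anydesk.com", "ContextBaseFileName": "AnyDesk.exe"}
"""


def load_events(jsonl_text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def hunt_rmm_dns(events):
    """Mirror the CQL pipeline step by step:
      #event_simpleName=DnsRequest   -> keep only DNS request events
      | DomainName=/.../i            -> keep names matching the RMM regex
      | groupBy([DomainName], function=[collect(ContextBaseFileName),
                                        count(aid, distinct=true, as=HostCount)])
      | sort(HostCount, order=asc)
    Returns one row per matched DomainName, rarest domains first.
    """
    groups = defaultdict(lambda: {"files": set(), "aids": set()})
    for ev in events:
        if ev.get("event_simpleName") != "DnsRequest":
            continue
        domain = ev.get("DomainName", "")
        if not RMM_DOMAIN_RE.search(domain):
            continue
        # collect() gathers the distinct process names; count(distinct=true) counts unique aids.
        groups[domain]["files"].add(ev.get("ContextBaseFileName", ""))
        groups[domain]["aids"].add(ev.get("aid"))
    rows = [
        {
            "DomainName": domain,
            "ContextBaseFileName": sorted(g["files"]),
            "HostCount": len(g["aids"]),
        }
        for domain, g in groups.items()
    ]
    # Ascending HostCount surfaces domains seen on only a few hosts first; the
    # DomainName tiebreak is added here only to make the output deterministic.
    rows.sort(key=lambda r: (r["HostCount"], r["DomainName"]))
    return rows


if __name__ == "__main__":
    for row in hunt_rmm_dns(load_events(SAMPLE_JSONL)):
        files = ", ".join(row["ContextBaseFileName"])
        print(f'{row["HostCount"]:>3}  {row["DomainName"]:<30} {files}')
```

In the sample, relay.anydesk.com resolved from three hosts by AnyDesk.exe sorts last, while control.screenconnect.com, seen on a single host and requested by two different processes, sorts first; that ordering is why the query sorts HostCount ascending. Two points to keep in mind when tuning the list under "Variables to adjust": the regex is an unanchored substring match, so any name containing a listed domain is kept, and broad vendor domains such as zoho.com cover far more than RMM traffic, so the collected ContextBaseFileName values and the host count are what separate expected administrative use from something that needs a closer look.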