FazalGR
24 posts
May 29, 2025
12:25 AM
Security teams can detect suspicious PSA software and RMM tool deployments by identifying executions from abnormal locations in the file system. The query logic focuses on process names containing “AnyDesk.exe” while excluding common legitimate paths such as AppData, Downloads, and Program Files directories. When executed against Sysmon logs, this query can reveal instances where attackers have hidden RMM tools in unusual locations like the Public Music directory. Intel471 recommends organizations implement strict application control policies and monitor network connections from RMM tools to identify potentially malicious command and control traffic.
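The detection logic described in the post, as an added example that is not the poster's query or Intel471's own rule: it walks Sysmon-style process creation records (Event ID 1), keeps those whose image name is AnyDesk.exe, and drops the ones running from AppData, Downloads or Program Files, so only executions from unexpected locations such as Public Music or Windows\Temp are reported. The sample records, the field names (`EventID`, `Image`, `User`) and the `RMM_BINARIES` set are constructed for the example; the set holds only AnyDesk.exe because that is the name the post uses, and extending it to other RMM executables is an assumption left to the reader.

```python
import ntpath
import re

# Constructed Sysmon-style process creation records (Event ID 1) for this example.
# Event ID 3 (network connection) is included to show it is skipped by the path check.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "User": r"CORP\alice"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Roaming\AnyDesk\AnyDesk.exe", "User": r"CORP\alice"},
    {"EventID": 1, "Image": r"C:\Users\alice\Downloads\AnyDesk.exe", "User": r"CORP\alice"},
    {"EventID": 1, "Image": r"C:\Users\Public\Music\AnyDesk.exe", "User": r"CORP\svc-backup"},
    {"EventID": 1, "Image": r"C:\Windows\Temp\anydesk.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 3, "Image": r"C:\Users\Public\Music\AnyDesk.exe", "User": r"CORP\svc-backup"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe", "User": r"NT AUTHORITY\SYSTEM"},
]

# Assumption: only the executable name from the post; add other RMM binaries as needed.
RMM_BINARIES = {"anydesk.exe"}

# Path fragments the post's query treats as expected install or download locations.
# Matching is case-insensitive because NTFS paths are logged with mixed case.
EXPECTED_PATH_PATTERNS = [
    re.compile(r"\\appdata\\", re.IGNORECASE),
    re.compile(r"\\downloads\\", re.IGNORECASE),
    re.compile(r"\\program files( \(x86\))?\\", re.IGNORECASE),
]


def is_rmm_image(image: str) -> bool:
    """True if the image's file name is one of the RMM binaries being watched."""
    return ntpath.basename(image).lower() in RMM_BINARIES


def in_expected_location(image: str) -> bool:
    """True if the image path contains one of the expected directory fragments."""
    return any(pattern.search(image) for pattern in EXPECTED_PATH_PATTERNS)


def find_abnormal_rmm_executions(events):
    """Return process creation events where an RMM binary ran outside expected paths."""
    hits = []
    for event in events:
        if event.get("EventID") != 1:  # only process creation, as the post's query does
            continue
        image = event.get("Image", "")
        if is_rmm_image(image) and not in_expected_location(image):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in find_abnormal_rmm_executions(SAMPLE_EVENTS):
        print(f"ALERT: {hit['Image']} executed by {hit['User']}")
```

Running the block against the constructed records reports only the Public Music and Windows\Temp executions; the Program Files, AppData and Downloads copies are filtered out as expected locations. Because the allowlist is path-based, an RMM binary dropped into a user's Downloads folder will not be flagged by this rule alone, which is why the post pairs it with application control and with monitoring of the tool's outbound connections.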