Detections

Monitor DNS queries and outbound HTTP/S traffic to known domains associated with browser-based remote access services. These platforms—such as LogMeIn, AnyDesk, Chrome Remote Desktop, and Microsoft RD Web Access—allow subjects to initiate or maintain remote sessions outside of approved IT infrastructure. Their use may indicate preparation for unauthorized remote access, data exfiltration, or external collaboration.

Detection Methods:

Collect and analyze DNS logs and web proxy traffic across all egress points.
Maintain and regularly update a threat intelligence list of domains and subdomains linked to web-based remote desktop platforms.

Example domains and subdomains include:

logmein.com
remotedesktop.google.com
anydesk.com
rdweb.wvd.microsoft.com
teamviewer.com
parsec.app
splashtop.com

Configure alerting for:

First-time access to any listed domain by a user or endpoint.
Repeated access over time, suggesting potential session establishment.
Access outside approved VPN channels or corporate IP ranges.
DNS tunneling or large data transfers over HTTPS to these platforms.

Integrate results with identity sources to correlate web access with role-based access expectations.

Sections

ID	Name	Description
IF027	Installing Malicious Software	The subject deliberately or inadvertently introduces malicious software (commonly referred to as malware) into the organization’s environment. This may occur via manual execution, automated dropper delivery, browser‑based compromise, USB usage, or sideloading through legitimate processes. Malicious software includes trojans, keyloggers, ransomware, credential stealers, remote access tools (RATs), persistence frameworks, or other payloads designed to cause harm, exfiltrate data, degrade systems, or maintain unauthorized control. Installation of malicious software represents a high-severity infringement, regardless of whether the subject's intent was deliberate or negligent. In some cases, malware introduction is the culmination of prior behavioral drift (e.g. installing unapproved tools or disabling security controls), while in others it may signal malicious preparation or active compromise. This Section is distinct from general “Installing Unapproved Software”, which covers non‑malicious or policy-violating tools. Here, the software itself is malicious in purpose or impact, even if delivered under benign pretenses.
PR026.002	Remote Desktop Web Access	The subject initiates or configures access to a system using Remote Desktop or Remote Assistance via a web browser interface, often through third-party tools or services (e.g., LogMeIn, AnyDesk, Chrome Remote Desktop, Microsoft RD Web Access). This behavior may indicate preparatory actions to facilitate unauthorized remote access, either for a co-conspirator, a secondary device, or future remote exfiltration. Unlike traditional RDP clients, browser-based remote access methods may bypass endpoint controls and often operate over HTTPS, making detection more difficult with traditional monitoring. This method may be used when traditional RDP clients are blocked or monitored, or when the subject intends to evade installed software policies and gain access through externally hosted portals. While some web-based tools require agents to be installed on the target machine, others permit remote viewing or interaction without full installation, particularly when configured in advance.
IF027.004	Remote Access Tool (RAT) Deployment	The subject deploys a Remote Access Tool (RAT): a software implant that provides covert, persistent remote control of an endpoint or server—enabling continued unauthorized access, monitoring, or post-employment re-entry. Unlike sanctioned remote administration platforms, RATs are deployed without organizational oversight and are often configured to obfuscate their presence, evade detection, or blend into legitimate activity. RATs deployed by insiders may be off-the-shelf tools (e.g. njRAT, Quasar, Remcos), lightly modified open-source frameworks (e.g. Havoc, Pupy), or commercial-grade products repurposed for unsanctioned use (e.g. AnyDesk, TeamViewer in stealth mode). Functionality typically includes: Full GUI or shell access File system interaction Screenshot and webcam capture Credential harvesting Process and registry manipulation Optional keylogging and persistence modules Deployment methods include manual installation, script-wrapped droppers, DLL side-loading, or execution via LOLBins (`mshta`, `rundll32`). Persistence is typically achieved through scheduled tasks, registry run keys, or disguised service installations. In some cases, the RAT may be configured to activate only during specific windows or respond to remote beacons, reducing exposure to detection.