- ID: DT122
- Created: 07th May 2025
- Updated: 07th May 2025
- Platforms: MacOS, Windows, Linux
- Contributor: The ITM Team
DNS and HTTPS Traffic to Web-Based Remote Access Platforms
Monitor DNS queries and outbound HTTP/S traffic to known domains associated with browser-based remote access services. These platforms—such as LogMeIn, AnyDesk, Chrome Remote Desktop, and Microsoft RD Web Access—allow subjects to initiate or maintain remote sessions outside of approved IT infrastructure. Their use may indicate preparation for unauthorized remote access, data exfiltration, or external collaboration.
Detection Methods:
- Collect and analyze DNS logs and web proxy traffic across all egress points.
- Maintain and regularly update a threat intelligence list of domains and subdomains linked to web-based remote desktop platforms.
Example domains and subdomains include:
- logmein.com
- remotedesktop.google.com
- anydesk.com
- rdweb.wvd.microsoft.com
- teamviewer.com
- parsec.app
- splashtop.com
Configure alerting for:
- First-time access to any listed domain by a user or endpoint.
- Repeated access over time, suggesting potential session establishment.
- Access outside approved VPN channels or corporate IP ranges.
- DNS tunneling or large data transfers over HTTPS to these platforms.
Integrate results with identity sources to correlate web access with role-based access expectations.
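The alerting rules above, as an added example that is not part of the original page: a small Python routine that suffix-matches DNS/proxy hosts against the listed domains and raises the four alert types (first-time access, repeated access, access from outside corporate ranges, large HTTPS transfers). The corporate IP ranges and the event records are constructed placeholders.

```python
import ipaddress
from collections import defaultdict

# Domain watchlist from the detection page; matched as the exact host or any subdomain.
REMOTE_ACCESS_DOMAINS = (
    "logmein.com", "remotedesktop.google.com", "anydesk.com",
    "rdweb.wvd.microsoft.com", "teamviewer.com", "parsec.app", "splashtop.com",
)

# Assumed corporate egress / VPN ranges (placeholder values for this example).
CORPORATE_RANGES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample proxy/DNS events: (timestamp, user, client_ip, host, bytes_out).
SAMPLE_EVENTS = [
    ("2025-05-07T08:01:00Z", "alice", "10.1.2.3", "mail.google.com", 1200),
    ("2025-05-07T08:05:00Z", "bob", "10.1.2.9", "remotedesktop.google.com", 4500),
    ("2025-05-07T08:06:00Z", "bob", "10.1.2.9", "remotedesktop.google.com", 3100),
    ("2025-05-07T08:09:00Z", "bob", "10.1.2.9", "remotedesktop.google.com", 2800),
    ("2025-05-07T09:30:00Z", "carol", "198.51.100.7", "client.anydesk.com", 52_000_000),
]

def watchlist_match(host):
    """Return the watchlist domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for domain in REMOTE_ACCESS_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def is_corporate(ip):
    """True when the client IP falls inside an approved corporate/VPN range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)

def analyze(events, repeat_threshold=3, large_bytes=50_000_000):
    """Apply the page's alert conditions; returns (alert_type, user, domain, timestamp) tuples."""
    alerts, counts = [], defaultdict(int)
    for ts, user, ip, host, bytes_out in events:
        domain = watchlist_match(host)
        if domain is None:
            continue
        key = (user, domain)
        counts[key] += 1
        if counts[key] == 1:
            alerts.append(("first_access", user, domain, ts))
        elif counts[key] == repeat_threshold:
            alerts.append(("repeated_access", user, domain, ts))
        if not is_corporate(ip):
            alerts.append(("off_network", user, domain, ts))
        if bytes_out >= large_bytes:
            alerts.append(("large_transfer", user, domain, ts))
    return alerts
```

In production the `counts` state would be keyed per user or endpoint over a rolling window rather than a single batch, and the watchlist loaded from the maintained threat intelligence list.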
Sections
ID | Name | Description |
---|---|---|
PR026.002 | Remote Desktop Web Access | The subject initiates or configures access to a system using Remote Desktop or Remote Assistance via a web browser interface, often through third-party tools or services (e.g., LogMeIn, AnyDesk, Chrome Remote Desktop, Microsoft RD Web Access). This behavior may indicate preparatory actions to facilitate unauthorized remote access, either for a co-conspirator, a secondary device, or future remote exfiltration. Unlike traditional RDP clients, browser-based remote access methods may bypass endpoint controls and often operate over HTTPS, making detection more difficult with traditional monitoring. This method may be used when traditional RDP clients are blocked or monitored, or when the subject intends to evade installed software policies and gain access through externally hosted portals. While some web-based tools require agents to be installed on the target machine, others permit remote viewing or interaction without full installation, particularly when configured in advance. |