Adversaries may use GoToAssist as a temporary installation artifact to establish an interactive command and control channel for persistent access. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential remote access and lateral movement tactics early.
Detection Rule
title: GoToAssist Temporary Installation Artefact
id: 5d756aee-ad3e-4306-ad95-cb1abec48de2
status: test
description: |
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows
author: frack113
date: 2022-02-13
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|contains: '\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Expert\'
condition: selection
falsepositives:
- Legitimate use
level: medium
imFileEvent
| where TargetFileName contains "\\AppData\\Local\\Temp\\LogMeInInc\\GoToAssist Remote Support Expert\\"Scenario: IT Department Installs GoToAssist for Remote Support
Description: The IT team installs GoToAssist on company endpoints to provide remote support to end-users.
Filter/Exclusion: process.name != "GoToAssist.exe" OR process.parent.name == "ITSupportService.exe" OR user.account == "ITSupportGroup"
Scenario: Scheduled Maintenance Job Uses GoToAssist for System Updates
Description: A scheduled job runs via Task Scheduler to update systems using GoToAssist for remote patching.
Filter/Exclusion: process.name != "GoToAssist.exe" OR event.id == 1000 (for Task Scheduler events) OR process.parent.name == "TaskScheduler.exe"
Scenario: Admin Uses GoToAssist to Troubleshoot a User’s Machine
Description: An admin uses GoToAssist to connect to a user’s machine to resolve a technical issue.
Filter/Exclusion: process.name != "GoToAssist.exe" OR user.account == "DomainAdmins" OR process.parent.name == "RemoteSupportTool.exe"
Scenario: GoToAssist Installed via Group Policy for Remote Access
Description: GoToAssist is deployed via Group Policy to enable remote access for all users in a specific OU.
Filter/Exclusion: process.name != "GoToAssist.exe" OR event.source == "GroupPolicy" OR user.account == "DomainAdmins"
Scenario: GoToAssist Used for Internal Helpdesk Support
Description: The helpdesk uses GoToAssist to assist users with software installation or configuration issues.
Filter/Exclusion: process.name != "GoToAssist.exe" OR `user.account == “HelpdeskGroup