Rustdeskexecution

# Rule: RustDesk Remote Access Tool usage

## Description
Detects installation or use of remote access tools like RustDesk on servers or privileged endpoints where such tools are not authorized. Attackers often install legitimate remote tools to maintain remote access and bypass controls.

- **Source:** The DFIR Report — From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira (Aug 05, 2025)

## Detection Logic
- Monitor for installer execution of `rustdesk.exe`/`rustdesk-service` or creation of persistent services related to RustDesk.
- Alert when remote access tools are installed on domain controllers, file servers, or admin workstations.
- Correlate with SSH tunneling, scheduled tasks, or service creation.
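The three bullets above describe the rule in prose only; the KQL on this page implements just the first one. The following is an added example (not the page's own query and not RustDesk project code) that runs the full logic over a few constructed endpoint events: it flags RustDesk binaries by basename, raises severity when the host role is one the rule calls privileged, and attaches service creation, scheduled task or SSH tunnel events seen on the same host within a window. The `Event` shape, the role labels, the 10-minute window and the sample telemetry are all assumptions.

```python
"""Correlation logic for the RustDesk rule, as an added example (not the page's
own query). Events, host roles and the 10-minute window are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Executable and service names named in the rule (compared case-insensitively).
RUSTDESK_NAMES = {"rustdesk.exe", "rustdesk-service.exe", "rustdesk"}
# Host roles on which the rule treats remote access tools as unauthorized
# (assumed inventory labels; map them to your own CMDB or device-group names).
PRIVILEGED_ROLES = {"DomainController", "FileServer", "AdminWorkstation"}
# Persistence and tunneling events on the same host within this window are
# attached to the alert (assumed window).
CORRELATION_WINDOW = timedelta(minutes=10)
PERSISTENCE_KINDS = {"service_create", "scheduled_task", "ssh_tunnel"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    device: str
    role: str      # host role from asset inventory (assumed field)
    kind: str      # "process", "service_create", "scheduled_task" or "ssh_tunnel"
    detail: str    # image path, service name, task name or tunnel command


def is_rustdesk(detail: str) -> bool:
    """True if the basename of a path or name is a known RustDesk binary/service,
    or contains 'rustdesk' (catches versioned installer names)."""
    name = detail.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name in RUSTDESK_NAMES or "rustdesk" in name


def evaluate(events: list[Event]) -> list[dict]:
    """One alert per RustDesk process execution. Severity rises with host role
    and with correlated persistence or tunneling activity on the same host."""
    alerts = []
    for ev in events:
        if ev.kind != "process" or not is_rustdesk(ev.detail):
            continue
        # Persistence artifacts that name RustDesk, or any SSH tunnel, on the
        # same device within the window.
        related = sorted(
            f"{o.kind}:{o.detail}"
            for o in events
            if o.device == ev.device
            and o.kind in PERSISTENCE_KINDS
            and (o.kind == "ssh_tunnel" or is_rustdesk(o.detail))
            and abs(o.ts - ev.ts) <= CORRELATION_WINDOW
        )
        privileged = ev.role in PRIVILEGED_ROLES
        if privileged and related:
            severity = "critical"
        elif privileged or related:
            severity = "high"
        else:
            severity = "medium"
        alerts.append({
            "device": ev.device,
            "role": ev.role,
            "timestamp": ev.ts.isoformat(),
            "image": ev.detail,
            "related": related,
            "severity": severity,
        })
    return alerts


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    Event(datetime(2025, 11, 1, 10, 0), "DC01", "DomainController", "process",
          r"C:\Program Files\RustDesk\rustdesk.exe"),
    Event(datetime(2025, 11, 1, 10, 3), "DC01", "DomainController", "service_create", "RustDesk"),
    Event(datetime(2025, 11, 1, 9, 30), "DC01", "DomainController", "service_create", "Spooler"),
    Event(datetime(2025, 11, 1, 11, 0), "WS-042", "Workstation", "process",
          r"C:\Users\jsmith\Downloads\rustdesk-1.3.2.exe"),
    Event(datetime(2025, 11, 1, 12, 0), "FS01", "FileServer", "process",
          r"C:\Windows\System32\notepad.exe"),
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

With the sample data, the domain controller execution plus the RustDesk service created three minutes later yields one critical alert, the workstation download yields a medium one, and the unrelated Spooler service and the notepad execution produce nothing. The basename match is deliberately loose (any name containing `rustdesk`) because installers are often versioned; tighten it if that produces noise in your environment.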

## Tags
- Persistence  
- Remote Access  
- MITRE ATT&CK: T1219 (Remote Access Tools), T1543 (Create or Modify System Process)

## Search Query
```kql
DeviceProcessEvents
| where FileName has_any ("rustdesk.exe", "rustdesk-service.exe", "rustdesk")
| join kind=leftouter (
    // Restrict the right side to RustDesk images in the usual install locations;
    // joining on DeviceId alone pairs every RustDesk process with every image
    // load on that host and multiplies the result set.
    DeviceImageLoadEvents
    | where FileName has "rustdesk"
    | where FolderPath has "Program Files" or FolderPath has "ProgramData"
    | project DeviceId, ImageLoadTime = Timestamp, ImageFolderPath = FolderPath
) on DeviceId
// Keep process events with no matching image load (leftouter) or one within 10 minutes.
| where isnull(ImageLoadTime) or abs(datetime_diff("minute", Timestamp, ImageLoadTime)) <= 10
| project Timestamp, DeviceName, FileName, ProcessCommandLine, FolderPath, ImageFolderPath, ReportId
```

Explanation

This query is designed to detect the installation or use of the RustDesk remote access tool on servers or privileged endpoints where such tools are not authorized. Here's a simplified breakdown of what the query does:

1. **Purpose:** The query aims to identify unauthorized installations or executions of the RustDesk remote access tool, which attackers might use to maintain remote access to systems.

2. **Detection Logic:**
   - It looks for processes related to RustDesk, specifically files named `rustdesk.exe`, `rustdesk-service.exe`, or containing `rustdesk`.
   - It checks whether these processes are associated with files located in common installation directories such as "Program Files" or "ProgramData".
   - The rule is aimed at critical systems such as domain controllers, file servers, or admin workstations; the query itself does not filter on device role, so that scoping is applied when triaging results or by adding a device filter.

3. **How It Works:**
   - The query searches for events where a process related to RustDesk is executed.
   - It then attempts to match these events with image load events (such as loading a program or service) from typical installation directories on the same device.
   - The results include the timestamp of the event, the device name, the file name, the command line used to execute the process, the folder path, and a report ID for further investigation.

4. **Tags and Context:**
   - The query is tagged with "Persistence" and "Remote Access" to indicate its focus on detecting persistent remote access tools.
   - It aligns with MITRE ATT&CK techniques T1219 (Remote Access Tools) and T1543 (Create or Modify System Process), which attackers commonly use to maintain access and control over compromised systems.

Overall, this query helps security teams monitor and alert on unauthorized use of remote access tools like RustDesk, which could indicate a security breach or policy violation.

Details

Ali Hussein

Released: November 12, 2025

Tables

DeviceProcessEvents, DeviceImageLoadEvents

Keywords

DeviceProcessEvents, DeviceImageLoadEvents, Timestamp, DeviceName, FileName, ProcessCommandLine, FolderPath, ReportId

Operators

has_any, join kind=leftouter, where, on, project
