
Chrome Remote Desktop

Introduction

Chrome Remote Desktop (CRD) is a free remote access tool developed by Google that allows users to securely connect to another computer over the internet using the Google Chrome browser or a dedicated application.

KQL

DeviceProcessEvents
| where (
        // Silent installation 
        FileName =~ "msiexec.exe"
        and ProcessCommandLine has "chromeremotedesktophost.msi"
        and ProcessCommandLine has "/i"
        and ProcessCommandLine has "/qn"
    )
    or (
        // Detect command line with undocumented argument
        FileName =~ "remoting_host.exe"
        and ProcessCommandLine has "--pin="
    )
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessFileName
| order by Timestamp desc
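
An added example, not part of the original page: the same two conditions run against constructed sample rows, so the filter can be checked before it is pointed at live telemetry, then grouped per device to show which hosts have the silent install, the `--pin=` launch, or both. The device names, accounts, file paths, PIN value and the `Signal` and `BothSignals` columns are assumptions made for illustration.

```kql
// Constructed sample rows (not real telemetry), using only the columns the query above reads.
let SampleEvents = datatable(Timestamp:datetime, DeviceName:string, FileName:string,
    ProcessCommandLine:string, InitiatingProcessAccountName:string, InitiatingProcessFileName:string)
[
    // ws-01: silent install followed by a host launch with the PIN on the command line
    datetime(2024-05-01 09:00:00), "ws-01", "msiexec.exe", @"msiexec /i C:\Temp\chromeremotedesktophost.msi /qn", "user.a", "cmd.exe",
    datetime(2024-05-01 09:02:00), "ws-01", "remoting_host.exe", @"remoting_host.exe --pin=000000", "user.a", "cmd.exe",
    // ws-02: interactive install of the same package (no /qn)
    datetime(2024-05-01 10:00:00), "ws-02", "msiexec.exe", @"msiexec /i C:\Temp\chromeremotedesktophost.msi", "user.b", "explorer.exe",
    // ws-03: silent install of an unrelated package
    datetime(2024-05-01 11:00:00), "ws-03", "msiexec.exe", @"msiexec /i C:\Temp\other.msi /qn", "user.c", "cmd.exe",
    // ws-04: same silent install written in upper case
    datetime(2024-05-01 12:00:00), "ws-04", "MSIEXEC.EXE", @"MSIEXEC /I C:\TEMP\CHROMEREMOTEDESKTOPHOST.MSI /QN", "user.d", "powershell.exe"
];
SampleEvents // replace with DeviceProcessEvents to run against real data
| where (
        // Silent installation
        FileName =~ "msiexec.exe"
        and ProcessCommandLine has "chromeremotedesktophost.msi"
        and ProcessCommandLine has "/i"
        and ProcessCommandLine has "/qn"
    )
    or (
        // Command line with the undocumented argument
        FileName =~ "remoting_host.exe"
        and ProcessCommandLine has "--pin="
    )
// Label each hit with the condition that produced it
| extend Signal = iff(FileName =~ "msiexec.exe", "silent_install", "pin_on_command_line")
// One row per device: which signals fired, when, and under which accounts
| summarize Signals = make_set(Signal),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Accounts = make_set(InitiatingProcessAccountName)
    by DeviceName
// Devices showing both the silent install and the PIN launch sort to the top
| extend BothSignals = array_length(Signals) == 2
| order by BothSignals desc, LastSeen desc
```

When switching the source to `DeviceProcessEvents`, add a `Timestamp` filter before the `where` so the per-device grouping covers a bounded window.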