title: Use Radmin Viewer Utility
id: 5817e76f-4804-41e6-8f1d-5fa0b3ecae2d
status: experimental
description: An adversary may use the Radmin Viewer utility to remotely control a Windows device
author: frack113
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md#atomic-test-1---radmin-viewer-utility
    - https://www.radmin.fr/
date: 2022/01/22
logsource:
    category: process_creation
    product: windows
detection:
    # The list items are alternatives: a match on any one PE metadata field triggers the rule
    selection:
        - Description: 'Radmin Viewer'
        - Product: 'Radmin Viewer'
        - OriginalFileName: 'Radmin.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
tags:
    - attack.execution
    - attack.lateral_movement
    - attack.t1072