Remote Desktop Detection

Protection Module: RemoteDesktop

Detects remote access sessions, screen sharing applications, and unauthorized remote control attempts including TeamViewer, AnyDesk, VNC, and Chrome Remote Desktop.

Available for: Windows (full), Linux (partial), macOS (partial), Mobile (N/A)


How It Works

The Remote Desktop Detection module identifies unauthorized remote access and screen sharing by monitoring for remote access applications, detecting process execution patterns, and analyzing environment variables. This prevents compromised accounts from being remotely controlled by attackers.

Detection Techniques

  • RDP Session Detection (Windows): SESSIONNAME environment variable starting with "RDP-" (confidence: 0.95)
  • Remote Access App Detection: Identifies TeamViewer, AnyDesk, Parsec, NoMachine, Splashtop processes (confidence: 0.9)
  • VNC Server Detection: Detects TightVNC, RealVNC, UltraVNC, TigerVNC, x11vnc processes (confidence: 0.7)
  • Chrome Remote Desktop Detection: Identifies remoting_host, chrome_remote_desktop_host processes (confidence: 0.7)
  • Native Remote Desktop Tools: Detects mstsc, rdpclip (Windows), screensharingd (macOS), remmina (Linux) (confidence: 0.9)
  • X11 Forwarding Detection (Linux): DISPLAY environment variable combined with SSH_CONNECTION or SSH_CLIENT (confidence: 0.8)
  • Process Runtime Monitoring: Tracks active remote access processes and network connections

Detection confidence: 0.7-0.95 (varies by method) | Default interval: 2 minutes (process cache 2 minutes)
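
The environment-variable and process-name checks listed above can be reproduced in a short script for testing or triage. This is an added Python illustration, not ByteHide's implementation; the substring matching rule, the category labels other than RDP and X11Forwarding, and the sample inputs are assumptions constructed for the example.

```python
# Added illustration of the documented heuristics; not the SDK's own code.
# Assumptions: substring matching on lowercased names, and every category
# label except "RDP" and "X11Forwarding" (those two appear in the page's JSON).
PROCESS_RULES = [  # (label, name fragments from the technique list, confidence)
    ("RemoteAccessApp", ("teamviewer", "anydesk", "parsec", "nomachine", "splashtop"), 0.9),
    ("VNC", ("tightvnc", "realvnc", "ultravnc", "tigervnc", "x11vnc"), 0.7),
    ("ChromeRemoteDesktop", ("remoting_host", "chrome_remote_desktop_host"), 0.7),
    ("NativeRemoteDesktop", ("mstsc", "rdpclip", "screensharingd", "remmina"), 0.9),
]
# Constructed sample input.
SAMPLE_ENV = {"SESSIONNAME": "RDP-Tcp#1"}
SAMPLE_PROCESSES = ["explorer.exe", "TeamViewer.exe"]

def finding(threat_type, confidence, method, **metadata):
    """Build a record shaped like the page's detection JSON."""
    return {"threatType": threat_type, "confidence": confidence,
            "metadata": {"detectionMethod": method, **metadata}}

def check_environment(env):
    """Apply the two environment-variable heuristics to a dict of variables."""
    found = []
    session = env.get("SESSIONNAME", "")
    if session.startswith("RDP-"):  # a local console session reports "Console"
        found.append(finding("RDP", 0.95, "rdp_environment_variable", sessionName=session))
    # DISPLAY alone is a local X session; SSH_* alone is a plain shell. Require both.
    ssh = env.get("SSH_CONNECTION") or env.get("SSH_CLIENT")
    if env.get("DISPLAY") and ssh:
        found.append(finding("X11Forwarding", 0.8, "x11_ssh_forwarding",
                             displayVariable=env["DISPLAY"]))
    return found

def check_processes(names):
    """Match process names against the documented product and binary names."""
    found = []
    for raw in names:
        for label, fragments, confidence in PROCESS_RULES:
            if any(fragment in raw.lower() for fragment in fragments):
                found.append(finding(label, confidence, "process_analysis",
                                     processName=raw))
                break  # one finding per process
    return found

def detect(env, names):
    """Run all checks and return findings sorted by descending confidence."""
    results = check_environment(env) + check_processes(names)
    return sorted(results, key=lambda f: -f["confidence"])

if __name__ == "__main__":
    print(detect(SAMPLE_ENV, SAMPLE_PROCESSES))
```

Requiring both DISPLAY and an SSH variable is what keeps an ordinary local desktop or a plain SSH shell from being reported as X11 forwarding.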

Configuration

JSON Configuration

JSON
{
  "protections": [
    {
      "type": "RemoteDesktop",
      "action": "log",
      "intervalMs": 120000
    }
  ]
}

Kotlin Code-Based

Kotlin
import com.bytehide.monitor.Monitor
import com.bytehide.monitor.core.action.ActionType
import com.bytehide.monitor.core.protection.ProtectionModuleType

Monitor.configure { config ->
    config.addProtection(
        ProtectionModuleType.REMOTE_DESKTOP,
        ActionType.LOG,
        120000
    )
}

Java Code-Based

Java
import com.bytehide.monitor.Monitor;
import com.bytehide.monitor.core.action.ActionType;
import com.bytehide.monitor.core.protection.ProtectionModuleType;

Monitor.configure(config -> {
    config.addProtection(
        ProtectionModuleType.REMOTE_DESKTOP,
        ActionType.LOG,
        120000
    );
});

Available Actions

| Action | Behavior | Recommended For |
|--------|----------|-----------------|
| close | Terminate application immediately | Production apps with critical IP |
| log | Record incident and continue | Development, analytics |
| erase | Securely delete data then terminate | Financial, healthcare apps |
| custom | Execute custom handler | Enterprise integrations |
| none | Detect only, no action | Testing configurations |

See Actions for detailed action documentation.

When to Use

Enable Remote Desktop Detection when:

  • Protecting financial accounts from remote takeover
  • Securing enterprise applications and data access
  • Preventing credential harvesting via screen sharing
  • Detecting device compromise through remote access
  • Protecting against account takeover attacks
  • Monitoring for unauthorized administrative access

Code Examples

Kotlin - Basic Integration

Kotlin
import android.os.Bundle
import androidx.appcompat.app.AppCompatActivity
import com.bytehide.monitor.Monitor
import com.bytehide.monitor.core.action.ActionType
import com.bytehide.monitor.core.protection.ProtectionModuleType

class MainActivity : AppCompatActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)

        Monitor.configure { config ->
            config.addProtection(
                ProtectionModuleType.REMOTE_DESKTOP,
                ActionType.LOG,
                120000
            )
        }

        setContentView(R.layout.activity_main)
    }
}

Kotlin - Custom Action with Threat Details

Kotlin
import android.util.Log
import com.bytehide.monitor.Monitor
import com.bytehide.monitor.core.protection.ProtectionModuleType

Monitor.configure { config ->
    config.registerCustomAction("handle-remote-desktop") { threat ->
        val threatType = threat.getThreatType()
        val description = threat.getDescription()
        val confidence = threat.getConfidence()
        val metadata = threat.getMetadata()

        Log.e("Security", "Remote access detected: $threatType (confidence: $confidence)")
        Log.e("Security", "Description: $description")

        when (threatType) {
            "TeamViewer" -> {
                Log.e("Security", "TeamViewer process active")
                disableSensitiveFeatures()
            }
            "AnyDesk" -> {
                Log.e("Security", "AnyDesk process active")
                disableSensitiveFeatures()
            }
            "RDP" -> {
                Log.e("Security", "RDP session detected")
                disableSensitiveFeatures()
            }
        }
    }

    config.addProtection(
        ProtectionModuleType.REMOTE_DESKTOP,
        "handle-remote-desktop",
        120000
    )
}

private fun disableSensitiveFeatures() {
    // Disable payment processing, sensitive data display, etc.
}

Java - Close Action (Production Security)

Java
import com.bytehide.monitor.Monitor;
import com.bytehide.monitor.core.action.ActionType;
import com.bytehide.monitor.core.protection.ProtectionModuleType;

Monitor.configure(config -> {
    config.addProtection(
        ProtectionModuleType.REMOTE_DESKTOP,
        ActionType.CLOSE,
        120000
    );
});

Java - Erase Action (Financial Apps)

Java
import com.bytehide.monitor.Monitor;
import com.bytehide.monitor.core.action.ActionType;
import com.bytehide.monitor.core.protection.ProtectionModuleType;

Monitor.configure(config -> {
    config.addProtection(
        ProtectionModuleType.REMOTE_DESKTOP,
        ActionType.ERASE,
        120000
    );
});

Platform Compatibility

| Platform | Status | Notes |
|----------|--------|-------|
| Windows 7+ | ✓ Fully Supported | RDP session detection, process analysis |
| Windows 10+ | ✓ Optimized | Enhanced RDP and process monitoring |
| Linux | ✓ Partial | VNC detection, X11 forwarding, process-based |
| macOS | ✓ Partial | VNC detection, Screen Sharing, process-based |
| Mobile (Android) | ✗ N/A | Not applicable on mobile platforms |
| TeamViewer | ✓ Detected | All versions |
| AnyDesk | ✓ Detected | All versions |
| Parsec | ✓ Detected | Cloud gaming remote desktop |
| Chrome Remote Desktop | ✓ Detected | Process and service detection |
| VNC Variants | ✓ Detected | TightVNC, RealVNC, UltraVNC, TigerVNC, x11vnc |

Performance Impact

  • CPU Impact: 1-2% during detection cycles
  • Memory Overhead: ~350 KB for process metadata caching
  • Detection Latency: 150-300 ms per cycle
  • Battery Impact: Minimal (frequent but lightweight checks)
  • Network Impact: None (local process and environment analysis)

Threat Detection Details

JSON
{
  "detection": {
    "threatType": "TeamViewer",
    "timestamp": "2026-03-03T14:30:45.309Z",
    "description": "Remote access application detected and running with active network connection",
    "confidence": 0.9,
    "metadata": {
      "detectionMethod": "process_analysis",
      "processName": "TeamViewer.exe",
      "packageName": "com.teamviewer.teamviewer.market.mobile",
      "appName": "TeamViewer",
      "version": "15.44.23",
      "isRunning": true,
      "hasNetworkConnection": true,
      "firstSeen": "2026-03-01T10:30:00.000Z"
    }
  }
}

RDP session detection example:

JSON
{
  "detection": {
    "threatType": "RDP",
    "timestamp": "2026-03-03T14:30:45.309Z",
    "description": "Remote Desktop Protocol session active via RDP environment variable",
    "confidence": 0.95,
    "metadata": {
      "detectionMethod": "rdp_environment_variable",
      "sessionName": "RDP-Tcp#1",
      "isRemoteSession": true,
      "sessionType": "RDP-Tcp",
      "detectionSource": "SESSIONNAME"
    }
  }
}

X11 Forwarding detection example (Linux):

JSON
{
  "detection": {
    "threatType": "X11Forwarding",
    "timestamp": "2026-03-03T14:30:45.309Z",
    "description": "X11 forwarding detected via SSH connection with DISPLAY variable",
    "confidence": 0.8,
    "metadata": {
      "detectionMethod": "x11_ssh_forwarding",
      "displayVariable": ":10.0",
      "sshConnection": "192.168.1.100:22",
      "sshClient": "ssh",
      "isForwarded": true
    }
  }
}
