Remote Monitoring and Management (RMM) Abuse | Intel 471


Jan 29, 2025

Threat Overview - RMM Abuse


Remote Monitoring and Management tools are legitimately used by IT professionals, managed service providers and system administrators to monitor and remotely access devices, streamlining the management of IT environments. These tools carry a large amount of power and capability, reducing the need for professionals to be on-site and giving them access to endpoints across the globe. However, the same capabilities can be abused and exploited in a threat actor's hands. As organizations rely more and more on RMM tools, malicious actors are able to compromise environments while masquerading as legitimate software. These tools can give threat actors escalated privileges, remote shell access and software deployment, or let them move laterally with stolen credentials, all while operating under the radar as a legitimate RMM tool. This collection focuses on providing Hunt Packages that best identify activity related to the installation and abuse of RMM tools. The RMM tools in scope for this collection are popular tools used legitimately in many organizations, so analysts should first determine whether the tool associated with a Hunt Package is allowed in the organization. If it is allowed by exception, analysis of the results should take this into account.


TITAN References:
Intelligence Bulletin: Rise of remote monitoring, management software


Related Hunt Packages

SplashTop RMM Command Line Install

This Threat Hunt package identifies attempts to install Splashtop Remote Monitoring and Management (RMM) software via command-line interfaces (CLI) or the Windows Installer (msiexec). Adversaries often use legitimate remote administration tools like Splashtop RMM to maintain persistent access to compromised systems, evade detection, and manage multiple infected machines.


NetSupport Manager Execution from Abnormal Folder - Potential Malicious Use of RMM Tool

NetSupport is a common and widely used tool for remotely controlling machines, and was even used as the base code for the NetSupport RAT. It has been adopted by many actors to remotely access victim machines and deploy additional malware or ransomware payloads. This Hunt Package is designed to exclude the common paths NetSupport is executed from. Because NetSupport can be installed or executed from nearly any directory, analysts should review whether NetSupport is allowed and follow internal policies if it is not authorized. Some common "red flag" directories include temporary directories, Temp and System32. Additionally, to appear more legitimate, some attackers may use installation paths that include legitimate-sounding names, such as "Microsoft Management" or "Customer Service".


MeshAgent Service Installation

This Hunt Package is intended to identify the service that is created when MeshAgent is installed using its default service profile. This can be customized with specific command line arguments; however, many attackers use the default installation path. MeshAgent is not often used in organizations, but it may be used in one-off cases for immediate needs. As such, verify, following internal guidance, whether MeshAgent is allowed in your environment.



MeshAgent Suspicious Child Process - Potential Malicious RMM Tool Usage

Identifies the default installation process executing suspect applications, such as powershell, schtasks, cmd and other applications that can be abused by MeshAgent's built-in modules.



Atera Agent utilized for Unauthorized Remote Access

This package identifies when the Atera Agent is installed for remote connectivity by looking for key registry values or command line arguments used to install and register the agent to an unauthorized account. This package uses different artifacts to identify this behavior. Check the 'Deployment Requirements' section for each tool to understand its limitations or requirements. NOTE: The queries require you to put your business name into the query parameters if your organization uses Atera.



AnyDesk Silent Installation - Potential Malicious RMM Tool Installation

Identifies when AnyDesk is installed using the silent method, so as not to prompt or show any details to the user logged into the system. Malware can use this to automate the installation without letting the user know it has been installed.



Remote Atera Agent Download - Command Line

This Threat Hunt package identifies when a living-off-the-land binary (LOLBin) is used to fetch Atera's Remote Monitoring and Management (RMM) agent directly from Atera's distribution domain.



Remote Atera Agent Download - Web

This Threat Hunt package identifies when Atera's Remote Monitoring and Management (RMM) agent is downloaded directly from Atera's distribution domain.



AnyDesk Password Set Via CLI - Potential Malicious RMM Tool Installation

Threat actors wishing to install AnyDesk in the background and set a password for logging into it will use the command flag --set-password after echoing the password to be set for the installation. This Hunt Package attempts to identify when a password is set for AnyDesk via the CLI. This is an uncommon practice for most users, as the password is usually configured in the UI instead of by running a command. NOTE: Both Hunt and Behavioral Detection logic are provided to identify when AnyDesk has been renamed from its default execution name. The Behavioral Detection logic looks for the common AnyDesk execution name, while the Hunt logic targets only the applicable command line parameters.



AnyDesk Service Installation - Potentially Malicious RMM Tool Installation

Identifies when the AnyDesk service is installed on a system. This can be legitimate if the organization allows AnyDesk; however, if it is not a commonly used application, any service installation should be considered suspect.



NetSupport Manager Service Install - Potentially Malicious RMM Tool Installation

This Hunt Package is intended to identify the service that is created when NetSupport Manager is installed using its default service profile. Analysts should verify, following internal guidance, whether NetSupport Manager is allowed in their environment before executing this Hunt Package.



AnyDesk Execution from Abnormal Folder - Potential Malicious Use of RMM Tool

AnyDesk is a common and widely used tool for remotely controlling machines. However, it has also been adopted by many actors to remotely access victim machines and deploy malware or ransomware payloads. This Hunt Package is designed to exclude the common paths AnyDesk is executed from. Because AnyDesk can be installed or executed from nearly any directory, analysts should review whether AnyDesk is allowed and follow internal policies if it is not authorized. Some common "red flag" directories include temporary directories, ProgramData and System32. Additionally, to appear more legitimate, some attackers may use installation paths that include legitimate-sounding names, such as "Microsoft Management" or "Customer Service".
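As an added example (not Intel 471's hunt logic or code), the following Python evaluator applies the indicators described in the NetSupport, AnyDesk and MeshAgent packages above to constructed process-creation events: execution from an abnormal or red-flag folder, decoy folder names, a password set via --set-password, and MeshAgent spawning a suspect child. The executable names, the set of "normal" install roots and the sample events are assumptions, not taken from the page.

```python
# Assumed executable names for the tools discussed (not stated on the page).
RMM_BINARIES = {"anydesk.exe": "AnyDesk", "client32.exe": "NetSupport Manager",
                "meshagent.exe": "MeshAgent"}
# Assumed "normal" install roots; anything else counts as an abnormal folder.
NORMAL_PREFIXES = ("c:/program files/", "c:/program files (x86)/")
# Red-flag directories and decoy folder names called out in the packages above.
RED_FLAG_DIRS = ("/temp/", "/programdata/", "/system32/")
DECOY_NAMES = ("microsoft management", "customer service")
# Children that MeshAgent's built-in modules can launch.
SUSPECT_CHILDREN = {"powershell.exe", "schtasks.exe", "cmd.exe"}


def _split(path: str) -> tuple[str, str]:
    """Lower-case a Windows path, normalise separators, return ('folder/', name)."""
    folder, _, name = path.lower().replace("\\", "/").rpartition("/")
    return folder + "/", name


def classify(event: dict) -> list[str]:
    """Findings for one process-creation event (keys: image, command_line, parent_image)."""
    findings = []
    folder, name = _split(event["image"])
    tool = RMM_BINARIES.get(name)
    if tool:
        if not folder.startswith(NORMAL_PREFIXES):
            findings.append(f"{tool} execution from abnormal folder")
            if any(d in folder for d in RED_FLAG_DIRS):
                findings.append(f"{tool} running from red-flag directory")
            if any(n in folder for n in DECOY_NAMES):
                findings.append(f"{tool} path uses legitimate-sounding decoy name")
        # Password configured from the command line rather than the UI.
        if tool == "AnyDesk" and "--set-password" in event.get("command_line", "").lower():
            findings.append("AnyDesk password set via CLI")
    if _split(event.get("parent_image", ""))[1] == "meshagent.exe" and name in SUSPECT_CHILDREN:
        findings.append("MeshAgent spawned suspect child process")
    return findings


# Constructed sample events (not real telemetry); the first one is a benign install.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "command_line": "AnyDesk.exe"},
    {"image": r"C:\Users\bob\AppData\Local\Temp\AnyDesk.exe",
     "command_line": "AnyDesk.exe --set-password"},
    {"image": r"C:\ProgramData\Microsoft Management\client32.exe", "command_line": "client32.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop", "parent_image": r"C:\Program Files\Mesh Agent\MeshAgent.exe"},
]


def run_samples() -> list[list[str]]:
    """Classify every constructed sample event in order."""
    return [classify(ev) for ev in SAMPLE_EVENTS]
```

Feeding real process-creation telemetry through classify() requires only mapping your source's image, command line and parent image fields onto the event keys above.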

