Threat Feed
medium advisory

RMM Domain DNS Queries from Non-Browser Processes

Detects DNS queries to commonly abused remote monitoring and management (RMM) or remote access software domains from non-browser processes, potentially indicating unauthorized remote access or command and control activity.

This detection surfaces potentially malicious use of Remote Monitoring and Management (RMM) tools by flagging DNS queries to known RMM domains that originate from processes other than web browsers. Attackers frequently abuse legitimate RMM software for command and control, persistence, and lateral movement because it is signed, widely deployed, and blends in with ordinary administrative traffic. Excluding browsers removes the most common benign source of these lookups (a user visiting the vendor's website) and focuses the rule on RMM clients, installers, scripts, and other non-browser processes contacting these services, which raises the likelihood that an alert reflects unauthorized remote access. The listed domains belong to a wide range of RMM and remote-access products, including TeamViewer, AnyDesk, and ScreenConnect. The detection is relevant to organizations concerned about insider threats, supply chain attacks, or a general compromise that leads to unauthorized remote access.

Attack Chain

  1. An attacker gains initial access to a system, for example through phishing or exploitation of a vulnerable service.
  2. The attacker installs an unauthorized RMM tool, typically with a script or a silent installer.
  3. The RMM agent issues a DNS query to resolve the vendor's infrastructure (for example, a teamviewer.com subdomain) or a self-hosted server. This query, coming from a non-browser process, is what the rule observes.
  4. The agent establishes an outbound connection to that infrastructure, and the attacker's RMM account or server is now bound to the compromised host.
  5. The attacker uses the RMM session to execute commands, transfer files, and move laterally within the network.
  6. The agent, often registered as a service or autostart entry, gives the attacker persistent access that survives reboots.

Impact

Unauthorized RMM tooling gives an attacker persistent, interactive remote access that looks like ordinary administrative activity: the binaries are legitimately signed, the traffic goes to reputable vendor domains over TLS, and the sessions are often allowed through egress controls. From that foothold the attacker can steal data, stage and deploy ransomware, and move laterally, leading to financial loss, reputational damage, and disruption of business operations. The number of affected systems depends on the scope of the initial compromise and on how far the attacker can push the RMM agent to additional hosts.

Recommendation

  • Deploy the Sigma rule RMM Domain DNS Queries from Non-Browser Processes to your SIEM and tune it to your environment. Allowlist sanctioned RMM clients by full image path and code-signing publisher rather than by file name alone: process names are attacker-controlled, and a dropped binary renamed to chrome.exe would otherwise fall under the browser exclusion.
  • Investigate every alert by identifying the querying process, its parent process, the user context, and when the binary appeared on the host, as outlined in the rule's description. A query from powershell.exe, cmd.exe, or an unknown executable in a user-writable directory warrants immediate triage.
  • Monitor DNS query logs for the domains listed in the IOC table, including their subdomains, and block unauthorized RMM vendors at the DNS resolver or egress proxy once unauthorized use is confirmed. Some listed vendors (for example tailscale.com, twingate.com, jumpcloud.com) are frequently sanctioned; exclude them deliberately rather than disabling the rule.
  • Enable Sysmon Event ID 22 (DNS Query) logging and forward the Microsoft-Windows-Sysmon/Operational channel to the SIEM; the rule depends on the Image and QueryName fields of that event.
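The following Sysmon configuration fragment is an added example showing how to enable Event ID 22 so the rule has the Image and QueryName fields it needs; it is not taken from the platform's Setup content. The rule group name and the two reverse-lookup exclusions are choices made for this example.

```xml
<Sysmon schemaversion="4.50">
  <EventFiltering>
    <RuleGroup name="DnsQuery" groupRelation="or">
      <!-- Event ID 22 (DnsQuery). An "exclude" rule logs every query that does
           not match, so only reverse lookups are dropped here. Do not exclude
           by Image: the detection depends on seeing the Image of every
           non-browser query, and Image is a name an attacker can choose. -->
      <DnsQuery onmatch="exclude">
        <QueryName condition="end with">.in-addr.arpa</QueryName>
        <QueryName condition="end with">.ip6.arpa</QueryName>
      </DnsQuery>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Install with `sysmon64.exe -accepteula -i sysmon-dns.xml` on a fresh host, or apply it to an existing installation with `sysmon64.exe -c sysmon-dns.xml`; Event ID 22 records then appear in the Microsoft-Windows-Sysmon/Operational channel with the querying process in the Image field and the looked-up name in QueryName.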

Detection coverage (2 rules)

RMM Domain DNS Queries from Non-Browser Processes

medium

Detects DNS queries to commonly abused remote monitoring and management (RMM) or remote access software domains from processes that are not browsers.

Format: sigma. Tactics: command_and_control. Sources: dns_query, windows.

RMM Domain DNS Queries - Process Name

low

Detects DNS queries to RMM domains where the process name is indicative of an RMM tool.

Format: sigma. Tactics: command_and_control. Sources: dns_query, windows.
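The platform keeps the actual Sigma queries, so the following is an added reference implementation (not the vendor's rules) of the logic the two rules above describe, run over constructed Sysmon Event ID 22 records as a SIEM would present them. It assumes a subset of the IOC table as the domain set, an assumed list of browser image names for the medium-severity exclusion, and an assumed heuristic for "process name indicative of an RMM tool" (the image name carries the vendor keyword of the domain it queried). It also shows the matching detail a practitioner has to get right: queries are matched on DNS label boundaries, so a subdomain of an IOC counts while a look-alike name such as notanydesk.com does not.

```python
"""Reference implementation of the two RMM DNS detections over constructed
Sysmon Event ID 22 (DnsQuery) records.  Example code, not the platform's
Sigma rules.  RMM_DOMAINS is a subset of the page's IOC table; BROWSER_IMAGES
and the process-name heuristic are assumptions made for this example."""

# Subset of the page's IOC table (apex domains).
RMM_DOMAINS = {
    "teamviewer.com", "anydesk.com", "screenconnect.com", "connectwise.com",
    "splashtop.com", "rustdesk.com", "atera.com", "ninjaone.com",
    "meshcentral.com", "tailscale.com",
}

# Assumed browser image names excluded by the medium-severity rule.  A process
# name is attacker-controlled (an RMM binary can be renamed chrome.exe), so this
# is a false-positive filter, not a security boundary.
BROWSER_IMAGES = {
    "chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe",
    "iexplore.exe", "msedgewebview2.exe",
}

RULE_NON_BROWSER = ("RMM Domain DNS Queries from Non-Browser Processes", "medium")
RULE_PROCESS_NAME = ("RMM Domain DNS Queries - Process Name", "low")


def matched_rmm_domain(query_name):
    """Return the IOC apex domain that query_name equals or is a subdomain of,
    or None.  Matching walks DNS labels right to left, so a plain substring or
    suffix test cannot be fooled: 'notanydesk.com' does not match
    'anydesk.com', but 'relay.anydesk.com' does."""
    labels = query_name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in RMM_DOMAINS:
            return candidate
    return None


def image_basename(image):
    """Sysmon 'Image' is a full path; compare on the lower-cased file name."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event):
    """Apply both rules to one Sysmon 22 record (dict with 'Image' and
    'QueryName').  Returns the list of (rule_title, level) pairs that fire.
    The rules are independent, so a genuine TeamViewer.exe talking to
    teamviewer.com fires both; only browsers are silent."""
    domain = matched_rmm_domain(event["QueryName"])
    if domain is None:
        return []
    proc = image_basename(event["Image"])
    hits = []
    if proc not in BROWSER_IMAGES:
        hits.append(RULE_NON_BROWSER)
    # Assumed heuristic for the low-severity rule: the image name carries the
    # vendor keyword of the queried domain (teamviewer.exe -> teamviewer.com).
    if domain.split(".")[0] in proc:
        hits.append(RULE_PROCESS_NAME)
    return hits


def run(events):
    """Evaluate a batch of events and return one alert dict per rule hit."""
    alerts = []
    for ev in events:
        for title, level in evaluate(ev):
            alerts.append({"rule": title, "level": level,
                           "image": ev["Image"], "query": ev["QueryName"]})
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Script-driven install: PowerShell resolving an AnyDesk relay -> medium.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "QueryName": "relay-1.net.anydesk.com"},
    # User browsing the vendor site -> browser exclusion, no alert.
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "QueryName": "www.teamviewer.com"},
    # Installed TeamViewer client -> medium (non-browser) and low (name match).
    {"Image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "QueryName": "router15.teamviewer.com"},
    # Look-alike domain must not match on a substring.
    {"Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "notanydesk.com"},
    # Unrelated query -> no alert.
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "QueryName": "login.microsoftonline.com"},
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(f"[{alert['level']}] {alert['rule']}: "
              f"{alert['image']} -> {alert['query']}")
```

Running the sample produces three alerts: a medium one for powershell.exe, and a medium plus a low one for TeamViewer.exe. The chrome.exe lookup and the notanydesk.com look-alike produce nothing, which is the behaviour to verify when porting the logic to a SIEM whose `endswith` or `contains` modifiers do not respect label boundaries.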


Indicators of compromise

75 indicators, all of type domain. The entries are apex domains; a query to any subdomain (for example relay.anydesk.com) should count as a match.

Type    Value
domain  teamviewer.com
domain  logmein.com
domain  logmeinrescue.com
domain  logmeininc.com
domain  internapcdn.net
domain  anydesk.com
domain  screenconnect.com
domain  connectwise.com
domain  splashtop.com
domain  zohoassist.com
domain  dwservice.net
domain  gotoassist.com
domain  getgo.com
domain  rustdesk.com
domain  remoteutilities.com
domain  atera.com
domain  ammyy.com
domain  n-able.com
domain  kaseya.net
domain  bomgar.com
domain  beyondtrustcloud.com
domain  parsec.app
domain  parsecusercontent.com
domain  tailscale.com
domain  twingate.com
domain  jumpcloud.com
domain  vnc.com
domain  remotepc.com
domain  netsupportsoftware.com
domain  getscreen.me
domain  beanywhere.com
domain  swi-rc.com
domain  swi-tc.com
domain  qetqo.com
domain  tmate.io
domain  playanext.com
domain  supremocontrol.com
domain  itarian.com
domain  datto.com
domain  auvik.com
domain  syncromsp.com
domain  pulseway.com
domain  immy.bot
domain  immybot.com
domain  level.io
domain  lunixar.com
domain  ninjarmm.com
domain  ninjaone.com
domain  centrastage.net
domain  datto.net
domain  liongard.com
domain  naverisk.com
domain  panorama9.com
domain  superops.ai
domain  superops.com
domain  tacticalrmm.com
domain  meshcentral.com
domain  remotly.com
domain  fixme.it
domain  islonline.com
domain  zoho.eu
domain  goverlan.com
domain  iperius.net
domain  iperiusremote.com
domain  remotix.com
domain  mikogo.com
domain  r-hud.net
domain  pcvisit.de
domain  netviewer.com
domain  helpwire.app
domain  remotetopc.com
domain  rport.io
domain  action1.com
domain  tiflux.com
domain  gotoresolve.com