Suspicious DNS Queries to Remote Monitoring and Management Domains from Non-Browser Processes
This brief details the detection of DNS queries targeting commonly abused Remote Monitoring and Management (RMM) or remote access software domains, originating from non-browser processes, which is a common tactic for command and control, persistence, and lateral movement by threat actors.
This threat brief focuses on the detection of suspicious DNS queries directed towards domains associated with Remote Monitoring and Management (RMM) and remote access software. Threat actors frequently exploit legitimate RMM tools for various malicious purposes, including establishing command and control (C2), maintaining persistence within compromised environments, and facilitating lateral movement. The detection rule specifically targets DNS queries made by non-browser processes, aiming to surface activity from unapproved RMM clients, malicious scripts, or other unexpected software attempting to contact these services. This approach helps defenders identify unauthorized remote access, which could indicate a compromise, or the illicit use of legitimate tools for adversary operations, enabling timely response and mitigation.
Attack Chain
- Initial Access: A user falls victim to a phishing email or exploits an internet-facing vulnerability, allowing an attacker to gain an initial foothold on a system.
- Execution & Staging: Malicious code is executed, often disguised as a legitimate application or utility, which may download further tools or scripts.
- RMM Tool Deployment: The attacker deploys a legitimate, but often unauthorized or cracked, RMM or remote access client on the compromised system. This could be done through direct installation or by leveraging existing system capabilities.
- Command and Control (C2) Initialization: The newly deployed RMM client attempts to establish a connection to its control server, which involves performing DNS queries to its service domains (e.g.,
teamviewer.com,anydesk.com,connectwise.com). - Persistent Remote Access: Successful connection to the RMM domain provides the attacker with persistent remote access to the compromised system, often bypassing traditional firewall rules due to the nature of RMM applications.
- Internal Reconnaissance & Lateral Movement: Using the RMM tool, the attacker conducts internal reconnaissance, maps the network, and moves laterally to other systems within the environment.
- Objective Achievement: The attacker executes their final objectives, which may include data exfiltration, deployment of ransomware, or further propagation of malware.
Impact
The abuse of RMM tools by threat actors can lead to severe organizational impact. Successful exploitation can result in unauthorized, persistent access to critical systems, enabling extensive data exfiltration of sensitive information, deployment of ransomware causing significant operational disruption and financial losses, or complete network compromise. Organizations across all sectors, particularly those relying on legitimate RMM for IT support, are susceptible. If the attack succeeds, it can undermine an organization's security posture, lead to regulatory non-compliance, and damage reputation.
Recommendation
- Deploy the provided Sigma rule (or its ESQL equivalent) to your SIEM/endpoint security platform and tune for your environment to detect suspicious DNS queries.
- Ensure that DNS query logging is enabled for all Windows endpoints, ideally via Sysmon Event ID 22 or Elastic Defend, to provide the necessary telemetry for the detection rule.
- Investigate all alerts generated by the
Detect DNS Query to Remote Monitoring/Management (RMM) Domain from Non-Browser Processrule, focusing on theprocess.executableand its parent process. - Review the code signatures (
process.code_signature) of flagged processes to verify legitimacy and prevent abuse of trojanized RMM installers. - Block the RMM domains listed in the IOC table at the DNS resolver and firewall levels for any systems not explicitly authorized to use such tools.
- Implement and enforce a strict policy for approved RMM tools and publishers, ensuring only authorized staff use managed, legitimate software for remote support.
Detection coverage 1
Detect DNS Query to Remote Monitoring/Management (RMM) Domain from Non-Browser Process
mediumDetects DNS queries to commonly abused RMM or remote access software domains originating from processes other than common browsers, indicating potential C2 or unauthorized remote access.
Detection queries are available on the platform. Get full rules →
Indicators of compromise
193
domain
| Type | Value |
|---|---|
| domain | 01com.com |
| domain | 247ithelp.com |
| domain | action1.com |
| domain | addigy.com |
| domain | aeroadmin.com |
| domain | ammyy.com |
| domain | anydesk.com |
| domain | anyplace-control.com |
| domain | anysupport.net |
| domain | atera.com |
| domain | aurelius.host |
| domain | auvik.com |
| domain | aweray.com |
| domain | aweray.net |
| domain | backdrop.cloud |
| domain | barracudamsp.com |
| domain | beamyourscreen.com |
| domain | beanywhere.com |
| domain | beinsync.com |
| domain | beinsync.net |
| domain | beyondtrustcloud.com |
| domain | bomgar.com |
| domain | bomgarcloud.com |
| domain | centrastage.net |
| domain | centuriontech.com |
| domain | connectwise.com |
| domain | crossloop.com |
| domain | dameware.com |
| domain | datto.com |
| domain | datto.net |
| domain | deskday.ai |
| domain | deskroll.com |
| domain | desktopstreaming.com |
| domain | distantdesktop.com |
| domain | donkz.nl |
| domain | dwservice.net |
| domain | ehorus.com |
| domain | electric.ai |
| domain | emcosoftware.com |
| domain | ericom.com |
| domain | fastsupport.com |
| domain | fastviewer.com |
| domain | fixme.it |
| domain | fleetdeck.io |
| domain | gatherplace.com |
| domain | gatherplace.net |
| domain | getgo.com |
| domain | getscreen.me |
| domain | gotoassist.at |
| domain | gotoassist.com |
| domain | gotoassist.me |
| domain | gotohttp.com |
| domain | gotoresolve.com |
| domain | goverlan.com |
| domain | heartbeatrm.com |
| domain | helpme.net |
| domain | helpwire.app |
| domain | hoptodesk.com |
| domain | hostedrmm.com |
| domain | immy.bot |
| domain | immybot.com |
| domain | imperosoftware.com |
| domain | instanthousecall.com |
| domain | instanthousecall.net |
| domain | intelliadmin.com |
| domain | internapcdn.net |
| domain | internetid.ru |
| domain | iperius-rs.com |
| domain | iperius.net |
| domain | iperiusremote.com |
| domain | islonline.com |
| domain | islonline.net |
| domain | itarian.com |
| domain | itsupport247.net |
| domain | jumpcloud.com |
| domain | jumpdesktop.com |
| domain | jumpto.me |
| domain | kabuto.io |
| domain | kabutoservices.com |
| domain | kaseya.com |
| domain | kaseya.net |
| domain | kickidler.com |
| domain | laplink.com |
| domain | level.io |
| domain | liongard.com |
| domain | litemanager.com |
| domain | litemanager.ru |
| domain | logicnow.com |
| domain | logmein-gateway.com |
| domain | logmein.com |
| domain | logmeininc.com |
| domain | logmeinrescue.com |
| domain | logmeinrescue.eu |
| domain | lunixar.com |
| domain | meshcentral.com |
| domain | mikogo.com |
| domain | mikogo4.com |
| domain | miradore.com |
| domain | msp360.com |
| domain | mygreenpc.com |
| domain | n-able.com |
| domain | naverisk.com |
| domain | nchuser.com |
| domain | netop.com |
| domain | netsupportmanager.com |
| domain | netsupportsoftware.com |
| domain | netviewer.com |
| domain | ninjaone.com |
| domain | ninjarmm.com |
| domain | ninjarmm.net |
| domain | nomachine.com |
| domain | ntrsupport.com |
| domain | opti-tune.com |
| domain | optitune.us |
| domain | oray.com |
| domain | oray.net |
| domain | panorama9.com |
| domain | parsec.app |
| domain | parsecusercontent.com |
| domain | pcvisit.de |
| domain | pilixo.com |
| domain | playanext.com |
| domain | pulseway.com |
| domain | qetqo.com |
| domain | r-hud.net |
| domain | real-time-collaboration.com |
| domain | remmon.hu |
| domain | remote.it |
| domain | remote.management |
| domain | remotecall.com |
| domain | remotedesktop.com |
| domain | remotepc.com |
| domain | remotetopc.com |
| domain | remoteutilities.com |
| domain | remotix.com |
| domain | remotly.com |
| domain | repairshopr.com |
| domain | rmansys.ru |
| domain | rmmservice.ca |
| domain | rmmservice.eu |
| domain | royalapps.com |
| domain | rport.io |
| domain | rudesktop.ru |
| domain | rustdesk.com |
| domain | rview.com |
| domain | screenconnect.com |
| domain | screenmeet.com |
| domain | scrn.mt |
| domain | servably.com |
| domain | server-eye.de |
| domain | set.me |
| domain | setme.net |
| domain | showmypc.com |
| domain | signalserver.xyz |
| domain | simple-help.com |
| domain | skyfex.com |
| domain | sorillus.com |
| domain | splashtop.com |
| domain | splashtop.eu |
| domain | spyanywhere.com |
| domain | spytech-web.com |
| domain | startsupport.com |
| domain | superops.ai |
| domain | superops.com |
| domain | superopsalpha.com |
| domain | superopsbeta.com |
| domain | supremocontrol.com |
| domain | swi-rc.com |
| domain | swi-tc.com |
| domain | syncroapi.com |
| domain | syncromsp.com |
| domain | syspectr.com |
| domain | system-monitor.com |
| domain | systemmonitor.us |
| domain | tacticalrmm.com |
| domain | tailscale.com |
| domain | teamviewer.com |
| domain | techinline.net |
| domain | tele-desk.com |
| domain | tiflux.com |
| domain | tightvnc.com |
| domain | tmate.io |
| domain | todesk.com |
| domain | twingate.com |
| domain | ultraviewer.net |
| domain | ultravnc.com |
| domain | vnc.com |
| domain | weezo.me |
| domain | weezo.net |
| domain | xeox.com |
| domain | zoho.eu |
| domain | zohoassist.com |
| domain | zohoassist.jp |