<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>BarracudaRMM — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/barracudarmm/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/barracudarmm/feed.xml" rel="self" type="application/rss+xml"/><item><title>Multiple Remote Management Tool Vendors on Same Host</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-multiple-rmm-vendors/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-multiple-rmm-vendors/</guid><description>This detection identifies a Windows host where two or more distinct remote monitoring and management (RMM) or remote-access tool vendors are observed starting processes within the same eight-minute window, potentially indicating compromise, shadow IT, or attacker staging of redundant access.</description><content:encoded><![CDATA[<p>This detection rule identifies Windows hosts running multiple remote monitoring and management (RMM) tools from different vendors within an eight-minute timeframe. While legitimate MSP environments may utilize multiple tools, this activity can also indicate malicious behavior, such as an attacker establishing redundant access to a compromised system. The rule maps various RMM processes to vendor labels, ensuring that multiple binaries from the same vendor do not inflate the count. 
Monitored processes include popular RMM tools such as TeamViewer, AnyDesk, and ScreenConnect, among many others. The rule is designed to surface this activity and alert security teams to potential compromise; the eight-minute window is chosen to reduce false positives.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: An attacker gains initial access to a Windows host, possibly through phishing or exploitation of a vulnerability.</li>
<li>Tool Deployment: The attacker deploys an initial RMM tool for remote access and control.</li>
<li>Secondary Tool Deployment: The attacker deploys a second RMM tool from a different vendor to ensure redundant access in case the first tool is detected or removed.</li>
<li>Privilege Escalation: The attacker escalates privileges to gain SYSTEM or Administrator rights, if necessary, to maintain persistent access and control.</li>
<li>Lateral Movement: The attacker uses the RMM tools to move laterally within the network to access additional systems and data.</li>
<li>Data Exfiltration/Malicious Activity: The attacker uses the established RMM connections to exfiltrate sensitive data or perform other malicious activities such as deploying ransomware.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack can lead to unauthorized access to sensitive systems and data, potentially resulting in data breaches, financial loss, and reputational damage. This detection rule helps identify hosts that might be compromised by malicious actors utilizing multiple RMM tools for command and control. Identifying potentially compromised systems is key to preventing widespread damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rules in this brief to your SIEM to detect multiple RMM tools running on the same host within an eight-minute window.</li>
<li>Investigate systems triggering this alert by reviewing process execution logs and network connections to identify the source of the RMM tool installation.</li>
<li>Enforce a policy of a single approved RMM stack per asset class to minimize the risk of unauthorized RMM tool usage.</li>
<li>Tune the provided Sigma rules with host or organizational unit exceptions for legitimate MSP/IT tooling environments.</li>
<li>Review asset inventory and change tickets for approved RMM software to identify unauthorized installations.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>command-and-control</category><category>rmm</category><category>windows</category><category>threat-detection</category></item></channel></rss>