TeamViewer — CraftedSignal Threat Feed

Potential RemoteMonologue Attack via Registry Modification

hello@craftedsignal.io — Wed, 03 Jan 2024 14:00:00 +0000

The RemoteMonologue attack technique abuses Component Object Model (COM) objects to coerce authentication from a remote system. This is achieved by modifying the RunAs registry value associated with a COM object. Setting this value to “Interactive User” forces the COM object to run under the context of the interactive user, enabling attackers to hijack sessions and potentially escalate privileges. This technique is often used as a defense evasion or persistence mechanism by adversaries after gaining initial access to a system. The attack involves modifying registry keys associated with COM objects to trigger NTLM authentication coercion. This can be used for lateral movement and gaining access to sensitive resources. This rule is designed to detect registry modifications indicative of the RemoteMonologue attack.

Attack Chain

Initial Access: An attacker gains initial access to the target system through unspecified means.
Identify COM Objects: The attacker identifies suitable COM objects for abuse.
Modify Registry: The attacker modifies the registry to set the RunAs value for the selected COM object to Interactive User. This involves modifying the registry path HKCR\AppID\{Clsid}\RunAs.
Trigger COM Object Execution: The attacker triggers the execution of the modified COM object, potentially through a remote procedure call or other inter-process communication mechanisms.
Authentication Coercion: The execution of the COM object triggers NTLM authentication to a system controlled by the attacker.
Relay Attack: The attacker relays the coerced NTLM authentication to gain access to other resources on the network.
Session Hijacking: Successful relay leads to session hijacking, allowing the attacker to impersonate the user.
Lateral Movement/Privilege Escalation: The attacker uses the hijacked session for lateral movement or privilege escalation within the network.

Impact

A successful RemoteMonologue attack can lead to unauthorized access to sensitive systems and data. By coercing authentication and hijacking sessions, attackers can bypass security controls and escalate their privileges within the network. The scope of the impact depends on the privileges of the hijacked user account and the resources accessible to that account. This attack can enable lateral movement, data exfiltration, and other malicious activities.

Recommendation

Deploy the Sigma rule Detect RemoteMonologue Registry Modification to your SIEM to identify suspicious registry modifications related to COM object hijacking.
Enable Sysmon registry event logging to capture the necessary data for the Sigma rules to function effectively.
Investigate any alerts generated by the Sigma rule by reviewing the registry event logs and identifying the user account and process responsible for the registry modification.
Implement enhanced monitoring on critical systems to detect any attempts to modify COM object registry settings.
Block the attack by ensuring “RunAs” value is not set to “Interactive User”.

Multiple Remote Management Tool Vendors on Same Host

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

This detection rule identifies Windows systems running multiple Remote Monitoring and Management (RMM) tools from different vendors within an eight-minute timeframe. While legitimate MSP environments might utilize several tools, the presence of multiple RMM solutions on a single host can signify a compromise, unauthorized software installation (shadow IT), or attackers establishing redundant access points. The rule maps process names to vendor labels to avoid inflated counts from multiple binaries of the same vendor. This activity has been observed as a component of broader attack campaigns, including those leveraging compromised MSP infrastructure, and is described in CISA AA23-025A. The timeframe analyzed is “now-9m”, and the rule triggers if two or more different vendors are detected.

Attack Chain

Initial Access: The attacker gains initial access to the system, possibly through phishing, exploiting vulnerabilities, or stolen credentials.
Tool Deployment: The attacker deploys an initial RMM tool (e.g., AnyDesk, TeamViewer) for remote access and control.
Persistence: The attacker establishes persistence by configuring the RMM tool to start automatically on system boot.
Lateral Movement: The attacker uses the initial access to discover other systems on the network.
Additional RMM Deployment: The attacker deploys a second RMM tool (e.g., ScreenConnect, Splashtop) from a different vendor to create a redundant access method.
Privilege Escalation: The attacker escalates privileges using the compromised RMM tools, if necessary.
Remote Control: The attacker uses the RMM tools to remotely control the system, execute commands, and access sensitive data.
Data Exfiltration or Further Exploitation: The attacker exfiltrates sensitive data or uses the compromised system to launch further attacks on the network.

Impact

A successful attack leveraging multiple RMM tools can result in unauthorized access to sensitive data, system compromise, and lateral movement within the network. The presence of multiple RMM tools increases the attacker’s resilience, making it harder to detect and remediate the intrusion. Affected systems can be used as a staging ground for further attacks, leading to significant financial and reputational damage. This can impact any Windows-based system, and the CISA advisory AA23-025A specifically highlights the risk of MSP infrastructure compromise.

Recommendation

Deploy the Sigma rule Multiple RMM Vendors on Same Host to your SIEM and tune for your environment.
Investigate hosts triggering the rule to confirm legitimate use of multiple RMM tools. Check Esql.vendors_seen and Esql.processes_name_values for insight into the involved tools.
Review asset inventory and change tickets to verify authorized RMM software installations.
Isolate any unauthorized or unexplained hosts and remove unapproved RMM tools.
Enforce a single approved RMM stack per asset class where possible.
Enable Sysmon process creation logging (Event ID 1) on Windows endpoints to enhance detection capabilities as described in the rule’s setup instructions.

Mshta Making Network Connections Indicative of Defense Evasion

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

Mshta.exe is a legitimate Windows utility used to execute Microsoft HTML Application (HTA) files. Adversaries exploit it to run malicious scripts, leveraging its trusted status to bypass security measures. This activity can be difficult to detect because Mshta.exe is a signed Microsoft binary. This detection identifies suspicious network activity by Mshta.exe, excluding known benign processes, to flag potential threats. Legitimate uses of Mshta.exe include software updates, installations, and automation scripts using HTA files. This rule helps identify unauthorized network connections indicative of malicious intent and flags suspicious use of mshta.exe.

Attack Chain

An attacker gains initial access through an unknown method, such as phishing or exploiting a software vulnerability.
The attacker executes a malicious script, such as VBScript or JavaScript, using Mshta.exe.
Mshta.exe interprets and executes the script, bypassing application control policies due to its signed status.
The script establishes a network connection to an external command and control (C2) server.
The C2 server provides instructions to the compromised host, such as downloading additional malware.
The downloaded malware executes, performing actions such as data exfiltration or lateral movement.
The attacker leverages the compromised host to move laterally within the network, compromising additional systems.
The attacker achieves their objective, such as stealing sensitive data or deploying ransomware.

Impact

Successful exploitation can lead to the execution of arbitrary code, potentially compromising sensitive data, facilitating lateral movement, and establishing a persistent presence within the network. Systems affected by this activity may be used as a beachhead for further attacks, leading to significant data breaches, financial loss, and reputational damage. The number of victims can vary depending on the scope of the initial compromise and the attacker’s objectives.

Recommendation

Enable Sysmon process creation logging to capture the command-line arguments used by Mshta.exe.
Deploy the “Mshta Network Connection” Sigma rule to your SIEM and tune for your environment.
Implement application whitelisting to prevent unauthorized execution of Mshta.exe and similar system binaries.
Monitor network connections initiated by Mshta.exe, including destination IP addresses, domains, and ports, to identify any connections to known malicious or suspicious endpoints.

Remote File Copy via TeamViewer

hello@craftedsignal.io — Wed, 03 Jan 2024 10:00:00 +0000

Attackers sometimes transfer malicious tools into a compromised environment using the command and control channel, but they also abuse legitimate utilities like TeamViewer to drop these files. TeamViewer is a remote access and control tool frequently used by help desks and system administrators for support activities; however, attackers and scammers also leverage it to deploy malware and conduct other malicious activities. This detection identifies instances of the TeamViewer process creating files with suspicious extensions on Windows systems, indicating potential misuse of the tool for unauthorized file transfers. The rule is designed to detect suspicious remote file copies during TeamViewer sessions, focusing on files with extensions commonly associated with executables and scripts.

Attack Chain

An attacker gains initial access to a system through various means.
The attacker installs or leverages an existing TeamViewer instance on the compromised system.
The attacker establishes a remote connection to the compromised system using TeamViewer.
The attacker initiates a file transfer session within TeamViewer.
The attacker transfers a malicious executable or script file (e.g., .exe, .dll, .ps1) to the compromised system.
The transferred file is saved to a location on the compromised system.
The attacker executes the transferred file, leading to further malicious activities such as malware installation or command execution.
The attacker performs post-exploitation activities, like lateral movement or data exfiltration.

Impact

Successful exploitation via remote file copy can lead to the introduction of malware into the targeted environment, potentially compromising sensitive data and causing significant operational disruption. The severity of the impact depends on the nature of the transferred file and the subsequent actions performed by the attacker.

Recommendation

Deploy the Sigma rule TeamViewer Remote File Copy to your SIEM and tune for your environment.
Investigate any alerts generated by this rule by examining process execution chains and file origins.
Block the file extensions listed in the file.extension field in the query at the network level to prevent the transfer of potentially malicious files.
Enable Elastic Defend or SentinelOne Cloud Funnel to collect the necessary file creation events to trigger the detection.
Review TeamViewer usage within your organization and restrict its use to authorized personnel only.

Multiple Remote Management Tool Vendors on Same Host

hello@craftedsignal.io — Tue, 02 Jan 2024 12:00:00 +0000

This detection rule identifies Windows hosts running multiple remote monitoring and management (RMM) tools from different vendors within an eight-minute timeframe. While legitimate MSP environments may utilize multiple tools, this activity can also indicate malicious behavior, such as an attacker establishing redundant access to a compromised system. The rule maps various RMM processes to vendor labels, ensuring that multiple binaries from the same vendor do not inflate the count. The processes monitored include popular RMM tools like TeamViewer, AnyDesk, ScreenConnect, and many others. This rule is designed to detect suspicious activity within the environment and alert security teams to potential compromises. The timeframe is set to eight minutes to reduce false positives.

Attack Chain

Initial Access: An attacker gains initial access to a Windows host, possibly through phishing or exploitation of a vulnerability.
Tool Deployment: The attacker deploys an initial RMM tool for remote access and control.
Secondary Tool Deployment: The attacker deploys a second RMM tool from a different vendor to ensure redundant access in case the first tool is detected or removed.
Privilege Escalation: The attacker escalates privileges to gain SYSTEM or Administrator rights, if necessary, to maintain persistent access and control.
Lateral Movement: The attacker uses the RMM tools to move laterally within the network to access additional systems and data.
Data Exfiltration/Malicious Activity: The attacker uses the established RMM connections to exfiltrate sensitive data or perform other malicious activities such as deploying ransomware.

Impact

A successful attack can lead to unauthorized access to sensitive systems and data, potentially resulting in data breaches, financial loss, and reputational damage. This detection rule helps identify hosts that might be compromised by malicious actors utilizing multiple RMM tools for command and control. Identifying potentially compromised systems is key to preventing widespread damage.

Recommendation

Deploy the Sigma rules in this brief to your SIEM to detect multiple RMM tools running on the same host within an eight-minute window.
Investigate systems triggering this alert by reviewing process execution logs and network connections to identify the source of the RMM tool installation.
Enforce a policy of a single approved RMM stack per asset class to minimize the risk of unauthorized RMM tool usage.
Tune the provided Sigma rules with host or organizational unit exceptions for legitimate MSP/IT tooling environments.
Review asset inventory and change tickets for approved RMM software to identify unauthorized installations.