{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/webview2/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Sysmon","Chrome","Edge","Firefox","Safari","Brave Browser","Opera Browser","Vivaldi Browser","WebView2"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","rmm","dns"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","Mozilla","Apple","Brave","Opera","Vivaldi"],"content_html":"\u003cp\u003eThis detection identifies potentially malicious use of Remote Monitoring and Management (RMM) tools by detecting DNS queries to known RMM domains originating from processes that are not web browsers. Attackers frequently abuse legitimate RMM software for command and control, persistence, and lateral movement within compromised networks. This rule focuses on surfacing RMM clients, scripts, or other non-browser activity contacting these services, thereby increasing the likelihood of detecting unauthorized remote access or malicious activity. The rule aims to reduce false positives by excluding common browser processes and focusing on unusual network activity. The identified domains are associated with various RMM tools like TeamViewer, AnyDesk, and ScreenConnect. This detection is relevant for organizations concerned about insider threats, supply chain attacks, or general compromise leading to unauthorized remote access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, possibly through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker installs an unauthorized RMM tool (e.g., using a script or installer).\u003c/li\u003e\n\u003cli\u003eThe RMM tool initiates a DNS query to resolve its command and control domain (e.g., teamviewer.com).\u003c/li\u003e\n\u003cli\u003eThe system, now running the RMM agent, establishes a connection to the attacker-controlled RMM server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the RMM tool to execute commands on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the RMM tool for lateral movement within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the RMM tool to maintain persistence on the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromise via unauthorized RMM tools can provide attackers with persistent remote access, enabling them to perform a range of malicious activities, including data theft, ransomware deployment, and further lateral movement within the network. Successful exploitation can lead to significant financial loss, reputational damage, and disruption of business operations. The number of affected systems can vary depending on the scope of the initial compromise and the attacker\u0026rsquo;s ability to move laterally.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eRMM Domain DNS Queries from Non-Browser Processes\u003c/code\u003e to your SIEM and tune it to your environment, excluding legitimate non-browser processes that use RMM tools.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the rule, focusing on identifying the process making the DNS query and its parent process, as outlined in the rule\u0026rsquo;s description.\u003c/li\u003e\n\u003cli\u003eMonitor DNS query logs for queries to the RMM domains listed in the IOC table, and block them at the DNS resolver if unauthorized RMM use is confirmed.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 22 (DNS Query) logging to provide the necessary data for this detection, as recommended in the \u0026ldquo;Setup\u0026rdquo; section of the content.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-rmm-domain-dns/","summary":"Detects DNS queries to commonly abused remote monitoring and management (RMM) or remote access software domains from non-browser processes, potentially indicating unauthorized remote access or command and control activity.","title":"RMM Domain DNS Queries from Non-Browser Processes","url":"https://feed.craftedsignal.io/briefs/2024-01-rmm-domain-dns/"}],"language":"en","title":"CraftedSignal Threat Feed — WebView2","version":"https://jsonfeed.org/version/1.1"}