Tag
Tiflux RMM Abused in Malspam Campaign
2 rules, 1 TTP, 2 IOCs
A malspam campaign is abusing the legitimate Tiflux RMM software to gain stealthy remote access and persistence on victim machines.
Multiple Vulnerabilities in Oracle Java SE
2 rules, 1 TTP
A remote attacker, either anonymous or authenticated, can exploit multiple vulnerabilities in Oracle Java SE to compromise confidentiality, integrity, and availability.
Vulnerabilities Disclosed in IP KVM Devices from Multiple Vendors
2 rules, 2 TTPs
Researchers have disclosed unspecified vulnerabilities in IP KVM devices from four manufacturers, potentially allowing attackers to gain unauthorized access to connected systems.
First Time Seen Remote Monitoring and Management Tool Execution
3 rules
Detects the execution of previously unseen remote monitoring and management (RMM) tools or remote access software on compromised Windows endpoints, often leveraged for command-and-control, persistence, and execution of malicious commands.
Suspicious DNS Queries to RMM Domains from Non-Browser Processes
2 rules
Detects DNS queries to remote monitoring and management (RMM) domains from non-browser processes, indicating potential misuse of legitimate remote access tools for command and control.
Remote Management Access Launch After MSI Install
2 rules
Detects an MSI installer execution followed by the execution of commonly abused remote management software such as ScreenConnect, potentially indicating abuse where an attacker triggers an MSI install and then connects via a guest link with a known session key.
Detection of Windows RMM Tool Execution
3 rules, 1 TTP
Detects process creation events indicative of remote management tools, which may signify legitimate use or malicious exploitation by threat actors abusing RMM software.
Remote File Copy via TeamViewer
2 rules, 2 TTPs
Attackers may abuse legitimate utilities such as TeamViewer to deploy malware interactively by remotely copying executable or script files during a TeamViewer session.
Detection of Level RMM Watchdog Task Creation
2 rules, 2 TTPs
Detects creation of the 'Level Watchdog' task, which indicates installation of the Level remote management tool and highlights the potential abuse of legitimate RMM tools for persistence and execution by threat actors on Windows systems.