<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Remote-Access — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/remote-access/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 19 Mar 2026 17:26:04 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/remote-access/feed.xml" rel="self" type="application/rss+xml"/><item><title>Vulnerabilities Disclosed in IP KVM Devices from Multiple Vendors</title><link>https://feed.craftedsignal.io/briefs/2026-03-ip-kvm-vulns/</link><pubDate>Thu, 19 Mar 2026 17:26:04 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-ip-kvm-vulns/</guid><description>Researchers have disclosed unspecified vulnerabilities in IP KVM devices from four manufacturers, potentially allowing attackers to gain unauthorized access to connected systems.</description><content:encoded><![CDATA[<p>On March 19, 2026, security researchers publicly disclosed vulnerabilities affecting IP KVM (Keyboard, Video, Mouse) devices from four unnamed manufacturers. While specific CVEs and technical details have not yet been confirmed, the general nature of IP KVM vulnerabilities poses a significant risk. These devices, which provide remote access and control over connected servers and workstations, are often deployed in sensitive environments such as data centers and industrial control systems. Exploitation could grant attackers unauthorized access, control, and data exfiltration capabilities.
Pending further information, organizations are advised to inventory and review their use of IP KVM devices.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> The attacker identifies vulnerable IP KVM devices exposed to the network, potentially through Shodan or similar scanning tools.</li>
<li><strong>Vulnerability Exploitation:</strong> The attacker leverages an unspecified vulnerability in the IP KVM&rsquo;s firmware or web interface. This could involve exploiting a buffer overflow, authentication bypass, or command injection flaw.</li>
<li><strong>Authentication Bypass (if applicable):</strong> If the initial vulnerability allows it, the attacker bypasses authentication mechanisms to gain administrative access to the KVM device.</li>
<li><strong>Remote Access:</strong> The attacker utilizes the compromised IP KVM to remotely access connected servers and workstations as if they were physically present at the console.</li>
<li><strong>Privilege Escalation:</strong> Once on a connected system, the attacker attempts to escalate privileges to gain SYSTEM or root access, potentially exploiting known OS vulnerabilities or misconfigurations.</li>
<li><strong>Lateral Movement:</strong> With elevated privileges, the attacker moves laterally to other systems on the network, using techniques like pass-the-hash or exploiting shared credentials.</li>
<li><strong>Data Exfiltration / System Manipulation:</strong> The attacker exfiltrates sensitive data from compromised systems or manipulates critical system configurations.</li>
<li><strong>Persistence:</strong> The attacker establishes persistence mechanisms (e.g., backdoors, scheduled tasks) on the compromised systems to maintain long-term access.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of vulnerabilities in IP KVM devices can lead to severe consequences, including unauthorized access to critical systems, data breaches, and disruption of services. The number of potential victims is dependent on the number of vulnerable devices deployed across various organizations. Targeted sectors could include data centers, financial institutions, government agencies, and industrial control systems, all of which commonly rely on IP KVMs for remote server management. If the attack succeeds, organizations could suffer significant financial losses, reputational damage, and legal liabilities.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Identify and inventory all IP KVM devices on your network to determine the affected manufacturers.</li>
<li>Monitor network traffic for suspicious connections to IP KVM devices, using a network intrusion detection system (NIDS).</li>
<li>Deploy the Sigma rule &ldquo;Detect Suspicious KVM Console Access&rdquo; to identify unusual console activity related to KVM devices.</li>
<li>Investigate any unusual process execution events originating from systems connected to IP KVM devices using process creation logs and the Sigma rule &ldquo;Detect Potential KVM-Initiated Process&rdquo;.</li>
<li>Conduct regular vulnerability scans on IP KVM devices to identify and remediate known security weaknesses.</li>
<li>Implement strong access controls and multi-factor authentication for IP KVM devices to prevent unauthorized access.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>ip-kvm</category><category>vulnerability</category><category>remote-access</category></item><item><title>First Time Seen Remote Monitoring and Management Tool Execution</title><link>https://feed.craftedsignal.io/briefs/2024-01-first-time-seen-rmm/</link><pubDate>Wed, 24 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-first-time-seen-rmm/</guid><description>Detects the execution of previously unseen remote monitoring and management (RMM) tools or remote access software on compromised Windows endpoints, often leveraged for command-and-control, persistence, and execution of malicious commands.</description><content:encoded><![CDATA[<p>Attackers commonly abuse legitimate remote monitoring and management (RMM) tools and remote access software for command and control (C2), persistence, and execution of native commands on compromised endpoints. These tools provide attackers with the ability to maintain access, execute commands, and move laterally within a network. This detection identifies when a process associated with commonly abused RMM/remote access tools is observed for the first time on a host. The rule is designed to trigger when a new process name or code signature associated with RMM software, or a child process of such software, is seen within a configured history window. This helps defenders quickly identify potentially malicious use of legitimate tools.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: The attacker gains initial access to a target system through various methods, such as exploiting vulnerabilities or using compromised credentials.</li>
<li>Tool Deployment: The attacker deploys a remote monitoring and management (RMM) tool or remote access software on the compromised endpoint. This may involve downloading and installing the tool, or exploiting existing installations.</li>
<li>Persistence: The RMM tool is configured to run persistently on the system, ensuring that the attacker maintains access even after a reboot or other disruption. This may involve creating a service or adding a registry key to ensure the tool starts automatically.</li>
<li>Command and Control: The attacker uses the RMM tool to establish a command and control (C2) channel with the compromised system. This allows them to remotely execute commands, transfer files, and monitor activity on the system.</li>
<li>Lateral Movement: Using the RMM tool, the attacker moves laterally within the network, compromising additional systems and escalating their access. This may involve using the tool to access shared resources or execute commands on other systems.</li>
<li>Data Exfiltration or Ransomware Deployment: The attacker uses their access to exfiltrate sensitive data from the compromised network or deploy ransomware to encrypt files and demand a ransom payment.</li>
<li>Cleanup: The attacker may attempt to remove traces of their activity, such as logs or files associated with the RMM tool, to avoid detection.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Compromise via RMM tools can lead to significant data breaches, financial losses, and reputational damage. The use of legitimate tools makes detection more difficult. Successful attacks can result in ransomware deployment, data theft, and prolonged unauthorized access to sensitive systems. Organizations in all sectors are potentially at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the process creation rule to detect the execution of RMM tools on endpoints based on <code>process.name</code> and <code>process.code_signature.subject_name</code> criteria in the query.</li>
<li>Enable Sysmon process creation logging (Event ID 1) to ensure the collection of necessary event data for the detection rule.</li>
<li>Investigate any alerts generated by the detection rule to determine whether the execution of the RMM tool is authorized and legitimate. Refer to the references for a list of commonly abused RMM tools and associated indicators.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>remote-access</category><category>rmm</category><category>command-and-control</category><category>persistence</category></item><item><title>Suspicious DNS Queries to RMM Domains from Non-Browser Processes</title><link>https://feed.craftedsignal.io/briefs/2024-01-rmm-dns-non-browser/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-rmm-dns-non-browser/</guid><description>Detection of DNS queries to remote monitoring and management (RMM) domains from non-browser processes indicating potential misuse of legitimate remote access tools for command and control.</description><content:encoded><![CDATA[<p>This detection identifies DNS queries to commonly abused remote monitoring and management (RMM) or remote access software domains originating from processes that are not web browsers. This activity can indicate the use of legitimate RMM tools for malicious purposes, such as command and control, persistence, or lateral movement within a network. The detection aims to surface RMM clients, scripts, or other non-browser activities contacting these services without legitimate user interaction. Defenders should investigate processes making these queries to confirm expected behavior and validate the security posture of their managed assets. The rule is based on a list of known RMM domains and excludes common browser processes to reduce false positives.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a Windows host through unspecified means.</li>
<li>The attacker deploys or leverages an existing RMM tool on the compromised host.</li>
<li>The RMM tool, running as a non-browser process, initiates a DNS query to resolve a command and control server associated with the RMM service (e.g., teamviewer.com).</li>
<li>The DNS query is made by a process other than a known web browser (chrome.exe, firefox.exe, etc.).</li>
<li>The compromised host establishes a connection to the resolved IP address associated with the RMM domain.</li>
<li>The attacker uses the RMM tool to execute commands, transfer files, or perform other malicious activities on the compromised host.</li>
<li>The attacker may use the RMM tool for lateral movement, pivoting to other systems within the network.</li>
<li>The attacker achieves their objective, which could include data exfiltration, ransomware deployment, or maintaining persistent access.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Compromise via abused RMM software can lead to full system compromise, data theft, or deployment of ransomware. While the number of affected victims is unknown, the sectors most likely to be impacted include any organization that relies on RMM tools for IT management. Successful exploitation allows attackers to bypass traditional security controls by using legitimate software, making detection more challenging.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &ldquo;DNS Queries to Known RMM Domains from Non-Browser Processes&rdquo; to your SIEM and tune the RMM domain list for your environment.</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on identifying the process responsible for the DNS query and its parent process.</li>
<li>Implement application control policies to restrict the execution of unauthorized RMM tools.</li>
<li>Enable Sysmon DNS event logging to ensure the necessary data is available for the detection rule.</li>
<li>Correlate with other alerts to identify potential compromises.</li>
<li>Review <code>process.code_signature</code> for trusted RMM publishers and investigate any unsigned or unexpected signers.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>command-and-control</category><category>remote-access</category><category>windows</category></item><item><title>Remote Management Access Launch After MSI Install</title><link>https://feed.craftedsignal.io/briefs/2024-01-rmm-after-msi/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-rmm-after-msi/</guid><description>Detects an MSI installer execution followed by the execution of commonly abused Remote Management Software like ScreenConnect, potentially indicating abuse where an attacker triggers an MSI install then connects via a guest link with a known session key.</description><content:encoded><![CDATA[<p>This detection identifies a suspicious sequence of events where an MSI installer is executed, followed by the launch of remote management software (RMM) such as ScreenConnect, Syncro, or VNC. Attackers may leverage this technique to gain unauthorized access to systems by first installing malicious software via an MSI package, and then using the RMM software to establish a remote connection. The rule specifically looks for msiexec.exe being run with an install argument (/i) followed by the execution of known RMM tools within a short timeframe. This behavior is often indicative of malicious actors attempting to establish persistent remote access to compromised machines. The detection is designed for Windows environments and covers a range of data sources including Elastic Defend, Sysmon, SentinelOne, Microsoft Defender XDR, and Crowdstrike.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a system through various means (e.g., social engineering, compromised website, or existing malware).</li>
<li>The attacker deploys a malicious MSI installer to the victim machine. This can be done through phishing attachments or drive-by downloads.</li>
<li>The user executes the MSI installer (msiexec.exe) with an installation argument (/i or -i). The parent process is typically explorer.exe or sihost.exe, indicating user-initiated installation.</li>
<li>The MSI installer executes, potentially installing malware or modifying system settings.</li>
<li>Within one minute of the MSI installation, a remote management software (RMM) client is launched, such as ScreenConnect.ClientService.exe, Syncro.Installer.exe, tvnserver.exe, or winvnc.exe.</li>
<li>The RMM client attempts to establish an outbound connection to a remote server controlled by the attacker, often using pre-configured access keys.</li>
<li>The attacker gains remote access to the compromised system via the RMM client. In the case of ScreenConnect, the attacker may use a guest link with a known session key.</li>
<li>The attacker performs malicious activities, such as data exfiltration, lateral movement, or installing additional malware.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to gain persistent remote access to compromised systems. This can lead to data theft, financial fraud, or disruption of services. Depending on the scope of the initial access, the attacker may be able to move laterally within the network, compromising additional systems. The use of RMM software can mask malicious activity as legitimate remote support, making detection more difficult.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable process creation logging via Sysmon or Windows Security Event Logs to capture the execution of msiexec.exe and RMM tools.</li>
<li>Deploy the &ldquo;Remote Management Access Launch After MSI Install&rdquo; Sigma rule to your SIEM and tune the timeframe (maxspan) to suit your environment.</li>
<li>Investigate any alerts generated by this rule, focusing on the source of the MSI file and the destination of the RMM connection.</li>
<li>Block the execution of unauthorized RMM software on your network based on process name, as identified in the rule (ScreenConnect.ClientService.exe, Syncro.Installer.exe, tvnserver.exe, winvnc.exe).</li>
<li>Monitor network connections for RMM software connecting to unusual or external IPs.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>command and control</category><category>rmm</category><category>msi</category><category>windows</category><category>remote access</category></item><item><title>Remote File Copy via TeamViewer</title><link>https://feed.craftedsignal.io/briefs/2024-01-teamviewer-file-copy/</link><pubDate>Wed, 03 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-teamviewer-file-copy/</guid><description>Attackers may abuse legitimate utilities such as TeamViewer to deploy malware interactively by remotely copying executable or script files during a TeamViewer session.</description><content:encoded><![CDATA[<p>Attackers sometimes transfer malicious tools into a compromised environment using the command and control channel, but they also abuse legitimate utilities like TeamViewer to drop these files. TeamViewer is a remote access and control tool frequently used by help desks and system administrators for support activities; however, attackers and scammers also leverage it to deploy malware and conduct other malicious activities. This detection identifies instances of the TeamViewer process creating files with suspicious extensions on Windows systems, indicating potential misuse of the tool for unauthorized file transfers. The rule is designed to detect suspicious remote file copies during TeamViewer sessions, focusing on files with extensions commonly associated with executables and scripts.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a system through various means.</li>
<li>The attacker installs or leverages an existing TeamViewer instance on the compromised system.</li>
<li>The attacker establishes a remote connection to the compromised system using TeamViewer.</li>
<li>The attacker initiates a file transfer session within TeamViewer.</li>
<li>The attacker transfers a malicious executable or script file (e.g., .exe, .dll, .ps1) to the compromised system.</li>
<li>The transferred file is saved to a location on the compromised system.</li>
<li>The attacker executes the transferred file, leading to further malicious activities such as malware installation or command execution.</li>
<li>The attacker performs post-exploitation activities, like lateral movement or data exfiltration.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation via remote file copy can lead to the introduction of malware into the targeted environment, potentially compromising sensitive data and causing significant operational disruption. The severity of the impact depends on the nature of the transferred file and the subsequent actions performed by the attacker.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>TeamViewer Remote File Copy</code> to your SIEM and tune for your environment.</li>
<li>Investigate any alerts generated by this rule by examining process execution chains and file origins.</li>
<li>Block the file extensions listed in the <code>file.extension</code> field in the query at the network level to prevent the transfer of potentially malicious files.</li>
<li>Enable Elastic Defend or SentinelOne Cloud Funnel to collect the necessary file creation events to trigger the detection.</li>
<li>Review TeamViewer usage within your organization and restrict its use to authorized personnel only.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>command-and-control</category><category>remote-access</category><category>teamviewer</category></item></channel></rss>