{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata ā€” refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/goto/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Elastic Endgame","Sysmon","AA_v*.exe","AeroAdmin.exe","AnyDesk.exe","apc_Admin.exe","apc_host.exe","AteraAgent.exe","aweray_remote*.exe","AweSun.exe","AgentMon.exe","B4-Service.exe","BASupSrvc.exe","bomgar-scc.exe","domotzagent.exe","domotz-windows-x64-10.exe","dwagsvc.exe","DWRCC.exe","ImperoClientSVC.exe","ImperoServerSVC.exe","ISLLight.exe","ISLLightClient.exe","fleetdeck_commander*.exe","getscreen.exe","g2aservice.exe","GoToAssistService.exe","gotohttp.exe","jumpcloud-agent.exe","level.exe","LvAgent.exe","LMIIgnition.exe","LogMeIn.exe","Lunixar.exe","LunixarRemote.exe","LunixarUpdater.exe","ManageEngine_Remote_Access_Plus.exe","MeshAgent.exe","Mikogo-Service.exe","NinjaRMMAgent.exe","NinjaRMMAgenPatcher.exe","ninjarmm-cli.exe","parsec.exe","PService.exe","quickassist.exe","r_server.exe","radmin.exe","radmin3.exe","RCClient.exe","RCService.exe","RemoteDesktopManager.exe","RemotePC.exe","RemotePCDesktop.exe","RemotePCService.exe","rfusclient.exe","ROMServer.exe","ROMViewer.exe","RPCSuite.exe","rserver3.exe","rustdesk.exe","rutserv.exe","rutview.exe","saazapsc.exe","ScreenConnect*.exe","session_win.exe","Remote Support.exe","smpcview.exe","spclink.exe","Splashtop-streamer.exe","Syncro.Overmind.Service.exe","SyncroLive.Agent.Runner.exe","SRService.exe","strwinclt.exe","Supremo.exe","SupremoService.exe","tacticalrmm.exe","tailscale.exe","tailscaled.exe","teamviewer.exe","ToDesk_Service.exe","twingate.exe","TiClientCore.exe","TSClient.exe","tvn.exe","tvnserver.exe","tvnviewer.exe","UltraVNC*.exe","UltraViewer*.exe","vncserver.exe","vncviewer.exe","winvnc.exe","winwvc.exe","Zaservice.exe","ZohoURS.exe","Velociraptor.exe","ToolsIQ.exe","CagService.exe","ScreenConnect.ClientService.exe","TiAgent.exe","GoToResolveProcessChecker.exe","GoToResolveUnattended.exe","Syncro.Installer.exe"],"_cs_severities":["medium"],"_cs_tags":["remote-access","rmm","command-and-control","persistence"],"_cs_type":"advisory","_cs_vendors":["Elastic","Action1 Corporation","AeroAdmin LLC","Ammyy LLC","Atera Networks Ltd","AWERAY PTE. LTD.","BeamYourScreen GmbH","Bomgar Corporation","DUC FABULOUS CO.,LTD","DOMOTZ INC.","DWSNET OƜ","FleetDeck Inc","GlavSoft LLC","Hefei Pingbo Network Technology Co. Ltd","IDrive, Inc.","IMPERO SOLUTIONS LIMITED","Instant Housecall","ISL Online Ltd.","LogMeIn, Inc.","LUNIXAR SAS DE CV","MMSOFT Design Ltd.","Nanosystems S.r.l.","NetSupport Ltd","NinjaRMM, LLC","Parallels International GmbH","philandro Software GmbH","Pro Softnet Corporation","RealVNC","Remote Utilities LLC","Rocket Software, Inc.","SAFIB","Servably, Inc.","ShowMyPC INC","Splashtop Inc.","Superops Inc.","TeamViewer","Techinline Limited","uvnc bvba","Yakhnovets Denis Aleksandrovich IP","Zhou Huabing","ZOHO Corporation Private Limited","Connectwise, LLC","BreakingSecurity.net","Tailscale","Twingate","RustDesk","Zoho","JumpCloud","ScreenConnect","GoTo"],"content_html":"\u003cp\u003eAttackers commonly abuse legitimate remote monitoring and management (RMM) tools and remote access software for command and control (C2), persistence, and execution of native commands on compromised endpoints. These tools provide attackers with the ability to maintain access, execute commands, and move laterally within a network. This detection identifies when a process associated with commonly abused RMM/remote access tools is observed for the first time on a host. The rule is designed to trigger when a new process name or code signature associated with RMM software, or a child process of such software, is seen within a configured history window. This helps defenders quickly identify potentially malicious use of legitimate tools.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access to a target system through various methods, such as exploiting vulnerabilities or using compromised credentials.\u003c/li\u003e\n\u003cli\u003eTool Deployment: The attacker deploys a remote monitoring and management (RMM) tool or remote access software on the compromised endpoint. This may involve downloading and installing the tool, or exploiting existing installations.\u003c/li\u003e\n\u003cli\u003ePersistence: The RMM tool is configured to run persistently on the system, ensuring that the attacker maintains access even after a reboot or other disruption. This may involve creating a service or adding a registry key to ensure the tool starts automatically.\u003c/li\u003e\n\u003cli\u003eCommand and Control: The attacker uses the RMM tool to establish a command and control (C2) channel with the compromised system. This allows them to remotely execute commands, transfer files, and monitor activity on the system.\u003c/li\u003e\n\u003cli\u003eLateral Movement: Using the RMM tool, the attacker moves laterally within the network, compromising additional systems and escalating their access. This may involve using the tool to access shared resources or execute commands on other systems.\u003c/li\u003e\n\u003cli\u003eData Exfiltration or Ransomware Deployment: The attacker uses their access to exfiltrate sensitive data from the compromised network or deploy ransomware to encrypt files and demand a ransom payment.\u003c/li\u003e\n\u003cli\u003eCleanup: The attacker may attempt to remove traces of their activity, such as logs or files associated with the RMM tool, to avoid detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromise via RMM tools can lead to significant data breaches, financial losses, and reputational damage. The use of legitimate tools makes detection more difficult. Successful attacks can result in ransomware deployment, data theft, and prolonged unauthorized access to sensitive systems. Organizations in all sectors are potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the process creation rule to detect the execution of RMM tools on endpoints based on \u003ccode\u003eprocess.name\u003c/code\u003e and \u003ccode\u003eprocess.code_signature.subject_name\u003c/code\u003e criteria in the query.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to ensure the collection of necessary event data for the detection rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the detection rule to determine whether the execution of the RMM tool is authorized and legitimate. Refer to the references for a list of commonly abused RMM tools and associated indicators.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"/briefs/2024-01-first-time-seen-rmm/","summary":"Detects the execution of previously unseen remote monitoring and management (RMM) tools or remote access software on compromised Windows endpoints, often leveraged for command-and-control, persistence, and execution of malicious commands.","title":"First Time Seen Remote Monitoring and Management Tool Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-first-time-seen-rmm/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AeroAdmin","AnyDesk","AteraAgent","AweSun","APC Admin","APC Host","BeyondTrust Remote Support","Bomgar","Remote Support","B4-Service","CagService","Domotz Agent","dwagsvc","DWRCC","FleetDeck Commander","GetScreen","GoToAssist","GoToResolve","ImperoClient","ImperoServer","ISLLight","ISLLightClient","JumpCloud Agent","Level","LvAgent","LMIIgnition","LogMeIn","Lunixar","ManageEngine Remote Access Plus","MeshAgent","Mikogo","NinjaRMM","parsec","PService","Radmin","RealVNC","RemotePC","RemoteDesktopManager","RCClient","RCService","RPCSuite","RustDesk","RemoteUtilities","saazapsc","ScreenConnect","Splashtop","Supremo","Syncro","TacticalRMM","Tailscale","TeamViewer","Tiflux","ToDesk","Twingate","TightVNC","UltraVNC","UltraViewer","AnyAssist","Velociraptor","ToolsIQ","ZohoAssist"],"_cs_severities":["medium"],"_cs_tags":["remote-access-tool","command-and-control","rmm","windows"],"_cs_type":"advisory","_cs_vendors":["AeroAdmin","AnyDesk","Atera","AweSun","APC","BeyondTrust","BarracudaRMM","Domotz","DWService","FleetDeck","GetScreen","GoTo","Impero","ISLOnline","JumpCloud","Level","LogMeIn","Lunixar","ManageEngine","MeshCentral","Mikogo","NinjaOne","Parsec","Pulseway","Radmin","RealVNC","RemotePC","Devolutions","RPCSuite","RustDesk","RemoteUtilities","Kaseya","ScreenConnect","Splashtop","Supremo","TacticalRMM","Tailscale","TeamViewer","Tiflux","ToDesk","Twingate","TightVNC","UltraVNC","UltraViewer","AnyAssist","Velociraptor","ToolsIQ","ZohoAssist"],"content_html":"\u003cp\u003eThis detection rule identifies Windows systems running multiple Remote Monitoring and Management (RMM) tools from different vendors within an eight-minute timeframe. While legitimate MSP environments might utilize several tools, the presence of multiple RMM solutions on a single host can signify a compromise, unauthorized software installation (shadow IT), or attackers establishing redundant access points. The rule maps process names to vendor labels to avoid inflated counts from multiple binaries of the same vendor. This activity has been observed as a component of broader attack campaigns, including those leveraging compromised MSP infrastructure, and is described in CISA AA23-025A. The timeframe analyzed is \u0026ldquo;now-9m\u0026rdquo;, and the rule triggers if two or more different vendors are detected.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access to the system, possibly through phishing, exploiting vulnerabilities, or stolen credentials.\u003c/li\u003e\n\u003cli\u003eTool Deployment: The attacker deploys an initial RMM tool (e.g., AnyDesk, TeamViewer) for remote access and control.\u003c/li\u003e\n\u003cli\u003ePersistence: The attacker establishes persistence by configuring the RMM tool to start automatically on system boot.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker uses the initial access to discover other systems on the network.\u003c/li\u003e\n\u003cli\u003eAdditional RMM Deployment: The attacker deploys a second RMM tool (e.g., ScreenConnect, Splashtop) from a different vendor to create a redundant access method.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker escalates privileges using the compromised RMM tools, if necessary.\u003c/li\u003e\n\u003cli\u003eRemote Control: The attacker uses the RMM tools to remotely control the system, execute commands, and access sensitive data.\u003c/li\u003e\n\u003cli\u003eData Exfiltration or Further Exploitation: The attacker exfiltrates sensitive data or uses the compromised system to launch further attacks on the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack leveraging multiple RMM tools can result in unauthorized access to sensitive data, system compromise, and lateral movement within the network. The presence of multiple RMM tools increases the attacker\u0026rsquo;s resilience, making it harder to detect and remediate the intrusion. Affected systems can be used as a staging ground for further attacks, leading to significant financial and reputational damage. This can impact any Windows-based system, and the CISA advisory AA23-025A specifically highlights the risk of MSP infrastructure compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eMultiple RMM Vendors on Same Host\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate hosts triggering the rule to confirm legitimate use of multiple RMM tools. Check \u003ccode\u003eEsql.vendors_seen\u003c/code\u003e and \u003ccode\u003eEsql.processes_name_values\u003c/code\u003e for insight into the involved tools.\u003c/li\u003e\n\u003cli\u003eReview asset inventory and change tickets to verify authorized RMM software installations.\u003c/li\u003e\n\u003cli\u003eIsolate any unauthorized or unexplained hosts and remove unapproved RMM tools.\u003c/li\u003e\n\u003cli\u003eEnforce a single approved RMM stack per asset class where possible.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) on Windows endpoints to enhance detection capabilities as described in the rule\u0026rsquo;s setup instructions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-multiple-rmm-vendors/","summary":"This rule identifies Windows hosts where two or more distinct remote monitoring and management (RMM) or remote-access tool vendors are observed starting processes within the same eight-minute window, potentially indicating compromise, shadow IT, or attacker staging of redundant access.","title":"Multiple Remote Management Tool Vendors on Same Host","url":"https://feed.craftedsignal.io/briefs/2024-01-multiple-rmm-vendors/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AeroAdmin","AnyDesk","Atera Agent","AweSun","APC Admin","APC Host","BeyondTrust","Remote Support","BarracudaRMM","Domotz Agent","DWService","FleetDeck Commander","GetScreen","GoTo","Impero Client","Impero Server","ISLLight","ISLLightClient","JumpCloud Agent","Level","LvAgent","LogMeIn","Lunixar","ManageEngine Remote Access Plus","MeshAgent","Mikogo","NinjaRMMAgent","NinjaRMMAgenPatcher","ninjarmm-cli","Parsec","Pulseway","Radmin","RealVNC","RemotePC","RemoteDesktopManager","RPCSuite","RustDesk","RemoteUtilities","Kaseya","ScreenConnect","Splashtop","Supremo","SyncroLive","TacticalRMM","Tailscale","TeamViewer","Tiflux","ToDesk","Twingate","TightVNC","UltraVNC","UltraViewer","AnyAssist","Velociraptor","ToolsIQ","ZohoAssist"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","rmm","windows","threat-detection"],"_cs_type":"advisory","_cs_vendors":["AeroAdmin","AnyDesk","Atera","AweSun","APC","BeyondTrust","BarracudaRMM","Domotz","DWService","FleetDeck","GetScreen","GoTo","Impero","ISLOnline","JumpCloud","Level","LogMeIn","Lunixar","ManageEngine","MeshCentral","Mikogo","NinjaOne","Parsec","Pulseway","Radmin","RealVNC","RemotePC","Devolutions","RPCSuite","RustDesk","RemoteUtilities","Kaseya","ScreenConnect","Splashtop","Supremo","TacticalRMM","Tailscale","TeamViewer","Tiflux","ToDesk","Twingate","TightVNC","UltraVNC","UltraViewer","AnyAssist","Velociraptor","ToolsIQ","ZohoAssist"],"content_html":"\u003cp\u003eThis detection rule identifies Windows hosts running multiple remote monitoring and management (RMM) tools from different vendors within an eight-minute timeframe. While legitimate MSP environments may utilize multiple tools, this activity can also indicate malicious behavior, such as an attacker establishing redundant access to a compromised system. The rule maps various RMM processes to vendor labels, ensuring that multiple binaries from the same vendor do not inflate the count. The processes monitored include popular RMM tools like TeamViewer, AnyDesk, ScreenConnect, and many others. This rule is designed to detect suspicious activity within the environment and alert security teams to potential compromises. The timeframe is set to eight minutes to reduce false positives.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access to a Windows host, possibly through phishing or exploitation of a vulnerability.\u003c/li\u003e\n\u003cli\u003eTool Deployment: The attacker deploys an initial RMM tool for remote access and control.\u003c/li\u003e\n\u003cli\u003eSecondary Tool Deployment: The attacker deploys a second RMM tool from a different vendor to ensure redundant access in case the first tool is detected or removed.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker escalates privileges to gain SYSTEM or Administrator rights, if necessary, to maintain persistent access and control.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker uses the RMM tools to move laterally within the network to access additional systems and data.\u003c/li\u003e\n\u003cli\u003eData Exfiltration/Malicious Activity: The attacker uses the established RMM connections to exfiltrate sensitive data or perform other malicious activities such as deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to unauthorized access to sensitive systems and data, potentially resulting in data breaches, financial loss, and reputational damage. This detection rule helps identify hosts that might be compromised by malicious actors utilizing multiple RMM tools for command and control. Identifying potentially compromised systems is key to preventing widespread damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM to detect multiple RMM tools running on the same host within an eight-minute window.\u003c/li\u003e\n\u003cli\u003eInvestigate systems triggering this alert by reviewing process execution logs and network connections to identify the source of the RMM tool installation.\u003c/li\u003e\n\u003cli\u003eEnforce a policy of a single approved RMM stack per asset class to minimize the risk of unauthorized RMM tool usage.\u003c/li\u003e\n\u003cli\u003eTune the provided Sigma rules with host or organizational unit exceptions for legitimate MSP/IT tooling environments.\u003c/li\u003e\n\u003cli\u003eReview asset inventory and change tickets for approved RMM software to identify unauthorized installations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-multiple-rmm-vendors/","summary":"This detection identifies a Windows host where two or more distinct remote monitoring and management (RMM) or remote-access tool vendors are observed starting processes within the same eight-minute window, potentially indicating compromise, shadow IT, or attacker staging of redundant access.","title":"Multiple Remote Management Tool Vendors on Same Host","url":"https://feed.craftedsignal.io/briefs/2024-01-02-multiple-rmm-vendors/"}],"language":"en","title":"CraftedSignal Threat Feed ā€” GoTo","version":"https://jsonfeed.org/version/1.1"}