{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/syncro/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["ConnectWise ScreenConnect","Syncro RMM","TightVNC","RealVNC"],"_cs_severities":["medium"],"_cs_tags":["remote-access","rmm","msi","command-and-control"],"_cs_type":"advisory","_cs_vendors":["ConnectWise","Syncro","TightVNC","RealVNC"],"content_html":"\u003cp\u003eThis threat involves the abuse of MSI installers to deploy and launch remote management software (RMM) on Windows systems. The observed behavior consists of an MSI installer executing, followed by the execution of commonly abused RMM tools like ScreenConnect, Syncro, or VNC. This activity often signifies unauthorized access, where attackers trigger an MSI installation and then connect via a guest link or preconfigured session key. This technique allows attackers to gain persistent remote access to compromised systems. The activity is typically observed within a short timeframe (1 minute) between the MSI installation and the RMM launch. This allows threat actors to bypass traditional access controls and establish a foothold for further malicious activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUser executes a seemingly legitimate MSI installer package (e.g., downloaded from a malicious link or delivered via social engineering).\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emsiexec.exe\u003c/code\u003e process starts with the \u003ccode\u003e/i\u003c/code\u003e argument, initiating the installation process. Parent process is typically \u003ccode\u003eexplorer.exe\u003c/code\u003e or \u003ccode\u003esihost.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe MSI installer may drop additional files or modify registry settings as part of its installation routine.\u003c/li\u003e\n\u003cli\u003eWithin one minute of the MSI installation, a remote management software client (e.g., \u003ccode\u003eScreenConnect.ClientService.exe\u003c/code\u003e, \u003ccode\u003eSyncro.Installer.exe\u003c/code\u003e, \u003ccode\u003etvnserver.exe\u003c/code\u003e, or \u003ccode\u003ewinvnc.exe\u003c/code\u003e) is executed.\u003c/li\u003e\n\u003cli\u003eThe RMM software connects to a remote server controlled by the attacker. ScreenConnect connection strings are commonly observed with parameters such as \u003ccode\u003e?e=Access\u0026amp;y=Guest\u0026amp;h*\u0026amp;k=*\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the RMM software to gain remote access to the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker performs reconnaissance, privilege escalation, or lateral movement within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys additional malware, exfiltrates sensitive data, or performs other malicious activities based on their objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized remote access, data theft, malware deployment, and system compromise. This technique can impact organizations across various sectors, especially those relying on remote access solutions. The ability to remotely control compromised systems can enable attackers to perform a wide range of malicious activities, including data exfiltration, ransomware deployment, and intellectual property theft.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Remote Management Access Launch After MSI Install\u0026quot; to your SIEM and tune it for your environment to detect suspicious RMM launches after MSI installations.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003emsiexec.exe\u003c/code\u003e executing with the \u003ccode\u003e/i\u003c/code\u003e parameter followed by the launch of RMM tools, as detected by the Sigma rule.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003eScreenConnect.ClientService.exe\u003c/code\u003e, \u003ccode\u003eSyncro.Installer.exe\u003c/code\u003e, \u003ccode\u003etvnserver.exe\u003c/code\u003e, and \u003ccode\u003ewinvnc.exe\u003c/code\u003e using process creation logs.\u003c/li\u003e\n\u003cli\u003eReview network connection logs for connections initiated by the aforementioned RMM tools to external IPs.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized RMM tools.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-rmm-after-msi/","summary":"Attackers are leveraging MSI installers to deploy remote management software (RMM) such as ScreenConnect, Syncro, and VNC, potentially indicating unauthorized access and control over compromised systems.","title":"Remote Management Software Launch After MSI Install","url":"https://feed.craftedsignal.io/briefs/2024-01-rmm-after-msi/"}],"language":"en","title":"CraftedSignal Threat Feed - Syncro","version":"https://jsonfeed.org/version/1.1"}