<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Syncro - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/syncro/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 30 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/syncro/feed.xml" rel="self" type="application/rss+xml"/><item><title>Remote Management Software Launch After MSI Install</title><link>https://feed.craftedsignal.io/briefs/2024-01-rmm-after-msi/</link><pubDate>Tue, 30 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-rmm-after-msi/</guid><description>Attackers are leveraging MSI installers to deploy remote management software (RMM) such as ScreenConnect, Syncro, and VNC, potentially indicating unauthorized access and control over compromised systems.</description><content:encoded><![CDATA[<p>This threat involves the abuse of MSI installers to deploy and launch remote management software (RMM) on Windows systems. The observed behavior consists of an MSI installer executing, followed by the execution of commonly abused RMM tools like ScreenConnect, Syncro, or VNC. This activity often signifies unauthorized access, where attackers trigger an MSI installation and then connect via a guest link or preconfigured session key. This technique allows attackers to gain persistent remote access to compromised systems. The activity is typically observed within a short timeframe (1 minute) between the MSI installation and the RMM launch. This allows threat actors to bypass traditional access controls and establish a foothold for further malicious activities.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>User executes a seemingly legitimate MSI installer package (e.g., downloaded from a malicious link or delivered via social engineering).</li>
<li><code>msiexec.exe</code> process starts with the <code>/i</code> argument, initiating the installation process. Parent process is typically <code>explorer.exe</code> or <code>sihost.exe</code>.</li>
<li>The MSI installer may drop additional files or modify registry settings as part of its installation routine.</li>
<li>Within one minute of the MSI installation, a remote management software client (e.g., <code>ScreenConnect.ClientService.exe</code>, <code>Syncro.Installer.exe</code>, <code>tvnserver.exe</code>, or <code>winvnc.exe</code>) is executed.</li>
<li>The RMM software connects to a remote server controlled by the attacker. ScreenConnect connection strings are commonly observed with parameters such as <code>?e=Access&amp;y=Guest&amp;h*&amp;k=*</code>.</li>
<li>The attacker uses the RMM software to gain remote access to the compromised system.</li>
<li>The attacker performs reconnaissance, privilege escalation, or lateral movement within the network.</li>
<li>The attacker deploys additional malware, exfiltrates sensitive data, or performs other malicious activities based on their objectives.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to unauthorized remote access, data theft, malware deployment, and system compromise. This technique can impact organizations across various sectors, especially those relying on remote access solutions. The ability to remotely control compromised systems can enable attackers to perform a wide range of malicious activities, including data exfiltration, ransomware deployment, and intellectual property theft.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Remote Management Access Launch After MSI Install&quot; to your SIEM and tune it for your environment to detect suspicious RMM launches after MSI installations.</li>
<li>Investigate any instances of <code>msiexec.exe</code> executing with the <code>/i</code> parameter followed by the launch of RMM tools, as detected by the Sigma rule.</li>
<li>Monitor process creation events for <code>ScreenConnect.ClientService.exe</code>, <code>Syncro.Installer.exe</code>, <code>tvnserver.exe</code>, and <code>winvnc.exe</code> using process creation logs.</li>
<li>Review network connection logs for connections initiated by the aforementioned RMM tools to external IPs.</li>
<li>Implement application control policies to restrict the execution of unauthorized RMM tools.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>remote-access</category><category>rmm</category><category>msi</category><category>command-and-control</category></item></channel></rss>