SyncroMSP — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/vendors/syncromsp/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 12:00:00 +0000Suspicious DNS Queries to RMM Domains from Non-Browser Processeshttps://feed.craftedsignal.io/briefs/2024-01-rmm-dns-non-browser/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-rmm-dns-non-browser/Detection of DNS queries to remote monitoring and management (RMM) domains from non-browser processes indicating potential misuse of legitimate remote access tools for command and control.This detection identifies DNS queries to commonly abused remote monitoring and management (RMM) or remote access software domains originating from processes that are not web browsers. This activity can indicate the use of legitimate RMM tools for malicious purposes, such as command and control, persistence, or lateral movement within a network. The detection aims to surface RMM clients, scripts, or other non-browser activities contacting these services without legitimate user interaction. Defenders should investigate processes making these queries to confirm expected behavior and validate the security posture of their managed assets. The rule is based on a list of known RMM domains and excludes common browser processes to reduce false positives.

Attack Chain

  1. An attacker gains initial access to a Windows host through unspecified means.
  2. The attacker deploys or leverages an existing RMM tool on the compromised host.
  3. The RMM tool, running as a non-browser process, initiates a DNS query to resolve a command and control server associated with the RMM service (e.g., teamviewer.com).
  4. The DNS query is made by a process other than a known web browser (chrome.exe, firefox.exe, etc.).
  5. The compromised host establishes a connection to the resolved IP address associated with the RMM domain.
  6. The attacker uses the RMM tool to execute commands, transfer files, or perform other malicious activities on the compromised host.
  7. The attacker may use the RMM tool for lateral movement, pivoting to other systems within the network.
  8. The attacker achieves their objective, which could include data exfiltration, ransomware deployment, or maintaining persistent access.

Impact

Compromise via abused RMM software can lead to full system compromise, data theft, or deployment of ransomware. While the number of affected victims is unknown, the sectors most likely to be impacted include any organization that relies on RMM tools for IT management. Successful exploitation allows attackers to bypass traditional security controls by using legitimate software, making detection more challenging.

Recommendation

  • Deploy the Sigma rule “DNS Queries to Known RMM Domains from Non-Browser Processes” to your SIEM and tune the RMM domain list for your environment.
  • Investigate any alerts generated by the Sigma rule, focusing on identifying the process responsible for the DNS query and its parent process.
  • Implement application control policies to restrict the execution of unauthorized RMM tools.
  • Enable Sysmon DNS event logging to ensure the necessary data is available for the detection rule.
  • Correlate with other alerts to identify potential compromises.
  • Review process.code_signature for trusted RMM publishers and investigate any unsigned or unexpected signers.
]]>mediumadvisorycommand-and-controlremote-accesswindows