https://feed.craftedsignal.io/vendors/tailscale/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 24 Jan 2024 12:00:00 +0000https://feed.craftedsignal.io/briefs/2024-01-first-time-seen-rmm/Wed, 24 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-first-time-seen-rmm/Detects the execution of previously unseen remote monitoring and management (RMM) tools or remote access software on compromised Windows endpoints, often leveraged for command-and-control, persistence, and execution of malicious commands.Attackers commonly abuse legitimate remote monitoring and management (RMM) tools and remote access software for command and control (C2), persistence, and execution of native commands on compromised endpoints. These tools provide attackers with the ability to maintain access, execute commands, and move laterally within a network. This detection identifies when a process associated with commonly abused RMM/remote access tools is observed for the first time on a host. The rule is designed to trigger when a new process name or code signature associated with RMM software, or a child process of such software, is seen within a configured history window. This helps defenders quickly identify potentially malicious use of legitimate tools.

Attack Chain

1. Initial Access: The attacker gains initial access to a target system through various methods, such as exploiting vulnerabilities or using compromised credentials.
2. Tool Deployment: The attacker deploys a remote monitoring and management (RMM) tool or remote access software on the compromised endpoint. This may involve downloading and installing the tool, or exploiting existing installations.
3. Persistence: The RMM tool is configured to run persistently on the system, ensuring that the attacker maintains access even after a reboot or other disruption. This may involve creating a service or adding a registry key to ensure the tool starts automatically.
4. Command and Control: The attacker uses the RMM tool to establish a command and control (C2) channel with the compromised system. This allows them to remotely execute commands, transfer files, and monitor activity on the system.
5. Lateral Movement: Using the RMM tool, the attacker moves laterally within the network, compromising additional systems and escalating their access. This may involve using the tool to access shared resources or execute commands on other systems.
6. Data Exfiltration or Ransomware Deployment: The attacker uses their access to exfiltrate sensitive data from the compromised network or deploy ransomware to encrypt files and demand a ransom payment.
7. Cleanup: The attacker may attempt to remove traces of their activity, such as logs or files associated with the RMM tool, to avoid detection.

Impact

Compromise via RMM tools can lead to significant data breaches, financial losses, and reputational damage. The use of legitimate tools makes detection more difficult. Successful attacks can result in ransomware deployment, data theft, and prolonged unauthorized access to sensitive systems. Organizations in all sectors are potentially at risk.

Recommendation

• Deploy the process creation rule to detect the execution of RMM tools on endpoints based on process.name and process.code_signature.subject_name criteria in the query.
• Enable Sysmon process creation logging (Event ID 1) to ensure the collection of necessary event data for the detection rule.
• Investigate any alerts generated by the detection rule to determine whether the execution of the RMM tool is authorized and legitimate. Refer to the references for a list of commonly abused RMM tools and associated indicators.

]]>mediumadvisoryremote-accessrmmcommand-and-controlpersistencehttps://feed.craftedsignal.io/briefs/2024-01-rmm-dns-non-browser/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-rmm-dns-non-browser/Detection of DNS queries to remote monitoring and management (RMM) domains from non-browser processes indicating potential misuse of legitimate remote access tools for command and control.This detection identifies DNS queries to commonly abused remote monitoring and management (RMM) or remote access software domains originating from processes that are not web browsers. This activity can indicate the use of legitimate RMM tools for malicious purposes, such as command and control, persistence, or lateral movement within a network. The detection aims to surface RMM clients, scripts, or other non-browser activities contacting these services without legitimate user interaction. Defenders should investigate processes making these queries to confirm expected behavior and validate the security posture of their managed assets. The rule is based on a list of known RMM domains and excludes common browser processes to reduce false positives.

Attack Chain

1. An attacker gains initial access to a Windows host through unspecified means.
2. The attacker deploys or leverages an existing RMM tool on the compromised host.
3. The RMM tool, running as a non-browser process, initiates a DNS query to resolve a command and control server associated with the RMM service (e.g., teamviewer.com).
4. The DNS query is made by a process other than a known web browser (chrome.exe, firefox.exe, etc.).
5. The compromised host establishes a connection to the resolved IP address associated with the RMM domain.
6. The attacker uses the RMM tool to execute commands, transfer files, or perform other malicious activities on the compromised host.
7. The attacker may use the RMM tool for lateral movement, pivoting to other systems within the network.
8. The attacker achieves their objective, which could include data exfiltration, ransomware deployment, or maintaining persistent access.

Impact

Compromise via abused RMM software can lead to full system compromise, data theft, or deployment of ransomware. While the number of affected victims is unknown, the sectors most likely to be impacted include any organization that relies on RMM tools for IT management. Successful exploitation allows attackers to bypass traditional security controls by using legitimate software, making detection more challenging.

Recommendation

• Deploy the Sigma rule “DNS Queries to Known RMM Domains from Non-Browser Processes” to your SIEM and tune the RMM domain list for your environment.
• Investigate any alerts generated by the Sigma rule, focusing on identifying the process responsible for the DNS query and its parent process.
• Implement application control policies to restrict the execution of unauthorized RMM tools.
• Enable Sysmon DNS event logging to ensure the necessary data is available for the detection rule.
• Correlate with other alerts to identify potential compromises.
• Review process.code_signature for trusted RMM publishers and investigate any unsigned or unexpected signers.

]]>mediumadvisorycommand-and-controlremote-accesswindowshttps://feed.craftedsignal.io/briefs/2024-01-multiple-rmm-vendors/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-multiple-rmm-vendors/This rule identifies Windows hosts where two or more distinct remote monitoring and management (RMM) or remote-access tool vendors are observed starting processes within the same eight-minute window, potentially indicating compromise, shadow IT, or attacker staging of redundant access.This detection rule identifies Windows systems running multiple Remote Monitoring and Management (RMM) tools from different vendors within an eight-minute timeframe. While legitimate MSP environments might utilize several tools, the presence of multiple RMM solutions on a single host can signify a compromise, unauthorized software installation (shadow IT), or attackers establishing redundant access points. The rule maps process names to vendor labels to avoid inflated counts from multiple binaries of the same vendor. This activity has been observed as a component of broader attack campaigns, including those leveraging compromised MSP infrastructure, and is described in CISA AA23-025A. The timeframe analyzed is “now-9m”, and the rule triggers if two or more different vendors are detected.

Attack Chain

1. Initial Access: The attacker gains initial access to the system, possibly through phishing, exploiting vulnerabilities, or stolen credentials.
2. Tool Deployment: The attacker deploys an initial RMM tool (e.g., AnyDesk, TeamViewer) for remote access and control.
3. Persistence: The attacker establishes persistence by configuring the RMM tool to start automatically on system boot.
4. Lateral Movement: The attacker uses the initial access to discover other systems on the network.
5. Additional RMM Deployment: The attacker deploys a second RMM tool (e.g., ScreenConnect, Splashtop) from a different vendor to create a redundant access method.
6. Privilege Escalation: The attacker escalates privileges using the compromised RMM tools, if necessary.
7. Remote Control: The attacker uses the RMM tools to remotely control the system, execute commands, and access sensitive data.
8. Data Exfiltration or Further Exploitation: The attacker exfiltrates sensitive data or uses the compromised system to launch further attacks on the network.

Impact

A successful attack leveraging multiple RMM tools can result in unauthorized access to sensitive data, system compromise, and lateral movement within the network. The presence of multiple RMM tools increases the attacker’s resilience, making it harder to detect and remediate the intrusion. Affected systems can be used as a staging ground for further attacks, leading to significant financial and reputational damage. This can impact any Windows-based system, and the CISA advisory AA23-025A specifically highlights the risk of MSP infrastructure compromise.

Recommendation

• Deploy the Sigma rule Multiple RMM Vendors on Same Host to your SIEM and tune for your environment.
• Investigate hosts triggering the rule to confirm legitimate use of multiple RMM tools. Check Esql.vendors_seen and Esql.processes_name_values for insight into the involved tools.
• Review asset inventory and change tickets to verify authorized RMM software installations.
• Isolate any unauthorized or unexplained hosts and remove unapproved RMM tools.
• Enforce a single approved RMM stack per asset class where possible.
• Enable Sysmon process creation logging (Event ID 1) on Windows endpoints to enhance detection capabilities as described in the rule’s setup instructions.

]]>mediumadvisoryremote-access-toolcommand-and-controlrmmwindowshttps://feed.craftedsignal.io/briefs/2024-01-02-multiple-rmm-vendors/Tue, 02 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-02-multiple-rmm-vendors/This detection identifies a Windows host where two or more distinct remote monitoring and management (RMM) or remote-access tool vendors are observed starting processes within the same eight-minute window, potentially indicating compromise, shadow IT, or attacker staging of redundant access.This detection rule identifies Windows hosts running multiple remote monitoring and management (RMM) tools from different vendors within an eight-minute timeframe. While legitimate MSP environments may utilize multiple tools, this activity can also indicate malicious behavior, such as an attacker establishing redundant access to a compromised system. The rule maps various RMM processes to vendor labels, ensuring that multiple binaries from the same vendor do not inflate the count. The processes monitored include popular RMM tools like TeamViewer, AnyDesk, ScreenConnect, and many others. This rule is designed to detect suspicious activity within the environment and alert security teams to potential compromises. The timeframe is set to eight minutes to reduce false positives.

Attack Chain

1. Initial Access: An attacker gains initial access to a Windows host, possibly through phishing or exploitation of a vulnerability.
2. Tool Deployment: The attacker deploys an initial RMM tool for remote access and control.
3. Secondary Tool Deployment: The attacker deploys a second RMM tool from a different vendor to ensure redundant access in case the first tool is detected or removed.
4. Privilege Escalation: The attacker escalates privileges to gain SYSTEM or Administrator rights, if necessary, to maintain persistent access and control.
5. Lateral Movement: The attacker uses the RMM tools to move laterally within the network to access additional systems and data.
6. Data Exfiltration/Malicious Activity: The attacker uses the established RMM connections to exfiltrate sensitive data or perform other malicious activities such as deploying ransomware.

Impact

A successful attack can lead to unauthorized access to sensitive systems and data, potentially resulting in data breaches, financial loss, and reputational damage. This detection rule helps identify hosts that might be compromised by malicious actors utilizing multiple RMM tools for command and control. Identifying potentially compromised systems is key to preventing widespread damage.

Recommendation

• Deploy the Sigma rules in this brief to your SIEM to detect multiple RMM tools running on the same host within an eight-minute window.
• Investigate systems triggering this alert by reviewing process execution logs and network connections to identify the source of the RMM tool installation.
• Enforce a policy of a single approved RMM stack per asset class to minimize the risk of unauthorized RMM tool usage.
• Tune the provided Sigma rules with host or organizational unit exceptions for legitimate MSP/IT tooling environments.
• Review asset inventory and change tickets for approved RMM software to identify unauthorized installations.

]]>mediumadvisorycommand-and-controlrmmwindowsthreat-detection