2025-02-09
Detecting the malicious use of Remote Monitoring Management (RMM) tools by threat actors is a critical task for defenders and Cyber Threat Intelligence (CTI) professionals. Tom Alexandrovich and his team at the Israel National Cyber Directorate (מערך הסייבר הלאומי) have released a comprehensive guide to aid in hunting for RMM artifacts. Below, we’ll explore practical steps, commands, and techniques to detect and mitigate such threats.
1. Identifying RMM Tools in Your Environment
RMM tools like TeamViewer, AnyDesk, and Splashtop are legitimate products that attackers frequently abuse for remote access. To identify their presence, use the following commands:
- Linux:
ps aux | grep -iE 'teamviewer|anydesk|splashtop'
This command lists running processes and filters them, case-insensitively (the binaries are usually named TeamViewer, AnyDesk and so on), for common RMM tools.
- Windows:
Get-Process | Where-Object { $_.ProcessName -match 'teamviewer|anydesk|splashtop' }
2. Monitoring Network Traffic
Attackers often use RMM tools to establish persistent connections. Monitor network traffic for suspicious activity:
- Linux:
sudo tcpdump -i eth0 -n 'udp port 53' | grep -iE 'teamviewer\.com|anydesk\.com|splashtop\.com'
This captures DNS lookups for known RMM tool domains. Because -n disables name resolution, the domain names only ever appear inside the DNS queries themselves, which is why the capture is restricted to port 53; without that filter the grep would match nothing.
- Windows:
Use Wireshark with a filter:
ip.addr == <RMM_tool_IP> && tcp.port == 5938
3. Analyzing Logs for RMM Artifacts
Check system logs for unusual activity:
- Linux:
grep -iE 'teamviewer|anydesk|splashtop' /var/log/syslog
The -E flag is required: without it grep treats the | as a literal character and the alternation never matches.
- Windows:
Get-WinEvent -LogName Security | Where-Object { $_.Message -match 'teamviewer|anydesk|splashtop' }
4. Blocking RMM Tools
To prevent unauthorized use, block RMM tools at the firewall level:
- Linux:
sudo iptables -A OUTPUT -p tcp --dport 5938 -j DROP
- Windows:
Use Windows Firewall to block outbound connections to RMM tool IPs.
5. Enforcing Application Control
Restrict the execution of RMM tools:
- Linux:
Use SELinux or AppArmor to create policies:
sudo aa-genprof /usr/bin/teamviewer
- Windows:
Use AppLocker to block RMM tool executables.
6. Regular Audits
Conduct regular audits to ensure no unauthorized RMM tools are installed:
- Linux:
sudo dpkg -l | grep -iE 'teamviewer|anydesk|splashtop'
- Windows:
Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*', 'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' | Where-Object { $_.DisplayName -match 'teamviewer|anydesk|splashtop' } | Select-Object DisplayName, DisplayVersion, InstallLocation
The Uninstall registry keys are queried instead of Win32_Product because enumerating Win32_Product triggers a consistency check (and possible repair) of every MSI package on the host and only lists MSI-based installs. Portable builds that run without installation appear in neither list; the process check in step 1 covers those.
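Before the wrap-up, here are the Linux checks from steps 1 to 6 combined into one reusable hunt script. This is an added example, not code from the original post or from the Israel National Cyber Directorate guide; the tool-name pattern and port 5938 are taken from the post, the sample log and socket lines are constructed, and the assumption that the peer address is the fifth column of `ss -tn` output is ours.

```shell
#!/usr/bin/env bash
# Added example (not code from the original post or the INCD guide):
# the post's Linux checks combined into one small RMM hunt script.
# The name pattern and port 5938 are taken from the post; the sample
# log and socket lines below are constructed, not captured from a host.

RMM_PATTERN='teamviewer|anydesk|splashtop'   # matched case-insensitively
RMM_PORT=5938                                 # TeamViewer port named in the post

# Print stdin lines naming an RMM tool; exit 0 only if at least one matched.
rmm_match_lines() { grep -iE "$RMM_PATTERN"; }

# Print how many stdin lines name an RMM tool (prints 0, not nothing, on no hit).
rmm_hit_count() { grep -icE "$RMM_PATTERN" || true; }

# Print `ss -tn`-style lines whose peer port (last part of column 5) is RMM_PORT.
rmm_match_port() {
    awk -v port="$RMM_PORT" '{ n = split($5, a, ":"); if (n > 1 && a[n] == port) print }'
}

# Run the checks against the live host: processes, packages, sockets, logs.
hunt_live() {
    echo "[processes]";   ps -eo pid,user,comm,args | rmm_match_lines || echo "  none"
    echo "[packages]";    { dpkg -l 2>/dev/null; rpm -qa 2>/dev/null; } | rmm_match_lines || echo "  none"
    echo "[connections]"; ss -tn 2>/dev/null | rmm_match_port
    echo "[logs]";        { cat /var/log/syslog 2>/dev/null; journalctl -b -q --no-pager 2>/dev/null; } |
                          rmm_match_lines || echo "  none"
}

# Constructed sample input, so the functions can be exercised offline.
SAMPLE_LOG='Feb  9 10:01:02 host systemd[1]: Started AnyDesk service.
Feb  9 10:02:15 host sshd[900]: Accepted publickey for admin from 10.0.0.9
Feb  9 10:03:44 host TeamViewer_Desktop[1201]: connection established'
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 10.0.0.5:50512 192.0.2.10:5938
ESTAB 0 0 10.0.0.5:50513 192.0.2.11:443
ESTAB 0 0 [::1]:40000 [::1]:5938'

demo() {
    echo "sample log hits: $(printf '%s\n' "$SAMPLE_LOG" | rmm_hit_count)"   # 2
    printf '%s\n' "$SAMPLE_SS" | rmm_match_port                                # the two :5938 rows
}

case "${1:-}" in --live) hunt_live ;; *) demo ;; esac
```

Run it with no arguments to see the constructed samples matched, or with --live (as root, for the package and socket listings) to hunt on the current host.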
What Undercode Says
Detecting and mitigating the malicious use of RMM tools requires a multi-layered approach. Start by identifying the presence of RMM tools in your environment using process and network monitoring commands. Regularly analyze system logs for suspicious activity and enforce strict application control policies. Blocking RMM tools at the firewall level and conducting regular audits are essential steps to ensure your systems remain secure.
For Linux users, leveraging tools like `tcpdump`, `grep`, and `iptables` can provide deep insights into network and process activity. Windows users can rely on PowerShell cmdlets like `Get-Process` and `Get-WinEvent` for similar purposes. Additionally, using SELinux, AppArmor, or AppLocker can help restrict unauthorized applications.
To further enhance your defenses, consider implementing Intrusion Detection Systems (IDS) and Endpoint Detection and Response (EDR) solutions. These tools can provide real-time alerts and automated responses to potential threats.
For more detailed guidance, refer to the Israel National Cyber Directorate’s guide on RMM artifact hunting. Stay vigilant and proactive in your cybersecurity efforts to stay ahead of threat actors.
Useful Resources:
- Israel National Cyber Directorate
- Wireshark Documentation
- Microsoft AppLocker Guide
- Linux Firewall (iptables) Tutorial