Detecting Unauthorized RMM Instances In Your MDE Environment

A recent Proofpoint blog highlights a growing trend: remote monitoring and management (RMM) tools are becoming a preferred choice for attackers. Increasingly, threat actors are leveraging legitimate RMM tools as the initial payload in email campaigns. These tools are being exploited for purposes such as data exfiltration, financial theft, lateral movement, and the deployment of secondary malware, including ransomware. The marked increase in the use of RMMs as a first-stage payload is particularly concerning.

Inspired by this research, I developed a KQL query that leverages Remote Management Monitoring tool artifacts from Microsoft’s GitHub repository. The query scans data within the MDE DeviceNetworkEvents schema to identify unsanctioned RMM activities. This approach enhances the detection of potential abuse by attackers who may use these tools to establish persistence or fallback command-and-control channels.

You Should Know:

To detect unauthorized RMM instances in your MDE environment, you can use the following KQL query:

[kql]
let AllowedRMM = dynamic(“TeamViewer”);
let RMMList=externaldata(URI: string, RMMTool: string)
[h’https://raw.githubusercontent.com/jischell-msft/RemoteManagementMonitoringTools/refs/heads/main/Network%20Indicators/RMM_SummaryNetworkURI.csv’];
let RMMUrl =
RMMList
| where not (RMMTool has_any(AllowedRMM))
| project URI;
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType == “ConnectionSuccess”
| where RemoteUrl has_any(RMMUrl)
| lookup kind=inner (RMMList) on $left.RemoteUrl == $right.URI
| summarize dcount(DeviceId), make_set(RemoteUrl), arg_max(Timestamp, *) by RMMTool
[/kql]

This query aggregates by RMM and counts the number of devices seen, which can help in identifying unauthorized RMM activities.

Steps to Implement:

Access Microsoft Defender for Endpoint (MDE): Ensure you have access to the MDE portal and the necessary permissions to run KQL queries.
Run the KQL Query: Copy and paste the provided KQL query into the Advanced Hunting section of the MDE portal.
Review Results: Analyze the results to identify any unauthorized RMM activities. Pay special attention to the `RMMTool` and `RemoteUrl` fields.
Take Action: If unauthorized RMM activities are detected, take appropriate action to mitigate the threat. This may include blocking the RMM tool, investigating the affected devices, and updating your security policies.

Additional Commands and Tools:

Windows Command to List Installed Software:
```
wmic product get name,version
```
This command can help you identify installed RMM tools on Windows devices.
Linux Command to Monitor Network Connections:
```
netstat -tuln
```
Use this command to monitor active network connections and identify any suspicious RMM-related connections.
PowerShell Command to List Running Processes:
```
Get-Process | Select-Object Name,Id,Path
```
This command can help you identify running processes that may be associated with RMM tools.

What Undercode Say:

The increasing use of RMM tools by attackers underscores the importance of robust detection mechanisms. By leveraging KQL queries and monitoring network activities, organizations can enhance their ability to detect and respond to unauthorized RMM instances. Implementing these practices, along with regular security audits and updates, can significantly reduce the risk of RMM tool exploitation.

For further reading, refer to the original Proofpoint blog post: Remote Monitoring and Management (RMM) Tooling Increasingly an Attacker’s First Choice and the KQL query repository: Hunting-Queries-Detection-Rules.