In a recent incident response case, the Remote Monitoring and Management (RMM) tool Parsec was discovered being misused by attackers. Although less known than tools like Atera or Splashtop, Mandiant has previously documented its abuse. Parsec isn’t listed in the LOLRMM project but appears in the RMM Catalogue, updated two months ago. Attackers frequently exploit legitimate RMM tools as backdoors, making asset inventory critical for security.
You Should Know:
1. Detecting Parsec Installations
Check for Parsec artifacts on Windows/Linux systems:
Windows:
```powershell
Get-WmiObject -Query "SELECT * FROM Win32_Product WHERE Name LIKE '%Parsec%'"
```
Querying `Win32_Product` is slow and triggers an MSI consistency check of every installed package, and it only lists MSI-installed software; `Get-CimInstance -Query` accepts the same query on current Windows versions.
Linux:
```shell
ps aux | grep -i parsec
```
2. Monitoring RMM Tools
Use Sysmon to track RMM tool executions:
```xml
<RuleGroup name="RMM Detection" groupRelation="or">
  <ProcessCreate onmatch="include">
    <CommandLine condition="contains">parsec</CommandLine>
    <CommandLine condition="contains">atera</CommandLine>
    <CommandLine condition="contains">splashtop</CommandLine>
  </ProcessCreate>
</RuleGroup>
```
This rule group belongs inside the `<EventFiltering>` element of the Sysmon configuration. Matching is case-insensitive; a renamed binary whose command line no longer contains the product name is not caught by a `CommandLine` condition alone.
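As an added example (not code from the original post or from the Sysmon project), the following Python script evaluates the rule group above against constructed ProcessCreate events, implementing the subset of Sysmon condition keywords the rule needs, and compares it with a variant that additionally keys on the `OriginalFileName` field. The host paths, file names (including `parsecd.exe`) and the schema version are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the RMM rule group from this post inside the
# <Sysmon>/<EventFiltering> wrapper a real config needs (schema version illustrative).
SYSMON_CONFIG = """<Sysmon schemaversion="4.90">
  <EventFiltering>
    <RuleGroup name="RMM Detection" groupRelation="or">
      <ProcessCreate onmatch="include">
        <CommandLine condition="contains">parsec</CommandLine>
        <CommandLine condition="contains">atera</CommandLine>
        <CommandLine condition="contains">splashtop</CommandLine>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""

# Same rule group plus an OriginalFileName condition (the name embedded in the
# PE version resource, which survives renaming the file on disk).
HARDENED_CONFIG = SYSMON_CONFIG.replace(
    "</ProcessCreate>",
    '    <OriginalFileName condition="is">parsecd.exe</OriginalFileName>\n      </ProcessCreate>')

# Constructed ProcessCreate events with Sysmon's field names; paths and file
# names are assumptions for illustration, not observed indicators.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Parsec\parsecd.exe",
     "CommandLine": r'"C:\Program Files\Parsec\parsecd.exe"',
     "OriginalFileName": "parsecd.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\jdoe\notes.txt",
     "OriginalFileName": "NOTEPAD.EXE"},
    {"Image": r"C:\Program Files\AteraAgent\AteraAgent.exe",
     "CommandLine": r'"C:\Program Files\AteraAgent\AteraAgent.exe"',
     "OriginalFileName": "AteraAgent.exe"},
    # Renamed copy: the product name is gone from Image and CommandLine.
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
     "CommandLine": r'"C:\Users\jdoe\AppData\Local\Temp\update.exe"',
     "OriginalFileName": "parsecd.exe"},
]


def _match(condition, value, pattern):
    """Subset of Sysmon's condition keywords; Sysmon compares case-insensitively."""
    v, p = value.lower(), pattern.lower()
    if condition == "is":
        return v == p
    if condition == "is not":
        return v != p
    if condition == "contains":
        return p in v
    if condition == "excludes":
        return p not in v
    if condition == "begin with":
        return v.startswith(p)
    if condition == "end with":
        return v.endswith(p)
    if condition == "image":  # full path, or bare file name at the end of the path
        return v == p or v.endswith("\\" + p) or v.endswith("/" + p)
    raise ValueError(f"unsupported condition: {condition}")


def load_rules(config_xml, event_type="ProcessCreate"):
    """Return (onmatch, groupRelation, [(field, condition, pattern)]) per rule block."""
    rules = []
    for group in ET.fromstring(config_xml).iter("RuleGroup"):
        relation = group.get("groupRelation", "or")
        for block in group.findall(event_type):
            fields = [(f.tag, f.get("condition", "is"), (f.text or "").strip()) for f in block]
            rules.append((block.get("onmatch"), relation, fields))
    return rules


def _rule_hits(rule, event):
    _, relation, fields = rule
    hits = [_match(cond, event.get(field, ""), pat) for field, cond, pat in fields]
    return any(hits) if relation == "or" else all(hits)


def filter_events(rules, events):
    """Events Sysmon would record: an include rule hit and no exclude rule hit.
    With no include rules for the event type, everything not excluded is recorded."""
    includes = [r for r in rules if r[0] == "include"]
    excludes = [r for r in rules if r[0] == "exclude"]
    logged = []
    for ev in events:
        included = not includes or any(_rule_hits(r, ev) for r in includes)
        excluded = any(_rule_hits(r, ev) for r in excludes)
        if included and not excluded:
            logged.append(ev)
    return logged


def logged_images(config_xml, events=SAMPLE_EVENTS):
    """Image paths of the events a given config would log."""
    return [ev["Image"] for ev in filter_events(load_rules(config_xml), events)]


if __name__ == "__main__":
    for label, cfg in (("CommandLine only", SYSMON_CONFIG), ("plus OriginalFileName", HARDENED_CONFIG)):
        print(label, logged_images(cfg))
```

The CommandLine-only rule logs the Parsec and Atera launches but misses the renamed copy; the variant with the `OriginalFileName` condition catches it as well. `OriginalFileName` is read from the binary's version resource, so it also disappears if the binary is rebuilt without one, which is why an inventory check remains the backstop.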
3. Blocking Unauthorized RMM Tools
Deploy Firewall Rules to restrict RMM traffic:
```shell
iptables -A OUTPUT -p tcp --dport 443 -d parsec.app -j DROP
```
iptables resolves a hostname to its current addresses when the rule is inserted, so the rule does not follow later DNS changes; a DNS filter or egress proxy is more robust for domain-based blocks.
4. Hunting for Persistence
Check scheduled tasks and cron jobs:
Windows:
```powershell
Get-ScheduledTask | Where-Object { $_.TaskName -like "*Parsec*" }
```
Linux:
```shell
crontab -l | grep -i parsec
```
5. Forensic Artifacts
- Windows: `%AppData%\Parsec\`
- Linux: `~/.parsec/`
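Steps 1, 4 and 5 above only make sense against an asset inventory: a Parsec process is a finding on a host where IT never approved it, and expected on one where it did. As an added example (not code from the original post), the following Python script applies that logic to constructed process listings, persistence entries and artifact paths for a few hosts and ranks hosts where an unapproved tool is both running and persisted as high priority. Host names, users, task names and paths are all made up for the illustration.

```python
# RMM product names named in this post; extend from your own inventory.
RMM_INDICATORS = ("parsec", "atera", "splashtop")

# Constructed asset inventory: RMM tools IT has approved per host.
APPROVED_RMM = {
    "ws-finance-07": set(),
    "ws-design-02": {"parsec"},
    "srv-build-01": set(),
    "ws-sales-11": set(),
}

# Constructed evidence per host in the shape the commands above produce:
# process listings, persistence entries (scheduled task names / cron lines)
# and on-disk artifact paths.
EVIDENCE = {
    "ws-finance-07": {
        "process": [r"C:\Users\jdoe\AppData\Local\Programs\Parsec\parsecd.exe",
                    r"C:\Windows\explorer.exe"],
        "persistence": ["OneDrive Standalone Update Task"],
        "artifact": [r"C:\Users\jdoe\AppData\Roaming\Parsec"],
    },
    "ws-design-02": {
        "process": [r"C:\Program Files\Parsec\parsecd.exe"],
        "persistence": ["Parsec Update"],
        "artifact": [r"C:\Users\asmith\AppData\Roaming\Parsec"],
    },
    "srv-build-01": {
        "process": ["root  1203  0.0  0.4 /opt/parsec/parsecd",
                    "root   900  0.0  0.1 /usr/sbin/sshd -D"],
        "persistence": ["@reboot /opt/parsec/parsecd"],
        "artifact": ["/root/.parsec"],
    },
    "ws-sales-11": {
        "process": [r"C:\Windows\explorer.exe"],
        "persistence": ["Splashtop Streamer Updater"],
        "artifact": [],
    },
}


def find_rmm(text):
    """RMM product names mentioned in one line of evidence (case-insensitive)."""
    low = text.lower()
    return {tool for tool in RMM_INDICATORS if tool in low}


def hunt(evidence, approved):
    """One finding per evidence line that names an RMM tool not approved on that host."""
    findings = []
    for host, data in evidence.items():
        allowed = approved.get(host, set())
        for source in ("process", "persistence", "artifact"):
            for item in data.get(source, []):
                for tool in sorted(find_rmm(item) - allowed):
                    findings.append({"host": host, "tool": tool,
                                     "source": source, "detail": item})
    return findings


def triage(findings):
    """Per host: unapproved tools seen, and 'high' when one tool is both running
    and persisted (the page's 'investigate persistence' case), else 'medium'."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], {}).setdefault(f["tool"], set()).add(f["source"])
    result = {}
    for host, tools in by_host.items():
        high = any({"process", "persistence"} <= sources for sources in tools.values())
        result[host] = {"tools": sorted(tools), "priority": "high" if high else "medium"}
    return result


if __name__ == "__main__":
    for host, verdict in triage(hunt(EVIDENCE, APPROVED_RMM)).items():
        print(f"{host}: {verdict['priority']} - {', '.join(verdict['tools'])}")
```

The approved host `ws-design-02` produces no finding even though Parsec is running and scheduled there, while the build server, where the same tool runs and is re-launched from cron, is ranked first for investigation.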
6. YARA Rule for Parsec Malware
```yara
rule Parsec_RMM_Backdoor {
    strings:
        $parsec_str = "parsec" nocase
        $rmm_func = "remote_monitoring" nocase
    condition:
        any of them
}
```
Both strings are generic, so the rule also fires on legitimate Parsec installs and on any file that merely mentions the name; scope scans to memory or to locations where Parsec is not expected, and confirm hits against the software inventory.
References:
- Parsec Official Site
- Mandiant Report on RMM Abuse
- LOLRMM Project
- RMM Catalogue
- Huntress on Asset Inventory
What Undercode Say:
Attackers increasingly abuse legitimate RMM tools like Parsec for persistence. Proactive monitoring, strict software inventory policies, and network segmentation are essential. Regularly audit installed software, enforce application whitelisting, and monitor outbound connections to RMM domains.
Prediction:
As RMM tools evolve, attackers will continue exploiting them for stealthy command-and-control. Expect more cases involving lesser-known RMM platforms like Parsec, requiring updated detection rules and threat-hunting methodologies.
Expected Output:
Parsec detected in process list → Investigate persistence (scheduled tasks, registry). Block Parsec domains at firewall level. Deploy YARA rules for memory scanning.
Reported By: Stephan Berger – Hackers Feeds