Remote Monitoring and Management (RMM) Tooling Increasingly an Attacker’s First Choice


Attackers are now leveraging Remote Monitoring and Management (RMM) tools for initial access, not just for persistence and backup access. The primary reason is that Endpoint Detection and Response (EDR) and Antivirus (AV) solutions often do not flag these tools as malicious, making them an easy entry point for attackers. Proofpoint’s latest research highlights this trend, showing RMMs replacing traditional loaders in cyberattacks.

🔗 Read the article here: Remote Monitoring and Management (RMM) Tooling Increasingly an Attacker’s First Choice | Proofpoint US

You Should Know:

1. Understanding RMM Tools:

  • RMM tools are commonly used by IT professionals to remotely manage and monitor systems. However, attackers are now exploiting these tools for initial access.
  • Popular RMM tools include TeamViewer, AnyDesk, and ConnectWise Control.

2. Why RMMs Are Attractive to Attackers:

  • RMMs are often whitelisted by EDR and AV solutions to avoid false positives, making them a stealthy option for attackers.
  • They provide persistent access to compromised systems, allowing attackers to maintain control over long periods.

3. Mitigation Strategies:

  • Baseline Monitoring: Establish a baseline of normal RMM tool usage within your environment to detect anomalies.
  • Restrict RMM Usage: Limit the use of RMM tools to specific, authorized users and systems.
  • EDR Configuration: Ensure your EDR solution is configured to monitor and alert on unusual RMM tool activity.

4. Commands and Tools for Detection:

  • Linux Command to Monitor Processes:
    ps aux | grep -iE 'teamviewer|anydesk|connectwise' | grep -v grep

    This command lists running processes and keeps those whose command line names one of the RMM tools. The trailing grep -v grep drops the grep process itself, which would otherwise match its own pattern and show up as a false hit.

  • Windows PowerShell Command to Check Installed Software:

    Get-WmiObject -Class Win32_Product | Where-Object { $_.Name -match "TeamViewer|AnyDesk|ConnectWise" } | Select-Object -Property Name

    This command lists installed Windows Installer (MSI) products and keeps those whose Name property matches an RMM tool; the filter has to be applied to $_.Name, since matching on the whole object only works by accident of its string form. Two caveats: querying Win32_Product is slow and triggers a consistency check of every installed MSI package, so run it sparingly, and it only sees products installed through Windows Installer, so an agent deployed as a portable executable or via a non-MSI installer will not appear.

  • Sysmon Configuration for RMM Detection:
    Configure Sysmon to log process creation events (Event ID 1) and filter for RMM tools:

    <Sysmon schemaversion="4.22">
      <EventFiltering>
        <ProcessCreate onmatch="include">
          <Image condition="contains">TeamViewer</Image>
          <Image condition="contains">AnyDesk</Image>
          <Image condition="contains">ConnectWise</Image>
        </ProcessCreate>
      </EventFiltering>
    </Sysmon>

    The Image condition matches on the executable path, so a renamed binary is not caught; schema 4.22 also exposes the OriginalFileName field from the PE version resource, which survives a simple rename. The resulting events are most useful when compared against the usage baseline from step 3 rather than alerted on in isolation, since RMM execution on the help desk's own workstations is expected.

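The baseline monitoring in step 3 and the Sysmon process-creation events in step 4 come together in the check below. It is an added example, not code from the Proofpoint article or the original post: it takes Sysmon Event ID 1 records already parsed into JSON objects (the field names UtcTime, Computer, User, Image and ParentImage follow Sysmon's own naming, the newline-delimited JSON shape is an assumption about how the events were exported), compares each RMM execution against an allow-list of host/account pairs, and additionally flags RMM binaries that start from a user-writable directory. The hosts, accounts, paths and the approved baseline are all constructed for the example.

```python
"""Baseline-driven detection of unexpected RMM tool executions.

Added example, not code from the Proofpoint article or the original post.
Consumes Sysmon Event ID 1 (process creation) records, already parsed into
JSON objects, and flags any RMM execution that falls outside an allow-list
of approved host/account pairs or that starts from a user-writable
directory. Every event, host name, account and baseline entry below is
constructed for the example.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass
from typing import Optional

# Executable-name patterns for the RMM tools named in the post.
RMM_PATTERNS = {
    "TeamViewer": re.compile(r"teamviewer", re.I),
    "AnyDesk": re.compile(r"anydesk", re.I),
    "ConnectWise": re.compile(r"connectwise", re.I),
}

# Directories an ordinary user can write to; an IT-deployed agent
# normally lives under Program Files instead.
USER_WRITABLE = re.compile(r"\\(users|temp|programdata)\\", re.I)

# Constructed baseline: which (host, account) pairs may run each tool.
APPROVED = {
    "TeamViewer": {("HELPDESK-01", r"CORP\it.admin")},
    "AnyDesk": {("HELPDESK-01", r"CORP\it.admin")},
    "ConnectWise": {("HELPDESK-01", r"CORP\it.admin")},
}

# Constructed Sysmon Event ID 1 records, one JSON object per line.
SAMPLE_EVENTS = r"""
{"UtcTime": "2025-02-10 09:14:02", "Computer": "HELPDESK-01", "User": "CORP\\it.admin", "Image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"UtcTime": "2025-02-10 09:31:47", "Computer": "FIN-WS-07", "User": "CORP\\j.doe", "Image": "C:\\Users\\j.doe\\AppData\\Local\\Temp\\AnyDesk.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"UtcTime": "2025-02-10 10:02:11", "Computer": "HELPDESK-01", "User": "CORP\\it.admin", "Image": "C:\\Program Files\\ConnectWise\\ConnectWise.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"UtcTime": "2025-02-10 11:45:09", "Computer": "DC-01", "User": "CORP\\svc_backup", "Image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe", "ParentImage": "C:\\Windows\\System32\\services.exe"}
{"UtcTime": "2025-02-10 11:46:30", "Computer": "FIN-WS-07", "User": "CORP\\j.doe", "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
"""


@dataclass(frozen=True)
class Finding:
    computer: str
    user: str
    tool: str
    image: str
    reason: str


def identify_rmm(image: str) -> Optional[str]:
    """Return the RMM tool name if the executable's file name matches one."""
    file_name = image.rsplit("\\", 1)[-1]
    for tool, pattern in RMM_PATTERNS.items():
        if pattern.search(file_name):
            return tool
    return None


def parse_events(text: str) -> list[dict]:
    """Parse newline-delimited JSON event records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyse(events: list[dict], approved: dict[str, set[tuple[str, str]]]) -> list[Finding]:
    """Compare each RMM execution against the baseline and collect anomalies."""
    findings: list[Finding] = []
    for ev in events:
        tool = identify_rmm(ev["Image"])
        if tool is None:
            continue  # not an RMM tool, nothing to check
        key = (ev["Computer"], ev["User"])
        if key not in approved.get(tool, set()):
            findings.append(Finding(ev["Computer"], ev["User"], tool, ev["Image"],
                                    "host/account not in the approved baseline"))
        if USER_WRITABLE.search(ev["Image"]):
            findings.append(Finding(ev["Computer"], ev["User"], tool, ev["Image"],
                                    "runs from a user-writable directory"))
    return findings


def run_sample() -> list[Finding]:
    """Run the detector over the constructed events."""
    return analyse(parse_events(SAMPLE_EVENTS), APPROVED)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.computer} {f.user} {f.tool}: {f.reason} ({f.image})")
```

Against the constructed events the help-desk executions are silent, the AnyDesk start on the finance workstation produces two findings (unapproved host/account, user-writable path) and the AnyDesk start on the domain controller one. In a real deployment the APPROVED table is what the baseline-monitoring step produces, and the two reasons map to separate alert severities: an unapproved host/account is worth a ticket, the same plus a Temp or AppData path is worth an immediate look.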

5. Steps to Secure Your Environment:

  • Network Segmentation: Isolate critical systems from those that require RMM access.
  • Multi-Factor Authentication (MFA): Implement MFA for all RMM tool access.
  • Regular Audits: Conduct regular audits of RMM tool usage and access logs.

What Undercode Say:

The increasing use of RMM tools by attackers highlights the need for a more nuanced approach to endpoint security. Organizations must balance the operational benefits of RMM tools with the potential security risks they introduce. By implementing robust monitoring, restricting access, and configuring EDR solutions to detect unusual activity, organizations can mitigate the risks associated with RMM tool exploitation. Additionally, staying informed about emerging threats and adapting security strategies accordingly is crucial in the ever-evolving cybersecurity landscape.

Related Commands:

  • Linux Command to Check Network Connections:
    sudo netstat -tunap | grep -iE 'teamviewer|anydesk|connectwise'

    The -p flag (which needs root) is what adds the owning program name to each socket line; with only -tuln the output carries addresses and ports, so a pattern of process names never matches anything.

  • Windows Command to Check Active Connections:
    Get-NetTCPConnection -State Established | Where-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName -match "TeamViewer|AnyDesk|ConnectWise" } | Select-Object LocalAddress, RemoteAddress, RemotePort, OwningProcess

    OwningProcess holds a process ID, not a name, so it has to be resolved through Get-Process before the name match is applied; matching the ID directly against the tool names would return nothing.

Reported By: Kostastsale Remote – Hackers Feeds