In July, Red Canary developed a number of analytics to detect the execution of administration utilities, like remote management and monitoring (RMM) tools. With so many detection opportunities around cutting-edge malware strains and complex adversary techniques, why are we looking for seemingly legitimate IT software in our customers’ environments?
What is an RMM tool?
MSPs, security vendors, and even internal IT departments rely on RMMs to perform important tasks on endpoints. You will often see these tools referred to by a variety of names, including the MITRE ATT&CK technique name for them, T1219: Remote Access Software, but also remote access tools, remote admin tools, and, if they’re being used by an adversary, remote access trojans (RATs). I worked at a Managed Services Provider (MSP) for over seven years, and I can speak to how powerful and critical RMMs are to the success of IT professionals.
I’ve seen RMMs used to apply system updates, manage asset inventories, deploy software to thousands of workstations, troubleshoot endpoints with privileged command-line access, schedule maintenance tasks, and monitor the overall health of networks and endpoints. All of this can be done securely from a remote location, via a small, but powerful agent installed on the endpoints you want to manage.
Some of the more popular RMMs include Atera, Connectwise, Kaseya, and TeamViewer.
Why detect RMMs if they aren’t inherently evil?
Even though these detectors can be tuned, why do we feel they are important enough to warrant the initial noise? At the outset this seems counterproductive.
Adversaries use RMMs and remote utilities all the time
The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) issued an advisory about the malicious use of RMMs. SCATTERED SPIDER, Royal, and Conti are just some of the big-name adversaries that perform lateral movement and establish command and control (C2) via legitimate RMMs. One particularly prominent example, NetSupport Manager, is a mainstay of the top 10 we report in our monthly Intelligence Insights, ranks 15th of the year among the threats we track, and is in fact the number one threat we detect when we include confirmed testing and legitimate use.
Adversaries don’t need to be sophisticated in order to leverage remote software to carry out attacks
When something isn’t working on my mom’s computer, I’ll usually remote into her PC to take a look. I have her go to teamviewer.com and download the remote utility for free. I choose TeamViewer because it’s fast to download and it has a straightforward installation wizard. I don’t need my mom to create an account or enter her email to get started. The download and install take maybe two minutes and then all I need is the nine-digit code to remotely access her PC. From there, I have full interactive control of her PC. If it’s that easy for me to provide IT support to my family, imagine how easy it is for adversaries to call up a victim, pretend that they are calling from IT and must “fix” something on the user’s computer, and then install a remote tool!
RMMs can enable supply chain attacks
In the last five years we’ve seen two of the largest worldwide cyber attacks happen via compromised RMM software companies. As we highlighted in our 2022 Red Canary Threat Detection Report, in December 2020 adversaries compromised SolarWinds, accessed the update infrastructure for its Orion IT management software, and sent backdoored updates to the company’s thousands of customers, affecting organizations well into 2021. Later, in July 2021, adversaries exploited vulnerabilities in Kaseya VSA IT Management software in a campaign ultimately designed to deploy Sodinokibi ransomware, also known as REvil.
Okay! I get it… It’s important to detect RMMs and remote utilities, but this is going to create a ton of noise for my security team, isn’t it?
Red Canary has built a series of detectors to identify these tools running on the endpoints in our customers’ environments. When activated, these may initially cause an increase in detections associated with permissible software in some organizations, which runs counter to our goal of reducing alert fatigue. Having said that, Red Canary customers have the ability to customize which remote utilities are sanctioned and where in their environment they are allowed to run. This means that you can tailor these new detectors to only alert you when they are running on unauthorized systems. With proper scoping, every alert will be a true positive warranting your security team’s time and effort to investigate.
Let’s look at setting up exceptions for applications that are used legitimately in a Red Canary customer environment. Exceptions can have various scopes; a global exception allows the software to run on any system, by any user, without generating any alerts. Alternatively, exceptions can be crafted so they apply to just one or a few systems or users, avoiding an overly broad exception that would suppress true positive alerts warranting immediate attention and response.
Application exceptions demo
Scenario: Let’s say that you have a vendor that remotely logs into a number of systems to perform troubleshooting on a regular basis. That vendor uses the standalone version of TeamViewer. In the Red Canary portal, you would first apply a reporting tag to the endpoints the vendor supports to easily scope detection rules around those systems.
You would not want an alert when TeamViewer runs on these select few endpoints, but you definitely do want to be alerted if TeamViewer is running anywhere else:
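To make the scoping concrete, here is an added illustration (not the Red Canary portal’s implementation) of how a detector flags RMM executions unless an exception matches, with exceptions scoped globally, to a reporting tag, or to a user. The telemetry, tag name, user names and file paths are constructed for the example.

```python
from dataclasses import dataclass

# Constructed process-start events; "tags" stands in for the reporting tag the
# scenario applies to the vendor-supported endpoints.
EVENTS = [
    {"host": "ws-101", "user": "vendor-support", "tags": ["vendor-supported"],
     "image": "C:\\Temp\\TeamViewer.exe"},
    {"host": "ws-102", "user": "jdoe", "tags": [],
     "image": "C:\\Users\\jdoe\\Downloads\\TeamViewer.exe"},
    {"host": "srv-dc01", "user": "SYSTEM", "tags": [],
     "image": "C:\\Windows\\client32.exe"},
    {"host": "ws-103", "user": "it-admin", "tags": [],
     "image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe"},
]

# Image file names (lowercase) the detector maps to RMM products.
RMM_IMAGES = {"teamviewer.exe": "TeamViewer",
              "client32.exe": "NetSupport Manager",
              "anydesk.exe": "AnyDesk"}

@dataclass(frozen=True)
class AllowRule:
    """An exception: scope is 'global', 'tag' or 'user'; value names the tag/user."""
    tool: str
    scope: str
    value: str = ""

    def matches(self, tool: str, event: dict) -> bool:
        if tool != self.tool:
            return False
        if self.scope == "global":
            return True                      # sanctioned everywhere (broad!)
        if self.scope == "tag":
            return self.value in event["tags"]
        if self.scope == "user":
            return event["user"].lower() == self.value.lower()
        raise ValueError(f"unknown scope {self.scope!r}")

def image_name(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def detect(events, rules):
    """Return (alerts, suppressed): RMM executions without / with a matching rule."""
    alerts, suppressed = [], []
    for ev in events:
        tool = RMM_IMAGES.get(image_name(ev["image"]))
        if tool is None:
            continue
        hit = {"host": ev["host"], "user": ev["user"], "tool": tool}
        (suppressed if any(r.matches(tool, ev) for r in rules) else alerts).append(hit)
    return alerts, suppressed

# The scenario's exception: TeamViewer is fine only on the vendor-tagged hosts.
RULES = [AllowRule("TeamViewer", "tag", "vendor-supported"),
         AllowRule("AnyDesk", "user", "it-admin")]
```

Running `detect(EVENTS, RULES)` alerts on the TeamViewer download on ws-102 and NetSupport on srv-dc01, while a single global TeamViewer rule would silently swallow the ws-102 execution.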
If you want to try your hand at developing your own custom detection analytics for rooting out common RMM tools, take a look at our Remote access tool or trojan blog for detector ideas. That article includes ideas for detecting some of the most commonly abused RMMs, including NetSupport, ScreenConnect, AnyDesk, and more. We’re also hosting an upcoming webinar covering remote access tools, which will include extensive guidance on how security teams can detect and respond to RMMs.