The old adage “you can’t protect what you can’t see” has become ubiquitous in cybersecurity over the years, and for good reason. Visibility remains a top concern for defenders; without a clear picture of what’s expected in an environment, it can be difficult to detect unwanted and anomalous activity.
Establishing a baseline of what software is and isn’t allowed on your organization’s system can go a long way when it comes to identifying abnormal behavior in your environment. Surveyor—a free, cross-platform tool that queries endpoint detection and response (EDR) products and summarizes the results—can make quick work of this.
In a recent talk at Wild West Hackin’ Fest @ Mile High, Red Canary Threat Researcher Tre Wilkins walked through the importance of baselining, how legitimate software—like remote monitoring and management (RMM) tools—can be abused, and how to leverage Surveyor to confirm expected RMM tool activity, identify anomalies, and investigate findings.
You can watch the full recording here:
Don’t have time to watch right now? Let’s recap three of the talk’s takeaways.
Baselining an environment is important
Taking inventory of your environment—who’s running what software and why—is crucial when it comes to establishing a normal behavior profile within your environment. It can also enable more accurate threat detection and response. As Tre explains, these big-picture insights can help organizations assess trends, adoption rates, and risks at scale. Is someone on your network using PsExec? A network-sniffing application like Wireshark? If so, why and how often? This context can be essential in the event of a security incident.
Surveyor can help!
Surveyor—a cybersecurity Swiss Army knife—can be instrumental when it comes to baselining; it’s also helpful for alert validation and asset discovery. The tool was designed to be easy to use, even if you’re not an EDR connoisseur. Defenders can build straightforward detection rules based on definition files; some even come prebuilt in Surveyor’s GitHub definition repository, including the ability to search for remote-admin, scripting, scanners, sniffers, and file-sharing-and-backup use in your environment.
Looking to identify connections to AnyDesk, TeamViewer, or NetSupport Manager in your environment? Here’s an example of what a query would look like:
{
  "AnyDesk": {
    "process_name": ["anydesk.exe"],
    "domain": ["anydesk.com"]
  },
  "TeamViewer": {
    "process_name": ["teamviewer.exe", "teamviewerhost"]
  },
  "NetSupportManager": {
    "query": ["process_name:client32.exe AND internal_name:client32",
              "domain:geo.netsupportsoftware.com"]
  }
}
You can also search via Sigma rules, YAML files that contain whatever information you require to detect something awry in your environment, as well as by indicators of compromise (IOC) and ad-hoc queries.
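To make the baselining idea concrete, here is an added Python example (not Surveyor’s own code, and not from the talk) that loads a definition file in the style shown above, matches it against a handful of constructed EDR-style process events, and then compares the hosts found running each tool against an allowlist of expected (host, tool) pairs. The query matcher is an assumed, deliberately minimal interpretation of the "field:value AND field:value" syntax; the host names, events and baseline are all constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed definition file in the style shown in the post (not Surveyor's own file).
DEFINITIONS = json.loads("""
{
  "AnyDesk": {"process_name": ["anydesk.exe"], "domain": ["anydesk.com"]},
  "TeamViewer": {"process_name": ["teamviewer.exe", "teamviewerhost"]},
  "NetSupportManager": {"query": ["process_name:client32.exe AND internal_name:client32",
                                  "domain:geo.netsupportsoftware.com"]}
}
""")

# Constructed, hypothetical telemetry: one record per observed process/network event.
EVENTS = [
    {"host": "helpdesk-01", "process_name": "anydesk.exe", "domain": "anydesk.com", "internal_name": "anydesk"},
    {"host": "finance-07", "process_name": "anydesk.exe", "domain": "anydesk.com", "internal_name": "anydesk"},
    {"host": "helpdesk-01", "process_name": "teamviewerhost", "domain": "", "internal_name": "teamviewer"},
    {"host": "hr-03", "process_name": "client32.exe", "domain": "", "internal_name": "client32"},
    # Same file name as NetSupport's client, but a different internal name: should NOT match.
    {"host": "dev-12", "process_name": "client32.exe", "domain": "", "internal_name": "unrelated"},
    {"host": "dev-12", "process_name": "code.exe", "domain": "github.com", "internal_name": "code"},
]

# The baseline: which hosts are expected to run which RMM tool (constructed allowlist).
BASELINE = {
    ("helpdesk-01", "AnyDesk"),
    ("helpdesk-01", "TeamViewer"),
    ("hr-03", "NetSupportManager"),
}


def match_query(query, event):
    """Evaluate a minimal 'field:value AND field:value' clause against one event.

    Assumed simplification for this example: AND-only, exact, case-insensitive.
    """
    for clause in query.split(" AND "):
        field, _, value = clause.strip().partition(":")
        if str(event.get(field, "")).lower() != value.lower():
            return False
    return True


def match_definition(defn, event):
    """True if any field list or any query in the definition matches the event."""
    for key, values in defn.items():
        if key == "query":
            if any(match_query(q, event) for q in values):
                return True
        elif str(event.get(key, "")).lower() in [v.lower() for v in values]:
            return True
    return False


def survey(events, definitions):
    """Return {tool_name: sorted list of hosts on which the tool was observed}."""
    seen = defaultdict(set)
    for event in events:
        for tool, defn in definitions.items():
            if match_definition(defn, event):
                seen[tool].add(event["host"])
    return {tool: sorted(hosts) for tool, hosts in seen.items()}


def find_outliers(survey_results, baseline):
    """Return (host, tool) pairs observed but absent from the baseline allowlist."""
    return sorted(
        (host, tool)
        for tool, hosts in survey_results.items()
        for host in hosts
        if (host, tool) not in baseline
    )


if __name__ == "__main__":
    results = survey(EVENTS, DEFINITIONS)
    for tool, hosts in results.items():
        print(f"{tool}: {', '.join(hosts)}")
    for host, tool in find_outliers(results, BASELINE):
        print(f"OUTLIER: {tool} observed on {host}, not in baseline")
```

Run as-is, the script reports AnyDesk on both helpdesk-01 and finance-07 and flags finance-07 as the one outlier, while dev-12’s client32.exe is correctly ignored because its internal name does not match. That last case is why the page’s NetSupport definition pairs process_name with internal_name rather than relying on the file name alone.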
Keep an eye on RMM tools
While use of RMM tools alone may not be inherently malicious, like anything that increases your organization’s attack surface, it’s worth keeping track of.
Using the remote-admin definition file in Surveyor can help detect legitimate binaries that could be abused. You can leverage the .json file to look for common network connections, digital signers, as well as internal process names to help uncover unpermitted tool use. While the remote-admin file is a good place to start, administrators looking for a well-curated list of commonly abused RMM tools may want to head to lolrmm.io for a prebuilt Sigma list.
Red Canary frequently observes adversaries abusing RMM tools for initial access and lateral movement. In some instances, threat actors—like Storm-1811 last year—have been observed using the tools and in turn, deploying ransomware like Black Basta.
Having a controlled environment, one in which you’ve established which RMM tools are allowed to run and why, can help when it comes to reducing risk across your organization—it can also make suspicious-looking outliers easier to identify.
Take the next step
Looking to learn more about how to get started with Surveyor? Watch Tre’s talk, read the Surveyor Getting Started Wiki on GitHub and refer to this blog post for further context on how to use the tool. Because it’s open source, you can also fork the tool to customize it to your environment’s needs or contribute to the tool to expand its capabilities.