Remote monitoring and management abuse
Adversaries continue to use and abuse legitimate remote monitoring and management (RMM) software to move data and control infected hosts.
By abusing legitimate tools such as ScreenConnect, Atera, and Anydesk, adversaries can gain access to victims’ environments from oceans away.
Editors’ note: While the analysis and detection opportunities remain applicable, this page has not been updated since 2022.
Adversaries regularly abuse remote monitoring and management (RMM) tools because they’re widely used for legitimate reasons and seem benign. Along with the ability to blend in while moving laterally, these tools offer adversaries a reliable way to communicate with and pass information in and out of infected hosts.
In 2021 we identified an uptick of ransomware operators abusing RMM to remotely control victim machines and deploy additional malicious payloads. RMM has typically been used by help desk technicians to resolve issues on client computers. These software suites allow users to remotely control hosts, providing adversaries with a user-friendly graphical interface, secure network connections via cloud-hosted infrastructure, and host persistence. This makes it a challenge for defenders to catch the early stages of intrusions. It became increasingly clear to us throughout the year that being able to detect abnormal installation and execution of these tools early can help thwart ransomware or slow further deployment of malicious payloads.
Not all ransomware operators or affiliates use these tools as part of their intrusion chain, meaning other security controls are still important to cover other access paths. Community reporting has identified ransomware groups like REvil, Conti, Avos Locker, and Blackheart using software suites such as ScreenConnect, Atera, and Anydesk to gain persistent footholds to hosts after compromising them. In many instances, this led to the deployment of ransomware. Identifying rogue instances of these management tools is a great starting point to help understand and defend your endpoints.
We see the use of RMM tools as a way for adversaries to blend into the vast swath of endpoint telemetry that defenders rely on heavily for finding and eradicating evil. We all need to take a different approach when it comes to detecting this behavior. Rather than solely focusing on blocking known malware samples or writing detection logic around abuse of built-in operating system tools (e.g., living-off-the-land binaries), keep your legitimate third-party software inventory in mind as well.
Enterprises purchase and use hundreds, if not thousands, of software suites, but accounting for what’s legitimate in your organization is important. We’re not suggesting the near-impossible task of keeping tabs on all abnormal behavior across your numerous applications, merely that you stay up to date on which of them are permitted to be present.
Mapped onto the legendary Pyramid of Pain, malicious use of RMM tools sits near the top of the pyramid, under “Known Tools” and “TTPs.” Gathering laundry lists of legitimate software and comparing them against process execution logs will prove valuable for your defensive posture. SANS has a great white paper on how defenders can use open source utilities to collect this information remotely from their managed devices. We’ve also covered this topic more in-depth with multiple detection opportunities in our “Misbehaving RATs” blog post.
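The inventory-versus-telemetry comparison described above, as an added example (not code from the original post or from any vendor): a small Python script that reads process-execution log lines, matches the executable name against a list of RMM products, and flags any execution that is either not in the approved-software inventory, running on a host where that product is not sanctioned, or launched from a user-writable path. The log format, the inventory, the host names, and the executable names are all constructed for illustration; the user-writable-path heuristic is an assumption about what “abnormal installation” looks like, not a rule taken from the text.

```python
"""Compare process-execution logs against an approved-software inventory and
flag rogue RMM executions.  Added example, not from the original post; the log
lines, inventory, and process names below are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Executable names we associate with each RMM product (assumption: illustrative
# names for the example, not an authoritative list for any vendor).
RMM_PRODUCTS = {
    "screenconnect": {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"},
    "atera": {"ateraagent.exe"},
    "anydesk": {"anydesk.exe"},
}

# Constructed inventory: which RMM products are sanctioned, and on which hosts.
APPROVED_INVENTORY = {
    "atera": {"HELPDESK-01", "HELPDESK-02"},
}

# Heuristic (assumption): an RMM binary launched from a user-writable location
# is treated as an abnormal installation even when the product is approved.
USER_WRITABLE_HINTS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")

# Constructed log format: "<timestamp> host=<name> user=<domain\\user> image="<path>""
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+image="(?P<image>[^"]+)"\s*$'
)


@dataclass
class Finding:
    timestamp: str
    host: str
    user: str
    product: str
    image: str
    reason: str


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for an unapproved or abnormal RMM execution, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line; a real pipeline would count these
    image = m["image"]
    exe = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    product = next((p for p, names in RMM_PRODUCTS.items() if exe in names), None)
    if product is None:
        return None  # not an RMM binary we track
    host = m["host"]
    if product not in APPROVED_INVENTORY:
        reason = "RMM product not in approved-software inventory"
    elif host not in APPROVED_INVENTORY[product]:
        reason = "approved RMM product running on a host where it is not sanctioned"
    elif any(hint in image.lower() for hint in USER_WRITABLE_HINTS):
        reason = "approved RMM product launched from a user-writable path"
    else:
        return None  # sanctioned product, sanctioned host, normal install path
    return Finding(m["ts"], host, m["user"], product, image, reason)


def scan(lines: List[str]) -> List[Finding]:
    """Run classify() over every log line and keep only the findings."""
    return [f for f in (classify(line) for line in lines) if f is not None]


# Constructed sample telemetry (not real data; hosts and paths are made up).
SAMPLE_LOG = [
    '2022-03-01T10:15:02Z host=HELPDESK-01 user=CORP\\svc_helpdesk image="C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe"',
    '2022-03-01T10:17:45Z host=FIN-WS-07 user=CORP\\jsmith image="C:\\Users\\jsmith\\AppData\\Local\\Temp\\AnyDesk.exe"',
    '2022-03-01T10:20:11Z host=FIN-WS-07 user=CORP\\jsmith image="C:\\Program Files (x86)\\ScreenConnect Client (placeholder)\\ScreenConnect.ClientService.exe"',
    '2022-03-01T10:22:30Z host=HR-WS-03 user=CORP\\mlee image="C:\\Users\\mlee\\Downloads\\AteraAgent.exe"',
    '2022-03-01T10:25:00Z host=HELPDESK-02 user=CORP\\svc_helpdesk image="C:\\Windows\\System32\\svchost.exe"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.timestamp} {f.host} {f.user} {f.product}: {f.reason} ({f.image})")
```

On the constructed sample, the sanctioned Atera agent on HELPDESK-01 and the unrelated svchost.exe produce nothing, while the AnyDesk and ScreenConnect executions (products absent from the inventory) and the Atera agent on HR-WS-03 (a host where it is not sanctioned) are flagged. The ordering of the checks matters: inventory membership is tested before host membership, and the path heuristic only runs once a product is otherwise approved, so each finding carries the single most specific reason.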