Analytics Story: Remote Monitoring and Management Software
Description
Fortify your remote access and unapproved software monitoring with searches that monitor for and help you investigate the use of unappoved or malicious remote monitoring and management softwares (RMM).
Why it matters
Attackers can leverage a variety of 3rd party software to establish unapproved remote access or c2 channels to an enterprise network. Common techniques include the installation of these remote access software via channels via phishing, scam, or driveby malware compromise situations. While this Analytic Story is not a comprehensive listing of all RMM software it provides a useful starting point for well known indicators.
Be sure to leverage the "RMM Software Tracking" dashboard provided with this story for a convienent way to vizualize RMM usage in your enviroment.
Detections
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor |
crowdstrike |
| Palo Alto Network Threat |  Network |
pan:threat |
pan:threat |
| Palo Alto Network Traffic | Network |
pan:traffic |
screenconnect_palo_traffic |
| Sysmon EventID 1 |  Windows |
xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 11 | Windows |
xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 12 | Windows |
xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 13 | Windows |
xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 22 | Windows |
xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4688 | Windows |
xmlwineventlog |
XmlWinEventLog:Security |
References
- https://attack.mitre.org/techniques/T1219/
- https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
- https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
Source: GitHub | Version: 1