Detecting RMM tools using Microsoft Defender for Endpoint

Introduction

It’s no secret that Remote Monitoring and Management (RMM) software is being used by Threat Actors (TAs) for lateral movement and to establish command and control (C2). The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC), released a joint Cybersecurity Advisory (CSA), highlighting the malicious use of legitimate RMM software.

Red Canary has also shed some light on the malicious use of RMM software in recent blogs, emphasizing the importance of detecting relevant activity given that:

  • RMM software doesn’t require extensive technical knowledge to be used.
  • RMM software has been used in supply chain attacks.

Adding to the above:

  • It’s possible that companies lack effective monitoring mechanisms to identify questionable activity via remote management technologies. Because of this oversight gap, attackers may be able to go unnoticed.
  • The attack surface grows as more remote management technologies are used by enterprises to support remote work or streamline operations. This gives TAs greater opportunities to identify and take advantage of vulnerabilities.

Detection Considerations

With a ton of RMM software out there, utilizing a dozen techniques, including different console connection methods, it seems impossible to prepare a common hypothesis for a highly effective analytic.

On the other hand, RMM software is widely used by enterprises for common operational procedures. Given the establishment of work-from-home or work-from-anywhere after the COVID-19 outbreak, remote support software has been fundamental to streamlining operations for IT teams throughout the world.

Be that as it may, by experimenting with RMMs and Microsoft Defender for Endpoint (MDE), a common ground can be identified to build a relatively high-precision analytic.

Detection Opportunities

First things first, let’s have a look at the pyramid of pain.

[Image: the Pyramid of Pain (credit: Criticalstart)]

It goes without saying that analytics should aim as high up the pyramid as possible so that they provide concrete and efficient results. Trend Micro’s recently surfaced publication “Analysis on legit tools abused in human operated ransomware” is a great resource for a deep dive into artifacts from RMM tools that can help build queries, from file names to network connections and security event logs.

KQL Queries to keep an eye on

  • CJ May has developed a great query that sinkholes domains used by RMM software which you may find here.
  • Daniel Card has also collected filenames from RMM software which are used in this query.

What about MDE?

I decided to run some of the most prominent RMM tools based on Red Canary’s reports and look for common ground for good detection analytics. I came across many tables that collect artifacts useful for this, including:

  • DeviceNetworkEvents (Domains and IPs)
  • DeviceNetworkEvents along with SslConnectionInspected ActionType (Certificates used for communication)
  • DeviceProcessEvents (Filenames and file hashes)

But one that caught my eye, was the following:

Windows executables carry hardcoded version information, which MDE surfaces as ProcessVersionInfoCompanyName and ProcessVersionInfoProductName. Hence, while we might not be at the top of the Pyramid of Pain, we are very close. After running a dozen RMM tools locally, I came down to this artifact collection, which can be used along with the following query to detect RMM activity.

let RMMSoftware = externaldata(RMMSoftware: string)[@"https://raw.githubusercontent.com/cyb3rmik3/Hunting-Lists/main/rmm-software.csv"] with (format="csv", ignoreFirstRecord=True);
let ExclDevices = datatable(excludeddev: string) // Add as many devices as you would like to exclude
 ["DeviceName1",
  "DeviceName2",
  "DeviceName3"];
let Timeframe = 7d; // Choose the best timeframe for your investigation
DeviceProcessEvents
    | where Timestamp > ago(Timeframe)
    | where ProcessVersionInfoCompanyName has_any (RMMSoftware) // whole-term match against the hunting list
    | where not(DeviceName in (ExclDevices)) // drop devices where RMM use is expected
    | project Timestamp, DeviceName, ActionType, FileName, FolderPath, ProcessVersionInfoCompanyName, ProcessVersionInfoProductName, ProcessCommandLine, AccountName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine
    | sort by Timestamp desc

Check out this and further queries at my GitHub repo.

The query above reflects the tests with RMM tools I have done so far; this is an ongoing project and I will be updating the hunting list accordingly.
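To make the matching semantics of the query concrete outside of an MDE tenant, here is an added Python example (not code from the original post or from the Hunting-Lists repository) that runs the same logic over a handful of constructed DeviceProcessEvents rows. It approximates the KQL has_any operator (whole-term, case-insensitive matching, so a vendor name embedded inside a longer word does not hit), applies the exclusion list and the timeframe, and goes one step beyond the query by also testing ProcessVersionInfoProductName. The hunting list entries, device names and version-info strings are constructed sample values, not the contents of rmm-software.csv.

```python
"""Stand-alone approximation of the MDE RMM hunt over constructed process events."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the rmm-software.csv hunting list (illustrative values).
RMM_SOFTWARE = ["TeamViewer", "AnyDesk", "Splashtop", "ConnectWise"]

# Constructed exclusion list, equivalent to the ExclDevices datatable in the query.
EXCLUDED_DEVICES = {"itadmin-ws01"}

_TERM_RE = re.compile(r"[A-Za-z0-9_]+")


def terms(text: str) -> list[str]:
    """Approximate KQL term extraction: alphanumeric runs, compared case-insensitively."""
    return [t.lower() for t in _TERM_RE.findall(text)]


def has(haystack: str, needle: str) -> bool:
    """Approximate the KQL `has` operator: every term of the needle must appear as a
    whole term in the haystack, in order. A bare substring hit does not count."""
    h, n = terms(haystack), terms(needle)
    if not n or len(n) > len(h):
        return False
    return any(h[i:i + len(n)] == n for i in range(len(h) - len(n) + 1))


def has_any(haystack: str, needles: list[str]) -> bool:
    """Approximate KQL `has_any`: true if any needle `has`-matches the haystack."""
    return any(has(haystack, needle) for needle in needles)


@dataclass(frozen=True)
class ProcessEvent:
    """Subset of DeviceProcessEvents columns used by the hunt."""
    timestamp: datetime
    device_name: str
    file_name: str
    company_name: str   # ProcessVersionInfoCompanyName
    product_name: str   # ProcessVersionInfoProductName


def hunt_rmm_processes(events, now, timeframe=timedelta(days=7),
                       rmm_list=RMM_SOFTWARE, excluded=EXCLUDED_DEVICES):
    """Mirror the KQL pipeline: timeframe filter, has_any on the vendor name
    (extended here to the product name as well), exclusion list, sort desc."""
    hits = [
        e for e in events
        if e.timestamp > now - timeframe
        and e.device_name not in excluded
        and (has_any(e.company_name, rmm_list) or has_any(e.product_name, rmm_list))
    ]
    return sorted(hits, key=lambda e: e.timestamp, reverse=True)


# Constructed sample events; "now" is fixed so the result is reproducible.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    # vendor name matches a hunting-list term -> hit
    ProcessEvent(NOW - timedelta(hours=2), "finance-ws07", "TeamViewer.exe",
                 "TeamViewer Germany GmbH", "TeamViewer"),
    # matches, but the device is on the exclusion list -> suppressed
    ProcessEvent(NOW - timedelta(days=1), "itadmin-ws01", "AnyDesk.exe",
                 "AnyDesk Software GmbH", "AnyDesk"),
    # matches, but older than the 7-day timeframe -> suppressed
    ProcessEvent(NOW - timedelta(days=10), "hr-ws03", "SRServer.exe",
                 "Splashtop Inc.", "Splashtop Streamer"),
    # ordinary OS binary -> no match
    ProcessEvent(NOW - timedelta(hours=5), "dev-ws12", "notepad.exe",
                 "Microsoft Corporation", "Microsoft Windows Operating System"),
    # vendor name only contains "Splashtop" as a substring, not a term -> no match
    ProcessEvent(NOW - timedelta(hours=1), "sales-ws02", "updater.exe",
                 "SplashtopNotReally Ltd", "Updater"),
    # vendor name misses but the product name hits (extension beyond the KQL) -> hit
    ProcessEvent(NOW - timedelta(minutes=30), "finance-ws09", "svc.exe",
                 "Example Vendor", "ConnectWise Control Client"),
]

if __name__ == "__main__":
    for e in hunt_rmm_processes(SAMPLE_EVENTS, NOW):
        print(e.timestamp.isoformat(), e.device_name, e.file_name,
              e.company_name, "|", e.product_name)
```

Running the block prints the two surviving events, newest first. The substring case (SplashtopNotReally) is the reason the query uses has_any rather than contains: term matching keeps a vendor list from lighting up on unrelated products that merely embed a vendor name, at the cost of missing a renamed binary whose version info was stripped, which is exactly the gap the DeviceNetworkEvents and certificate-based tables listed earlier are meant to cover.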

Bonus query

MDE already tracks some RMM tools as suspicious and raises an alert accordingly. Taking into account the MITRE ATT&CK T1219 technique, you can identify whether a relevant alert has been raised in your environment.

AlertInfo
| where Timestamp > ago(30d) // Define timerange
| where AttackTechniques contains "T1219" // Reference: https://attack.mitre.org/techniques/T1219/

Closing remarks

RMM tools have been going under the radar given that they are legitimate software, and who would have thought that TAs would use them? But hey, why make things complicated when they can be so simple?

While MDE offers detection opportunities for RMM tools, and it’s always good to know what’s moving in your environment, you should also consider hardening your posture against this kind of activity in further ways: proxies, UAC, firewall rules on outbound communication, deep packet inspection, just to name a few.

Happy hunting!
