Third-party remote access software installed

ID: remote_access_software
Data type: DNS, IP, HTTP
Severity: Medium
MITRE ATT&CK: TA0003:T1133

Description

AlphaSOC observed network traffic to known third-party Remote Monitoring and Management (RMM) infrastructure online, indicating that RMM software is installed on the source system. RMM tools (e.g., AnyDesk, ScreenConnect, and TeamViewer) are “dual-use”: they are employed by both system administrators and threat actors. Adversaries use RMM tools to access compromised systems and avoid detection, because the tools are legitimate commercial software and are often not flagged as malicious by security tooling. As such, unapproved use of third-party RMM software can indicate compromise.

Impact

Unauthorized RMM software installed by an adversary provides complete access to a system and acts as a powerful command and control (C2) mechanism. Threat actors use RMM platforms to execute commands, elevate privileges, move laterally, and exfiltrate data.

Investigation and Remediation

Upon identifying a system running RMM software, it is important to distinguish whether the installation is legitimate or unapproved. Unapproved RMM software should be removed, and an investigation launched to understand the source of the installation (e.g., an external threat actor or an internal user) and how the software has been used.
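As an added example (not AlphaSOC's own detection code), the following Python scans DNS and HTTP log lines for traffic to the vendor domains of the RMM tools named above, and then separates hosts with a documented, approved installation from those that need triage as described in this section. The vendor domain list, the approved-host list and the log lines are assumptions constructed for the example; a production detection would use a maintained indicator list and would also cover the IP data type this rule consumes.

```python
"""Added example: flag hosts whose DNS/HTTP traffic reaches known RMM vendor
domains, then separate approved RMM hosts from unapproved ones for triage."""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit

# Illustrative vendor domains for the RMM tools named on the page
# (assumption: a real detection uses a maintained, much larger indicator list).
RMM_DOMAINS = {
    "anydesk.com": "AnyDesk",
    "screenconnect.com": "ScreenConnect",
    "teamviewer.com": "TeamViewer",
}

# Hosts with a documented, approved RMM installation (constructed for the example).
APPROVED_HOSTS = {"it-admin-01"}

SEVERITY = "Medium"  # severity assigned to this detection

# Constructed log lines in the shape "<timestamp> <host> <type> <value>".
SAMPLE_LOGS = [
    "2024-05-01T09:00:01Z it-admin-01 dns relay.anydesk.com",
    "2024-05-01T09:00:05Z finance-ws-07 dns cdn.teamviewer.com",
    "2024-05-01T09:01:12Z finance-ws-07 http https://cdn.teamviewer.com/download",
    "2024-05-01T09:02:00Z hr-laptop-03 dns www.example.org",
    "2024-05-01T09:03:30Z hr-laptop-03 http https://screenconnect.com/download",
]


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    tool: str
    indicator: str
    approved: bool
    severity: str = SEVERITY


def match_rmm_domain(hostname: str) -> str | None:
    """Return the RMM product if hostname is a vendor domain or a subdomain of one.

    The suffix check requires a dot boundary, so 'notanydesk.com' does not match.
    """
    hostname = hostname.lower().rstrip(".")
    for domain, tool in RMM_DOMAINS.items():
        if hostname == domain or hostname.endswith("." + domain):
            return tool
    return None


def indicator_hostname(kind: str, value: str) -> str:
    """DNS records carry the queried name; HTTP records carry a URL, so take its host."""
    if kind == "http":
        return urlsplit(value).hostname or ""
    return value


def scan(lines, approved_hosts=APPROVED_HOSTS) -> list[Finding]:
    """Produce one Finding per log line that reaches known RMM infrastructure."""
    findings: list[Finding] = []
    for line in lines:
        try:
            ts, host, kind, value = line.split(maxsplit=3)
        except ValueError:
            continue  # malformed line: skip it rather than abort the whole scan
        name = indicator_hostname(kind, value)
        tool = match_rmm_domain(name)
        if tool is None:
            continue
        findings.append(Finding(ts, host, tool, name, host in approved_hosts))
    return findings


def unapproved_hosts(findings) -> dict[str, set[str]]:
    """Group unapproved findings by host: these are the installations to investigate."""
    out: dict[str, set[str]] = {}
    for f in findings:
        if not f.approved:
            out.setdefault(f.host, set()).add(f.tool)
    return out


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for f in found:
        status = "approved" if f.approved else "UNAPPROVED"
        print(f"{f.severity}: {f.host} -> {f.tool} ({f.indicator}) [{status}]")
    print("triage:", unapproved_hosts(found))
```

Approved hosts still produce findings; they are only marked as approved so that the known false positive in this rule (legitimate administrators) is visible rather than silently dropped. Removing an approved host from the list immediately promotes its traffic to the triage set.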

Severity

Severity    Condition
Medium      Traffic to known RMM infrastructure online

Known False Positives

  • Legitimate administrators and external vendors may use RMM software to perform troubleshooting and maintenance tasks