Third-party remote access software installed
Description
AlphaSOC observed network traffic to known third-party Remote Monitoring and Management (RMM) infrastructure online, indicating an RMM software installation. RMM tools (e.g., AnyDesk, ScreenConnect, and TeamViewer) are “dual-use” and employed by both system administrators and threat actors. Adversaries use RMM tools to access compromised systems while avoiding detection, as these tools are often not flagged as malicious by security tooling. As such, unapproved use of third-party RMM software can indicate compromise.
Impact
Unauthorized RMM software installed by an adversary provides complete access to a system and acts as a powerful command and control (C2) mechanism. Threat actors use RMM platforms to execute commands, elevate privileges, move laterally, and exfiltrate data.
Investigation and Remediation
Upon identifying a system running RMM software, it is important to distinguish whether the installation is legitimate or unapproved. Unapproved RMM software should be removed, and an investigation launched to understand the source of the installation (e.g., an external threat actor or an internal user) and how the software has been used.
Severity
Severity | Condition |
---|---|
Medium | Traffic to known RMM infrastructure online |
Known False Positives
- Legitimate administrators and external vendors may use RMM software to perform troubleshooting and maintenance tasks
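The triage step from Investigation and Remediation (separating approved from unapproved RMM use, with the false positive above suppressed) as an added Python example, not AlphaSOC's own detection code: it matches constructed DNS log lines against a small set of RMM vendor domains and raises a Medium-severity finding only for hosts missing from an approval inventory. The domain list, host names and log format are assumptions for illustration.

```python
# Assumed RMM vendor domains for the tools named above (illustrative, not a complete list).
RMM_DOMAINS = {
    "anydesk.com": "AnyDesk",
    "screenconnect.com": "ScreenConnect",
    "teamviewer.com": "TeamViewer",
}
# Assumed inventory of hosts approved to run RMM software (e.g. a help-desk workstation).
APPROVED_RMM_HOSTS = {"helpdesk-01"}


def rmm_tool_for(fqdn: str):
    """Return the RMM product whose infrastructure the queried name belongs to, else None."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # test each parent domain of the FQDN
        suffix = ".".join(labels[i:])
        if suffix in RMM_DOMAINS:
            return RMM_DOMAINS[suffix]
    return None


def triage(log_lines: list) -> list:
    """Parse 'timestamp host query' DNS lines and flag RMM traffic from unapproved hosts."""
    findings, seen = [], set()
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _, host, fqdn = parts
        tool = rmm_tool_for(fqdn)
        # Suppress approved hosts (the documented false positive) and repeat host/tool pairs.
        if tool is None or host in APPROVED_RMM_HOSTS or (host, tool) in seen:
            continue
        seen.add((host, tool))
        findings.append({"host": host, "tool": tool, "domain": fqdn, "severity": "Medium"})
    return findings


# Constructed sample DNS log lines: timestamp, source host, queried name.
SAMPLE_LOG = [
    "2024-01-01T09:00:00Z helpdesk-01 relay.anydesk.com",
    "2024-01-01T09:01:00Z finance-pc-17 relay.anydesk.com",
    "2024-01-01T09:02:00Z finance-pc-17 boot.anydesk.com",
    "2024-01-01T09:03:00Z eng-laptop-03 login.teamviewer.com",
    "2024-01-01T09:04:00Z eng-laptop-03 www.example.com",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['severity']}: {f['host']} contacted {f['tool']} infrastructure ({f['domain']})")
```

Each finding is a starting point for the investigation described above; the approval inventory should come from the organisation's own asset or change records rather than a hard-coded set.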