TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Huntress

A Series of Unfortunate (RMM) Events

2025-12-18 · Read original ↗

ATT&CK techniques detected

13 predictions

T1219 Remote Access Tools
99%
“A Series of Unfortunate (RMM) Events. At this point, it’s no secret that threat actors are abusing remote monitoring and management (RMM) tools in their attacks for access to and persistence in victim environments. While businesses use RMMs to increase efficiencies and reduc…”

T1219 Remote Access Tools
98%
“…Remote Access\JWAppsSharedConfig\ServiceConfig.xml. This rogue SimpleHelp RMM was installed in the path: C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\Restricted\SimpleService.exe. Figure 3: process tree showing the attack that involved both PDQ and …”

T1219 Remote Access Tools
97%
“…in the attack, stopping the threat actor from escalating any further. A longer chain of RMM downloads: in October, Huntress observed a user at a car dealer execute the file openinvitation.exe, which is a rogue GoTo Resolve RMM installer. The file was downloaded from the domain ab…”

T1219 Remote Access Tools
95%
“Check logs for instances where RMMs were executed to weed out suspicious RMM use. The incidents that we’ve outlined above are only a small fraction of the cases that the Huntress SOC team experiences daily when it comes to rogue RMM deployments. The SOC sees not only individual …”

T1219 Remote Access Tools
94%
“…to discern what stems from end user behavior versus what is malicious. This is where the value of a managed SOC can help: SOC analysts look at indicators like where instances are calling out to, where they’re being installed on the system, and how they’re being installed. Fo…”

T1219 Remote Access Tools
93%
“…continuously reassess past and present telemetries. For this specific case, we worked with the business to neutralize the rogue RMMs. PDQ to SimpleHelp instance: we’ve seen multiple instances that start with the installation of PDQ, and then use a secondary RMM in the next phase…”

T1219 Remote Access Tools
90%
“…fourth) RMM tool can help ensure longer term access, even if the first tool is blocked. Below are a few examples of what our SOC is seeing, including some of the popular social engineering lures that threat actors are using to trick victims into downloading rogue RMMs, and the u…”

T1219 Remote Access Tools
87%
“…to infect the victim with another RMM, ScreenConnect, via the file path: C:\Program Files (x86)\ScreenConnect Client (fdeeb5df8057eef0)\ScreenConnect.ClientService.exe. A search for the ScreenConnect binary (f1b5c000794f046259121c63ed37f9eff0cfe1258588eca6fd85e16d39…”

T1219 Remote Access Tools
86%
“…user’s Chrome browser history showed that the installer was downloaded from ssaaccount-helper[.]icu. Figure 4 shows that the lure linked to this domain had to do with a purported Social Security account statement. Once the victim clicked “Download SSA Documents,” it kick…”

T1219 Remote Access Tools
72%
“…ct Client (2f193a6e5e15c3cc)\. Figure 5: the threat actor used GoTo Resolve, ScreenConnect, and SimpleHelp in one attack. At this point, Huntress SOC analysts caught and stopped the threat actor before they could deploy any further processes or persistence mechanisms. Continu…”

T1219 Remote Access Tools
70%
“…(a classic): fake invitations are a popular type of lure used by threat actors, which we have seen across many different rogue RMM incidents. On November 3, a user was tricked into executing eviteinvitersolvelist.exe, which was actually a malicious GoTo Resolve installer. Int…”

T1204.002 Malicious File
49%
“…778bf91[.]r2[.]dev/thanksgiving-iv.exe. The malicious RMM then deployed a rogue ScreenConnect installer into the directory C:\Program Files (x86)\ScreenConnect Client (3bf4055180e70e5b), which was configured for the domain wilkensealsivc[.]shop. - The fake …”

T1204.002 Malicious File
40%
“…user’s Chrome browser history showed that the installer was downloaded from ssaaccount-helper[.]icu. Figure 4 shows that the lure linked to this domain had to do with a purported Social Security account statement. Once the victim clicked “Download SSA Documents,” it kick…”
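The 95% and 94% snippets above recommend checking logs for RMM executions and name the three questions the SOC asks of each instance: where it was installed, how it was installed, and where it reports to. The script below is an added example written for this page, not Huntress code. It runs those checks over process-creation events and also flags the RMM-deploys-RMM chaining and the "several RMM families on one host" stacking the article describes. Assumptions: the `host|user|image|parent` line format and the sample events are constructed (the install paths are the ones quoted in the snippets); `APPROVED_SCREENCONNECT_IDS` is a hypothetical allowlist of the instance IDs the business actually deployed.

```python
"""Flag rogue RMM executions in process-creation telemetry.

Added example for this page, not Huntress code. Input format (assumed):
one event per line, "host|user|image|parent_image", as exported from a
Sysmon Event ID 1 / EDR process-creation feed. The sample log below is
constructed; the install paths in it are the ones quoted in the article.
"""
import re
from collections import defaultdict
from typing import NamedTuple

# Assumption: the organisation's own ScreenConnect instance ID(s). The 16-hex
# ID in "ScreenConnect Client (<id>)" ties the client to the server it reports
# to, so a client with any other ID belongs to someone else's deployment.
APPROVED_SCREENCONNECT_IDS = {"0123456789abcdef"}

# Install-path signatures for the two RMM families whose paths the article
# quotes. The ScreenConnect pattern captures the instance ID.
RMM_PATTERNS = {
    "SimpleHelp": re.compile(
        r"\\jwrapper-remote access\\jwappssharedconfig\\restricted\\simpleservice\.exe$", re.I),
    "ScreenConnect": re.compile(
        r"\\screenconnect client \(([0-9a-f]{16})\)\\screenconnect\.clientservice\.exe$", re.I),
}

# Locations a browser download or lure attachment runs from ("how was it installed").
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|appdata\\local\\temp)\\", re.I)


class Event(NamedTuple):
    host: str
    user: str
    image: str
    parent: str


def parse(line: str) -> Event:
    host, user, image, parent = (f.strip() for f in line.split("|", 3))
    return Event(host, user, image, parent)


def classify(path: str):
    """Return (family, instance_id) if the path is a known RMM service binary, else (None, None)."""
    for family, pattern in RMM_PATTERNS.items():
        m = pattern.search(path)
        if m:
            return family, (m.group(1) if m.groups() else None)
    return None, None


def analyze(lines):
    """Return (host, family, reason) findings for suspicious RMM activity."""
    families_per_host = defaultdict(set)
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse(line)
        family, instance = classify(ev.image)
        if family is None:
            continue
        families_per_host[ev.host].add(family)
        reasons = []
        # How was it installed? A service binary whose parent is a user-run
        # download is the lure-driven pattern, not an admin deployment.
        if USER_WRITABLE.search(ev.parent):
            reasons.append("installed by user-run binary " + ev.parent.rsplit("\\", 1)[-1])
        # Was it deployed by another RMM? That is the chaining the article describes.
        parent_family, _ = classify(ev.parent)
        if parent_family:
            reasons.append("deployed by another RMM (" + parent_family + ")")
        # Where does it report to? Compare the instance ID against the allowlist.
        if family == "ScreenConnect" and instance not in APPROVED_SCREENCONNECT_IDS:
            reasons.append("unapproved ScreenConnect instance " + instance)
        if reasons:
            findings.append((ev.host, family, "; ".join(reasons)))
    # Two or more RMM families on one host is the stacking pattern by itself.
    for host, fams in sorted(families_per_host.items()):
        if len(fams) >= 2:
            findings.append((host, "chain", "multiple RMM families: " + ", ".join(sorted(fams))))
    return findings


# Constructed sample telemetry (not a real capture).
SAMPLE_LOG = r"""
WS-DEALER01|jdoe|C:\Users\jdoe\Downloads\openinvitation.exe|C:\Program Files\Google\Chrome\Application\chrome.exe
WS-DEALER01|SYSTEM|C:\Program Files (x86)\ScreenConnect Client (2f193a6e5e15c3cc)\ScreenConnect.ClientService.exe|C:\Users\jdoe\Downloads\openinvitation.exe
WS-DEALER01|SYSTEM|C:\ProgramData\JWrapper-Remote Access\JWAppsSharedConfig\Restricted\SimpleService.exe|C:\Program Files (x86)\ScreenConnect Client (2f193a6e5e15c3cc)\ScreenConnect.ClientService.exe
WS-HELPDESK|SYSTEM|C:\Program Files (x86)\ScreenConnect Client (0123456789abcdef)\ScreenConnect.ClientService.exe|C:\Windows\System32\services.exe
"""

if __name__ == "__main__":
    for host, family, reason in analyze(SAMPLE_LOG.splitlines()):
        print(f"{host}: {family}: {reason}")
```

On the sample, the help-desk host's ScreenConnect client is silent because its instance ID is on the allowlist and it was started by the service control manager; the dealer workstation produces three findings: a ScreenConnect client launched by a download and pointing at an unapproved instance, a SimpleHelp service spawned by that ScreenConnect client, and the host-level "two RMM families" chain. Note that the instance-ID allowlist is the check that separates a business's legitimate ScreenConnect from a rogue one; a path or binary-hash match alone cannot, because the attacker installs the same vendor software.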

Summary

Recently, the Huntress SOC has observed threat actors increasingly using PDQ and GoTo Resolve as a first foothold to deploy additional remote monitoring and management (RMM) tools, such as ScreenConnect and SimpleHelp, in the same attack.