Israel G
17.2K posts

Israel G
@ipartner_
I love solving problems for which there is no obvious answer

Silencing the EDR Silencers: analysis of techniques to disable or silence EDR agents and some countermeasures, a post by Jonathan Johnson (@JonnyJohnson_). Source: huntress.com/blog/silencing… #redteam #blueteam #maldev #malwaredevelopment

RMM hunting is one of those areas where defenders get stuck because the answer is rarely "just block it." On a day-to-day basis, from the intrusions we see, ScreenConnect, Splashtop, AnyDesk, and RustDesk are some of the most abused RMMs. All of these can be legitimate. All of these are also regularly abused. That makes them annoying to detect, especially if you work in an MSSP or an environment where remote admin tooling is everywhere.

But there is a useful hunting angle here. ScreenConnect is still one of the most common by far. A pattern I've noticed recently is threat actors installing multiple ScreenConnect clients on the same host with different profile configurations, each connecting to different domains. That looks a lot like access staging or access resale. The interesting part is that this creates artifacts defenders can hunt for.

In the first screenshot, you can see how different ScreenConnect installation profiles would look. In this case, the pattern is basically "ScreenConnect Client" followed by a random unique 16-character alphanumeric value. That is a very useful hunting signal.

Red flags:
- Multiple ScreenConnect profiles on one host
- Multiple ScreenConnect installations
- Installs under both C:\Program Files*\ and AppData
- Different configured remote domains
- Suspicious or unexpected system.config files

The system.config file is especially useful. It exists inside the ScreenConnect installation directory and can expose the domain and certificate information used by the client to connect back to the remote server.

This is the main point: don't hunt only for the presence of RMM, hunt for RMM drift. Unexpected profiles -> unexpected paths -> unexpected domains -> unexpected configs. That is where RMM abuse starts becoming visible.
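The drift hunt described in the post, as an added PowerShell example written for this page (it is not the author's script and not a ScreenConnect or Huntress tool). It assumes that client installs live in directories named "ScreenConnect Client (<16 alphanumerics>)" directly under Program Files, Program Files (x86), or a couple of levels below a user's AppData folder, and that each directory holds a system.config. It does not assume any particular key names inside system.config: host names are pulled out with a generic regex. The Win32_Service lookup and the idea that the service command line carries an h= host parameter are this example's assumptions, not something the post states; the flag names and the -Depth 2 limit are also arbitrary choices made here.

```powershell
# Added example: hunt for ScreenConnect "drift" on the local host.
# Assumption: install dirs are "ScreenConnect Client (<16 alphanumerics>)" under
# Program Files, Program Files (x86) or a user's AppData tree (searched 2 levels deep).
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) +
    @(Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData' })
$roots = $roots | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$namePattern = '^ScreenConnect Client \(([0-9A-Za-z]{16})\)$'
# Generic host matcher: a hostname after http(s):// or after an h= parameter.
# Assumption: no specific XML key in system.config is relied on.
$hostPattern = '(?i)(?:https?://|h=)([a-z0-9][a-z0-9.-]*\.[a-z]{2,})'

function Get-HostNames([string]$Text) {
    if (-not $Text) { return @() }
    [regex]::Matches($Text, $hostPattern) |
        ForEach-Object { $_.Groups[1].Value.ToLower() } | Sort-Object -Unique
}

# 1. On-disk profiles: one record per "ScreenConnect Client (...)" directory.
$installs = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Directory -Recurse -Depth 2 -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Name -match $namePattern) {
                $cfg  = Join-Path $_.FullName 'system.config'
                $text = if (Test-Path -LiteralPath $cfg) {
                    Get-Content -LiteralPath $cfg -Raw -ErrorAction SilentlyContinue }
                [pscustomobject]@{
                    ProfileId = $Matches[1]
                    Path      = $_.FullName
                    Location  = if ($_.FullName -like '*\AppData\*') { 'AppData' } else { 'ProgramFiles' }
                    HasConfig = [bool]$text
                    Domains   = (Get-HostNames $text) -join ','
                }
            }
        }
}
$installs = @($installs)

# 2. Installed services named after the profile (assumption: the service command
#    line can carry an h=<host> parameter, which the same regex picks up).
$services = @(Get-CimInstance Win32_Service -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $namePattern } |
    ForEach-Object {
        [pscustomobject]@{
            Service = $_.Name
            State   = $_.State
            Domains = (Get-HostNames $_.PathName) -join ','
        }
    })

# 3. Drift summary: flags mirror the post's red flags.
$allDomains = @(($installs.Domains + $services.Domains) -split ',' |
    Where-Object { $_ } | Sort-Object -Unique)
$locations  = @($installs.Location | Sort-Object -Unique)
$flags = @()
if ($installs.Count -gt 1)                         { $flags += 'MultipleInstalls' }
if (($installs.ProfileId | Sort-Object -Unique).Count -gt 1) { $flags += 'MultipleProfiles' }
if ($locations.Count -gt 1)                        { $flags += 'ProgramFilesAndAppData' }
if ($allDomains.Count -gt 1)                       { $flags += 'MultipleRemoteDomains' }
if ($installs | Where-Object { -not $_.HasConfig }) { $flags += 'InstallWithoutSystemConfig' }

$installs | Format-Table ProfileId, Location, HasConfig, Domains, Path -AutoSize
$services | Format-Table Service, State, Domains -AutoSize
"Remote domains seen: $($allDomains -join ', ')"
"Drift flags: $(if ($flags) { $flags -join ', ' } else { 'none' })"
```

Run it elevated so every user's AppData and the service table are readable. The useful output is not the single install that a help desk put there on purpose but the second profile ID, the copy sitting in AppData next to one in Program Files, or two different relay domains on one host; baseline the domains your own RMM legitimately uses and treat anything else in "Remote domains seen" as the starting point of an investigation rather than as proof on its own.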