TTPwire Vol. 1 · MITRE ATT&CK-tagged


Huntress

Insights: RMM Tools | Huntress

2024-03-04

ATT&CK techniques detected (5 predictions; each entry gives the technique, the tagger's confidence score, and the excerpt from the original article that supports it)

T1219 Remote Access Tools (99%)
  "Insights: RMM Tools | Huntress. Huntress lives in the small- to medium-sized business (SMB) space, partnering with managed service providers (MSPs), and as a result, sees a wide spectrum of remote monitoring and management (RMM) tool usage. While a great deal of this usa…"

T1078 Valid Accounts (94%)
  "…involved in legitimate access, especially those used to access the endpoint legitimately, so visibility is limited. As such, it's possible that credentials were obtained from an endpoint other than the one monitored by Huntress. For example, credentials and information relevant…"

T1219 Remote Access Tools (81%)
  "…do have TeamViewer installed and regularly used for legitimate business purposes, be sure to review the 'Connections_incoming.txt' log file to ensure that there are no suspicious or malicious logins."

T1078 Valid Accounts (48%)
  "…cryptocurrency miner, or used the native utility curl.exe to exfiltrate data from an endpoint, were distinctly different, and all have one thing in common: initial access was obtained via an already-installed instance of TeamViewer. That is to say that the threat actor di…"

T1219.002 Remote Desktop Software (47%)
  "…do have TeamViewer installed and regularly used for legitimate business purposes, be sure to review the 'Connections_incoming.txt' log file to ensure that there are no suspicious or malicious logins."
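The two excerpts tagged T1219 (81%) and T1219.002 (47%) point at TeamViewer's Connections_incoming.txt as the place to look for inbound sessions that nobody authorized. The script below is an added example, not Huntress tooling or code from the original article. It assumes the commonly documented tab-separated layout of that file (remote TeamViewer ID, remote display name, session start and end in DD-MM-YYYY HH:MM:SS, local Windows user, connection type, connection GUID); the sample log lines, the technician allowlist and the business-hours window are all constructed for illustration.

```python
"""Triage TeamViewer's Connections_incoming.txt for sessions worth a human look.

Added example; the column layout below is an assumption about the file format,
and all sample data is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, Set, Tuple

# Assumed layout, tab-separated, one inbound session per line:
#   <remote TeamViewer ID> <remote display name> <start> <end>
#   <local Windows user> <connection type> <connection GUID>
TIMESTAMP_FMT = "%d-%m-%Y %H:%M:%S"

# Constructed sample log. Lines 1-2 look like routine helpdesk sessions from the
# MSP's known technician ID; line 3 is an unknown ID at 03:12 doing a FileTransfer;
# line 4 is an unknown ID taking remote control during the day.
SAMPLE_LOG = """\
123456789\tHELPDESK-01\t04-03-2024 09:15:02\t04-03-2024 09:41:30\tjsmith\tRemoteControl\t{11111111-1111-1111-1111-111111111111}
123456789\tHELPDESK-01\t04-03-2024 14:02:11\t04-03-2024 14:10:45\tjsmith\tRemoteControl\t{22222222-2222-2222-2222-222222222222}
987654321\tDESKTOP-Q7X2\t05-03-2024 03:12:40\t05-03-2024 03:58:03\tjsmith\tFileTransfer\t{33333333-3333-3333-3333-333333333333}
555000111\tWIN-TEMP\t05-03-2024 11:20:00\t05-03-2024 11:22:19\tjsmith\tRemoteControl\t{44444444-4444-4444-4444-444444444444}
"""

KNOWN_IDS: Set[str] = {"123456789"}          # constructed allowlist of technician IDs
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)  # constructed working hours


@dataclass
class Connection:
    remote_id: str
    remote_name: str
    start: datetime
    end: datetime
    local_user: str
    conn_type: str
    guid: Optional[str]


def parse_connections(text: str) -> List[Connection]:
    """Parse file content into Connection records; malformed lines are skipped."""
    records: List[Connection] = []
    for raw in text.splitlines():
        fields = raw.rstrip("\r").split("\t")
        if len(fields) < 6:
            continue  # blank line, header noise, or a truncated record
        try:
            start = datetime.strptime(fields[2], TIMESTAMP_FMT)
            end = datetime.strptime(fields[3], TIMESTAMP_FMT)
        except ValueError:
            continue  # timestamps not in the expected format
        records.append(Connection(
            remote_id=fields[0], remote_name=fields[1], start=start, end=end,
            local_user=fields[4], conn_type=fields[5],
            guid=fields[6] if len(fields) > 6 else None))
    return records


def triage(records: List[Connection],
           known_ids: Set[str] = KNOWN_IDS) -> List[Tuple[Connection, List[str]]]:
    """Return (connection, reasons) for every session that trips at least one check."""
    flagged: List[Tuple[Connection, List[str]]] = []
    for c in records:
        reasons: List[str] = []
        if c.remote_id not in known_ids:
            reasons.append("remote TeamViewer ID not on technician allowlist")
        if not (BUSINESS_START <= c.start.time() < BUSINESS_END):
            reasons.append("session started outside business hours")
        if c.conn_type.lower() == "filetransfer":
            reasons.append("file transfer session (possible tool staging or exfiltration)")
        if reasons:
            flagged.append((c, reasons))
    return flagged


def triage_text(text: str, known_ids: Set[str] = KNOWN_IDS) -> List[Tuple[Connection, List[str]]]:
    """Convenience wrapper: parse then triage raw file content."""
    return triage(parse_connections(text), known_ids)


if __name__ == "__main__":
    for conn, why in triage_text(SAMPLE_LOG):
        print(f"{conn.start:%Y-%m-%d %H:%M} {conn.remote_id} ({conn.remote_name}) "
              f"-> local user {conn.local_user} [{conn.conn_type}]")
        for r in why:
            print("   -", r)
```

On a live Windows host the file normally sits in the TeamViewer installation directory (typically C:\Program Files\TeamViewer\Connections_incoming.txt); feed its contents to triage_text and review every flagged row against ticket history. Two caveats a responder should keep in mind: the log only records sessions that reached this endpoint, so a clean result says nothing about where credentials were harvested (the point the 94% excerpt makes), and an attacker with local admin can edit or truncate the file, so corroborate with TeamViewer's own log files and the MSP's console-side connection reports.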

Summary

Over the past year, the Huntress team has published a number of blog posts on remote monitoring and management (RMM) tools being installed or abused by threat actors.