This document serves to provide resources to help Prevent, Detect, and Respond to MS Teams-based Initial Access, with a heavy focus on MS Teams > RMM/QuickAssist attacks.
- IT Admins - Manage external meetings and chat with people and organizations using Microsoft identities
- Secure external access to Microsoft Teams, SharePoint, and OneDrive with Microsoft Entra ID
- Guest Access in Teams
If you'd like to receive ChatCreated audit logs from MS, you'll want to review MS Purview audit logging, check your license type, and enable the relevant logs. See MS's Purview documentation for notes.
- Temporal correlation: MS Teams > QA/RMM install/execution
- Can you correlate these activities?
- Does your E/XDR have window titles? Can you look for help|support|desk|team-type window titles?
- External > Internal MS Teams calls
- Window titles often note "(EXTERNAL)" for external Teams-based comms
- Chat titles may contain a unicode character such as a checkmark (✓) to make the chat seem more official
- QuickAssist processes
- QuickAssist as parent process (quickassist.exe)
- QuickAssist as parent process (
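The detection ideas above (Teams-to-QuickAssist temporal correlation, support-themed and "(EXTERNAL)" window titles, symbol characters such as a checkmark in chat titles, and QuickAssist as a parent process) can be tried out on constructed sample telemetry. The following is an added example, not code from the original notes; the event field names, the 15-minute correlation window, and the sample events are assumptions for illustration.

```python
import re
import unicodedata
from datetime import datetime, timedelta

# Constructed sample E/XDR-style process events (field names are assumed, not a vendor schema).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T14:02:10", "host": "WS01", "user": "alice", "process": "ms-teams.exe",
     "parent": "explorer.exe", "window_title": "Help Desk \u2713 (EXTERNAL) | Microsoft Teams"},
    {"ts": "2024-05-01T14:06:40", "host": "WS01", "user": "alice", "process": "quickassist.exe",
     "parent": "explorer.exe", "window_title": "Quick Assist"},
    {"ts": "2024-05-01T14:07:05", "host": "WS01", "user": "alice", "process": "cmd.exe",
     "parent": "quickassist.exe", "window_title": ""},
    {"ts": "2024-05-01T09:00:00", "host": "WS02", "user": "bob", "process": "ms-teams.exe",
     "parent": "explorer.exe", "window_title": "Weekly standup | Microsoft Teams"},
    {"ts": "2024-05-01T13:00:00", "host": "WS02", "user": "bob", "process": "quickassist.exe",
     "parent": "explorer.exe", "window_title": "Quick Assist"},
]

SUPPORT_WORDS = re.compile(r"help|support|desk|team", re.IGNORECASE)   # regex from the notes above
TEAMS_SUFFIX = re.compile(r"\s*\|\s*Microsoft Teams\s*$", re.IGNORECASE)
TEAMS_PROCESSES = {"ms-teams.exe", "teams.exe"}
REMOTE_ASSIST = {"quickassist.exe"}          # extend with process names from the RMM lists
WINDOW = timedelta(minutes=15)               # assumed correlation window


def title_indicators(title):
    """Return the indicators found in a Teams window/chat title."""
    # Drop the app's own "| Microsoft Teams" suffix so 'team' in the regex does not fire on every title.
    body = TEAMS_SUFFIX.sub("", title)
    found = []
    if "(EXTERNAL)" in title:
        found.append("external")
    if SUPPORT_WORDS.search(body):
        found.append("support-themed")
    # Unicode category 'S*' covers symbols such as the checkmark used to make a chat look official.
    if any(unicodedata.category(c).startswith("S") for c in body):
        found.append("symbol-char")
    return found


def correlate(events):
    """Pair each remote-assist launch with a Teams window seen shortly before it on the same host/user."""
    ordered = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for e in ordered:
        if e["process"].lower() not in REMOTE_ASSIST:
            continue
        t_rmm = datetime.fromisoformat(e["ts"])
        for prior in ordered:
            if (prior["process"].lower() not in TEAMS_PROCESSES
                    or prior["host"] != e["host"] or prior["user"] != e["user"]):
                continue
            delta = t_rmm - datetime.fromisoformat(prior["ts"])
            if timedelta(0) <= delta <= WINDOW:
                alerts.append({
                    "host": e["host"], "user": e["user"], "rmm": e["process"],
                    "teams_title": prior["window_title"],
                    "indicators": title_indicators(prior["window_title"]),
                    "minutes_after_teams": round(delta.total_seconds() / 60, 1),
                })
    return alerts


def children_of_remote_assist(events):
    """Processes spawned with a remote-assist tool as parent (e.g. quickassist.exe)."""
    return [e for e in events if e["parent"].lower() in REMOTE_ASSIST]


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print("ALERT", a)
    for c in children_of_remote_assist(SAMPLE_EVENTS):
        print("CHILD", c["process"], "<-", c["parent"])
```

Only the WS01 sequence fires: the QuickAssist launch falls 4.5 minutes after a Teams window whose title is external, support-themed and carries a symbol character, and the cmd.exe child of quickassist.exe is listed separately. WS02's QuickAssist launch four hours after an ordinary meeting window is not paired.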
Anywho, some rules!
- Microsoft Blog rules (really good!)
- Microsoft's rules
- See "Hunting Queries" at https://for528.com/teams-threats
The following are the RMM-focused shortened links currently covered in FOR528. Our focus here is on MS Teams-based vishing that leads to RMM installation via social engineering. You can use the following resources to identify RMM tool names along with their process names, domain(s), and more for the purposes of blocking (prevention) and/or alerting (detection).
- for528.com/rmm -- splunk / security_content > remote_access_software.csv - Contains RMM names along with domain, process names, signer info, and commentary for reference
- for528.com/rmm2 -- svch0stz / velociraptor-detections - SuspiciousSoftware.csv - Includes RMM tool names along with process name regex patterns + references
- for528.com/rmm3 -- Trend Micro's "Analysis on legit tools abused in human operated ransomware" PDF
- 180+ pages covering a bevy of RMM tools and includes low level forensic analysis tips and tricks. SUPER useful if you run into one of the RMMs noted in this doc!
- for528.com/rmm4 -- 0x706972686f / RMM-Catalogue - rmm.csv - RMM names w/ domains & process names
- for528.com/rmm5 -- brokensound77 / RMM-detection.md - Detailed detection/hunting methodology along with plentiful process names, domains, and other metadata associated with top RMM tools
- for528.com/rmm6 -- redcanaryco / surveyor - remote-admin.json - JSON file with RMM names along with process names, domains, and signer names.
Do you have an APPROVED list? Great! Block everything else!
- NGFW -- Approve / block lists
- Start by approve listing the RMMs approved for use in your org
- Next, block RMMs or remote access tools just below your approvals using your NGFW's appropriate category name
- NGFW -- Block domains per RMM
- See provided shortened links below for associated domain names
- E/XDR -- Block by process name/signer name
- See below for details
Rather than just blocking the process name(s) associated with a given RMM, I recommend blocking by the OriginalFileName from the VERSIONINFO resource along with certificate signer name via your E/XDR, if you are able to do so.
- Example: Blocking Ninja RMM
- Block process name: "?:\\*NinjaRMMAgent*.exe"
- ALSO block OriginalFileName: NinjaRMMAgent
- ALSO block signer name: NinjaRMM, LLC
- NOTE: Blocking via signer name can be extremely useful, including helping block re-named RMM agents. However, since RMM developers may also provide non-RMM tools, you may cast a wide net and start blocking non-RMM tooling at first, requiring baselining/exceptions to hit maximum efficiency
- Block process name:
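The Ninja RMM example above (path glob, OriginalFileName and signer name, plus the caveat that signer-based blocking catches same-vendor non-RMM tools until exceptions are baselined) can be expressed as a small policy evaluator. This is an added example, not code from the original notes or from any E/XDR product: the Ninja values are the ones given above, while the event fields, the renamed-agent sample, and the "NinjaVendorDocsTool" approved exception are assumptions made up for illustration.

```python
import fnmatch

# Block rules in the style recommended above: path glob + OriginalFileName + signer name.
BLOCK_RULES = [
    {"name": "NinjaRMM",
     "path_glob": "?:\\*NinjaRMMAgent*.exe",       # process path pattern from the notes
     "original_filename": "NinjaRMMAgent",        # VERSIONINFO OriginalFileName
     "signer": "NinjaRMM, LLC"},                   # certificate signer name
]

# Approved exceptions are checked first so a signer-wide rule does not block sanctioned tools.
# The entry below is a hypothetical non-RMM tool from the same vendor, for illustration only.
APPROVED = [
    {"original_filename": "NinjaVendorDocsTool", "signer": "NinjaRMM, LLC"},
]


def _eq(a, b):
    return a.strip().lower() == b.strip().lower()


def matches_rule(event, rule):
    """Return which attributes of the event match the block rule (empty list = no match)."""
    reasons = []
    # Lower-case both sides so the glob comparison is case-insensitive on every platform.
    if fnmatch.fnmatchcase(event["path"].lower(), rule["path_glob"].lower()):
        reasons.append("path")
    if _eq(event.get("original_filename", ""), rule["original_filename"]):
        reasons.append("original_filename")
    if _eq(event.get("signer", ""), rule["signer"]):
        reasons.append("signer")
    return reasons


def evaluate(event):
    """Decide ('allow' | 'block', reasons) for one process-start event."""
    for exc in APPROVED:
        if _eq(event.get("original_filename", ""), exc["original_filename"]) and _eq(event.get("signer", ""), exc["signer"]):
            return "allow", ["approved-exception"]
    for rule in BLOCK_RULES:
        reasons = matches_rule(event, rule)
        if reasons:
            return "block", [f"{rule['name']}:{r}" for r in reasons]
    return "allow", []


# Constructed sample events (paths, names and the renamed binary are made up for the example).
STOCK_AGENT = {"path": "C:\\ProgramData\\NinjaRMMAgent\\NinjaRMMAgent.exe",
               "original_filename": "NinjaRMMAgent", "signer": "NinjaRMM, LLC"}
RENAMED_AGENT = {"path": "C:\\Users\\alice\\AppData\\Local\\Temp\\svc_update.exe",
                 "original_filename": "NinjaRMMAgent", "signer": "NinjaRMM, LLC"}
SAME_VENDOR_TOOL = {"path": "C:\\Program Files\\Vendor\\NinjaVendorDocsTool.exe",
                    "original_filename": "NinjaVendorDocsTool", "signer": "NinjaRMM, LLC"}
UNAPPROVED_SAME_VENDOR = {"path": "C:\\Program Files\\Vendor\\OtherTool.exe",
                          "original_filename": "OtherTool", "signer": "NinjaRMM, LLC"}
NOTEPAD = {"path": "C:\\Windows\\System32\\notepad.exe",
           "original_filename": "NOTEPAD.EXE", "signer": "Microsoft Windows"}

if __name__ == "__main__":
    for label, ev in [("stock", STOCK_AGENT), ("renamed", RENAMED_AGENT),
                      ("approved-vendor-tool", SAME_VENDOR_TOOL),
                      ("unapproved-vendor-tool", UNAPPROVED_SAME_VENDOR), ("notepad", NOTEPAD)]:
        print(label, evaluate(ev))
```

The renamed agent is caught by OriginalFileName and signer even though the path glob no longer matches, which is the point of layering the three attributes. The unapproved same-vendor tool is blocked on signer alone, illustrating the wide-net caveat, and the baselined exception for the documented tool shows how that is handled.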