Remote Assistance Tools - T1219
Updated: Jan 1
Let's talk about remote assistance tools! As you would expect, a remote assistance tool is used to assist end-users from a remote location. These tools are great and are widely used by helpdesk and IT support staff to help users with various workstation issues. If allowed within the settings of the host computer, the remote user can also share control of the host computer, opening files, accessing information, and inputting data by mouse and keyboard. This is extremely helpful for an IT professional who can remotely troubleshoot a problem. This type of access is just as beneficial for an attacker!
Standardize your remote assistance software
Identifying a remote assistance tool and standardizing it across your environment is essential. In addition, limiting access to those that need it and enabling MFA across the platform is just as important.

When a threat actor enters an environment, they look to establish persistence. Persistence is obtained in various ways; however, remote assistance tools are often the tool of choice. Remote access tools may be installed and used post-compromise as an alternate communications channel for redundant access or to establish an interactive remote desktop session with the target system. They may also be used as a malware component to establish a reverse connection or back-connect to a service or adversary-controlled system. These tools provide the operator with unfettered access to the host on which the software is installed. In addition, these tools often have file transfer features. As a result, we often see these tools used to facilitate data exfiltration and as a medium to get malicious files on a host.

Since many organizations do not have a standard remote assistance tool, detecting rogue installations can be challenging. We can help your organization detect remote assistance tool installations and put an action plan together to get them removed.
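Once a standard is chosen, rogue installations become something you can check for. The sketch below is an added example, not code from Inception Security: it classifies a software inventory export against one approved tool and the hosts allowed to run it. The choice of approved tool, the host names, the inventory rows, and the short watchlist are all constructed assumptions for illustration.

```python
import csv
import io
import re

# Assumptions for this example: the organization's chosen standard tool
# and the only hosts permitted to run it (both constructed).
APPROVED_TOOL = "teamviewer"
APPROVED_HOSTS = {"HELPDESK-01", "HELPDESK-02"}

# Illustrative watchlist of installed-software display names; a real
# deployment would maintain a much longer list.
WATCHLIST = {
    "teamviewer": re.compile(r"\bteamviewer\b", re.I),
    "anydesk": re.compile(r"\banydesk\b", re.I),
    "screenconnect": re.compile(r"\b(screenconnect|connectwise control)\b", re.I),
    "vnc": re.compile(r"\b(real|tight|ultra)?vnc\b", re.I),
}

# Constructed sample of a software inventory export (host, display name).
INVENTORY_CSV = """host,display_name
HELPDESK-01,TeamViewer 15
FIN-LT-07,AnyDesk
FIN-LT-07,Microsoft Office
ENG-WS-12,TeamViewer Host
HR-LT-03,TightVNC 2.8
"""

def classify(inventory_csv):
    """Return (host, tool, verdict) for every remote assistance tool found."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        host = row["host"].strip().upper()
        for tool, pattern in WATCHLIST.items():
            if not pattern.search(row["display_name"]):
                continue
            if tool != APPROVED_TOOL:
                verdict = "non-standard"
            elif host in APPROVED_HOSTS:
                verdict = "approved"
            else:
                # Standard tool, but on a host that has no need for it.
                verdict = "approved-tool-unauthorized-host"
            findings.append((host, tool, verdict))
            break
    return findings

def rogue(inventory_csv):
    """Only the findings that need follow-up."""
    return [f for f in classify(inventory_csv) if f[2] != "approved"]

if __name__ == "__main__":
    for host, tool, verdict in rogue(INVENTORY_CSV):
        print(f"{host}: {tool} -> {verdict}")
```

The third verdict matters as much as the second: the approved tool installed outside the helpdesk hosts is still an access path nobody signed off on.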
Block non-standard remote assistance software
Once the organization chooses a standard remote assistance tool, the next step would be to proactively block common remote assistance tools that are not standard in your organization. There are many ways remote assistance tools can be blocked within your network. A few examples would be.
We decided to create a running list of remote assistance tools that are common or that we have seen firsthand used by a threat actor to maintain persistence during an incident response engagement.
We are here to help!
Are you looking for ongoing advisory services to assist in identifying vulnerabilities and security policies that should be in place and help improve your security posture? The team at Inception Security™ has been leveraged to enhance the security posture of Fortune 100 companies and small and medium-sized businesses. Our team has a depth of knowledge in the cybersecurity industry and will be able to provide value to your business right away.
Contact Inception Security if your company is looking for advisory services.