Detecting Unauthorized Remote Access Tools (ScreenConnect Case)


Understanding the Risks of Unauthorized Remote Access Tools

In today's digital landscape, cybersecurity is more critical than ever. Unauthorized remote access tools (RATs) pose a significant threat to organizations, because they can give malicious actors control over systems and sensitive data. Such tools can be misused for spying, data exfiltration, or launching further attacks. The scenario described in this blog clearly illustrates the risks of unexpected remote access applications installed on endpoints.

Identifying the Unauthorized Installation

During a routine security operations center (SOC) investigation, analysts discovered an unexpected instance of a ScreenConnect client on one of the endpoints. The finding originated from automated network monitoring solutions that flagged the installation because of its unusual path: the application was located in a directory not authorized for such installations, which immediately raised questions about its legitimacy.

Steps Taken During the Investigation

The first action taken by the SOC was a thorough review of the processes running on the endpoint using the Get-Process command. Analysts scrutinized every third-party application that was actively running, particularly those related to ScreenConnect. They also checked user sessions with the query user command to determine who had last accessed the machine and when the application was launched.

Further investigation examined the installation location and how the application had been introduced to the system. The unusual file path indicated potential tampering or an unauthorized deployment. The investigation did face obstacles: access to some directories was limited, and an access-denied error was returned when analysts attempted to stop the ScreenConnect process. This limitation underscored the importance of thorough privilege management and monitoring.
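One way to script the triage steps above (process review, install-path check, and session listing) on a Windows endpoint, as an added example that is not code from the original post. The approved-path list, the function names, and the "ScreenConnect" process-name filter are assumptions to adapt to your own deployment policy.

```powershell
# Added example, not from the original post: triage ScreenConnect client
# processes and interactive sessions on a Windows endpoint, following the
# SOC steps described above. Run from an elevated PowerShell session.
# ASSUMPTION: $ApprovedRoots is a placeholder for the install locations
# your organization sanctions; adjust it to your deployment policy.
$ApprovedRoots = @(
    "$env:ProgramFiles\ScreenConnect Client",
    "${env:ProgramFiles(x86)}\ScreenConnect Client"
)

function Get-ScreenConnectTriage {
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.ProcessName -like '*ScreenConnect*' } |
        ForEach-Object {
            # Path and StartTime are unreadable for processes we lack rights to;
            # an unreadable path is itself a finding, so keep it for manual review.
            $path  = try { $_.Path } catch { $null }
            $start = try { $_.StartTime } catch { $null }
            $approved = $false
            foreach ($root in $ApprovedRoots) {
                if ($path -and $path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $approved = $true }
            }
            $verdict = if (-not $path) { 'REVIEW: path unreadable (access denied?)' }
                       elseif ($approved) { 'OK: expected install location' }
                       else { 'ALERT: unexpected install path' }
            [pscustomobject]@{ Pid = $_.Id; Name = $_.ProcessName; Path = $path; Started = $start; Verdict = $verdict }
        }
}

function Get-InteractiveSessions {
    # 'query user' prints fixed-width text; the SESSIONNAME column is blank for
    # disconnected sessions, so match rows by pattern instead of splitting on columns.
    $pattern = '^\s*>?(?<User>\S+)\s+(?:(?<Session>\S+)\s+)?(?<Id>\d+)\s+(?<State>\S+)\s+(?<Idle>\S+)\s+(?<Logon>.+)$'
    (& query user 2>$null) | Select-Object -Skip 1 | ForEach-Object {
        if ($_ -match $pattern) {
            [pscustomobject]@{ User = $Matches.User; Session = $Matches.Session; Id = [int]$Matches.Id
                               State = $Matches.State; Idle = $Matches.Idle; LogonTime = $Matches.Logon.Trim() }
        }
    }
}

# Correlate the two views: which session was active when the flagged process started?
Get-ScreenConnectTriage | Format-Table -AutoSize
Get-InteractiveSessions | Format-Table -AutoSize
```

A row with the verdict "ALERT" or "REVIEW" is the cue to preserve the binary and its directory before any remediation, since stopping the process may fail (as it did here) and the file path is the evidence.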

Outcome of the Investigation

After extensive analysis, the SOC traced the unauthorized installation to an internal employee who had used the ScreenConnect tool without proper authorization. The outcome led to immediate actions, such as revoking the individual's access rights and implementing stricter monitoring of remote access tools across the organization. The case served as a valuable lesson for the team on the need for comprehensive oversight of all remote access tools used within the network.

Takeaway: The Importance of Monitoring Remote Access Tools

Organizations must prioritize monitoring remote access tools, because unauthorized installations can lead to severe security risks. Having processes in place to identify, review, and restrict access to these tools is imperative. This case shows that vigilant monitoring of remote access is a cornerstone of an effective cybersecurity strategy.

Tools & Commands Used

  • Get-Process

  • query user

  • Checking file paths

  • Process Explorer