The purpose of this report is to detail the artefacts left by third-party remote access tools during their setup and use. A third-party remote access tool lets a person who is not physically in contact with a device control it, interact with it, and see its screen. Tools that do not allow visual interaction, such as PsExec, are out of scope for this study.
The motivation for this study came from a tweet by @IcsNick listing "Remote Admin Tools that are abused by threat actors" [1]. Threat actors do leverage these legitimate tools for several purposes: obtaining remote access to a device and persistence on it, pushing scripts and other tooling, and performing lateral movement to other devices in connected corporate information systems (e.g. between an IT provider and its customers). Therefore, based on IcsNick's comprehensive list and other public investigation reports, we decided to analyse a few of them, as a starting point, in order to understand exactly which artefacts these tools generate. The results are used to automate the detection of these tools during our investigations, so as to speed up the process and point the analyst to the relevant log files. Of course, the forensic or SOC analyst still has to determine whether a given tool was used legitimately by the IT team or by a malicious actor: the presence of the tool and its artefacts alone does not establish intent.
This report describes the artefacts of four remote admin tools: TeamViewer, AnyDesk, Atera and Splashtop, with a focus on the Windows platform. A part 2 of this article may follow, covering other tools and the artefacts left on other platforms.
Link to full report: IR-23-102-001_LegitRATS.pdf