Detecting Unauthorized Remote Access Trigger

There has been a rash of bad actors leveraging public remote-access services for persistence. Solutions like AnyDesk, TeamViewer, GoTo and the like are being installed in an effort to thwart the assault by threat-intel vendors on Cobalt Strike nodes. The trigger below is a rudimentary detection based on (IIRC) a hacking-tools detection by @ryanc (I'm sure he recognizes the code). If you know of other remote-access services, simply add their domain to the `ras_unauth_domains` map. Note that the trigger matches only on the server name — the TLS SNI for SSL_OPEN or the HTTP Host for HTTP_REQUEST — so a client that reaches the service by IP address, or through a relay hostname not under one of the listed domains, will not be flagged, while a user merely browsing a vendor's website will be. Treat a hit as a lead to investigate, and expect to exclude whichever remote-access tool your organization actually sanctions.

It’s not pretty, but it WILL alert you if Reveal(x) observes one of the domains below. Be sure to create a detection format with a friendly name for the `RASAbuse` detection type that the trigger commits.

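// Fire a detection when a client contacts a known remote-access (RMM) vendor
// domain. Matching is done on the server name only: the TLS SNI for SSL_OPEN
// and the Host header for HTTP_REQUEST. Connections made by IP address, or to
// relay hosts that are not under one of the listed domains, are not seen.
if (event === 'HTTP_REQUEST' || event === 'SSL_OPEN') {
  const cip = Flow.client.ipaddr;
  const sip = Flow.server.ipaddr;

  // Domains to watch, each mapped to the reason text shown in the detection.
  // A host matches when it equals the key or is a subdomain of it (for example
  // 'relay.anydesk.com'), so entries must be bare domains: no scheme, port or
  // path, and no regex syntax.
  const ras_unauth_domains = cache('unauth_ras_domains', () => ({
    'teamviewer.com'   : 'TeamViewer Remote Access',
    'gotomypc.com'     : 'Goto My PC Remote Access',
    'logmein.com'      : 'LogMeIn.com Remote Access',
    'splashtop.com'    : 'Splashtop Remote Access',
    'anydesk.com'      : 'Anydesk Remote Access',
    'screenconnect.com': 'ScreenConnect Remote Access',
    'atera.com'        : 'Atera Remote Access Agent ',
  }));

  // Pick the server name for this event. HTTP.host (not HTTP.uri) is used so
  // that a vendor name appearing in a URL path or query string cannot match.
  let host = '';
  switch (event) {
    case 'SSL_OPEN':
      host = SSL.host;
      break;
    case 'HTTP_REQUEST':
      host = HTTP.host;
      break;
    default:
      return;
  }
  // Bail out before any string operation so a missing name cannot throw.
  if (!host) {
    return;
  }

  // Normalise once: hostnames are case-insensitive, and an explicit port or a
  // trailing dot would otherwise defeat the suffix comparison below.
  host = String(host).toLowerCase().replace(/:\d+$/, '').replace(/\.$/, '');

  // Exact or parent-domain match. The previous `new RegExp(domain).test(host)`
  // was unanchored and treated '.' as a wildcard, so 'notanydesk.com',
  // 'anydesk.com.example' or any URI mentioning the vendor would also fire.
  const matched = Object.keys(ras_unauth_domains).find(
    (domain) => host === domain || host.endsWith('.' + domain),
  );
  if (matched === undefined) {
    return;
  }

  //### If you want a precision PCAP ###
  //# capture(); //<--Kick off Capture #
  //####################################

  // 'RASAbuse' must have a detection format configured to get a friendly name.
  commitDetection('RASAbuse', {
    categories: ['sec.exploit'],
    title: `${event} of suspicious Host from ${cip} for the name ${host} via: ${sip}`,
    participants: [
      { role: 'offender', object: cip },
      { role: 'victim', object: sip },
    ],
    description: '- **Reason: **' + ras_unauth_domains[matched],
    // One detection per server/client/host triple; repeats collapse onto it.
    identityKey: [sip, cip, host].join('!!'),
    riskScore: 65,
  });
  log(`${event} ${host}  Detection`);
}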


//Initiate packet capture each time a unauthorized domain is accessed
// Start a short, bounded packet capture of the current flow. The PCAP is
// named after the client and server endpoints so it can be tied back to the
// detection that triggered it. Not called by default: uncomment the
// capture() line in the trigger body to enable it.
function capture() {
  const clientEndpoint = `${Flow.client.ipaddr}:${Flow.client.port}`;
  const serverEndpoint = `${Flow.server.ipaddr}:${Flow.server.port}`;
  const pcapName = `UNAUTH_RAS_${clientEndpoint}-${serverEndpoint}`;

  Flow.captureStart(pcapName, {
    maxPackets: 30,          // stop after 30 packets
    maxPacketsLookback: 15,  // up to 15 lookback packets, per the original note
  });

  // Surface capture activity in the debug log.
  debug(`Start MAL PCAP: ${pcapName}`);
}
