Create microsoft365_teams_guest_rmm_deployment.yml #5066
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,56 @@ | ||
| title: Potential Malicious Guest Accounts and RMM Tool Deployment via Teams | ||
| id: aed9c24f-097a-4505-af85-74b4b83982b0 | ||
| status: experimental | ||
| description: Detects potential malicious guest accounts using onmicrosoft.com and deployment of RMM tools via Teams messages. | ||
| references: | ||
| - https://www.reliaquest.com/blog/black-basta-social-engineering-technique-microsoft-teams/ | ||
| - https://www.rapid7.com/blog/post/2024/05/10/ongoing-social-engineering-campaign-linked-to-black-basta-ransomware-operators/ | ||
| author: Saiprashanth Pulisetti ( @pulisettis ) | ||
| date: 2024-11-01 | ||
| tags: | ||
| - attack.initial-access | ||
| - attack.t1078 | ||
| - attack.execution | ||
| - attack.persistence | ||
| - attack.t1133 | ||
| - attack.defense-evasion | ||
| - attack.t1070 | ||
| - attack.collection | ||
| - attack.t1114 | ||
| logsource: | ||
| product: m365 | ||
| service: audit | ||
| detection: | ||
| selection_domain: | ||
| user.email: '*@*.onmicrosoft.com' | ||
| selection_extensions: | ||
| MessageURLs|endswith: | ||
| - .exe | ||
| - .msi | ||
| - .js | ||
|
Comment on lines
+28
to
+30
There was a problem hiding this comment. What's the reasoning behind selecting these extensions and not something else? There was a problem hiding this comment. Hi @nasbench ; recently I was working with a client and they had a massive email bombing attack followed by an teams guest message and then they sent a payload which contains a fake RMM tool so there are two messages the attacker sent via teams one is directly https://anydesk.com which is something similar to
and there is another message with IP as their URL ( could be a C2C ) :
So this is the reason why I've kept with .exe, .msi or .js. |
||
| selection_rmm: | ||
| MessageURLs|contains: | ||
| - ninjaone.com | ||
| - atera.com | ||
| - syncroweb.com | ||
| - superops.com | ||
| - n-able.com | ||
| - gotoremember.com | ||
| - barracudamsp.com | ||
| - manageengine.com | ||
| - site24x7.com | ||
| - paessler.com | ||
| - compuware.com | ||
| - teamviewer.com | ||
| - rippling.com | ||
| - msp360.com | ||
| - pulseway.com | ||
| - optimtune.com | ||
| - connectwise.com | ||
| - domotz.com | ||
| - anydesk.com | ||
| condition: selection_domain and (selection_extensions or selection_rmm) | ||
| falsepositives: | ||
| - Legitimate guest users | ||
| - Valid RMM tool deployments | ||
| level: high | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This doesn't really makes a lot of sense, can you please rephrase it. What's the relation between guest accounts and deployment of RMMs?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As I mentioned in the notes below, attackers are using Teams channels to send Remote Monitoring and Management (RMM) software, posing as fake Microsoft support agents and asking end users to download these RMM tools under the guise of troubleshooting assistance.