Threat actors have started leveraging a new RMM platform called Action1. This RMM has useful features. Let's take a look at what these are and how they use them🧵:
👀Console visibility:
➡️Missing Updates view
➡️Apps installed
➡️Detail info about the OS & Hardware of the host
Using Action1, they are seen executing commands, scripts and binaries. To do that, they must first create a "policy" or an "app". The name of those will show up in the command line during execution:
⚙️App Deployment:
➡️action1_agent.exe -> <binary running as system>
⚙️Command/Script execution:
➡️action1_agent.exe -> powershell.exe/cmd.exe
💡The action1_agent.exe cmdline contains the name of the policy set by the TAs.(see screenshot for details)
💡Command/Script will run with SYSTEM privs
Surprise, surprise, Action1 RMM has "Remote Desktop" capabilities 😅:
⚙️Dropping Into a Remote Session:
➡️ action1_remote.exe will execute to initiate the remote session. (See detailed execution in the screenshot)
🎯#Threat_Hunting Tips:
If you are using Action1 in your env, you can use the information from this thread to baseline your environment. You can then create personalized alerts to monitor execution with new policy names/deployment app names.
Unfortunately, it is very easy and free for threat actors to use the Action1 RMM for up to 100 endpoints.
I think we will see more TAs using this RMM in the feature. I will be creating a Threat Hunting Sigma rule soon to help with the initial search queries based on the above.
Share this Scrolly Tale with your friends.
A Scrolly Tale is a new way to read Twitter threads with a more visually immersive experience.
Discover more beautiful Scrolly Tales like this.