Tactical RMM is an open source RMM tool to help IT pros manage and maintain systems remotely. Built with Django and Vue, it has a Go agent and integrates with MeshCentral. While it’s great for sysadmins, there have been cases where attackers have used Tactical RMM for unauthorized access and control of networks.
Tactical RMM has real time remote shell access, remote file browsing, script execution, event log viewing and Windows patch management. These features allow admins to manage and troubleshoot systems without being physically present. But the same features can be used by attackers to maintain persistence in compromised networks.
Misuse by Threat Actors
Attackers have been using legitimate RMM tools like Tactical RMM so they can avoid deploying custom malware and reduce the chance of detection. With these tools in place, attackers can create backdoors for persistent access and command-and-control (C2) operations. For example, the Iranian-linked threat actor MuddyWater has been known to abuse such tools in its campaigns.
Detection Challenges
The misuse of legitimate RMM software is a challenge for detection and mitigation. Since these tools are used by managed service providers (MSPs) and IT help desks for legitimate purposes, distinguishing authorized from malicious use requires ongoing monitoring and analysis of network activity rather than simply flagging the software's presence. Attackers can also exploit the trust relationships within MSP networks and, through a single compromised MSP, impact a large number of that MSP's customers.
Mitigation Recommendations
Limit RMM tool usage to only authorized users and approved endpoints.
Use strong access controls and authentication.
Monitor for unusual network activity, including agents connecting to unfamiliar servers.
Review and update permissions and logs regularly.
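The detection challenge above and the mitigation list come down to one question: does each observed RMM agent match an approved deployment? The following Python script is an added example (not code from the original article or from the Tactical RMM project) that answers that question over constructed process-creation events. It compares each agent event against a baseline of approved hosts, an approved install directory, and approved server names. The agent image name, install directory, host names, and server names are all assumed placeholder values; replace them with the ones recorded for your own deployment.

```python
"""Flag RMM agent activity that falls outside an approved deployment.

Added example, not part of the original article or the Tactical RMM project.
All baseline values below are assumptions for illustration and must be
replaced with the inventory of your own environment.
"""
import json
from dataclasses import dataclass, field

# Assumed baseline of the approved deployment (constructed values).
APPROVED_SERVERS = {"rmm.example.internal"}
APPROVED_HOSTS = {"WS-001", "WS-002", "SRV-FILE01"}
# Assumed agent binary name and install directory; verify against your install.
AGENT_IMAGE = "tacticalrmm.exe"
EXPECTED_DIR = r"c:\program files\tacticalagent"

# Constructed sample of process-creation events, one JSON object per line.
# Fields: host, user, image (full path), dest_host (server the process contacted).
SAMPLE_EVENTS = r"""
{"host": "WS-001", "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Program Files\\TacticalAgent\\tacticalrmm.exe", "dest_host": "rmm.example.internal"}
{"host": "WS-002", "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Program Files\\TacticalAgent\\tacticalrmm.exe", "dest_host": "203.0.113.45"}
{"host": "HR-LAPTOP7", "user": "CORP\\jdoe", "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\tacticalrmm.exe", "dest_host": "203.0.113.45"}
{"host": "WS-001", "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\System32\\svchost.exe", "dest_host": "update.example.internal"}
"""


@dataclass
class Finding:
    """One deviation from the approved RMM baseline."""
    host: str
    reason: str
    event: dict = field(repr=False)


def parse_events(text: str) -> list[dict]:
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_agent_event(ev: dict) -> bool:
    """True when the event's image is the RMM agent binary (by file name)."""
    return ev.get("image", "").lower().endswith("\\" + AGENT_IMAGE)


def analyze(events: list[dict]) -> list[Finding]:
    """Return a finding for every way an agent event departs from the baseline.

    Checks, in order: host not in the approved inventory, agent launched from
    an unexpected directory, and agent contacting a server outside the
    approved set. A single event can yield several findings.
    """
    findings: list[Finding] = []
    for ev in events:
        if not is_agent_event(ev):
            continue  # unrelated process, not of interest here
        host = ev["host"]
        image_dir = ev["image"].lower().rsplit("\\", 1)[0]
        if host not in APPROVED_HOSTS:
            findings.append(Finding(host, "agent present on host outside the approved inventory", ev))
        if image_dir != EXPECTED_DIR:
            findings.append(Finding(host, f"agent started from unexpected path {ev['image']}", ev))
        dest = ev.get("dest_host")
        if dest and dest not in APPROVED_SERVERS:
            findings.append(Finding(host, f"agent contacting unapproved server {dest}", ev))
    return findings


def findings_by_host(findings: list[Finding]) -> dict[str, list[str]]:
    """Group finding reasons per host for a compact review listing."""
    grouped: dict[str, list[str]] = {}
    for f in findings:
        grouped.setdefault(f.host, []).append(f.reason)
    return grouped


if __name__ == "__main__":
    for host, reasons in findings_by_host(analyze(parse_events(SAMPLE_EVENTS))).items():
        print(host)
        for reason in reasons:
            print("  -", reason)
```

In the constructed sample, WS-001 is an approved host talking to the approved server and produces nothing; WS-002 is approved but its agent reports to an unknown address; and HR-LAPTOP7 trips all three checks: it is not in the inventory, the binary runs from a user's Temp directory, and it reports to the same unknown address. Feeding real process-creation and network-connection telemetry into the same checks is what turns "this tool is installed" into "this tool is installed where and how we did not intend it".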