How to Defend Against Routine Access Abuse in Modern Cyberattacks

A recent threat report by Blackpoint Cyber highlights a paradigm shift in the cybersecurity landscape. The era of sophisticated zero-day exploits as the primary initial access vector is waning. In its place, attackers are increasingly leveraging "routine access"—valid credentials, VPNs, and Remote Monitoring and Management (RMM) tools—to breach organizations.

For defenders, this is a critical realization. It means the perimeter isn't just being bypassed; it is being walked through the front door with a stolen key. This post analyzes the mechanics of routine access abuse and provides detection strategies to help your security team identify these threats before they escalate to ransomware.

Technical Analysis

The "routine access" threat model relies on abusing trusted mechanisms rather than exploiting software vulnerabilities. The primary vectors identified in recent reports include:

1. VPN Abuse: Attackers compromise valid user credentials (often via phishing or credential stuffing) to access corporate VPNs. Since the connection is authenticated, traditional perimeter defenses often allow the traffic without flagging it as malicious.
2. RMM Tool Hijacking: Managed Service Providers (MSPs) and internal IT teams use RMM software (e.g., ScreenConnect, AnyDesk, Datto) for remote administration. Attackers obtain credentials for these tools or exploit unpatched vulnerabilities in them to gain remote control over endpoints. This activity often appears as legitimate administrative behavior.
3. Social Engineering: The initial foothold is frequently achieved through business email compromise (BEC) or phishing, prompting users to hand over credentials or install malware under the guise of a routine task.

Severity: High. These attacks bypass standard signature-based antivirus and exploit-based detection.

Affected Systems:

• VPN Concentrators (GlobalProtect, Pulse Secure, OpenVPN)
• Remote Management Tools (ConnectWise, AnyDesk, TeamViewer)
• Active Directory / Identity Providers (Entra ID, Okta)

Defensive Monitoring

To detect routine access abuse, organizations must shift focus from blocking malicious files to monitoring for anomalous behavior involving trusted tools. Defenders should look for RMM tools spawning unexpected shells (like cmd.exe or powershell.exe) or VPN logins from unusual geographic locations.

SIGMA Detection Rules

The following SIGMA rules are designed to detect suspicious usage patterns of RMM tools and common post-exploitation activity often following credential theft.

---
title: Suspicious RMM Tool Spawning Shell
id: 1a2b3c4d-5e6f-4a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects when a known Remote Monitoring and Management (RMM) tool spawns a command shell or PowerShell, which may indicate a takeover of the administrative session.
references:
  - https://attack.mitre.org/techniques/T1219/
author: Security Arsenal
date: 2024/05/22
tags:
  - attack.command_and_control
  - attack.t1219
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|contains:
      - 'AnyDesk.exe'
      - 'teamviewer.exe'
      - 'ConnectWiseControl.Client.exe'
      - 'ScreenConnect.ClientService.exe'
      - 'RemoteDesktopManager.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  condition: selection
falsepositives:
  - Legitimate administrative troubleshooting by IT staff
level: medium
---
title: Potential LSASS Memory Access by Non-System Account
id: f0e1d2c3-b4a5-4f6e-7d8e-9f0a1b2c3d4e
status: experimental
description: Detects processes accessing LSASS memory, often indicative of credential dumping following an initial intrusion via valid credentials.
references:
  - https://attack.mitre.org/techniques/T1003/001/
author: Security Arsenal
date: 2024/05/22
tags:
  - attack.credential_access
  - attack.t1003.001
logsource:
  category: process_access
  product: windows
detection:
  selection:
    TargetImage|endswith: '\lsass.exe'
    GrantedAccess contains:
      - '0x1010'
      - '0x143a'
      - '0x1410'
      - '0x1018'
    SourceImage|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
      - '\rundll32.exe'
      - '\wmiprvse.exe'
  filter:
    SubjectUserName: 'SYSTEM'
  condition: selection and not filter
falsepositives:
  - Antivirus scanning
  - System backup processes
level: high

KQL Queries for Sentinel/Defender

Use these queries in Microsoft Sentinel or Microsoft Defender to hunt for suspicious RMM activity and VPN anomalies.

// Hunt for RMM tools spawning shells (DeviceProcessEvents)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName has_any ("AnyDesk", "TeamViewer", "ConnectWise", "ScreenConnect", "Datto")
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine
| order by Timestamp desc

// Hunt for suspicious VPN sign-in anomalies (SigninLogs)
SigninLogs
| where Timestamp > ago(3d)
| where AppDisplayName contains "VPN" or AppDisplayName contains "Remote"
| where ResultDescription == "Success"
| extend Location = strcat(Location, "-", LocationDetails)
| summarize Count = count() by UserPrincipalName, Location, AppDisplayName
| where Count < 5 // Filter for low-frequency or one-off logins from new locations
| project-away Count

Velociraptor VQL Hunt Queries

These Velociraptor VQL artifacts hunt for installed RMM tools and suspicious network connections associated with remote access abuse.

-- Hunt for installed RMM tools on endpoints
SELECT FullName, Size, Mtime
FROM glob(globs='C:/Program Files/**/*.exe')
WHERE FullName =~ 'AnyDesk' 
   OR FullName =~ 'TeamViewer'
   OR FullName =~ 'ConnectWise'
   OR FullName =~ 'ScreenConnect'

-- Hunt for processes connecting to non-standard ports (potential reverse shells via RMM)
SELECT Pid, Name, Cmdline, RemoteAddr, RemotePort
FROM netstat()
WHERE RemotePort > 1024 
   AND Name NOT IN ("chrome.exe", "firefox.exe", "msedge.exe", "svchost.exe")
   AND RemoteAddr != "127.0.0.1"

PowerShell Remediation Verification

This script helps identify local users who are members of high-privilege groups, a common target for attackers leveraging routine access.

# Audit Local Administrators Group Membership
$ComputerName = $env:COMPUTERNAME
$Group = "Administrators"

try {
    $Members = Get-LocalGroupMember -Group $Group -ErrorAction Stop
    Write-Host " auditing $ComputerName : $Group Group Members" -ForegroundColor Cyan
    
    foreach ($Member in $Members) {
        $Object = [PSCustomObject]@{
            ComputerName = $ComputerName
            GroupName    = $Group
            MemberName   = $Member.Name
            MemberClass  = $Member.ObjectClass
            Source       = $Member.SID
        }
        Write-Output $Object
    }
}
catch {
    Write-Error "Failed to retrieve group membership: $_"
}

Remediation

To protect against the abuse of routine access, organizations must adopt a Zero Trust mindset:

1. Enforce MFA Everywhere: Implement Multi-Factor Authentication (MFA) for VPNs, RMM tools, and all cloud-based admin consoles. This is the single most effective control against credential theft.
2. Implement Just-In-Time (JIT) Access: Remove standing admin rights. Use Privileged Access Management (PAM) solutions to grant elevated permissions only when needed and for a limited time.
3. RMM Tool Hardening: Ensure RMM tools are updated to the latest versions. Require MFA for accessing the RMM consoles and monitor all sessions initiated by these tools.
4. Network Segmentation: Segment critical servers and backup repositories from the general network. If an attacker compromises a workstation via RMM, they should not be able to easily move laterally to the crown jewels.
5. User Education: Train users to recognize social engineering attempts, particularly those requesting urgent access or credentials.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub