What are "dual-use tool" detection rules?
NAVIGATION Alerts
SECURITY Datto EDR subscription with administrator or analyst-level platform access or Datto AV subscription with administrator or analyst-level platform access
IMPORTANT Specific retention periods apply to all record types in Datto EDR and Datto AV. For more information, refer to Datto EDR and Datto AV data retention policies.
This article describes the purpose of the Dual-use tools detection rule and provides examples of business applications that may trigger the rule within a client's environment.
What are dual-use tools?
Dual-use tools are software applications that threat actors employ to facilitate their attacks. These programs are legitimate software applications capable of performing network, service, and process discovery, facilitating remote support sessions between a service desk and an endpoint, copying files, and carrying out many other remote activities. However, malicious individuals can employ these tools to perform reconnaissance of a target, breach its network, and carry out post-exploitation activities such as data exfiltration and malware deployment.
How does the detection rule work?
The Dual-use tools rule watches monitored endpoints for the execution of any process known to be associated with a dual-use application. In their default configuration, these rules are observe-only: the Endpoint Security agent logs the process execution but does not raise an alert or deploy a response action. When using dual-use tool rules in your environment, review the rule settings and enable alerting and response actions as needed.
When transitioning a rule to an actionable stance, it's important to understand that the default response recommendations are aggressive and not intended for organizations that permit the use of these programs. Although the Endpoint Security platform categorizes the severity of dual-use tool activity as "medium," potential response actions include terminating the application's processes, quarantining its executable files, and isolating the endpoint from the network to prevent threat actors from engaging in post-exploitation activities.
Dual-use applications
The Endpoint Security solution includes detection rules that you can leverage to monitor for activity from the following dual-use tools:
Process Hacker is a process and service discovery tool. Threat actors can also use it to dump process memory or detect and avoid sandboxed, virtualized, or debugged environments.
TeamViewer is a remote desktop application that malicious actors have leveraged to access networks and conduct post-exploitation activities. It is often used legitimately as technical support software and may be allowed by application control.
UltraVNC is a free remote access program that malicious actors have used to gain access to target networks and conduct post-exploitation activities.
ScreenConnect is a remote desktop application that malicious actors have used to access target networks and conduct post-exploitation activities. It is often used legitimately as technical support software and may be allowed by application control.
Advanced IP Scanner scans a target network and provides information about available devices, shared folders, and more. Threat actors have used it to gain intelligence for further compromise.
AdFind is a command-line Active Directory query tool. Threat actors have used it to conduct post-exploitation reconnaissance and discovery activities.
AnyDesk is a remote desktop application frequently leveraged by malicious actors in post-exploitation activities.
Protecting your users
Implement strict controls over which dual-use tools are allowed in your environment, the purposes for which they may be used, and who can use them. Regularly audit and approve remote control applications. Employ the principle of least privilege to keep your users and infrastructure safe.
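The following script is an added example, written for this article and not Datto EDR or Datto AV code, showing the two ideas above together: a dual-use tool rule that matches process-creation events against a catalog of known tool executables and stays observe-only by default, and an approval list that suppresses alerts for tools an organization permits specific users to run. The executable names in the catalog, the key=value log format, and the sample events are this example's own assumptions; the actual rule content and event format used by the Endpoint Security agent are not published on this page.

```python
"""Illustrative dual-use tool detection (example code, not Datto's own rule logic)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Executable names that identify each tool from the article. These names are an
# assumption made for this example, not the platform's rule definitions.
DUAL_USE_TOOLS = {
    "Process Hacker": {"processhacker.exe"},
    "TeamViewer": {"teamviewer.exe", "teamviewer_service.exe"},
    "UltraVNC": {"winvnc.exe", "vncviewer.exe"},
    "ScreenConnect": {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"},
    "Advanced IP Scanner": {"advanced_ip_scanner.exe"},
    "AdFind": {"adfind.exe"},
    "AnyDesk": {"anydesk.exe"},
}

# The aggressive default responses the article warns about, in escalation order.
DEFAULT_RESPONSES = ("terminate_process", "quarantine_executable", "isolate_endpoint")


@dataclass
class Policy:
    """mode 'observe' only logs matches; 'alert' raises findings and recommends responses."""
    mode: str = "observe"
    # tool name -> set of users permitted to run it (e.g. service desk accounts)
    approved: dict = field(default_factory=dict)


@dataclass
class Finding:
    host: str
    user: str
    tool: str
    image: str
    action: str                      # "log" or "alert"
    severity: Optional[str] = None   # "medium" when alerting, per the article
    responses: tuple = ()


# Constructed key=value event format; values containing spaces are double-quoted.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Parse one constructed process-creation line into a dict of fields."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in _KV.findall(line)}


def classify(image: str) -> Optional[str]:
    """Return the dual-use tool a process image belongs to, or None if it is not one."""
    name = re.split(r"[\\/]", image)[-1].lower()
    for tool, exes in DUAL_USE_TOOLS.items():
        if name in exes:
            return tool
    return None


def evaluate(events: list, policy: Policy) -> list:
    """Apply the rule to parsed events. Every match is logged; alerts depend on policy."""
    findings = []
    for ev in events:
        tool = classify(ev.get("image", ""))
        if tool is None:
            continue
        f = Finding(ev.get("host", "?"), ev.get("user", "?"), tool, ev["image"], "log")
        # Alert only when the rule is actionable and the user is not approved for this tool.
        if policy.mode == "alert" and ev.get("user") not in policy.approved.get(tool, set()):
            f.action, f.severity, f.responses = "alert", "medium", DEFAULT_RESPONSES
        findings.append(f)
    return findings


# Constructed sample events: one benign process, one approved remote-support session,
# one AD discovery run from a public folder, and AnyDesk run by two different users.
SAMPLE_LOG = """\
host=WS01 user=CORP\\jdoe image="C:\\Program Files\\TeamViewer\\TeamViewer.exe" cmdline="TeamViewer.exe"
host=WS01 user=CORP\\jdoe image="C:\\Windows\\System32\\notepad.exe" cmdline="notepad.exe"
host=SRV02 user=CORP\\svc-backup image="C:\\Users\\Public\\adfind.exe" cmdline="adfind.exe -f objectcategory=computer"
host=WS03 user=CORP\\helpdesk image="C:\\Users\\helpdesk\\AppData\\Local\\Temp\\AnyDesk.exe" cmdline="AnyDesk.exe --service"
host=WS03 user=CORP\\mallory image="C:\\Users\\mallory\\Downloads\\AnyDesk.exe" cmdline="AnyDesk.exe"
"""

# Hypothetical approval list: the service desk may run AnyDesk, jdoe may run TeamViewer.
ALERT_POLICY = Policy(mode="alert", approved={"TeamViewer": {"CORP\\jdoe"}, "AnyDesk": {"CORP\\helpdesk"}})


def run(policy: Policy) -> list:
    """Parse the constructed sample log and evaluate it under the given policy."""
    events = [parse_event(line) for line in SAMPLE_LOG.splitlines() if line.strip()]
    return evaluate(events, policy)


if __name__ == "__main__":
    for f in run(ALERT_POLICY):
        extra = f" -> {', '.join(f.responses)}" if f.responses else ""
        print(f"{f.action.upper():5} {f.host} {f.user} {f.tool} ({f.image}){extra}")
```

Under the default `Policy()` every match is recorded but nothing is escalated, which mirrors the observe-only default described above; switching to `ALERT_POLICY` produces medium-severity alerts only for the unapproved AdFind and AnyDesk executions, while the approved TeamViewer and service desk AnyDesk sessions are still logged for audit. The approval list is where the "who may use which tool" decision from the previous section lives, so it should be reviewed on the same schedule as the remote control applications themselves.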