
Uptick in Bomgar RMM Exploitation
Indicators of Compromise
No domains found for this campaign
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
DETECTION
| Detection | MITRE ATT&CK | Data Sources | Detection Logic |
| --- | --- | --- | --- |
| Unauthorized Domain Admin Account Creation via Bomgar | | Windows Event Log (4720, 4728) · Command Execution · Active Directory Logs | `net user /add /domain` or `net group "Domain Admins" /add` executed under SYSTEM context with bomgar-scc.exe as parent process |
| BYOVD Driver Load — Known Malicious Drivers | | Kernel Driver Load Events · Sysmon EID 6 · EDR Telemetry | PoisonX.sys or hrwfpdrv.sys loaded; abrupt termination of AV/EDR processes following the driver load |
| Unauthorized RMM Deployment (AnyDesk / Atera / SimpleHelp) | T1133 — External Remote Services · T1036.005 — Masquerading: Match Legitimate Name | Process Creation · File Monitoring · Network Connection Logs | RMM binary (AnyDesk.exe, atera_agent.exe) launched via Bomgar; renamed SimpleHelp PE with mismatched metadata dropped to C:\ProgramData\ |
| AteraAge Scheduled Task Creation | | Windows Event Log (4698) · Task Scheduler Logs · Sysmon EID 11 | Scheduled task named AteraAge created outside the approved IT management process; task executable path points to a non-standard Atera binary location |
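As an added example (not part of the original report), the four detection rows above expressed as one routine over normalised Windows/Sysmon event records. The approved Atera install root, the flat event schema and the sample telemetry are assumptions constructed for the demonstration.

```python
import re
from pathlib import PureWindowsPath

# Values taken from the report's detection rows.
BOMGAR_PARENT = "bomgar-scc.exe"
BAD_DRIVERS = {"poisonx.sys", "hrwfpdrv.sys"}
RMM_BINARIES = {"anydesk.exe", "atera_agent.exe"}
# Assumption (not in the report): the approved Atera install root; anything else is "non-standard".
APPROVED_ATERA_DIR = "c:\\program files\\atera networks\\"
NET_ADD = re.compile(
    r'net\s+(?:user\s+\S+(?:\s+\S+)?\s+/add\s+/domain|group\s+"domain admins"\s+\S+\s+/add)', re.I)
def base(path):  # lower-cased file name of a Windows path, '' when absent
    return PureWindowsPath(path).name.lower() if path else ""

def detect(ev):
    """Return the detection names one normalised event record triggers (empty list = clean)."""
    hits, eid = [], ev.get("EventID")
    image, parent = ev.get("Image", ""), base(ev.get("ParentImage"))
    if eid == 1 and parent == BOMGAR_PARENT:  # Sysmon EID 1: process spawned by the Bomgar client
        if ev.get("User", "").upper().endswith("SYSTEM") and NET_ADD.search(ev.get("CommandLine", "")):
            hits.append("Unauthorized Domain Admin Account Creation via Bomgar")
        if base(image) in RMM_BINARIES:
            hits.append("Unauthorized RMM Deployment")
    if eid == 1 and image.lower().startswith("c:\\programdata\\"):
        orig = ev.get("OriginalFileName", "").lower()  # PE version-resource name Sysmon records
        if orig and orig != base(image):  # on-disk name does not match the binary's own metadata
            hits.append("Unauthorized RMM Deployment")
    if eid == 6 and base(ev.get("ImageLoaded")) in BAD_DRIVERS:  # Sysmon EID 6: driver load
        hits.append("BYOVD Driver Load")
    if eid == 4698 and "ateraage" in ev.get("TaskName", "").lower():  # Security 4698: task created
        if not ev.get("TaskCommand", "").lower().startswith(APPROVED_ATERA_DIR):
            hits.append("AteraAge Scheduled Task Creation")
    return hits

def scan(events):
    """Map the index of every triggering event to its detections."""
    return {i: h for i, ev in enumerate(events) if (h := detect(ev))}

# Constructed sample telemetry (not real data), flattened to one dict per event.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\net.exe", "ParentImage": r"C:\ProgramData\bomgar-scc.exe",
     "User": r"NT AUTHORITY\SYSTEM", "CommandLine": 'net group "Domain Admins" svc_backup /add /domain'},
    {"EventID": 1, "Image": r"C:\ProgramData\AnyDesk.exe", "ParentImage": r"C:\ProgramData\bomgar-scc.exe",
     "User": r"NT AUTHORITY\SYSTEM", "CommandLine": "AnyDesk.exe --silent"},
    {"EventID": 1, "Image": r"C:\ProgramData\svchost32.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"CORP\jdoe", "OriginalFileName": "rmm_agent.exe"},  # constructed metadata mismatch
    {"EventID": 6, "ImageLoaded": r"C:\Windows\Temp\hrwfpdrv.sys"},
    {"EventID": 4698, "TaskName": r"\AteraAge", "TaskCommand": r"C:\ProgramData\atera_agent.exe"},
    {"EventID": 4698, "TaskName": r"\AteraAge", "TaskCommand": r"C:\Program Files\ATERA Networks\AteraAgent.exe"},
]
```

Running `scan(SAMPLE_EVENTS)` flags the first five records and leaves the task created from the approved Atera path alone.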