With the growing number of remote workplaces and the widespread use of cloud technologies, securing endpoints has become a top priority for IT professionals around the world. Detecting remote access software is a growing concern, because such software is often the entry point for malicious actors.

Background

Remote Access Tools (RATs) have been around for quite some time. While they are very useful for remote troubleshooting and administrative tasks, they can also be abused by attackers to gain unauthorized access to systems. For IT professionals and Managed Service Providers (MSPs), it is important to know how to detect these tools on a system. That knowledge serves as a first line of defense against potential security breaches and unauthorized data access.

The script:
```powershell
#Requires -Version 5.1

<#
.SYNOPSIS
    This script will look for remote access tools installed on the system. It can be given a list of tools to ignore as well as grab the exclusion list from a designated custom field.

    DISCLAIMER: This script is provided as a best effort for detecting remote access software installed on an agent, but it is not guaranteed to be 100% accurate.
    Some remote access software may not be detected, or false positives may be reported. Use this script at your own risk and verify its results with other methods where possible.
.DESCRIPTION
    This script will look for remote access tools installed on the system. Below is the full list of tools.
    Please note you can give it a list of tools to ignore and you can have it grab the list from a custom field of your choosing.

    DISCLAIMER: This script is provided as a best effort for detecting remote access software installed on an agent, but it is not guaranteed to be 100% accurate.
    Some remote access software may not be detected, or false positives may be reported. Use this script at your own risk and verify its results with other methods where possible.

    Remote Tools:
    AeroAdmin, Ammyy Admin, AnyDesk, BeyondTrust, Chrome Remote Desktop, Connectwise Control, DWService, GoToMyPC, LiteManager, LogMeIn,
    ManageEngine, NoMachine, Parsec, Remote Utilities, RemotePC, Splashtop, Supremo, TeamViewer, TightVNC, UltraVNC, VNC Connect (RealVNC), Zoho Assist

    RMM's:
    Atera, Automate, Datto RMM, Kaseya, N-Able N-Central, N-Able N-Sight, Syncro
.EXAMPLE
    (No Parameters)

    Name                  CurrentlyRunning HasRunningService UninstallString
    ----                  ---------------- ----------------- ---------------
    Connectwise Control   Yes              Yes               MsiExec /X{examplestring}
    Chrome Remote Desktop Yes              Yes               MsiExec /X{examplestring}

PARAMETER: -ExcludeTools "Chrome Remote Desktop,Connectwise Control"
    A comma separated list of tools you'd like to exclude from alerting on.
.EXAMPLE
    -ExcludeTools "Chrome Remote Desktop,Connectwise Control"

    We couldn't find any active remote access tools!

PARAMETER: -ExclusionsFromCustomField "ReplaceMeWithAnyTextCustomField"
    The name of a custom field that contains a comma separated list of tools to exclude from alerting. ex. "ApprovedRemoteTools"
.EXAMPLE
    -ExclusionsFromCustomField "ReplaceMeWithAnyTextCustomField"

    We couldn't find any active remote access tools!

PARAMETER: -ExportCSV "ReplaceMeWithAnyMultiLineCustomField"
    The name of a multiline custom field to export to in csv format. ex. "RemoteTools"
.EXAMPLE
    -ExportCSV "ReplaceMeWithAnyMultiLineCustomField"

    Name                  CurrentlyRunning HasRunningService UninstallString
    ----                  ---------------- ----------------- ---------------
    Connectwise Control   Yes              Yes               MsiExec /X{examplestring}
    Chrome Remote Desktop Yes              Yes               MsiExec /X{examplestring}

PARAMETER: -ExportJSON "ReplaceMeWithAnyMultiLineCustomField"
    The name of a multiline custom field to export to in JSON format. ex. "RemoteTools"
.EXAMPLE
    -ExportJSON "ReplaceMeWithAnyMultiLineCustomField"

    Name                  CurrentlyRunning HasRunningService UninstallString
    ----                  ---------------- ----------------- ---------------
    Connectwise Control   Yes              Yes               MsiExec /X{examplestring}
    Chrome Remote Desktop Yes              Yes               MsiExec /X{examplestring}

PARAMETER: -ShowNotFound
    Show the tools the script did not find as well.
.EXAMPLE
    -ShowNotFound

    Name                  CurrentlyRunning HasRunningService UninstallString
    ----                  ---------------- ----------------- ---------------
    AeroAdmin             No               No
    Ammyy Admin           No               No
    BeyondTrust           No               No
    Connectwise Control   Yes              Yes               MsiExec /X{examplestring}
    Chrome Remote Desktop Yes              Yes               MsiExec /X{examplestring}
.OUTPUTS
    None
.NOTES
    General notes: CustomFields must be multiline for export. Regular text is fine for ExclusionsFromCustomField
    Release notes: Initial Release
By using this script, you indicate your acceptance of the following legal terms as well as our Terms of Use at https://www.ninjaone.com/de/nutzungsbedingungen
    Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms.
    Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party.
    Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library or website belonging to or under the control of any other software provider.
    Warranty Disclaimer: The script is provided "as is" and "as available", without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations.
    Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks.
    Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script.
    EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).
#>

[CmdletBinding()]
param (
    [Parameter()]
    [String]$ExcludeTools,
    [Parameter()]
    [String]$ExclusionsFromCustomField,
    [Parameter()]
    [String]$ExportCSV,
    [Parameter()]
    [String]$ExportJSON,
    [Parameter()]
    [Switch]$ShowNotFound
    <#
    ## ParameterName              Requirement  DefaultValue  Type      Options  Description ##
    ExcludeTools                  Optional     none          TEXT               Comma separated list of tools you would not like to look for.
    ExclusionsFromCustomField     Optional     none          TEXT               Name of custom field you would like to grab exclusions from.
    ExportCSV                     Optional     none          TEXT               Name of multi-line custom field you would like to export results to. It will export them in csv format.
    ExportJSON                    Optional     none          TEXT               Name of multi-line custom field you would like to export results to. It will export them in json format.
    ShowNotFound                  Optional     false         CHECKBOX           Show results even if it didn't find that specific tool.
    #>
)

begin {
    # DISCLAIMER: This script is provided as a best effort for detecting remote access software installed on an agent, but it is not guaranteed to be 100% accurate.
    # Some remote access software may not be detected, or false positives may be reported. Use this script at your own risk and verify its results with other methods where possible.

    # Checks the two Uninstall registry keys (64-bit and 32-bit/WOW6432Node) to see if the app is installed. Needs the name as it would appear in Control Panel.
    function Find-UninstallKey {
        [CmdletBinding()]
        param (
            [Parameter(ValueFromPipeline)]
            [String]$DisplayName,
            [Parameter()]
            [Switch]$UninstallString
        )
        process {
            $UninstallList = New-Object System.Collections.Generic.List[Object]

            $Result = Get-ChildItem "HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | Get-ItemProperty | Where-Object { $_.DisplayName -like "*$DisplayName*" }
            # Add each matching key individually so a multi-match result is not stored as a single nested array.
            if ($Result) { $Result | ForEach-Object { $UninstallList.Add($_) } }

            $Result = Get-ChildItem "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*" | Get-ItemProperty | Where-Object { $_.DisplayName -like "*$DisplayName*" }
            if ($Result) { $Result | ForEach-Object { $UninstallList.Add($_) } }

            # Programs don't always have an uninstall string listed here so to account for that I made this optional.
            if ($UninstallString) {
                $UninstallList | Select-Object -ExpandProperty UninstallString -ErrorAction Ignore
            }
            else {
                $UninstallList
            }
        }
    }

    # This will see if the process is currently active. Some people may want to react sooner to these alerts if it's currently running vs not.
    function Find-Process {
        [CmdletBinding()]
        param(
            [Parameter(ValueFromPipeline)]
            [String]$Name
        )
        process {
            Get-Process | Where-Object { $_.ProcessName -like "*$Name*" } | Select-Object -ExpandProperty Name
        }
    }

    # This will search C:\Program Files, C:\Program Files (x86) and C:\ProgramData for the executable these tools use to run.
    # With -Special the path is taken as an absolute path and tested as-is.
    function Find-Executable {
        [CmdletBinding()]
        param(
            [Parameter(ValueFromPipeline)]
            [String]$Path,
            [Parameter()]
            [Switch]$Special
        )
        process {
            if (!$Special) {
                if (Test-Path "$env:ProgramFiles\$Path") { "$env:ProgramFiles\$Path" }
                if (Test-Path "${Env:ProgramFiles(x86)}\$Path") { "${Env:ProgramFiles(x86)}\$Path" }
                if (Test-Path "$env:ProgramData\$Path") { "$env:ProgramData\$Path" }
            }
            else {
                if (Test-Path $Path) { $Path }
            }
        }
    }

    # Brought Get-CimInstance outside the function for better performance.
    $ServiceList = Get-CimInstance win32_service
    function Find-Service {
        [CmdletBinding()]
        param(
            [Parameter(ValueFromPipeline)]
            [String]$Name
        )
        process {
            # Get-Service will display an error every time it has an issue reading a service. Ignoring them as they're not relevant.
            # "Disabled" is a StartMode value, "Stopped" is a State value, so both properties are checked.
            $ServiceList | Where-Object { $_.StartMode -notlike "Disabled" -and $_.State -notlike "Stopped" } | Where-Object { $_.PathName -like "*$Name.exe*" }
        }
    }

    function Export-CustomField {
        [CmdletBinding()]
        param(
            [Parameter()]
            [String]$Name,
            [Parameter()]
            [ValidateSet("csv", "json")]
            [String]$Format,
            [Parameter()]
            [PSCustomObject]$Object
        )
        if ($Format -eq "csv") {
            $csv = $Object | ConvertTo-Csv -NoTypeInformation | Out-String
            Ninja-Property-Set $Name $csv
        }
        else {
            $json = $Object | ConvertTo-Json | Out-String
            Ninja-Property-Set $Name $json
        }
    }

    # This defines what tools we're looking for and how the script can find them. Some don't actually install anywhere (portable app), others do.
    # Some change their installation path every time so it's not particularly worth it to find them that way.
    # Others store themselves in a super weird directory. Many don't list exactly where their .exe file is stored and suggest you exclude the whole folder from the AV.
    $RemoteToolList = @(
        [PSCustomObject]@{Name = "AeroAdmin"; ProcessName = "AeroAdmin" }
        [PSCustomObject]@{Name = "Ammyy Admin"; ProcessName = "AA_v3" }
        [PSCustomObject]@{Name = "AnyDesk"; DisplayName = "AnyDesk"; ProcessName = "AnyDesk"; ExecutablePath = "AnyDesk\AnyDesk.exe" }
        [PSCustomObject]@{Name = "BeyondTrust"; DisplayName = "Remote Support Jump Client", "Jumpoint"; ProcessName = "bomgar-jpt" }
        [PSCustomObject]@{Name = "Chrome Remote Desktop"; DisplayName = "Chrome Remote Desktop Host"; ProcessName = "remoting_host"; ExecutablePath = "Google\Chrome Remote Desktop\112.0.5615.26\remoting_host.exe" }
        [PSCustomObject]@{Name = "Connectwise Control"; DisplayName = "ScreenConnect Client"; ProcessName = "ScreenConnect.ClientService" }
        [PSCustomObject]@{Name = "DWService"; DisplayName = "DWAgent"; ProcessName = "dwagent", "dwagsvc"; ExecutablePath = "DWAgent\runtime\dwagent.exe" }
        [PSCustomObject]@{Name = "GoToMyPC"; DisplayName = "GoToMyPC"; ProcessName = "g2comm", "g2pre", "g2svc", "g2tray"; ExecutablePath = "GoToMyPC\g2comm.exe", "GoToMyPC\g2pre.exe", "GoToMyPC\g2svc.exe", "GoToMyPC\g2tray.exe" }
        [PSCustomObject]@{Name = "LiteManager"; DisplayName = "LiteManager Pro - Server"; ProcessName = "ROMServer", "ROMFUSClient"; ExecutablePath = "LiteManager Pro - Server\ROMFUSClient.exe", "LiteManager Pro - Server\ROMServer.exe" }
        [PSCustomObject]@{Name = "LogMeIn"; DisplayName = "LogMeIn"; ProcessName = "LogMeIn"; ExecutablePath = "LogMeIn\x64\LogMeIn.exe", "LogMeIn\x64\LogMeInSystray.exe" }
        [PSCustomObject]@{Name = "ManageEngine"; DisplayName = "ManageEngine Remote Access Plus - Server", "ManageEngine UEMS - Agent"; ProcessName = "dcagenttrayicon", "UEMS", "dcagentservice"; ExecutablePath = "UEMS_Agent\bin\dcagenttrayicon.exe", "UEMS_CentralServer\bin\UEMS.exe", "UEMS_Agent\bin\dcagentservice.exe" }
        [PSCustomObject]@{Name = "NoMachine"; DisplayName = "NoMachine"; ProcessName = "nxd", "nxnode.bin", "nxserver.bin", "nxservice64"; ExecutablePath = "NoMachine\bin\nxd.exe", "NoMachine\bin\nxnode.bin", "NoMachine\bin\nxserver.bin", "NoMachine\bin\nxservice64.exe" }
        [PSCustomObject]@{Name = "Parsec"; DisplayName = "Parsec"; ProcessName = "parsecd", "pservice"; ExecutablePath = "Parsec\parsecd.exe", "Parsec\pservice.exe" }
        [PSCustomObject]@{Name = "Remote Utilities"; DisplayName = "Remote Utilities - Host"; ProcessName = "rutserv", "rfusclient"; ExecutablePath = "Remote Utilities - Host\rfusclient.exe" }
        [PSCustomObject]@{Name = "RemotePC"; DisplayName = "RemotePC"; ProcessName = "RemotePCHostUI", "RPCPerformanceService"; ExecutablePath = "RemotePC Host\RemotePCHostUI.exe", "RemotePC Host\RemotePCPerformance\RPCPerformanceService.exe" }
        [PSCustomObject]@{Name = "Splashtop"; DisplayName = "Splashtop Streamer"; ProcessName = "SRAgent", "SRAppPB", "SRFeature", "SRManager", "SRService"; ExecutablePath = "Splashtop\Splashtop Remote\Server\SRService.exe" }
        [PSCustomObject]@{Name = "Supremo"; ProcessName = "Supremo", "SupremoHelper", "SupremoService"; ExecutablePath = "Supremo\SupremoService.exe" }
        [PSCustomObject]@{Name = "TeamViewer"; DisplayName = "TeamViewer"; ProcessName = "TeamViewer", "TeamViewer_Service", "tv_w32", "tv_x64"; ExecutablePath = "TeamViewer\TeamViewer.exe", "TeamViewer\TeamViewer_Service.exe", "TeamViewer\tv_w32.exe", "TeamViewer\tv_x64.exe" }
        [PSCustomObject]@{Name = "TightVNC"; DisplayName = "TightVNC"; ProcessName = "tvnserver"; ExecutablePath = "TightVNC\tvnserver.exe" }
        [PSCustomObject]@{Name = "UltraVNC"; DisplayName = "UltraVNC"; ProcessName = "winvnc"; ExecutablePath = "uvnc bvba\UltraVNC\WinVNC.exe" }
        [PSCustomObject]@{Name = "VNC Connect (RealVNC)"; DisplayName = "VNC Server"; ProcessName = "vncserver"; ExecutablePath = "RealVNC\VNC Server\vncserver.exe" }
        [PSCustomObject]@{Name = "Zoho Assist"; DisplayName = "Zoho Assist Unattended Agent"; ProcessName = "ZohoURS", "ZohoURSService"; ExecutablePath = "ZohoMeeting\UnAttended\ZohoMeeting\ZohoURS.exe", "ZohoMeeting\UnAttended\ZohoMeeting\ZohoURSService.exe" }
        [PSCustomObject]@{Name = "Atera"; DisplayName = "AteraAgent"; ProcessName = "AteraAgent"; ExecutablePath = "ATERA Networks\AteraAgent\AteraAgent.exe" }
        [PSCustomObject]@{Name = "Automate"; DisplayName = "Connectwise Automate"; ProcessName = "LTService", "LabTechService"; SpecialExecutablePath = "C:\Windows\LTSvc\LTSvc.exe" }
        [PSCustomObject]@{Name = "Datto RMM"; DisplayName = "Datto RMM"; ProcessName = "AEMAgent"; ExecutablePath = "CentraStage\AEMAgent\AEMAgent.exe", "CentraStage\gui.exe" }
        [PSCustomObject]@{Name = "Kaseya"; DisplayName = "Kaseya Agent"; ProcessName = "AgentMon", "KaseyaRemoteControlHost", "Kasaya.AgentEndpoint"; ExecutablePath = "Kaseya\AgentMon\AgentMon.exe" }
        [PSCustomObject]@{Name = "N-Able N-Central"; DisplayName = "Windows Agent"; ProcessName = "winagent"; ExecutablePath = "N-able Technologies\Windows Agent\winagent.exe" }
        [PSCustomObject]@{Name = "N-Able N-Sight"; DisplayName = "Advanced Monitoring Agent"; ProcessName = "winagent"; ExecutablePath = "Advanced Monitoring Agent\winagent.exe", "Advanced Monitoring Agent GP\winagent.exe" }
        [PSCustomObject]@{Name = "Syncro"; DisplayName = "Syncro", "Kabuto"; ProcessName = "Syncro.App.Runner", "Kabuto.App.Runner", "Syncro.Service.Runner", "Kabuto.Service.Runner", "SyncroLive.Agent.Runner", "Kabuto.Agent.Runner", "SyncroLive.Agent.Service", "Syncro.Access.Service", "Syncro.Access.App"; ExecutablePath = "RepairTech\Syncro\Syncro.Service.Runner.exe", "RepairTech\Syncro\Syncro.App.Runner.exe" }
    )
}

process {
    # Let's see what tools we don't want to alert on.
    # Each comma separated entry is trimmed and added individually; adding the whole array to a List[String] would join it into one string and nothing would ever match.
    $ExcludedTools = New-Object System.Collections.Generic.List[String]
    if ($ExcludeTools) {
        $ExcludeTools.Split(',') | ForEach-Object { $ExcludedTools.Add($_.Trim()) }
    }

    # Grabs the info we need from a textbox.
    if ($env:ExcludeTools) {
        $env:ExcludeTools.Split(',') | ForEach-Object { $ExcludedTools.Add($_.Trim()) }
    }

    # For this kind of alert it might be worth it to create a whole custom field of ignorables.
    if ($ExclusionsFromCustomField) {
        (Ninja-Property-Get $ExclusionsFromCustomField) -split ',' | ForEach-Object { $ExcludedTools.Add($_.Trim()) }
    }
    if ($env:ExclusionsFromCustomField) {
        (Ninja-Property-Get $env:ExclusionsFromCustomField) -split ',' | ForEach-Object { $ExcludedTools.Add($_.Trim()) }
    }

    if ($ExportCSV -or $Env:ExportCSV) {
        $Format = "csv"
        if ($ExportCSV) { $ExportResults = $ExportCSV }
        if ($env:ExportCSV) { $ExportResults = $env:ExportCSV }
    }
    elseif ($ExportJSON -or $env:ExportJSON) {
        $Format = "json"
        if ($ExportJSON) { $ExportResults = $ExportJSON }
        if ($env:ExportJSON) { $ExportResults = $env:ExportJSON }
    }

    # This takes our list and begins searching by the 4 methods in the begin block.
    $RemoteAccessTools = $RemoteToolList | ForEach-Object {
        $UninstallKey = if ($_.DisplayName) { $_.DisplayName | Find-UninstallKey }
        $UninstallInfo = if ($_.DisplayName) { $_.DisplayName | Find-UninstallKey -UninstallString }
        $RunningStatus = if ($_.ProcessName) { $_.ProcessName | Find-Process }
        $ServiceStatus = if ($_.ProcessName) { $_.ProcessName | Find-Service }
        $InstallPath = if ($_.ExecutablePath) { $_.ExecutablePath | Find-Executable } elseif ($_.SpecialExecutablePath) { $_.SpecialExecutablePath | Find-Executable -Special }

        if ($UninstallKey -or $RunningStatus -or $InstallPath -or $ServiceStatus) {
            $Installed = "Yes"
        }
        else {
            $Installed = "No"
        }

        [PSCustomObject]@{
            Name              = $_.Name
            Installed         = $Installed
            CurrentlyRunning  = if ($RunningStatus) { "Yes" } else { "No" }
            HasRunningService = if ($ServiceStatus) { "Yes" } else { "No" }
            UninstallString   = $UninstallInfo
            ExePath           = $InstallPath
        } | Where-Object { $ExcludedTools -notcontains $_.Name }
    }

    $ActiveRemoteAccessTools = $RemoteAccessTools | Where-Object { $_.Installed -eq "Yes" }

    # If we found anything in any of the checks we're gonna indicate it's installed but we may also want to save our results to a custom field.
    # We also may want to output more than "We couldn't find any active remote access tools!" in the event we find nothing.
    if ($ShowNotFound -or $env:ShowNotFound) {
        $RemoteAccessTools | Format-Table -Property Name, Installed, CurrentlyRunning, HasRunningService, UninstallString -AutoSize -Wrap | Out-String | Write-Host
        if ($ExportResults) {
            Export-CustomField -Name $ExportResults -Format $Format -Object ($RemoteAccessTools | Select-Object Name, Installed, CurrentlyRunning, HasRunningService)
        }
    }
    else {
        if ($ActiveRemoteAccessTools) {
            $ActiveRemoteAccessTools | Format-Table -Property Name, CurrentlyRunning, HasRunningService, UninstallString -AutoSize -Wrap | Out-String | Write-Host
            if ($ExportResults) {
                Export-CustomField -Name $ExportResults -Format $Format -Object ($ActiveRemoteAccessTools | Select-Object Name, CurrentlyRunning, HasRunningService)
            }
        }
        else {
            Write-Host "We couldn't find any active remote access tools!"
        }
    }

    if ($ActiveRemoteAccessTools) {
        # We're going to set a failure status code in the event that we find something.
        exit 1
    }
    else {
        exit 0
    }
}
```
if ($ShowNotFound -or $env:ShowNotFound) { $RemoteAccessTools | Format-Table -Property Name, Installed, CurrentlyRunning, HasRunningService, UninstallString -AutoSize -Wrap | Out-String | Write-Host if($ExportResults){ Export-CustomField -Name $ExportResults -Format $Format -Object ($RemoteAccessTools | Select-Object Name, Installed, CurrentlyRunning, HasRunningService) } }else{ if($ActiveRemoteAccessTools){ $ActiveRemoteAccessTools | Format-Table -Property Name, CurrentlyRunning, HasRunningService, UninstallString -AutoSize -Wrap | Out-String | Write-Host if($ExportResults){ Export-CustomField -Name $ExportResults -Format $Format -Object ($ActiveRemoteAccessTools | Select-Object Name, CurrentlyRunning, HasRunningService) } }else{ Write-Host "We couldn't find any active remote access tools!" } } if($ActiveRemoteAccessTools){ # We're going to set a failure status code in the event that we find something. exit 1 } else { exit 0 } }
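The process block above relies on Find-UninstallKey, Find-Process, Find-Service and Find-Executable, which the script defines in its begin block (not reproduced on this page). The following is an added example, not the page's script, showing a stand-alone version of those four checks for a single tool entry; the registry hives it reads, the search under both Program Files roots and the function name Test-RemoteTool are assumptions of this example.

```powershell
# Added example, not the page's script: a stand-alone version of the four checks the process
# block performs for each $RemoteToolList entry (uninstall key, process, service, executable).
# Registry hives, search roots and the function name are assumptions of this example.
function Test-RemoteTool {
    param([Parameter(Mandatory)][PSCustomObject]$Tool)

    # 1. Uninstall registry keys (64-bit, 32-bit and per-user hives), matched on DisplayName.
    #    Many products append a version to the display name, so a trailing wildcard is used.
    $UninstallKeys = @(
        "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*"
        "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
        "HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*"
    )
    $Uninstall = if ($Tool.DisplayName) {
        Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
            Where-Object { $Entry = $_; @($Tool.DisplayName) | Where-Object { $Entry.DisplayName -like "$_*" } }
    }
    # 2. Running processes, matched on the image name without ".exe".
    $Running = foreach ($Name in @($Tool.ProcessName)) {
        Get-Process -Name $Name -ErrorAction SilentlyContinue
    }
    # 3. Running services whose binary path contains one of the process names.
    $AllRunning = Get-CimInstance Win32_Service -Filter "State='Running'"
    $Services = foreach ($Name in @($Tool.ProcessName)) {
        $AllRunning | Where-Object { $_.PathName -match [regex]::Escape("$Name.exe") }
    }
    # 4. Executable on disk: relative paths are tried under both Program Files roots;
    #    SpecialExecutablePath is taken as an absolute path (as with Automate's LTSvc.exe).
    $Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $Paths = @()
    if ($Tool.SpecialExecutablePath) { $Paths = @($Tool.SpecialExecutablePath) } elseif ($Tool.ExecutablePath) {
        $Paths = foreach ($Rel in @($Tool.ExecutablePath)) { foreach ($Root in $Roots) { Join-Path $Root $Rel } }
    }
    $Found = @($Paths | Where-Object { Test-Path -LiteralPath $_ })

    [PSCustomObject]@{
        Name              = $Tool.Name
        Installed         = [bool]($Uninstall -or $Running -or $Services -or $Found)
        CurrentlyRunning  = [bool]$Running
        HasRunningService = [bool]$Services
        UninstallString   = ($Uninstall | Select-Object -First 1).UninstallString
        ExePath           = $Found -join '; '
    }
}

# Constructed sample entry in the same shape as the script's $RemoteToolList items.
Test-RemoteTool ([PSCustomObject]@{ Name = "TightVNC"; DisplayName = "TightVNC"; ProcessName = "tvnserver"; ExecutablePath = "TightVNC\tvnserver.exe" })
```

Any one of the four checks returning a hit marks the tool as installed, which is the same OR logic the script applies before filtering by the exclusion list.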
Detailed Breakdown
Detecting remote access software involves a few key steps:
- Monitoring network traffic: Start by monitoring network traffic. Unusual patterns or unknown IP addresses can be an indicator.
- System processes and tasks: Regularly reviewing active system processes can help identify unauthorized tools. Any unusual process warrants further investigation.
- Software audit: Built-in system tools such as the "Task Manager" on Windows or "Activity Monitor" on macOS can be used to obtain a list of all installed applications. Looking for unfamiliar software can sometimes reveal the presence of remote access tools.
Potential Use Cases
Consider Alex, an IT professional at a mid-sized company. She notices that network bandwidth spikes sharply outside working hours. On further investigation, she finds that an unknown IP address is constantly accessing her network. Using system audit tools, she discovers remote access software installed on several office systems that nobody remembers installing. By identifying and removing this software, Alex thwarted a possible data breach.
Comparisons
Traditional methods for detecting remote access tools include manual audits, reviewing firewall logs, or using antivirus software. While these methods can be effective, they are not foolproof. The script's approach automates the detection process, making it both comprehensive and time-saving. This proactive method can often catch newer, more sophisticated RATs that might slip past traditional methods.
FAQs
- How often should I run a check for remote access tools?
Regularly, especially if you work in an environment where new software is frequently installed and tested.
- Can this detection method identify all remote access software?
While it is comprehensive, no method is 100% certain. It is crucial to combine multiple approaches to ensure robust security.
Gavin's Opinion
The ability to detect when unapproved remote access software is installed on a computer is critical to the security of your organization's devices, its entire network, and its data.
Shadow IT refers to systems, devices, software, or applications that are used and managed outside the official purview of your organization's IT department. This typically happens when employees use their own programs or technologies without explicit approval or oversight. In this case, any remote access software installed without the organization's knowledge is an example of shadow IT. When this happens, several critical challenges arise:
- Lack of IT oversight: When remote access software is unknowingly installed on one or more devices, it often bypasses the standard security, data governance, and compliance protocols established in the organization.
- Security risks: Because the remote access software is not subject to the same security measures as authorized IT assets, it may contain vulnerabilities (the IT department cannot patch software it does not know about), potentially leading to data breaches or security incidents.
- Vendor risk: Some vendors have better security than others. Introducing software, especially remote access software, whose vendor has not been adequately vetted can bring additional risk to the organization and may even cause your organization to fail compliance or security assessments.
This script can help by detecting remote access software from a list and taking action when it finds something that is not on the authorized list. Beyond the security aspects, this kind of detection offers further benefits:
- For MSPs, this can be an early sign that your client is turning to another MSP or IT company.
- It can help identify remnants of old remote access software still installed on the network.
Final Thoughts
Undetected remote access software can lead to significant security breaches, data theft, or even ransomware attacks. As more and more businesses go online, ensuring the security of every endpoint becomes a fundamental task. Failing to take this seriously can have financial, operational, and reputational consequences.