Hi All,

Anyone know of a scanner/utility that will hunt
down and identify all forms of remote assistance/control
software installed on Windows? Things like Secure Connect,
Any Desk, Go to Assist, etc..

Anti Virus products seem to ignore this threat.

Many thanks,
-T

On 12/12/2023 7:55 PM, T wrote:
> Hi All,
>
> Anyone know of a scanner/utility that will hunt
> down and identify all forms of remote assistance/control
> software installed  on Windows?  Things like Secure Connect,
> Any Desk, Go to Assist, etc..
>
> Anti Virus products seem to ignore this threat.
>
> Many thanks,
> -T

They use the word "RAT" for that kind of software.

This page will put up some hard-to-read license terms, before you
can copy the text. Not the best-coded website I've ever seen,
but we cannot let that stop us.

https://www.ninjaone.com/blog/detect-remote-access-software-using-powershell/

This is a slightly-edited list of the RATs it looks for. I tried
to shorten the lines a bit, so it won't scroll off the end of the
screen quite as bad. The lines need to be left as is, in the
actual script.

$RemoteToolList = @(
["AeroAdmin"; ProcessName = "AeroAdmin" }
["Ammyy Admin"; ProcessName = "AA_v3" }
["AnyDesk"; DisplayName = "AnyDesk"; ProcessName = "AnyDesk"; ExecutablePath = "AnyDesk\AnyDesk.exe" }
["BeyondTrust"; DisplayName = "Remote Support Jump Client", "Jumpoint"; ProcessName = "bomgar-jpt" }
["Chrome Remote Desktop"; DisplayName = "Chrome Remote Desktop Host"; ProcessName = "remoting_host"; ExecutablePath = remoting_host.exe }
["Connectwise Control"; DisplayName = "ScreenConnect Client"; ProcessName = "ScreenConnect.ClientService" }
["DWService"; DisplayName = "DWAgent"; ProcessName = "dwagent","dwagsvc"; ExecutablePath = "DWAgent\runtime\dwagent.exe" }
["GoToMyPC"; DisplayName = "GoToMyPC"; ProcessName = "g2comm", "g2pre", "g2svc", "g2tray"; ExecutablePath = g2comm.exe, g2pre.exe, g2svc.exe, g2tray.exe }
["LiteManager"; DisplayName = "LiteManager Pro - Server"; ProcessName = "ROMServer", "ROMFUSClient"; ExecutablePath = ROMFUSClient.exe, ROMServer.exe }
["LogMeIn"; DisplayName = "LogMeIn"; ProcessName = "LogMeIn"; ExecutablePath = LogMeIn.exe, LogMeInSystray.exe }
["ManageEngine"; DisplayName = "ManageEngine Remote Access Plus - Server", "ManageEngine UEMS - Agent"; ProcessName = "dcagenttrayicon", "UEMS", "dcagentservice"; ExecutablePath = dcagenttrayicon.exe, UEMS.exe, dcagentservice.exe }
["NoMachine"; DisplayName = "NoMachine"; ProcessName = "nxd", "nxnode.bin", "nxserver.bin", "nxservice64"; ExecutablePath = nxd.exe, nxnode.bin, nxserver.bin, nxservice64.exe }
["Parsec"; DisplayName = "Parsec"; ProcessName = "parsecd", "pservice"; ExecutablePath = parsecd.exe, pservice.exe }
["Remote Utilities"; DisplayName = "Remote Utilities - Host"; ProcessName = "rutserv", "rfusclient"; ExecutablePath = rfusclient.exe }
["RemotePC"; DisplayName = "RemotePC"; ProcessName = "RemotePCHostUI","RPCPerformanceService"; ExecutablePath = RemotePCHostUI.exe, RPCPerformanceService.exe }
["Splashtop"; DisplayName = "Splashtop Streamer"; ProcessName = "SRAgent", "SRAppPB", "SRFeature", "SRManager", "SRService"; ExecutablePath = SRService.exe }
["Supremo"; ProcessName = "Supremo", "SupremoHelper", "SupremoService"; ExecutablePath = SupremoService.exe}
["TeamViewer"; DisplayName = "TeamViewer"; ProcessName = "TeamViewer", "TeamViewer_Service", "tv_w32", "tv_x64"; ExecutablePath = TeamViewer.exe, TeamViewer_Service.exe, tv_w32.exe, tv_x64.exe }
["TightVNC"; DisplayName = "TightVNC"; ProcessName = "tvnserver"; ExecutablePath = tvnserver.exe }
["UltraVNC"; DisplayName = "UltraVNC"; ProcessName = "winvnc"; ExecutablePath = WinVNC.exe }
["VNC Connect (RealVNC)"; DisplayName = "VNC Server"; ProcessName = "vncserver"; ExecutablePath = vncserver.exe }
["Zoho Assist"; DisplayName = "Zoho Assist Unattended Agent"; ProcessName = "ZohoURS", "ZohoURSService"; ExecutablePath = ZohoURS.exe, ZohoURSService.exe }
["Atera"; DisplayName = "AteraAgent"; ProcessName = "AteraAgent"; ExecutablePath = AteraAgent.exe }
["Automate"; DisplayName = "Connectwise Automate"; ProcessName = "LTService", "LabTechService"; SpecialExecutablePath = "C:\Windows\LTSvc\LTSvc.exe"}
["Datto RMM"; DisplayName = "Datto RMM"; ProcessName = "AEMAgent"; ExecutablePath = AEMAgent.exe, gui.exe }
["Kaseya"; DisplayName = "Kaseya Agent"; ProcessName = "AgentMon", "KaseyaRemoteControlHost", "Kasaya.AgentEndpoint"; ExecutablePath = AgentMon.exe }
["N-Able N-Central"; DisplayName = "Windows Agent"; ProcessName = "winagent"; ExecutablePath = winagent.exe }
["N-Able N-Sight"; DisplayName = "Advanced Monitoring Agent"; ProcessName = "winagent"; ExecutablePath = winagent.exe, winagent.exe }
["Syncro"; DisplayName = "Syncro","Kabuto"; ProcessName = "Syncro.App.Runner"... ; ExecutablePath = Syncro.Service.Runner.exe, Syncro.App.Runner.exe }
)
}

Paul

On 12/12/23 19:57, Paul wrote:
> On 12/12/2023 7:55 PM, T wrote:
>> Hi All,
>>
>> Anyone know of a scanner/utility that will hunt
>> down and identify all forms of remote assistance/control
>> software installed  on Windows?  Things like Secure Connect,
>> Any Desk, Go to Assist, etc..
>>
>> Anti Virus products seem to ignore this threat.
>>
>> Many thanks,
>> -T
>
> They use the word "RAT" for that kind of software.
>
> This page will put up some hard-to-read license terms, before you
> can copy the text. Not the best-coded website I've ever seen,
> but we cannot let that stop us.
>
> https://www.ninjaone.com/blog/detect-remote-access-software-using-powershell/
>
> This is a slightly-edited list of the RATs it looks for. I tried
> to shorten the lines a bit, so it won't scroll off the end of the
> screen quite as bad. The lines need to be left as is, in the
> actual script.
>

Paul! Dude! You are awesome!!! Thank you!

It caught my AnyDesk as soon as I ran it.

It does need
Set-ExecutionPolicy Unrestricted ("A" for all)
to run before it.

-T