• remote control software ?

    From T@21:1/5 to All on Tue Dec 12 16:55:16 2023
    Hi All,

    Anyone know of a scanner/utility that will hunt
    down and identify all forms of remote assistance/control
    software installed on Windows? Things like Secure Connect,
    AnyDesk, GoToAssist, etc.

    Antivirus products seem to ignore this threat.

    Many thanks,
    -T

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Paul@21:1/5 to All on Tue Dec 12 22:57:36 2023
    On 12/12/2023 7:55 PM, T wrote:
    > Hi All,
    >
    > Anyone know of a scanner/utility that will hunt
    > down and identify all forms of remote assistance/control
    > software installed on Windows? Things like Secure Connect,
    > AnyDesk, GoToAssist, etc.
    >
    > Antivirus products seem to ignore this threat.
    >
    > Many thanks,
    > -T

    They use the word "RAT" for that kind of software.

    This page will put up some hard-to-read license terms, before you
    can copy the text. Not the best-coded website I've ever seen,
    but we cannot let that stop us.

    https://www.ninjaone.com/blog/detect-remote-access-software-using-powershell/

    This is a slightly-edited list of the RATs it looks for. I tried
    to shorten the lines a bit, so it won't scroll off the end of the
    screen quite as bad. The lines need to be left as is, in the
    actual script.

    $RemoteToolList = @(
    ["AeroAdmin"; ProcessName = "AeroAdmin" }
    ["Ammyy Admin"; ProcessName = "AA_v3" }
    ["AnyDesk"; DisplayName = "AnyDesk"; ProcessName = "AnyDesk"; ExecutablePath = "AnyDesk\AnyDesk.exe" }
    ["BeyondTrust"; DisplayName = "Remote Support Jump Client", "Jumpoint"; ProcessName = "bomgar-jpt" }
    ["Chrome Remote Desktop"; DisplayName = "Chrome Remote Desktop Host"; ProcessName = "remoting_host"; ExecutablePath = remoting_host.exe }
    ["Connectwise Control"; DisplayName = "ScreenConnect Client"; ProcessName = "ScreenConnect.ClientService" }
    ["DWService"; DisplayName = "DWAgent"; ProcessName = "dwagent","dwagsvc"; ExecutablePath = "DWAgent\runtime\dwagent.exe" }
    ["GoToMyPC"; DisplayName = "GoToMyPC"; ProcessName = "g2comm", "g2pre", "g2svc", "g2tray"; ExecutablePath = g2comm.exe, g2pre.exe, g2svc.exe, g2tray.exe }
    ["LiteManager"; DisplayName = "LiteManager Pro - Server"; ProcessName = "ROMServer", "ROMFUSClient"; ExecutablePath = ROMFUSClient.exe, ROMServer.exe }
    ["LogMeIn"; DisplayName = "LogMeIn"; ProcessName = "LogMeIn"; ExecutablePath = LogMeIn.exe, LogMeInSystray.exe }
    ["ManageEngine"; DisplayName = "ManageEngine Remote Access Plus - Server", "ManageEngine UEMS - Agent"; ProcessName = "dcagenttrayicon", "UEMS", "dcagentservice"; ExecutablePath = dcagenttrayicon.exe, UEMS.exe, dcagentservice.exe }
    ["NoMachine"; DisplayName = "NoMachine"; ProcessName = "nxd", "nxnode.bin", "nxserver.bin", "nxservice64"; ExecutablePath = nxd.exe, nxnode.bin, nxserver.bin, nxservice64.exe }
    ["Parsec"; DisplayName = "Parsec"; ProcessName = "parsecd", "pservice"; ExecutablePath = parsecd.exe, pservice.exe }
    ["Remote Utilities"; DisplayName = "Remote Utilities - Host"; ProcessName = "rutserv", "rfusclient"; ExecutablePath = rfusclient.exe }
    ["RemotePC"; DisplayName = "RemotePC"; ProcessName = "RemotePCHostUI","RPCPerformanceService"; ExecutablePath = RemotePCHostUI.exe, RPCPerformanceService.exe }
    ["Splashtop"; DisplayName = "Splashtop Streamer"; ProcessName = "SRAgent", "SRAppPB", "SRFeature", "SRManager", "SRService"; ExecutablePath = SRService.exe }
    ["Supremo"; ProcessName = "Supremo", "SupremoHelper", "SupremoService"; ExecutablePath = SupremoService.exe}
    ["TeamViewer"; DisplayName = "TeamViewer"; ProcessName = "TeamViewer", "TeamViewer_Service", "tv_w32", "tv_x64"; ExecutablePath = TeamViewer.exe, TeamViewer_Service.exe, tv_w32.exe, tv_x64.exe }
    ["TightVNC"; DisplayName = "TightVNC"; ProcessName = "tvnserver"; ExecutablePath = tvnserver.exe }
    ["UltraVNC"; DisplayName = "UltraVNC"; ProcessName = "winvnc"; ExecutablePath = WinVNC.exe }
    ["VNC Connect (RealVNC)"; DisplayName = "VNC Server"; ProcessName = "vncserver"; ExecutablePath = vncserver.exe }
    ["Zoho Assist"; DisplayName = "Zoho Assist Unattended Agent"; ProcessName = "ZohoURS", "ZohoURSService"; ExecutablePath = ZohoURS.exe, ZohoURSService.exe }
    ["Atera"; DisplayName = "AteraAgent"; ProcessName = "AteraAgent"; ExecutablePath = AteraAgent.exe }
    ["Automate"; DisplayName = "Connectwise Automate"; ProcessName = "LTService", "LabTechService"; SpecialExecutablePath = "C:\Windows\LTSvc\LTSvc.exe"}
    ["Datto RMM"; DisplayName = "Datto RMM"; ProcessName = "AEMAgent"; ExecutablePath = AEMAgent.exe, gui.exe }
    ["Kaseya"; DisplayName = "Kaseya Agent"; ProcessName = "AgentMon", "KaseyaRemoteControlHost", "Kasaya.AgentEndpoint"; ExecutablePath = AgentMon.exe }
    ["N-Able N-Central"; DisplayName = "Windows Agent"; ProcessName = "winagent"; ExecutablePath = winagent.exe }
    ["N-Able N-Sight"; DisplayName = "Advanced Monitoring Agent"; ProcessName = "winagent"; ExecutablePath = winagent.exe, winagent.exe }
    ["Syncro"; DisplayName = "Syncro","Kabuto"; ProcessName = "Syncro.App.Runner"... ; ExecutablePath = Syncro.Service.Runner.exe, Syncro.App.Runner.exe }
    )
    }

    Paul
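
Added example, not part of Paul's post or the NinjaOne script: a short PowerShell inventory check built on three entries from the list above, matching installed-program display names, running processes and service binary paths. The `Name` key, the `Find-RemoteTool` function and the service-path check are assumptions made for this illustration.

```powershell
# Added example: a three-entry subset of the list above, rewritten as valid
# hashtables. "Name" and Find-RemoteTool are hypothetical names.
$RemoteToolList = @(
    @{ Name = 'AnyDesk';             DisplayName = @('AnyDesk');              ProcessName = @('AnyDesk') }
    @{ Name = 'Connectwise Control'; DisplayName = @('ScreenConnect Client'); ProcessName = @('ScreenConnect.ClientService') }
    @{ Name = 'TeamViewer';          DisplayName = @('TeamViewer');           ProcessName = @('TeamViewer', 'TeamViewer_Service', 'tv_w32', 'tv_x64') }
)

function Find-RemoteTool {
    param([hashtable[]]$ToolList)

    # Installed programs: both the 64-bit and 32-bit Uninstall registry views.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName }

    # Services keep their binary path even when the process is not running.
    $services = Get-CimInstance -ClassName Win32_Service -ErrorAction SilentlyContinue

    foreach ($tool in $ToolList) {
        foreach ($pattern in $tool.DisplayName) {
            $installed | Where-Object { $_.DisplayName -like "*$pattern*" } | ForEach-Object {
                [PSCustomObject]@{ Tool = $tool.Name; Source = 'Installed'; Detail = $_.DisplayName }
            }
        }
        foreach ($proc in $tool.ProcessName) {
            # Running processes, including portable copies that were never installed.
            Get-Process -Name $proc -ErrorAction SilentlyContinue | ForEach-Object {
                [PSCustomObject]@{ Tool = $tool.Name; Source = 'Process'; Detail = "$($_.Name) (PID $($_.Id))" }
            }
            $services | Where-Object { $_.PathName -like "*\$proc.exe*" } | ForEach-Object {
                [PSCustomObject]@{ Tool = $tool.Name; Source = 'Service'; Detail = $_.PathName }
            }
        }
    }
}

Find-RemoteTool -ToolList $RemoteToolList | Sort-Object Tool, Source | Format-Table -AutoSize
```

For a script saved locally, `Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned` allows it to run while limiting the policy change to the current PowerShell session.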

  • From T@21:1/5 to Paul on Tue Dec 12 21:05:44 2023
    On 12/12/23 19:57, Paul wrote:
    > On 12/12/2023 7:55 PM, T wrote:
    >> Hi All,
    >>
    >> Anyone know of a scanner/utility that will hunt
    >> down and identify all forms of remote assistance/control
    >> software installed on Windows? Things like Secure Connect,
    >> AnyDesk, GoToAssist, etc.
    >>
    >> Antivirus products seem to ignore this threat.
    >>
    >> Many thanks,
    >> -T
    >
    > They use the word "RAT" for that kind of software.
    >
    > This page will put up some hard-to-read license terms, before you
    > can copy the text. Not the best-coded website I've ever seen,
    > but we cannot let that stop us.
    >
    > https://www.ninjaone.com/blog/detect-remote-access-software-using-powershell/
    >
    > This is a slightly-edited list of the RATs it looks for. I tried
    > to shorten the lines a bit, so it won't scroll off the end of the
    > screen quite as bad. The lines need to be left as is, in the
    > actual script.



    Paul! Dude! You are awesome!!! Thank you!

    It caught my AnyDesk as soon as I ran it.

    It does need
    Set-ExecutionPolicy Unrestricted ("A" for all)
    to run before it.

    -T
