DFIR Next Steps: Suspicious Pulseway Use

Welcome back to the next post in our DFIR Next Steps series on remote monitoring and management (RMM) tools. This post will focus on Pulseway. Pulseway is a newer RMM that we have recently seen used by threat actors. 

Check out our previous posts in the series: 

• Overview of investigating suspicious RMMs 
• Investigating suspicious TeamViewer use
• Investigating suspicious LogMeIn use
• Investigating suspicious AnyDesk use

Now, let’s analyze Pulseway!

Jump to…

Pulseway Overview
Pulseway DFIR Artifacts
What It Means: The Impact of Malicious Pulseway Use
What to Do Next: How to Investigate Suspicious Pulseway Activity
How to Investigate Suspicious Pulseway Use with Cyber Triage

Pulseway Overview

What is Pulseway?

Pulseway describes itself as “An IT Management Solution That You Can Take Anywhere,” with one of the key advertised features being the ability to manage endpoints from a mobile device. 

Pulseway is an agent-based SaaS solution. One interesting/concerning feature of the agent is the ability to run a silent install, provided you have administrator access. This means that once a threat actor has access to the system, they could install Pulseway in order to maintain persistence without causing any notifications to the user. 

From a threat actor’s perspective, the SaaS side of things makes Pulseway a less attractive option, as logs are retained on the Pulseway server and traces of their actions will be recorded (more on that later).

Pulseway Features

The feature list is too big to list here, but we will include some significant remote features relevant to incident response.

These include:

Feature	Notes
Remote access	Via Pulseway remote console or starting an RDP session.
Remote execution	Both CMD terminal and PowerShell.
Remote stopping/starting of processes and services	Includes terminating EDR and other security products.
Automation scripts	If looking to deploy ransomware, this would make it easy.
Remote file viewing and copying
Registry viewer
Application installation
Remote screen viewing	With no notification to the user

Example Log Data	Description
Received Request Start Remote Control RC	A remote connection was requested. This record will include the GUID of the requesting host.
Received Request Get screens from device Id: ‘1-f43fbae6-34d9-4e8e-b64a-4c1aec36b9d9’	Remote viewing of current screens.
Received Request Run command: ‘see fb472da4-6dbf-44cb-b052-a86127d68b88 in Pulseway-CommandAudit log’ from device Id: ‘1-f43fbae6-34d9-4e8e-b64a-4c1aec36b9d9’	A remote command was executed. Note that the command itself is not displayed in the application log. It can be found in the Command Audit log, by cross-referencing the supplied GUID.
Received Request Run PowerShell command: ‘see 16535d8d-e03c-4e49-b5c1-dadbe638d431 in Pulseway-CommandAudit log’ from device Id: ‘1-f43fbae6-34d9-4e8e-b64a-4c1aec36b9d9’	A remote powershell command was executed, as with the “Run command” the command itself will be saved to the Command Audit log.

Command Audit Log

Entries in the command audit log will include the commands or PowerShell cmdlets run from the management console.

An example is shown below:

Arguments for 57e457d5-23fd-46d8-9c44-4719def4c499: ‘netstat’

Domains

When a pulseway account is created, a subdomain of pulseway.com will be created using the domain of the registered email address.

In our example, that was reynholmenterprises.pulseway.com.

Remote Access Domains

https://rd-us-east-1.pulseway.com/remote https://rd-us-east-1-2.pulseway.com/remote https://rd-us-west-1.pulseway.com/remote https://rd-us-west-1-2.pulseway.com/remote https://rd-us-east-2.pulseway.com/remote https://rd-us-east-2-2.pulseway.com/remote https://rd-eu-ie-1.pulseway.com/remote https://rd-eu-ie-1-2.pulseway.com/remote https://rd-eu-de-1.pulseway.com/remote https://rd-eu-de-1-2.pulseway.com/remote https://rd-asia-au-1.pulseway.com/remote https://rd-asia-au-1-2.pulseway.com/remote https://rd-af-south-1-1.pulseway.com/remote https://rd-af-south-1-2.pulseway.com/remote

What It Means: The Impact of Malicious Pulseway Use

Pulseway is a powerful RMM tool. Once installed, a remote user has complete control of the compromised system. They are able to perform more actions than a locally logged-on Administrator can, as the remote PowerShell and command execution is run as the SYSTEM user. 

Because the PowerShell commands are run as the SYSTEM user, the PowerShell console log is not updated, and PowerShell commands are not logged to the PowerShell event log. However, they will appear in the Pulseway Command Audit Log. 

Other remote commands – for example, downloading of files – also leave no trace on the target system other than entries in the Command Audit log. 

What to Do Next: How to Investigate Suspicious Pulseway Activity

The goal of this section is to provide some investigative questions that should be answered to help determine if the Pulseway activity on the system is expected.

We’ll review: 

1. Does the organization use Pulseway?
2. Is Pulseway expected to be on the endpoint?
3. What commands were executed with Pulseway?
4. Is the activity expected?

Now let’s dig into each:

#1 Does the organization use Pulseway?
Yes	Go to question 2
No	Unauthorized Pulseway tool found and should most likely be removed. Proceed to question 4 to determine the impact. Ex: Did a threat actor bring it in, did a disgruntled IT administrator use it for nefarious activity, or was it an employee using it without bad intentions?

#2 Is Pulseway expected to be on the endpoint?
Yes	Go to question 3
No	Unauthorized Pulseway tool found and should most likely be removed. Proceed to question 4 to determine the impact. Ex: Did a threat actor bring it in, did a disgruntled IT administrator use it for nefarious activity, or was it an employee using it without bad intentions?

#3 What commands were executed using Pulseway?
Search the Application event log for Event ID 24001 records containing the string “Received Request” in the data.  Review these entries and if powershell or commands were executed review the Pulseway-CommandAudit log for commands or commandlets that were run on the system.
#4 Is the activity expected?
There are a lot of subquestions that need to be answered to answer the bigger question of if the activity is expected. Questions like: Has Pulseway been on the system for a long time, or is it new? Check timestamps on Pulseway data folder to get an idea when it was first ran. Are the users associated with Pulseway activity expected? Review the audit log Are there new or suspicious outgoing connections from the device in question? Review the audit log Are there new or suspicious incoming connections to the device in question? Review the audit log Is there other suspicious activity that happened before? Check the device timeline to see if other suspicious activity happened before Pulseway was brought onto the system. Is there other suspicious activity that happened after? Check the device timeline to see if other suspicious activity happened after Pulseway connections were made. Check Pulseway audit log to see what files were uploaded and downloaded. Check for use of file transfer tools (both within the audit log and standard locations)

How to Investigate Suspicious Pulseway Use with Cyber Triage

Cyber Triage will score the existence of Pulseway as suspicious. Cyber Triage will also collect the application log, which can be extracted from the collection for deeper analysis.

Another option is to write sigma rules to score Pulseway log entries as suspicious and a file collection rule to collect the Pulseway-CommandAudit log. 

The next release of Cyber Triage will include rules for scoring Pulseway event log entries and collecting the Command Audit log.

If you’d like to try Cyber Triage on an RMM investigation — or just to see if it speeds up your process in general — you can free for 7 days.