← All Chokepoints HIGH

Renamed RMM Tools

Command and Control T1219.002 Detection difficulty: MEDIUM Prevalence: HIGH

Legitimate remote management and monitoring (RMM) tools are renamed or masqueraded to appear as trusted applications (tax documents, invoices, IT support tools) and delivered via browser download. Once executed, the RMM establishes persistent command-and-control to attacker infrastructure while appearing to be a signed, legitimate binary. Because the binary is legitimately signed by the vendor, many security tools will not flag it. The chokepoint is the browser download, file masquerading, user execution, and outbound connection to RMM infrastructure — all of which are required regardless of which RMM tool is used.

By @iimp0ster · Updated 2026-03-07 · View source YAML

Prerequisites (Environmental)

• ✓ User account can execute binaries from browser download paths (Downloads, Temp, AppData)
• ✓ RMM binary carries a valid vendor code-signing certificate — hash-based detection does not fire

Attack Chokepoints (3 invariant stages — click to expand)

Each stage is an invariant condition the attacker must satisfy — regardless of tool, variant, or threat actor. Detection at any stage breaks the chain.

1

Browser Download

Hunt Active Hunt

Browser process creates an executable in a user-writable path (Downloads, Temp, AppData) with a campaign-themed or generic filename masking RMM software

The binary must land on disk before execution — no in-memory-only path exists for the initial delivery of a standalone RMM installer; the file must be hosted on an attacker-controlled or compromised site reachable by the victim's browser, so delivery cannot be skipped in any variant including TOAD phone-assisted delivery

• Sysmon Event ID 11 (File Creation)
• Browser download telemetry

View rule →

2

User Execution

Analyst SOC Alert

User executes the downloaded binary, which is a legitimately-signed RMM tool regardless of its filename — PE metadata (OriginalFilename, Company) betrays the mismatch

The binary must execute to establish C2 — no execution means no remote access regardless of delivery success

• Sysmon Event ID 1 (Process Creation)
• Windows Security Event ID 4688 (Process Creation)

View rule →

⚠ Bypass risk: CVE exploitation of internet-exposed RMM servers (ScreenConnect CVE-2024-1709, SimpleHelp CVE-2024-57727) bypasses all user-execution detection — monitor RMM server process telemetry separately

3

Outbound RMM Connection

Analyst SOC Alert

Executed binary establishes a persistent connection to RMM relay or attacker-controlled server on standard HTTPS ports

The C2 channel must be established — the entire purpose of RMM tool deployment is persistent remote access

• Sysmon Event ID 3 (Network Connection)
• Firewall / proxy egress logs

View rule →

⚠ Bypass risk: Self-hosted RMM infrastructure (RustDesk, MeshCentral) makes domain-based blocking ineffective — detect by behavior (browser download + execution + outbound), not by destination

Variations

Tools and methods that exploit this chokepoint — the list grows; the chokepoint doesn't change:

AnyDesk Declining

2020

Declining; February 2024 production breach revoked signing cert, driving actor migration

Common masquerade names: invoice.exe, tax_form.exe, SSN_verification.exe; February 2024 production server breach resulted in source code and code signing certificate theft — certificate revoked, driving threat actor migration to other tools

TeamViewer Active

2019

Common masquerade names: update.exe, system_check.exe

ScreenConnect (ConnectWise) Active

2022

Primary renamed-binary choice; CVE-2024-1709 also enables direct server exploitation

Common masquerade names: support_tool.exe, IT_access.exe; now primary choice for renamed-binary delivery; February 2024 CVE-2024-1709 (auth bypass) + CVE-2024-1708 (path traversal) enabled direct server exploitation by LockBit, Black Basta, and Bl00dy — 18,188 exposed instances globally at time of disclosure; dual vector: user-delivered binary AND direct server exploitation

Source →

UltraViewer Active

2023

Low name recognition makes it credible as a disguised security tool

Common masquerade names: security_scan.exe, verify.exe

RustDesk Active

2023

Open-source; self-hosted infrastructure makes domain-based blocking ineffective

Open-source; self-hosted infrastructure makes domain blocking ineffective; first documented in Akira ransomware and Scattered Spider operations mid-2023; broader adoption through 2024

SimpleHelp Active

2025-Q1

Three critical CVEs exploited as ransomware initial access since January 2025

CVE-2024-57727 (path traversal), CVE-2024-57726 (privilege escalation), CVE-2024-57728 (arbitrary file upload) disclosed January 2025; exploited in the wild since January 22, 2025 as ransomware initial access vector; DragonForce deployed via it; CISA advisory AA25-163A issued June 2025; CISA KEV listed February 2025

Source →

NetSupport Manager Active

2019

Long-abused via ClickFix clipboard delivery; remains common in commodity phishing

Long-abused RMM (the 'NetSupport RAT' name derives from this tool); TA571 and the ClearFake cluster began ClickFix clipboard delivery specifically in March 2024; remains one of the most common RMM payloads in commodity phishing operations through 2025

Atera Active

2022

Used by MuddyWater in nation-state campaigns since mid-2022

Used by MuddyWater (Iran/TA450) in nation-state campaigns since mid-2022; intense campaign wave October 2023–April 2024 targeting Israeli manufacturing, tech, and infosec sectors; also deployed post-compromise as secondary RMM after ScreenConnect CVE-2024-1709 exploitation in European targets

RMM-to-RMM Deployment Active

2024

First RMM deploys a second for redundancy; removes single point of C2 failure

One RMM (e.g., ScreenConnect) deploys a second RMM (e.g., AnyDesk) for redundancy — if one is removed, the other maintains access

Detection Strategy

Build detections iteratively. Start broad to understand your baseline, then tighten to production-ready.

Goal: Identify all RMM tool processes running in the environment

Log Sources

• Sysmon Event ID 1 (Process Creation)
• Windows Security Event ID 4688 (Process Creation)
• Application inventory / software management telemetry

FP Rate: High

Use Case: Asset inventory; baseline of legitimate RMM usage by IT staff

Detection Logic

Process name matches known RMM tool executables:
  anydesk.exe OR screenconnect*.exe OR teamviewer*.exe OR
  ultraviewer.exe OR rustdesk.exe OR meshagent.exe OR
  connectwisecontrol*.exe

Sigma Rule — Research Level

View on GitHub Download

title: Known RMM Tool Process Execution
id: b8c2d4e6-f8a0-4b2c-9d3e-5f7a9b1c3d5e
status: experimental
description: >
  Detects execution of known Remote Management and Monitoring (RMM) tool processes.
  Research-level rule for baselining RMM tool usage across the environment. High false
  positive rate expected due to legitimate IT use. Use to establish a baseline of
  approved RMM instances before promoting to hunt-level detection.
references:
  - https://attack.mitre.org/techniques/T1219/
author: "@iimp0ster"
date: 2025/01/15
tags:
  - attack.initial_access
  - attack.command_and_control
  - attack.t1219
  - detection.maturity.research
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\anydesk.exe'
      - '\AnyDesk.exe'
      - '\TeamViewer.exe'
      - '\teamviewer.exe'
      - '\ultraviewer.exe'
      - '\UltraViewer.exe'
      - '\rustdesk.exe'
      - '\RustDesk.exe'
      - '\meshagent.exe'
      - '\MeshAgent.exe'
    Image|contains:
      - '\ScreenConnect.'
      - '\connectwisecontrol'
      - '\ConnectWiseControl'
  condition: selection
falsepositives:
  - Legitimate IT helpdesk use of RMM tools
  - Authorized remote support sessions
  - Security testing environments
level: informational

Goal: Detect RMM tool binaries downloaded via browser and executed within minutes

Log Sources

• Sysmon Event ID 1 (Process Creation)
• Sysmon Event ID 11 (File Creation)
• Browser download telemetry

FP Rate: Medium

Use Case: Hunt for user-initiated RMM downloads; distinguishes IT-deployed from user-downloaded

Detection Logic

File Created: *.exe Creating Process: chrome.exe OR firefox.exe OR msedge.exe OR iexplore.exe OR brave.exe File Path: \Downloads\ OR \Temp\ OR \AppData\Local\Temp\ Then: Process execution within 5 minutes AND: Product metadata OR original filename matches known RMM vendor

Sigma Rule — Hunt Level

View on GitHub Download

title: RMM Tool Downloaded via Browser and Executed
id: c9d3e5f7-a9b1-4c3d-5e6f-7a8b9c0d1e2f
status: experimental
description: >
  Detects RMM tool executables created by a web browser in a download location
  (Downloads or Temp directory). Hunt-level rule targeting the renamed RMM tool
  chokepoint: legitimate but renamed RMM binaries delivered via browser download
  as part of social engineering campaigns. Distinguishes user-initiated downloads
  from IT-deployed RMM installations.
references:
  - https://attack.mitre.org/techniques/T1219/
author: "@iimp0ster"
date: 2025/01/15
tags:
  - attack.initial_access
  - attack.command_and_control
  - attack.t1219
  - detection.maturity.hunt
logsource:
  category: file_event
  product: windows
detection:
  selection_download_path:
    TargetFilename|contains:
      - '\Downloads\'
      - '\AppData\Local\Temp\'
      - '\Temp\'
      - '\AppData\Roaming\Temp\'
  selection_browser_creator:
    Image|endswith:
      - '\chrome.exe'
      - '\firefox.exe'
      - '\msedge.exe'
      - '\iexplore.exe'
      - '\opera.exe'
      - '\brave.exe'
      - '\vivaldi.exe'
  selection_executable:
    TargetFilename|endswith:
      - '.exe'
      - '.msi'
  condition: selection_download_path and selection_browser_creator and selection_executable
falsepositives:
  - Legitimate software downloads by users (any browser-downloaded executable)
  - IT staff downloading RMM tools for authorized deployment
level: low

Goal: Masqueraded RMM tool with campaign-themed name, downloaded by browser, with immediate outbound connection

Log Sources

• Sysmon Event ID 1 (Process Creation)
• Sysmon Event ID 3 (Network Connection)
• Sysmon Event ID 11 (File Creation)
• File metadata / version info analysis

FP Rate: Low

Use Case: SOC alerting; campaign-themed file name detection catches targeted pretexts

Detection Logic

File Created: *.exe via browser (see Hunt logic above) AND one of:
  - File Name contains: "tax" OR "invoice" OR "SSN" OR "SSA" OR "support" OR "verify" OR "secure"
  - File Metadata: OriginalFilename = "anydesk.exe" (or other RMM) but current name differs
  - File Signer: Known RMM vendor certificate on file with non-RMM name
Network: Outbound connection to RMM infrastructure within 2 minutes of execution UserContext: Standard user account (not in IT admin group)

Sigma Rule — Analyst Level

View on GitHub Download

title: Masqueraded RMM Tool with Campaign-Themed Filename Downloaded via Browser
id: d0e4f6a8-b0c2-4d4e-6f7a-8b9c0d1e2f3a
status: experimental
description: >
  High-fidelity detection for renamed RMM tools delivered via browser download using
  social engineering pretexts (tax, invoice, SSN/SSA, IT support). Detects when an
  executable with a campaign-themed name is downloaded by a browser and contains
  file metadata (OriginalFilename or signer) matching a known RMM vendor. This
  combination of deceptive naming and legitimate signing is a strong indicator of
  the renamed RMM tool technique.
references:
  - https://attack.mitre.org/techniques/T1219/
author: "@iimp0ster"
date: 2025/01/15
tags:
  - attack.initial_access
  - attack.command_and_control
  - attack.t1219
  - detection.maturity.analyst
logsource:
  category: process_creation
  product: windows
detection:
  # Executable downloaded from browser to user-writable location
  selection_path:
    Image|contains:
      - '\Downloads\'
      - '\AppData\Local\Temp\'
      - '\Temp\'
      - '\Desktop\'
  # Campaign-themed filename patterns (tax season, invoice, IT support pretexts)
  selection_campaign_name:
    Image|contains:
      - 'tax'
      - 'invoice'
      - 'Invoice'
      - 'Tax'
      - 'SSN'
      - 'SSA'
      - 'W-2'
      - 'W2'
      - '1099'
      - 'refund'
      - 'Refund'
      - 'support'
      - 'Support'
      - 'verify'
      - 'Verify'
      - 'secure'
      - 'Secure'
      - 'helpdesk'
      - 'HelpDesk'
      - 'IT_'
      - 'remote_'
  # Original filename or description matches known RMM vendors
  # (requires file metadata enrichment — Sysmon FileVersion fields or EDR metadata)
  selection_rmm_metadata:
    OriginalFileName|contains:
      - 'AnyDesk'
      - 'anydesk'
      - 'ScreenConnect'
      - 'screenconnect'
      - 'TeamViewer'
      - 'teamviewer'
      - 'UltraViewer'
      - 'ultraviewer'
      - 'RustDesk'
      - 'rustdesk'
      - 'MeshAgent'
      - 'meshagent'
  condition: selection_path and selection_campaign_name and selection_rmm_metadata
falsepositives:
  - Legitimate tax or invoice software that happens to have RMM integration
  - IT staff downloading RMM tools with descriptive names for asset tracking
level: high

Early Detection Layers

Detect before the user pastes or executes — earlier in the kill chain than the Sysmon-based rules above, using different data sources.

Evolution Timeline (7 events — click to expand)

Techniques and tooling evolve; the underlying detection chokepoint does not.

2024-H2

RMM-to-RMM deployment pattern emerges

Change: First RMM used to deploy a second as backup persistence; Hunters International documented AnyDesk + ScreenConnect deployed simultaneously.

Detection impact: Process creation chain detection required; single-RMM detection insufficient

2025-Q1

SimpleHelp CVE exploitation as ransomware initial access

Change: Three critical SimpleHelp CVEs (CVE-2024-57727/57726/57728) exploited by ransomware actors beginning January 2025 as a server-side initial access vector.

Detection impact: RMM server vulnerability exploitation requires monitoring of RMM server logs and network egress, not just endpoint process/file telemetry

2023

RustDesk adoption as self-hosted alternative

Change: Open-source self-hosted RMM adopted in Akira and Scattered Spider operations; domain-based blocking no longer effective.

Detection impact: Domain/IP-based blocking bypassed; behavior detection essential

2024-Q1

AnyDesk breach + ScreenConnect mass CVE exploitation

Change: AnyDesk code signing cert stolen and revoked; CVE-2024-1709 enables direct exploitation of 18,000+ exposed ScreenConnect instances by ransomware groups.

Detection impact: Browser-download detection insufficient for direct server exploitation; must also monitor RMM server processes for unexpected outbound sessions and lateral movement

2023

UltraViewer campaigns emerge

Change: Shift to less-known tools to evade AnyDesk-specific detections; tool-agnostic detection becomes critical.

Detection impact: Tool-agnostic detection becomes critical; vendor name can no longer be relied on

2022-Q3

ScreenConnect becomes primary campaign tool

Change: Shift to ConnectWise ScreenConnect for professional appearance; CISA AA23-025A documents first large-scale malicious campaigns.

Detection impact: No change to core detection pattern

2019

TeamViewer and AnyDesk adoption in social engineering campaigns

Change: Legitimate RMM binaries adopted as initial access alternative to malware; signed binaries evade hash-based detection.

Detection impact: New pattern — signed binaries evading hash-based detection

Raw Log Samples (3 samples — click to expand)

Real-world log events produced by this technique and which sigma rules they trigger.

Sysmon EID 11

Hunt Analyst

Renamed RMM binary dropped to Downloads folder by browser process

EventID: 11 (FileCreate)
UtcTime: 2024-10-15 09:34:12.881
ProcessGuid: {c3d4e5f6-3456-7890-cdef-012345678901}
ProcessId: 3284
Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
TargetFilename: C:\Users\jsmith\Downloads\tax-document-2024.exe
CreationUtcTime: 2024-10-15 09:34:12.881
# Browser drops .exe directly to Downloads — combined with execution signals Hunt/Analyst rules

Sysmon EID 1

Research Hunt Analyst

Renamed RMM binary executed — OriginalFilename mismatch is the Analyst signal

EventID: 1 (Process Create)
UtcTime: 2024-10-15 09:34:28.103
ProcessGuid: {c3d4e5f6-3456-7890-cdef-012345678902}
ProcessId: 9876
Image: C:\Users\jsmith\Downloads\tax-document-2024.exe
OriginalFileName: AnyDesk.exe
CommandLine: "C:\Users\jsmith\Downloads\tax-document-2024.exe"
CurrentDirectory: C:\Users\jsmith\Downloads\
ParentProcessId: 3284
ParentImage: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
FileVersion: 8.0.8.0
Description: AnyDesk
Company: AnyDesk Software GmbH
# KEY SIGNAL: Image=tax-document-2024.exe but OriginalFileName=AnyDesk.exe
# File signer: AnyDesk Software GmbH certificate on a file named "tax-document-2024.exe"

Sysmon EID 3

Analyst

Renamed AnyDesk binary connects to AnyDesk relay infrastructure

EventID: 3 (NetworkConnect)
UtcTime: 2024-10-15 09:34:29.441
ProcessGuid: {c3d4e5f6-3456-7890-cdef-012345678902}
ProcessId: 9876
Image: C:\Users\jsmith\Downloads\tax-document-2024.exe
User: CORP\jsmith
Protocol: tcp
Initiated: true
SourceIp: 10.10.5.22
SourcePort: 51876
DestinationIp: 195.201.29.30
DestinationHostname: relay.anydesk.com
DestinationPort: 443
# Non-RMM-named binary connecting to relay.anydesk.com within 2 min of browser download

Emulation Script (click to expand)

⚠ Lab use only. Run in isolated lab VM only. Uses a benign Windows binary renamed to a campaign filename.

powershell ATT&CK: T1219.002 Simulates renamed RMM binary drop, execution with metadata mismatch, and outbound connection

POWERSHELL

View on GitHub Download

#Requires -Version 5.1
# MITRE ATT&CK: T1219.002 — Remote Access Tools
# Simulates browser-downloaded RMM binary renamed to a campaign-themed filename.

[CmdletBinding()]
param(
    [string]$CampaignName  = 'tax-document-2024',
    [switch]$CleanupOnly
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# Use a legitimate signed Windows binary as the "RMM" stand-in for safe emulation.
# In a real engagement, replace this with actual AnyDesk.exe for full fidelity.
$RmmSourceBinary = Join-Path $env:WINDIR 'System32\notepad.exe'
$DownloadsPath   = Join-Path $env:USERPROFILE 'Downloads'
$RenamedBinary   = Join-Path $DownloadsPath "$CampaignName.exe"
$RmmPort         = 443    # AnyDesk relay uses 443/80/6568; use 443 for lab (less likely blocked)
$RmmHost         = 'relay.anydesk.com'

function Write-Step ([string]$Msg) { Write-Host "[*] $Msg" -ForegroundColor Cyan }
function Write-Ok   ([string]$Msg) { Write-Host "[+] $Msg" -ForegroundColor Green }
function Write-Warn ([string]$Msg) { Write-Host "[!] $Msg" -ForegroundColor Yellow }

function Remove-Artefacts {
    if (Test-Path $RenamedBinary) {
        Remove-Item $RenamedBinary -Force -ErrorAction SilentlyContinue
        Write-Ok "Removed: $RenamedBinary"
    }
}

if ($CleanupOnly) { Remove-Artefacts; exit 0 }

Write-Host ""
Write-Host "=== Renamed RMM Tool Emulation ===" -ForegroundColor Magenta
Write-Host "    T1219.002 | Detection Chokepoints Project" -ForegroundColor DarkGray
Write-Host ""

Write-Step "Step 1/3 — Dropping renamed binary to Downloads (browser-download simulation)"
Write-Verbose "  Source binary: $RmmSourceBinary"
Write-Verbose "  Renamed to:    $RenamedBinary"

# Ensure Downloads directory exists
if (-not (Test-Path $DownloadsPath)) {
    New-Item -ItemType Directory -Path $DownloadsPath -Force | Out-Null
}

Copy-Item -Path $RmmSourceBinary -Destination $RenamedBinary -Force
Write-Ok "Binary copied to: $RenamedBinary"
Write-Ok "File name: $CampaignName.exe (social engineering name)"

# Report OriginalFilename vs current name mismatch (the key detection signal)
try {
    $versionInfo = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($RenamedBinary)
    Write-Host ""
    Write-Host "  File metadata (key detection signal):" -ForegroundColor White
    Write-Host "    CurrentName:       $CampaignName.exe" -ForegroundColor DarkGray
    Write-Host "    OriginalFilename:  $($versionInfo.OriginalFilename)" -ForegroundColor DarkGray
    Write-Host "    ProductName:       $($versionInfo.ProductName)" -ForegroundColor DarkGray
    Write-Host "    FileDescription:   $($versionInfo.FileDescription)" -ForegroundColor DarkGray
    if ($versionInfo.OriginalFilename -and $versionInfo.OriginalFilename -ne "$CampaignName.exe") {
        Write-Ok "MISMATCH CONFIRMED: OriginalFilename != current name — Analyst rule will fire"
    }
} catch {
    Write-Warn "Could not read version info: $_"
}

Start-Sleep -Milliseconds 500

Write-Step "Step 2/3 — Executing renamed binary (brief run to generate process telemetry)"
Write-Verbose "  Note: In real scenario, OriginalFilename=AnyDesk.exe vs. CurrentName=$CampaignName.exe"

try {
    # Start notepad briefly then kill it — generates EID 1 with the renamed image path
    $proc = Start-Process -FilePath $RenamedBinary -PassThru -ErrorAction Stop
    Start-Sleep -Milliseconds 800
    if (-not $proc.HasExited) {
        $proc.Kill()
        $proc.WaitForExit(2000) | Out-Null
    }
    Write-Ok "Renamed binary executed (PID $($proc.Id)) and terminated — Sysmon EID 1 generated"
} catch {
    Write-Warn "Binary execution failed: $_"
}

Start-Sleep -Milliseconds 300

Write-Step "Step 3/3 — Outbound connection to RMM relay port (network telemetry)"
Write-Verbose "  Target: $RmmHost`:$RmmPort"
Write-Warn "Note: real AnyDesk connects to relay.anydesk.com:443/80/6568; using TCP connect test only"

try {
    $tcp = New-Object System.Net.Sockets.TcpClient
    $async = $tcp.BeginConnect($RmmHost, $RmmPort, $null, $null)
    $connected = $async.AsyncWaitHandle.WaitOne(5000, $false)
    if ($connected) {
        $tcp.EndConnect($async)
        Write-Ok "TCP connection to $RmmHost`:$RmmPort succeeded — Sysmon EID 3 generated"
    } else {
        Write-Warn "TCP connect timed out (connection attempt still generated EID 3)"
    }
    $tcp.Close()
} catch {
    Write-Warn "Network connection failed (telemetry may still have fired): $_"
}

Write-Host ""
Write-Step "Cleaning up artefacts"
Remove-Artefacts

Write-Host ""
Write-Host "=== Emulation Complete ===" -ForegroundColor Magenta
Write-Host ""
Write-Host "Expected detections:" -ForegroundColor White
Write-Host "  [Research]  Sysmon EID 1 — process name matches known RMM tool OR OriginalFilename" -ForegroundColor DarkCyan
Write-Host "  [Hunt]      EID 11 (file in Downloads) + EID 1 (execution within 5 min)"            -ForegroundColor DarkYellow
Write-Host "  [Analyst]   Campaign filename + OriginalFilename mismatch + EID 3 to RMM infra"     -ForegroundColor DarkGreen
Write-Host ""
Write-Host "Higher fidelity: replace source binary with actual AnyDesk.exe for real metadata" -ForegroundColor DarkGray
Write-Host "  OriginalFilename=AnyDesk.exe vs. CurrentName=$CampaignName.exe is the key signal" -ForegroundColor DarkGray
Write-Host ""

OSINT Sources

URLScan filename:tax*.exe OR filename:invoice*.exe OR filename:ssn*.exe OR filename:support*.exe OR filename:verify*.exe

Finds download pages serving tax/invoice/support-themed executables; extend with seasonal pretexts during relevant periods.

Shodan product:"ScreenConnect"

Find internet-exposed ScreenConnect instances; cross-reference against known legitimate MSP infrastructure to identify attacker-controlled deployments.

Censys services.tls.certificate.parsed.subject.common_name: "SimpleHelp"

Finds infrastructure presenting SimpleHelp TLS certificates — currently the most actively exploited RMM platform per CISA AA25-163A.

VirusTotal Intelligence have:itw tag:peexe (metadata:"AnyDesk" OR metadata:"ScreenConnect" OR metadata:"SimpleHelp" OR metadata:"NetSupport")

Requires VT Intelligence subscription; finds PE executables in the wild whose internal metadata references known RMM vendors — the core renamed-binary delivery mechanism.

LOLRMM

Community-maintained catalog of every known RMM tool with file metadata, network indicators, and detection heuristics for building renamed-binary analyst rules.

Intel Resources

• CISA AA23-025A — Protecting Against Malicious Use of RMM Software — Foundational joint advisory from CISA, NSA, and MS-ISAC documenting malicious RMM use; specifically covers portable executable delivery bypassing software installation controls, AnyDesk and ScreenConnect campaign mechanics
• Huntress — A Series of Unfortunate (RMM) Events — Covers RMM-to-RMM chaining, detection evasion patterns, and the broader RMM abuse landscape from an MSP incident response perspective
• Microsoft — Keys to the kingdom: RMM exploits enabling human-operated intrusions in 2024–25 — Microsoft Security Experts analysis of RMM exploitation patterns across incident response engagements; covers both social engineering delivery and direct CVE exploitation vectors
• MITRE ATT&CK — T1219.002 Remote Desktop Software — Technique definition, procedure examples including RMM tool abuse, and detection guidance for remote desktop software used as C2

Related Chokepoints

ClickFix Techniques HIGH Remote Execution Tools (HackTools) HIGH