RMM Tools: The Trusted Backdoor Attackers Don't Have to Build

Attackers are abandoning custom malware in favor of tools your IT team already trusts. Remote monitoring and management (RMM) software abuse surged 277% year-over-year according to the Huntress 2026 Cyber Threat Report, and RMM abuse now factors into 24% of all incidents the company tracks [1]. The shift is structural, not opportunistic. Traditional hacking tool usage plummeted 53% over the same period, while RATs dropped 20% and malicious scripts fell 11.7% [1]. Threat actors aren't building backdoors anymore. They're downloading them from vendor websites.

The implications are serious. Over 50% of cases involving suspicious Atera RMM activity link directly to ransomware attacks, and when tools like RustDesk or Atera are abused, ransomware damage can unfold in as little as one to two hours [1]. That's the dwell-time window defenders get. For many organizations, it's not enough.

Why Attackers Made the Switch

The logic is straightforward. RMM tools are virtually ubiquitous in enterprise environments, and malicious activity blends in with legitimate usage [2]. A ConnectWise ScreenConnect session initiated by an attacker looks identical to one initiated by a helpdesk technician at the network layer. The binaries are signed by recognized vendors. The traffic is encrypted and often routed through vendor-controlled cloud relay infrastructure. Endpoint detection products that lean on signature-based analysis treat these tools as benign because, technically, they are.

Portable executables make things worse. Many RMM agents don't require installation, admin privileges, or persistent registry entries. An attacker can run a standalone binary, establish an encrypted session, and leave minimal forensic artifacts. No services registered. No install directories created. The process launches, the session opens, and your endpoint telemetry logs a legitimate signed binary that executed and terminated.

Healthcare and technology sectors saw the largest increases in RMM-related malicious activity through 2025, according to Huntress data [1]. These sectors tend to have complex IT environments with multiple managed service providers, each potentially running their own RMM stack. That sprawl creates the exact conditions attackers exploit.

The Tool Preferences

Not all RMM tools see equal abuse. Huntress observed attackers using ScreenConnect predominantly for credential harvesting, while NetSupport was favored for fast staging [2]. AnyDesk and Atera remain staples of post-exploitation playbooks. RustDesk, an open-source alternative, has gained traction among threat actors because it can be self-hosted, removing the vendor relay as a potential chokepoint for defenders [1].

This tool selection likely tells us something about attacker priorities. We assess that ScreenConnect's session recording and file transfer capabilities make it well-suited for slow, methodical data theft, while NetSupport's lightweight footprint and scripting support make it useful for rapid deployment scenarios where speed matters more than stealth. The choice of tool often signals the attacker's intent and timeline.

Historical Context: A Pattern Years in the Making

RMM abuse isn't new, but the scale is. CISA advisory AA23-025A, published in January 2023, documented a widespread campaign targeting federal civilian executive branch (FCEB) networks using ScreenConnect and AnyDesk. The attackers gained initial access through phishing emails, then deployed portable RMM executables to remotely access victim systems and conduct refund scams targeting bank accounts. CISA assessed the access could also lead to additional malicious activity against victim organizations. CISA noted that legitimate RMM software generally does not trigger antivirus or antimalware defenses, and that portable executables bypass common software controls and risk management assumptions.

The financially motivated group tracked as Scattered Spider used RMM tools extensively during their 2023 campaigns against commercial facilities, telecommunications, and entertainment targets. North Korean IT worker schemes, documented by the U.S. Department of Justice across 2023 and 2024, relied on unauthorized remote access software to maintain access to employer systems while operatives worked remotely under fabricated identities. Microsoft Threat Intelligence has confirmed DPRK IT workers use RMM tools and VPNs as part of these schemes. These weren't edge cases. They were indicators of a broad tactical shift that the 277% surge now confirms.

The Sanctioned vs. Unsanctioned Problem

Most organizations can't answer a basic question: which RMM tools are authorized on our network, and who is allowed to use them?

Unsanctioned RMM usage falls into two buckets. The first is employee-installed tools. A developer installs AnyDesk to access their workstation from home. No change request, no approval, no visibility. The second is attacker-deployed tools. After gaining initial access through phishing or an exploited vulnerability, a threat actor drops a portable RMM binary to establish persistent, encrypted remote access that blends into normal traffic.

Both create the same detection problem. Your SOC can't write a meaningful detection rule for "unauthorized ScreenConnect" when nobody has documented what authorized ScreenConnect looks like. Which user accounts should be running it? From which source IPs? During which hours? Without that baseline, every alert is noise.

Warning signs include logins from multiple geographic regions within short timeframes, RMM agent installations on systems that don't belong to IT-managed asset groups, and sessions initiated outside normal business hours [1]. These behavioral indicators matter more than signature-based detection for this threat category.

The Post-Exploitation Playbook

The typical attack chain follows a consistent pattern:

1. Initial access via phishing, credential stuffing, or exploitation of a public-facing service
2. Enumeration and privilege escalation using built-in OS tools
3. Deployment of a portable RMM binary to establish persistent access independent of the initial foothold
4. Lateral movement and objective completion through the RMM session: data exfiltration, ransomware deployment, or credential harvesting

Step 3 is the critical pivot. Even when incident response teams identify and burn the initial access vector, the attacker retains access through the RMM channel. This explains a persistent pattern in ransomware investigations: evidence of RMM tool usage appearing days or weeks before the ransomware payload detonates. The attackers were operating quietly through a tool the organization's own security stack considered trusted.

The one-to-two-hour ransomware timeline Huntress documented for Atera and RustDesk abuse [1] represents the fast end of this spectrum. In those cases, the attacker moves directly from RMM deployment to ransomware execution without an extended dwell period. That compressed timeline eliminates most detection opportunities that depend on human analysis.

MITRE ATT&CK Mapping

Based on the documented behaviors in the source material, the following techniques apply:

Detection and Hunting

Detecting RMM abuse requires shifting from signature-based approaches to behavioral and inventory-based methods.

Software Inventory Auditing: Maintain an authoritative list of approved RMM tools, including specific versions, authorized user accounts, and approved installation paths. Anything outside that list is an anomaly worth investigating. Application whitelisting tools (AppLocker, WDAC on Windows) can enforce this at the endpoint level.

Process Execution Monitoring: Hunt for RMM-related process names executing from unusual directories. Legitimate IT deployments install to standard paths (C:\Program Files\ or equivalent). Portable RMM binaries running from %TEMP%, %APPDATA%, user Downloads folders, or recycling bin paths are strong indicators of abuse.

Example Splunk query for anomalous RMM execution:

index=endpoint process_name IN ("AnyDesk.exe", "ScreenConnect.ClientService.exe", "rustdesk.exe", "atera_agent.exe", "NetSupport*.exe") 
| where NOT match(process_path, "(?i)C:\\Program Files")
| stats count by host, user, process_path, process_name

Network Traffic Analysis: Monitor for connections to known RMM vendor relay domains and infrastructure. DNS queries for .anydesk.com, .screenconnect.com, .rustdesk.com, and .atera.com subdomains should be correlated against your authorized tool list. Connections to RMM infrastructure from servers, production systems, or other assets that should never initiate remote desktop sessions are high-fidelity signals.

Note on NetSupport: Malicious NetSupport Manager deployments typically use attacker-controlled gateway addresses rather than vendor domains at *.netsupport.com. Monitor for the NetSupport Manager/1.3 User-Agent string and client32.exe execution from unusual paths (e.g., C:\Users\Public\) as more reliable indicators of malicious NetSupport activity.

Geographic and Temporal Anomalies: Flag RMM sessions originating from unexpected geolocations or occurring outside business hours [1]. A ScreenConnect session authenticated from a country where your organization has no employees, at 3 AM local time, warrants immediate investigation regardless of whether ScreenConnect is an approved tool.

Rapid Deployment Correlation: Given the one-to-two-hour ransomware timeline documented by Huntress [1], any newly installed or newly executed RMM binary should trigger an elevated priority alert. The detection window is extremely narrow, so automation matters. Consider automated containment (network isolation) for endpoints where an unapproved RMM binary executes.

Analysis

The 277% surge in RMM abuse represents a rational economic decision by attackers. Custom malware requires development, testing, and ongoing maintenance to evade detection. RMM tools provide the same capabilities for free, come pre-signed with trusted certificates, and generate network traffic that most security stacks pass without inspection. The cost-benefit analysis overwhelmingly favors abuse of legitimate software.

The simultaneous 53% decline in traditional hacking tool usage [1] suggests this is unlikely to be a temporary trend. Attackers are likely structurally reorganizing their toolkits around living-off-the-land techniques, and RMM abuse is the most prominent expression of that shift. Organizations that have invested heavily in malware detection capabilities without corresponding investment in software asset management and behavioral analytics are exposed.

The concentration of RMM-linked ransomware activity around Atera (over 50% of suspicious Atera cases leading to ransomware [1]) likely reflects Atera's ease of deployment and its agent-based architecture, which provides reliable persistent access. Defenders should treat Atera installations on non-IT-managed systems as high-confidence indicators of compromise.

References

[1] https://www.huntress.com/blog/rmm-abuse-when-it-convenience-bites-back

[2] https://www.darkreading.com/application-security/rmm-abuse-explodes-hackers-ditch-malware

Competing Hypotheses

Multiple sources offer competing assessments on key analytic questions in this report. The body above reflects the assessed primary line; alternative hypotheses and the indicators that would shift the assessment are surfaced below for analyst review.

China

Question 1.

Primary assessment. Does the downgraded Taiwan invasion timeline reduce or increase the cyber threat?

Alternative hypothesis. View A: The IC assessment that China doesn't plan a 2027 invasion suggests reduced near-term military risk. Source: [22] | View B: The briefing argues (and sources support) that below-threshold cyber and influence operations may intensify as substitutes for kinetic action. Sources: [19], [22], [17]

Indicators that would shift assessment:

• New primary-source reporting that directly contradicts the primary assessment
• Convergent coverage of the alternative view from at least two independent Tier 1–2 sources
• Public statement, indictment, or vendor advisory naming the alternative as authoritative

Question 2.

Primary assessment. Is Storm-1175 a state-directed Chinese APT or a financially motivated cybercriminal group?

Alternative hypothesis. View A: The Hacker News [12] labels Storm-1175 as 'China-Linked,' implying state nexus. The briefing places it alongside state-directed infrastructure pre-positioning activities. | View B: Microsoft's primary source describes Storm-1175 as a 'financially motivated cybercriminal' actor, which is distinct from state-directed espionage groups. Web verification confirms Microsoft's characterization.

Indicators that would shift assessment:

• New primary-source reporting that directly contradicts the primary assessment
• Convergent coverage of the alternative view from at least two independent Tier 1–2 sources
• Public statement, indictment, or vendor advisory naming the alternative as authoritative

Question 3.

Primary assessment. Have PLA purges degraded China's military capabilities?

Alternative hypothesis. View A: The IISS assessed the purges left the military with 'serious deficiencies in its command structure' and PLA exercises took substantially longer to implement in 2025. Sources: [28], [14] | View B: The leadership purges have 'not significantly disrupted the PLA's normal functions or operations' and the effects are temporary, with some arguing the PLA may compensate with more aggressive activity. Sources: [28]

Indicators that would shift assessment:

• New primary-source reporting that directly contradicts the primary assessment
• Convergent coverage of the alternative view from at least two independent Tier 1–2 sources
• Public statement, indictment, or vendor advisory naming the alternative as authoritative

Question 4.

Primary assessment. Why did PLAAF incursions into Taiwan's ADIZ decline in early 2026?

Alternative hypothesis. View A: Beijing may be trying to avoid escalating tensions ahead of the Trump-Xi summit (diplomatic signal). Sources: [17] | View B: The decline could relate to ongoing PLA leadership purges that have had a 'paralyzing effect' on the military (operational disruption). Sources: [17], [14], [28]

Indicators that would shift assessment:

• New primary-source reporting that directly contradicts the primary assessment
• Convergent coverage of the alternative view from at least two independent Tier 1–2 sources
• Public statement, indictment, or vendor advisory naming the alternative as authoritative

Question 5.

Primary assessment. How many organizations has Salt Typhoon compromised?

Alternative hypothesis. View A: Source [10] and FBI officials cite 'at least 200 companies' worldwide (August 2025 figure). | View B: The Global Cyber Alliance and Nextgov/FCW (August 2025) report that 600+ organizations were notified by the FBI of Salt Typhoon interest in their systems, across 80+ countries, suggesting a much larger scope than 200 confirmed compromises.

Indicators that would shift assessment:

• New primary-source reporting that directly contradicts the primary assessment
• Convergent coverage of the alternative view from at least two independent Tier 1–2 sources
• Public statement, indictment, or vendor advisory naming the alternative as authoritative

Question 6.

Primary assessment. Will the SCOTUS IEEPA ruling lead to reduced tariffs on China?

Alternative hypothesis. View A: The ruling invalidates all IEEPA tariffs, potentially leading to lower tariff rates on Chinese goods [24]. | View B: The President immediately imposed replacement tariffs under Section 122 of the Trade Act of 1974 (confirmed via web search), with administration officials stating the goal is 'virtually unchanged tariff revenue.' The briefing's Outlook scenario that 'the ruling leads to a reduction in tariffs' may already be overtaken by events.

Indicators that would shift assessment:

• New primary-source reporting that directly contradicts the primary assessment
• Convergent coverage of the alternative view from at least two independent Tier 1–2 sources
• Public statement, indictment, or vendor advisory naming the alternative as authoritative

Question 7.

Primary assessment. What is the impact of PLA purges on China's cyber capabilities?

Alternative hypothesis. View A: Purges cause 'serious deficiencies' in PLA command structure that are 'likely to be a temporary disturbance' (IISS via [17]). | View B: Red Sheep assessment suggests purges may be motivated by operational security failures related to cyber operation exposure (I-Soon, Expedition Cloud leaks), which could lead to tighter compartmentalization. Source [16] quotes Xi on disloyalty but doesn't specify cyber-related concerns.

Indicators that would shift assessment:

• New primary-source reporting that directly contradicts the primary assessment
• Convergent coverage of the alternative view from at least two independent Tier 1–2 sources
• Public statement, indictment, or vendor advisory naming the alternative as authoritative

Question 8.

Primary assessment. Has Salt Typhoon been remediated from major U.S. telecom networks?

Alternative hypothesis. View A: Salt Typhoon has NOT been fully remediated: Senate expert testimony, TechCrunch reporting, and FBI officials indicate hackers are 'likely still inside U.S. networks' [9][10]. The FBI's top cyber official said threats are 'still very much ongoing' (confirmed via web search from CyberScoop, Feb 2026). | View B: Major telecoms claim remediation: AT&T stated in late 2024 it detected 'no activity by nation-state actors' and Verizon claimed to have 'contained the cyber incident' (per web search results). However, both companies have refused to provide documentation to the Senate [9].

Indicators that would shift assessment:

• New primary-source reporting that directly contradicts the primary assessment
• Convergent coverage of the alternative view from at least two independent Tier 1–2 sources
• Public statement, indictment, or vendor advisory naming the alternative as authoritative

North Korea

Question 1.

Primary assessment. What is the accurate scale of the Bybit theft: $1.46 billion or $1.5 billion?

Alternative hypothesis. View A: FBI IC3 PSA [3] states 'approximately $1.5 billion' — the official government attribution figure. | View B: CyberScoop [4] reports '$1.46B' based on market valuations at time of reporting. The Wilson Center [5] says 'more than $1.5 billion.'

Indicators that would shift assessment:

• New primary-source reporting that directly contradicts the primary assessment
• Convergent coverage of the alternative view from at least two independent Tier 1–2 sources
• Public statement, indictment, or vendor advisory naming the alternative as authoritative

Question 2.

Primary assessment. Are DPRK financial theft operations and supply chain compromise converging into a unified strategy or operating as separate tracks?

Alternative hypothesis. View A: The Red Sheep Assessment argues they are converging, citing the Bybit attack path through Safe{Wallet} [5], Contagious Interview's targeting of developer environments [9], and npm package poisoning at scale [10]. | View B: The conventional framing, acknowledged by the briefing, treats these as separate threat categories. Financial theft (Lazarus/TraderTraitor) and developer supply chain compromise (Contagious Interview/Famous Chollima) may operate under different RGB sub-units with different objectives. No source explicitly confirms organizational or strategic convergence.

Indicators that would shift assessment:

• New primary-source reporting that directly contradicts the primary assessment
• Convergent coverage of the alternative view from at least two independent Tier 1–2 sources
• Public statement, indictment, or vendor advisory naming the alternative as authoritative

Question 3.

Primary assessment. Does the US National Security Strategy omission of North Korea signal reduced attention or is it a deliberate strategic choice?

Alternative hypothesis. View A: The omission signals to Pyongyang that its cyber operations face reduced strategic-level attention, potentially emboldening further operations [30]. This is the briefing's framing. | View B: The omission could reflect a deliberate strategy to avoid elevating North Korea's status or could signal that the administration plans to address DPRK through the China relationship rather than directly. Source [27] notes Trump remains 'positive about dialogue' with Kim, suggesting engagement rather than neglect.

Indicators that would shift assessment:

• New primary-source reporting that directly contradicts the primary assessment
• Convergent coverage of the alternative view from at least two independent Tier 1–2 sources
• Public statement, indictment, or vendor advisory naming the alternative as authoritative

Question 4.

Primary assessment. Is Russian technology transfer to DPRK producing immediate offensive cyber/EW capability or is it a future risk?

Alternative hypothesis. View A: Technology transfer is already underway and producing results: 3,000 soldiers returned with hands-on experience [24], $5.6-9.8B in Russian capital flowing to DPRK defense industry [25], and the 9th Party Congress formalized EW/AI as priorities [21]. Supported by the Red Sheep Assessment. | View B: Most analysis frames Russian technology transfer as a future risk rather than a current capability. The Lowy Institute [22] notes the EW/AI emphasis 'may stem from' battlefield experience — hedged language suggesting the causal chain is not yet confirmed. Combat experience in drone/artillery operations does not necessarily translate to offensive cyber or EW capability development.

Indicators that would shift assessment:

• New primary-source reporting that directly contradicts the primary assessment
• Convergent coverage of the alternative view from at least two independent Tier 1–2 sources
• Public statement, indictment, or vendor advisory naming the alternative as authoritative

Hunt Guide: RMM Tool Abuse for Persistent Access and Ransomware Deployment

Attribution: Detection logic below credits its original author. Rules adapted, ported, or quoted from a public source retain that source's author (e.g. SigmaHQ / Florian Roth, Elastic, Emerging Threats, Abuse.ch, or the cited vendor/researcher). Only rules explicitly marked RedSheep Security/Stone (original) were authored in-house. If you reuse a rule, preserve its stated attribution.

Hypothesis: If threat actors are abusing legitimate Remote Monitoring and Management (RMM) tools for persistent access and ransomware staging in our environment, we expect to observe unauthorized RMM process executions from non-standard directories, DNS queries to RMM vendor relay infrastructure from non-IT-managed systems, RMM agent installations outside change management windows, and geographic/temporal anomalies in RMM sessions — detectable in endpoint telemetry (Sysmon, EDR), DNS logs, proxy logs, and authentication logs.

Intelligence Summary: Attackers have structurally shifted from custom malware to abusing legitimate RMM tools such as AnyDesk, ScreenConnect, RustDesk, Atera, and NetSupport, with RMM abuse surging 277% year-over-year while traditional hacking tool usage dropped 53%. Over 50% of suspicious Atera activity links directly to ransomware with dwell times as short as one to two hours. Healthcare and technology sectors are disproportionately targeted, and the technique exploits trusted vendor-signed binaries and encrypted traffic to evade signature-based detection.

Confidence: High | Priority: Critical

Scope

• Networks: All enterprise network segments with emphasis on: (1) healthcare/clinical networks, (2) endpoints managed by third-party MSPs, (3) servers and production systems that should never initiate RMM sessions, (4) user endpoints not in IT-managed asset groups, (5) DMZ and externally-facing systems
• Timeframe: Rolling 90-day retrospective hunt with continuous forward monitoring. Initial sweep should cover last 30 days of endpoint telemetry and last 90 days of DNS/proxy logs given that attackers may operate through RMM channels for weeks before ransomware deployment.
• Priority Systems: Domain controllers, backup servers, database servers, medical device management systems, systems with PHI/PII access, endpoints in clinical environments, systems managed by external MSPs, any system with admin-level service accounts

MITRE ATT&CK Techniques

T1219 — Remote Access Software (Command and Control) [P1]

Core technique: threat actors deploy legitimate RMM tools (AnyDesk, ScreenConnect, RustDesk, Atera, NetSupport) as portable executables to establish persistent, encrypted remote access that blends with legitimate IT operations. RMM tools are downloaded from vendor websites, are vendor-signed, and do not trigger AV/EDR signatures. This is the primary persistence mechanism replacing custom malware.

Splunk SPL:

index=endpoint sourcetype IN ("XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "WinEventLog:Security", "crowdstrike:events:sensor", "carbon_black") EventCode IN (1, 4688) (process_name IN ("AnyDesk.exe", "anydesk.exe", "ScreenConnect.ClientService.exe", "ScreenConnect.WindowsClient.exe", "rustdesk.exe", "AteraAgent.exe", "atera_agent.exe", "NetSupport.exe", "client32.exe", "NetSupportManager.exe") OR OriginalFileName IN ("AnyDesk.exe", "ScreenConnect.ClientService.exe", "rustdesk.exe", "AteraAgent.exe", "client32.exe")) | eval suspicious_path=if(NOT match(process_path, "(?i)(C:\\Program Files|C:\\Program Files \(x86\)|C:\\ProgramData)"), "YES", "NO") | where suspicious_path="YES" | stats count earliest(_time) as first_seen latest(_time) as last_seen values(process_path) as paths values(parent_process_name) as parent_procs by host, user, process_name | sort - count | table host user process_name paths parent_procs count first_seen last_seen

Elastic KQL:

(process.name:("AnyDesk.exe" OR "ScreenConnect.ClientService.exe" OR "ScreenConnect.WindowsClient.exe" OR "rustdesk.exe" OR "AteraAgent.exe" OR "atera_agent.exe" OR "NetSupport.exe" OR "client32.exe" OR "NetSupportManager.exe")) AND NOT process.executable:(*"Program Files"* OR *"Program Files (x86)"* OR *"ProgramData"*)

Sigma Rule:

title: Suspicious RMM Tool Execution from Non-Standard Path
id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
status: experimental
description: Detects execution of known RMM tools from non-standard installation directories, indicating potential attacker-deployed portable RMM binaries for persistent access.
author: RedSheep Security/Stone
date: 2025/07/09
references:
  - https://www.huntress.com/blog/rmm-abuse-when-it-convenience-bites-back
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a
logsource:
  category: process_creation
  product: windows
detection:
  selection_rmm:
    Image|endswith:
      - '\AnyDesk.exe'
      - '\ScreenConnect.ClientService.exe'
      - '\ScreenConnect.WindowsClient.exe'
      - '\rustdesk.exe'
      - '\AteraAgent.exe'
      - '\atera_agent.exe'
      - '\client32.exe'
      - '\NetSupportManager.exe'
  filter_legitimate_paths:
    Image|startswith:
      - 'C:\Program Files\'
      - 'C:\Program Files (x86)\'
      - 'C:\ProgramData\'
  condition: selection_rmm and not filter_legitimate_paths
falsepositives:
  - Legitimate portable use by IT administrators (should be documented and whitelisted)
  - Software evaluation or testing in non-standard directories
level: high
tags:
  - attack.command_and_control
  - attack.t1219
  - attack.persistence

Attribution: RedSheep Security/Stone (original)

Tune by excluding known IT admin accounts and approved portable deployment paths. Maintain a lookup table of authorized RMM tools and installation paths. Any RMM binary executing from %TEMP%, %APPDATA%, Downloads, Desktop, Recycle Bin, or C:\Users\Public is high-confidence malicious. Consider automated containment given 1-2 hour ransomware timelines.

T1219 — Remote Access Software (Command and Control) [P1]

Focused detection for NetSupport Manager abuse. Malicious NetSupport deployments use attacker-controlled gateway addresses rather than vendor domains, and typically execute client32.exe from non-standard paths such as C:\Users\Public\. The NetSupport Manager/1.3 User-Agent string in HTTP traffic is a reliable network indicator.

Splunk SPL:

index=endpoint sourcetype IN ("XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "WinEventLog:Security") EventCode=1 (process_name="client32.exe" OR OriginalFileName="client32.exe") | eval suspicious=if(match(process_path, "(?i)(Users\\Public|Temp|AppData|Downloads|Desktop|Recycle)"), "HIGH", "MEDIUM") | stats count values(process_path) as paths values(parent_process_name) as parents values(CommandLine) as cmdlines by host, user, suspicious | sort - suspicious | table host user process_path parents cmdlines suspicious count

Elastic KQL:

process.name:"client32.exe" AND (process.executable:*Users\\Public* OR process.executable:*Temp* OR process.executable:*AppData* OR process.executable:*Downloads*)

Sigma Rule:

title: NetSupport Manager Client Execution from Suspicious Path
id: b2c3d4e5-f6a7-8901-bcde-f12345678901
status: experimental
description: Detects client32.exe (NetSupport Manager client) executing from non-standard directories commonly used by attackers for malicious NetSupport deployments.
author: RedSheep Security/Stone
date: 2025/07/09
references:
  - https://www.darkreading.com/application-security/rmm-abuse-explodes-hackers-ditch-malware
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\client32.exe'
  filter_standard:
    Image|startswith:
      - 'C:\Program Files\'
      - 'C:\Program Files (x86)\'
  condition: selection and not filter_standard
falsepositives:
  - Legitimate NetSupport deployments in non-standard directories (rare, should be documented)
level: critical
tags:
  - attack.command_and_control
  - attack.t1219

Attribution: RedSheep Security/Stone (original)

client32.exe in C:\Users\Public\ is a very high-confidence indicator of malicious NetSupport deployment. Correlate with network connections to non-netsupport.com domains to identify attacker-controlled gateway infrastructure.

T1105 — Ingress Tool Transfer (Command and Control) [P1]

Transfer of portable RMM binaries to compromised hosts. Attackers download RMM executables from vendor websites or transfer them via the initial access vector. Detection focuses on file creation events for RMM binaries in unusual directories and download activity from RMM vendor sites by non-IT users/systems.

Splunk SPL:

index=endpoint sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11 (TargetFilename="*AnyDesk*" OR TargetFilename="*ScreenConnect*" OR TargetFilename="*rustdesk*" OR TargetFilename="*atera*" OR TargetFilename="*client32*" OR TargetFilename="*NetSupport*") | eval suspicious_dir=if(match(TargetFilename, "(?i)(Temp|AppData|Downloads|Desktop|Users\\Public|Recycle)"), "YES", "NO") | where suspicious_dir="YES" | stats count earliest(_time) as first_seen values(TargetFilename) as files by host, user | sort - count

Elastic KQL:

event.action:"creation" AND file.name:("AnyDesk.exe" OR "ScreenConnect.ClientService.exe" OR "rustdesk.exe" OR "AteraAgent.exe" OR "client32.exe") AND (file.path:*Temp* OR file.path:*AppData* OR file.path:*Downloads* OR file.path:*Public*)

Sigma Rule:

title: RMM Binary File Creation in Suspicious Directory
id: c3d4e5f6-a7b8-9012-cdef-123456789012
status: experimental
description: Detects creation of known RMM tool binaries in temporary, user, or download directories indicating potential attacker tool staging.
author: RedSheep Security/Stone
date: 2025/07/09
references:
  - https://www.huntress.com/blog/rmm-abuse-when-it-convenience-bites-back
logsource:
  category: file_event
  product: windows
detection:
  selection_filenames:
    TargetFilename|endswith:
      - '\AnyDesk.exe'
      - '\ScreenConnect.ClientService.exe'
      - '\ScreenConnect.WindowsClient.exe'
      - '\rustdesk.exe'
      - '\AteraAgent.exe'
      - '\client32.exe'
  selection_paths:
    TargetFilename|contains:
      - '\Temp\'
      - '\AppData\'
      - '\Downloads\'
      - '\Desktop\'
      - '\Users\Public\'
      - '\$Recycle.Bin\'
  condition: selection_filenames and selection_paths
falsepositives:
  - Legitimate software downloads by IT staff prior to installation
level: high
tags:
  - attack.command_and_control
  - attack.t1105

Attribution: RedSheep Security/Stone (original)

Correlate file creation events with subsequent process execution events for the same binary to build a complete attack chain timeline. File creation in Recycle Bin paths is especially suspicious.

T1071.001 — Application Layer Protocol: Web Protocols (Command and Control) [P2]

RMM tools communicate over HTTPS through vendor-controlled cloud relay infrastructure, blending with normal web traffic. Detection requires DNS and proxy monitoring for RMM vendor domains from systems not authorized to use those tools.

Splunk SPL:

index=dns OR index=proxy sourcetype IN ("stream:dns", "bluecoat", "squid", "pan:traffic", "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational") (query="*.anydesk.com" OR query="*.screenconnect.com" OR query="*.rustdesk.com" OR query="*.atera.com" OR query="*.connectwise.com" OR dest_host="*.anydesk.com" OR dest_host="*.screenconnect.com" OR dest_host="*.rustdesk.com" OR dest_host="*.atera.com") | lookup authorized_rmm_hosts host as src OUTPUT authorized | where isnull(authorized) OR authorized!="true" | stats count dc(query) as unique_domains values(query) as domains earliest(_time) as first_seen latest(_time) as last_seen by src, src_ip | sort - count

Elastic KQL:

(dns.question.name:*.anydesk.com OR dns.question.name:*.screenconnect.com OR dns.question.name:*.rustdesk.com OR dns.question.name:*.atera.com OR dns.question.name:*.connectwise.com) AND NOT source.ip:("10.0.0.0/8" AND tags:"authorized_rmm")

Sigma Rule:

title: DNS Query to RMM Vendor Relay Infrastructure
id: d4e5f6a7-b8c9-0123-def0-234567890123
status: experimental
description: Detects DNS queries to known RMM vendor relay domains which may indicate unauthorized RMM tool usage or attacker-deployed RMM agents.
author: RedSheep Security/Stone
date: 2025/07/09
references:
  - https://www.huntress.com/blog/rmm-abuse-when-it-convenience-bites-back
logsource:
  category: dns_query
  product: windows
detection:
  selection:
    QueryName|endswith:
      - '.anydesk.com'
      - '.screenconnect.com'
      - '.rustdesk.com'
      - '.atera.com'
      - '.connectwise.com'
  condition: selection
falsepositives:
  - Authorized IT/MSP RMM tool usage (filter by asset group or authorized host list)
level: medium
tags:
  - attack.command_and_control
  - attack.t1071.001

Attribution: RedSheep Security/Stone (original)

This query requires an authorized RMM hosts lookup table (authorized_rmm_hosts) to be effective. Without it, this will generate significant noise in environments with legitimate RMM usage. Focus on servers, production systems, and endpoints outside IT-managed asset groups. For RustDesk, self-hosted instances will NOT query rustdesk.com — monitor for unusual relay server connections on ports 21115-21119.

T1078 — Valid Accounts (Persistence) [P2]

RMM sessions authenticated with stolen, compromised, or fabricated credentials. Attackers use valid account credentials to authenticate to RMM platforms, making sessions appear legitimate. Detection focuses on geographic impossibility, temporal anomalies, and multi-factor authentication bypass indicators.

Splunk SPL:

index=endpoint sourcetype IN ("XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "WinEventLog:Security") EventCode=1 process_name IN ("AnyDesk.exe", "ScreenConnect.ClientService.exe", "rustdesk.exe", "AteraAgent.exe", "client32.exe") | eval hour=strftime(_time, "%H") | eval day=strftime(_time, "%A") | where (hour < 6 OR hour > 20) OR day IN ("Saturday", "Sunday") | stats count values(process_name) as tools values(process_path) as paths by host, user, hour, day | sort - count | table host user tools paths hour day count

Elastic KQL:

(process.name:("AnyDesk.exe" OR "ScreenConnect.ClientService.exe" OR "rustdesk.exe" OR "AteraAgent.exe" OR "client32.exe")) AND (NOT @timestamp.hour_of_day:[6 TO 20])

Sigma Rule:

title: RMM Tool Execution Outside Business Hours
id: e5f6a7b8-c9d0-1234-ef01-345678901234
status: experimental
description: Detects RMM tool execution outside normal business hours (before 0600 or after 2000) which may indicate unauthorized or attacker-initiated remote access sessions.
author: RedSheep Security/Stone
date: 2025/07/09
references:
  - https://www.huntress.com/blog/rmm-abuse-when-it-convenience-bites-back
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\AnyDesk.exe'
      - '\ScreenConnect.ClientService.exe'
      - '\rustdesk.exe'
      - '\AteraAgent.exe'
      - '\client32.exe'
  timeframe:
    - early_morning|
    - late_night|
  condition: selection
falsepositives:
  - Legitimate after-hours IT maintenance or emergency support
level: medium
tags:
  - attack.persistence
  - attack.t1078
  - attack.command_and_control
  - attack.t1219

Attribution: RedSheep Security/Stone (original)

This rule requires local time zone awareness. Adjust the hour thresholds based on your organization's operating hours. Correlate with VPN logs and badge access to identify sessions from employees who are not physically present. Geographic impossibility (login from two distant locations within a short timeframe) is a high-confidence indicator.

T1553.002 — Subvert Trust Controls: Code Signing (Defense Evasion) [P2]

Legitimate vendor-signed RMM binaries inherently bypass signature-based endpoint detection. Attackers exploit the trust relationship between security tools and signed software — the RMM binaries are not modified or tampered with, they are legitimate signed executables used for malicious purposes. Detection must focus on behavioral context rather than binary analysis.

Splunk SPL:

index=endpoint sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 (process_name IN ("AnyDesk.exe", "ScreenConnect.ClientService.exe", "ScreenConnect.WindowsClient.exe", "rustdesk.exe", "AteraAgent.exe", "client32.exe")) | eval signed_vendor=case(match(Signature, "(?i)philandro"), "AnyDesk", match(Signature, "(?i)connectwise"), "ScreenConnect", match(Signature, "(?i)rustdesk"), "RustDesk", match(Signature, "(?i)atera"), "Atera", match(Signature, "(?i)netsupport"), "NetSupport", 1=1, "Unknown") | eval path_risk=case(match(process_path, "(?i)(Temp|AppData|Downloads|Public|Recycle)"), "HIGH", match(process_path, "(?i)Program Files"), "LOW", 1=1, "MEDIUM") | where path_risk!="LOW" | table _time host user process_name process_path signed_vendor path_risk parent_process_name CommandLine

Elastic KQL:

process.name:("AnyDesk.exe" OR "ScreenConnect.ClientService.exe" OR "rustdesk.exe" OR "AteraAgent.exe" OR "client32.exe") AND process.code_signature.exists:true AND NOT process.executable:(*"Program Files"*)

Signed binary analysis alone will not detect this threat. The detection value comes from correlating legitimate signatures with suspicious execution context (unusual paths, unusual parent processes, unusual timing). This is a behavioral detection challenge, not a signature challenge.

T1486 — Data Encrypted for Impact (Impact) [P1]

Ransomware deployment via established RMM sessions. Over 50% of suspicious Atera activity links to ransomware, with timelines as short as 1-2 hours from RMM deployment to ransomware detonation. Detection focuses on correlating RMM tool execution with subsequent indicators of ransomware staging or execution.

Splunk SPL:

index=endpoint sourcetype IN ("XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "WinEventLog:Security") EventCode IN (1, 4688) | eval is_rmm=if(match(process_name, "(?i)(AnyDesk|ScreenConnect|rustdesk|atera|client32|NetSupport)"), 1, 0) | eval is_ransomware_indicator=if(match(CommandLine, "(?i)(vssadmin.*delete|wmic.*shadowcopy.*delete|bcdedit.*recoveryenabled.*no|wbadmin.*delete|cipher\.exe.*/w)"), 1, 0) | transaction host maxspan=2h | where is_rmm=1 AND is_ransomware_indicator=1 | table _time host user process_name CommandLine

Elastic KQL:

(process.name:("vssadmin.exe" OR "wmic.exe" OR "bcdedit.exe" OR "wbadmin.exe") AND process.command_line:(*delete* OR *shadowcopy* OR *recoveryenabled*)) AND host.name:(* )

Sigma Rule:

title: RMM Tool Followed by Ransomware Pre-Encryption Activity
id: f6a7b8c9-d0e1-2345-f012-456789012345
status: experimental
description: Detects ransomware staging indicators (VSS deletion, recovery disabling) on hosts where RMM tools have recently executed, indicating potential RMM-facilitated ransomware deployment per Huntress 2026 reporting.
author: RedSheep Security/Stone
date: 2025/07/09
references:
  - https://www.huntress.com/blog/rmm-abuse-when-it-convenience-bites-back
logsource:
  category: process_creation
  product: windows
detection:
  selection_ransomware_staging:
    CommandLine|contains:
      - 'vssadmin delete shadows'
      - 'wmic shadowcopy delete'
      - 'bcdedit /set {default} recoveryenabled no'
      - 'wbadmin delete catalog'
  condition: selection_ransomware_staging
falsepositives:
  - Legitimate system administration (VSS management) — rare and should be documented
level: critical
tags:
  - attack.impact
  - attack.t1486
  - attack.t1490

Attribution: RedSheep Security/Stone (original)

Given the 1-2 hour ransomware timeline documented by Huntress, this detection must be paired with automated containment. Any host triggering both RMM execution from non-standard paths AND ransomware staging indicators should be immediately network-isolated. The transaction/correlation window of 2 hours is based on the fastest documented attack timeline.

T1056 — Input Capture (Collection) [P2]

Credential harvesting via interactive RMM sessions, particularly ScreenConnect which is favored for this purpose due to its session recording and file transfer capabilities. Attackers use the interactive remote desktop session to observe credential entry or access credential stores.

Splunk SPL:

index=endpoint sourcetype="WinEventLog:Security" EventCode=4648 | eval rmm_logon=if(match(Process_Name, "(?i)(ScreenConnect|AnyDesk|rustdesk|atera|client32)"), "YES", "NO") | where rmm_logon="YES" | stats count values(Target_Server_Name) as targets values(Account_Name) as accounts_used by host, Process_Name | sort - count

Elastic KQL:

event.code:"4648" AND process.name:("ScreenConnect.ClientService.exe" OR "ScreenConnect.WindowsClient.exe" OR "AnyDesk.exe" OR "rustdesk.exe")

ScreenConnect is specifically favored for credential harvesting per Huntress/Dark Reading reporting. Monitor for explicit credential logon events (4648) where the calling process is an RMM tool, as this indicates the RMM session is being used to authenticate to additional resources with different credentials — a hallmark of lateral movement.

T1059.001 — Command and Scripting Interpreter: PowerShell (Execution) [P2]

RMM tools, particularly NetSupport with its scripting support, can be used to execute PowerShell commands for enumeration, privilege escalation, and payload delivery. Detection focuses on PowerShell execution spawned by RMM tool processes.

Splunk SPL:

index=endpoint sourcetype IN ("XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "WinEventLog:Microsoft-Windows-PowerShell/Operational") ((EventCode=1 process_name="powershell.exe" parent_process_name IN ("AnyDesk.exe", "ScreenConnect.ClientService.exe", "ScreenConnect.WindowsClient.exe", "rustdesk.exe", "AteraAgent.exe", "client32.exe", "cmd.exe")) OR (EventCode=4104)) | eval rmm_spawned=if(match(parent_process_name, "(?i)(AnyDesk|ScreenConnect|rustdesk|atera|client32|NetSupport)"), "YES", "NO") | where rmm_spawned="YES" OR (EventCode=4104 AND match(ScriptBlockText, "(?i)(Invoke-|IEX|downloadstring|encodedcommand|bypass)")) | table _time host user process_name parent_process_name CommandLine ScriptBlockText

Elastic KQL:

process.name:"powershell.exe" AND process.parent.name:("AnyDesk.exe" OR "ScreenConnect.ClientService.exe" OR "ScreenConnect.WindowsClient.exe" OR "rustdesk.exe" OR "AteraAgent.exe" OR "client32.exe")

Sigma Rule:

title: PowerShell Spawned by RMM Tool Process
id: a7b8c9d0-e1f2-3456-0123-567890123456
status: experimental
description: Detects PowerShell execution with an RMM tool as the parent process, indicating potential post-exploitation command execution through an abused RMM session.
author: RedSheep Security/Stone
date: 2025/07/09
references:
  - https://www.darkreading.com/application-security/rmm-abuse-explodes-hackers-ditch-malware
logsource:
  category: process_creation
  product: windows
detection:
  selection_powershell:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
  selection_rmm_parent:
    ParentImage|endswith:
      - '\AnyDesk.exe'
      - '\ScreenConnect.ClientService.exe'
      - '\ScreenConnect.WindowsClient.exe'
      - '\rustdesk.exe'
      - '\AteraAgent.exe'
      - '\client32.exe'
      - '\NetSupportManager.exe'
  condition: selection_powershell and selection_rmm_parent
falsepositives:
  - Legitimate IT automation scripts executed via RMM tools (should be baselined)
level: high
tags:
  - attack.execution
  - attack.t1059.001
  - attack.command_and_control
  - attack.t1219

Attribution: RedSheep Security/Stone (original)

Legitimate MSP/IT automation may trigger this — baseline expected PowerShell execution patterns through authorized RMM tools. Encoded commands, download cradles, and AMSI bypass attempts spawned by RMM processes are high-confidence malicious indicators.

T1036 — Masquerading (Defense Evasion) [P2]

Hunt for RMM binaries that have been renamed to evade process name-based detections. Attackers may rename AnyDesk.exe or client32.exe to blend with system processes. Detection compares OriginalFileName metadata against actual process name.

Splunk SPL:

index=endpoint sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 OriginalFileName IN ("AnyDesk.exe", "ScreenConnect.ClientService.exe", "rustdesk.exe", "AteraAgent.exe", "client32.exe") | eval renamed=if(process_name!=OriginalFileName, "RENAMED", "NORMAL") | where renamed="RENAMED" | table _time host user process_name OriginalFileName process_path parent_process_name CommandLine

Elastic KQL:

process.pe.original_file_name:("AnyDesk.exe" OR "ScreenConnect.ClientService.exe" OR "rustdesk.exe" OR "AteraAgent.exe" OR "client32.exe") AND NOT process.name:("AnyDesk.exe" OR "ScreenConnect.ClientService.exe" OR "rustdesk.exe" OR "AteraAgent.exe" OR "client32.exe")

This detection relies on Sysmon capturing the OriginalFileName PE metadata field. Renamed RMM binaries are a strong indicator of deliberate evasion and should be treated as high-confidence malicious activity.

Indicators of Compromise

IOC Sweep Queries (Splunk):

index=dns OR index=proxy (query="*.anydesk.com" OR dest_host="*.anydesk.com" OR url="*anydesk.com*") | stats count earliest(_time) as first_seen latest(_time) as last_seen values(src) as source_hosts by query | lookup authorized_rmm_hosts host as source_hosts OUTPUT authorized | where isnull(authorized)

index=dns OR index=proxy (query="*.screenconnect.com" OR dest_host="*.screenconnect.com" OR url="*screenconnect.com*") | stats count earliest(_time) as first_seen latest(_time) as last_seen values(src) as source_hosts by query | lookup authorized_rmm_hosts host as source_hosts OUTPUT authorized | where isnull(authorized)

index=dns OR index=proxy (query="*.connectwise.com" OR dest_host="*.connectwise.com") | stats count earliest(_time) as first_seen latest(_time) as last_seen values(src) as source_hosts by query

index=dns OR index=proxy (query="*.rustdesk.com" OR dest_host="*.rustdesk.com" OR url="*rustdesk.com*") | stats count earliest(_time) as first_seen latest(_time) as last_seen values(src) as source_hosts by query | lookup authorized_rmm_hosts host as source_hosts OUTPUT authorized | where isnull(authorized)

index=dns OR index=proxy (query="*.atera.com" OR dest_host="*.atera.com" OR url="*atera.com*") | stats count earliest(_time) as first_seen latest(_time) as last_seen values(src) as source_hosts by query | lookup authorized_rmm_hosts host as source_hosts OUTPUT authorized | where isnull(authorized)

index=endpoint (process_name="AnyDesk.exe" OR TargetFilename="*AnyDesk.exe*") | where NOT match(process_path, "(?i)C:\\Program Files") | stats count values(process_path) as paths values(host) as hosts by user | sort - count

index=endpoint (process_name="ScreenConnect.ClientService.exe" OR process_name="ScreenConnect.WindowsClient.exe" OR TargetFilename="*ScreenConnect*") | where NOT match(process_path, "(?i)C:\\Program Files") | stats count values(process_path) as paths values(host) as hosts by user | sort - count

index=endpoint (process_name="rustdesk.exe" OR TargetFilename="*rustdesk*") | where NOT match(process_path, "(?i)C:\\Program Files") | stats count values(process_path) as paths values(host) as hosts by user | sort - count

index=endpoint (process_name="AteraAgent.exe" OR process_name="atera_agent.exe" OR TargetFilename="*atera*agent*") | where NOT match(process_path, "(?i)C:\\Program Files") | stats count values(process_path) as paths values(host) as hosts by user | sort - count

index=endpoint (process_name="client32.exe" OR TargetFilename="*client32.exe*") | where NOT match(process_path, "(?i)C:\\Program Files") | stats count values(process_path) as paths values(host) as hosts by user | sort - count

YARA Rules

HUNT_Portable_RMM_Suspicious_Location — Detects known RMM tool binaries located in suspicious directories (temp, downloads, appdata, public, recycle bin) indicating potential attacker-deployed portable RMM agents

rule HUNT_Portable_RMM_Suspicious_Location {
    meta:
        author = "RedSheep Security/Stone"
        description = "Detects known RMM tool binaries in suspicious directories indicating potential attacker deployment"
        date = "2025-07-09"
        reference = "https://www.huntress.com/blog/rmm-abuse-when-it-convenience-bites-back"
        severity = "high"
        hunt = "RMM Tool Abuse"
    strings:
        $anydesk_name = "AnyDesk" ascii wide nocase
        $anydesk_mutex = "AnyDesk-" ascii wide
        $screenconnect = "ScreenConnect" ascii wide nocase
        $screenconnect_svc = "ScreenConnect.ClientService" ascii wide
        $rustdesk = "rustdesk" ascii wide nocase
        $rustdesk_str = "rustdesk.exe" ascii wide nocase
        $atera = "AteraAgent" ascii wide nocase
        $atera_str = "atera_agent" ascii wide nocase
        $netsupport = "NetSupport" ascii wide nocase
        $netsupport_client = "client32" ascii wide nocase
        $path_temp = "\\Temp\\" ascii wide nocase
        $path_appdata = "\\AppData\\" ascii wide nocase
        $path_downloads = "\\Downloads\\" ascii wide nocase
        $path_public = "\\Users\\Public\\" ascii wide nocase
        $path_recycle = "\\$Recycle.Bin\\" ascii wide nocase
        $path_desktop = "\\Desktop\\" ascii wide nocase
    condition:
        uint16(0) == 0x5A4D and
        filesize < 100MB and
        (($anydesk_name or $anydesk_mutex) or
         ($screenconnect or $screenconnect_svc) or
         ($rustdesk or $rustdesk_str) or
         ($atera or $atera_str) or
         ($netsupport or $netsupport_client)) and
        ($path_temp or $path_appdata or $path_downloads or $path_public or $path_recycle or $path_desktop)
}

Attribution: RedSheep Security/Stone (original)

HUNT_NetSupport_RAT_Config — Detects NetSupport Manager configuration artifacts commonly seen in malicious deployments, including gateway configuration strings and client32 components

rule HUNT_NetSupport_RAT_Config {
    meta:
        author = "RedSheep Security/Stone"
        description = "Detects NetSupport Manager configuration and component artifacts commonly seen in malicious deployments"
        date = "2025-07-09"
        reference = "https://www.darkreading.com/application-security/rmm-abuse-explodes-hackers-ditch-malware"
        severity = "high"
    strings:
        $client32 = "client32.exe" ascii wide nocase
        $client32_ini = "client32.ini" ascii wide nocase
        $netsupport_mgr = "NetSupport Manager" ascii wide
        $gateway_addr = "GatewayAddress" ascii wide nocase
        $nsc_config = ".nsc" ascii wide
        $pcictrl = "PCICTRL.DLL" ascii wide nocase
        $htctl32 = "HTCTL32.DLL" ascii wide nocase
        $nsm_license = "NSM.LIC" ascii wide nocase
        $remctrl = "remcmdstub.exe" ascii wide nocase
    condition:
        ($client32 or $client32_ini) and
        ($gateway_addr or $nsc_config) and
        ($pcictrl or $htctl32 or $nsm_license or $remctrl or $netsupport_mgr)
}

Attribution: RedSheep Security/Stone (original)

HUNT_RMM_Binary_Strings — Broad detection for PE files containing strings from multiple RMM tools, designed for filesystem sweeps to identify RMM binaries on disk

rule HUNT_RMM_Binary_Strings {
    meta:
        author = "RedSheep Security/Stone"
        description = "Identifies PE files containing RMM tool-specific strings for filesystem sweep hunting"
        date = "2025-07-09"
        reference = "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a"
        severity = "medium"
    strings:
        $anydesk_pdb = "AnyDesk" ascii wide
        $anydesk_config = "ad.anynet." ascii wide
        $sc_client = "ScreenConnect.Client" ascii wide
        $sc_relay = "relay.screenconnect.com" ascii wide
        $rd_main = "rustdesk" ascii wide
        $rd_relay = "rs-ny.rustdesk.com" ascii wide
        $atera_agent = "AteraAgent" ascii wide
        $atera_svc = "aaborern" ascii wide
        $ns_client = "NetSupport Ltd" ascii wide
        $ns_mgr = "NetSupport Manager" ascii wide
    condition:
        uint16(0) == 0x5A4D and
        filesize < 100MB and
        any of them
}

Attribution: RedSheep Security/Stone (original)

Suricata Rules

SID 2025001 — Detects HTTP User-Agent string associated with NetSupport Manager client, commonly seen in malicious NetSupport RAT deployments

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"HUNT - NetSupport Manager HTTP User-Agent Detected"; flow:established,to_server; http.user_agent; content:"NetSupport Manager/1.3"; nocase; classtype:trojan-activity; sid:2025001; rev:1; metadata:created_at 2025_07_09, updated_at 2025_07_09;)

Attribution: RedSheep Security/Stone (original)

SID 2025002 — Detects TLS SNI connection to AnyDesk relay infrastructure from internal hosts

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"HUNT - TLS Connection to AnyDesk Relay Infrastructure"; flow:established,to_server; tls.sni; content:".anydesk.com"; nocase; classtype:policy-violation; sid:2025002; rev:1; metadata:created_at 2025_07_09, updated_at 2025_07_09;)

Attribution: RedSheep Security/Stone (original)

SID 2025003 — Detects TLS SNI connection to ScreenConnect relay infrastructure from internal hosts

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"HUNT - TLS Connection to ScreenConnect Relay Infrastructure"; flow:established,to_server; tls.sni; content:".screenconnect.com"; nocase; classtype:policy-violation; sid:2025003; rev:1; metadata:created_at 2025_07_09, updated_at 2025_07_09;)

Attribution: RedSheep Security/Stone (original)

SID 2025004 — Detects TLS SNI connection to RustDesk relay infrastructure from internal hosts

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"HUNT - TLS Connection to RustDesk Relay Infrastructure"; flow:established,to_server; tls.sni; content:".rustdesk.com"; nocase; classtype:policy-violation; sid:2025004; rev:1; metadata:created_at 2025_07_09, updated_at 2025_07_09;)

Attribution: RedSheep Security/Stone (original)

SID 2025005 — Detects TLS SNI connection to Atera cloud infrastructure from internal hosts - high ransomware correlation

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"HUNT - TLS Connection to Atera Cloud Infrastructure [High Ransomware Correlation]"; flow:established,to_server; tls.sni; content:".atera.com"; nocase; classtype:policy-violation; sid:2025005; rev:1; metadata:created_at 2025_07_09, updated_at 2025_07_09;)

Attribution: RedSheep Security/Stone (original)

SID 2025006 — Detects RustDesk self-hosted relay traffic on default ports 21115-21119

alert tcp $HOME_NET any -> $EXTERNAL_NET 21115:21119 (msg:"HUNT - Potential RustDesk Self-Hosted Relay Connection"; flow:established,to_server; classtype:policy-violation; sid:2025006; rev:1; metadata:created_at 2025_07_09, updated_at 2025_07_09;)

Attribution: RedSheep Security/Stone (original)

Data Source Requirements

Recommendations

• IMMEDIATE (24h): Deploy all P1 detection queries from this hunt across Splunk and Elastic instances. Prioritize the anomalous RMM execution path detection (T1219) and ransomware correlation detection (T1486) given the 1-2 hour attack timeline.
• IMMEDIATE (24h): Conduct a full endpoint sweep using the provided Splunk queries to identify any currently executing unauthorized RMM tools. Any AteraAgent.exe found outside approved IT systems should be treated as a high-confidence IOC given the >50% ransomware correlation.
• SHORT-TERM (72h): Establish and document an authoritative RMM tool inventory: which tools are authorized, on which systems, by which user accounts, and from which installation paths. Create a Splunk lookup table (authorized_rmm_hosts) to enable effective filtering of legitimate usage.
• SHORT-TERM (72h): Deploy Suricata rules SID 2025001-2025006 to network sensors for detecting NetSupport User-Agent strings, RMM vendor TLS connections, and RustDesk self-hosted relay traffic on ports 21115-21119.
• SHORT-TERM (1 week): Implement application control policies (AppLocker or WDAC) to block execution of RMM binaries outside approved installation directories (C:\Program Files\). Deploy in audit mode initially, then enforce after 2-week baseline.
• SHORT-TERM (1 week): Create automated containment playbooks (SOAR) that trigger immediate network isolation when an unapproved RMM binary executes on any endpoint. Manual triage is insufficient given the documented 1-2 hour ransomware timeline.
• MEDIUM-TERM (30 days): Audit all MSP relationships and document exactly which RMM tools each MSP deploys, on which systems, and through which accounts. Verify MSP-reported deployments against your own EDR/Sysmon telemetry. Identify any discrepancies.
• MEDIUM-TERM (30 days): Implement DNS sinkholing or blocking for RMM vendor domains not in your authorized tool list. If your organization does not use RustDesk, block *.rustdesk.com at the DNS/proxy level and alert on bypass attempts.
• MEDIUM-TERM (30 days): Deploy the YARA rules from this hunt package across all endpoint scanning infrastructure for periodic filesystem sweeps to detect dormant or staged RMM binaries.
• ONGOING: Run the temporal anomaly detection query (RMM execution outside business hours) as a scheduled search with automated alerting. After-hours RMM activity from non-IT accounts should generate P1 alerts with SOC response SLAs under 15 minutes.

Sources

• Huntress Blog: RMM Abuse - When IT Convenience Bites Back
• Dark Reading: RMM Abuse Explodes as Hackers Ditch Malware
• CISA Advisory AA23-025A: Protecting Against Malicious Use of Remote Monitoring and Management Software