Threat hunting case study: RMM software | Intel 471

Threat hunting case study: RMM software

Mar 18, 2025

Threat actors are increasingly leveraging legitimate remote monitoring and management (RMM) applications to infiltrate and move through networks. These tools are powerful and useful for administrators who do not have on-site, physical access to machines. Organizations frequently rely on RMM software for essential information technology (IT) tasks, such as system updates, asset management, software deployment, endpoint troubleshooting and maintenance scheduling. Some popular RMM tools include AnyDesk, Atera Agent, MeshAgent, NetSupport Manager, Quick Assist, ScreenConnect, Splashtop and TeamViewer.

Unsurprisingly, threat actors find these tools useful as well. They use them to gain access to networks, install malware, disable security features and escalate privileges. Detecting malicious use of RMM tools is difficult because they are so widely used and so deeply integrated into IT workflows. RMM is legitimate, often code-signed software, so these applications are unlikely to be flagged as malware. Abusing RMM tools therefore offers a distinct advantage over remote access trojans (RATs), which are custom-built malware and must rely on other techniques, such as valid code-signing certificates, to avoid being flagged by security software. RMM software abuse is not a new technique, but it remained a persistent one throughout 2024.

How RMM tools are exploited

Threat actors frequently gain access to RMM software by first compromising RMM user credentials, either through social engineering or by exploiting vulnerabilities in outdated software. This lets them use a tool that is already installed and trusted, which attracts less attention than bringing their own. In some cases, attackers take proactive steps to preserve their illicit access, such as creating additional RMM accounts so that they retain a foothold if the compromised credentials are discovered and reset.

Attackers may also social engineer victims into installing RMM software under false pretenses. This scheme has often manifested as a bogus request from an organization’s IT department to solve a problem. An employee who wants to do the right thing may comply, installing the software and then granting the attackers access. Once inside, attackers use the RMM software to map the network and identify valuable assets. They typically move laterally using credentials harvested from compromised systems, then exfiltrate sensitive data, deploy ransomware or launch further attacks against downstream clients. To ensure long-term access or facilitate additional malicious activity, threat actors often install additional RATs as well. These serve as a backup to the remote desktop session or establish reverse connections to adversary-controlled servers, and the resulting intrusions lead to widespread operational disruption, significant financial losses and potential supply chain exposure.

Attacker use of RMM

Threat actors often use RMM software to maintain persistence. In one recent campaign, an attacker posed as a known client of the target organization during a Microsoft Teams call and convinced the victim to install AnyDesk. The attacker then deployed the DarkGate malware. In a separate campaign, threat actors exploited a vulnerability (CVE-2023-48788) in FortiClient Enterprise Management Server (EMS) for initial access. After using a ScreenConnect executable to gain remote access, they installed AnyDesk to secure persistence on the compromised system.

The Black Basta ransomware group has also abused RMM software. The group emerged in mid-April 2022 and evolved into the third most impactful ransomware group that year. Its members are experienced Russian-speaking ransomware and cybercrime veterans, some of whom worked with the infamous Conti ransomware-as-a-service (RaaS) group. In February 2025, a leaker released about 197,000 chat messages exchanged within the group over a nine-month period. The leak provided deep insight into the group’s tactics, techniques and procedures (TTPs), including how it gained initial access to victims’ networks using RMM software (see: Black Basta exposed: A look into a cybercrime data leak).

In one scenario, Black Basta would target an employee with an email-bombing spam attack that flooded the person’s inbox. Then, someone from Black Basta would call the person, impersonating a member of the victim organization’s IT support team, and offer to install antispam software on the user’s machine. To do that, the victim was persuaded to install remote access software such as AnyDesk, Quick Assist or TeamViewer.

After the victim installed the software, Black Basta would hand the session to one of its penetration testers, who would then try to install additional malware or legitimate RMM software to enable persistent access. If the attackers install legitimate RMM software, they may take steps to hide it. In the next section, we’ll cover how to conduct a threat hunt based on this attacker behavior, which is a key step in operationalizing this kind of threat intelligence.

Threat hunting for RMM

The first logical threat hunt is to check whether a particular RMM application is running at all. If AnyDesk isn’t allowed by the IT team, its presence is an immediate sign of something suspicious. An end user may have installed it for legitimate reasons; even so, its presence merits further investigation. That’s a quick win for the security operations center (SOC).

If RMM tools are allowed, a more targeted threat hunt is needed. A common adversary behavior is to tuck an RMM executable into an abnormal location in the file system. So rather than running from AppData or Downloads, it will run from an odd location. We’ve addressed this attack scenario in a hunt package called “AnyDesk Execution from Abnormal Folder - Potential Malicious Use of RMM Tool.” The hunt package is compatible with security information and event management (SIEM) tools, endpoint detection and response (EDR) software and log aggregation platforms including CarbonBlack Cloud - Investigate, CarbonBlack Response, CrowdStrike LogScale, Elastic, Google SecOps, Microsoft Defender, Microsoft Sentinel, QRadar Query, SentinelOne, SentinelOne Singularity, Splunk, Tanium and Tanium Signal.

Let’s look at the broad query logic. We’re specifically looking for process names or process details (such as file description or company metadata) that match the wildcard patterns *AnyDesk.exe, *AnyDesk* or *AnyDesk Software*. However, the query logic excludes the common paths AnyDesk usually executes from, such as AppData, Downloads, *Program Files (x86)\anydesk* and *Program Files\anydesk*.

This query can be tuned to fit your organization. For example, if an organization has a robust application control program that only allows applications to execute from Program Files or Program Files (x86), then AnyDesk running from AppData or Downloads would itself be abnormal, and those paths shouldn’t be excluded.

Now, let’s run the hunt in Splunk using Microsoft’s System Monitor (Sysmon) process-creation logs and look at the results that are returned.

The first check is to make sure the data returned matches the query logic. The first result, in the lower left of the screenshot, shows AnyDesk executing from the public user’s Music directory (C:\Users\Public\Music). Adversaries commonly use the Public profile because every user can write to it, and Music is an inconspicuous folder that isn’t commonly checked. If we go back to the query logic, we see that the Public directory is not excluded, so we know our logic is on point.

Now that this threat hunt has uncovered potentially malicious activity, there are several follow-up paths an investigator could take. For example, AnyDesk needs a network connection to function, so it’s possible to check what it connected to (Sysmon Event ID 3 records network connections per process). If it is being used maliciously to drop next-stage payloads, the new processes it spawns can be observed via their parent process. Those are the types of follow-on pivots that can be pursued.
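The hunt logic from the previous paragraphs, written out as an added example in Python rather than taken from the HUNTER471 hunt package or any vendor query, so the match and exclusion rules can be checked offline before they are ported to a SIEM. It runs over a handful of constructed Sysmon records (the GUIDs, user names, the 203.0.113.10 address and the renamed-binary case are all made up for the example), carries the tuning from above as a stricter exclusion list for an assumed policy that only permits execution from Program Files, and implements the two follow-up pivots: the flagged process’s network connections (Sysmon Event ID 3) and the child processes it spawned, both joined on ProcessGuid.

```python
"""
Hunt: AnyDesk executing from an abnormal folder, over Sysmon process-creation
events, plus follow-up pivots. Added example; not the HUNTER471 hunt package.
"""
import fnmatch

# Name and PE-metadata patterns that identify AnyDesk (lower-cased, shell-style
# wildcards, mirroring *AnyDesk.exe / *AnyDesk* / *AnyDesk Software* above).
IMAGE_PATTERNS = ("*\\anydesk.exe",)
METADATA_PATTERNS = ("*anydesk*", "*anydesk software*")

# Folders AnyDesk legitimately runs from; hits here are suppressed by default.
DEFAULT_EXCLUDED_PATHS = (
    "*\\appdata\\*",
    "*\\downloads\\*",
    "*\\program files (x86)\\anydesk\\*",
    "*\\program files\\anydesk\\*",
)

# Tuning for an environment that only allows execution from Program Files
# (assumed policy): AppData and Downloads are no longer excluded.
STRICT_EXCLUDED_PATHS = DEFAULT_EXCLUDED_PATHS[2:]


def _matches(value, patterns):
    value = value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def looks_like_anydesk(event):
    """True if the image path or the PE metadata Sysmon records says AnyDesk.
    Checking metadata catches a renamed binary whose path no longer does."""
    metadata = " ".join(
        event.get(k, "") for k in ("Description", "Product", "Company", "OriginalFileName")
    )
    return _matches(event.get("Image", ""), IMAGE_PATTERNS) or _matches(metadata, METADATA_PATTERNS)


def hunt(events, excluded_paths=DEFAULT_EXCLUDED_PATHS):
    """Return Event ID 1 records where AnyDesk launched outside excluded_paths."""
    return [
        ev for ev in events
        if ev.get("EventID") == 1
        and looks_like_anydesk(ev)
        and not _matches(ev.get("Image", ""), excluded_paths)
    ]


def pivot(events, hit):
    """Follow-up on one hit: its network connections (Event ID 3) and the
    processes it spawned (Event ID 1 with a matching ParentProcessGuid)."""
    guid = hit["ProcessGuid"]
    connections = [ev for ev in events if ev.get("EventID") == 3 and ev.get("ProcessGuid") == guid]
    children = [ev for ev in events if ev.get("EventID") == 1 and ev.get("ParentProcessGuid") == guid]
    return connections, children


# Constructed Sysmon records (not real telemetry); only the fields the hunt uses.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A}", "Image": "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe",
     "Description": "AnyDesk", "Company": "AnyDesk Software GmbH", "OriginalFileName": "AnyDesk.exe"},
    {"EventID": 1, "ProcessGuid": "{B}", "Image": "C:\\Users\\jdoe\\AppData\\Roaming\\AnyDesk\\AnyDesk.exe",
     "Description": "AnyDesk", "Company": "AnyDesk Software GmbH", "OriginalFileName": "AnyDesk.exe"},
    {"EventID": 1, "ProcessGuid": "{C}", "Image": "C:\\Users\\Public\\Music\\AnyDesk.exe",
     "Description": "AnyDesk", "Company": "AnyDesk Software GmbH", "OriginalFileName": "AnyDesk.exe"},
    # Renamed binary: the image name no longer says AnyDesk, the PE metadata still does.
    {"EventID": 1, "ProcessGuid": "{D}", "Image": "C:\\Users\\Public\\Music\\svchost.exe",
     "Description": "AnyDesk", "Company": "AnyDesk Software GmbH", "OriginalFileName": "AnyDesk.exe"},
    {"EventID": 3, "ProcessGuid": "{C}", "Image": "C:\\Users\\Public\\Music\\AnyDesk.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 1, "ProcessGuid": "{E}", "ParentProcessGuid": "{C}", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Users\\Public\\Music\\AnyDesk.exe", "Description": "Windows Command Processor"},
    {"EventID": 1, "ProcessGuid": "{F}", "Image": "C:\\Windows\\System32\\notepad.exe", "Description": "Notepad"},
]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        conns, kids = pivot(SAMPLE_EVENTS, hit)
        print(hit["Image"],
              "net:", [f"{c['DestinationIp']}:{c['DestinationPort']}" for c in conns],
              "children:", [k["Image"] for k in kids])
```

With the default exclusions the Program Files and AppData launches are suppressed and only the two Public\Music launches come back; with the strict list the AppData launch is flagged too. The pivot on the Public\Music AnyDesk.exe returns its outbound connection and the cmd.exe it spawned, which is exactly the kind of follow-on evidence the investigator would look for next.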

We hope this tutorial on threat hunting for RMM software abuse has been useful. A video version is available here. Be sure to register for a HUNTER471 Community Account, which includes free sample hunt packages, among them the one described in this blog post. The account also provides insight into HUNTER471’s comprehensive library of advanced threat hunting packages, detailed analyst notes and proactive recommendations. These resources are designed to strengthen your threat hunting capabilities and keep your organization secure. Happy hunting!