A recent Proofpoint blog highlights a growing trend: remote monitoring and management (RMM) tools are becoming a preferred choice for attackers. Increasingly, threat actors are leveraging legitimate RMM tools as the initial payload in email campaigns. These tools are being exploited for purposes such as data exfiltration, financial theft, lateral movement, and the deployment of secondary malware, including ransomware.
CrowdStrike 2025 Global Threat Report:
You Should Know:
Detecting RMM Abuse with KQL (Kusto Query Language)
Below is a KQL query for Microsoft Defender for Endpoint (MDE) that surfaces successful outbound connections to common RMM vendor domains from the DeviceNetworkEvents table. It flags all RMM traffic, so hits must still be compared against the RMM tools your organization actually sanctions before being treated as unauthorized:
DeviceNetworkEvents
| where RemoteUrl has_any ("teamviewer", "anydesk", "logmein", "supremocontrol", "connectwise", "screenconnect", "gosupportnow", "ammyyadmin")
| where ActionType == "ConnectionSuccess"
| project Timestamp, DeviceName, RemoteIP, RemoteUrl, InitiatingProcessFileName
| sort by Timestamp desc
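The same filter-project-sort logic as the query above, reimplemented in Python over constructed sample rows so it can be run offline and extended. This is an added example, not code from the original post or from Proofpoint/Microsoft; the event dicts use the query's own column names, and the AUTHORIZED_RMM baseline (which hosts may legitimately run which tool) is a hypothetical table an organization would maintain itself. It goes one step beyond the query by marking hits on hosts outside that baseline, which is the comparison an analyst otherwise does by hand.

```python
"""Offline reimplementation of the MDE RMM-detection query over sample events.

Added example (not from the original post). Assumes each DeviceNetworkEvents
row is a dict with the columns the KQL query uses; the AUTHORIZED_RMM table is
a hypothetical baseline, not a Defender feature.
"""
from datetime import datetime

# Same indicator list as the KQL query; matched case-insensitively as substrings (like has_any)
RMM_INDICATORS = ("teamviewer", "anydesk", "logmein", "supremocontrol",
                  "connectwise", "screenconnect", "gosupportnow", "ammyyadmin")

# Hypothetical baseline: device name -> RMM indicators that host is allowed to use
AUTHORIZED_RMM = {
    "helpdesk-01": {"connectwise", "screenconnect"},
}

# Constructed sample rows (not real telemetry; IPs are documentation ranges)
SAMPLE_EVENTS = [
    {"Timestamp": "2025-03-01T09:12:00Z", "DeviceName": "helpdesk-01", "RemoteIP": "203.0.113.10",
     "RemoteUrl": "relay.screenconnect.com", "ActionType": "ConnectionSuccess",
     "InitiatingProcessFileName": "ScreenConnect.ClientService.exe"},
    {"Timestamp": "2025-03-01T09:15:00Z", "DeviceName": "finance-laptop-7", "RemoteIP": "198.51.100.5",
     "RemoteUrl": "relay.anydesk.com", "ActionType": "ConnectionSuccess",
     "InitiatingProcessFileName": "AnyDesk.exe"},
    {"Timestamp": "2025-03-01T09:16:00Z", "DeviceName": "finance-laptop-7", "RemoteIP": "198.51.100.6",
     "RemoteUrl": "relay.anydesk.com", "ActionType": "ConnectionFailed",
     "InitiatingProcessFileName": "AnyDesk.exe"},
    {"Timestamp": "2025-03-01T09:20:00Z", "DeviceName": "hr-desktop-3", "RemoteIP": "192.0.2.44",
     "RemoteUrl": "www.example.com", "ActionType": "ConnectionSuccess",
     "InitiatingProcessFileName": "msedge.exe"},
    {"Timestamp": "2025-03-01T09:25:00Z", "DeviceName": "hr-desktop-3", "RemoteIP": "192.0.2.45",
     "RemoteUrl": "download.teamviewer.com", "ActionType": "ConnectionSuccess",
     "InitiatingProcessFileName": "TeamViewer_Setup.exe"},
]


def match_indicator(remote_url):
    """Return the first RMM indicator contained in the URL, or None (mirrors `has_any`)."""
    url = remote_url.lower()
    for indicator in RMM_INDICATORS:
        if indicator in url:
            return indicator
    return None


def detect_rmm(events, authorized=AUTHORIZED_RMM):
    """Apply the query's filters (indicator match and ConnectionSuccess), project the
    same columns, sort newest first, and flag hits on hosts outside the baseline."""
    hits = []
    for ev in events:
        indicator = match_indicator(ev["RemoteUrl"])
        if indicator is None or ev["ActionType"] != "ConnectionSuccess":
            continue
        hits.append({
            "Timestamp": ev["Timestamp"],
            "DeviceName": ev["DeviceName"],
            "RemoteIP": ev["RemoteIP"],
            "RemoteUrl": ev["RemoteUrl"],
            "InitiatingProcessFileName": ev["InitiatingProcessFileName"],
            "Indicator": indicator,
            "Unauthorized": indicator not in authorized.get(ev["DeviceName"], set()),
        })
    # `sort by Timestamp desc`: parse the ISO-8601 timestamp rather than comparing strings
    hits.sort(key=lambda h: datetime.fromisoformat(h["Timestamp"].replace("Z", "+00:00")),
              reverse=True)
    return hits


def unauthorized_hosts(events, authorized=AUTHORIZED_RMM):
    """Distinct devices with at least one RMM connection outside the baseline."""
    return sorted({h["DeviceName"] for h in detect_rmm(events, authorized) if h["Unauthorized"]})


if __name__ == "__main__":
    for h in detect_rmm(SAMPLE_EVENTS):
        flag = "UNAUTHORIZED" if h["Unauthorized"] else "authorized"
        print(f"{h['Timestamp']} {h['DeviceName']:<18} {h['Indicator']:<14} "
              f"{h['InitiatingProcessFileName']} [{flag}]")
```

On the sample data the failed AnyDesk connection is dropped, the help-desk ScreenConnect session is reported but marked authorized, and the two other hosts are flagged. The InitiatingProcessFileName column is kept for the same reason the query projects it: an RMM installer launched straight from a mail client or a freshly downloaded file is the pattern the Proofpoint research describes, and that process context is what separates it from an IT-initiated session.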
Mitigation Steps:
1. Restrict RMM Tool Execution via AppLocker:
# Set-AppLockerPolicy -XmlPolicy expects a file path, and the rule collection must be wrapped in an AppLockerPolicy element; the rule Id must be a GUID.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Block RMM Tools" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\TeamViewer\*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyFile = Join-Path $env:TEMP "block-rmm.xml"
Set-Content -Path $policyFile -Value $policyXml
# -Merge keeps the existing rules (including the default allow rules) and adds this deny rule to the effective policy
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
2. Monitor Suspicious Process Creation (Windows Command):
wmic process where "name like '%anydesk%' or name like '%teamviewer%'" get processid,name,executablepath,commandline
3. Block RMM-Related Network Traffic (Linux iptables):
iptables -A OUTPUT -p tcp --dport 80 -d teamviewer.com -j DROP
iptables -A OUTPUT -p tcp --dport 443 -d anydesk.com -j DROP
4. Hunt for RMM Persistence (PowerShell):
Get-WmiObject -Query "SELECT * FROM Win32_StartupCommand" | Where-Object { $_.Command -match "TeamViewer|AnyDesk" }
5. Check for RMM Services (Linux):
systemctl list-units --type=service | grep -iE "teamviewer|anydesk|logmein"
What Undercode Says:
RMM tools, while legitimate, are increasingly weaponized by cybercriminals for initial access and persistence. Organizations must:
– Monitor for unusual RMM connections.
– Restrict execution via application control.
– Audit scheduled tasks and services for RMM persistence.
– Block known malicious RMM domains at the firewall level.
Expected Output:
- Detection of unauthorized RMM connections.
- Blocked execution of RMM tools via AppLocker.
- Network-level blocking of RMM-related traffic.
- Identification of persistence mechanisms.
References:
Reported By: 0x534c Cybersecurity – Hackers Feeds