Listen to this Post
Introduction:
Remote Monitoring and Management (RMM) and Remote Desktop/Support tools are essential for IT administration, but attackers increasingly abuse them to gain persistent, stealthy access to corporate networks. Detection engineers need reliable, free resources to spot unauthorized installations of these tools—and that’s where lolrmm.io shines. This platform provides a curated, machine-readable list of legitimate remote tools that adversaries often co-opt, enabling SOC teams to build detections that flag policy-violating RMM deployments before a breach escalates.
Learning Objectives:
- Understand how attackers exploit legitimate RMM/RDS tools for lateral movement and persistence.
- Learn to use lolrmm.io and complementary LOL (Living Off the Land) projects to create custom detection rules.
- Implement step‑by‑step detection engineering workflows across Windows, Linux, and SIEM platforms using free indicator feeds.
You Should Know:
1. Understanding RMM Abuse in Modern Attacks
Attackers don’t always bring malware—they bring credentials and abuse trusted admin tools. RMM software like ScreenConnect, TeamViewer, AnyDesk, and Splashtop are designed for remote control, but once an attacker installs an unauthorized instance, they can operate undetected inside your network. According to recent threat reports, RMM abuse has skyrocketed because these tools generate minimal security alerts, have signed binaries, and often bypass application whitelisting. Detection engineering focused on RMM installation events (e.g., service creation, registry changes, or new process trees) is a high‑value, low‑effort win.
Step‑by‑step guide to understanding RMM abuse:
- Identify all remote tools approved by your company policy (e.g., only Company‑managed ScreenConnect).
- Monitor for execution of unapproved RMM binaries using process creation events (Event ID 4688 on Windows, execve logs on Linux).
- Look for anomalous network connections to known RMM cloud domains or IP ranges.
- Correlate RMM installation with unusual user behavior (e.g., a helpdesk account logging in at 3 AM).
2. Deploying lolrmm.io for Detection Engineering
lolrmm.io is a free, community‑driven resource that lists hundreds of RMM and remote support tools with their associated file names, hashes, registry keys, and installation paths. It provides CSV downloads of all indicators, making it trivial to import into your SIEM, EDR, or custom detection pipeline. The maintainers regularly update the feed as new tools emerge.
Step‑by‑step guide to using lolrmm.io:
- Visit https://lolrmm.io and browse the tool categories (RMM, Remote Desktop, Remote Support).
- Download the full CSV file from the “Indicators” section (contains file hashes, filenames, and process names).
- Ingest the CSV into your SIEM as a threat intelligence lookup table.
- Create a detection rule that triggers when a process matches any filename or hash in the CSV and the parent process is not your authorized software deployment system.
- For Windows, use PowerShell to compare running processes:
`Get-Process | Where-Object {$_.ProcessName -in (Import-Csv .\rmm_indicators.csv).ProcessName}`
3. Leveraging LOL Projects (LOLBAS, LOLDrivers, LOLOL.FARM)
RMM abuse is just one piece of the Living off the Land puzzle. The broader LOL family includes:
– LOLBAS – Living Off the Land Binaries and Scripts (Windows)
– LOLDrivers – Living Off the Land Drivers (kernel‑mode abuse)
– LOLOL.FARM – a searchable aggregator of all LOL projects, including lolrmm, LOLBAS, GTFOArgs (Linux), and more.
These resources help detection engineers anticipate how attackers use built‑in OS tools (e.g., certutil, mshta, wmic) and vulnerable drivers to bypass security controls.
Step‑by‑step guide to using lolol.farm:
- Navigate to https://lolol.farm and search for any binary or remote tool.
- Use the “Detections” tab to find pre‑written Sigma rules, YARA signatures, and Elastic detection queries.
- Export detection rules directly to your SIEM (Splunk, QRadar, Sentinel) or EDR (CrowdStrike, Defender).
4. For Linux, check LOLOL for GTFOArgs mappings:
`grep -r “ssh” /usr/bin/` – but use LOLOL to find how attackers abuse `ssh -D` for tunneling.
- Step‑by‑Step: Using lolrmm.io CSV Indicators in Your SIEM
The CSV from lolrmm.io contains fields:ToolName,ProcessName,FileName,SHA256,MD5,InstallPath,RegistryKey. Here’s how to operationalize it.
Windows (Splunk / Elastic / Sentinel):
- Import the CSV as a lookup table named
rmm_indicators. - Create a detection rule:
`index=windows EventCode=4688 Process_Name IN (SELECT ProcessName FROM rmm_indicators) NOT (Parent_Process=”msiexec.exe” OR User=”SYSTEM”)`
This flags any unapproved RMM execution not installed by a standard software deployment.
Linux (auditd + Sigma):
- Download the CSV and extract process names:
`cut -d’,’ -f2 rmm_indicators.csv | tail -n +2 > rmm_procs.txt`
– Monitor execve syscalls:
`auditctl -a always,exit -S execve -F path=/usr/bin/ -k rmm_detection`
Then check alerts for process names in your blocklist:
`ausearch -k rmm_detection | grep -F -f rmm_procs.txt`
CrowdStrike Falcon (Custom IOA):
- Use the CSV hashes to create a Custom IOA rule grouping – match on `ImageFileName` or `SHA256HashString` from the CSV.
5. Creating Custom Detections for Unauthorized Remote Tools
Beyond simple process name matching, build context‑aware rules that reduce false positives. Attackers often rename RMM executables; therefore, rely on hashes, digital signature verification, and unusual installation paths.
Step‑by‑step advanced detection:
- Enumerate installed software via Win32_Product (PowerShell):
`Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -match “TeamViewer|AnyDesk|ScreenConnect”} | Format-Table Name, Version, InstallDate`
– Monitor registry for silent installs:
`reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /s | findstr “DisplayName”`
Cross‑reference with the approved software list.
- Use Sysmon Event ID 1 (Process creation) and Event ID 12/13 (Registry events) to detect when an RMM binary writes to an unexpected user profile directory (e.g.,
C:\Users\Public\). - Example Sigma rule (snippet):
title: Unauthorized RMM Installation status: experimental logsource: product=windows service=sysmon detection: selection: Image|endswith: </li> <li>'\AnyDesk.exe'</li> <li>'\TeamViewer.exe'</li> <li>'\ScreenConnect.Client.exe' condition: selection
- Tune exceptions for your authorized deployment tool (e.g., SCCM, PDQ).
6. Linux/Windows Commands to Identify RMM Processes
Attackers deploy RMM on Linux servers too (e.g., AnyDesk Linux agent, TeamViewer host). Use these commands to hunt for suspicious remote access tools.
Windows (detection engineer’s toolkit):
- List all running processes with file paths and hashes:
`wmic process get name, executablepath, processid | findstr /i “anydesk teamviewer screenconnect logmein”` - Compute hashes of suspicious binaries:
`Get-FileHash -Algorithm SHA256 C:\Program Files\AnyDesk\AnyDesk.exe`
- Query established network connections for RMM port patterns (e.g., 7070, 5938, 21116):
`netstat -ano | findstr “:7070″`
Linux (hunting for unauthorized remote tools):
- List processes with full command line:
`ps auxf | grep -E “anydesk|teamviewer|splashtop|rustdesk”`
- Check for installed packages (Debian/Ubuntu):
`dpkg -l | grep -E “anydesk|teamviewer”`
- Search for hidden RMM daemons:
`systemctl list-units –type=service | grep -i remote`
- Monitor logins via RMM (SSH tunnel detection):
`grep “Accepted” /var/log/auth.log | grep -E “ssh -D | -L”`
- Cloud Hardening and API Security for RMM Control
Modern RMM tools often expose cloud APIs for bulk management. Attackers who compromise service accounts can deploy RMM agents across entire Azure/AWS environments. Harden your cloud posture by restricting API permissions and monitoring for mass agent deployment.
Step‑by‑step guide:
- In Microsoft 365, audit for delegated admin privileges granted to RMM applications:
`Get-MgServicePrincipal -Filter “displayName eq ‘SolarWinds RMM'” | Get-MgServicePrincipalAppRoleAssignedTo`
- In AWS, block unauthorized installation of remote tools via Systems Manager:
`aws ssm describe-associations –association-id` – look for associations that deploy remote access software. - Create an Azure Sentinel detection that triggers when 5+ VMs install the same RMM software within 1 hour:
DeviceProcessEvents | where ProcessName in ("AnyDesk.exe", "TeamViewer.exe") | summarize InstallationCount = dcount(DeviceId) by bin(TimeGenerated, 1h), ProcessName | where InstallationCount > 5
What Undercode Say:
- Detection is prevention. By monitoring RMM installations with free feeds like lolrmm.io, SOC teams can stop attackers before they establish remote persistence—turning a common abuse technique into a high‑fidelity alert.
- LOL resources are force multipliers. Combining lolrmm.io, LOLBAS, LOLDrivers, and LOLOL.FARM gives defenders a unified intelligence layer for spotting living‑off‑the‑land tactics across Windows, Linux, and even cloud workloads.
- Automate the basics. Importing CSV indicators into a SIEM takes 15 minutes and drastically reduces the mean time to detect RMM abuse. Many breaches rely on these tools because organizations fail to monitor them at all.
Prediction:
As ransomware groups increasingly adopt RMM abuse to disable EDR agents and deploy encryptors via legitimate remote control, detection engineering will shift from signature‑based malware alerts to behavior‑based “trusted tool abuse” analytics. Within 12 months, we expect MITRE ATT&CK to expand sub‑techniques for RMM exploitation, and every major SIEM will include pre‑built detection rules for lolrmm.io’s indicator feed. Organizations that ignore RMM monitoring will continue to be blindsided—those that embrace these free resources will turn an attacker’s favorite living‑off‑the‑land technique into their earliest warning sign.
▶️ Related Video (80% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Randy Pargman – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
