Listen to this Post

Introduction:
Endpoint Detection and Response (EDR) platforms are marketed as the last line of defense, but a single phone call and a legitimate remote desktop tool can render them deaf and blind. The “We have an EDR” mindset often ignores Living‑Off‑the‑Land RMM (LOLRMM) techniques, where attackers use trusted software like RustDesk to slip past signature‑based and behavioral detection. This article dissects the exact attack chain referenced in the post—RustDesk, a vishing call, and a dream—and provides defenders with actionable detection, blocking, and attack‑surface reduction steps across Windows, Linux, and cloud environments.
Learning Objectives:
- Understand how LOLRMM bypasses EDRs by abusing signed, legitimate remote access tools.
- Learn to detect unauthorized RustDesk installations and active sessions using built‑in OS commands and logs.
- Apply hardening techniques, application control, and cloud policies to reduce the remote‑access attack surface.
You Should Know:
- The LOLRMM Mindset: Why EDRs Miss Legitimate Tools
The post from MagicSword perfectly captures a false sense of security: an organization boasts about their EDR while an attacker simply calls an employee and talks them into installing RustDesk. Because RustDesk is a legitimate, open‑source remote desktop application—often signed with a valid certificate and used by IT teams—EDRs rarely classify it as malware. Attackers leverage this trust, abusing the tool to gain persistent, unattended access without dropping a single malicious binary. The resource LOLRMM.io catalogs dozens of such tools, underscoring the need to shift from “detect bad” to “allow only good.”
Step‑by‑Step: How to inventory existing RustDesk instances in your environment.
– Windows (check for service and process):
Get-Service -Name RustDesk -ErrorAction SilentlyContinue Get-Process -Name RustDesk -ErrorAction SilentlyContinue
– Windows (scan for RustDesk files in common locations):
dir /s /b "C:\Users\AppData\Roaming\RustDesk\" "C:\Program Files\RustDesk\"
– Linux (check running processes and service):
ps aux | grep -i rustdesk systemctl status rustdesk 2>/dev/null || service rustdesk status 2>/dev/null
– Linux (locate configuration directories):
find /home /root /opt -type d -name "rustdesk" 2>/dev/null
- From Vishing to Full Control: The RustDesk Deployment Chain
The attack begins with a simple phone call, often impersonating IT support or a trusted vendor. The victim is guided to download and run RustDesk from the official website. An attacker may use the silent install switch to avoid user suspicion, or combine it with a one‑liner that extracts the unattended access password. Below is how a red team emulates—and how blue teams can detect—this behavior.
Step‑by‑Step guide:
- Silent installation on Windows:
rustdesk.exe --silent-install
- Auto‑extracting the RustDesk ID and password from the config (for attacker’s POV, used in red teaming):
$config = Get-Content "$env:APPDATA\RustDesk\config\RustDesk.toml" $config | Select-String "password" ; $config | Select-String "id"
(Defenders should look for anomalous access to this file with Sysmon event ID 11 for FileCreate.)
- Linux one‑liner that downloads and runs RustDesk (often used post‑exploitation via curl):
curl -L -o /tmp/rustdesk.deb https://github.com/rustdesk/rustdesk/releases/latest/download/rustdesk.deb && dpkg -i /tmp/rustdesk.deb && nohup rustdesk --silent-install &
3. Detecting RustDesk in Your Environment
Proactive detection of RustDesk usage is possible even if EDR is blind to it. Focus on registry keys, configuration files, network connections to RustDesk relay servers, and process lineage.
Step‑by‑Step detection:
- Windows Registry (persistence locations):
Get-ItemProperty -Path "HKLM:\SOFTWARE\RustDesk\" -ErrorAction SilentlyContinue Get-ItemProperty -Path "HKCU:\Software\RustDesk\" -ErrorAction SilentlyContinue
- Examine outgoing connections to known RustDesk relay servers:
Get-NetTCPConnection | Where-Object { $<em>.RemoteAddress -match "rustdesk.com" -or $</em>.RemotePort -eq 21116 } - Linux network detection:
ss -tunp | grep -E "21115|21116|21117|21118|21119" RustDesk default ports
- Analyze Sysmon logs (Event ID 1 – Process Creation) for RustDesk.exe executed by an unusual parent like outlook.exe or chrome.exe. EDR queries (e.g., Microsoft Defender for Endpoint):
DeviceProcessEvents | where FileName =~ "rustdesk.exe" and InitiatingProcessFileName !~ "msiexec.exe"
- Blocking Unauthorized RMM Tools with AppLocker and Firewall
Application control is the most effective countermeasure. Block RustDesk by executable hash, path, or publisher rule, then reinforce with network blocks.
Step‑by‑Step AppLocker (Windows):
- Create an executable rule to deny RustDesk unless explicitly allowed by exception (e.g., only from a specific signed path):
New-AppLockerPolicy -RuleType Exe -Action Deny -User Everyone -Path "%OSDRIVE%\Users\AppData\Roaming\RustDesk\" | Set-AppLockerPolicy
- Ensure the AppLocker identity service is running.
Step‑by‑Step firewall:
- Block RustDesk relay server IPs via Windows Defender Firewall (after resolving IPs from domains like rs-ny.rustdesk.com):
$ips = @("13.52.0.0/16","18.144.0.0/16") example ranges, verify current IPs New-NetFirewallRule -DisplayName "Block RustDesk Outbound" -Direction Outbound -RemoteAddress $ips -Action Block - Linux iptables equivalent:
iptables -A OUTPUT -d 13.52.0.0/16 -j DROP iptables -A OUTPUT -d 18.144.0.0/16 -j DROP
- DNS filtering: Use Pi‑hole or enterprise DNS to sinkhole
.rustdesk.com.
- Reducing Attack Surface: The “No Unnecessary Software” Principle
Every allowed remote access tool expands your attack surface. If RustDesk isn’t part of your standard build, application whitelisting should deny it. Even if you use it, restrict to specific admin workstations. Disable legacy remote access protocols that attackers often use as a fallback.
Step‑by‑Step hardening:
- Disable RDP where not needed:
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 1
- Linux: enforce key‑based SSH only and disable password authentication:
sed -i 's/^PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config systemctl restart sshd
- Remove or blacklist unapproved remote‑control packages (Linux):
apt-get purge rustdesk teamviewer anydesk 2>/dev/null
- Implement Just‑In‑Time (JIT) access workflows (e.g., using Azure Bastion with time‑bound RBAC).
- Cloud Hardening: Preventing RustDesk Abuse via Cloud APIs
Attackers who are blocked on endpoints may pivot to cloud‑native remote management services. AWS Systems Manager Session Manager or Azure Serial Console can be abused similarly to RustDesk if permissions are overly permissive.
Step‑by‑Step cloud IAM policies:
- AWS: Deny `ssm:StartSession` unless the instance is tagged `Environment=Prod` and the IAM role is a specific admin role.
{ "Effect": "Deny", "Action": "ssm:StartSession", "Resource": "", "Condition": { "StringNotEquals": {"aws:ResourceTag/Environment": "Prod"} } } - Azure: Use Azure Policy to prevent VM extensions that install unapproved agents:
{ "if": { "field": "type", "equals": "Microsoft.Compute/virtualMachines/extensions" }, "then": { "effect": "deny" } } - Require multi‑factor authentication for all cloud console and CLI access to prevent stolen credentials from enabling RMM‑like connections.
- The Future: AI‑Powered Vishing and Zero‑Touch RMM Exploits
Attackers are already experimenting with AI‑generated voice phishing that impersonates executives with chilling accuracy. Paired with near‑zero‑touch installation of tools like RustDesk, the “phone call and a dream” will become an automated, scalable intrusion method. Defenders must combine application allow‑listing, continuous behavioral monitoring, and user education tailored to voice‑based social engineering. The concept of “reduce the attack surface before the attack surface reduces you” will evolve into a mandatory zero‑trust architecture where nothing—not even a signed remote desktop tool—is trusted by default.
What Undercode Say:
- EDR alone is insufficient when attackers weaponize trusted tools; application control and network segmentation must fill the gaps.
- Social engineering via voice calls remains a high‑success bypass technique, and it can defeat any technology if the human allows the connection.
- The LOLRMM.io repository highlights that there are dozens of remote management tools that slip under the radar; defenders must treat them all as potential threats.
- Organizations should adopt a “default deny” posture for remote access software, allowing only explicitly approved tools and continuously auditing their use.
- Cloud environments are not immune; IAM misconfigurations can offer attackers equivalent remote‑management capabilities without any endpoint malware.
Prediction:
As deepfake voice technology becomes more convincing and accessible, vishing campaigns will mimic internal helpdesk and C‑suite members, manipulating users into installing RustDesk or similar tools in seconds. In response, enterprises will shift toward biometric‑verified helpdesk calls and application‑aware zero trust platforms that dynamically revoke trust the moment an uncertified tool communicates with a public relay. The attack surface will no longer be defined by open ports, but by the number of users who can be sweet‑talked into pressing “Allow.”
▶️ Related Video (82% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: We Have – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


