RMM Tools: The Good, The Bad, and the Quietly Terrifying
Nobody's excited about remote access tools. Maybe we should be?
There's nothing thrilling about remote monitoring and management (RMM) tools. No one's giving a TED Talk on TeamViewer. But if you ask an incident responder what scares them most these days, don't be surprised if the answer is "legitimate IT software." We've covered a few Sysinternals tools in this blog, but with the recent explosion of RMM abuse, this one deserves a deeper dive.
RMM tools are legitimate and foundational to modern IT. They’re used by helpdesks, MSPs, and admins to fix problems fast. But what happens when the tool meant to help becomes the perfect tool to harm? And what happens when attackers start using your own IT hygiene to land, expand, and execute ransomware without writing a single line of malware?
This week, we're looking at RMM tools: the good, the bad, and the quietly terrifying (because "ugly" doesn't quite cover it). Attackers don't break in anymore; they log in, and more often than not they do it through your remote access stack.
The Swiss Army Knife for Admins and Attackers
Remote Monitoring and Management tools are meant to make life easier for IT teams. Need to update 300 machines? No problem. Deploy a script to every remote endpoint? Done in seconds. Shadow a user's session to troubleshoot a ticket? RMM makes it happen.
But that convenience cuts both ways. Out of the box, an RMM hands whoever holds the console:
Full remote access to machines
Privileged execution (the agent typically runs as SYSTEM or root, so there is no escalation step left to do)
Script execution
Process and file management
Screen sharing and control
If you're an attacker, that's not a helpdesk tool. That's post-exploitation heaven, pre-installed and often trusted. No crafty malware or LLM-generated phishing email needed; you can waltz right through and straight to your objective.
Real-World Intrusions: When RMM Goes Rogue
Here's how this actually plays out, because it isn't hypothetical anymore. RMM tools have been at the center of some of the most damaging breaches in recent memory.
Kaseya VSA: The REvil Supply Chain Breach (2021)
Kaseya VSA is an RMM platform used by MSPs to manage client endpoints. In July 2021, the REvil ransomware group exploited a zero-day vulnerability in on-premises VSA servers at managed service providers and used the platform's own agent deployment path to push ransomware downstream to more than 1,500 organizations.
Kaseya's platform didn't just get breached; it became a ransomware distribution platform. Attackers didn't need to hunt for credentials. They had a trusted path to thousands of machines and the ability to run whatever they wanted, silently.
Storm-1811 and Quick Assist Social Engineering (2023-2024)
Microsoft's Quick Assist, a remote support feature built into Windows, was abused in a wave of social engineering attacks tied to a group tracked as Storm-1811. The group, also linked to (recently defunct) Black Basta ransomware operations, used fake IT support calls to trick users into granting access.
Once inside, attackers used living-off-the-land tools to harvest credentials, disable EDR, and eventually detonate ransomware. It was the perfect helpdesk con job: initial access bypassed most preventive controls, with no malware required until the final stage.
SimpleHelp Targeting Critical Infrastructure (2024)
In a series of intrusions documented starting in 2024 and still continuing today, attackers exploited vulnerabilities in unpatched SimpleHelp deployments to gain access to healthcare and utility organizations. The RMM software was then leveraged for credential theft, persistent remote access, and deployment of post-exploitation tools.
Instead of writing their own implant, attackers simply used the one the IT team already trusted.
The Data Doesn't Lie
If it still feels niche, the broader landscape shows a clear pattern. CrowdStrike observed a 70% increase in RMM-enabled intrusion activity from 2023 to 2024, with RMM tool abuse accounting for 27% of all hands-on-keyboard intrusions. The year prior saw an even more dramatic spike: a 312% increase in adversaries leveraging legitimate RMM tools from 2022 to 2023.
Red Canary's 2024 Threat Detection Report documented widespread abuse of tools like NetSupport Manager, Remote Utilities, and Atera across environments they protect. Proofpoint has tracked a sustained rise in phishing campaigns using signed RMM installers as initial payloads.
SCATTERED SPIDER, back in the headlines over the past few weeks and one of 2023's most active adversary groups, indiscriminately leveraged dozens of RMM tools for lateral movement across numerous intrusions. Two points make a line, but we've got a whole cluster of data points here, folks.
Why RMM Abuse Works So Well
There are a few reasons RMM abuse is trending, and all of them stem from the same core issue: our systems trust these tools by default.
Legitimacy by Design: RMM tools are often already installed. Even when newly deployed, they're vendor-signed, allow-listed, and rarely trigger alerts.
Power and Privilege: RMMs offer the same capabilities attackers would manually install using custom tooling. But they come with a vendor badge and a UI.
Invisible Movement: RMM sessions look like ordinary admin activity to user behavior analytics. Their traffic is encrypted to vendor relay infrastructure, and session logs frequently live off-host in the vendor's cloud console or a third party's systems rather than in your SIEM.
MSP Supply Chain Exposure: Compromise an MSP's RMM and you don't just gain one company, you gain many. That's why the Kaseya incident was so catastrophic. One upstream hit, and a thousand downstream dominoes fell.
In the RMM era, attackers don't need persistence techniques, because the tool is the persistence…after all, the tools are IN the computer.
A Hunter's Guide to RMM Abuse
So what does this mean for network defenders? If you're not monitoring RMM usage, you're missing an important piece of your attack surface. Here's how to start closing that gap. Rest assured, there will be a hunting patterns blog for these in the near future.
Quick Wins
Start by getting your house in order with an inventory of your RMM stack. You need to know which tools are officially deployed in your environment, then scan for the unofficial ones that inevitably creep in, things like AnyDesk, RustDesk, or GoToAssist that users install without approval. Once you have that baseline, create detections for first-time execution or installation of common RMM agents using your software inventory or EDR telemetry.
Your network telemetry is a vital piece of the puzzle here. Monitor outbound RMM traffic using DNS logs, proxy logs, and flow data to flag connections to RMM provider infrastructure. Matching on the provider's domain rather than the agent's file name also catches the renamed or portable binary your endpoint inventory missed, and it gives you visibility into both authorized and rogue usage patterns. At the same time, make multi-factor authentication and session logging non-negotiable for any RMM tool used in your environment.
And finally, don't overlook the human element (layer 8 for the OSI pun fans out there). Train your users on social engineering tactics, particularly around unsolicited remote access requests. Employees should know that legitimate IT will never ask them to start a Quick Assist session out of the blue. Train them to question these requests and verify through established channels.
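The two quick wins above, first-seen agent execution and authorized-versus-rogue provider traffic, are easy to prototype against exported telemetry. The following is an added example written for this post, not code from the original article or from any RMM vendor. The signature table is an abbreviated assumption (agent image names and provider domain suffixes); in production, source it from vendor documentation or a maintained list such as the LOLRMM project and keep it current. The process and DNS events are constructed sample data.

```python
"""Quick-win RMM hunting over constructed endpoint and DNS telemetry.

Added example for this post, not code from the original article or any vendor.
RMM_SIGNATURES is an abbreviated assumption; verify and extend it before use.
"""

# tool -> (set of agent image names, tuple of provider domain suffixes)
RMM_SIGNATURES = {
    "AnyDesk":       ({"anydesk.exe"}, ("net.anydesk.com",)),
    "TeamViewer":    ({"teamviewer.exe", "teamviewer_service.exe"}, ("teamviewer.com",)),
    "RustDesk":      ({"rustdesk.exe"}, ("rustdesk.com",)),
    "NetSupport":    ({"client32.exe"}, ("netsupportsoftware.com",)),
    "Atera":         ({"ateraagent.exe"}, ("atera.com",)),
    "ScreenConnect": ({"screenconnect.clientservice.exe"}, ("screenconnect.com",)),
}


def tool_for_image(image_path):
    """Map a process image path to an RMM tool name, or None."""
    name = image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    for tool, (images, _) in RMM_SIGNATURES.items():
        if name in images:
            return tool
    return None


def tool_for_domain(fqdn):
    """Map a queried FQDN to an RMM provider by registered-domain suffix (not substring)."""
    fqdn = fqdn.lower().rstrip(".")
    for tool, (_, suffixes) in RMM_SIGNATURES.items():
        if any(fqdn == s or fqdn.endswith("." + s) for s in suffixes):
            return tool
    return None


def hunt_rmm(process_events, dns_events, approved):
    """Return findings from process-creation and DNS events.

    first_seen_rmm    first execution of a given RMM agent on a host
                      (authorized=False when the tool is not on the approved list)
    rmm_dns           a host resolving RMM provider infrastructure (authorized/rogue)
    rmm_dns_no_agent  provider traffic from a host where no known agent image ran,
                      which is what a renamed or portable binary looks like
    """
    findings = []
    agents_on_host = {}  # (host, tool) -> first-seen timestamp
    for ev in sorted(process_events, key=lambda e: e["ts"]):
        tool = tool_for_image(ev["image"])
        if tool is None or (ev["host"], tool) in agents_on_host:
            continue
        agents_on_host[(ev["host"], tool)] = ev["ts"]
        findings.append({"type": "first_seen_rmm", "host": ev["host"], "tool": tool,
                         "user": ev["user"], "ts": ev["ts"], "authorized": tool in approved})

    reported = set()  # emit one DNS finding per (host, tool), not one per query
    for ev in sorted(dns_events, key=lambda e: e["ts"]):
        tool = tool_for_domain(ev["query"])
        if tool is None or (ev["host"], tool) in reported:
            continue
        reported.add((ev["host"], tool))
        findings.append({"type": "rmm_dns", "host": ev["host"], "tool": tool, "query": ev["query"],
                         "status": "authorized" if tool in approved else "rogue"})
        if (ev["host"], tool) not in agents_on_host:
            findings.append({"type": "rmm_dns_no_agent", "host": ev["host"], "tool": tool,
                             "query": ev["query"]})
    return findings


# Constructed sample telemetry (not real logs). ScreenConnect is the sanctioned tool.
APPROVED = {"ScreenConnect"}
PROCESS_EVENTS = [
    {"ts": "2025-06-02T08:01:10Z", "host": "WS01", "user": "svc_helpdesk",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe"},
    {"ts": "2025-06-02T13:42:55Z", "host": "WS02", "user": "jdoe",
     "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe"},
    {"ts": "2025-06-02T13:45:00Z", "host": "WS02", "user": "jdoe",
     "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe"},
    {"ts": "2025-06-02T14:00:00Z", "host": "WS03", "user": "mlee",
     "image": r"C:\Users\mlee\AppData\Local\Temp\svchost.exe"},  # renamed agent, no image match
]
DNS_EVENTS = [
    {"ts": "2025-06-02T08:01:12Z", "host": "WS01", "query": "relay.screenconnect.com"},
    {"ts": "2025-06-02T13:43:01Z", "host": "WS02", "query": "boot.net.anydesk.com"},
    {"ts": "2025-06-02T14:00:03Z", "host": "WS03", "query": "rs-ny.rustdesk.com"},
    {"ts": "2025-06-02T14:05:00Z", "host": "WS04", "query": "www.example.com"},
]


def demo():
    return hunt_rmm(PROCESS_EVENTS, DNS_EVENTS, APPROVED)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Against the sample data this yields six findings: the sanctioned ScreenConnect agent on WS01 (first seen, authorized), an unauthorized AnyDesk install on WS02 backed up by its DNS lookup, and a RustDesk relay lookup from WS03 with no matching agent image, which is the renamed-binary case that endpoint inventory alone would miss. Suffix matching deliberately rejects look-alikes such as `anydesk.com.evil.example`.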
Building Toward Maturity
As you mature your RMM security posture, focus on centralizing RMM logs into your SIEM. Parse out the critical events, such as session initiations, privilege escalations, and script executions; these become the foundational data points for everything else you'll be hunting. Spend time understanding your baseline usage patterns: who uses RMM tools, which systems they access, at what hours, and how often. The outliers are what you're really after, especially in lateral movement scenarios where normal patterns get disrupted.
For third-party access, force all vendor connections through jump boxes where you control the entry point and can apply just-in-time access controls. Session recording becomes essential here; you need that forensic trail when things go sideways. Then start detecting post-RMM activity by watching for RMM agent processes (or their descendants) spawning PowerShell, dumping LSASS, or creating new local users. These are immediate red flags that warrant investigation.
Finally, develop your threat hunting capabilities around living-off-the-RMM patterns. Look for those sequences that start with legitimate RMM usage but progress into hands-on adversary activity like registry modifications, payload deployment, or log clearing. These patterns often reveal attackers who are leveraging your own administrative tools against you, and catching them requires proactive hunting rather than reactive alerting.
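The post-RMM detections and the living-off-the-RMM sequence hunt described above both reduce to the same question against process-creation telemetry: does a suspicious child have an RMM agent somewhere in its ancestry, and how many distinct suspicious behaviours does one host show under that agent in a short window? The following is an added example for this post, not code from the original article or any vendor. Events are constructed in the shape of Sysmon Event ID 1 or EDR process-creation records; the agent image names and child-process rules are assumptions to be tuned to the products and admin habits in your environment.

```python
"""Hunting post-RMM hands-on activity with process ancestry and sequence windows.

Added example for this post, not code from the original article or any vendor.
RMM_AGENT_IMAGES and RULES are assumptions; tune them to your environment.
"""
import re
from datetime import datetime

# Agent/service images that mark an RMM-controlled session (assumed, abbreviated).
RMM_AGENT_IMAGES = {"screenconnect.clientservice.exe", "anydesk.exe", "teamviewer_service.exe",
                    "client32.exe", "ateraagent.exe", "rustdesk.exe"}

# Child-process rules: (label, image names, command-line regex or None). First match wins,
# so the encoded-PowerShell rule sits above the generic one.
RULES = [
    ("powershell_encoded", {"powershell.exe", "pwsh.exe"}, re.compile(r"-(e|ec|enc|encodedcommand)\b", re.I)),
    ("powershell", {"powershell.exe", "pwsh.exe"}, None),
    ("lsass_dump", {"rundll32.exe", "procdump.exe", "procdump64.exe"},
     re.compile(r"comsvcs\.dll.*MiniDump|\blsass\b", re.I)),
    ("local_user_add", {"net.exe", "net1.exe"}, re.compile(r"\buser\b.*\s/add\b", re.I)),
    ("log_clear", {"wevtutil.exe"}, re.compile(r"\b(cl|clear-log)\b", re.I)),
    ("registry_mod", {"reg.exe"}, re.compile(r"\badd\b", re.I)),
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Label a process-creation event by the first matching rule, or None."""
    name = basename(ev["image"])
    for label, images, pattern in RULES:
        if name in images and (pattern is None or pattern.search(ev["cmdline"])):
            return label
    return None


def rmm_ancestor(ev, by_pid, max_depth=8):
    """Walk parent links on the same host; return the RMM agent image found, if any.
    Keying on (host, pid) is a simplification: real telemetry should use process GUIDs
    so that PID reuse cannot splice unrelated trees together."""
    cur = ev
    for _ in range(max_depth):
        parent = by_pid.get((cur["host"], cur["ppid"]))
        if parent is None:
            return None
        if basename(parent["image"]) in RMM_AGENT_IMAGES:
            return basename(parent["image"])
        cur = parent
    return None


def hunt_post_rmm(events, window_s=1800):
    """Return 'rmm_spawned' findings for suspicious processes descended from an RMM agent,
    plus one 'rmm_hands_on_sequence' per host that shows two or more distinct suspicious
    behaviours under an RMM agent within window_s seconds."""
    events = sorted(events, key=lambda e: e["ts"])
    by_pid = {(e["host"], e["pid"]): e for e in events}
    findings, per_host = [], {}
    for ev in events:
        label = classify(ev)
        if label is None:
            continue
        agent = rmm_ancestor(ev, by_pid)
        if agent is None:
            continue  # same activity without an RMM ancestor belongs to a different hunt
        findings.append({"type": "rmm_spawned", "host": ev["host"], "agent": agent,
                         "label": label, "ts": ev["ts"], "cmdline": ev["cmdline"]})
        per_host.setdefault(ev["host"], []).append((datetime.fromisoformat(ev["ts"]), label))
    for host, hits in per_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            labels = {lbl for t, lbl in hits[i:] if (t - t0).total_seconds() <= window_s}
            if len(labels) >= 2:
                findings.append({"type": "rmm_hands_on_sequence", "host": host,
                                 "labels": sorted(labels), "start": t0.isoformat()})
                break
    return findings


# Constructed sample events (not real logs): one hands-on intrusion, one benign admin session,
# and one unrelated scheduled script.
EVENTS = [
    {"host": "SRV01", "ts": "2025-06-02T13:40:00", "pid": 400, "ppid": 800, "image": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe", "cmdline": "ScreenConnect.ClientService.exe"},
    {"host": "SRV01", "ts": "2025-06-02T13:41:00", "pid": 1200, "ppid": 400, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"host": "SRV01", "ts": "2025-06-02T13:42:00", "pid": 1300, "ppid": 1200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A..."},
    {"host": "SRV01", "ts": "2025-06-02T13:45:00", "pid": 1400, "ppid": 1300, "image": r"C:\Windows\System32\rundll32.exe", "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 652 C:\Temp\l.dmp full"},
    {"host": "SRV01", "ts": "2025-06-02T13:47:00", "pid": 1500, "ppid": 1200, "image": r"C:\Windows\System32\net.exe", "cmdline": "net user backup_svc P@ssw0rd! /add"},
    {"host": "SRV01", "ts": "2025-06-02T13:50:00", "pid": 1600, "ppid": 1200, "image": r"C:\Windows\System32\wevtutil.exe", "cmdline": "wevtutil.exe cl Security"},
    {"host": "WS07", "ts": "2025-06-02T13:00:00", "pid": 300, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"host": "WS07", "ts": "2025-06-02T13:05:00", "pid": 2000, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"host": "WS08", "ts": "2025-06-02T09:00:00", "pid": 500, "ppid": 800, "image": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe", "cmdline": "ScreenConnect.ClientService.exe"},
    {"host": "WS08", "ts": "2025-06-02T09:02:00", "pid": 2100, "ppid": 500, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe Get-Service"},
]


def demo():
    return hunt_post_rmm(EVENTS)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On the sample data SRV01 produces four `rmm_spawned` findings (encoded PowerShell, an LSASS dump via comsvcs.dll, a new local user, and a Security log clear, all within eight minutes) and therefore one `rmm_hands_on_sequence`. WS08's single plain PowerShell under ScreenConnect is reported but never promoted to a sequence, which is the noise level a helpdesk session should sit at, and WS07's scheduled script is ignored because nothing in its ancestry is an RMM agent. The ancestry walk is what catches the SRV01 chain even though the agent spawned cmd.exe rather than PowerShell directly.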
Why This Matters for Every Organization
The abuse of RMM software isn't a niche problem; it's a signal. It tells us that attackers no longer need to build infrastructure when they can repurpose yours. If you're ignoring these tools because "they're legit," you're missing a huge piece of the threat landscape.
Signed binaries aren't safe by default, and, not to be an alarmist, trusted vendors don't guarantee trusted outcomes. It's the same story we've seen across security time and again: what makes our lives easier also makes attackers' jobs easier, unless we build the guardrails.
Where Do We Go From Here?
We're in a period of quiet dependency. Most organizations can’t function without RMM tools. But that dependency doesn't mean we can't demand visibility and control.
Let's keep it simple. Here's where to start, in order:
Get your inventory in order
Start logging RMM events
Tune detections for living-off-the-land abuse
Segment and monitor all remote access
Push for MFA, approvals, and alerting
If you're a leader, practitioner or concerned citizen, ask your security team (or yourself) one question: If an attacker used our RMM tools against us tomorrow, would we see it? If the answer is no, your biggest risk might already be installed.
RMMs matter. Not because they're cool or flashy, but because they're everywhere and no one is watching closely enough. They’re boring, trusted and potentially dangerous, so let’s start tracking them, boosting segmentation and applying good security hygiene to stay one step ahead of the bad guys.
Stay secure and stay curious my friends,
Damien