Full Report
Following up on last year’s LOLDriver plugin, Tenable Research is releasing detection plugins for the top Remote Monitoring and Management (RMM) tools that attackers have been more frequently leveraging in victim environments.BackgroundIn August 2024, Tenable Research released a detection plugin for Nessus, Tenable Security Center and Tenable Vulnerability Management to help customers identify risky third-party Windows drivers utilized by attackers for privilege escalation on victim hosts. As part of our continued research into living off the land (LOTL) tooling utilized by attackers, we’re releasing new detection plugins for popular Remote Monitoring and Management (RMM) applications.Increased risk from RMM toolsIT operations and information security staff often need to remotely connect to machines dozens, perhaps even hundreds, of times per day to troubleshoot a problem or make a system function well. An administrator or support technician must reach a terminal on a server in a datacenter a continent away, or a user’s workstation in their home. As the role of the remote worker has dramatically expanded across organizations over the last 20 years, it has led to the introduction of RMM products in enterprise environments.The architecture of these products is fairly straightforward: a listener on the user’s machine, often referred to as an agent, host, or server, and an application to connect to, and control, the machine, often referred to as a viewer or client. In many cases this connection is facilitated by a proxy system, which maintains an inventory of the available machines in the environment, allowing an administrator to select one from a list, use stored credentials and track the health of the listeners. This proxy system might be on-premises, in the cloud, or hosted by the RMM vendor as a SaaS application. Source: Tenable, May 2025 While these tools may sound handy, attackers also know that these tools are present. They can use them for direct graphical control of a victim’s machines, often at a privilege level that is elevated by design. So, how do attackers get their hands on such a valuable resource?Attack scenarios for RMM toolsThere are several ways an attacker can obtain access to an organization’s RMM tools:Credential reuse. The attacker steals credentials belonging to a privileged user, either through social engineering, theft from the user’s workstation or control of an identity service. These credentials are used to authenticate to the RMM central service or to simply connect directly to a listener.Exploitation of a vulnerability in the RMM product. Many RMM applications have highly publicized vulnerabilities that allow elevation of privilege or remote code execution.Elevation of privilege. An attacker may gain control of a workstation or server used by an administrator and launch the RMM client application from there using the legitimate access of that administrator.And, of course, attackers with sufficient privileges can simply deploy a RMM tool of their choice on a compromised asset, allowing them to achieve persistence and remote command and control. The nature of modern RMM tool design allows attackers, in some cases, to do monitor and control an asset without formally installing a software package, which might trigger an alert to the organization’s security team.Defensive strategies for unauthorized RMM tool useA mature security program will update the organization’s protective, monitoring and response approach to address the risk presented by RMM tools. Some of these strategies include:Selecting an authorized RMM product or suite for the organization. This will allow security teams that inventory software on their assets to quickly spot the use of unauthorized RMM tools, which might have been introduced by an attacker.Auditing the use of the authorized RMM product. Have administrators that use the tools regularly review reports of sessions performed to ensure no unauthorized activity has occurred. Investigate these unauthorized sessions as soon as possible after detection.Reviewing network traffic between assets (especially remote assets) and the internet. Identify connections to known RMM tool websites, e.g., downloading of the tools or access to a proxy or management site.Scanning the environment to look for listening services. This strategy can be used to identify services belonging to RMM tools.How can Tenable customers mitigate the risk of RMM tools?Tenable has several existing plugins that can detect several different varieties of RMM tools. These include:Intelligent Platform Management Interface (IPMI) tools like iDRAC, iLO, ILOM and CIMC, as well as broader detection for any service running the IPMI protocolSystems management suites like Microsoft Configuration Manager, BigFix, Altiris, Tanium, LanDesk / Ivanti EM, Workspace ONE UEM / AirWatch, ManageEngine Endpoint Central and JAMF.Collaboration tools (yes, attackers use these, too) like Zoom, Teams and WebEx.Tenable is also releasing a number of Nessus plugins to detect many commonly used commercial and open source RMM or Remote Access Tool products:ProductPluginsTeamViewer52715, 206009 105111,121245RemotePC232745, 232746, 232747Pritunl232836, 232837, 232838, 232839Google Chrome Remote Desktop232692, 232693, 232694Duet Display232296, 232295Connectwise ScreenConnect192391, 190883, 190894Apache Guacamole232291JumpDesktop232297, 232298TSplus Remote Access232591AnyViewer232316, 232315Parsec Remote Access232649, 232651, 232650,VNC Connect232582, 232580, 232581Termius232292, 232293, 232294LogMeIn232654, 122754GoodAccess233552, 233553, 233554ISL Light232853, 232854, 232855OpenVPN154346, 191048, 125356, 56022, 107073, 232856, 232857NoMachine Remote Access233323, 233324, 233325RustDesk Remote Desktop233292, 233291, 233288, 233289, 233290Remote Utilities233555, 233556, 233557WinGate234718AirDroid233774, 233775, 233776AnyDesk189953, 189955, 189973There are also Nessus Web App Scanning plugins for many of these applications, which can help detect the applications’ web UI when detecting the service locally isn’t an option.A new scan template, Remote Monitoring and Management, has been created in Tenable Nessus to check for this set of RMM products. Customers can use the scan template to ensure that the instances they find are authorized for use in the organization. It is strongly recommended to scan with credentials, so that more exhaustive searches for these products can be performed.Future developmentIT operations and support teams will continue to rely on RMM tools for productivity benefits even as attackers increasingly exploit them. Tenable anticipates that new RMM solutions will emerge and major systems management suites will further integrate remote-control capabilities directly into their platforms.Meanwhile, vulnerability and threat intelligence researchers will keep their focus on the tools, identifying weaknesses and opportunities for exploitation as well as attacker-usage of such tools. As additional vulnerabilities are discovered and new threat intelligence reports reveal usage of new and existing tools, Tenable plans to publish detection and vulnerability plugins to find them. Given this growing space, organizations must remain vigilant, ensuring continuous monitoring, timely patching and strong security practices around RMM tools.
Analysis Summary
# Tool/Technique: Remote Monitoring and Management (RMM) Tools Exploitation
## Overview
This topic focuses on the use of legitimate Remote Monitoring and Management (RMM) tools by malicious actors to achieve objectives like remote access, persistence, and data exfiltration, circumventing traditional security controls that often whitelist these business tools.
## Technical Details
- Type: Tool (Category of legitimate software exploited for malicious purposes)
- Platform: Windows, macOS, Linux (Implied, as RMM tools span multiple platforms)
- Capabilities: Establishing remote control, system management, information gathering, and potentially maintaining persistence.
- First Seen: Not explicitly mentioned, but the associated activity is ongoing.
## MITRE ATT&CK Mapping
The use of RMM tools generally maps to command and control and lateral movement, although the specific technique depends on how the tool is used post-compromise.
- **TA0011 - Command and Control**
- T1071 - Application Layer Protocol
- **TA0008 - Lateral Movement**
- T1521 - Web Service (RMM software often communicates via web/proprietary protocols)
- **TA0005 - Defense Evasion**
- T1218 - Signed Binary Proxy Execution (If the RMM tool uses signed executables)
## Functionality
### Core Capabilities
The summary lists numerous legitimate RMM and remote access solutions frequently observed being used by threat actors:
* **Remote Access/Control:** AnyDesk, TeamViewer (implied via LogMeIn), Connectwise ScreenConnect, TeamViewer replacements (AnyViewer), RustDesk, VNC Connect, Parsec, JumpDesktop, TSplus Remote Access, Remote Utilities, RemotePC, Google Chrome Remote Desktop.
* **Management/Productivity:** Pritunl, NoMachine Remote Access, AirDroid, ISL Light, Termius, Apache Guacamole.
* **Networking/VPN:** OpenVPN, GoodAccess.
### Advanced Features
The primary advanced feature noted is the **Defense Evasion** capability: These tools are often allowed through firewalls and security monitoring systems because they are whitelisted for legitimate IT operations, making them effective C2 channels for intruders.
## Indicators of Compromise
The article focuses on detecting the *presence* of these tools rather than typical malware IOCs like hashes for malicious payloads. The detection relies on identifying the installed software/services.
- File Hashes: N/A (Focus is on legitimate software installations)
- File Names: N/A (Focus is on legitimate software components)
- Registry Keys: N/A (Focus is on detecting the installed application base)
- Network Indicators: Traffic associated with known RMM service endpoints (e.g., traffic to AnyDesk servers, ScreenConnect C2). Specific examples are not provided, but the principle applies.
- Behavioral Indicators: Processes running under names like `AnyDesk.exe`, `sc.exe` (related to ScreenConnect), or unusual outbound connections matching known RMM service ports/protocols.
## Associated Threat Actors
The article implies that many threat actors, across various campaigns, exploit the widespread use of RMM tools, but does not name specific groups known for using this technique against the scope of tools listed.
## Detection Methods
- Signature-based detection: Inability to rely solely on signatures for known malware, requires specific signatures for legitimate applications.
- Behavioral detection: Monitoring for processes executing legitimate RMM executables at unusual times or from unexpected user contexts.
- YARA rules: Not explicitly mentioned, but applicable for identifying specific RMM binaries or configuration files.
- **Tenable Specific:** Utilizing the **Remote Monitoring and Management** scan template in Tenable Nessus to actively search for the installation footprints of these applications. Using Nessus Web App Scanning plugins to detect associated web UIs.
## Mitigation Strategies
- Prevention measures: Maintaining strict authorization policies regarding which RMM tools are permitted.
- Hardening recommendations:
1. Performing authenticated scanning to find hidden installations.
2. Continuous monitoring and timely patching of all RMM tools.
3. Restricting access to management interfaces (e.g., using strong authentication or JIT access concepts).
## Related Tools/Techniques
- Other authorized IT administration tools exploited for malicious purposes.
- Standard remote access malware (e.g., traditional RATs) that do not benefit from existing whitelisting.