Remote monitoring and management tools

In 2025, Red Canary observed RMM tools as the ultimate payload in an increasing number of campaigns, including web-based phishing.

Analysis

Remote monitoring and management (RMM) tools are legitimate administrative utilities that managed service providers, security vendors, and IT departments use to remotely manage employee workstations, but adversaries frequently abuse them to remotely control compromised endpoints. RMM tools are readily available, often free, highly reliable, and easy to use. Once an adversary installs one on a compromised system, they have access to a professional-grade administration platform that may seem benign and boasts a rich array of tools and features, including the command line, the desktop’s user interface, and access to any files on the system.

Many security operation centers (SOCs) consider unapproved RMM tools operating in their environment a symptom of “shadow IT” and only a minimal cause for concern. However, we know from experience that ransomware crews, state-funded adversaries, and all manner of financially motivated threats routinely abuse RMM tools.

RMM tools afford an adversary a few key advantages over traditional malware:

  • They are easy to use by design and purpose-built for remote interaction.
  • They work without the pesky effort of having to code anything yourself, allowing things like persistence to simply become a checkbox.
  • They are signed, allowing them to evade controls or alerts that might expect malicious binaries to be unsigned.

Additionally, the traffic generated by many RMM tools flows through infrastructure and domains owned by companies that develop and maintain them, which is unlikely to be flagged as suspicious and may blend in with routine, benign network traffic. If an adversary is lucky or has done their homework, they can complicate detection immensely by abusing an RMM tool that is permitted within an organization. Even when an adversary abuses an unpermitted RMM tool, organizations may be slow to respond or reluctant to block its use outright for fear that they may hinder a legitimate business use case.


RMM tool abuse in 2025

While adversary abuse of RMM tools has been commonplace for years, they increasingly became the payload of choice among financially motivated attackers and ransomware affiliates in 2025. The popular tool NetSupport Manager climbed from number 7 on our top 10 threat list to number 4 this year.

In September 2025, Red Canary Intelligence and Zscaler threat hunters published collaborative research on multiple web-based phishing campaigns dropping the RMM tools ITarian (aka Comodo), PDQ, SimpleHelp, and Atera.

Observed lures included:

Red Canary has also observed multiple adversaries utilizing two RMM tools in quick succession, likely to establish multiple methods of persistent access.

Developers fight back

Combating the problem is tricky given the wide variety of RMMs available and the differing attitudes of the companies who develop them. Some deny, downplay, or ignore malicious use of their tools. Others are receptive to feedback and work with the community to fortify their products against abuse.

For example, LogMeIn Resolve changed its installer logic to flag instances where the installer has been renamed, ideally causing users to think twice before installing a renamed RMM (a common hallmark of RMM abuse).

LogMeIn Resolve renaming its installer


ScreenConnect, PDQ, and Velociraptor have also taken steps to help mitigate abuse of their tools.

However, since there are so many RMM tools out there, when a developer makes it more difficult to abuse their particular tool, adversaries can simply adopt a new one.

A growing list of options for adversaries

Red Canary detected adversaries abusing the following RMMs in 2025:

  • Action1
  • Chrome Remote Desktop
  • ConnectWise ScreenConnect
  • Datto/CentraStage
  • GoRelo
  • GotoHTTP
  • ITAgent
  • Itarian
  • Level
  • LogMeIn Resolve
  • N-Able N-Sight
  • NetSupport Manager
  • PDQ Connect
  • SimpleHelp
  • Syncro
  • Velociraptor

The presence of any of these tools on their own—or any other RMM tool for that matter—isn’t necessarily malicious. Unless you adhere to strict allowlist/blocklist policies, which is easier said than done, there may be no action to take on these tools until an adversary starts performing overtly malicious activity. The difficulty of getting tools like these under control can be exacerbated in environments with existing local administrative rights that give normal users the ability to freely install RMM tools, which becomes even more problematic when you’re being targeted by a sophisticated adversary. However, a robust allowlist/blocklist policy is probably the first and most important step toward getting a handle on the types of applications permitted within your environment.

In the absence of strict application controls (and in the hands of a skilled adversary), RMM tools can bypass some of an organization’s most reliable detection logic because adversaries are typically hands-on-keyboard with RMM tools and able to modify their behaviors so they blend in with day-to-day administrator activity. Emerging as a simple download from a seemingly innocuous user, RMM activity surfaces little behavior other than binary signatures to tip off defenders, giving adversaries an initial foothold within an environment and ample time to pivot quickly within interactive sessions before too many eyes have started investigating their behavior.

Take action

Establish your baseline

Understanding what’s running in your environment and what is sanctioned in your environment is a crucial first step in protecting against RMM abuse. You can profile your environment using free tools like Surveyor to get a better understanding of what, if any, RMM tools are being used. You may find legitimate users leveraging wanted and unwanted RMMs alike, but you might also find outright malicious use of approved or unapproved RMMs for post-exploitation activity by adversaries.

Application controls

If your organization has RMM tools that are approved for use, you can use application controls to block the execution of any RMM tools that aren’t approved. Rooting out malicious or suspicious use of sanctioned RMM tools is tricky and reliant on active monitoring, behavioral detection, and policy enforcement.

Know what to look for

Having the ability to collect and inspect binary signature metadata and binary naming conventions and understanding common and uncommon installation paths for RMM tools are the basic prerequisites for developing an effective RMM detection strategy. Of course, the sheer volume of RMM tools available to adversaries, let alone abused by them, renders confident detection coverage a tall order.

Allow/blocklist policies

The best generic advice for mitigating the risk posed by these tools is to create robust allow/blocklist policies and strictly adhere to them. Depending on your environment, one or more of these utilities may be permitted for use, so before you go down the road of detection on these utilities, we recommend adopting an effective inventory management tool to identify any shadow utilities that may be lurking in your environment before you start trying to detect these one at a time.

Surveyor has a definitions file that you can use to search for the presence of many of the tools listed in this section using a supported EDR tool.

Understanding what’s permitted in your environment and being able to survey your environment for what’s actually installed is critical. When you find unpermitted software installed, response actions will depend on organization-specific security policies.

Response

Most remote access tools set up persistence using a service; you can usually remove the access by simply uninstalling them as you would any other application. However, an adversary may remove the “uninstall” option. When or if that is the case, you will need to delete the service, stop the process, and then delete the corresponding executables.

Many remote access tools will log their own activity, so if you have the time, expertise, and resources available, consider reviewing these logs to get a more detailed picture of the actions they performed, including installation of a secondary RMM tool, an increasingly common tactic.

Detection opportunities

RMM detection is heavily dependent on the RMMs adversaries are choosing to abuse at any given time. While these do change from time to time, there are always a few major players (e.g., NetSupport Manager, ScreenConnect), and detection strategies are often conceptually similar, no matter the tool. Some resources we’ve found useful in building detection logic include:

  • LoLRMM: A catalogue of RMM tools helpful for understanding how a given RMM works as a starting point
  • Ransomware Matrix: A catalogue of tools abused by ransomware operators, including a handy list of RMMs known to be abused in ransomware schemes, which can help security teams set detection priorities
  • Malware Traffic Analysis: Brad Duncan often shares malware traffic from different samples, which often include relevant information about RMM abuse (example: Malware-Traffic-Analysis.net – 2025-12-29: ClickFix activity for NetSupport RAT).

We’ve written two blogs covering the potential dangers of RMM tool abuse. The latter (listed below) contains detailed detection guidance for a number of the tools mentioned here, including NetSupport Manager, Remote Utilities, ScreenConnect, and Anydesk. That logic can likely be abstracted and applied to other RMMs as well.

The following detection opportunities cover additional RMM tools.

Renamed SimpleHelp Installer

Keep in mind that adversaries may employ defense evasion techniques to hide their activity or match a social engineering ruse, such as renaming the RMM tool. The following pseudo-detector looks for renamed instances of SimpleHelp.

process != ('simplehelp' || 'remote access')
&&
child_process == ('remote accesslauncher')

Msiexec quietly installing ScreenConnect from a URL

This detector will alert when an adversary uses the /q switch to quietly install ScreenConnect from a URL.

process == msiexec
&&
command_includes ('/i' && 'http' && 'screenconnect' && '.msi' && '/q')

ScreenConnect interacting with suspicious TLDs

Adversaries may configure their own C2 domain when the RMM tool uses custom infrastructure. The following pseudo-detector looks for ScreenConnect communicating with unusual TLDs.

process_name == ('ScreenConnect.ClientService.exe')
&&
command_includes ('.sbs&' || '.site&' || '.top&' || '.xyz&' || '.de&' || '.info&' || '.cc&' || '.mywire.org' || '.anondns.net' || '.zapto.org')

Remcos

This pseudo-detector identifies file modifications commonly associated with Remcos.

file_name == ('logs.dat')
&&
file_path == ('\remcos' || '\screenshots' || '\micrecords')

Atera

Look for process executions where the internal name for the process is ateraagent and the command line includes an external or otherwise unusual email address.
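The four process-based pseudo-detectors in this section (renamed SimpleHelp, quiet ScreenConnect MSI install, ScreenConnect with suspicious TLDs, and Atera with an external email) expressed as runnable Python over constructed process events. This is an added example, not Red Canary's detection code: the event field names, the space-stripped normalisation of the launcher name, the `INTERNAL_DOMAINS` allowlist, and every sample command line are assumptions made up for illustration.

```python
import re

# Constructed sample process events (not real telemetry). Field names mirror
# the pseudo-detector attributes used in this section.
EVENTS = [
    {"process": "svchost.exe", "child_process": "Remote Access Launcher.exe", "command_line": ""},
    {"process": "SimpleHelp Remote Access.exe", "child_process": "Remote Access Launcher.exe",
     "command_line": ""},
    {"process": "msiexec.exe", "child_process": "",
     "command_line": "msiexec.exe /i http://files.example.test/ScreenConnect.ClientSetup.msi /q"},
    {"process": "ScreenConnect.ClientService.exe", "child_process": "",
     "command_line": '"ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=relay.example.top&p=8041"'},
    {"process": "ScreenConnect.ClientService.exe", "child_process": "",
     "command_line": '"ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=relay.corp.example.com&p=8041"'},
    {"process": "AteraAgent.exe", "child_process": "", "internal_name": "ateraagent",
     "command_line": "AteraAgent.exe /i login=operator@freemail.example /company=1"},
]

# TLD and dynamic-DNS patterns taken from the ScreenConnect pseudo-detector above.
SUSPICIOUS_TLDS = (".sbs&", ".site&", ".top&", ".xyz&", ".de&", ".info&", ".cc&",
                   ".mywire.org", ".anondns.net", ".zapto.org")
INTERNAL_DOMAINS = {"corp.example.com"}  # assumed: the organisation's own mail domains

def renamed_simplehelp(ev):
    # Child is the SimpleHelp launcher, but the parent name carries neither product string.
    parent = ev["process"].lower()
    child = ev["child_process"].lower().replace(" ", "")  # assumed normalisation
    return (child.startswith("remoteaccesslauncher")
            and "simplehelp" not in parent and "remote access" not in parent)
def quiet_screenconnect_msi(ev):
    cmd = ev["command_line"].lower()
    return (ev["process"].lower() == "msiexec.exe"
            and all(tok in cmd for tok in ("/i", "http", "screenconnect", ".msi", "/q")))
def screenconnect_suspicious_tld(ev):
    cmd = ev["command_line"].lower()
    return (ev["process"].lower() == "screenconnect.clientservice.exe"
            and any(pat in cmd for pat in SUSPICIOUS_TLDS))
def atera_external_email(ev):
    if ev.get("internal_name", "").lower() != "ateraagent":
        return False
    domains = re.findall(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)", ev["command_line"])
    return any(d.lower() not in INTERNAL_DOMAINS for d in domains)

DETECTORS = {"renamed_simplehelp": renamed_simplehelp, "quiet_screenconnect_msi": quiet_screenconnect_msi,
             "screenconnect_suspicious_tld": screenconnect_suspicious_tld, "atera_external_email": atera_external_email}

def run_detectors(events):
    """Return (event index, detector name) pairs for every event that fires a detector."""
    return [(i, name) for i, ev in enumerate(events) for name, fn in DETECTORS.items() if fn(ev)]
```

The benign events (the unrenamed SimpleHelp parent and the ScreenConnect client pointed at an internal relay) produce no hits, which is the tuning check to repeat against your own baseline before deploying logic like this.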

Testing

Start testing your defenses against RMM tools using Atomic Red Team—an open source testing framework of small, highly portable detection tests mapped to MITRE ATT&CK.

Getting started

Attempting to download any of these utilities on a random endpoint within your environment and launching them will be the most efficient way to test existing controls. To that point, Atomic Red Team has numerous relevant tests mapped to T1219: Remote Access Software. In most environments, these should be sufficient to generate a useful signal for defenders.

Review and repeat

Now that you have executed one or several common tests and checked for the expected results, it’s useful to answer some immediate questions:

  • Were any of your actions detected?
  • Were any of your actions blocked or prevented?
  • Were your actions visible in logs or other defensive telemetry?

Repeat this process, performing additional tests related to this technique. You can also create and contribute tests of your own.
