Adversary abuse of remote monitoring and management (RMM) tools attracted extra attention in 2023, due in part to at least one prolific adversary leveraging these tools extensively.
Editor's note: While the detection opportunities and analysis on this page are still relevant, it has not been updated since 2024.
Adversaries have abused RMM tools for years, and they continued to do so in 2023. RMM tools are an attractive option for adversaries because they offer robust sets of remote administration features and they do so with the veneer of legitimacy. Many organizations use one or another of these tools to apply updates, manage assets, deploy software, and more. If an adversary is lucky or has done their homework, they can complicate detection immensely by abusing an RMM tool that is permitted within an organization. Even in cases where an adversary is abusing an unpermitted RMM tool, organizations may be slow to respond or reluctant to block its use outright for fear that they may hinder a legitimate business use case.
RMM abuse was particularly topical in 2023 because one of the year's most active adversary groups, SCATTERED SPIDER, indiscriminately leveraged dozens of RMM tools for lateral movement across numerous intrusions. From our perspective, increased malicious use of NetSupport Manager played a critical role in the prevalence of RMM abuse as well.
Across environments protected by Red Canary, we detected the following RMM tools most often:
NetSupport Manager is a commercially available RMM tool used by IT administrators to remotely administer endpoints. Adversaries often abuse the free trial version to remotely control victim endpoints. Adversaries primarily distribute it via spearphishing attachments, but it's also delivered as a follow-on payload by malware like SocGholish, Qbot, and more. Legitimate NetSupport installs are usually found in the Program Files directory, using the standard filename client32.exe. Suspect instances may be found by looking for client32.exe running from a non-standard directory, such as a user's Downloads or Roaming folder, or, in the case of a file rename, by looking for binaries with the internal name client32 making network connections to netsupportsoftware[.]com.
Remcos is legitimate remote control and surveillance software abused by multiple adversaries to gain persistent remote access to systems. Adversaries often obfuscate its code or inject it into other processes to evade detection. The tool commonly generates forensic artifacts that include remcos in file paths, filenames, and registry keys, and the executable name is usually remcos.exe.
Remote Utilities (RUT), also called RuRAT, is another RMM tool that enables remote control, desktop sharing, and file transfers and is delivered via malicious email attachments.
Atera is an RMM utility abused by adversaries to maintain persistence following an initial compromise. It's been leveraged by a variety of malware threats, even as a ransomware precursor. Its process names include:
AteraAgent.exe
AgentPackageSTRemote.exe
AgentPackageHeartbeat.exe
AgentPackageWindowsUpdate.exe
AgentPackageADRemote.exe
It makes network connections to atera[.]com.
SCATTERED SPIDER is a cluster of interconnected adversaries known for highly targeted SMS phishing ("smishing"), brazen social engineering campaigns, and rapid lateral movement using a variety of RMM tools. They abused scores of RMM tools in incidents throughout 2023. Since other adversaries surely took note of their success throughout 2023 and are likely to imitate them moving forward, we're going to list the RMM tools they reportedly abused and describe some of the problems these tools present collectively and individually.
While not exhaustive, the group has reportedly used the following tools:
The use of open source RMM utilities like RustDesk and newer utilities like FleetDeck is a troubling trend on its own (they are easily modified and largely unknown, respectively), but the sheer number of RMM tools SCATTERED SPIDER abused can be overwhelming. The presence of any of these tools on its own, or of any other RMM tool for that matter, isn't necessarily malicious. Unless you adhere to strict allowlist/blocklist policies, which is easier said than done, there may be no action to take on these tools until an adversary starts performing overtly malicious activity. Getting tools like these under control is harder still in environments where normal users hold local administrative rights and can freely install RMM tools, which becomes even more problematic when you're being targeted by a sophisticated adversary. However, a robust allowlist/blocklist policy is probably the first and most important step toward getting a handle on the types of applications permitted within your environment.
In the absence of strict application controls (and in the hands of a skilled adversary), RMM tools can bypass some of an organization's most reliable detection logic, because adversaries are typically hands-on-keyboard with RMM tools and able to modify their behaviors so they blend in with day-to-day administrator activity. Because the tool usually arrives as a simple download by a seemingly innocuous user, there is little beyond binary signatures to tip off defenders, giving adversaries an initial foothold within an environment and ample time to pivot quickly within interactive sessions before many eyes have started investigating their behavior.
Having the ability to collect and inspect binary signature metadata and binary naming conventions and understanding common and uncommon installation paths for RMM tools are the basic prerequisites for developing an effective RMM detection strategy. Of course, the sheer volume of RMM tools available to adversaries, let alone abused by them, renders confident detection coverage a tall order.
The best generic advice for mitigating the risk posed by these tools is to create robust allow/blocklist policies and strictly adhere to them. Depending on your environment, one or more of these utilities may be permitted for use, so before you go down the road of detection on these utilities, it is highly recommended to get an effective inventory management tool to identify any shadow utilities that may be lurking in your environment before you start trying to detect these one at a time. Our open source baselining tool Surveyor has a definitions file that you can use to search for the presence of many of the tools listed in this section using a supported EDR tool.
Understanding what's permitted in your environment and being able to survey your environment for what's actually installed is critical. When you find unpermitted software installed, response actions will depend on organization-specific security policies.
Weâve written two blogs covering the potential dangers of RMM tool abuse. The latter (listed below) contains detailed detection guidance for a number of the tools mentioned here, including NetSupport Manager, Remote Utilities, ScreenConnect, and Anydesk. That logic can likely be abstracted and applied to other RMMs as well.
The following are detection opportunities for RMM tools we've detected but haven't previously shared:
This pseudo-detector identifies file modifications commonly associated with Remcos.
file_name == ('logs.dat')
&&
file_path == ('\remcos' || '\screenshots' || '\micrecords')
Look for process executions where the internal name for the process is ateraagent and the command line includes an external or otherwise unusual email address.
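The detection opportunities described on this page (NetSupport Manager's client32.exe in a non-standard directory or a renamed binary with internal name client32 talking to netsupportsoftware[.]com, Remcos writing logs.dat under a \remcos, \screenshots or \micrecords path, Atera's process names and atera[.]com connections, and ateraagent launched with an external email address) can be expressed as plain rules over endpoint telemetry. The block below is an added example, not Red Canary's detector logic or Surveyor's code: the Event schema, the sample events, the /login= command-line flag, the Atera install path, the corp.example organization domain and the hostnames are all constructed for the example. It also applies the allowlist idea from the previous section: "presence" hits for a permitted tool are suppressed, while "anomaly" hits fire regardless of policy.

```python
"""Rule-based RMM detection over constructed EDR-style events (added example)."""
import ntpath
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Indicators taken from the page; filenames and domains are compared case-insensitively.
NETSUPPORT_DOMAIN = "netsupportsoftware.com"
ATERA_DOMAIN = "atera.com"
ATERA_PROCESSES = {
    "ateraagent.exe", "agentpackagestremote.exe", "agentpackageheartbeat.exe",
    "agentpackagewindowsupdate.exe", "agentpackageadremote.exe",
}
REMCOS_DIR_MARKERS = ("\\remcos", "\\screenshots", "\\micrecords")
PROGRAM_FILES = ("c:\\program files\\", "c:\\program files (x86)\\")
EMAIL_RE = re.compile(r"[\w.+-]+@(?:[\w-]+\.)+[a-z]{2,}", re.IGNORECASE)


@dataclass
class Event:
    """Minimal telemetry record. Constructed schema, not any vendor's format."""
    kind: str                 # "process", "netconn" or "file"
    host: str
    image: str = ""           # full path of the process image
    internal_name: str = ""   # PE version-info InternalName, lowercased by the collector
    cmdline: str = ""
    remote_host: str = ""     # destination hostname for netconn events
    file_path: str = ""       # full path for file events


@dataclass
class Alert:
    host: str
    tool: str
    kind: str     # "anomaly": fires regardless of policy; "presence": only if tool is not permitted
    reason: str


def _split(path: str):
    """Lowercased (directory, basename) of a Windows path; works on any OS via ntpath."""
    return ntpath.split(path.lower())


def detect_netsupport(ev: Event) -> Optional[Alert]:
    dirname, basename = _split(ev.image)
    if ev.kind == "process" and basename == "client32.exe":
        if not dirname.startswith(PROGRAM_FILES):
            return Alert(ev.host, "NetSupport Manager", "anomaly",
                         f"client32.exe running from non-standard directory {dirname}")
        return Alert(ev.host, "NetSupport Manager", "presence", f"client32.exe in {dirname}")
    if (ev.kind == "netconn" and ev.internal_name == "client32"
            and ev.remote_host.lower().endswith(NETSUPPORT_DOMAIN)):
        if basename != "client32.exe":   # file was renamed; internal name gives it away
            return Alert(ev.host, "NetSupport Manager", "anomaly",
                         f"renamed binary {basename} (internal name client32) -> {ev.remote_host}")
        return Alert(ev.host, "NetSupport Manager", "presence", f"client32.exe -> {ev.remote_host}")
    return None


def detect_remcos(ev: Event) -> Optional[Alert]:
    """The page's pseudo-detector: logs.dat under a remcos/screenshots/micrecords directory."""
    if ev.kind != "file":
        return None
    dirname, basename = _split(ev.file_path)
    if basename == "logs.dat" and any(m in dirname for m in REMCOS_DIR_MARKERS):
        return Alert(ev.host, "Remcos", "anomaly", f"logs.dat written under {dirname}")
    return None


def detect_atera(ev: Event, org_domain: str) -> Optional[Alert]:
    dirname, basename = _split(ev.image)
    if ev.kind == "process" and ev.internal_name == "ateraagent":
        for m in EMAIL_RE.finditer(ev.cmdline):
            email = m.group(0).lower()
            if not email.endswith("@" + org_domain.lower()):   # account outside the org
                return Alert(ev.host, "Atera", "anomaly", f"ateraagent launched with external account {email}")
    if (ev.kind == "process" and basename in ATERA_PROCESSES) or (
            ev.kind == "netconn" and ev.remote_host.lower().endswith(ATERA_DOMAIN)):
        return Alert(ev.host, "Atera", "presence", f"{basename or ev.remote_host} observed")
    return None


def run(events: Iterable[Event], org_domain: str, permitted: Set[str]) -> List[Alert]:
    """Apply every rule to every event; drop presence-only hits for sanctioned tools."""
    alerts = []
    for ev in events:
        for hit in (detect_netsupport(ev), detect_remcos(ev), detect_atera(ev, org_domain)):
            if hit is not None and not (hit.kind == "presence" and hit.tool in permitted):
                alerts.append(hit)
    return alerts


# Constructed sample telemetry (paths, hosts and the /login= flag are illustrative only).
SAMPLE_EVENTS = [
    Event("process", "ws01", image=r"C:\Program Files\NetSupport\client32.exe", internal_name="client32"),
    Event("process", "ws02", image=r"C:\Users\bob\Downloads\client32.exe", internal_name="client32"),
    Event("netconn", "ws03", image=r"C:\Users\bob\AppData\Roaming\svc\update.exe",
          internal_name="client32", remote_host="netsupportsoftware.com"),
    Event("file", "ws04", file_path=r"C:\Users\bob\AppData\Roaming\remcos\logs.dat"),
    Event("file", "ws04", file_path=r"C:\Temp\logs.dat"),
    Event("process", "ws05", image=r"C:\Program Files\AteraAgent\AteraAgent.exe",
          internal_name="ateraagent", cmdline="AteraAgent.exe /login=admin@corp.example"),
    Event("process", "ws06", image=r"C:\Users\bob\Downloads\AteraAgent.exe",
          internal_name="ateraagent", cmdline="AteraAgent.exe /login=helpdesk@external.example"),
]

if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS, "corp.example", {"NetSupport Manager", "Atera"}):
        print(f"{a.host}: [{a.tool}/{a.kind}] {a.reason}")
```

With NetSupport Manager and Atera both on the permitted list, the sanctioned installs on ws01 and ws05 stay quiet while the Downloads-folder client32.exe, the renamed NetSupport binary, the Remcos logs.dat and the Atera agent tied to an external account still surface; with an empty permitted set, the two presence hits surface as well, which is the inventory view the previous section recommends building first.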
Start testing your defenses against RMM tools using Atomic Red Team, an open source testing framework of small, highly portable detection tests mapped to MITRE ATT&CK.
Attempting to download any of these utilities on a random endpoint within your environment and launching them will be the most efficient way to test existing controls. To that point, Atomic Red Team has numerous relevant tests mapped to T1219: Remote Access Software. In most environments, these should be sufficient to generate a useful signal for defenders.
Now that you have executed one or several common tests and checked for the expected results, it's useful to answer some immediate questions:
Repeat this process, performing additional tests related to this technique. You can also create and contribute tests of your own.