
Living Off the Land: Why Hackers Are Abusing RMM Tools Instead of Malware

Security Arsenal Team
February 23, 2026
5 min read


For years, the hallmark of a sophisticated cyberattack was custom malware, and security teams invested heavily in antivirus and endpoint detection and response (EDR) to catch those payloads. But the threat landscape is shifting. Today's attackers aren't always writing custom code; increasingly they are simply logging in and operating through the same trusted tools your own administrators use.

A recent surge in Remote Monitoring and Management (RMM) abuse highlights this critical pivot. Adversaries are increasingly ditching traditional malware in favor of legitimate IT administration tools like AnyDesk, ScreenConnect, and Atera. This "Living off the Land" (LotL) technique allows them to bypass detection, blend in with normal administrative traffic, and maintain persistent access without raising red flags.

The Shift to Administrative Abuse

RMM software is designed for efficiency. It allows IT administrators to manage endpoints, troubleshoot issues, and execute scripts remotely. Unfortunately, these exact features make RMMs a goldmine for threat actors.

When a hacker deploys custom ransomware, they risk triggering antivirus heuristics. When they deploy a portable build of a legitimate RMM tool, they are often invisible to signature-based defenses: the operating system and security products treat the process as trusted because it is digitally signed by a reputable vendor, and its network behaviour is exactly what that vendor's product is supposed to do. This abuse provides attackers with:

  1. Stealth: Traffic looks like legitimate administrative activity.
  2. Persistence: RMM tools often have auto-start capabilities built-in.
  3. Operational Efficiency: Hackers gain full remote control (GUI access) without needing to develop complex command-and-control (C2) infrastructure.

Deep Dive: The Attack Vector

The attack usually begins with initial access via phishing, or via an exposed internet-facing service such as RDP reached with stolen or brute-forced credentials or through an unpatched vulnerability. Once a foothold is established, the attacker downloads a portable build of an RMM tool, often masquerading as a system update or a legitimate utility.

Instead of installing the software in the standard Program Files directory, attackers frequently execute these binaries from temporary folders or hidden directories within AppData. Portable builds need no installer and no administrator rights, and running them from a user-writable path avoids detection by inventory and allowlist rules that only inspect approved installation paths.

Technical TTPs

  • Command Line Arguments: Attackers use specific flags to suppress UI prompts or run the tool silently in the background.
  • Lateral Movement: Once the RMM agent is active on one machine, the attacker uses the management console (often a web interface they accessed via stolen credentials) to jump to other connected endpoints.
  • Data Exfiltration: The RMM tool establishes an outbound encrypted tunnel. Because these tools are designed for remote control, large data transfers often look indistinguishable from legitimate file transfers to the naked eye.

Detection and Threat Hunting

Defending against RMM abuse requires a shift from signature-based detection to behavioral analysis. You must hunt for anomalies in where and how these trusted tools are running.

1. KQL Query for Sentinel/Defender

Use this KQL query to hunt for RMM processes executing from suspicious non-standard paths (e.g., temporary folders or user profiles) rather than standard installation directories.

Script / Code
// Version-info CompanyName values to treat as RMM vendors. These are file
// metadata, not the Authenticode signer, so an attacker can strip or edit
// them; validate the exact strings against a known-good install in your
// own tenant before relying on this list.
let RMM_Companies = dynamic(["AnyDesk Software GmbH", "ConnectWise, LLC", "ScreenConnect Software", "Atera Networks Ltd"]);
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessVersionInfoCompanyName in~ (RMM_Companies)
// Flag an unusual parent (shell or Office document) OR a user-writable location
| where InitiatingProcessFileName in~ ("powershell.exe", "cmd.exe", "winword.exe", "excel.exe")
    or FolderPath contains "\\AppData\\"
    or FolderPath contains "\\Temp\\"
    or FolderPath contains "\\Downloads\\"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc

2. PowerShell Host-Based Investigation

This script scans running processes for known RMM vendors and checks whether they are running from any user profile directory (C:\Users\...), a common indicator of abuse. Run it from an elevated prompt so that Path, Company and StartTime resolve for processes owned by other users.

Script / Code
# Vendor strings matched against the version-info Company field and the path.
# This is file metadata, not a signature check, so a stripped or edited
# resource block will evade it; treat a hit as a lead, not proof.
$RMM_Vendors = @("AnyDesk", "ConnectWise", "ScreenConnect", "Atera", "Splashtop")

$SuspiciousProcesses = Get-Process | Where-Object {
    $proc = $_   # capture the process; $_ is rebound inside the nested filter below
    $proc.Path -and
    ($RMM_Vendors | Where-Object { $proc.Company -like "*$_*" -or $proc.Path -like "*$_*" }) -and
    # any user profile counts as a user-writable location, not just the current one
    $proc.Path -like "$env:SystemDrive\Users\*"
}

if ($SuspiciousProcesses) {
    Write-Host "[!] Suspicious RMM activity detected:" -ForegroundColor Red
    $SuspiciousProcesses | Format-Table Id, ProcessName, Company, Path, StartTime -AutoSize
} else {
    Write-Host "[+] No suspicious RMM processes found." -ForegroundColor Green
}

Mitigation Strategies

Detecting RMM abuse is difficult, so prevention must be rigorous. Simply detecting the software is not enough, as your IT team likely uses it daily.

  1. Software Whitelisting: Implement strict AppLocker or WDAC policies. Allow your IT team's RMM only through a publisher rule (the vendor's code-signing certificate, optionally pinned to product and minimum version) combined with the installation path IT actually uses, or through the hash of the approved build, and deny every other RMM product outright. A portable agent dropped into AppData then fails the path or publisher rule even though its signature is perfectly valid.

  2. Network Segmentation: Ensure that RMM traffic is only allowed from specific management jump-boxes. Block internet access to known RMM vendor portals (e.g., *.anydesk.com, *.screenconnect.com) from end-user devices unless those devices are specifically designated for administration.

  3. Account Hygiene: Since RMM abuse often piggybacks on stolen credentials, enforce Multi-Factor Authentication (MFA) on all administrative portals and strip local administrator rights from standard user accounts. Without admin rights the attacker cannot install the agent as a service for durable persistence; note that portable RMM builds still run fully in user context, so this control complements allowlisting rather than replacing it.

  4. Alert on New Installers: Configure your EDR or SIEM to trigger a high-severity alert whenever a known RMM binary (by hash, publisher or version-info company name) appears on a machine that your asset inventory does not list as managed by that tool, including a different vendor's RMM showing up on a host where IT uses only one product.
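The detection logic from the hunting section and the inventory cross-check from mitigation 4, combined in one script as an added example. This is not code from the original post or from any RMM vendor: the events, host names, paths and inventory below are constructed sample data whose fields mirror the DeviceProcessEvents columns used in the KQL query, and the vendor company strings are assumed values you should confirm against a known-good install.

```python
"""Inventory-aware RMM hunt over process-creation events.

Added example for this post, not code from the original article or any vendor.
It applies the checks the text describes (execution from a user-writable path,
an unusual parent process) plus the asset-inventory cross-check from the
mitigation list to constructed sample events. Hosts, paths and inventory
entries are made up for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Version-info CompanyName strings for common RMM vendors (assumed values;
# confirm against a known-good install). This is file metadata, not the
# Authenticode signer, so a stripped or edited resource block evades it.
RMM_COMPANIES: Set[str] = {
    "anydesk software gmbh",
    "connectwise, llc",
    "screenconnect software",
    "atera networks ltd",
}

# Shells and Office apps that should never be the parent of an RMM agent.
SUSPICIOUS_PARENTS = {"powershell.exe", "cmd.exe", "winword.exe", "excel.exe", "outlook.exe"}

# User-writable locations; nothing IT deploys should run from here.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads)(\\|$)", re.IGNORECASE)

# Constructed asset inventory: host -> RMM vendors IT has assigned to it.
INVENTORY: Dict[str, Set[str]] = {
    "WS-FIN-012": set(),
    "SRV-MGMT-01": {"connectwise, llc", "screenconnect software"},
}


@dataclass
class Event:
    device: str
    account: str
    file_name: str
    folder_path: str
    company: str   # ProcessVersionInfoCompanyName
    parent: str    # InitiatingProcessFileName


@dataclass
class Finding:
    device: str
    file_name: str
    reasons: List[str] = field(default_factory=list)


def evaluate(event: Event, inventory: Dict[str, Set[str]] = INVENTORY) -> Optional[Finding]:
    """Return a Finding listing every check that fired, or None if nothing did."""
    company = event.company.lower()
    if company not in RMM_COMPANIES:
        return None
    reasons = []
    if USER_WRITABLE.search(event.folder_path):
        reasons.append("executing from user-writable path")
    if event.parent.lower() in SUSPICIOUS_PARENTS:
        reasons.append(f"spawned by {event.parent.lower()}")
    if company not in inventory.get(event.device, set()):
        reasons.append("RMM not assigned to host in inventory")
    return Finding(event.device, event.file_name, reasons) if reasons else None


def hunt(events: List[Event], inventory: Dict[str, Set[str]] = INVENTORY) -> List[Finding]:
    return [f for f in (evaluate(e, inventory) for e in events) if f is not None]


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    # Portable AnyDesk dropped into Temp and launched from PowerShell on a finance workstation.
    Event("WS-FIN-012", "jdoe", "AnyDesk.exe",
          r"C:\Users\jdoe\AppData\Local\Temp", "AnyDesk Software GmbH", "powershell.exe"),
    # IT's own ScreenConnect service on the management server: benign.
    Event("SRV-MGMT-01", "SYSTEM", "ScreenConnect.ClientService.exe",
          r"C:\Program Files (x86)\ScreenConnect Client", "ScreenConnect Software", "services.exe"),
    # Cleanly installed Atera agent in Program Files, but on a host IT never assigned it to.
    Event("WS-FIN-012", "SYSTEM", "AteraAgent.exe",
          r"C:\Program Files\AteraAgent", "Atera Networks Ltd", "services.exe"),
    # Ordinary installer from Downloads, ignored because the vendor is not an RMM.
    Event("WS-FIN-012", "jdoe", "setup.exe",
          r"C:\Users\jdoe\Downloads", "Example Corp", "explorer.exe"),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"[!] {finding.device} {finding.file_name}: {'; '.join(finding.reasons)}")
```

The third event is the reason the inventory check earns its place: a properly installed, vendor-signed agent in Program Files with a normal parent passes every path and parent test in the KQL above, and only the asset inventory reveals that nobody in IT put it there.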

Conclusion

The era of relying solely on antivirus to catch "bad" files is over. As hackers weaponize legitimate tools like RMM software, the line between administration and attack blurs. Security teams must assume that if a tool provides remote access, adversaries will try to use it. By monitoring execution paths and enforcing strict whitelisting, you can close the stealth gap that RMM abuse creates.
