Exploiting the Tools You Trust
Security investigators have identified a growing cyber threat: attackers are misusing Remote Monitoring and Management (RMM) tools, such as Atera and Splashtop, to gain sustained access within corporate networks. By deploying multiple RMM agents simultaneously, attackers ensure persistence even if one gets discovered and removed.
These tools, normally reserved for legitimate IT administration, are being transformed into stealthy channels for command execution, malware deployment, and data exfiltration.
Why This Threat Is So Insidious
RMM tools present a dual-use dilemma:
- Trusted software that rarely raises suspicion during routine audits
- Capabilities similar to a RAT: remote execution, file transfer, remote shell sessions, and agent persistence
- Use by advanced groups as a primary or backup access vector across ransomware campaigns, including during lateral movement and data theft
Today’s threat actors prioritize redundancy and stealth, often installing multiple RMM clients so they keep control if one is detected, which indicates an alarming shift in attacker tactics.
What COE Security Recommends
COE Security helps organizations secure and detect misuse of RMM tools, especially in environments with managed IT infrastructure or third-party support.
Key protections we offer:
- Inventory and audit of installed RMM tools across endpoints and servers
- Configuration reviews and hardening (minimum privileges, session policies)
- SIEM/EDR hunting rules to detect unusual RMM behavior, e.g. concurrent use of multiple agents, unplanned remote commands, or scripted installations
- Incident response playbooks specific to RMM compromise and lateral movement
- User and IT team awareness training to flag unexpected remote access requests via legitimate tools
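As an added illustration of the hunting rules described above (example code, not COE Security's own tooling), the following Python flags two of the behaviors the post calls out: several RMM vendors running on one host, and an RMM agent that was never formally onboarded. The process-name-to-vendor mapping, the approved-vendor list and the inventory records are constructed assumptions to be replaced with your own software inventory.

```python
from collections import defaultdict

# Assumed process-image -> vendor mapping for the RMM products named in the post.
# Treat it as a starting point to verify against your own inventory, not a complete list.
RMM_PROCESSES = {
    "ateraagent.exe": "Atera",
    "srservice.exe": "Splashtop",
    "anydesk.exe": "AnyDesk",
    "rustdesk.exe": "RustDesk",
    "client32.exe": "NetSupport Manager",
}

# Constructed sample process-inventory records: (host, running process image).
SAMPLE_INVENTORY = [
    ("WS-0101", "explorer.exe"),
    ("WS-0101", "AteraAgent.exe"),
    ("WS-0101", "SRService.exe"),   # second RMM vendor on the same host
    ("WS-0102", "AteraAgent.exe"),
    ("SRV-DB01", "rustdesk.exe"),   # vendor never onboarded by IT
    ("SRV-DB01", "sqlservr.exe"),
]

# Vendors the IT department has formally onboarded (assumption for this example).
APPROVED_VENDORS = {"Atera"}


def rmm_vendors_by_host(inventory):
    """Map each host to the set of RMM vendors that have a running agent."""
    vendors = defaultdict(set)
    for host, image in inventory:
        vendor = RMM_PROCESSES.get(image.lower())
        if vendor:
            vendors[host].add(vendor)
    return dict(vendors)


def hunt(inventory, approved=APPROVED_VENDORS):
    """Return (host, rule, detail) findings for the two behaviours the post describes:
    multiple concurrent RMM agents on one host, and agents outside the approved set."""
    findings = []
    for host, vendors in sorted(rmm_vendors_by_host(inventory).items()):
        if len(vendors) >= 2:
            findings.append((host, "multiple_rmm_agents", sorted(vendors)))
        unapproved = sorted(vendors - set(approved))
        if unapproved:
            findings.append((host, "unapproved_rmm_agent", unapproved))
    return findings


if __name__ == "__main__":
    for host, rule, detail in hunt(SAMPLE_INVENTORY):
        print(f"{host}: {rule} -> {', '.join(detail)}")
```

In a SIEM the same logic maps onto a per-host distinct-count of RMM vendors over a time window, joined against the approved inventory.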
Broader Security Implications
- Perimeter defences increasingly bypassed: Attackers can blend in with legitimate administrative signals
- Elevated risk with unmanaged RMM installs: Services like AnyDesk, RustDesk, or NetSupport Manager may be abused before they’re even formally onboarded on the network
- Policies and monitoring strategies must evolve: staying ahead means treating RMM as high-risk infrastructure, not just standard software
About COE Security
At COE Security, we help organizations fortify their infrastructure with modern threat detection, behavior-based monitoring, and risk-aware policy design.
Our expertise includes:
- Advanced detection of dual-use tools and feature abuse
- Red teaming and pen test scenarios centered on real-world RMM misuse
- Zero trust architecture implementations for remote support tools
- Custom rule development aligned to the MITRE ATT&CK framework
- Technical training for SOC, IR, and IT teams to spot stealthy access vectors
We empower clients across finance, healthcare, telecom, retail, and government sectors to prevent legitimate infrastructure from becoming adversarial instruments.