Detecting Remote Monitoring and Management (RMM) Tool Communication with Microsoft Defender for Endpoint Advanced Hunting

This post shows how to use Microsoft Defender for Endpoint's Advanced Hunting feature to detect network communication from Remote Monitoring and Management (RMM) tools.

Prerequisites

  • Microsoft Defender for Endpoint P2 license (Not available for Defender for Business)
  • Microsoft Defender for Endpoint P2 onboarded to target devices

The Threat of RMM Tool Misuse

RMM tools, such as AnyDesk and TeamViewer, are incredibly useful for IT administrators to remotely maintain systems and provide support. However, if their powerful features are misused, they can become a significant security threat.

In recent ransomware and targeted attacks, there has been a continuous rise in cases where attackers illicitly install RMM tools on devices to remotely control them and infiltrate internal networks. As the diagram below shows, attack campaigns using RMM tools have surged since 2024.

Chart showing increase in RMM tool attacks

Source: Remote Monitoring and Management (RMM) Tooling Increasingly an Attacker’s First Choice | Proofpoint US

Attackers abuse legitimate RMM tools to infiltrate environments, steal sensitive information, or spread malware. Microsoft's "Microsoft Digital Defense Report 2024"[URL] also mentions that a trending attack vector involves attackers, disguised as help desk personnel, tricking users into installing RMM tools. Furthermore, "Shadow IT," where employees use RMM tools without organizational approval, also increases security risks.

A further complication is that RMM tools are not malicious in themselves and are routinely used for legitimate work, so firewalls, secure web gateways (SWGs) and EDRs may not flag them. An EDR may detect direct communication with an attacker's server, for instance, yet let an RMM session through (this depends on the product and its configuration; it also means FW and SWG administrators need to keep destination policies tight). It is therefore important to detect unauthorized RMM tool communication in your environment promptly and eliminate the potential threat.

Detecting RMM Tool Misuse

The query below loads a published list of known RMM tool executables and flags network events from devices onboarded to Microsoft Defender for Endpoint P2 whose initiating process is one of those executables, whatever the destination.


// Retrieve a list of RMM tool binaries from an external CSV (columns: rmm_program, rmm_binary)
let RMMList = externaldata(rmm_program: string, rmm_binary: string)
    [h'https://raw.githubusercontent.com/Kithu29/RMM-Tools-List/main/rmm_list.csv']
    with (format="csv", ignoreFirstRecord=true);
// Collapse the rmm_binary column into one distinct array.
// toscalar() turns the single-row result of make_set into a dynamic value that in~ accepts directly.
let RMMBinaryList = toscalar(RMMList | summarize make_set(rmm_binary));
// Search DeviceNetworkEvents for connections whose initiating process file name is in the RMM binary list
DeviceNetworkEvents
// Case-insensitive membership test of InitiatingProcessFileName against RMMBinaryList
| where InitiatingProcessFileName in~ (RMMBinaryList)
// Keep the columns needed for triage
| project
    Timestamp,
    DeviceId,
    DeviceName,
    InitiatingProcessAccountName,
    InitiatingProcessFileName,       // Process file name that matched an RMM binary
    InitiatingProcessFolderPath,     // Folder the communicating process runs from
    InitiatingProcessCommandLine,    // Command line of the communicating process
    InitiatingProcessParentFileName, // Parent process of the communicating process (for reference)
    RemoteUrl,
    RemoteIP,
    RemotePort
// | summarize count() by InitiatingProcessFileName // Uncomment to count hits per RMM binary

Here is the detection screen. As the screenshot shows, anydesk.exe is signed by AnyDesk Software GmbH, so default detections alone make it difficult to distinguish legitimate from malicious use. (Detection may of course still be possible depending on how the tool is used and on the policies in place.)

Defender detection screen showing anydesk.exe

Query Explanation

  1. externaldata: First, the externaldata operator loads a CSV published on GitHub (the Kithu29 RMM-Tools-List) as external data. Each row pairs an RMM product name (rmm_program) with its executable file name (rmm_binary), for example anydesk.exe, the binary shown in the screenshot above.
  2. Creating the RMM binary list: Next, the rmm_binary column is collapsed into a single distinct array, RMMBinaryList, using the make_set() function.
  3. Detecting RMM tool communications: Finally, the DeviceNetworkEvents table is filtered to rows whose InitiatingProcessFileName matches (case-insensitively, via in~) an entry in RMMBinaryList. This surfaces every network connection initiated by a known RMM binary, regardless of destination. The URL-based variant in the Further Investigation section applies the same pattern from the other side, matching RemoteUrl against a published list of RMM network indicators with has_any.

Further Investigation

While this query is expected to catch many suspicious RMM tool communications, consider the following points when tuning alerts and performing additional analysis to improve accuracy and reduce false positives:

  • Check Destination Information (RemoteUrl, RemoteIP): Are there connections to RMM servers other than those used for legitimate business operations? The variant below works from the destination side: it loads a published list of RMM network indicators (URIs) and matches RemoteUrl against them with has_any, so it also catches RMM traffic from a renamed or unlisted binary.
    
    // Load the RMM network indicator list (columns: URI, RMMTool)
    let RMMList = externaldata(URI: string, RMMTool: string)
        [h'https://raw.githubusercontent.com/jischell-msft/RemoteManagementMonitoringTools/refs/heads/main/Network%20Indicators/RMM_SummaryNetworkURI.csv']
        with (format="csv", ignoreFirstRecord=true);
    // Collapse the URI column into a single dynamic array (toscalar makes it usable by has_any)
    let RMMUrlDynamicList = toscalar(RMMList | summarize make_list(URI));
    DeviceNetworkEvents
    // Term match of the destination URL against every indicator in the list
    | where RemoteUrl has_any (RMMUrlDynamicList)
        
  • Check Command Line Arguments (InitiatingProcessCommandLine): Are there arguments specifying suspicious destinations or options not typically used in regular operations?
  • Check Execution Location (InitiatingProcessFolderPath): Is the RMM tool being executed from unusual locations like temporary folders or user profiles, rather than standard installation paths?
  • Check Frequency and Timing: Are RMM tool communications occurring at times or frequencies inconsistent with normal business operations?
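The four checks above can be folded into one triage view. The following query is an added example, not part of the original post or of Steven Lim's query: it reuses the binary-name detection, maps each hit back to its product name, and computes the execution-location, command-line and timing signals per device and account so the riskiest hits sort to the top. Its assumptions are marked in comments: approved installs live under C:\Program Files or C:\Program Files (x86), the listed command-line switches (AnyDesk's unattended-install options) indicate a silent setup, and "business hours" are 07:00 to 19:00 UTC, since Advanced Hunting timestamps are UTC.

```kql
// Added example: triage view for hits from the binary-name query (not from the original post)
let RMMList = externaldata(rmm_program: string, rmm_binary: string)
    [h'https://raw.githubusercontent.com/Kithu29/RMM-Tools-List/main/rmm_list.csv']
    with (format="csv", ignoreFirstRecord=true);
let RMMBinaryList = toscalar(RMMList | summarize make_set(rmm_binary));
// Lower-cased binary -> product name lookup so the join is case-insensitive
let RMMNames =
    RMMList
    | project Binary = tolower(rmm_binary), rmm_program
    | distinct Binary, rmm_program;
// Assumption: switches typical of an unattended AnyDesk install; extend per tool in your estate
let UnattendedSwitches = dynamic(["--silent", "--install", "--start-with-win", "--set-password"]);
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ (RMMBinaryList)
| extend Binary = tolower(InitiatingProcessFileName)
| join kind=leftouter (RMMNames) on Binary
| extend
    // Assumption: IT-approved installs live under Program Files / Program Files (x86)
    ExecutedFromStandardPath = InitiatingProcessFolderPath startswith @"C:\Program Files",
    HasUnattendedSwitch = InitiatingProcessCommandLine has_any (UnattendedSwitches),
    // Assumption: business hours are 07:00-19:00 UTC; adjust for your time zone
    OutsideBusinessHours = hourofday(Timestamp) < 7 or hourofday(Timestamp) >= 19
| summarize
    Connections = count(),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    Destinations = make_set(RemoteUrl, 10),
    RemoteIPs = make_set(RemoteIP, 10),
    UnattendedSwitchHits = countif(HasUnattendedSwitch),
    OffHoursHits = countif(OutsideBusinessHours),
    SampleCommandLine = take_any(InitiatingProcessCommandLine)
    by DeviceName, InitiatingProcessAccountName, rmm_program,
       InitiatingProcessFileName, InitiatingProcessFolderPath, ExecutedFromStandardPath
// Crude score: a user-writable location and silent-install switches weigh most
| extend RiskScore =
    iff(ExecutedFromStandardPath, 0, 2)
    + iff(UnattendedSwitchHits > 0, 2, 0)
    + iff(OffHoursHits > 0, 1, 0)
| order by RiskScore desc, Connections desc
```

A high RiskScore is a prompt for investigation, not a verdict: a helpdesk laptop that runs AnyDesk from a portable copy in the user profile will score the same as an attacker's drop, and only the allowlisting process described under Important Considerations separates the two.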

Potential Threats Detectable with This Query

By running this query, you can detect the following risks for devices onboarded to MDE:

  • Unauthorized Access and Remote Operation: Detect attempts by attackers using stolen credentials or vulnerabilities to launch legitimate RMM tools outside of organizational management for unauthorized access and remote operation of internal systems. This can help capture early signs of ransomware attacks or persistent unauthorized access (like APT attacks).
  • Lateral Movement: Provides clues to detect attackers who have already infiltrated the network and are attempting to expand their foothold horizontally (lateral movement) using RMM tools to other devices. RMM communications from server segments or specific user groups that normally do not use RMM tools are particularly noteworthy.
  • Early Signs of Data Exfiltration: Potentially detect communications when attackers use RMM tool file transfer features or connect to external storage services as a preparatory step to exfiltrate sensitive data.
  • Malware Abusing RMM Tools: Some malware secretly installs and misuses RMM tools as backdoors to enable remote control by attackers. This query helps detect RMM communications established by such malware.
  • Detection of Shadow IT: Discover instances where employees install and use RMM tools personally for convenience without IT department approval. These unmanaged tools can lead to non-compliance with security policies, unpatched vulnerabilities, and become footholds for attacks.

Important Considerations for Utilization

  • Distinguishing from Legitimate Use (Reducing False Positives): RMM tools officially authorized within the organization or legitimate use by specific departments/users may also be detected. Therefore, it's important to have an operational process (e.g., creating whitelists, confirming with departments) to differentiate whether a detected alert is a true threat or legitimate use. Customizations, such as adding filters to exclude communications from specific IP addresses or departments, can be considered.
  • Management and Comprehensiveness of External Lists: The content of the external list referenced by the query is managed by its creators. Understand the accuracy, comprehensiveness, and update frequency of the list, and consider managing or customizing the list within your organization if necessary. While a significant number of RMM tools are listed, it is not exhaustive.
  • Continuous Monitoring: Microsoft Defender for Endpoint's "custom detections" feature lets you register a query to run on a schedule and raise alerts automatically, which enables continuous monitoring. Note that a custom detection rule requires the query results to include the Timestamp, DeviceId and ReportId columns, so keep them in the project clause.
  • Measures Other Than This Query: Naturally, it is recommended to implement other countermeasures in parallel. For example, consider perimeter defenses to prevent attackers from installing RMM tools (e.g., email security), proper management of administrative privileges on endpoints, and restricting communication destinations with FWs or SWGs.
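The first two considerations (separating approved use and managing the list) and the custom-detection point can be combined in one scheduled query. The following is an added example, not part of the original post: it alerts only when an RMM binary is seen on a device for the first time in the last day, using the preceding 30 days of Advanced Hunting data as the baseline (30 days being the Advanced Hunting retention limit), skips binary/device pairs that IT has approved, and keeps the Timestamp, DeviceId and ReportId columns a custom detection rule requires. The ApprovedRMM table and its device names are illustrative assumptions; in practice maintain the allowlist as a second externaldata CSV or in a ticketing-backed process.

```kql
// Added example: custom-detection-ready "new RMM binary on device" query (not from the original post)
let RMMList = externaldata(rmm_program: string, rmm_binary: string)
    [h'https://raw.githubusercontent.com/Kithu29/RMM-Tools-List/main/rmm_list.csv']
    with (format="csv", ignoreFirstRecord=true);
let RMMBinaryList = toscalar(RMMList | summarize make_set(rmm_binary));
// Assumption: inline allowlist of (binary, short device name) pairs approved by IT; both values are hypothetical
let ApprovedRMM = datatable(ApprovedBinary: string, ApprovedDevice: string) [
    "anydesk.exe", "helpdesk-ws01",    // hypothetical service-desk workstation
    "teamviewer.exe", "it-admin-lt02"  // hypothetical IT admin laptop
];
let Lookback = 30d;  // Advanced Hunting keeps 30 days, so the baseline cannot be longer
let Recent = 1d;     // alert window; match it to the custom detection's run frequency
let RMMConnections =
    DeviceNetworkEvents
    | where Timestamp > ago(Lookback)
    | where InitiatingProcessFileName in~ (RMMBinaryList)
    | extend
        Binary = tolower(InitiatingProcessFileName),
        // DeviceName is an FQDN; compare on the host part only
        ShortDeviceName = tolower(tostring(split(DeviceName, ".")[0]));
// Device/binary pairs already active before the recent window
let Baseline =
    RMMConnections
    | where Timestamp <= ago(Recent)
    | distinct DeviceId, Binary;
let Approved =
    ApprovedRMM
    | project Binary = tolower(ApprovedBinary), ShortDeviceName = tolower(ApprovedDevice);
RMMConnections
| where Timestamp > ago(Recent)
// Drop pairs that were already present in the baseline period
| join kind=leftanti (Baseline) on DeviceId, Binary
// Drop pairs approved for that device
| join kind=leftanti (Approved) on Binary, ShortDeviceName
// One row per new device/binary pair; arg_max keeps the latest event's Timestamp and ReportId
| summarize arg_max(Timestamp, *) by DeviceId, Binary
| project Timestamp, DeviceId, ReportId, DeviceName, InitiatingProcessAccountName,
          InitiatingProcessFileName, InitiatingProcessFolderPath,
          InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort
```

Two caveats when running this as a custom detection: a device onboarded within the last day has no baseline, so every RMM binary on it shows as new on its first day, and the baseline only suppresses repeats of the same binary on the same device, so an attacker who switches to a second RMM tool still triggers an alert, which is the intended behaviour.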

Summary

The Microsoft Defender Advanced Hunting query introduced here is highly effective for discovering cyberattacks abusing RMM tools and Shadow IT instances that violate organizational policies. By regularly executing this query and appropriately investigating detected events, you can contribute to the early detection and response to security incidents, and strengthen your organization's overall security posture.

Please try this query in your environment and use it as an aid for your security monitoring.

References and Acknowledgements

The query introduced in this article is a customized version of a query published on GitHub by Steven Lim[URL]. I would like to take this opportunity to thank Steven Lim. I also want to thank Kithu29 and J Schell for creating and publishing the RMM lists on GitHub. They were a great help!
