DNS Queries to RMM Domains from Non-Browser Processes
DNS queries to known remote monitoring and management (RMM) domains that originate from non-browser processes on Windows hosts can indicate abuse of legitimate RMM software for command and control.
This brief covers the abuse of legitimate Remote Monitoring and Management (RMM) software by threat actors. RMM tools are built for IT administration, but once an attacker controls an agent they provide command and control, persistence and lateral movement that blend in with normal traffic. The activity is identified by matching DNS queries against a list of known RMM service domains and keeping only those issued by processes that are not common web browsers; a hit means an RMM client, script or other non-browser application is trying to reach an RMM service. The detection rule was published on 2026-03-23 by Elastic and is intended to surface unauthorized or malicious RMM use inside an organization. Because many organizations run RMM tools legitimately, every hit needs context: which process issued the query, whether that product is sanctioned, and whether the installation is managed by IT.
Attack Chain
- An attacker gains initial access to a Windows system through an unknown method.
- The attacker installs or deploys a legitimate RMM tool or a modified version.
- The agent is enrolled into infrastructure the attacker controls: an attacker-owned tenant of a commercial RMM service, or a self-hosted server.
- A non-browser process (e.g., a script or a standalone executable) initiates a DNS query to resolve an RMM domain (e.g., teamviewer.com, anydesk.com).
- The name resolves and the process opens a connection to the returned address, linking the compromised host to the RMM service and, through it, to the attacker's console.
- The attacker leverages the RMM tool to execute commands, transfer files, and maintain persistent access to the compromised system.
- The attacker performs lateral movement to other systems within the network, utilizing the RMM tool for remote administration.
- The attacker achieves their objective, such as data exfiltration or ransomware deployment, using the established RMM connection.
Impact
Compromise via RMM tools can lead to significant damage, including unauthorized access to sensitive data, disruption of business operations and ransomware deployment. A successful RMM-based intrusion gives the attacker persistent, interactive control over affected systems, which in turn enables lateral movement and further malicious activity. Because RMM tools are widely deployed across sectors and their traffic looks routine, the threat is broad and hard to spot. The impact can range from a single compromised workstation to the complete takeover of an organization's IT infrastructure.
Recommendation
- Deploy the two detection rules below in your SIEM and tune the browser exclusions and any sanctioned-tool allowlist for your environment.
- Compare the IOC domain list against the RMM products you actually license, and block the rest at your DNS resolver or web proxy.
- For each alert, examine the process tree (parent process, command line, code signer, install path) and confirm whether the querying process is a sanctioned RMM agent.
- Use application control (for example WDAC or AppLocker) so that only the sanctioned RMM client binaries can execute on endpoints.
- Enable Sysmon DNS query logging (Event ID 22); the first rule depends on it and produces nothing without it. The second rule needs process-level network connection telemetry (Sysmon Event ID 3 or equivalent).
Detection coverage (2 rules)
DNS Query to Known RMM Domain from Non-Browser Process
Severity: medium. Detects DNS queries to known RMM domains from processes excluding common web browsers.
Process Connecting to Known RMM Domain
Severity: medium. Detects a non-browser process initiating a network connection to an IP address associated with a known RMM domain.
Detection queries are kept inside the platform.
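The following is an added worked example, not the platform's rule code, showing the logic both rules describe run over constructed Sysmon events: Event ID 22 (DnsQuery) for the first rule, and Event ID 3 (NetworkConnect) for the second, where resolved addresses from earlier DNS answers are used to tie a connection back to an RMM domain. The domain subset, the browser exclusion list, the sample events and the `QueryResults` string format (`type: 5 cname;::ffff:a.b.c.d;`) are assumptions for illustration; a deployment would load the full 74-domain IOC list and tune the browser list to its fleet.

```python
# Added example: the two RMM detections over constructed Sysmon events.
# Not the platform's rule code; domain subset, browser list and events are assumed.
import ipaddress

# Subset of the IOC table on this page; a real deployment loads all 74 domains.
RMM_DOMAINS = {
    "teamviewer.com", "anydesk.com", "screenconnect.com",
    "splashtop.com", "atera.com", "ninjaone.com",
}

# Browser images excluded by rule 1 (assumed list; tune to your fleet).
BROWSER_IMAGES = {
    "chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe", "iexplore.exe",
}


def image_name(path):
    """Return the lowercase file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def matching_rmm_domain(qname):
    """Return the IOC domain that qname equals or is a subdomain of, else None.

    Suffix matching on label boundaries avoids both missing 'relay.anydesk.com'
    and false-matching 'teamviewer.com.evil.example'.
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in RMM_DOMAINS:
            return candidate
    return None


def parse_query_results(results):
    """Extract IP addresses from a Sysmon EID 22 QueryResults string.

    Assumed format: ';'-separated entries, IPv4 shown as '::ffff:a.b.c.d',
    CNAME entries prefixed with 'type:'.
    """
    ips = []
    for part in results.split(";"):
        part = part.strip()
        if part.startswith("::ffff:"):
            part = part[len("::ffff:"):]
        try:
            ips.append(str(ipaddress.ip_address(part)))
        except ValueError:
            continue  # 'type: 5 ...' entries and empty trailing fields
    return ips


def detect(events):
    """Run both rules over time-ordered Sysmon events; return a list of findings."""
    findings = []
    ip_to_rmm = {}  # resolved address -> RMM domain it was returned for
    for ev in events:
        image = image_name(ev["Image"])
        if ev["EventID"] == 22:
            rmm = matching_rmm_domain(ev["QueryName"])
            if rmm is None:
                continue
            # Record resolved IPs regardless of which process asked: a browser's
            # lookup can be reused by a later non-browser connection (rule 2).
            for ip in parse_query_results(ev.get("QueryResults", "")):
                ip_to_rmm[ip] = rmm
            if image not in BROWSER_IMAGES:
                findings.append(("dns_query_rmm_domain", image, ev["QueryName"], rmm))
        elif ev["EventID"] == 3:
            rmm = ip_to_rmm.get(ev["DestinationIp"])
            if rmm and image not in BROWSER_IMAGES:
                findings.append(("connection_rmm_ip", image, ev["DestinationIp"], rmm))
    return findings


# Constructed sample events (not real telemetry); addresses are documentation ranges.
SAMPLE_EVENTS = [
    {"EventID": 22, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "QueryName": "www.teamviewer.com", "QueryResults": "::ffff:203.0.113.10;"},
    {"EventID": 22, "Image": r"C:\Users\Public\svc.exe",
     "QueryName": "relay.anydesk.com",
     "QueryResults": "type:  5 relay-1.net.anydesk.com;::ffff:198.51.100.7;"},
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "ctldl.windowsupdate.com", "QueryResults": "::ffff:192.0.2.1;"},
    {"EventID": 3, "Image": r"C:\Users\Public\svc.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Users\Public\updater.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Running it yields three findings: the DNS query from svc.exe to relay.anydesk.com, the connection from svc.exe to the address that lookup returned, and the connection from updater.exe to the TeamViewer address that chrome.exe resolved. The first is the browser-exclusion rule; the last two are the second rule, and the updater.exe case is why it exists: the DNS rule alone is blind when a browser performs the lookup and a different process reuses the cached answer. The svchost.exe query to a non-RMM domain produces nothing.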
Indicators of compromise (74 domains)
| Type | Value |
|---|---|
| domain | teamviewer.com |
| domain | logmein.com |
| domain | logmeinrescue.com |
| domain | logmeininc.com |
| domain | internapcdn.net |
| domain | anydesk.com |
| domain | screenconnect.com |
| domain | connectwise.com |
| domain | splashtop.com |
| domain | zohoassist.com |
| domain | dwservice.net |
| domain | gotoassist.com |
| domain | getgo.com |
| domain | rustdesk.com |
| domain | remoteutilities.com |
| domain | atera.com |
| domain | ammyy.com |
| domain | n-able.com |
| domain | kaseya.net |
| domain | bomgar.com |
| domain | beyondtrustcloud.com |
| domain | parsec.app |
| domain | parsecusercontent.com |
| domain | tailscale.com |
| domain | twingate.com |
| domain | jumpcloud.com |
| domain | vnc.com |
| domain | remotepc.com |
| domain | netsupportsoftware.com |
| domain | getscreen.me |
| domain | beanywhere.com |
| domain | swi-rc.com |
| domain | swi-tc.com |
| domain | qetqo.com |
| domain | tmate.io |
| domain | playanext.com |
| domain | supremocontrol.com |
| domain | itarian.com |
| domain | datto.com |
| domain | auvik.com |
| domain | syncromsp.com |
| domain | pulseway.com |
| domain | immy.bot |
| domain | immybot.com |
| domain | level.io |
| domain | ninjarmm.com |
| domain | ninjaone.com |
| domain | centrastage.net |
| domain | datto.net |
| domain | liongard.com |
| domain | naverisk.com |
| domain | panorama9.com |
| domain | superops.ai |
| domain | superops.com |
| domain | tacticalrmm.com |
| domain | meshcentral.com |
| domain | remotly.com |
| domain | fixme.it |
| domain | islonline.com |
| domain | zoho.eu |
| domain | goverlan.com |
| domain | iperius.net |
| domain | iperiusremote.com |
| domain | remotix.com |
| domain | mikogo.com |
| domain | r-hud.net |
| domain | pcvisit.de |
| domain | netviewer.com |
| domain | helpwire.app |
| domain | remotetopc.com |
| domain | rport.io |
| domain | action1.com |
| domain | tiflux.com |
| domain | gotoresolve.com |