Skip to content
Threat Feed
medium advisory

Suspicious DNS Queries to Remote Monitoring and Management Domains from Non-Browser Processes

This brief details the detection of DNS queries targeting commonly abused Remote Monitoring and Management (RMM) or remote access software domains, originating from non-browser processes, which is a common tactic for command and control, persistence, and lateral movement by threat actors.

This threat brief focuses on the detection of suspicious DNS queries directed towards domains associated with Remote Monitoring and Management (RMM) and remote access software. Threat actors frequently exploit legitimate RMM tools for various malicious purposes, including establishing command and control (C2), maintaining persistence within compromised environments, and facilitating lateral movement. The detection rule specifically targets DNS queries made by non-browser processes, aiming to surface activity from unapproved RMM clients, malicious scripts, or other unexpected software attempting to contact these services. This approach helps defenders identify unauthorized remote access, which could indicate a compromise, or the illicit use of legitimate tools for adversary operations, enabling timely response and mitigation.

Attack Chain

  1. Initial Access: A user falls victim to a phishing email or exploits an internet-facing vulnerability, allowing an attacker to gain an initial foothold on a system.
  2. Execution & Staging: Malicious code is executed, often disguised as a legitimate application or utility, which may download further tools or scripts.
  3. RMM Tool Deployment: The attacker deploys a legitimate, but often unauthorized or cracked, RMM or remote access client on the compromised system. This could be done through direct installation or by leveraging existing system capabilities.
  4. Command and Control (C2) Initialization: The newly deployed RMM client attempts to establish a connection to its control server, which involves performing DNS queries to its service domains (e.g., teamviewer.com, anydesk.com, connectwise.com).
  5. Persistent Remote Access: Successful connection to the RMM domain provides the attacker with persistent remote access to the compromised system, often bypassing traditional firewall rules due to the nature of RMM applications.
  6. Internal Reconnaissance & Lateral Movement: Using the RMM tool, the attacker conducts internal reconnaissance, maps the network, and moves laterally to other systems within the environment.
  7. Objective Achievement: The attacker executes their final objectives, which may include data exfiltration, deployment of ransomware, or further propagation of malware.

Impact

The abuse of RMM tools by threat actors can lead to severe organizational impact. Successful exploitation can result in unauthorized, persistent access to critical systems, enabling extensive data exfiltration of sensitive information, deployment of ransomware causing significant operational disruption and financial losses, or complete network compromise. Organizations across all sectors, particularly those relying on legitimate RMM for IT support, are susceptible. If the attack succeeds, it can undermine an organization's security posture, lead to regulatory non-compliance, and damage reputation.

Recommendation

  • Deploy the provided Sigma rule (or its ESQL equivalent) to your SIEM/endpoint security platform and tune for your environment to detect suspicious DNS queries.
  • Ensure that DNS query logging is enabled for all Windows endpoints, ideally via Sysmon Event ID 22 or Elastic Defend, to provide the necessary telemetry for the detection rule.
  • Investigate all alerts generated by the Detect DNS Query to Remote Monitoring/Management (RMM) Domain from Non-Browser Process rule, focusing on the process.executable and its parent process.
  • Review the code signatures (process.code_signature) of flagged processes to verify legitimacy and prevent abuse of trojanized RMM installers.
  • Block the RMM domains listed in the IOC table at the DNS resolver and firewall levels for any systems not explicitly authorized to use such tools.
  • Implement and enforce a strict policy for approved RMM tools and publishers, ensuring only authorized staff use managed, legitimate software for remote support.

Detection coverage 1

Detect DNS Query to Remote Monitoring/Management (RMM) Domain from Non-Browser Process

medium

Detects DNS queries to commonly abused RMM or remote access software domains originating from processes other than common browsers, indicating potential C2 or unauthorized remote access.

sigma tactics: command_and_control techniques: T1219 sources: dns_query, windows

Detection queries are available on the platform. Get full rules →

Indicators of compromise

193

domain

TypeValue
domain01com.com
domain247ithelp.com
domainaction1.com
domainaddigy.com
domainaeroadmin.com
domainammyy.com
domainanydesk.com
domainanyplace-control.com
domainanysupport.net
domainatera.com
domainaurelius.host
domainauvik.com
domainaweray.com
domainaweray.net
domainbackdrop.cloud
domainbarracudamsp.com
domainbeamyourscreen.com
domainbeanywhere.com
domainbeinsync.com
domainbeinsync.net
domainbeyondtrustcloud.com
domainbomgar.com
domainbomgarcloud.com
domaincentrastage.net
domaincenturiontech.com
domainconnectwise.com
domaincrossloop.com
domaindameware.com
domaindatto.com
domaindatto.net
domaindeskday.ai
domaindeskroll.com
domaindesktopstreaming.com
domaindistantdesktop.com
domaindonkz.nl
domaindwservice.net
domainehorus.com
domainelectric.ai
domainemcosoftware.com
domainericom.com
domainfastsupport.com
domainfastviewer.com
domainfixme.it
domainfleetdeck.io
domaingatherplace.com
domaingatherplace.net
domaingetgo.com
domaingetscreen.me
domaingotoassist.at
domaingotoassist.com
domaingotoassist.me
domaingotohttp.com
domaingotoresolve.com
domaingoverlan.com
domainheartbeatrm.com
domainhelpme.net
domainhelpwire.app
domainhoptodesk.com
domainhostedrmm.com
domainimmy.bot
domainimmybot.com
domainimperosoftware.com
domaininstanthousecall.com
domaininstanthousecall.net
domainintelliadmin.com
domaininternapcdn.net
domaininternetid.ru
domainiperius-rs.com
domainiperius.net
domainiperiusremote.com
domainislonline.com
domainislonline.net
domainitarian.com
domainitsupport247.net
domainjumpcloud.com
domainjumpdesktop.com
domainjumpto.me
domainkabuto.io
domainkabutoservices.com
domainkaseya.com
domainkaseya.net
domainkickidler.com
domainlaplink.com
domainlevel.io
domainliongard.com
domainlitemanager.com
domainlitemanager.ru
domainlogicnow.com
domainlogmein-gateway.com
domainlogmein.com
domainlogmeininc.com
domainlogmeinrescue.com
domainlogmeinrescue.eu
domainlunixar.com
domainmeshcentral.com
domainmikogo.com
domainmikogo4.com
domainmiradore.com
domainmsp360.com
domainmygreenpc.com
domainn-able.com
domainnaverisk.com
domainnchuser.com
domainnetop.com
domainnetsupportmanager.com
domainnetsupportsoftware.com
domainnetviewer.com
domainninjaone.com
domainninjarmm.com
domainninjarmm.net
domainnomachine.com
domainntrsupport.com
domainopti-tune.com
domainoptitune.us
domainoray.com
domainoray.net
domainpanorama9.com
domainparsec.app
domainparsecusercontent.com
domainpcvisit.de
domainpilixo.com
domainplayanext.com
domainpulseway.com
domainqetqo.com
domainr-hud.net
domainreal-time-collaboration.com
domainremmon.hu
domainremote.it
domainremote.management
domainremotecall.com
domainremotedesktop.com
domainremotepc.com
domainremotetopc.com
domainremoteutilities.com
domainremotix.com
domainremotly.com
domainrepairshopr.com
domainrmansys.ru
domainrmmservice.ca
domainrmmservice.eu
domainroyalapps.com
domainrport.io
domainrudesktop.ru
domainrustdesk.com
domainrview.com
domainscreenconnect.com
domainscreenmeet.com
domainscrn.mt
domainservably.com
domainserver-eye.de
domainset.me
domainsetme.net
domainshowmypc.com
domainsignalserver.xyz
domainsimple-help.com
domainskyfex.com
domainsorillus.com
domainsplashtop.com
domainsplashtop.eu
domainspyanywhere.com
domainspytech-web.com
domainstartsupport.com
domainsuperops.ai
domainsuperops.com
domainsuperopsalpha.com
domainsuperopsbeta.com
domainsupremocontrol.com
domainswi-rc.com
domainswi-tc.com
domainsyncroapi.com
domainsyncromsp.com
domainsyspectr.com
domainsystem-monitor.com
domainsystemmonitor.us
domaintacticalrmm.com
domaintailscale.com
domainteamviewer.com
domaintechinline.net
domaintele-desk.com
domaintiflux.com
domaintightvnc.com
domaintmate.io
domaintodesk.com
domaintwingate.com
domainultraviewer.net
domainultravnc.com
domainvnc.com
domainweezo.me
domainweezo.net
domainxeox.com
domainzoho.eu
domainzohoassist.com
domainzohoassist.jp