{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/aweray-remote/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["01com","Action1","Addigy","AeroAdmin","Ammyy Admin","AnyDesk","Anyplace Control","AnySupport","Atera RMM","Aurelius Host","Auvik","Aweray Remote","Backdrop Cloud","Barracuda MSP","BeamYourScreen","BeAnywhere","BeInSync","BeyondTrust Remote Support","Bomgar Remote Support","CentraStage","Centurion Technologies","ConnectWise","ConnectWise Control (ScreenConnect)","CrossLoop","DameWare","Datto RMM","Deskday","DeskRoll","Desktop Streaming","Distant Desktop","Donkz","DWService","eHorus","Electric AI RMM","EMCO Remote Installer","Ericom Connect","FastSupport","FastViewer","FixMe.IT","FleetDeck","GatherPlace","GoToAssist","GoToResolve","GetScreen","Goverlan","HeartbeatRM","HelpMe.net","HelpWire","HopToDesk","Hosted RMM","ImmyBot","Impero Remote Monitoring","Instant Housecall","IntelliAdmin","Internap CDN","Internet ID","Iperius Remote","ISL Online","Itarian","ITSupport247","JumpCloud","Jump Desktop","JumpTo","Kabuto","Kaseya VSA","Kickidler","Laplink","Level.io","Liongard","LiteManager","LogicNow","LogMeIn","LogMeIn Rescue","Lunixar","MeshCentral","Mikogo","Miradore","MSP360","MyGreenPC","N-able RMM","Naverisk","NCH Software","NetOp Remote Control","NetSupport Manager","NetViewer","NinjaOne","NoMachine","NTRsupport","Opti-Tune","Oray Remote Control","Panorama9","Parsec","PCVisit","Pilixo","Playanext","Pulseway","Qetqo","R-HUD","Real-Time Collaboration","Remmon","Remote.It","Remote Management","RemoteCall","Remote Desktop","RemotePC","RemoteToPC","Remote Utilities","Remotix","Remotly","RepairShopr","RMansys","RMM Service","Royal Apps","Rport","RUDesktop","RustDesk","Rview","ScreenMeet","Servably","Server-Eye","Set.Me","ShowMyPC","SignalServer","SimpleHelp","Skyfex","Sorillus","Splashtop","SpyAnywhere","Spytech-Web","StartSupport","SuperOps.ai","Supremo Control","SWI Remote Support","SyncroMSP","Syspectr","System Monitor","Tactical RMM","Tailscale","TeamViewer","Techinline","Tele-Desk","TiFlux","TightVNC","tmate","ToDesk","Twingate","UltraViewer","UltraVNC","VNC Connect","Weezo","Xeox","Zoho Assist"],"_cs_severities":["medium"],"_cs_tags":["windows","command-and-control","endpoint","rmm","remote-access"],"_cs_type":"advisory","_cs_vendors":["01com","Action1","Addigy","AeroAdmin","Ammyy","AnyDesk","Anyplace Control","AnySupport","Atera","Aurelius Host","Auvik","Aweray","Barracuda MSP","BeamYourScreen","BeAnywhere","BeInSync","BeyondTrust","Bomgar","CentraStage","Centurion Technologies","ConnectWise","CrossLoop","DameWare","Datto","Deskday.ai","DeskRoll","Desktop Streaming","Distant Desktop","Donkz","DWService","eHorus","Electric AI","EMCO Software","Ericom","FastViewer","FixMe.IT","FleetDeck","GatherPlace","GoTo","GetScreen","Goverlan","HeartbeatRM","HelpWire","HopToDesk","Hosted RMM","ImmyBot","Impero Software","Instant Housecall","IntelliAdmin","Internap CDN","Internet ID","Iperius Remote","ISL Online","Itarian","ITSupport247","JumpCloud","Jump Desktop","Kabuto","Kaseya","Kickidler","Laplink","Level.io","Liongard","LiteManager","LogicNow","LogMeIn","Lunixar","MeshCentral","Mikogo","Miradore","MSP360","MyGreenPC","N-able","Naverisk","NCH Software","NetOp","NetSupport","NetViewer","NinjaOne","NoMachine","NTRsupport","Opti-Tune","Oray","Panorama9","Parsec","PCVisit","Pilixo","Playanext","Pulseway","Qetqo","R-HUD","Real-Time Collaboration","Remmon","Remote.It","Remote Management","RemoteCall","Remote Desktop","RemotePC","Remote Utilities","Remotix","Remotly","RepairShopr","RMansys","RMM Service","Royal Apps","Rport","RUDesktop","RustDesk","Rview","ScreenConnect","ScreenMeet","Servably","Server-Eye","Set.Me","ShowMyPC","SignalServer","SimpleHelp","Skyfex","Sorillus","Splashtop","SpyAnywhere","Spytech-Web","StartSupport","SuperOps.ai","Supremo Control","SWI","SyncroMSP","Syspectr","System Monitor","Tactical RMM","Tailscale","TeamViewer","Techinline","Tele-Desk","TiFlux","TightVNC","tmate","ToDesk","Twingate","UltraViewer","UltraVNC","VNC","Weezo","Xeox","Zoho"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of suspicious DNS queries directed towards domains associated with Remote Monitoring and Management (RMM) and remote access software. Threat actors frequently exploit legitimate RMM tools for various malicious purposes, including establishing command and control (C2), maintaining persistence within compromised environments, and facilitating lateral movement. The detection rule specifically targets DNS queries made by non-browser processes, aiming to surface activity from unapproved RMM clients, malicious scripts, or other unexpected software attempting to contact these services. This approach helps defenders identify unauthorized remote access, which could indicate a compromise, or the illicit use of legitimate tools for adversary operations, enabling timely response and mitigation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access\u003c/strong\u003e: A user falls victim to a phishing email or exploits an internet-facing vulnerability, allowing an attacker to gain an initial foothold on a system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution \u0026amp; Staging\u003c/strong\u003e: Malicious code is executed, often disguised as a legitimate application or utility, which may download further tools or scripts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRMM Tool Deployment\u003c/strong\u003e: The attacker deploys a legitimate, but often unauthorized or cracked, RMM or remote access client on the compromised system. This could be done through direct installation or by leveraging existing system capabilities.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control (C2) Initialization\u003c/strong\u003e: The newly deployed RMM client attempts to establish a connection to its control server, which involves performing DNS queries to its service domains (e.g., \u003ccode\u003eteamviewer.com\u003c/code\u003e, \u003ccode\u003eanydesk.com\u003c/code\u003e, \u003ccode\u003econnectwise.com\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistent Remote Access\u003c/strong\u003e: Successful connection to the RMM domain provides the attacker with persistent remote access to the compromised system, often bypassing traditional firewall rules due to the nature of RMM applications.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInternal Reconnaissance \u0026amp; Lateral Movement\u003c/strong\u003e: Using the RMM tool, the attacker conducts internal reconnaissance, maps the network, and moves laterally to other systems within the environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eObjective Achievement\u003c/strong\u003e: The attacker executes their final objectives, which may include data exfiltration, deployment of ransomware, or further propagation of malware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe abuse of RMM tools by threat actors can lead to severe organizational impact. Successful exploitation can result in unauthorized, persistent access to critical systems, enabling extensive data exfiltration of sensitive information, deployment of ransomware causing significant operational disruption and financial losses, or complete network compromise. Organizations across all sectors, particularly those relying on legitimate RMM for IT support, are susceptible. If the attack succeeds, it can undermine an organization's security posture, lead to regulatory non-compliance, and damage reputation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule (or its ESQL equivalent) to your SIEM/endpoint security platform and tune for your environment to detect suspicious DNS queries.\u003c/li\u003e\n\u003cli\u003eEnsure that DNS query logging is enabled for all Windows endpoints, ideally via Sysmon Event ID 22 or Elastic Defend, to provide the necessary telemetry for the detection rule.\u003c/li\u003e\n\u003cli\u003eInvestigate all alerts generated by the \u003ccode\u003eDetect DNS Query to Remote Monitoring/Management (RMM) Domain from Non-Browser Process\u003c/code\u003e rule, focusing on the \u003ccode\u003eprocess.executable\u003c/code\u003e and its parent process.\u003c/li\u003e\n\u003cli\u003eReview the code signatures (\u003ccode\u003eprocess.code_signature\u003c/code\u003e) of flagged processes to verify legitimacy and prevent abuse of trojanized RMM installers.\u003c/li\u003e\n\u003cli\u003eBlock the RMM domains listed in the IOC table at the DNS resolver and firewall levels for any systems not explicitly authorized to use such tools.\u003c/li\u003e\n\u003cli\u003eImplement and enforce a strict policy for approved RMM tools and publishers, ensuring only authorized staff use managed, legitimate software for remote support.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-06T14:01:27Z","date_published":"2026-07-06T14:01:27Z","id":"https://feed.craftedsignal.io/briefs/2026-07-rmm-dns-queries/","summary":"This brief details the detection of DNS queries targeting commonly abused Remote Monitoring and Management (RMM) or remote access software domains, originating from non-browser processes, which is a common tactic for command and control, persistence, and lateral movement by threat actors.","title":"Suspicious DNS Queries to Remote Monitoring and Management Domains from Non-Browser Processes","url":"https://feed.craftedsignal.io/briefs/2026-07-rmm-dns-queries/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AA","Acronis Cyber Protect Connect Agent","AeroAdmin","AgentMon","AnyDesk","APC Admin","APC Host","AteraAgent","Aweray Remote","AweSun","B4-Service","BASupSrvc","Bomgar SCC","CagService","CloudRaCmd","CloudRaSd","CloudRaService","ConnectWise Control","Domotz Agent","DWSNET Agent","DameWare Remote Control","FleetDeck Commander","GetScreen","GoToAssist Service","GoTo Resolve","HelpWire","ImmyAgent","ImmyBot Agent Ephemeral","ImmyUpdater","Impero Client SVC","Impero Server SVC","ISL Light","ISL Light Client","JumpCloud Agent","Komari","Komari Agent","Level","LogMeIn Rescue","LogMeIn Ignition","LogMeIn","LTSvc","LTSvcMon","LTTray","Lunixar","Lunixar Remote","Lunixar Updater","LvAgent","ManageEngine Remote Access Plus","MeshAgent","Mikogo-Service","Nezha-agent","NinjaRMM Agent","NinjaRMM Agent Patcher","NinjaRMM CLI","Parsec","PService","Quick Assist","Radmin","RC EngMgr U","RCClient","RCMgrSVC","RCService","Remote Support","RemoteDesktopManager","Remotely Agent","Remotely Desktop","RemotePC","RemotePCDesktop","RemotePCService","RemoteView","RFUS Client","RMM Agent","ROMServer","ROMViewer","RPCSuite","RustDesk","RUTserv","RUTview","RV Agent","RV Agtray","SAAzAPSC","ScreenConnect","ScreenConnect Client Service","Session Win","SimpleGatewayService","SimpleHelp Customer","SMPC View","SPCLink","Splashtop Streamer","Splashtop SOS","SPSRV","SRAgent","SRService","SRManager","SRServer","STRWinClt","Supremo","SupremoService","Syncro App Runner","Syncro Installer","Syncro Overmind Service","Syncro Service","SyncroLive Agent","SyncroLive Agent Runner","SyncroLive Service","TacticalRMM","Tailscale","TeamViewer","TeamViewer Desktop","TeamViewer Service","TiAgent","TiClientCore","ToDesk Service","ToolsIQ","TSClient","TVN","TVNServer","TVNViewer","Twingate","UltraVNC","UltraViewer","Velociraptor","VNC Server","VNC Viewer","WinVNC","ZA Access","ZA Connect","Zaservice","ZMAgent","Zoho Meeting","ZohoURS","ZohoURSService","Zohotray"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","persistence","execution","rmm","remote-access","windows"],"_cs_type":"advisory","_cs_vendors":["Action1 Corporation","Aeroadmin LLC","AmidaWare LLC","Ammyy LLC","AnyDesk Software GmbH","AOMEI International Network Limited","Atera Networks Ltd","AWERAY PTE. LTD.","BeamYourScreen GmbH","Bomgar Corporation","BreakingSecurity.net","ConnectWise, Inc.","Devolutions Inc","DOMOTZ INC.","DUC FABULOUS CO.,LTD","DWSNET OÜ","Electronic Team, Inc.","Famatech Corp.","FleetDeck Inc","GlavSoft LLC","GoTo Technologies USA, LLC","Hefei Pingbo Network Technology Co. Ltd","IDrive, Inc.","Impero Solutions Limited","Instant Housecall","ISL Online Ltd.","JumpCloud Inc","Level Software, Inc.","LogMeIn, Inc.","LUNIXAR SAS DE CV","MMSOFT Design Ltd.","MSPBytes Corp","N-ABLE TECHNOLOGIES LTD","Nanosystems S.r.l.","NetSupport Ltd","NinjaOne LLC","NinjaRMM, LLC","Parallels International GmbH","philandro Software GmbH","Pro Softnet Corporation","PURSLANE","RealVNC Limited","REMOTE UTILITIES PTE. LTD.","Rocket Software, Inc.","Rsupport Co., Ltd.","SAFIB","Servably, Inc.","ShowMyPC INC","SimpleHelp Ltd","Splashtop Inc.","Superops Inc.","Tailscale Inc.","TeamViewer Germany GmbH","Techinline Limited","uvnc bvba","ZOHO Corporation Private Limited"],"content_html":"\u003cp\u003eAdversaries frequently exploit the trusted nature and broad capabilities of legitimate Remote Monitoring and Management (RMM) and remote access software to maintain covert access and control over compromised Windows systems. This threat brief focuses on the detection of these tools when they are observed for the first time on a given endpoint, indicating potential unauthorized deployment. While these tools are essential for IT administration, their abuse facilitates command-and-control (C2), enables persistence, and allows for the execution of arbitrary commands. Notable campaigns, such as those leading to domain-wide ransomware (as highlighted by The DFIR Report), often involve the misuse of RMM solutions like SimpleHelp, AnyDesk, and ConnectWise Control. This detection method identifies suspicious installations by monitoring process names and code signatures for commonly abused RMM tools, specifically triggering when a \u003ccode\u003ehost.id\u003c/code\u003e and \u003ccode\u003eprocess.name\u003c/code\u003e pair has not been seen within a defined 7-day historical window.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access\u003c/strong\u003e: Adversaries gain initial access to an organization's network, often through methods such as phishing, exploiting vulnerable public-facing applications, or supply chain compromises.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution\u003c/strong\u003e: After establishing a foothold, the adversary deploys a legitimate RMM agent or client onto the compromised Windows host. This deployment may occur via various methods, including malicious ISO files (as referenced in a DFIR report) or existing remote access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence\u003c/strong\u003e: The installed RMM tool is configured by the adversary to ensure continued access to the compromised system, often by establishing itself as a service or through other autorun mechanisms.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control\u003c/strong\u003e: The RMM agent initiates an outbound connection to an adversary-controlled server, establishing a stable and often encrypted C2 channel that blends with legitimate network traffic.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution via RMM\u003c/strong\u003e: The adversary leverages the RMM tool's remote execution capabilities to deploy additional malware, execute commands, exfiltrate data, or initiate further lateral movement within the network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact\u003c/strong\u003e: The adversary achieves their final objective, which can range from data exfiltration and espionage to the deployment of ransomware, encrypting critical organizational data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe abuse of RMM tools by adversaries can lead to severe organizational impact. When compromised, RMM tools provide a high level of control over the affected endpoints, enabling attackers to bypass traditional security controls due to the legitimate nature of the software. This can result in widespread data exfiltration, system damage through unauthorized software installations or configurations, and ultimately, significant financial losses due to ransomware deployment and business disruption. CISA has issued advisories highlighting the use of RMM tools in ransomware campaigns, underscoring the critical risk these compromises pose to organizations across all sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u0026quot;First Time Seen Remote Monitoring and Management Tool (Windows)\u0026quot; to your SIEM and tune it for your environment.\u003c/li\u003e\n\u003cli\u003eEnsure Sysmon process creation and code signing event logging is enabled across all Windows endpoints to provide the necessary telemetry for the detection rule.\u003c/li\u003e\n\u003cli\u003eInvestigate all alerts generated by this rule immediately, focusing on the \u003ccode\u003eprocess.executable\u003c/code\u003e, \u003ccode\u003eprocess.command_line\u003c/code\u003e, and \u003ccode\u003eprocess.code_signature.subject_name\u003c/code\u003e fields.\u003c/li\u003e\n\u003cli\u003eReview network logs for suspicious outbound connections from newly observed RMM processes.\u003c/li\u003e\n\u003cli\u003eEstablish clear organizational policies for RMM tool deployment and usage, including strict change management processes and whitelisting of authorized RMM executables and signers.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T15:36:36Z","date_published":"2026-07-03T15:36:36Z","id":"https://feed.craftedsignal.io/briefs/2026-07-first-seen-rmm/","summary":"Adversaries are leveraging legitimate Remote Monitoring and Management (RMM) and remote access tools on Windows endpoints for command-and-control, persistence, and execution, with detection focusing on the first observed instance of these tools on a host.","title":"First Time Seen Remote Monitoring and Management Tool Detection","url":"https://feed.craftedsignal.io/briefs/2026-07-first-seen-rmm/"}],"language":"en","title":"CraftedSignal Threat Feed - Aweray Remote","version":"https://jsonfeed.org/version/1.1"}