<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>TSClient - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/tsclient/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 15:36:36 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/tsclient/feed.xml" rel="self" type="application/rss+xml"/><item><title>First Time Seen Remote Monitoring and Management Tool Detection</title><link>https://feed.craftedsignal.io/briefs/2026-07-first-seen-rmm/</link><pubDate>Fri, 03 Jul 2026 15:36:36 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-first-seen-rmm/</guid><description>Adversaries are leveraging legitimate Remote Monitoring and Management (RMM) and remote access tools on Windows endpoints for command-and-control, persistence, and execution, with detection focusing on the first observed instance of these tools on a host.</description><content:encoded><![CDATA[<p>Adversaries frequently exploit the trusted nature and broad capabilities of legitimate Remote Monitoring and Management (RMM) and remote access software to maintain covert access and control over compromised Windows systems. This threat brief focuses on the detection of these tools when they are observed for the first time on a given endpoint, indicating potential unauthorized deployment. While these tools are essential for IT administration, their abuse facilitates command-and-control (C2), enables persistence, and allows for the execution of arbitrary commands. Notable campaigns, such as those leading to domain-wide ransomware (as highlighted by The DFIR Report), often involve the misuse of RMM solutions like SimpleHelp, AnyDesk, and ConnectWise Control. This detection method identifies suspicious installations by monitoring process names and code signatures for commonly abused RMM tools, specifically triggering when a <code>host.id</code> and <code>process.name</code> pair has not been seen within a defined 7-day historical window.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access</strong>: Adversaries gain initial access to an organization's network, often through methods such as phishing, exploiting vulnerable public-facing applications, or supply chain compromises.</li>
<li><strong>Execution</strong>: After establishing a foothold, the adversary deploys a legitimate RMM agent or client onto the compromised Windows host. This deployment may occur via various methods, including malicious ISO files (as referenced in a DFIR report) or existing remote access.</li>
<li><strong>Persistence</strong>: The installed RMM tool is configured by the adversary to ensure continued access to the compromised system, often by establishing itself as a service or through other autorun mechanisms.</li>
<li><strong>Command and Control</strong>: The RMM agent initiates an outbound connection to an adversary-controlled server, establishing a stable and often encrypted C2 channel that blends with legitimate network traffic.</li>
<li><strong>Execution via RMM</strong>: The adversary leverages the RMM tool's remote execution capabilities to deploy additional malware, execute commands, exfiltrate data, or initiate further lateral movement within the network.</li>
<li><strong>Impact</strong>: The adversary achieves their final objective, which can range from data exfiltration and espionage to the deployment of ransomware, encrypting critical organizational data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The abuse of RMM tools by adversaries can lead to severe organizational impact. When compromised, RMM tools provide a high level of control over the affected endpoints, enabling attackers to bypass traditional security controls due to the legitimate nature of the software. This can result in widespread data exfiltration, system damage through unauthorized software installations or configurations, and ultimately, significant financial losses due to ransomware deployment and business disruption. CISA has issued advisories highlighting the use of RMM tools in ransomware campaigns, underscoring the critical risk these compromises pose to organizations across all sectors.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule &quot;First Time Seen Remote Monitoring and Management Tool (Windows)&quot; to your SIEM and tune it for your environment.</li>
<li>Ensure Sysmon process creation and code signing event logging is enabled across all Windows endpoints to provide the necessary telemetry for the detection rule.</li>
<li>Investigate all alerts generated by this rule immediately, focusing on the <code>process.executable</code>, <code>process.command_line</code>, and <code>process.code_signature.subject_name</code> fields.</li>
<li>Review network logs for suspicious outbound connections from newly observed RMM processes.</li>
<li>Establish clear organizational policies for RMM tool deployment and usage, including strict change management processes and whitelisting of authorized RMM executables and signers.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>command-and-control</category><category>persistence</category><category>execution</category><category>rmm</category><category>remote-access</category><category>windows</category></item></channel></rss>