Rmm — CraftedSignal Threat Feed

ConnectWise Automate Solution Center Cleartext Communication Vulnerability (CVE-2026-6066)

hello@craftedsignal.io — Tue, 21 Apr 2026 12:00:00 +0000

ConnectWise Automate is a remote monitoring and management (RMM) platform used by managed service providers (MSPs). CVE-2026-6066 describes a vulnerability in the ConnectWise Automate Solution Center where specific client-to-server communications may occur without transport-layer encryption. An attacker positioned on the network could intercept sensitive data transmitted in cleartext. This vulnerability was disclosed on April 20, 2026, and affects ConnectWise Automate versions prior to 2026.4. Successful exploitation allows an attacker to potentially gain access to credentials, configuration details, and other sensitive information related to the managed clients. The vulnerability has been resolved in Automate 2026.4 by enforcing secure communication for affected Solution Center connections.

Attack Chain

Attacker gains network access to a ConnectWise Automate deployment.
Attacker passively monitors network traffic for communications between Automate clients and the Solution Center.
Attacker identifies vulnerable client-to-server communications occurring without transport-layer encryption.
Attacker intercepts the cleartext network traffic using a packet capture tool such as Wireshark or tcpdump.
Attacker analyzes the intercepted traffic to identify sensitive information such as credentials or configuration data.
Attacker uses the acquired credentials to gain unauthorized access to managed systems or customer environments.
Attacker leverages compromised systems for lateral movement within the network.

Impact

Successful exploitation of CVE-2026-6066 can lead to the compromise of ConnectWise Automate deployments, potentially affecting hundreds or thousands of MSP clients. An attacker could intercept credentials, configuration data, and other sensitive information, leading to unauthorized access to managed systems. This could result in data breaches, ransomware attacks, and other malicious activities targeting MSP clients. The severity is amplified by the widespread use of ConnectWise Automate among MSPs and the potential for cascading effects across their customer base.

Recommendation

Upgrade ConnectWise Automate to version 2026.4 or later to remediate CVE-2026-6066 as per the ConnectWise security bulletin (https://www.connectwise.com/company/trust/security-bulletins/2026-04-20-connectwise-automate-bulletin).
Implement network segmentation and monitoring to detect and prevent unauthorized network access and traffic interception.
Deploy the Sigma rule for unencrypted ConnectWise Automate communication to identify potentially vulnerable connections.
Review and enforce strong password policies and multi-factor authentication for all ConnectWise Automate accounts.

Barracuda RMM Privilege Escalation via Filesystem ACLs

hello@craftedsignal.io — Wed, 15 Apr 2026 21:17:04 +0000

Barracuda RMM versions prior to 2025.2.2 contain a critical privilege escalation vulnerability (CVE-2026-22676). A local attacker can exploit overly permissive filesystem ACLs on the C:\Windows\Automation directory to achieve SYSTEM-level privileges. By modifying existing automation content or placing malicious, attacker-controlled files within this directory, the attacker can leverage the built-in automation functionality of Barracuda RMM. These files are then executed with NT AUTHORITY\SYSTEM privileges during routine automation cycles, leading to full system compromise. This vulnerability allows an attacker with limited local access to escalate their privileges to the highest level on the system, potentially leading to lateral movement, data exfiltration, or system disruption.

Attack Chain

The attacker gains initial local access to the target system.
The attacker identifies the C:\Windows\Automation directory and confirms overly permissive ACLs.
The attacker crafts a malicious executable or script designed to execute commands with elevated privileges.
The attacker modifies an existing automation script within the C:\Windows\Automation directory to execute their malicious code. Alternatively, the attacker places their malicious file directly into the C:\Windows\Automation directory.
Barracuda RMM’s automation service executes the modified or newly added file during its regular automation cycle, running the attacker’s code under the NT AUTHORITY\SYSTEM account.
The attacker’s code executes, granting them SYSTEM-level privileges.
The attacker leverages SYSTEM privileges to install backdoors, create new administrative accounts, or perform other malicious actions.

Impact

Successful exploitation of this vulnerability grants a local attacker complete control over the affected system. This can lead to sensitive data theft, installation of ransomware, or use of the compromised system as a staging point for further attacks within the network. The lack of authentication and the ability to directly execute commands as SYSTEM makes this a highly critical vulnerability. Given the nature of RMM software, successful exploitation on one endpoint could be leveraged to compromise numerous systems managed by the RMM.

Recommendation

Upgrade Barracuda RMM to version 2025.2.2 or later to patch CVE-2026-22676.
Monitor file modifications within the C:\Windows\Automation directory using the provided Sigma rule to detect suspicious activity.
Implement strict access control policies on the C:\Windows\Automation directory, limiting write access to only authorized accounts.
Review existing automation scripts for any unauthorized modifications.

DNS Queries to RMM Domains from Non-Browser Processes

hello@craftedsignal.io — Tue, 24 Mar 2026 12:00:00 +0000

This brief focuses on the abuse of legitimate Remote Monitoring and Management (RMM) software by threat actors. RMM tools are often used for legitimate IT administration but can be leveraged for malicious purposes such as command and control, persistence, and lateral movement within a compromised network. This activity is identified by detecting DNS queries to a list of known RMM service domains originating from processes that are not typical web browsers. This behavior indicates that an RMM client, script, or other non-browser application is attempting to communicate with an RMM service. The detection rule was published on 2026-03-23 by Elastic and aims to surface unauthorized or malicious use of RMM tools within an organization. It is crucial to differentiate between legitimate and malicious RMM usage by analyzing the context of these DNS queries.

Attack Chain

An attacker gains initial access to a Windows system through an unknown method.
The attacker installs or deploys a legitimate RMM tool or a modified version.
The RMM agent is configured to communicate with the attacker’s command and control infrastructure.
A non-browser process (e.g., a script or a standalone executable) initiates a DNS query to resolve an RMM domain (e.g., teamviewer.com, anydesk.com).
The DNS query is resolved, establishing a network connection between the compromised system and the RMM service or attacker-controlled server.
The attacker leverages the RMM tool to execute commands, transfer files, and maintain persistent access to the compromised system.
The attacker performs lateral movement to other systems within the network, utilizing the RMM tool for remote administration.
The attacker achieves their objective, such as data exfiltration or ransomware deployment, using the established RMM connection.

Impact

Compromise via RMM tools can lead to significant damage, including unauthorized access to sensitive data, disruption of business operations, and potential ransomware attacks. Successful exploitation allows attackers to maintain persistent access and control over affected systems, facilitating lateral movement and further malicious activities. The widespread use of RMM tools in various sectors makes this a broad threat. The impact can range from a single compromised workstation to the complete takeover of an organization’s IT infrastructure.

Recommendation

Deploy the provided Sigma rule to your SIEM to detect DNS queries to RMM domains from non-browser processes and tune for your environment.
Review the IOC list of RMM domains and block any unauthorized RMM services at your DNS resolver.
Investigate any alerts generated by the Sigma rule by examining the process tree and verifying the legitimacy of the process initiating the DNS query.
Implement application control policies to restrict the execution of unauthorized RMM tools on your endpoints.
Enable Sysmon DNS event logging to activate the rules above.

First Time Seen Remote Monitoring and Management Tool Execution

hello@craftedsignal.io — Wed, 24 Jan 2024 12:00:00 +0000

Attackers commonly abuse legitimate remote monitoring and management (RMM) tools and remote access software for command and control (C2), persistence, and execution of native commands on compromised endpoints. These tools provide attackers with the ability to maintain access, execute commands, and move laterally within a network. This detection identifies when a process associated with commonly abused RMM/remote access tools is observed for the first time on a host. The rule is designed to trigger when a new process name or code signature associated with RMM software, or a child process of such software, is seen within a configured history window. This helps defenders quickly identify potentially malicious use of legitimate tools.

Attack Chain

Initial Access: The attacker gains initial access to a target system through various methods, such as exploiting vulnerabilities or using compromised credentials.
Tool Deployment: The attacker deploys a remote monitoring and management (RMM) tool or remote access software on the compromised endpoint. This may involve downloading and installing the tool, or exploiting existing installations.
Persistence: The RMM tool is configured to run persistently on the system, ensuring that the attacker maintains access even after a reboot or other disruption. This may involve creating a service or adding a registry key to ensure the tool starts automatically.
Command and Control: The attacker uses the RMM tool to establish a command and control (C2) channel with the compromised system. This allows them to remotely execute commands, transfer files, and monitor activity on the system.
Lateral Movement: Using the RMM tool, the attacker moves laterally within the network, compromising additional systems and escalating their access. This may involve using the tool to access shared resources or execute commands on other systems.
Data Exfiltration or Ransomware Deployment: The attacker uses their access to exfiltrate sensitive data from the compromised network or deploy ransomware to encrypt files and demand a ransom payment.
Cleanup: The attacker may attempt to remove traces of their activity, such as logs or files associated with the RMM tool, to avoid detection.

Impact

Compromise via RMM tools can lead to significant data breaches, financial losses, and reputational damage. The use of legitimate tools makes detection more difficult. Successful attacks can result in ransomware deployment, data theft, and prolonged unauthorized access to sensitive systems. Organizations in all sectors are potentially at risk.

Recommendation

Deploy the process creation rule to detect the execution of RMM tools on endpoints based on process.name and process.code_signature.subject_name criteria in the query.
Enable Sysmon process creation logging (Event ID 1) to ensure the collection of necessary event data for the detection rule.
Investigate any alerts generated by the detection rule to determine whether the execution of the RMM tool is authorized and legitimate. Refer to the references for a list of commonly abused RMM tools and associated indicators.

RMM Domain DNS Queries from Non-Browser Processes

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

This detection identifies potentially malicious use of Remote Monitoring and Management (RMM) tools by detecting DNS queries to known RMM domains originating from processes that are not web browsers. Attackers frequently abuse legitimate RMM software for command and control, persistence, and lateral movement within compromised networks. This rule focuses on surfacing RMM clients, scripts, or other non-browser activity contacting these services, thereby increasing the likelihood of detecting unauthorized remote access or malicious activity. The rule aims to reduce false positives by excluding common browser processes and focusing on unusual network activity. The identified domains are associated with various RMM tools like TeamViewer, AnyDesk, and ScreenConnect. This detection is relevant for organizations concerned about insider threats, supply chain attacks, or general compromise leading to unauthorized remote access.

Attack Chain

An attacker gains initial access to a system, possibly through phishing or exploiting a vulnerability.
The attacker installs an unauthorized RMM tool (e.g., using a script or installer).
The RMM tool initiates a DNS query to resolve its command and control domain (e.g., teamviewer.com).
The system, now running the RMM agent, establishes a connection to the attacker-controlled RMM server.
The attacker uses the RMM tool to execute commands on the compromised system.
The attacker uses the RMM tool for lateral movement within the network.
The attacker uses the RMM tool to maintain persistence on the compromised system.

Impact

Compromise via unauthorized RMM tools can provide attackers with persistent remote access, enabling them to perform a range of malicious activities, including data theft, ransomware deployment, and further lateral movement within the network. Successful exploitation can lead to significant financial loss, reputational damage, and disruption of business operations. The number of affected systems can vary depending on the scope of the initial compromise and the attacker’s ability to move laterally.

Recommendation

Deploy the Sigma rule RMM Domain DNS Queries from Non-Browser Processes to your SIEM and tune it to your environment, excluding legitimate non-browser processes that use RMM tools.
Investigate any alerts generated by the rule, focusing on identifying the process making the DNS query and its parent process, as outlined in the rule’s description.
Monitor DNS query logs for queries to the RMM domains listed in the IOC table, and block them at the DNS resolver if unauthorized RMM use is confirmed.
Enable Sysmon Event ID 22 (DNS Query) logging to provide the necessary data for this detection, as recommended in the “Setup” section of the content.

Remote Management Access Launch After MSI Install

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

This detection identifies a suspicious sequence of events where an MSI installer is executed, followed by the launch of remote management software (RMM) such as ScreenConnect, Syncro, or VNC. Attackers may leverage this technique to gain unauthorized access to systems by first installing malicious software via an MSI package, and then using the RMM software to establish a remote connection. The rule specifically looks for msiexec.exe being run with an install argument (/i) followed by the execution of known RMM tools within a short timeframe. This behavior is often indicative of malicious actors attempting to establish persistent remote access to compromised machines. The detection is designed for Windows environments and covers a range of data sources including Elastic Defend, Sysmon, SentinelOne, Microsoft Defender XDR, and Crowdstrike.

Attack Chain

An attacker gains initial access to a system through various means (e.g., social engineering, compromised website, or existing malware).
The attacker deploys a malicious MSI installer to the victim machine. This can be done through phishing attachments or drive-by downloads.
The user executes the MSI installer (msiexec.exe) with an installation argument (/i or -i). The parent process is typically explorer.exe or sihost.exe, indicating user-initiated installation.
The MSI installer executes, potentially installing malware or modifying system settings.
Within one minute of the MSI installation, a remote management software (RMM) client is launched, such as ScreenConnect.ClientService.exe, Syncro.Installer.exe, tvnserver.exe, or winvnc.exe.
The RMM client attempts to establish an outbound connection to a remote server controlled by the attacker, often using pre-configured access keys.
The attacker gains remote access to the compromised system via the RMM client. In the case of ScreenConnect, the attacker may use a guest link with a known session key.
The attacker performs malicious activities, such as data exfiltration, lateral movement, or installing additional malware.

Impact

Successful exploitation allows attackers to gain persistent remote access to compromised systems. This can lead to data theft, financial fraud, or disruption of services. Depending on the scope of the initial access, the attacker may be able to move laterally within the network, compromising additional systems. The use of RMM software can mask malicious activity as legitimate remote support, making detection more difficult.

Recommendation

Enable process creation logging via Sysmon or Windows Security Event Logs to capture the execution of msiexec.exe and RMM tools.
Deploy the “Remote Management Access Launch After MSI Install” Sigma rule to your SIEM and tune the timeframe (maxspan) to suit your environment.
Investigate any alerts generated by this rule, focusing on the source of the MSI file and the destination of the RMM connection.
Block the execution of unauthorized RMM software on your network based on process name, as identified in the rule (ScreenConnect.ClientService.exe, Syncro.Installer.exe, tvnserver.exe, winvnc.exe).
Monitor network connections for RMM software connecting to unusual or external IPs.

Multiple Remote Management Tool Vendors on Same Host

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

This detection rule identifies Windows systems running multiple Remote Monitoring and Management (RMM) tools from different vendors within an eight-minute timeframe. While legitimate MSP environments might utilize several tools, the presence of multiple RMM solutions on a single host can signify a compromise, unauthorized software installation (shadow IT), or attackers establishing redundant access points. The rule maps process names to vendor labels to avoid inflated counts from multiple binaries of the same vendor. This activity has been observed as a component of broader attack campaigns, including those leveraging compromised MSP infrastructure, and is described in CISA AA23-025A. The timeframe analyzed is “now-9m”, and the rule triggers if two or more different vendors are detected.

Attack Chain

Initial Access: The attacker gains initial access to the system, possibly through phishing, exploiting vulnerabilities, or stolen credentials.
Tool Deployment: The attacker deploys an initial RMM tool (e.g., AnyDesk, TeamViewer) for remote access and control.
Persistence: The attacker establishes persistence by configuring the RMM tool to start automatically on system boot.
Lateral Movement: The attacker uses the initial access to discover other systems on the network.
Additional RMM Deployment: The attacker deploys a second RMM tool (e.g., ScreenConnect, Splashtop) from a different vendor to create a redundant access method.
Privilege Escalation: The attacker escalates privileges using the compromised RMM tools, if necessary.
Remote Control: The attacker uses the RMM tools to remotely control the system, execute commands, and access sensitive data.
Data Exfiltration or Further Exploitation: The attacker exfiltrates sensitive data or uses the compromised system to launch further attacks on the network.

Impact

A successful attack leveraging multiple RMM tools can result in unauthorized access to sensitive data, system compromise, and lateral movement within the network. The presence of multiple RMM tools increases the attacker’s resilience, making it harder to detect and remediate the intrusion. Affected systems can be used as a staging ground for further attacks, leading to significant financial and reputational damage. This can impact any Windows-based system, and the CISA advisory AA23-025A specifically highlights the risk of MSP infrastructure compromise.

Recommendation

Deploy the Sigma rule Multiple RMM Vendors on Same Host to your SIEM and tune for your environment.
Investigate hosts triggering the rule to confirm legitimate use of multiple RMM tools. Check Esql.vendors_seen and Esql.processes_name_values for insight into the involved tools.
Review asset inventory and change tickets to verify authorized RMM software installations.
Isolate any unauthorized or unexplained hosts and remove unapproved RMM tools.
Enforce a single approved RMM stack per asset class where possible.
Enable Sysmon process creation logging (Event ID 1) on Windows endpoints to enhance detection capabilities as described in the rule’s setup instructions.

Multiple Remote Management Tool Vendors on Same Host

hello@craftedsignal.io — Tue, 02 Jan 2024 12:00:00 +0000

This detection rule identifies Windows hosts running multiple remote monitoring and management (RMM) tools from different vendors within an eight-minute timeframe. While legitimate MSP environments may utilize multiple tools, this activity can also indicate malicious behavior, such as an attacker establishing redundant access to a compromised system. The rule maps various RMM processes to vendor labels, ensuring that multiple binaries from the same vendor do not inflate the count. The processes monitored include popular RMM tools like TeamViewer, AnyDesk, ScreenConnect, and many others. This rule is designed to detect suspicious activity within the environment and alert security teams to potential compromises. The timeframe is set to eight minutes to reduce false positives.

Attack Chain

Initial Access: An attacker gains initial access to a Windows host, possibly through phishing or exploitation of a vulnerability.
Tool Deployment: The attacker deploys an initial RMM tool for remote access and control.
Secondary Tool Deployment: The attacker deploys a second RMM tool from a different vendor to ensure redundant access in case the first tool is detected or removed.
Privilege Escalation: The attacker escalates privileges to gain SYSTEM or Administrator rights, if necessary, to maintain persistent access and control.
Lateral Movement: The attacker uses the RMM tools to move laterally within the network to access additional systems and data.
Data Exfiltration/Malicious Activity: The attacker uses the established RMM connections to exfiltrate sensitive data or perform other malicious activities such as deploying ransomware.

Impact

A successful attack can lead to unauthorized access to sensitive systems and data, potentially resulting in data breaches, financial loss, and reputational damage. This detection rule helps identify hosts that might be compromised by malicious actors utilizing multiple RMM tools for command and control. Identifying potentially compromised systems is key to preventing widespread damage.

Recommendation

Deploy the Sigma rules in this brief to your SIEM to detect multiple RMM tools running on the same host within an eight-minute window.
Investigate systems triggering this alert by reviewing process execution logs and network connections to identify the source of the RMM tool installation.
Enforce a policy of a single approved RMM stack per asset class to minimize the risk of unauthorized RMM tool usage.
Tune the provided Sigma rules with host or organizational unit exceptions for legitimate MSP/IT tooling environments.
Review asset inventory and change tickets for approved RMM software to identify unauthorized installations.