Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-RMM-UnauthorizedToolDeployment.

Upgrade to Pro
THREAT-RMM-UnauthorizedToolDeployment

Ransomware Affiliates Weaponizing Legitimate RMM Software (ScreenConnect, AnyDesk, Atera) as Post-Compromise Access Tooling

Resource Development Last updated:

Rather than developing custom malware, ransomware affiliates and initial access brokers increasingly obtain commercially available, code-signed Remote Monitoring and Management (RMM) software — ScreenConnect, AnyDesk, Atera, Splashtop, NetSupport Manager — for use as post-compromise remote-access tooling. Because these tools are legitimate, digitally signed, and widely deployed by managed service providers, they are frequently absent from allowlists built around known-malicious binaries (Mimikatz, Cobalt Strike, PsExec) and evade signature-based AV/EDR detection entirely. The documented Storm-1811/Black Basta chain (CISA AA23-325A) begins with email-bombing a victim with spam, then a threat actor impersonating IT/helpdesk staff calls the victim and talks them into opening Microsoft Quick Assist (quickassist.exe) or Windows Remote Assistance (msra.exe) to grant screen control; the actor then installs ScreenConnect or AnyDesk through that session to establish durable, unauthorized remote access before deploying ransomware. Detection therefore pivots from the acquisition itself (which occurs outside the victim environment via a legitimate vendor download/trial signup) to observing the installation and execution of RMM binaries that are not present on the organization's sanctioned-tooling allowlist, with highest confidence when that installation is directly preceded by a Quick Assist or Remote Assistance session on the same endpoint.

What is THREAT-RMM-UnauthorizedToolDeployment Ransomware Affiliates Weaponizing Legitimate RMM Software (ScreenConnect, AnyDesk, Atera) as Post-Compromise Access Tooling?

Ransomware Affiliates Weaponizing Legitimate RMM Software (ScreenConnect, AnyDesk, Atera) as Post-Compromise Access Tooling (THREAT-RMM-UnauthorizedToolDeployment) maps to the Resource Development tactic — the adversary is trying to establish resources they can use to support operations in MITRE ATT&CK.

This page provides production-ready detection logic for Ransomware Affiliates Weaponizing Legitimate RMM Software (ScreenConnect, AnyDesk, Atera) as Post-Compromise Access Tooling, covering the data sources and telemetry it touches: Process: Process Creation, Microsoft Defender for Endpoint, Threat Intelligence Watchlists. The queries below are rated high severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Resource Development
Microsoft Sentinel / Defender
kusto
// Detect execution of RMM client binaries not present on the org's sanctioned-RMM watchlist,
// with elevated risk when directly preceded by a Quick Assist / Remote Assistance session on
// the same device — the documented Storm-1811 / Black Basta help-desk vishing chain.
let LookbackWindow = 24h;
let CorrelationWindow = 4h;
let RMMBinaries = dynamic([
  "screenconnect.clientservice.exe", "screenconnect.windowsclient.exe", "screenconnect.clientlauncher.exe",
  "anydesk.exe", "ateraagent.exe", "srservice.exe", "srmanager.exe", "ststreamer.exe",
  "client32.exe", "pcicfgx.exe", "teamviewer.exe", "teamviewer_service.exe",
  "lmiguardiansvc.exe", "getscreen.exe", "rustdesk.exe", "gotoresolve.exe"
]);
let RemoteAssistPrecursors = dynamic(["quickassist.exe", "msra.exe"]);
let SanctionedRMM = (_GetWatchlist('ApprovedRMMTools') | project SearchKey);
let UnsanctionedRMMEvents = DeviceProcessEvents
| where Timestamp > ago(LookbackWindow)
| where FileName has_any (RMMBinaries)
| where FileName !in~ (SanctionedRMM)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, FolderPath, SHA256;
let QuickAssistSessions = DeviceProcessEvents
| where Timestamp > ago(LookbackWindow)
| where FileName has_any (RemoteAssistPrecursors)
| project QaTimestamp = Timestamp, DeviceName, QaProcess = FileName;
UnsanctionedRMMEvents
| join kind=leftouter QuickAssistSessions on DeviceName
| where isempty(QaProcess) or (Timestamp > QaTimestamp and Timestamp - QaTimestamp <= CorrelationWindow)
| extend HelpDeskVishingChain = isnotempty(QaProcess)
| extend RiskScore = iff(HelpDeskVishingChain, "Critical", "High")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, FolderPath, SHA256, QaProcess, QaTimestamp, HelpDeskVishingChain, RiskScore
| sort by RiskScore asc, Timestamp desc

Detects execution of known RMM client binaries (ScreenConnect, AnyDesk, Atera, Splashtop, NetSupport, TeamViewer, RustDesk, GoTo Resolve) that are not present on a maintained watchlist of organization-approved RMM tooling. Because these binaries are legitimately signed, this query intentionally does not rely on hash or signature reputation — an allowlist of sanctioned tools (populate 'ApprovedRMMTools' with the RMM software your MSP/IT team actually uses) is the only reliable way to separate approved remote support from adversary-introduced tooling. The query joins each unsanctioned RMM launch against any Quick Assist / Remote Assistance session on the same device in the preceding 4 hours; a match reconstructs the documented Storm-1811/Black Basta help-desk vishing chain and is scored Critical.

high severity high confidence

Data Sources

Process: Process Creation Microsoft Defender for Endpoint Threat Intelligence Watchlists

Required Tables

DeviceProcessEvents

False Positives

  • MSP-managed environments where the approved-tooling watchlist has not been kept current as the MSP changes or adds RMM vendors
  • IT help desks legitimately using Quick Assist for routine support followed unrelated by a user independently installing a personal remote-access tool for their own use
  • Employees using AnyDesk/TeamViewer for personal file transfer or remote access to a home machine, unrelated to any support session
  • Software packaging/deployment tools (e.g., Ninite, Chocolatey) that bundle a remote-support client as part of a broader software suite install

Sigma rule & cross-platform mapping

The detection logic for Ransomware Affiliates Weaponizing Legitimate RMM Software (ScreenConnect, AnyDesk, Atera) as Post-Compromise Access Tooling (THREAT-RMM-UnauthorizedToolDeployment) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:


Testing Methodology

Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Quick Assist Followed by Unsanctioned RMM Binary Launch

    Expected signal: Sysmon Event ID 1 / Security Event ID 4688: process creation for quickassist.exe (renamed notepad.exe copy) followed approximately 5 seconds later by process creation for anydesk.exe (renamed notepad.exe copy), both under the test account on the same host.

  2. Test 2Unsanctioned RMM Binary Execution Without Prior Remote-Assist Session

    Expected signal: Sysmon Event ID 1 / Security Event ID 4688: process creation for ateraagent.exe (renamed notepad.exe copy), with no preceding quickassist.exe or msra.exe event on the same host.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-RMM-UnauthorizedToolDeployment — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections