Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-RMM-UnauthorizedToolDeployment.
Upgrade to ProDetect Ransomware Affiliates Weaponizing Legitimate RMM Software (ScreenConnect, AnyDesk, Atera) as Post-Compromise Access Tooling in Splunk
Rather than developing custom malware, ransomware affiliates and initial access brokers increasingly obtain commercially available, code-signed Remote Monitoring and Management (RMM) software — ScreenConnect, AnyDesk, Atera, Splashtop, NetSupport Manager — for use as post-compromise remote-access tooling. Because these tools are legitimate, digitally signed, and widely deployed by managed service providers, they are frequently absent from allowlists built around known-malicious binaries (Mimikatz, Cobalt Strike, PsExec) and evade signature-based AV/EDR detection entirely. The documented Storm-1811/Black Basta chain (CISA AA23-325A) begins with email-bombing a victim with spam, then a threat actor impersonating IT/helpdesk staff calls the victim and talks them into opening Microsoft Quick Assist (quickassist.exe) or Windows Remote Assistance (msra.exe) to grant screen control; the actor then installs ScreenConnect or AnyDesk through that session to establish durable, unauthorized remote access before deploying ransomware. Detection therefore pivots from the acquisition itself (which occurs outside the victim environment via a legitimate vendor download/trial signup) to observing the installation and execution of RMM binaries that are not present on the organization's sanctioned-tooling allowlist, with highest confidence when that installation is directly preceded by a Quick Assist or Remote Assistance session on the same endpoint.
MITRE ATT&CK
- Tactic
- Resource Development
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(Image="*\\screenconnect.clientservice.exe" OR Image="*\\screenconnect.windowsclient.exe" OR
Image="*\\anydesk.exe" OR Image="*\\ateraagent.exe" OR Image="*\\srservice.exe" OR
Image="*\\client32.exe" OR Image="*\\teamviewer.exe" OR Image="*\\lmiguardiansvc.exe" OR
Image="*\\rustdesk.exe" OR Image="*\\gotoresolve.exe")
| lookup approved_rmm_tools.csv image_name AS Image OUTPUT is_sanctioned
| where isnull(is_sanctioned)
| join type=left host [
search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(Image="*\\quickassist.exe" OR Image="*\\msra.exe")
| rename _time as qa_time, Image as qa_image
| table host, qa_time, qa_image
]
| eval HelpDeskVishingChain=if(isnotnull(qa_time) AND (_time - qa_time) <= 14400 AND (_time - qa_time) >= 0, 1, 0)
| eval RiskScore=if(HelpDeskVishingChain=1, "Critical", "High")
| table _time, host, User, Image, CommandLine, qa_image, qa_time, HelpDeskVishingChain, RiskScore
| sort - RiskScore, - _time SPL detection mirroring the KQL logic: flags execution of RMM client binaries not present in a maintained approved_rmm_tools.csv lookup, then joins against any Quick Assist / Remote Assistance (msra.exe) launch on the same host within the preceding 4 hours to identify the Storm-1811/Black Basta help-desk vishing chain.
Data Sources
Required Sourcetypes
False Positives & Tuning
- MSP environments where the approved_rmm_tools.csv lookup is stale relative to the vendor's actual tool mix
- Legitimate, unrelated help desk sessions followed independently by a user installing a personal remote-access client
- Personal use of AnyDesk/TeamViewer for remote access to a home machine
- Bundled software installers that silently deploy a remote-support client as part of a larger suite
Other platforms for THREAT-RMM-UnauthorizedToolDeployment
Testing Methodology
Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Quick Assist Followed by Unsanctioned RMM Binary Launch
Expected signal: Sysmon Event ID 1 / Security Event ID 4688: process creation for quickassist.exe (renamed notepad.exe copy) followed approximately 5 seconds later by process creation for anydesk.exe (renamed notepad.exe copy), both under the test account on the same host.
- Test 2Unsanctioned RMM Binary Execution Without Prior Remote-Assist Session
Expected signal: Sysmon Event ID 1 / Security Event ID 4688: process creation for ateraagent.exe (renamed notepad.exe copy), with no preceding quickassist.exe or msra.exe event on the same host.
References (4)
Unlock playbooks & atomic tests with Pro
Get the full detection package for THREAT-RMM-UnauthorizedToolDeployment — response playbook and atomic red team tests, plus investigation guidance and hunting queries.
df00tech Pro — £29/user/month