A Series of Unfortunate (RMM) Events
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
Threat actors are increasingly misusing legitimate remote monitoring and management (RMM) software to obtain initial access and retain persistence in targeted environments. The report highlights incidents where operators first installed a “primary” RMM tool—such as GoTo Resolve or PDQ—then followed up by deploying additional RMM utilities like ScreenConnect, SimpleHelp, or ITarian. The initial installers were commonly delivered through phishing and social engineering, often hosted on attacker-controlled domains. Because these are trusted commercial tools, their abuse can blend into normal admin activity and support long-lived footholds.
Investigation
Huntress SOC conducted retrospective threat hunting across endpoint telemetry and identified execution chains beginning with phishing-delivered installers for GoTo Resolve, PDQ, or ITarian. Analysts then traced the persistence and expansion steps, including scheduled task creation, service installation/starts, and filesystem paths used to stage and deploy secondary RMM binaries such as ScreenConnect and SimpleHelp. Supporting evidence—including VirusTotal parent-process execution context and local filesystem artifacts—was used to reconstruct the multi-stage intrusion flow.
Mitigation
Implement application allowlisting and explicitly block unapproved RMM tools, particularly those executed from temporary or user-writable directories. Monitor for scheduled tasks and service creation events tied to common RMM products and scrutinize outbound traffic to newly registered or suspicious domains. Maintain a current inventory of sanctioned RMM software and routinely audit where, how, and by whom these tools are used.
Response
If a rogue RMM installer is identified, isolate the endpoint, stop and remove associated services and scheduled tasks, and delete the unauthorized binaries. Block or sinkhole attacker-controlled domains and URLs observed during delivery and C2 communications. Complete a full forensic validation to confirm no additional persistence remains, and tune detections to surface similar “primary-to-secondary RMM” deployment patterns going forward.
```mermaid
graph TB
  %% Class definitions
  classDef action fill:#99ccff
  classDef tool fill:#ffcc99
  classDef process fill:#ccffcc

  %% Nodes – Actions
  action_phishing["<b>Action</b> – <b>T1566.001 Phishing: Spearphishing Attachment</b><br/><b>Description</b>: Victim receives a phishing email with a malicious attachment such as Open Revised Contract.exe"]
  class action_phishing action
  action_user_exec["<b>Action</b> – <b>T1204.002 User Execution: Malicious File</b><br/><b>Description</b>: Victim manually runs the downloaded RMM installer from the attachment"]
  class action_user_exec action
  action_sched_task["<b>Action</b> – <b>T1053 Scheduled Task/Job</b><br/><b>Description</b>: Attacker creates a Windows scheduled task to maintain persistence"]
  class action_sched_task action
  action_service_exec["<b>Action</b> – <b>T1569.002 System Services: Service Execution</b><br/><b>Description</b>: Malicious RMM service is installed and started via sc.exe"]
  class action_service_exec action
  action_rmt_use["<b>Action</b> – <b>T1219 Remote Access Tools</b><br/><b>Description</b>: Installed RMM provides adversary remote access capabilities"]
  class action_rmt_use action
  action_remote_desktop["<b>Action</b> – <b>T1219.002 Remote Access Tools: Remote Desktop Software</b><br/><b>Description</b>: Specific remote desktop software (ScreenConnect) is deployed for covert control"]
  class action_remote_desktop action
  action_lateral_transfer["<b>Action</b> – <b>T1570 Lateral Tool Transfer</b><br/><b>Description</b>: Attacker uses the initial RMM to download and install additional RMM tools"]
  class action_lateral_transfer action

  %% Nodes – Tools / Files
  tool_malicious_attachment["<b>Tool</b> – <b>Name</b>: Malicious RMM Installer<br/><b>File Types</b>: .exe (e.g., Open Revised Contract.exe)"]
  class tool_malicious_attachment tool
  tool_goto_resolve["<b>Tool</b> – <b>Name</b>: GoTo Resolve (RMM)<br/><b>Capability</b>: Remote management and support"]
  class tool_goto_resolve tool
  tool_pdq["<b>Tool</b> – <b>Name</b>: PDQ Deploy (RMM)<br/><b>Capability</b>: Software deployment and execution"]
  class tool_pdq tool
  tool_itarian["<b>Tool</b> – <b>Name</b>: ITarian (RMM)<br/><b>Capability</b>: Remote administration"]
  class tool_itarian tool
  tool_screenconnect["<b>Tool</b> – <b>Name</b>: ScreenConnect (Remote Desktop)<br/><b>Capability</b>: Screen sharing and remote control"]
  class tool_screenconnect tool
  tool_simplehelp["<b>Tool</b> – <b>Name</b>: SimpleHelp (RMM)<br/><b>Capability</b>: Remote assistance"]
  class tool_simplehelp tool
  process_sc_exe["<b>Process</b> – <b>Name</b>: sc.exe<br/><b>Purpose</b>: Create and start Windows services"]
  class process_sc_exe process

  %% Connections – Attack Flow
  action_phishing -->|delivers attachment| tool_malicious_attachment
  tool_malicious_attachment -->|executed by victim| action_user_exec
  action_user_exec -->|installs| tool_goto_resolve
  action_user_exec -->|installs| tool_pdq
  action_user_exec -->|installs| tool_itarian
  tool_goto_resolve -->|creates| action_sched_task
  tool_goto_resolve -->|uses| process_sc_exe
  process_sc_exe -->|starts service for| action_service_exec
  action_service_exec -->|enables| action_rmt_use
  action_rmt_use -->|provides remote desktop via| tool_screenconnect
  action_rmt_use -->|maintains access with| tool_goto_resolve
  action_rmt_use -->|initiates| action_lateral_transfer
  action_lateral_transfer -->|downloads and installs| tool_simplehelp
  action_lateral_transfer -->|downloads and installs| tool_screenconnect
```
Attack Flow
Detections
- GoTo Resolve Service Started via sc.exe (via cmdline)
- SimpleHelp Agent Executed from JWrapper Remote Access Directory (via process_creation)
- IOCs (HashSha256) to detect: A Series of Unfortunate (RMM) Events
- Detection of Phishing-Induced Rogue RMM Installations [Windows Process Creation]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
- Attack Narrative & Commands:
An adversary sends a phishing email with an attachment named Open Revised Contract (2).exe. A user, believing the file to be a legitimate contract, clicks the attachment. The executable drops a malicious RMM MSI (276Special%10Invitation9756.msi) into the %TEMP% directory and launches it via msiexec.exe. The MSI installs a rogue RMM service that opens a reverse shell to the attacker's C2. This flow maps to:
- T1203 – Client execution (user runs the attached EXE).
- T1027.004 – Compiled payload (the EXE is a compiled malicious binary).
- T1218.005 – Msiexec (the EXE uses msiexec.exe /i to run the MSI).
- T1554 – Compromise client software binary (the MSI installs the rogue RMM).
The process creation events generated are:
- C:\Users\<user>\AppData\Local\Temp\Open Revised Contract (2).exe – the initial malicious EXE.
- C:\Windows\System32\msiexec.exe with command line /i "C:\Users\<user>\AppData\Local\Temp\276Special%10Invitation9756.msi" /quiet.
Both paths match entries in the Sigma rule and should fire an alert.
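The two process creations above, plus the service-start and RMM-directory monitoring recommended under Mitigation, can be checked against telemetry offline. The following is an added example, not code from the original report or from Huntress's detection rules: it evaluates the three detections named on this page over constructed Sysmon-style events. The GoToResolveUnattended service name, the OUTLOOK.EXE/explorer.exe parent set and the exact spelling of the JWrapper-Remote Access directory are assumptions.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style fields); not real telemetry.
TEMP = r"C:\Users\alice\AppData\Local\Temp"
EVENTS = [
    {"Image": TEMP + r"\Open Revised Contract (2).exe", "CommandLine": f'"{TEMP}\\Open Revised Contract (2).exe"',
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"Image": r"C:\Windows\System32\msiexec.exe", "ParentImage": TEMP + r"\Open Revised Contract (2).exe",
     "CommandLine": f'msiexec.exe /i "{TEMP}\\276Special%10Invitation9756.msi" /quiet'},
    {"Image": r"C:\Windows\System32\sc.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'sc.exe start "GoToResolveUnattended"'},          # service name is assumed
    {"Image": r"C:\ProgramData\JWrapper-Remote Access\Remote Access.exe",  # directory spelling assumed
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": '"Remote Access.exe"'},
    {"Image": r"C:\Windows\System32\msiexec.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'msiexec.exe /i "C:\Program Files\Vendor\update.msi" /qn'},  # benign control
]

USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)   # user-writable staging dir
MSI_ARG = re.compile(r'/i\s+"?([^"]+?\.msi)', re.I)                          # path passed to msiexec /i
LURE_PARENTS = {"outlook.exe", "explorer.exe"}  # assumed parents of a user double-clicking an attachment

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def evaluate(ev):
    """Return the names of this page's detections satisfied by one process-creation event."""
    hits = []
    img, parent, cmd = ev["Image"], ev["ParentImage"], ev["CommandLine"]
    # Rogue RMM installer, stage 1: an EXE launched from a user Temp directory by a mail client / Explorer.
    if USER_TEMP.search(img) and img.lower().endswith(".exe") and basename(parent) in LURE_PARENTS:
        hits.append("rogue_rmm_installer")
    # Rogue RMM installer, stage 2: msiexec spawned from Temp, or installing an MSI staged in Temp.
    if basename(img) == "msiexec.exe":
        m = MSI_ARG.search(cmd)
        if USER_TEMP.search(parent) or (m and USER_TEMP.search(m.group(1))):
            hits.append("rogue_rmm_installer")
    # GoTo Resolve service created or started via sc.exe (product name in the command line).
    if basename(img) == "sc.exe" and re.search(r"\b(create|start)\b", cmd, re.I) \
            and "gotoresolve" in cmd.lower().replace(" ", ""):
        hits.append("goto_resolve_service_sc")
    # SimpleHelp agent executed from its JWrapper Remote Access directory.
    if "jwrapper-remote access" in img.lower():
        hits.append("simplehelp_jwrapper_dir")
    return hits

def triage(events):
    """Map the index of every alerting event to the detections it fired; silent events are dropped."""
    return {i: h for i, ev in enumerate(events) if (h := evaluate(ev))}
```

Running `triage(EVENTS)` flags the first four constructed events and drops the benign msiexec install from Program Files; in production the LURE_PARENTS set and the Temp-path regex are where tuning against legitimate installers belongs.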
- Regression Test Script:
```powershell
# ------------------------------------------------------------
# Simulation script – triggers the Sigma rule using the exact
# filenames defined in the detection logic.
# ------------------------------------------------------------
$tempDir = "$env:TEMP\RMM_Test"
New-Item -Path $tempDir -ItemType Directory -Force | Out-Null

# 1. Drop fake malicious EXE (simulated by copying notepad.exe)
$malExe = "$tempDir\Open Revised Contract (2).exe"
Copy-Item -Path "$env:SystemRoot\System32\notepad.exe" -Destination $malExe -Force

# 2. Drop fake malicious MSI (an empty placeholder file; msiexec will
#    fail to open it, but the process-creation event still fires)
$malMsi = "$tempDir\276Special%10Invitation9756.msi"
New-Item -Path $malMsi -ItemType File -Force | Out-Null

# 3. Execute the EXE (the copied notepad.exe). It is not waited on:
#    an interactive window would block the script until it is closed.
Write-Host "[*] Executing malicious EXE..."
$proc = Start-Process -FilePath $malExe -PassThru
Start-Sleep -Seconds 2
Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue

# 4. Launch the MSI via msiexec directly, so the second process creation
#    is generated even though the copied EXE does not spawn msiexec itself
Write-Host "[*] Launching MSI via msiexec..."
$msiArgs = "/i `"$malMsi`" /quiet"
Start-Process -FilePath "$env:SystemRoot\System32\msiexec.exe" -ArgumentList $msiArgs -Wait

Write-Host "[+] Simulation complete. Check SIEM for alerts on the two process creations."

# ------------------------------------------------------------
# Cleanup (run separately if desired)
# ------------------------------------------------------------
# Remove-Item -Path $tempDir -Recurse -Force
```
- Cleanup Commands:
```powershell
# Remove all artifacts created by the simulation
$tempDir = "$env:TEMP\RMM_Test"
if (Test-Path $tempDir) {
    Remove-Item -Path $tempDir -Recurse -Force
    Write-Host "[*] Cleanup completed."
} else {
    Write-Host "[!] No artifacts found; nothing to clean."
}
```