“Tales of Too Many RMMs. In a highly interconnected world, remote monitoring and management (RMM) tools are critical to reducing cost and increasing efficiencies. However, these tools pose challenges and even significant risk if not properly managed. Huntress analysts have observ…”
T1219 Remote Access Tools (98%)
“that did not have a Huntress agent installed, and was therefore not being managed via the Huntress SOC. The threat actor moved laterally between the endpoints via RDP, and within minutes of accessing the reported endpoint, installed the Chrome Remote Desktop host, RustDesk, and a…”
T1219 Remote Access Tools (95%)
“may not have been executed, as the threat actor's activities were thwarted before they got to that point in their attack. In this incident, the threat actor gained access to an endpoint via a legacy RMM, and installed another RMM tool while retaining access to the original init…”
T1021.001 Remote Desktop Protocol (88%)
“that did not have a Huntress agent installed, and was therefore not being managed via the Huntress SOC. The threat actor moved laterally between the endpoints via RDP, and within minutes of accessing the reported endpoint, installed the Chrome Remote Desktop host, RustDesk, and a…”
T1219 Remote Access Tools (86%)
“…connectivity across any enterprise environment. However, this is more particularly the case within the managed services provider (MSP) and managed detection and response (MDR) space. For example, Huntress has responded to incidents where the means of initial access was achi…”
T1486 Data Encrypted for Impact (56%)
“may not have been executed, as the threat actor's activities were thwarted before they got to that point in their attack. In this incident, the threat actor gained access to an endpoint via a legacy RMM, and installed another RMM tool while retaining access to the original init…”
T1486 Data Encrypted for Impact (46%)
“that did not have a Huntress agent installed, and was therefore not being managed via the Huntress SOC. The threat actor moved laterally between the endpoints via RDP, and within minutes of accessing the reported endpoint, installed the Chrome Remote Desktop host, RustDesk, and a…”
T1021.001 Remote Desktop Protocol (42%)
“may not have been executed, as the threat actor's activities were thwarted before they got to that point in their attack. In this incident, the threat actor gained access to an endpoint via a legacy RMM, and installed another RMM tool while retaining access to the original init…”
T1110.004 Credential Stuffing (32%)
“/RPC or the MSSQL instance to enable RDP or to install other RMM tools. Incident 1. During an incident identified on 7 Feb 2025, evidence indicated that UltraVNC had been installed on 14 May 2023, and that since that time, it had been subject to brute force password guessing atta…”
T1080 Taint Shared Content (31%)
“that did not have a Huntress agent installed, and was therefore not being managed via the Huntress SOC. The threat actor moved laterally between the endpoints via RDP, and within minutes of accessing the reported endpoint, installed the Chrome Remote Desktop host, RustDesk, and a…”
Summary
In a highly interconnected world, remote monitoring and management (RMM) tools are critical to reducing cost and increasing efficiencies. However, these tools pose challenges and even significant risk if not properly managed.