RMM Abuse Isn't the Vulnerability

Remote Monitoring and Management (RMM) tools have quietly become one of the most abused components in modern intrusions.

They appear in incident reports, SOC escalations, cyber insurance questionnaires, and breach disclosures—often framed as the vulnerability itself:

• "The attacker used ScreenConnect."
• "A rogue RMM was installed."
• "PDQ was abused for persistence."

But here's the uncomfortable truth:

RMM tools are almost never the root vulnerability.

They are the operational layer attackers exploit after trust has already failed.

Just like prompt injection in AI systems, RMM abuse is a delivery mechanism, not the flaw. Treating it as the vulnerability leads to incomplete remediation, false confidence, and attackers quietly regaining access weeks later.

From a security architecture perspective, RMM abuse maps cleanly to concepts we already understand.

• RMM ≈ legitimate administrative capability
• The vulnerability ≈ unsafe trust, identity, and authorization boundaries
• The impact ≈ persistence, lateral movement, and data access

We don't report PowerShell as a vulnerability.

We report what PowerShell was allowed to do without controls.

RMM tools deserve the same treatment.

Across real-world intrusions investigated by SOCs and IR teams, the pattern is consistent:

1. Initial access via phishing, stolen credentials, MFA fatigue, or OAuth abuse
2. Installation of a signed, legitimate RMM tool
3. Use of that RMM to deploy a secondary (or tertiary) RMM
4. Layered persistence that survives partial cleanup

This is not accidental or opportunistic.

It is deliberate tradecraft.

Attackers are borrowing from classic command-and-control design principles—redundancy, fallback access, and operator flexibility—but implementing them with commercial software defenders are trained to trust.

In multiple documented incidents:

1. A phishing lure installs GoTo Resolve
2. GoTo Resolve is used to deploy ScreenConnect
3. ScreenConnect installs SimpleHelp or another RMM
4. Each RMM connects to a different attacker-controlled domain

This works because most incident response efforts stop at:

"We removed the suspicious RMM."

Attackers assume—correctly—that defenders won't hunt for the second one.

This is persistence through defender fatigue, not technical sophistication.

When defenders discover more than one RMM present, it is often rationalized as:

• Legacy tooling
• Vendor leftovers
• MSP sprawl

Attackers rely on that ambiguity.

Multiple RMMs provide:

• Persistence layering
• Tool specialization
• Detection evasion
• Operator flexibility

This is living-off-the-land, not malware delivery.

In the vast majority of cases, the root causes are architectural, not tool-specific.

Blocking RMM software fails because:

• Many RMMs are operationally required
• Attackers rotate tools faster than blocklists
• Binary blocking ignores how access was gained

This mirrors the mistake of blocking macros instead of fixing macro trust.

Effective defense focuses on trust boundaries, not software names.

RMM abuse isn't going away.

Eliminating RMM tools is as unrealistic as eliminating administrative access.

The real security question is:

What happens when a trusted tool is abused—or fails?

If the answer is "we detect and contain it quickly," your architecture is sound.

If the answer is "we'd probably miss it," the vulnerability isn't the RMM.

It's the system design.