Keys to the kingdom: RMM exploits enabling human-operated intrusions in 2024–25
The double-edged sword of RMM

Remote Monitoring and Management (RMM) tools are indispensable for modern IT operations. They enable administrators to remotely access, troubleshoot, update, and monitor systems, streamlining operations at scale. But these very features make RMM solutions extremely valuable to adversaries. When attackers compromise an RMM tool, they're not just breaching a single endpoint; they're gaining privileged, persistent, and often stealthy access to a wide array of systems. RMM abuse gives adversaries an immediate pivot for post-exploitation activities like credential harvesting, lateral movement, and data exfiltration.

In 2024 and early 2025, Microsoft Defender Experts witnessed exploitation of zero-day vulnerabilities across multiple RMM platforms, including ConnectWise ScreenConnect, BeyondTrust Remote Support, and SimpleHelp. These weren't isolated incidents. They were part of coordinated, hands-on-keyboard intrusions driven by threat actors ranging from financially motivated groups to nation-state adversaries, who moved fast to weaponize these flaws for initial access, lateral movement, and ransomware deployment. This blog unpacks the key vulnerabilities, real-world attack flows, and detection insights gleaned from incidents tracked by Defender Experts.

Why RMM exploits matter more than ever

RMM is not just remote access; it's remote privilege. By compromising an RMM tool, an attacker can instantly:

- Bypass multi-layered defenses
- Operate under a trusted software context

That's why vulnerabilities in these tools, especially those exposed to the Internet, represent high-value, low-effort attack vectors.
Major RMM vulnerabilities overview (2024 – early 2025)

SimpleHelp vulnerabilities (January 2025)

In early January 2025, Horizon3.ai alerted SimpleHelp to three critical vulnerabilities in its Remote Support software: CVE-2024-57727, which enabled unauthorized file access via path traversal; CVE-2024-57726, which allowed privilege escalation; and CVE-2024-57728, which permitted arbitrary file uploads potentially leading to remote code execution. Notified on January 6, SimpleHelp swiftly released patched versions between January 8 and 13, underscoring the severity of the flaws.

BeyondTrust vulnerability (December 2024)

In December 2024, BeyondTrust's Remote Support vulnerabilities came to light after anomalous behaviours were detected on their cloud platform. Reports suggest that Chinese state-sponsored hackers exploited these flaws to gain access to sensitive government and enterprise systems, including the US Treasury Department.

ConnectWise ScreenConnect (February 2024)

In early 2024, ConnectWise's ScreenConnect was hit by two major vulnerabilities: CVE-2024-1708 (a path traversal flaw) and CVE-2024-1709 (an authentication bypass). The latter, rated CVSS 10.0, allowed unauthenticated attackers to create admin accounts and take full control of the server. Both flaws were rapidly exploited in the wild, with public PoCs appearing within 48 hours of disclosure.

In all three cases, the discovery of the RMM vulnerabilities was quickly followed by real-world attacks. Attackers rapidly weaponized the bugs:

- Chinese APTs leveraged BeyondTrust flaws for government intrusions.
- Mass exploitation campaigns used ScreenConnect bugs for initial access and lateral movement.
- SimpleHelp chains enabled unauthenticated attackers to escalate privileges, exfiltrate data, and drop persistent backdoors.
Zooming in on attack paths observed by Defender Experts across multiple cases

In early 2025, threat actors began exploiting vulnerabilities in trusted remote IT tools, specifically BeyondTrust Remote Support and SimpleHelp, to breach major public sector organizations. Targets included entities supporting government operations, critical infrastructure, healthcare, higher education, and essential services such as water and sewage. Originally intended for legitimate remote access, these tools were repurposed as stealthy intrusion channels. Once inside, adversaries rapidly escalated privileges, moved laterally across networks, and staged environments for ransomware deployment.

Common attack path observed across multiple cases:

Step 1: Abusing trusted remote access. Exploiting vulnerabilities in Bomgar SCC (now BeyondTrust's), ScreenConnect and SimpleHelp Remote Monitoring and Management software to gain initial access to target networks.

Step 2: Scouting the battlefield: internal recon. Once inside, the intruders map out their new territory by running host- and domain-based reconnaissance commands. In some cases, to solidify their foothold, they downloaded and executed another RMM tool for persistence.

Step 3: The ghost admin: creating a hidden backdoor. They created their own stealthy admin user, a backdoor hidden in plain sight. With these inconspicuous new admin accounts, they ensured long-term access and continued reconnaissance via RMM.

Step 4: Defense evasion: disabling the safety nets. The attacker disables key defensive measures. By setting the LocalAccountTokenFilterPolicy registry value to 1, they turn off remote UAC filtering, granting full administrative privileges to remote sessions. This means that any administrative activity, whether legitimate or malicious, escapes the usual checks.
Additionally, they extract and deploy multiple payloads, including stealthy drivers loaded via a binary, likely to evade or bypass detection by Windows Defender and other endpoint security solutions.

Step 5: Stealing credentials: the LSASS heist. Next, they turned their focus to credential dumping. Using taskmgr.exe, they dumped LSASS memory, extracting authentication secrets such as cached passwords, NTLM hashes and Kerberos tickets. With this data, they didn't need to guess passwords; they could authenticate as real users.

Step 6: Lateral movement in action. With stolen credentials, they started moving across the network using NetExec (nxc), a stealthy network exploitation tool, then leveraged Mimikatz to perform a pass-the-hash attack using the compromised user's credentials.

Step 7: Command and control: establishing the covert link. The adversary loaded Ligolo and cloudflared, both tunneling tools, to establish a secure, outbound connection from the compromised host back to their command and control (C2) server. This tunnel lets them bypass firewall restrictions and NAT, maintain persistent remote access, and control the compromised system covertly.

The following case studies showcase real-world intrusions and illustrate the evolving tradecraft used in these RMM-based attacks.

Case Study 01: Pre-ransomware intrusion via BeyondTrust in government operations and infrastructure

Microsoft Defender Experts identified a targeted intrusion against a major public sector organization supporting government operations and infrastructure. The activity was attributed to Storm-1175, a financially motivated, China-based threat actor known for deploying Medusa ransomware. Storm-1175 is known for rapidly exploiting newly disclosed vulnerabilities, particularly in remote monitoring and management (RMM) tools and virtualization platforms. In this case, the actor exploited a vulnerability in BeyondTrust's RMM software to gain initial access.
Critically, the impacted organization had inadvertently exposed an admin jump server, a high-privilege system, directly to the internet via a remote access solution. This misconfiguration created a direct path to domain admin access, enabling the attacker to bypass internal controls and initiate a hands-on-keyboard intrusion. The threat actor swiftly conducted reconnaissance, escalated privileges, and began staging for ransomware deployment.

This incident highlights the urgent risk posed by trusted IT infrastructure being misconfigured or exposed externally. It reinforces the need for:

- Timely patching of remote access software
- Strict network segmentation for privileged assets
- Continuous monitoring of administrative systems
- Minimizing public exposure of high-value infrastructure

Misconfigurations, especially those involving privileged systems, remain one of the most exploited pathways in human-operated intrusions.

Case Study 02: Pre-ransomware intrusion via SimpleHelp in critical services sectors

In this case study, the threat actor exploited SimpleHelp RMM vulnerabilities to breach organizations in the healthcare and water and sewage services sectors. The intrusion progressed through a coordinated, human-operated attack chain, starting with RMM exploitation and escalating to credential theft, lateral movement, and ransomware staging. Key actions included:

- Creation of stealthy local admin accounts for persistence
- Credential dumping via LSASS memory access
- Lateral movement using pass-the-hash and NetExec
- Defender evasion and tunnelling with Ligolo/cloudflared for C2

This intrusion underscores the critical risk posed by vulnerable remote admin tools in essential service environments, where rapid escalation and lack of segmentation can lead directly to high-impact ransomware events.
Case Study 03: Ransomware intrusion via ScreenConnect in higher education to initiate full-chain ransomware deployment

In a multi-stage intrusion observed in a higher education institution, threat actors exploited ScreenConnect RMM vulnerabilities to initiate a human-operated ransomware attack that culminated in the deployment of Medusa ransomware by Day 31. Key phases of the attack:

Day 1–2: Initial access and establishing foothold
- Exploitation of ScreenConnect allowed initial access
- Reconnaissance began immediately using cmd.exe for domain, host, and user enumeration
- Payloads downloaded via PowerShell, wget, and Bitsadmin
- A stealthy user account was created and added to high-privilege groups
- SimpleHelp RMM (via JWrapper) was deployed for persistent remote access

Day 8: Persistence and deeper reconnaissance
- Attackers used NetScan and SimpleHelp to scan the environment
- Credential dumping via taskmgr.exe to extract LSASS memory
- C2 communication established using Ligolo tunneling

Day 31: Lateral movement and impact
- Impacket and PDQ Deploy used for lateral movement
- Registry tampering and config changes for Defender evasion
- Human-operated signs: file masquerading, new admin created via net, WDigest changes
- Medusa ransomware was deployed

Multiple indicators of ransomware-related activity were detected, including dropped payloads and malicious commands executed from compromised accounts.

Key takeaways:
- Initial access via misconfigured RMM software remains a high-risk vector.
- Credential abuse and remote tool stacking enabled stealthy, prolonged access.
- Delayed ransomware deployment (Day 31) reflects strategic patience and operational control.
- Higher education environments with exposed remote access tools and limited segmentation remain highly vulnerable to these human-operated attacks.
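Steps 2 to 4 of the attack path above, and all three case studies, share one observable pattern: an RMM agent spawns a shell that runs discovery commands, adds a local admin, and flips LocalAccountTokenFilterPolicy to 1. The Python below is an added example, not code from the original post or from Microsoft: a stand-alone re-implementation of that detection logic over constructed sample events, with field names borrowed from the Defender DeviceProcessEvents and DeviceRegistryEvents schema and a noise threshold that plays the same role as the CommandCount cut-off in the hunting queries.

```python
# Toy re-implementation of the RMM-abuse detections for the attack path above.
# Field names mirror Defender's DeviceProcessEvents / DeviceRegistryEvents
# columns; the sample events at the bottom are constructed for this example.
from collections import defaultdict

# RMM agent names taken from the hunting queries on this page (lower-cased).
RMM_PARENTS = ("screenconnect", "remote access", "bomgar-scc", "winpty-agent64")
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe")
# Discovery / download-cradle tokens, also drawn from the page's queries.
DISCOVERY = ("nltest", "net user", "net group", "tasklist", "whoami", "quser",
             "dsquery", "iwr", "irm", "iex", "invoke-webrequest",
             "invoke-restmethod", "curl", "wmic ")

def from_rmm_session(ev):
    """Steps 1-2: grandparent is an RMM agent and the parent is a shell."""
    parent = ev["InitiatingProcessParentFileName"].lower()
    shell = ev["InitiatingProcessFileName"].lower()
    return any(name in parent for name in RMM_PARENTS) and shell in SHELLS

def is_discovery(ev):
    """Step 2: host/domain reconnaissance or a download cradle."""
    cmd = ev["ProcessCommandLine"].lower()
    return any(token in cmd for token in DISCOVERY)

def is_local_admin_add(ev):
    """Step 3: `net localgroup administrators <user> /add` (the ghost admin)."""
    cmd = ev["ProcessCommandLine"].lower()
    return (ev["FileName"].lower() == "net.exe" and "localgroup" in cmd
            and "administrators" in cmd and "/add" in cmd)

def is_remote_uac_bypass(reg):
    """Step 4: LocalAccountTokenFilterPolicy = 1 turns off remote UAC filtering."""
    return (reg["RegistryValueName"].lower() == "localaccounttokenfilterpolicy"
            and reg["RegistryValueData"] == "1")

def triage(proc_events, reg_events, min_discovery=3):
    """Return {DeviceId: [findings]}; min_discovery is the noise threshold
    that plays the role of CommandCount in the KQL summarize."""
    discovery = defaultdict(set)
    findings = defaultdict(list)
    for ev in proc_events:
        if not from_rmm_session(ev):
            continue  # shells not spawned by an RMM agent are out of scope here
        if is_local_admin_add(ev):
            findings[ev["DeviceId"]].append("local admin added via RMM session")
        elif is_discovery(ev):
            discovery[ev["DeviceId"]].add(ev["ProcessCommandLine"])
    for dev, cmds in discovery.items():
        if len(cmds) >= min_discovery:
            findings[dev].append(f"{len(cmds)} distinct discovery commands via RMM")
    for reg in reg_events:
        if is_remote_uac_bypass(reg):
            findings[reg["DeviceId"]].append("remote UAC filtering disabled")
    return dict(findings)

def _proc(dev, parent, shell, exe, cmd):
    return {"DeviceId": dev, "InitiatingProcessParentFileName": parent,
            "InitiatingProcessFileName": shell, "FileName": exe,
            "ProcessCommandLine": cmd}

# Constructed sample telemetry (not real data): host-a follows steps 2-4,
# host-b is a benign admin shell, host-c runs a single command via RMM.
SAMPLE_PROC = [
    _proc("host-a", "ScreenConnect.WindowsClient.exe", "cmd.exe", "nltest.exe", "nltest /dclist:"),
    _proc("host-a", "ScreenConnect.WindowsClient.exe", "cmd.exe", "net.exe", 'net group "domain admins" /domain'),
    _proc("host-a", "ScreenConnect.WindowsClient.exe", "cmd.exe", "whoami.exe", "whoami /all"),
    _proc("host-a", "ScreenConnect.WindowsClient.exe", "cmd.exe", "net.exe", "net localgroup administrators svc_backup /add"),
    _proc("host-b", "explorer.exe", "cmd.exe", "whoami.exe", "whoami"),
    _proc("host-c", "winpty-agent64.exe", "powershell.exe", "tasklist.exe", "tasklist /v"),
]
SAMPLE_REG = [
    {"DeviceId": "host-a", "RegistryValueName": "LocalAccountTokenFilterPolicy", "RegistryValueData": "1"},
    {"DeviceId": "host-b", "RegistryValueName": "EnableLUA", "RegistryValueData": "1"},
]

if __name__ == "__main__":
    for dev, notes in triage(SAMPLE_PROC, SAMPLE_REG).items():
        print(dev, "->", "; ".join(notes))
```

Only host-a is reported: three distinct discovery commands, the local admin addition and the registry change all line up on one device, while the benign shell on host-b and the single command on host-c stay below the threshold.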
Advanced hunting queries

```kusto
// Identify suspicious discovery and addition to a local admin group through an RMM session
DeviceProcessEvents
| where InitiatingProcessParentFileName =~ "winpty-agent64.exe"
| where InitiatingProcessFileName in~ ("powershell.exe", "powershell_ise.exe", "cmd.exe", "pwsh.exe")
| where (
    FileName in~ ("whoami.exe", "certutil.exe", "quser.exe", "bitsadmin.exe", "dsquery.exe")
    or (tolower(ProcessCommandLine) contains "localgroup" and tolower(ProcessCommandLine) contains "/add" and tolower(ProcessCommandLine) contains "administrators")
    or ProcessCommandLine has_any ("Invoke-Expression", ".DownloadString", ".DownloadFile", "FromBase64String", "iex ", "iex(", "Invoke-WebRequest", "iwr ", "irm ", "Invoke-RestMethod")
    or (FileName =~ "net.exe" and ProcessCommandLine has_any ("user ", " group"))
)
```

```kusto
// Identify suspicious discovery activity through an RMM application
let RMMBinaries = pack_array("Screenconnect", "Remote Access", "bomgar-scc", "winpty-agent64");
DeviceProcessEvents
| where InitiatingProcessParentFileName has_any (RMMBinaries)
| where InitiatingProcessFileName has "cmd.exe"
    and ProcessCommandLine has_any ("nltest", "net user", "net group", "tasklist", "iwr", "irm", "iex", "Invoke-Expression", "Invoke-RestMethod", "Invoke-WebRequest", "curl", "Add-MpPreference", "wmic ")
| summarize RMMtool = tostring(make_set(InitiatingProcessParentFileName)),
            Commands = tostring(make_set(ProcessCommandLine)),
            CommandCount = array_length(make_set(ProcessCommandLine)),
            ProcessCount = array_length(make_set(FileName))
    by DeviceId
| where ProcessCount > 2 and CommandCount > 2 // Change the value based on the noise
```

```kusto
// Identify the execution of the NetExec tool
DeviceProcessEvents
| where FileName has "nxc"
| where ProcessCommandLine has_any ("smb", "ldap", "ssh", "ftp", "wmi", "winrm", "rdp", "vnc", "mssql")
```

```kusto
// Identify the execution of mstsc through mimikatz
DeviceProcessEvents
| where InitiatingProcessVersionInfoOriginalFileName has "mimikatz"
| where ProcessVersionInfoOriginalFileName has "mstsc"
```

Recommendations

Microsoft recommends the following mitigations to reduce the impact of this threat.

- Apply patches provided by the respective vendors to address these vulnerabilities.
- Apply the mitigations listed in Microsoft's technique profile on abuse of remote monitoring and management tools.
- Refer to our human-operated ransomware overview for general hardening recommendations against ransomware attacks.
- Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus tool does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- Turn on cloud-delivered protection in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Microsoft Defender XDR customers can turn on attack surface reduction rules to prevent common attack techniques used in ransomware attacks. Attack surface reduction rules are sweeping settings effective at stopping entire classes of threats.
  - Block executable files from running unless they meet a prevalence, age, or trusted list criterion
  - Block execution of potentially obfuscated scripts
  - Use advanced protection against ransomware

References

- CVE-2024-1709 and CVE-2024-1708 vulnerabilities in ConnectWise ScreenConnect: https://security.microsoft.com/intel-profiles/CVE-2024-1709
- CVE-2024-57726: Multiple vulnerabilities found in SimpleHelp Remote Support Software: https://security.microsoft.com/intel-profiles/cve-2024-57726

Appendix

Here's a concise table that summarizes the vulnerabilities along with key timeline events.

Choosing between Microsoft Defender Experts for Hunting and Microsoft Defender Experts for XDR
Introduction

In today's cybersecurity landscape, organizations face increasingly complex and sophisticated threats. Microsoft offers two robust solutions designed to enhance your security operations: Microsoft Defender Experts for Hunting and Microsoft Defender Experts for XDR. While both services aim to protect your organization against threats, they are tailored for distinct use cases. This guide will help you understand when to utilize Defender Experts for Hunting and when Defender Experts for XDR might be the right choice for your organization.

What is Microsoft Defender Experts for Hunting?

Microsoft Defender Experts for Hunting is a proactive threat hunting service designed for organizations with a well-established security operations center (SOC) that want additional assistance in unearthing hidden novel attacks. This service utilizes Microsoft Defender data to hunt across multiple domains, including endpoints, Office 365, cloud applications, and identity. Defender Experts for Hunting:

- Provides proactive threat hunting beyond just the endpoint, analysing signals across your digital environment.
- Leverages extensive threat intelligence, security experts, and AI/ML tools; the proactive hunting service operates by developing hypotheses, analysing contexts, and observing behaviours to detect novel attacks.
- Provides contextual alerting by investigating findings and delivering actionable remediation instructions to your SOC.
- Is ideal for organizations that want to maintain full control of incident response while benefiting from Microsoft's expertise in threat detection.

For more details, refer to "What is Microsoft Defender Experts for Hunting offering - Microsoft Defender XDR | Microsoft Learn".

What is Microsoft Defender Experts for XDR?

Microsoft Defender Experts for XDR is a managed extended detection and response (XDR) service that extends beyond threat hunting to include detection, investigation, and response.
Tailored for organizations that use Microsoft Defender XDR services, this offering not only identifies threats but also manages incident response, enabling security teams to focus on high-priority incidents. Defender Experts for XDR:

- Provides complete incident lifecycle management, combining automation with Microsoft's expert analysts to detect, investigate, and respond to threats.
- Supports multiple Microsoft Defender solutions, including Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Microsoft Entra ID.
- Is a great choice for organizations that want a fully managed SOC-like experience without the need for extensive in-house resources.
- Includes Defender Experts for Hunting built in for proactive threat hunting.

For more details, refer to "What is Microsoft Defender Experts for XDR offering - Microsoft Defender XDR | Microsoft Learn".

Which service is best for your organization?

When deciding between Defender Experts for Hunting and Defender Experts for XDR, it's essential to evaluate your organization's current capabilities, resources, and security objectives.

Defender Experts for Hunting

This service is ideal for organizations that:

- Already have a robust SOC and dedicated incident response team.
- Need proactive threat hunting to uncover hidden threats across diverse domains that are novel or not yet covered by existing detections.
- Want to maintain in-house control of incident response while receiving expert insights and remediation instructions.

Defender Experts for XDR

This service is ideal for organizations that:

- Want a fully managed detection and response solution to complement their existing security measures.
- Lack the resources or expertise to manage a 24/7 SOC.
- Need extended detection and response capabilities across the entire Microsoft Defender XDR ecosystem.
Recommendation based on scenarios

| Scenario | Defender Experts for Hunting | Defender Experts for XDR |
|---|---|---|
| Augments an already established SOC | ✓ | ✓ |
| Proactive threat hunting across endpoints, Office 365, cloud applications, and identity | ✓ | ✓ |
| Actionable remediation instructions for your in-house SOC | ✓ | ✓ |
| Full incident lifecycle management (detection, investigation, response) | | ✓ |
| Option for automatic remediation on behalf of your SOC | | ✓ |
| Support for organizations with limited SOC resources | | ✓ |
| 24/7 managed XDR service | | ✓ |

Conclusion

Modern cybersecurity threats are increasingly complex and continually evolving. It is not sufficient to merely detect and highlight these threats; it is also critical to identify novel threats and respond to them with speed and precision. Both Microsoft Defender Experts for Hunting and Defender Experts for XDR offer substantial benefits to organizations looking to defend against threats and catch emerging threats before they escalate into issues. Choosing the right service depends on your specific needs: whether you require proactive threat hunting to complement an existing SOC, or a 24/7 fully managed detection and response solution that operates continuously to handle the complexities of modern threats, thereby alleviating the burden on internal teams. With Defender Experts for XDR, bolster your SOC with around-the-clock protection from dedicated security professionals. By understanding these options, you can make an informed decision that aligns with your security goals and ensures your organization is well-protected in today's threat landscape.

Watch and learn from Microsoft security experts who reinforce your SecOps 24/7
In today's evolving digital landscape, cybersecurity is more than technology, products, and platforms; it's the people behind the scenes who work 24/7 to ensure organizations remain protected. At Microsoft, we are also defenders. We understand the challenges facing Security Operations Centers (SOCs). We created Microsoft Defender Experts for XDR, a comprehensive Managed Extended Detection and Response (MXDR) service, to reinforce our customers' in-house SOCs, help security teams focus on what matters most, and provide CISOs with more peace of mind. Microsoft Defender Experts for XDR combines industry-leading Microsoft Defender products with our team of Microsoft security experts and analysts.

We created a video series that offers a behind-the-scenes look at Defender Experts for XDR through conversations with our security professionals. You will learn about their roles, their approaches to cybersecurity, and how they work to keep organizations safe 24/7.

Microsoft Defender Experts for XDR Video Series - Let's get started with Season 1

In this video series, Sachin Kumar, a Senior Product Manager for Defender Experts for XDR, and Edward Walton, a seasoned security expert from the Microsoft Global Black Belt security team, will be your hosts. They will introduce you to the people working behind the scenes and help you understand more about Defender Experts for XDR, which is Microsoft's MXDR service. Each episode provides deeper insights into how the human expertise behind Defender Experts for XDR improves your organization's security outcomes and posture.

Episode guide

Check out the latest episodes below and visit the YouTube playlist to see all the episodes in the series.

Collaborative Interplay - TI, AI, and Defender Experts

In this episode, Edward and Sachin are joined by Brian, a seasoned research lead from the Defender Experts for XDR team.
He shares his insights into the collaborative interplay between threat intelligence, AI, and research within the Defender Experts for XDR team. This episode highlights how the threat intelligence, AI, and research teams integrate to enrich a robust, adaptive, and proactive defense within Defender Experts for XDR. This collaboration empowers the experts to remain agile and deliver superior protection against advanced threats.

A Conversation with Defender Experts Analyst Lead

In this episode, Edward and Sachin are joined by Michael, a Principal Security Researcher and Defender Experts for XDR operations lead. Michael shares his journey into cybersecurity and his current role at Microsoft. He discusses his responsibilities within the Microsoft Defender Experts for XDR team, including leading the development of the investigation query platform and handling escalations. He also highlights the team's collaboration with the security research team and the Microsoft Threat Intelligence Center (MSTIC) to improve threat detection and block malicious activities. He provides examples of common threats like phishing and malware, including a recent incident involving an exploited remote administration tool.

Stay tuned for additional episodes and meet the people and technology behind Defender Experts for XDR.

Enhancing Threat Hunting with Microsoft Defender Experts Plugin
In today's rapidly evolving digital landscape, cybersecurity threats are becoming increasingly sophisticated, requiring organizations to adopt proactive measures to safeguard their assets. Recognizing this need, Microsoft has introduced the Defender Experts Plugin, a powerful addition to Copilot for Security's GitHub. This plugin is designed to elevate your cybersecurity defenses by integrating proactive threat hunting capabilities across your entire organization, including Office 365, cloud applications, and identity platforms.

What is Defender Experts for Hunting?

Defender Experts for Hunting is a specialized managed service from Microsoft that provides proactive, human-led threat hunting across a broad range of organizational environments. Unlike automated detection, this service involves active threat hunting by Microsoft's seasoned security experts, who analyze activities across endpoints, cloud applications, email, and identity platforms. Defender Experts for Hunting focuses on detecting advanced threats and human adversary behaviors, particularly those involving sophisticated or "hands-on-keyboard" attacks, and provides organizations with detailed alerts, expert guidance, and remediation recommendations.

Overview of the plugin

Microsoft's Defender Experts Plugin is a comprehensive threat hunting tool that expands traditional security boundaries. It goes beyond endpoints to investigate Office 365, cloud applications, and identity platforms, where Microsoft's seasoned security professionals build detections to investigate suspicious activities. The plugin specializes in tracking sophisticated threats, especially those posed by human adversaries and hands-on-keyboard attacks. The plugin is skills-based, leaning on KQL Advanced Hunting Queries (AHQs) to scan across Defender tables for risky behaviors and suspicious activities, with support for tables such as CloudAppEvents, EmailEvents, EmailAttachmentInfo, and AADSignIn.
These queries are not a one-off; Defender Experts will continue to contribute to the plugin in line with our normal research efforts. Some of the threat detection "skills" included in this plugin are:

- Suspicious Use of AzureHound: flags potentially unauthorized data gathering using AzureHound on devices.
- Reconnaissance Activity Using Network Logs: detects reconnaissance behavior by analyzing network logs and identifying specific command-line activity.
- Cobalt Strike DNS Beaconing: detects suspicious DNS queries associated with Cobalt Strike beacons.

By leveraging Microsoft's Defender Experts Plugin, organizations can benefit from the deep expertise and proactive approach of Microsoft's security researchers. This tool ensures that potential threats are not only identified but also thoroughly investigated and addressed, with the eventual addition of Promptbooks, thus enhancing the overall security posture of the organization. Furthermore, the integration of the Defender Experts Plugin with Copilot for Security's GitHub allows for seamless collaboration and information sharing among the greater security community.

Step-by-step guided walkthrough

Getting started with the Defender Experts Security Copilot Plugin is straightforward:

1. Download the Defender Experts plugin (YAML) from GitHub.
2. Access Security Copilot.
3. In the bottom-left corner, click the Plugins icon.
4. Under Custom upload, select Upload plugin.
5. Upload the Defender Experts Plugin.
6. Click Add to finalize.
7. Find the plugin under Custom.
8. Your installation will now include specialized prompts in Defender Experts, with skills tailored for effective collaboration with Copilot for Security's capabilities.

Conclusion

The Defender Experts Plugin is a vital addition to any organization's cybersecurity arsenal.
By incorporating proactive threat hunting and leveraging the expertise of Microsoft's security analysts, this plugin helps organizations stay ahead of potential threats and maintain a robust security posture. Embrace this powerful tool and take your cybersecurity defenses to the next level. Let's get started securing your environment with Defender Experts for Hunting!

If you're interested in learning more about our Defender Experts services, visit the following resources:

- Microsoft Defender Experts for XDR web page
- Microsoft Defender Experts for XDR docs page
- Microsoft Defender Experts for Hunting web page
- Microsoft Defender Experts for Hunting docs page