LOLRMM
Living Off The Land Remote Monitoring & Management - A curated list of RMM tools abused by adversaries for persistence and lateral movement.
Visit https://lolrmm.io/ to explore RMM tools and detection strategies.
⚠ The Problem
Remote Monitoring & Management (RMM) tools are legitimate software increasingly abused by attackers for persistence, remote access, and lateral movement. Defenders need visibility into which RMM tools exist and how to detect their abuse.
✓ The Solution
LOLRMM catalogs RMM tools with details on legitimate vs malicious usage patterns, detection strategies, and indicators of compromise.
⚡ Impact
Helps security teams identify unauthorized RMM tools in their environment and build detections for RMM abuse.
Overview
LOLRMM (Living Off The Land RMM) documents Remote Monitoring & Management tools that attackers abuse for malicious purposes. Part of the MagicSword.io project family.
Why RMM Tools?
Attackers love RMM tools because:
- They’re signed and trusted software
- They provide persistent remote access
- They often bypass security controls
- They blend in with legitimate IT operations
Features
- RMM Catalog: Comprehensive list of RMM tools
- Detection Guidance: How to identify RMM abuse
- IOCs: Indicators of compromise for each tool
- Policy Recommendations: Block unauthorized RMM tools
Credit
Co-founded by Michael Haag. Part of the MagicSword.io family of security projects.
Related Modules
AtomicLua
A combination of OffensiveLua and Learning Lua - By Defenders, for Defenders.
Atomics on a Friday
Weekly YouTube show exploring atomic tests, detection engineering, and security research. Live demonstrations and deep dives into attack techniques.
Bootloaders.io
A curated list of known malicious bootloaders for various operating systems. Track and catalog bootloader threats with detection rules and hash prevention.