
What is LOLRMM? The Community-Driven Project Exposing Remote Monitoring Tool Abuse

Attackers increasingly rely on legitimate RMM tools for persistence, lateral movement, and credential access. LOLRMM catalogs these abused tools and their artifacts, giving defenders the visibility needed to distinguish authorized access from attacker tradecraft.

February 12, 2026 · 6 min read

Remote Monitoring and Management (RMM) tools are the backbone of modern IT operations. They help MSPs manage thousands of endpoints, push updates, and troubleshoot issues remotely. They're also the perfect weapon for attackers who want persistent, legitimate-looking access to your network.

That's where LOLRMM comes in.

Origins: A Weekend Project That Became Essential Threat Intelligence

LOLRMM started as a weekend idea in August 2024. What began as a simple question, "How many RMM tools are attackers actually abusing?", turned into a community-driven intelligence project that now catalogs hundreds of remote monitoring tools and their artifacts.

The initial push happened over a single weekend. As I posted on X:

"LOLRMM Day 1 and 2 update. Spec created. Everything validates against it. ~328 RMM YAMLs. Filled with artifacts. We're still working to clean a few things up - dupes, incorrect items added. We're going to need the most here from the community."

The project took shape fast. We built CSV and JSON API routes, created a Streamlit app with built-in validation for reviewing and updating entries, and launched a site where you could browse RMM tools with all their technical artifacts documented. Massive thanks to @_josehelps, @nas_bench, and @Kostastsale for jumping in that first weekend to push the project forward.

The real catalyst came from Steven Dick, who provided a massive trove of RMM intelligence that formed the foundation of the project. The community response was overwhelming - security researchers, incident responders, and defenders from across the industry contributed RMM lists, artifact details, and real-world abuse cases.

What LOLRMM Actually Is

LOLRMM (Living Off the Land RMM) is a structured catalog of legitimate remote monitoring and management tools that attackers abuse to blend in with normal IT operations. Think of it as the RMM version of LOLBAS (Living Off the Land Binaries and Scripts).

Each entry in LOLRMM documents:

  • Executable names and install paths for the RMM agent, including the PE original file name that survives a rename on disk
  • Network indicators: the vendor relay and cloud domains and ports the agent connects to, which become the attacker's command channel when the tool is abused
  • File artifacts like configuration files, logs, and the services or scheduled tasks the agent creates for persistence
  • Registry keys used for installation and configuration
  • Code-signing certificate and publisher details, so the software can be identified by signer rather than by file name or a hash that changes with every vendor release

The project fills a critical gap in threat intelligence. When an attacker drops AnyDesk or ScreenConnect on a compromised endpoint, it looks identical to legitimate remote support activity, because it is the same vendor-signed software. LOLRMM gives defenders the artifacts to track these tools and the context to decide whether a given instance is authorized or not.
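The verdict the paragraph describes, authorized versus attacker-deployed, is a join between catalog artifacts, endpoint telemetry, and a per-organization list of approved tools. The following script is an added example (not code from LOLRMM or MagicSword) of that join. It reads a small catalog in the JSON shape LOLRMM's export could be mapped into, checks each event first by on-disk name, then by PE OriginalFileName (which catches a renamed agent), then by destination domain (which catches a rebuilt agent), and classifies the hit against the tenant's allowlist. The catalog contents, tenant names and events are constructed for illustration; the field names `Name`, `Executables` and `Domains` are an assumption rather than the project's real schema, and the executable and domain values should be taken from the actual catalog rather than from this sample.

```python
"""Triage endpoint telemetry against a LOLRMM-style catalog.

Added example for this article, not LOLRMM or MagicSword code. Catalog,
tenants and events below are constructed; field names are an assumption.
"""
import fnmatch
import json
from pathlib import PureWindowsPath

# Constructed, simplified catalog subset (assumed field names, sample values).
CATALOG_JSON = r'''
[
  {"Name": "AnyDesk", "Executables": ["AnyDesk.exe"],
   "Domains": ["*.net.anydesk.com"]},
  {"Name": "ScreenConnect",
   "Executables": ["ScreenConnect.ClientService.exe",
                   "ScreenConnect.WindowsClient.exe"],
   "Domains": ["*.screenconnect.com"]},
  {"Name": "Atera", "Executables": ["AteraAgent.exe"],
   "Domains": ["*.atera.com"]}
]
'''

# Which catalog tools each (hypothetical) tenant has actually approved.
AUTHORIZED = {"acme": {"ScreenConnect"}, "globex": {"Atera"}}

# Constructed Sysmon-like events: process creation (EventID 1) carries
# Image and OriginalFileName, network connection (EventID 3) carries Image
# and DestinationHostname.
SAMPLE_EVENTS = [
    {"Tenant": "acme", "Host": "FIN-WS01", "EventID": 1,
     "Image": r"C:\Program Files (x86)\ScreenConnect Client (a1b2)\ScreenConnect.ClientService.exe",
     "OriginalFileName": "ScreenConnect.ClientService.exe"},
    {"Tenant": "acme", "Host": "FIN-WS01", "EventID": 1,
     "Image": r"C:\Users\jdoe\Downloads\AnyDesk.exe",
     "OriginalFileName": "AnyDesk.exe"},
    {"Tenant": "acme", "Host": "FIN-WS02", "EventID": 1,
     "Image": r"C:\ProgramData\svchost.exe",  # agent renamed on disk
     "OriginalFileName": "AnyDesk.exe"},
    {"Tenant": "globex", "Host": "HR-WS07", "EventID": 3,
     "Image": r"C:\Temp\update.exe",
     "DestinationHostname": "relay-3.net.anydesk.com"},
    {"Tenant": "acme", "Host": "FIN-WS01", "EventID": 1,
     "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE"},
]


def load_catalog(raw):
    """Index the catalog by lowercase executable name and by domain glob."""
    by_exe, by_domain = {}, []
    for entry in json.loads(raw):
        for exe in entry["Executables"]:
            by_exe[exe.lower()] = entry["Name"]
        for pattern in entry.get("Domains", []):
            by_domain.append((pattern.lower(), entry["Name"]))
    return by_exe, by_domain


def identify_rmm(event, by_exe, by_domain):
    """Return (tool name, how matched) or (None, None).

    On-disk name first, then PE OriginalFileName (survives a rename), then
    destination domain (survives a rename and a vendor rebuild).
    """
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    if image in by_exe:
        return by_exe[image], "image"
    original = event.get("OriginalFileName", "").lower()
    if original in by_exe:
        return by_exe[original], "original_filename"
    dest = event.get("DestinationHostname", "").lower()
    for pattern, name in by_domain:
        if dest and fnmatch.fnmatch(dest, pattern):
            return name, "domain"
    return None, None


def triage(events, catalog_raw, authorized):
    """Classify each RMM event as authorized, unauthorized_rmm or renamed_rmm."""
    by_exe, by_domain = load_catalog(catalog_raw)
    findings = []
    for ev in events:
        tool, how = identify_rmm(ev, by_exe, by_domain)
        if tool is None:
            continue  # not a cataloged RMM tool
        approved = tool in authorized.get(ev["Tenant"], set())
        if how == "original_filename":
            verdict = "renamed_rmm"  # hiding the name is never benign
        elif approved:
            verdict = "authorized"
        else:
            verdict = "unauthorized_rmm"  # wrong tool for this tenant
        findings.append({"tenant": ev["Tenant"], "host": ev["Host"],
                         "tool": tool, "matched_by": how, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, CATALOG_JSON, AUTHORIZED):
        print(f"{f['verdict']:16} {f['tenant']:7} {f['host']:9} "
              f"{f['tool']} (via {f['matched_by']})")
```

The ordering of checks is the practical point: a catalog that only listed `AnyDesk.exe` would miss the third and fourth events, and the per-tenant allowlist is what turns the ScreenConnect hit on an acme host into a non-finding while the same binary on a globex host would be flagged.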

How Attackers Abuse RMM Tools

RMM abuse has become one of the most reliable tactics in the modern attacker playbook. Recent incidents show exactly why:

Ransomware operators love RMM tools. Groups like Black Basta, LockBit, and ALPHV have all leveraged legitimate remote management software to maintain persistence and move laterally across networks. The tools provide unattended remote access, file transfer, and remote script and command execution, which is everything an attacker needs to stage and run credential-theft tooling, wrapped in signed software that security teams expect to see.

Initial access brokers sell RMM-compromised networks. Underground markets regularly feature network access sold with RMM tools pre-installed. An attacker buys access, logs in through ScreenConnect or Atera, and immediately has full remote control. No exploit needed, no malware to detect.

Business Email Compromise (BEC) attackers use RMM for financial theft. Once they've compromised an executive's email, attackers convince IT staff to install "remote support tools" to "fix email issues." Within minutes, they have full access to financial systems and can initiate fraudulent wire transfers.

The pattern is consistent: attackers exploit trust in legitimate software. When ConnectWise ScreenConnect, AnyDesk, or Splashtop appears in your environment, your security tools see authorized software doing authorized things. The attacker blends into normal business operations.

Recent threat intelligence shows this isn't slowing down. One 2024 analysis put RMM abuse in over 60% of the ransomware incidents it reviewed, and the trend continues to accelerate. Attackers know that signature-based detection won't catch a vendor-signed binary, that behavior analytics struggle to separate an attacker's remote session from an administrator's, and that most organizations lack an explicit inventory of which RMM tools should actually be present in their environment.

How MagicSword Stops RMM Abuse

This is where threat-informed application control makes the difference.

MagicSword integrates LOLRMM intelligence directly into Application Control policies, giving you deterministic blocking of unauthorized RMM tools while allowing your legitimate remote management software to function normally.

Here's how it works:

Our platform continuously updates Application Control policies with LOLRMM artifacts - file hashes, certificate information, and publisher details for hundreds of remote monitoring tools. When an attacker tries to drop AnyDesk on a workstation but your organization uses ScreenConnect, MagicSword blocks the execution at the kernel level. No behavioral analysis required, no machine learning uncertainty, just policy-based enforcement that says "this RMM tool is not authorized here." Keying on signer and hash rather than file name matters: renaming AnyDesk.exe to something innocuous does not change its signature, and a publisher rule keeps working across vendor updates where a hash-only rule would not.

The intelligence layer provides immediate context. When MagicSword blocks an RMM tool, you don't just get an alert about a blocked executable. You get threat attribution showing which ransomware groups commonly use that tool, which MITRE ATT&CK techniques it enables, and executive-friendly visualizations that communicate the actual risk prevented.

The difference is visibility combined with enforcement. Most organizations can't answer the question "which RMM tools are actually authorized in our environment?" MagicSword makes this explicit. You define your approved remote management tools, and everything else gets blocked automatically, with full attribution explaining why it matters.

For MSPs managing hundreds of clients, this becomes even more critical. Different clients use different RMM tools, but attackers use the same playbook across all of them. MagicSword's per-tenant policies ensure that each client environment only allows their specific authorized tools while blocking the entire LOLRMM catalog of alternatives that attackers might deploy.

The Bottom Line

LOLRMM started as a weekend project and became essential threat intelligence because it addresses a real problem: legitimate tools being weaponized at scale. The community-driven approach means the catalog stays current with new RMM tools entering the market and new abuse patterns emerging from incidents.

But intelligence alone doesn't stop attacks. You need enforcement that turns threat knowledge into defensive action.

MagicSword bridges that gap, turning LOLRMM intelligence into kernel-level protection that stops attackers from using your IT tools against you. Because in 2026, defending against RMM abuse isn't optional anymore. It's the price of doing business in an environment where attackers have learned to look exactly like your help desk.


Written by

Michael Haag

Threat Researcher

In the intricate chessboard of cybersecurity, my role oscillates between a master tactician and a relentless hunter. As an expert in detection engineering and threat hunting, I don't just respond to the digital threats, I anticipate them, ensuring that the digital realm remains sovereign.

© 2026 MagicSword. All rights reserved.