A comprehensive Windows security tool designed to detect and analyze Remote Monitoring and Management (RMM) software deployments.
RMM-Hunter is an analysis tool that identifies potentially malicious or unauthorized Remote Monitoring and Management software/connections on Windows systems. Built on Scurvy, a custom low-level OS exploitation repository (private), RMM-Hunter provides security teams with comprehensive visibility into RMM installations that may pose security risks or compliance concerns.
RMM-Hunter now includes a modern web-based interface for both hunting and elimination operations. Simply double-click the executable to launch the web server, which automatically:
- Starts a local web server on port 80 (http://rmm-hunter)
- Adds an entry to your Windows hosts file so the interface can be reached at http://rmm-hunter
- Requests UAC elevation if administrator privileges are not already granted
- Opens your default browser automatically to the web interface
- Cleans up the hosts entry when the application exits
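The hosts-file step above is where a tool like this can leave residue on a host if cleanup is careless. The following Go example, added here and not part of RMM-Hunter or the Scurvy library, shows the pattern a defender would want: the entry is added once, tagged with a marker comment (the marker text and the `eliminated`-style bookkeeping are this example's assumptions), and the exit-time cleanup removes only lines carrying that marker, never an administrator's own entries. File I/O and the elevation needed to write the real hosts file are left to the caller.

```go
package main

import (
	"fmt"
	"strings"
)

// hostsMarker is a constructed trailing comment: this example tags the line it
// writes so that cleanup removes only that line and never an entry the
// administrator added by hand. (Assumption: the README does not document
// RMM-Hunter's own marker, if it uses one.)
const hostsMarker = "# added by rmm-hunter (example)"

// stripComment drops everything from the first '#' onward.
func stripComment(line string) string {
	if i := strings.Index(line, "#"); i >= 0 {
		return line[:i]
	}
	return line
}

// lineMapsName reports whether a hosts line ("ip name [alias...]") maps name.
func lineMapsName(line, name string) bool {
	fields := strings.Fields(stripComment(line))
	if len(fields) < 2 {
		return false
	}
	for _, host := range fields[1:] {
		if strings.EqualFold(host, name) {
			return true
		}
	}
	return false
}

// HasHostsEntry reports whether any active (non-comment) line maps name.
func HasHostsEntry(content, name string) bool {
	for _, line := range strings.Split(content, "\n") {
		if lineMapsName(line, name) {
			return true
		}
	}
	return false
}

// AddHostsEntry appends "ip name" once; an existing mapping (ours or the
// administrator's) is left untouched so the file never gains duplicates.
func AddHostsEntry(content, ip, name string) string {
	if HasHostsEntry(content, name) {
		return content
	}
	if content != "" && !strings.HasSuffix(content, "\n") {
		content += "\n"
	}
	return content + fmt.Sprintf("%s\t%s\t%s\n", ip, name, hostsMarker)
}

// RemoveHostsEntry is the exit-time cleanup: it deletes only lines that both
// carry our marker and map name, leaving everything else byte-for-byte intact.
func RemoveHostsEntry(content, name string) string {
	var kept []string
	for _, line := range strings.Split(content, "\n") {
		if strings.Contains(line, hostsMarker) && lineMapsName(line, name) {
			continue
		}
		kept = append(kept, line)
	}
	return strings.Join(kept, "\n")
}

func main() {
	// Constructed sample hosts content; on Windows the real file lives at
	// %SystemRoot%\System32\drivers\etc\hosts and needs elevation to write.
	hosts := "127.0.0.1\tlocalhost\n"
	hosts = AddHostsEntry(hosts, "127.0.0.1", "rmm-hunter")
	fmt.Print(hosts)
	fmt.Print(RemoveHostsEntry(hosts, "rmm-hunter"))
}
```

Because removal is keyed on the marker rather than on the hostname alone, a pre-existing `rmm-hunter` line written by someone else is detected by `HasHostsEntry` (so no duplicate is added) but survives cleanup.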
The web interface provides:
- Real-time hunt execution with live log streaming via WebSockets
- Interactive elimination interface with visual feedback
- Previous hunt report browsing and analysis
- Modern, responsive UI accessible from any browser on the local machine
The hunt module performs deep system analysis across multiple detection vectors:
- Process Analysis - Identifies suspicious running processes associated with known RMM tools
- Service Enumeration - Detects RMM-related Windows services, including those in unusual installation paths
- Binary Discovery - Locates RMM executables across common and uncommon installation directories
- Registry Analysis - Examines autorun entries and persistence mechanisms
- Network Connection Monitoring - Identifies active outbound connections to known RMM infrastructure
- Scheduled Task Detection - Discovers RMM-related scheduled tasks used for persistence
- Directory Scanning - Searches for RMM installation directories and artifacts
- AutoRun Analysis - Searches for RMM persistence in Windows AutoRuns locations, including COM services and registry keys
RMM-Hunter maintains an extensive signature database covering:
- TeamViewer, AnyDesk, LogMeIn, ScreenConnect
- Remote Utilities, UltraVNC, RealVNC, TightVNC
- Atera, NinjaRMM, ConnectWise, Syncro
- 500+ additional RMM tools and variants
The tool implements intelligent filtering to reduce false positives while flagging suspicious installation paths and configurations.
RMM-Hunter generates comprehensive reports in multiple formats:
- JSON - Machine-readable format for integration with SIEM and automation platforms
- HTML - Interactive web-based report with filtering and search capabilities
The HTML report includes:
- Executive summary with detection statistics
- Detailed findings across all detection categories
- Metadata including detection time and system information
- Built-in search and filter functionality for large result sets
- Windows Operating System (Windows 10/11 or Windows Server 2016+)
- Administrator privileges (required for service and process enumeration); the application will automatically request UAC elevation if not running as administrator
- Go 1.24+ (for building from source)
Download the latest compiled binary (rmm-hunter.exe) from the releases page and run it with administrator privileges.
The Scurvy library is not publicly accessible, so building this tool from source is not possible at the moment.
Launch the web interface by simply running the executable without arguments:
```powershell
.\rmm-hunter.exe
```
This will:
- Check for administrator privileges and request UAC elevation if needed
- Start a web server on port 80
- Add rmm-hunter to your hosts file (pointing to 127.0.0.1)
- Automatically open your browser to http://rmm-hunter
From the web interface, you can:
- Execute hunts with real-time progress monitoring
- View and analyze previous hunt reports
- Perform elimination operations on detected RMM software
- Access all functionality through an intuitive browser-based UI
The hosts file entry is automatically cleaned up when you exit the application.
Execute a comprehensive system scan from the command line:
```powershell
.\rmm-hunter.exe hunt
```
With a custom output file:
```powershell
.\rmm-hunter.exe hunt --output custom-report.json
```
Exclude specific RMM tools from detection:
```powershell
.\rmm-hunter.exe hunt --exclude TeamViewer,AnyDesk
```
The elimination module provides both web-based and command-line interfaces for removing detected RMM installations from your system. Both interfaces automatically request UAC elevation if administrator privileges are required.
The web interface provides a modern, browser-based elimination experience:
```powershell
.\rmm-hunter.exe
```
Or explicitly launch the web-based elimination interface:
```powershell
.\rmm-hunter.exe eliminate --web
```
The web interface offers:
- Visual representation of all detected RMM components
- Real-time elimination with progress feedback
- Dependency checking to prevent system instability
- Interactive browsing of previous hunt reports
- Live log streaming during operations
Launch the interactive CLI elimination interface:
```powershell
.\rmm-hunter.exe eliminate --cli
```
The CLI component operates through a multi-stage interactive workflow designed to provide granular control over the elimination process. When launched, the interface guides you through the following stages:
Stage 1: Report Selection
The interface scans the current directory for JSON hunt reports and presents them in a navigable list. You can browse available reports using arrow keys and select one by pressing Enter. The file picker automatically filters for valid JSON files generated by previous hunt operations.
Stage 2: Category Selection
After loading a report, you are presented with seven elimination categories corresponding to the detection vectors from the hunt module. Each category is accessible via numeric keys (1-7):
- AutoRuns - Registry-based persistence mechanisms
- Binaries - Executable files on disk
- Connections - Active network connections
- Directories - Installation directories
- Processes - Running processes
- Scheduled Tasks - Task Scheduler entries
- Services - Windows services
Stage 3: Item List View
Upon selecting a category, the interface displays all detected items within that category. Each item shows relevant identifying information such as process names, file paths, service names, or connection details. Items that have already been eliminated are marked with a checkmark and displayed in green to provide visual feedback on remediation progress. You can navigate through the list using arrow keys and select an item for detailed inspection by pressing Enter.
Stage 4: Detail View and Elimination
The detail view presents comprehensive information about the selected item, including all metadata collected during the hunt phase. For each item type, the interface displays specific details:
For processes, you see the process name, PID, parent PID, command-line arguments, creation time, and executable path. For services, the display includes service name, display name, service type, start type, binary path, start account, and description. For autoruns, you see the entry name, launch string, registry location, image path, arguments, and file hashes (MD5, SHA1, SHA256). For binaries and directories, the full path is shown. For network connections, local and remote addresses, remote hostname, connection state, associated PID, and process name are displayed. For scheduled tasks, the name, author, state, enabled status, last result, next run time, last run time, and task path are presented.
From the detail view, pressing the exclamation mark (!) key initiates the elimination process for that specific item. The system performs intelligent dependency checking before elimination to prevent system instability.
Dependency Validation
Before eliminating binaries or directories, the system checks whether any active processes or enabled services are currently using those resources. If a dependency is detected, a warning modal appears explaining the conflict and suggesting the proper elimination order. For example, if you attempt to delete a binary that is currently in use by a running process, the system will warn you to eliminate the process first. Similarly, if a directory contains binaries used by active services, you must stop and remove those services before the directory can be deleted.
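The dependency check described above is what keeps an elimination run from deleting a file out from under a running service and leaving the host in a half-removed state. The Go example below is added here to illustrate that check and is not RMM-Hunter's or Scurvy's code: the `Process`/`Service` structs carry only fields the README says the detail view shows, the `Eliminated` flag is this example's assumption for "already remediated", and the hunt data in `main` is constructed. It returns the conflicts and the suggested order (terminate the process, or stop and remove the service, before the binary or directory goes).

```go
package main

import (
	"fmt"
	"strings"
)

// Process and Service carry the fields the README says the detail view shows;
// the Eliminated flag is this example's assumption for "already remediated".
type Process struct {
	Name       string
	PID        int
	Path       string
	Eliminated bool
}

type Service struct {
	Name       string
	StartType  string // "Automatic", "Manual", "Disabled"
	BinaryPath string // as stored by the SCM, possibly quoted, possibly with arguments
	Eliminated bool
}

type Report struct {
	Processes []Process
	Services  []Service
}

// Conflict is one reason an item cannot be deleted yet.
type Conflict struct {
	Kind   string // "process" or "service"
	Name   string
	Advice string
}

// normalize makes Windows paths comparable regardless of case or separator
// (done by hand so the example also runs on non-Windows hosts).
func normalize(p string) string {
	return strings.ToLower(strings.ReplaceAll(p, "\\", "/"))
}

// exeFromCommand extracts the executable from an SCM binary path such as
// "C:\X\svc.exe" --service. An unquoted path containing spaces is ambiguous
// (the classic unquoted-service-path problem); it is cut at the first space.
func exeFromCommand(cmd string) string {
	cmd = strings.TrimSpace(cmd)
	if strings.HasPrefix(cmd, `"`) {
		if end := strings.Index(cmd[1:], `"`); end >= 0 {
			return cmd[1 : end+1]
		}
		return cmd[1:]
	}
	if i := strings.IndexAny(cmd, " \t"); i >= 0 {
		return cmd[:i]
	}
	return cmd
}

// underDir is a prefix test with a trailing separator, so "AnyDesk" does not
// match a sibling directory named "AnyDeskOther".
func underDir(p, dir string) bool {
	d := strings.TrimSuffix(normalize(dir), "/") + "/"
	return strings.HasPrefix(normalize(p), d)
}

// dependants lists live processes and enabled services whose executable
// satisfies uses; items already eliminated no longer count as dependants.
func dependants(r Report, uses func(exe string) bool, what string) []Conflict {
	var cs []Conflict
	for _, p := range r.Processes {
		if !p.Eliminated && uses(p.Path) {
			cs = append(cs, Conflict{"process", fmt.Sprintf("%s (PID %d)", p.Name, p.PID),
				"terminate the process before deleting the " + what})
		}
	}
	for _, s := range r.Services {
		if !s.Eliminated && !strings.EqualFold(s.StartType, "Disabled") && uses(exeFromCommand(s.BinaryPath)) {
			cs = append(cs, Conflict{"service", s.Name,
				"stop and remove the service before deleting the " + what})
		}
	}
	return cs
}

// CheckBinaryDependencies: who is running, or registered to run, this file?
func CheckBinaryDependencies(r Report, binary string) []Conflict {
	b := normalize(binary)
	return dependants(r, func(exe string) bool { return normalize(exe) == b }, "binary")
}

// CheckDirectoryDependencies: who runs, or is registered to run, anything below dir?
func CheckDirectoryDependencies(r Report, dir string) []Conflict {
	return dependants(r, func(exe string) bool { return underDir(exe, dir) }, "directory")
}

func main() {
	// Constructed hunt data, not from a real system.
	r := Report{
		Processes: []Process{{Name: "AnyDesk.exe", PID: 4120, Path: `C:\Users\alice\AppData\Roaming\AnyDesk\AnyDesk.exe`}},
		Services:  []Service{{Name: "AnyDesk", StartType: "Automatic", BinaryPath: `"C:\Users\alice\AppData\Roaming\AnyDesk\AnyDesk.exe" --service`}},
	}
	for _, c := range CheckDirectoryDependencies(r, `C:\Users\alice\AppData\Roaming\AnyDesk`) {
		fmt.Printf("%s %s: %s\n", c.Kind, c.Name, c.Advice)
	}
}
```

Disabled services are deliberately not counted as dependants, matching the README's "enabled services" wording; a service set to Disabled cannot start the binary again, so deleting the file cannot break it further.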
Elimination Actions
Each category type performs specific elimination operations:
Processes are terminated using their PID. Services are stopped and then deleted from the service control manager. Binaries are removed from the filesystem. Directories are recursively deleted along with all contents. AutoRun entries are removed from their respective registry locations. Scheduled tasks are disabled and then deleted from the Task Scheduler. Network connections result in the creation of Windows Firewall outbound block rules for the remote host, preventing future connections to that destination.
State Persistence
After each successful elimination, the system updates the JSON report file to mark the item as eliminated. This ensures that if you exit and restart the elimination interface, previously eliminated items remain marked and visually distinguished. The persistent state allows you to work through large result sets across multiple sessions without losing track of your progress.
Navigation
Throughout the interface, you can navigate backward using the left arrow key to return to the previous screen. Pressing 'q', 'Esc', or 'Ctrl+C' at any point will exit the application. The interface provides contextual help at each stage, displaying available keyboard shortcuts and actions.
RMM-Hunter is built on Scurvy, a custom low-level OS exploitation repository (private). Scurvy provides the core capabilities for low-level Windows API interactions, process and service management, registry operations, network connection enumeration, and WMI query execution. The modular architecture allows for extensible detection capabilities while maintaining performance and stability.
```json
{
  "processes": [...],
  "services": [...],
  "binaries": [...],
  "autoRuns": [...],
  "scheduledTasks": [...],
  "outboundConnections": [...],
  "directories": []
}
```
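The JSON layout above is also what the elimination interface writes back to after each successful elimination (State Persistence, earlier). As an added example, not RMM-Hunter's code, the Go below reads a report with the seven category keys exactly as listed, produces the per-category totals an executive summary needs, and marks one item as remediated while preserving every other field unchanged. The per-item field names and the `eliminated` flag are this example's assumptions; the sample report is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// categories are exactly the keys the README's JSON layout names.
var categories = []string{
	"processes", "services", "binaries", "autoRuns",
	"scheduledTasks", "outboundConnections", "directories",
}

// report keeps each item as a generic object so fields the README does not
// spell out survive a read-modify-write round trip unchanged.
type report map[string][]map[string]any

// Counts is the executive-summary figure per category.
type Counts struct{ Total, Open int }

func parseReport(data []byte) (report, error) {
	var r report
	if err := json.Unmarshal(data, &r); err != nil {
		return nil, fmt.Errorf("invalid hunt report: %w", err)
	}
	return r, nil
}

// Summary counts findings per category and how many are still open. The
// "eliminated" flag is this example's assumed marker for remediated items.
func Summary(data []byte) (map[string]Counts, error) {
	r, err := parseReport(data)
	if err != nil {
		return nil, err
	}
	out := make(map[string]Counts, len(categories))
	for _, c := range categories {
		var n Counts
		for _, item := range r[c] {
			n.Total++
			if done, _ := item["eliminated"].(bool); !done {
				n.Open++
			}
		}
		out[c] = n
	}
	return out, nil
}

// MarkEliminated flags one finding as remediated and returns the report to
// write back, so a restarted session still shows the item as done.
func MarkEliminated(data []byte, category string, index int) ([]byte, error) {
	r, err := parseReport(data)
	if err != nil {
		return nil, err
	}
	items, ok := r[category]
	if !ok {
		return nil, fmt.Errorf("unknown category %q", category)
	}
	if index < 0 || index >= len(items) {
		return nil, fmt.Errorf("%s: index %d out of range (%d items)", category, index, len(items))
	}
	items[index]["eliminated"] = true
	return json.MarshalIndent(r, "", "  ")
}

// sampleReport is a constructed hunt report, not real RMM-Hunter output.
const sampleReport = `{
  "processes": [{"name": "AnyDesk.exe", "pid": 4120}],
  "services": [{"name": "AnyDesk", "startType": "Automatic"}],
  "binaries": [{"path": "C:\\Users\\alice\\Downloads\\AnyDesk.exe"}],
  "autoRuns": [],
  "scheduledTasks": [],
  "outboundConnections": [],
  "directories": []
}`

func main() {
	out, err := MarkEliminated([]byte(sampleReport), "processes", 0)
	if err != nil {
		panic(err)
	}
	s, _ := Summary(out)
	fmt.Printf("processes: %d total, %d open\n", s["processes"].Total, s["processes"].Open)
}
```

Writing the whole report back through a generic map, rather than through typed structs, is what lets the tool record progress without dropping any metadata the hunt collected (hashes, command lines, timestamps) that the elimination code does not itself model.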
Interactive web-based report with:
- Sortable tables
- Real-time search filtering
- Category-based navigation
- Responsive design for mobile viewing
RMM-Hunter employs multiple detection strategies:
- Signature-based Detection - Matches against known RMM executable names and paths
- Behavioral Analysis - Identifies suspicious installation locations and configurations
- Network Indicators - Detects connections to known RMM infrastructure domains
- Persistence Mechanisms - Analyzes autorun entries and scheduled tasks
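The signature and path-based strategies above, together with the false-positive filtering mentioned earlier (flagging suspicious installation paths rather than every hit, and honouring `--exclude`), can be shown in a few dozen lines. The Go example below is added for illustration and is not RMM-Hunter's detection engine or signature database: the signature table is a constructed subset using vendors the README lists, the trusted roots are this example's choice, and the paths in `main` are constructed. A match under Program Files is reported as expected; the same executable under a user profile or temp directory is flagged as suspicious.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Finding is one signature hit plus the path-based triage the README describes.
type Finding struct {
	Tool       string
	Path       string
	Suspicious bool
	Reason     string
}

// signatures is a constructed table (tool -> executable basenames) built from
// vendors the README lists; it is not RMM-Hunter's real signature database.
var signatures = map[string][]string{
	"TeamViewer":    {"teamviewer.exe", "teamviewer_service.exe"},
	"AnyDesk":       {"anydesk.exe"},
	"ScreenConnect": {"screenconnect.clientservice.exe"},
}

// trustedRoots are where a vendor-installed, managed agent normally lives; a
// hit anywhere else is what the README calls a suspicious installation path.
var trustedRoots = []string{"c:/program files/", "c:/program files (x86)/"}

// normalize unifies case and separators by hand so the example also runs on
// non-Windows hosts (path.Base is then safe to use instead of filepath.Base).
func normalize(p string) string {
	return strings.ToLower(strings.ReplaceAll(p, "\\", "/"))
}

func excluded(tool string, exclude []string) bool {
	for _, e := range exclude {
		if strings.EqualFold(strings.TrimSpace(e), tool) {
			return true
		}
	}
	return false
}

// Classify matches one executable path against the signature table. Tools in
// exclude (the README's --exclude TeamViewer,AnyDesk) are skipped entirely.
func Classify(exePath string, exclude []string) (Finding, bool) {
	n := normalize(exePath)
	base := path.Base(n)
	for tool, names := range signatures {
		for _, name := range names {
			if base != name {
				continue
			}
			if excluded(tool, exclude) {
				return Finding{}, false
			}
			f := Finding{Tool: tool, Path: exePath, Suspicious: true,
				Reason: "RMM executable outside Program Files"}
			for _, root := range trustedRoots {
				if strings.HasPrefix(n, root) {
					f.Suspicious = false
					f.Reason = "standard vendor install location"
				}
			}
			return f, true
		}
	}
	return Finding{}, false
}

// Scan applies Classify to every path and keeps the hits, in input order.
func Scan(exePaths, exclude []string) []Finding {
	var out []Finding
	for _, p := range exePaths {
		if f, ok := Classify(p, exclude); ok {
			out = append(out, f)
		}
	}
	return out
}

func main() {
	// Constructed process image paths, not from a real host.
	paths := []string{
		`C:\Program Files\TeamViewer\TeamViewer.exe`,
		`C:\Users\alice\AppData\Local\Temp\AnyDesk.exe`,
		`C:\Windows\System32\svchost.exe`,
	}
	for _, f := range Scan(paths, nil) {
		fmt.Printf("%-14s suspicious=%-5v %s\n", f.Tool, f.Suspicious, f.Path)
	}
}
```

The path-based triage is what reduces noise in environments with legitimate RMM deployments: an agent the IT team installed normally lands under Program Files, whereas an agent dropped into a temp or profile directory is worth an analyst's attention regardless of which vendor it belongs to.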
Requires administrative privileges for complete system visibility (UAC elevation prompt will appear if needed). May generate false positives in environments with legitimate RMM deployments. Network detection requires active connections at scan time. The web server requires port 80 to be available on the local machine.
Contributions are welcome. Please submit pull requests with detailed descriptions of changes, test coverage for new detection signatures, and documentation updates.
This project is licensed under the MIT License - see the LICENSE file for details.
If you use RMM-Hunter in your project or research, please provide attribution by including:
- A link back to this repository: https://github.com/KrakenTech/RMM-Hunter
- Credit to KrakenTech LLC (https://krakensec.tech)
Example attribution:
This project uses RMM-Hunter by KrakenTech LLC
https://github.com/KrakenTech/RMM-Hunter
This tool is intended for authorized security assessments and forensic analysis only. Users are responsible for ensuring compliance with applicable laws and regulations. Unauthorized use of this tool may violate computer fraud and abuse laws.
For issues, questions, or feature requests, please open an issue on the GitHub repository.
Note: The underlying Scurvy repository is a custom low-level OS exploitation framework that is not publicly accessible and is maintained privately.
v1.2.0: https://app.any.run/tasks/03b6afcd-308c-4056-bafc-e6514185d922