<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Rmm on Matt Swann — Detection Engineering &amp; Threat Intel</title><link>http://mattswann.dev/tags/rmm/</link><description>Recent content in Rmm on Matt Swann — Detection Engineering &amp; Threat Intel</description><image><title>Matt Swann — Detection Engineering &amp; Threat Intel</title><url>http://mattswann.dev/og-image.png</url><link>http://mattswann.dev/og-image.png</link></image><generator>Hugo</generator><language>en-us</language><lastBuildDate>Fri, 10 Jul 2026 09:00:00 -0600</lastBuildDate><atom:link href="http://mattswann.dev/tags/rmm/index.xml" rel="self" type="application/rss+xml"/><item><title>Detecting Suspicious RMM Tool Execution Chains in Microsoft Defender (T1219)</title><link>http://mattswann.dev/posts/suspicious-rmm-execution-chains/</link><pubDate>Fri, 10 Jul 2026 09:00:00 -0600</pubDate><guid>http://mattswann.dev/posts/suspicious-rmm-execution-chains/</guid><description>One of the most common initial access vectors into environments by threat actors is through use of legitimate RMM tooling, offering both hands-on-keyboard access as well as stealth. Read more below for some considerations on detecting such activity.</description></item></channel></rss>