Multiple Remote Management Tool Vendors on Same Host
Identifies a Windows host where two or more distinct remote monitoring and management (RMM) or remote-access tool vendors are observed starting processes within the same eight-minute window. Legitimate MSP environments may run multiple tools, but this pattern can also indicate compromise, shadow IT, or attacker staging of redundant access. Processes are mapped to a single vendor label so multiple binaries from the same vendor do not inflate the count.
Rule type: esql
Rule indices: None
Severity: medium
Risk score: 47
Runs every: 8m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- OS: Windows
- Use Case: Threat Detection
- Tactic: Command and Control
- Resources: Investigation Guide
- Data Source: Elastic Defend
- Data Source: Sysmon
- Data Source: SentinelOne
- Data Source: Microsoft Defender XDR
- Data Source: Crowdstrike
- Data Source: Windows Security Event Logs
- Data Source: Elastic Endgame
- Data Source: Winlogbeat
Version: 3
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
Triage and analysis
Investigating Multiple Remote Management Tool Vendors on Same Host
This rule aggregates process start events by host.id, host name, and a nine-minute time bucket. Data can come from Elastic Defend, Sysmon, Winlogbeat, Windows Security / forwarded events, Microsoft Defender XDR, SentinelOne, CrowdStrike FDR, or Elastic Endgame, wherever ECS process fields are populated. Each known RMM-related process name maps to one vendor label (e.g. TeamViewer, AnyDesk, ScreenConnect). If two or more different vendor labels appear in the same bucket, the rule signals.
Possible investigation steps
- Open Esql.vendors_seen and Esql.processes_name_values on the alert to see which tools fired in the window.
- Confirm whether the host is an MSP-managed jump box, helpdesk workstation, or lab where multiple RMM stacks are expected.
- For servers or standard user endpoints, treat as higher risk: review install source, code signatures, and recent logons.
- Correlate with other alerts (ingress tool transfer, suspicious scripting, new persistence) on the same host.id.
- Check asset inventory and change tickets for approved RMM software.
False positive analysis
- MSP / IT tooling: A technician machine with two approved agents (e.g. RMM + remote support) may match. Tune with host or organizational unit exceptions, or raise the vendor threshold if your environment standardizes on a known pair.
- Vendor rebrands or bundles: Rare overlaps during migrations can briefly show two vendors; validate timeline and packages.
Response and remediation
- If unauthorized or unexplained: isolate the host, inventory installed remote-access software, remove unapproved tools, and reset credentials that may have been exposed. Enforce a single approved RMM stack per asset class where possible.
Setup
This rule is designed for data generated by Elastic Defend, which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.
Setup instructions: https://ela.st/install-elastic-defend
Additional data sources
This rule also supports the following third-party data sources. For setup instructions, refer to the links below:
Rule query
from logs-endpoint.events.process-*, endgame-*, logs-crowdstrike.fdr*, logs-m365_defender.event-*, logs-sentinel_one_cloud_funnel.*, logs-system.security*, logs-windows.sysmon_operational-*, logs-windows.forwarded*, winlogbeat-* metadata _id, _version, _index
| where (host.os.type == "windows" or host.os.family == "windows")
and event.category == "process"
and event.type == "start"
and process.name is not null
| eval Esql.rmm_vendor = case(
process.name == "AeroAdmin.exe", "AeroAdmin",
process.name == "AnyDesk.exe", "AnyDesk",
process.name == "AteraAgent.exe", "Atera",
process.name == "AweSun.exe", "AweSun",
process.name like "aweray_remote*.exe", "AweSun",
process.name == "apc_Admin.exe", "APC",
process.name == "apc_host.exe", "APC",
process.name == "BASupSrvc.exe", "BeyondTrust",
process.name == "bomgar-scc.exe", "BeyondTrust",
process.name == "Remote Support.exe", "BeyondTrust",
process.name == "B4-Service.exe", "BeyondTrust",
process.name == "CagService.exe", "BarracudaRMM",
process.name == "domotzagent.exe", "Domotz",
process.name == "domotz-windows-x64-10.exe", "Domotz",
process.name == "dwagsvc.exe", "DWService",
process.name == "DWRCC.exe", "DWService",
process.name like "fleetdeck_commander*.exe", "FleetDeck",
process.name == "getscreen.exe", "GetScreen",
process.name == "g2aservice.exe", "GoTo",
process.name == "GoToAssistService.exe", "GoTo",
process.name == "gotohttp.exe", "GoTo",
process.name == "GoToResolveProcessChecker.exe", "GoTo",
process.name == "GoToResolveUnattended.exe", "GoTo",
process.name == "ImperoClientSVC.exe", "Impero",
process.name == "ImperoServerSVC.exe", "Impero",
process.name == "ISLLight.exe", "ISLOnline",
process.name == "ISLLightClient.exe", "ISLOnline",
process.name == "jumpcloud-agent.exe", "JumpCloud",
process.name == "level.exe", "Level",
process.name == "LvAgent.exe", "Level",
process.name == "LMIIgnition.exe", "LogMeIn",
process.name == "LogMeIn.exe", "LogMeIn",
process.name == "Lunixar.exe", "Lunixar",
process.name == "LunixarRemote.exe", "Lunixar",
process.name == "LunixarUpdater.exe", "Lunixar",
process.name == "ManageEngine_Remote_Access_Plus.exe", "ManageEngine",
process.name == "MeshAgent.exe", "MeshCentral",
process.name == "meshagent.exe", "MeshCentral",
process.name == "Mikogo-Service.exe", "Mikogo",
process.name == "NinjaRMMAgent.exe", "NinjaOne",
process.name == "NinjaRMMAgenPatcher.exe", "NinjaOne",
process.name == "ninjarmm-cli.exe", "NinjaOne",
process.name == "parsec.exe", "Parsec",
process.name == "PService.exe", "Pulseway",
process.name == "r_server.exe", "Radmin",
process.name == "radmin.exe", "Radmin",
process.name == "radmin3.exe", "Radmin",
process.name == "rserver3.exe", "Radmin",
process.name == "vncserver.exe", "RealVNC",
process.name == "vncviewer.exe", "RealVNC",
process.name == "winvnc.exe", "RealVNC",
process.name == "ROMServer.exe", "RealVNC",
process.name == "ROMViewer.exe", "RealVNC",
process.name == "RemotePC.exe", "RemotePC",
process.name == "RemotePCDesktop.exe", "RemotePC",
process.name == "RemotePCService.exe", "RemotePC",
process.name == "RemoteDesktopManager.exe", "Devolutions",
process.name == "RCClient.exe", "RPCSuite",
process.name == "RCService.exe", "RPCSuite",
process.name == "RPCSuite.exe", "RPCSuite",
process.name == "rustdesk.exe", "RustDesk",
process.name == "rutserv.exe", "RemoteUtilities",
process.name == "rutview.exe", "RemoteUtilities",
process.name == "saazapsc.exe", "Kaseya",
process.name like "ScreenConnect*.exe", "ScreenConnect",
process.name == "ScreenConnect.ClientService.exe", "ScreenConnect",
process.name == "Splashtop-streamer.exe", "Splashtop",
process.name == "strwinclt.exe", "Splashtop",
process.name == "SRService.exe", "Splashtop",
process.name == "smpcview.exe", "Splashtop",
process.name == "spclink.exe", "Splashtop",
process.name == "rfusclient.exe", "Splashtop",
process.name == "Supremo.exe", "Supremo",
process.name == "SupremoService.exe", "Supremo",
process.name == "Syncro.Overmind.Service.exe", "Splashtop",
process.name == "SyncroLive.Agent.Runner.exe", "Splashtop",
process.name == "Syncro.Installer.exe", "Splashtop",
process.name == "tacticalrmm.exe", "TacticalRMM",
process.name == "tailscale.exe", "Tailscale",
process.name == "tailscaled.exe", "Tailscale",
process.name == "teamviewer.exe", "TeamViewer",
process.name == "ticlientcore.exe", "Tiflux",
process.name == "TiAgent.exe", "Tiflux",
process.name == "ToDesk_Service.exe", "ToDesk",
process.name == "twingate.exe", "Twingate",
process.name == "tvn.exe", "TightVNC",
process.name == "tvnserver.exe", "TightVNC",
process.name == "tvnviewer.exe", "TightVNC",
process.name == "winwvc.exe", "TightVNC",
process.name like "UltraVNC*.exe", "UltraVNC",
process.name like "UltraViewer*.exe", "UltraViewer",
process.name like "AA_v*.exe", "AnyAssist",
process.name == "Velociraptor.exe", "Velociraptor",
process.name == "ToolsIQ.exe", "ToolsIQ",
process.name == "session_win.exe", "ZohoAssist",
process.name == "Zaservice.exe", "ZohoAssist",
process.name == "ZohoURS.exe", "ZohoAssist",
""
)
| where Esql.rmm_vendor != "" and Esql.rmm_vendor is not NULL
| stats Esql.vendor_count = count_distinct(Esql.rmm_vendor),
Esql.vendors_seen = values(Esql.rmm_vendor),
Esql.processes_executable_values = values(process.executable),
Esql.first_seen = min(@timestamp),
Esql.last_seen = max(@timestamp)
by host.name, host.id
| where Esql.vendor_count >= 2
| sort Esql.vendor_count desc
| keep host.id, host.name, Esql.*
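To test the rule's logic offline (the process-name to vendor mapping, the vendor-level de-duplication, and the per-host distinct-vendor threshold described in the triage section), the following Python is an added example, not part of the Elastic rule or its repository. It re-implements a subset of the case() table above in plain Python; the VENDOR_MAP subset, the host names, timestamps and events are all constructed for illustration, and the case-sensitive matching mirrors ES|QL's behaviour on keyword fields. The min_vendors parameter shows the "raise the vendor threshold" tuning option from the false-positive section.

```python
from fnmatch import fnmatchcase

# Constructed subset of the rule's process-name -> vendor table.
# Entries with "*" correspond to the ES|QL `like` patterns; the rest to `==`.
VENDOR_MAP = [
    ("AnyDesk.exe", "AnyDesk"),
    ("teamviewer.exe", "TeamViewer"),
    ("ScreenConnect*.exe", "ScreenConnect"),
    ("ScreenConnect.ClientService.exe", "ScreenConnect"),
    ("vncserver.exe", "RealVNC"),
    ("winvnc.exe", "RealVNC"),
    ("aweray_remote*.exe", "AweSun"),
    ("rustdesk.exe", "RustDesk"),
]


def rmm_vendor(process_name):
    """Return the first matching vendor label, or "" like the case() default.

    fnmatchcase is case-sensitive, matching ES|QL ==/like on keyword fields
    (which is why the real rule lists both MeshAgent.exe and meshagent.exe).
    """
    for pattern, vendor in VENDOR_MAP:
        if fnmatchcase(process_name, pattern):
            return vendor
    return ""


def evaluate_hosts(events, min_vendors=2):
    """Apply the rule's filters, group by (host.id, host.name), count distinct
    vendors and return the rows that meet the threshold, highest count first."""
    rows = {}
    for ev in events:
        # Same predicates as the rule's first `where` clause.
        if ev.get("host.os.type") != "windows" and ev.get("host.os.family") != "windows":
            continue
        if ev.get("event.category") != "process" or ev.get("event.type") != "start":
            continue
        name = ev.get("process.name")
        if name is None:
            continue
        vendor = rmm_vendor(name)
        if vendor == "":
            continue  # not an RMM binary the rule knows about
        key = (ev["host.id"], ev["host.name"])
        row = rows.setdefault(key, {"vendors": set(), "executables": set(),
                                    "first": None, "last": None})
        row["vendors"].add(vendor)  # set => several binaries of one vendor count once
        row["executables"].add(ev.get("process.executable"))
        ts = ev["@timestamp"]
        row["first"] = ts if row["first"] is None or ts < row["first"] else row["first"]
        row["last"] = ts if row["last"] is None or ts > row["last"] else row["last"]

    results = []
    for (host_id, host_name), row in rows.items():
        if len(row["vendors"]) >= min_vendors:
            results.append({
                "host.id": host_id,
                "host.name": host_name,
                "Esql.vendor_count": len(row["vendors"]),
                "Esql.vendors_seen": sorted(row["vendors"]),
                "Esql.processes_executable_values": sorted(e for e in row["executables"] if e),
                "Esql.first_seen": row["first"],
                "Esql.last_seen": row["last"],
            })
    results.sort(key=lambda r: r["Esql.vendor_count"], reverse=True)
    return results


def _ev(host, name, ts, exe=None, os_type="windows", etype="start"):
    """Build one constructed ECS-style process event (helper for the sample below)."""
    return {"host.id": host.lower(), "host.name": host, "host.os.type": os_type,
            "event.category": "process", "event.type": etype, "process.name": name,
            "process.executable": exe or f"C:\\Program Files\\{name}", "@timestamp": ts}


# Constructed sample: WS-A has two vendors, WS-B three, WS-C only one vendor
# (two ScreenConnect binaries), and WS-A's process-end event is ignored.
SAMPLE_EVENTS = [
    _ev("WS-A", "teamviewer.exe", "2024-06-01T10:00:00Z"),
    _ev("WS-A", "AnyDesk.exe", "2024-06-01T10:03:00Z"),
    _ev("WS-A", "rustdesk.exe", "2024-06-01T10:04:00Z", etype="end"),
    _ev("WS-B", "vncserver.exe", "2024-06-01T10:01:00Z"),
    _ev("WS-B", "winvnc.exe", "2024-06-01T10:02:00Z"),
    _ev("WS-B", "ScreenConnect.ClientService.exe", "2024-06-01T10:05:00Z"),
    _ev("WS-B", "rustdesk.exe", "2024-06-01T10:06:00Z"),
    _ev("WS-C", "ScreenConnect.WindowsClient.exe", "2024-06-01T10:02:00Z"),
    _ev("WS-C", "ScreenConnect.ClientService.exe", "2024-06-01T10:02:30Z"),
]

if __name__ == "__main__":
    for row in evaluate_hosts(SAMPLE_EVENTS):
        print(row["host.name"], row["Esql.vendor_count"], row["Esql.vendors_seen"])
```

Running it prints WS-B with three vendors and WS-A with two; WS-C never appears because both of its binaries collapse to the single ScreenConnect label, which is the de-duplication the rule description relies on. Calling evaluate_hosts(SAMPLE_EVENTS, min_vendors=3) leaves only WS-B, the effect of raising the threshold for environments that standardize on a known pair of agents.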
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Command and Control
  - ID: TA0011
  - Reference URL: https://attack.mitre.org/tactics/TA0011/
- Technique:
  - Name: Remote Access Tools
  - ID: T1219
  - Reference URL: https://attack.mitre.org/techniques/T1219/
- Sub-technique:
  - Name: Remote Desktop Software
  - ID: T1219.002
  - Reference URL: https://attack.mitre.org/techniques/T1219/002/