First Time Seen DNS Query to RMM Domain

Detects DNS queries to commonly abused remote monitoring and management (RMM) or remote access software domains from processes that are not browsers. Intended to surface RMM clients, scripts, or other non-browser activity contacting these services.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2026/03/03"
  3integration = ["endpoint", "windows"]
  4maturity = "production"
  5updated_date = "2026/07/02"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Detects DNS queries to commonly abused remote monitoring and management (RMM) or remote access software domains from processes that are not browsers. 
 11Intended to surface RMM clients, scripts, or other non-browser activity contacting these services.
 12"""
 13from = "now-7205m"
 14interval = "5m"
 15language = "esql"
 16license = "Elastic License v2"
 17name = "First Time Seen DNS Query to RMM Domain"
 18note = """## Triage and analysis
 19
 20### Investigating First Time Seen DNS Query to RMM Domain
 21
 22This rule flags DNS queries to commonly abused RMM or remote access domains when the requesting process is not a browser. Legitimate RMM and remote desktop software is frequently abused for C2, persistence, and lateral movement.
 23
 24### Possible investigation steps
 25
 26- Identify the process process.executable that performed the DNS query and verify if it is an approved RMM or remote access tool.
 27- Review the full process tree and parent process to understand how the binary was launched.
 28- Check process.code_signature for trusted RMM publishers; unsigned or unexpected signers may indicate abuse or trojanized installers.
 29- Correlate with the companion rule "First Time Seen Remote Monitoring and Management Tool" for the same host to see if the RMM process was first-time seen.
 30- Investigate other alerts for the same host or user in the past 48 hours.
 31
 32### False positive analysis
 33
 34- Approved RMM or remote support tools used by IT will trigger this rule; consider allowlisting by process path or code signer for known managed tools.
 35- Some updaters or installers (e.g. signed by the RMM vendor) may resolve these domains; combine with process name or parent context to reduce noise.
 36
 37### Response and remediation
 38
 39- If unauthorized RMM use is confirmed: isolate the host, remove the RMM software, rotate credentials, and block the domains at DNS/firewall where policy permits.
 40- Enforce policy that only approved RMM tools from approved publishers may be used, and only by authorized staff.
 41"""
 42
 43setup = """## Setup
 44
 45This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.
 46
 47Setup instructions: https://ela.st/install-elastic-defend
 48
 49### Additional data sources
 50
 51This rule also supports the following third-party data sources. For setup instructions, refer to the links below:
 52
 53- [Sysmon Event ID 22 - DNS Query](https://ela.st/sysmon-event-22-setup)
 54"""
 55
 56references = [
 57    "https://attack.mitre.org/techniques/T1219/002/",
 58    "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a",
 59    "https://lolrmm.io/",
 60]
 61risk_score = 47
 62rule_id = "e5f6a7b8-c9d0-8e1f-2a3b-4c5d6e7f8a9b"
 63severity = "medium"
 64tags = [
 65    "Domain: Endpoint",
 66    "OS: Windows",
 67    "Use Case: Threat Detection",
 68    "Tactic: Command and Control",
 69    "Resources: Investigation Guide",
 70    "Data Source: Elastic Defend",
 71    "Data Source: Sysmon"
 72]
 73timestamp_override = "event.ingested"
 74type = "esql"
 75
 76query = '''
 77FROM logs-endpoint.events.network-*, logs-windows.sysmon_operational-* METADATA _index
 78| WHERE host.os.type == "windows"
 79    AND event.category == "network"
 80    AND event.action in ("lookup_requested", "DNSEvent (DNS query)")
 81    AND dns.question.name IS NOT NULL
 82
 83// Exclude browser processes
 84| WHERE NOT
 85    process.name IN (
 86        "chrome.exe", "msedge.exe", "MicrosoftEdge.exe", "MicrosoftEdgeCP.exe",
 87        "firefox.exe", "iexplore.exe", "safari.exe", "brave.exe",
 88        "opera.exe", "vivaldi.exe", "msedgewebview2.exe"
 89    )
 90
 91// Extract the parent domain (last two labels, e.g. example.com)
 92| GROK dns.question.name """(?:[^.]+\.)+(?<parent_domain>[^.]+\.[^.]+)$"""
 93| EVAL parent_domain = COALESCE(parent_domain, dns.question.name)
 94
 95// Known RMM parent domains, add or remove entries here as your environment changes.
 96| WHERE parent_domain IN (
 97    "01com.com",
 98    "247ithelp.com",
 99    "action1.com",
100    "addigy.com",
101    "aeroadmin.com",
102    "ammyy.com",
103    "anydesk.com",
104    "anyplace-control.com",
105    "anysupport.net",
106    "atera.com",
107    "aurelius.host",
108    "auvik.com",
109    "aweray.com",
110    "aweray.net",
111    "backdrop.cloud",
112    "barracudamsp.com",
113    "beamyourscreen.com",
114    "beanywhere.com",
115    "beinsync.com",
116    "beinsync.net",
117    "beyondtrustcloud.com",
118    "bomgar.com",
119    "bomgarcloud.com",
120    "centrastage.net",
121    "centuriontech.com",
122    "connectwise.com",
123    "crossloop.com",
124    "dameware.com",
125    "datto.com",
126    "datto.net",
127    "deskday.ai",
128    "deskroll.com",
129    "desktopstreaming.com",
130    "distantdesktop.com",
131    "donkz.nl",
132    "dwservice.net",
133    "ehorus.com",
134    "electric.ai",
135    "emcosoftware.com",
136    "ericom.com",
137    "fastsupport.com",
138    "fastviewer.com",
139    "fixme.it",
140    "fleetdeck.io",
141    "gatherplace.com",
142    "gatherplace.net",
143    "getgo.com",
144    "getscreen.me",
145    "gotoassist.at",
146    "gotoassist.com",
147    "gotoassist.me",
148    "gotohttp.com",
149    "gotoresolve.com",
150    "goverlan.com",
151    "heartbeatrm.com",
152    "helpme.net",
153    "helpwire.app",
154    "hoptodesk.com",
155    "hostedrmm.com",
156    "immy.bot",
157    "immybot.com",
158    "imperosoftware.com",
159    "instanthousecall.com",
160    "instanthousecall.net",
161    "intelliadmin.com",
162    "internapcdn.net",
163    "internetid.ru",
164    "iperius-rs.com",
165    "iperius.net",
166    "iperiusremote.com",
167    "islonline.com",
168    "islonline.net",
169    "itarian.com",
170    "itsupport247.net",
171    "jumpcloud.com",
172    "jumpdesktop.com",
173    "jumpto.me",
174    "kabuto.io",
175    "kabutoservices.com",
176    "kaseya.com",
177    "kaseya.net",
178    "kickidler.com",
179    "laplink.com",
180    "level.io",
181    "liongard.com",
182    "litemanager.com",
183    "litemanager.ru",
184    "logicnow.com",
185    "logmein-gateway.com",
186    "logmein.com",
187    "logmeininc.com",
188    "logmeinrescue.com",
189    "logmeinrescue.eu",
190    "lunixar.com",
191    "meshcentral.com",
192    "mikogo.com",
193    "mikogo4.com",
194    "miradore.com",
195    "msp360.com",
196    "mygreenpc.com",
197    "n-able.com",
198    "naverisk.com",
199    "nchuser.com",
200    "netop.com",
201    "netsupportmanager.com",
202    "netsupportsoftware.com",
203    "netviewer.com",
204    "ninjaone.com",
205    "ninjarmm.com",
206    "ninjarmm.net",
207    "nomachine.com",
208    "ntrsupport.com",
209    "opti-tune.com",
210    "optitune.us",
211    "oray.com",
212    "oray.net",
213    "panorama9.com",
214    "parsec.app",
215    "parsecusercontent.com",
216    "pcvisit.de",
217    "pilixo.com",
218    "playanext.com",
219    "pulseway.com",
220    "qetqo.com",
221    "r-hud.net",
222    "real-time-collaboration.com",
223    "remmon.hu",
224    "remote.it",
225    "remote.management",
226    "remotecall.com",
227    "remotedesktop.com",
228    "remotepc.com",
229    "remotetopc.com",
230    "remoteutilities.com",
231    "remotix.com",
232    "remotly.com",
233    "repairshopr.com",
234    "rmansys.ru",
235    "rmmservice.ca",
236    "rmmservice.eu",
237    "royalapps.com",
238    "rport.io",
239    "rudesktop.ru",
240    "rustdesk.com",
241    "rview.com",
242    "screenconnect.com",
243    "screenmeet.com",
244    "scrn.mt",
245    "servably.com",
246    "server-eye.de",
247    "set.me",
248    "setme.net",
249    "showmypc.com",
250    "signalserver.xyz",
251    "simple-help.com",
252    "skyfex.com",
253    "sorillus.com",
254    "splashtop.com",
255    "splashtop.eu",
256    "spyanywhere.com",
257    "spytech-web.com",
258    "startsupport.com",
259    "superops.ai",
260    "superops.com",
261    "superopsalpha.com",
262    "superopsbeta.com",
263    "supremocontrol.com",
264    "swi-rc.com",
265    "swi-tc.com",
266    "syncroapi.com",
267    "syncromsp.com",
268    "syspectr.com",
269    "system-monitor.com",
270    "systemmonitor.us",
271    "tacticalrmm.com",
272    "tailscale.com",
273    "teamviewer.com",
274    "techinline.net",
275    "tele-desk.com",
276    "tiflux.com",
277    "tightvnc.com",
278    "tmate.io",
279    "todesk.com",
280    "twingate.com",
281    "ultraviewer.net",
282    "ultravnc.com",
283    "vnc.com",
284    "weezo.me",
285    "weezo.net",
286    "xeox.com",
287    "zoho.eu",
288    "zohoassist.com",
289    "zohoassist.jp"
290)
291
292// Aggregate by parent domain and get 1st time seen timestamp as well as unique count of agents
293| STATS
294    event_count = COUNT(*),
295    Esql.first_time_seen = MIN(@timestamp),
296    Esql.count_distinct_host_id = COUNT_DISTINCT(host.id),
297    Esql.process_executable_values = VALUES(process.executable),
298    Esql.dns_question_name_values = VALUES(dns.question.name),
299    Esql.host_name_values = VALUES(host.name),
300    Esql.host_id_values = VALUES(host.id),
301    Esql.user_name_values = VALUES(user.name),
302    Esql.user_id_values = VALUES(user.id),
303    Esql.namespace_values = VALUES(data_stream.namespace) BY parent_domain
304
305// Calculate the time difference between first time seen and rule execution time
306| eval Esql.recent = DATE_DIFF("minute", Esql.first_time_seen, now())
307
308// First time seen is within 6m of the rule execution time and first seen in the last 5 days as per the rule from schedule and limited to 1 unique host
309| where Esql.recent <= 6 and Esql.count_distinct_host_id == 1
310
311// populate fields for rule exception and triage
312| eval host.name = MV_FIRST(Esql.host_name_values),
313       host.id = MV_FIRST(Esql.host_id_values),
314       user.name = MV_FIRST(Esql.user_name_values),
315       user.id = MV_FIRST(Esql.user_id_values),
316       data_stream.namespace = MV_FIRST(Esql.namespace_values),
317       process.executable = MV_FIRST(Esql.process_executable_values),
318       dns.question.name = MV_FIRST(Esql.dns_question_name_values)
319| keep host.name, host.id, user.name, user.id, data_stream.namespace, process.executable, dns.question.name, Esql.*
320'''
321
322
323[[rule.threat]]
324framework = "MITRE ATT&CK"
325[[rule.threat.technique]]
326id = "T1219"
327name = "Remote Access Tools"
328reference = "https://attack.mitre.org/techniques/T1219/"
329[[rule.threat.technique.subtechnique]]
330id = "T1219.002"
331name = "Remote Desktop Software"
332reference = "https://attack.mitre.org/techniques/T1219/002/"
333
334[rule.threat.tactic]
335id = "TA0011"
336name = "Command and Control"
337reference = "https://attack.mitre.org/tactics/TA0011/"

Triage and analysis

Investigating First Time Seen DNS Query to RMM Domain

This rule flags DNS queries to commonly abused RMM or remote access domains when the requesting process is not a browser. Legitimate RMM and remote desktop software is frequently abused for C2, persistence, and lateral movement.

Possible investigation steps

  • Identify the process process.executable that performed the DNS query and verify if it is an approved RMM or remote access tool.
  • Review the full process tree and parent process to understand how the binary was launched.
  • Check process.code_signature for trusted RMM publishers; unsigned or unexpected signers may indicate abuse or trojanized installers.
  • Correlate with the companion rule "First Time Seen Remote Monitoring and Management Tool" for the same host to see if the RMM process was first-time seen.
  • Investigate other alerts for the same host or user in the past 48 hours.

False positive analysis

  • Approved RMM or remote support tools used by IT will trigger this rule; consider allowlisting by process path or code signer for known managed tools.
  • Some updaters or installers (e.g. signed by the RMM vendor) may resolve these domains; combine with process name or parent context to reduce noise.

Response and remediation

  • If unauthorized RMM use is confirmed: isolate the host, remove the RMM software, rotate credentials, and block the domains at DNS/firewall where policy permits.
  • Enforce policy that only approved RMM tools from approved publishers may be used, and only by authorized staff.

References

Related rules

to-top