Multiple Remote Management Tool Vendors on Same Host
Identifies a Windows host where two or more distinct remote monitoring and management (RMM) or remote-access tool vendors are observed starting processes within the rule's nine-minute lookback window. Legitimate MSP environments may run multiple tools, but this pattern can also indicate compromise, shadow IT, or attacker staging of redundant access. Processes are mapped to a single vendor label so multiple binaries from the same vendor do not inflate the count.
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2026/03/23"
integration = [
    "endpoint",
    "windows",
    "sentinel_one_cloud_funnel",
    "m365_defender",
    "system",
    "crowdstrike",
]
maturity = "production"
updated_date = "2026/03/23"

[rule]
author = ["Elastic"]
description = """
Identifies a Windows host where two or more distinct remote monitoring and management (RMM) or remote-access tool
vendors are observed starting processes within the rule's nine-minute lookback window. Legitimate MSP environments may
run multiple tools, but this pattern can also indicate compromise, shadow IT, or attacker staging of redundant access.
Processes are mapped to a single vendor label so multiple binaries from the same vendor do not inflate the count.
"""
from = "now-9m"
interval = "8m"
language = "esql"
license = "Elastic License v2"
name = "Multiple Remote Management Tool Vendors on Same Host"
note = """## Triage and analysis

### Investigating Multiple Remote Management Tool Vendors on Same Host

This rule aggregates process start events by `host.id` and `host.name` over each nine-minute lookback window
(`from = "now-9m"`, evaluated every eight minutes); the query has no separate time-bucket field, so every run scores the
whole window. Data can come from Elastic Defend, Sysmon, Winlogbeat, Windows Security / forwarded events, Microsoft
Defender for Endpoint, SentinelOne, CrowdStrike FDR, or Elastic Endgame, where ECS process fields are populated. Each
known RMM-related process name maps to one **vendor** label (e.g. TeamViewer, AnyDesk, ScreenConnect). If **two or more
different vendor labels** appear in the same window, the rule signals. Matching on `process.name` is exact and
case-sensitive for both `==` and `like`, so a binary whose on-disk name differs in case from its table entry is not
counted.

### Possible investigation steps

- Open **Esql.vendors_seen** and **Esql.processes_executable_values** on the alert to see which tools fired in the window.
- Confirm whether the host is an MSP-managed jump box, helpdesk workstation, or lab where multiple RMM stacks are expected.
- For servers or standard user endpoints, treat as higher risk: review install source, code signatures, and recent logons.
- Correlate with other alerts (ingress tool transfer, suspicious scripting, new persistence) on the same `host.id`.
- Check asset inventory and change tickets for approved RMM software.

### False positive analysis

- **MSP / IT tooling**: A technician machine with two approved agents (e.g. RMM + remote support) may match. Tune with
  host or organizational unit exceptions, or raise the vendor threshold if your environment standardizes on a known pair.
- **Vendor rebrands or bundles**: Rare overlaps during migrations can briefly show two vendors; validate timeline and packages.

### Response and remediation

- If unauthorized or unexplained: isolate the host, inventory installed remote-access software, remove unapproved tools,
  and reset credentials that may have been exposed. Enforce a single approved RMM stack per asset class where possible.
"""
references = [
    "https://attack.mitre.org/techniques/T1219/",
    "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a",
]
risk_score = 47
rule_id = "c3f8a1d2-4b5e-4c6f-9a8b-1e2d3f4a5b6c"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Command and Control",
    "Resources: Investigation Guide",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: CrowdStrike",
    "Data Source: Windows Security Event Logs",
    "Data Source: Elastic Endgame",
    "Data Source: Winlogbeat",
]
timestamp_override = "event.ingested"
type = "esql"

query = '''
from logs-endpoint.events.process-*, endgame-*, logs-crowdstrike.fdr*, logs-m365_defender.event-*, logs-sentinel_one_cloud_funnel.*, logs-system.security*, logs-windows.sysmon_operational-*, logs-windows.forwarded*, winlogbeat-* metadata _id, _version, _index
| where (host.os.type == "windows" or host.os.family == "windows")
  and event.category == "process"
  and event.type == "start"
  and process.name is not null
| eval Esql.rmm_vendor = case(
    process.name == "AeroAdmin.exe", "AeroAdmin",
    process.name == "AnyDesk.exe", "AnyDesk",
    process.name == "AteraAgent.exe", "Atera",
    process.name == "AweSun.exe", "AweSun",
    process.name like "aweray_remote*.exe", "AweSun",
    process.name == "apc_Admin.exe", "APC",
    process.name == "apc_host.exe", "APC",
    process.name == "BASupSrvc.exe", "BeyondTrust",
    process.name == "bomgar-scc.exe", "BeyondTrust",
    process.name == "Remote Support.exe", "BeyondTrust",
    process.name == "B4-Service.exe", "BeyondTrust",
    process.name == "CagService.exe", "BarracudaRMM",
    process.name == "domotzagent.exe", "Domotz",
    process.name == "domotz-windows-x64-10.exe", "Domotz",
    process.name == "dwagsvc.exe", "DWService",
    process.name == "DWRCC.exe", "DWService",
    process.name like "fleetdeck_commander*.exe", "FleetDeck",
    process.name == "getscreen.exe", "GetScreen",
    process.name == "g2aservice.exe", "GoTo",
    process.name == "GoToAssistService.exe", "GoTo",
    process.name == "gotohttp.exe", "GoTo",
    process.name == "GoToResolveProcessChecker.exe", "GoTo",
    process.name == "GoToResolveUnattended.exe", "GoTo",
    process.name == "ImperoClientSVC.exe", "Impero",
    process.name == "ImperoServerSVC.exe", "Impero",
    process.name == "ISLLight.exe", "ISLOnline",
    process.name == "ISLLightClient.exe", "ISLOnline",
    process.name == "jumpcloud-agent.exe", "JumpCloud",
    process.name == "level.exe", "Level",
    process.name == "LvAgent.exe", "Level",
    process.name == "LMIIgnition.exe", "LogMeIn",
    process.name == "LogMeIn.exe", "LogMeIn",
    process.name == "ManageEngine_Remote_Access_Plus.exe", "ManageEngine",
    process.name == "MeshAgent.exe", "MeshCentral",
    process.name == "meshagent.exe", "MeshCentral",
    process.name == "Mikogo-Service.exe", "Mikogo",
    process.name == "NinjaRMMAgent.exe", "NinjaOne",
    process.name == "NinjaRMMAgenPatcher.exe", "NinjaOne",
    process.name == "ninjarmm-cli.exe", "NinjaOne",
    process.name == "parsec.exe", "Parsec",
    process.name == "PService.exe", "Pulseway",
    process.name == "r_server.exe", "Radmin",
    process.name == "radmin.exe", "Radmin",
    process.name == "radmin3.exe", "Radmin",
    process.name == "rserver3.exe", "Radmin",
    process.name == "vncserver.exe", "RealVNC",
    process.name == "vncviewer.exe", "RealVNC",
    process.name == "winvnc.exe", "RealVNC",
    process.name == "ROMServer.exe", "RealVNC",
    process.name == "ROMViewer.exe", "RealVNC",
    process.name == "RemotePC.exe", "RemotePC",
    process.name == "RemotePCDesktop.exe", "RemotePC",
    process.name == "RemotePCService.exe", "RemotePC",
    process.name == "RemoteDesktopManager.exe", "Devolutions",
    process.name == "RCClient.exe", "RPCSuite",
    process.name == "RCService.exe", "RPCSuite",
    process.name == "RPCSuite.exe", "RPCSuite",
    process.name == "rustdesk.exe", "RustDesk",
    process.name == "rutserv.exe", "RemoteUtilities",
    process.name == "rutview.exe", "RemoteUtilities",
    process.name == "saazapsc.exe", "Kaseya",
    process.name like "ScreenConnect*.exe", "ScreenConnect",
    process.name == "ScreenConnect.ClientService.exe", "ScreenConnect",
    process.name == "Splashtop-streamer.exe", "Splashtop",
    process.name == "strwinclt.exe", "Splashtop",
    process.name == "SRService.exe", "Splashtop",
    process.name == "smpcview.exe", "Splashtop",
    process.name == "spclink.exe", "Splashtop",
    process.name == "rfusclient.exe", "Splashtop",
    process.name == "Supremo.exe", "Supremo",
    process.name == "SupremoService.exe", "Supremo",
    process.name == "Syncro.Overmind.Service.exe", "Splashtop",
    process.name == "SyncroLive.Agent.Runner.exe", "Splashtop",
    process.name == "Syncro.Installer.exe", "Splashtop",
    process.name == "tacticalrmm.exe", "TacticalRMM",
    process.name == "tailscale.exe", "Tailscale",
    process.name == "tailscaled.exe", "Tailscale",
    process.name == "teamviewer.exe", "TeamViewer",
    process.name == "ticlientcore.exe", "Tiflux",
    process.name == "TiAgent.exe", "Tiflux",
    process.name == "ToDesk_Service.exe", "ToDesk",
    process.name == "twingate.exe", "Twingate",
    process.name == "tvn.exe", "TightVNC",
    process.name == "tvnserver.exe", "TightVNC",
    process.name == "tvnviewer.exe", "TightVNC",
    process.name == "winwvc.exe", "TightVNC",
    process.name like "UltraVNC*.exe", "UltraVNC",
    process.name like "UltraViewer*.exe", "UltraViewer",
    process.name like "AA_v*.exe", "AnyAssist",
    process.name == "Velociraptor.exe", "Velociraptor",
    process.name == "ToolsIQ.exe", "ToolsIQ",
    process.name == "session_win.exe", "ZohoAssist",
    process.name == "Zaservice.exe", "ZohoAssist",
    process.name == "ZohoURS.exe", "ZohoAssist",
    ""
  )
| where Esql.rmm_vendor != "" and Esql.rmm_vendor is not NULL
| stats Esql.vendor_count = count_distinct(Esql.rmm_vendor),
        Esql.vendors_seen = values(Esql.rmm_vendor),
        Esql.processes_executable_values = values(process.executable),
        Esql.first_seen = min(@timestamp),
        Esql.last_seen = max(@timestamp)
  by host.name, host.id
| where Esql.vendor_count >= 2
| sort Esql.vendor_count desc
| keep host.id, host.name, Esql.*
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1219"
name = "Remote Access Tools"
reference = "https://attack.mitre.org/techniques/T1219/"
[[rule.threat.technique.subtechnique]]
id = "T1219.002"
name = "Remote Desktop Software"
reference = "https://attack.mitre.org/techniques/T1219/002/"

[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
```
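As an added example (not part of the Elastic rule or its repository), the following Python mirrors the query's three steps over constructed process-start events so the logic can be checked offline: map `process.name` to a vendor label with the same exact and `like` semantics, aggregate per host over the nine-minute lookback, and alert when two or more vendors appear. `VENDOR_MAP` is a subset of the rule's `case()` table; the hosts, timestamps and executable paths are constructed; and the `threshold` and `excluded_hosts` parameters are the tuning knobs the triage note suggests, which the shipped query does not have.

```python
import fnmatch
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Subset of the rule's process.name -> vendor case() table, in the rule's order.
# Entries containing "*" are the rule's `like` patterns; the rest are exact
# comparisons. Both are case-sensitive in ES|QL, and fnmatchcase keeps that.
VENDOR_MAP = [
    ("AnyDesk.exe", "AnyDesk"),
    ("MeshAgent.exe", "MeshCentral"),
    ("meshagent.exe", "MeshCentral"),
    ("rustdesk.exe", "RustDesk"),
    ("ScreenConnect*.exe", "ScreenConnect"),
    ("ScreenConnect.ClientService.exe", "ScreenConnect"),
    ("Splashtop-streamer.exe", "Splashtop"),
    ("SRService.exe", "Splashtop"),
    ("teamviewer.exe", "TeamViewer"),
]
LOOKBACK = timedelta(minutes=9)  # the rule's from = "now-9m"


def rmm_vendor(process_name):
    """Equivalent of the rule's case(): first matching row wins, otherwise ""."""
    for pattern, vendor in VENDOR_MAP:
        if "*" in pattern:
            if fnmatch.fnmatchcase(process_name, pattern):
                return vendor
        elif process_name == pattern:
            return vendor
    return ""


def evaluate(events, run_time, threshold=2, excluded_hosts=frozenset()):
    """One rule execution at run_time over ECS-style event dicts. threshold and
    excluded_hosts are the tuning hooks the triage note suggests (raise the vendor
    threshold, exempt approved hosts); the shipped query has neither (assumed here)."""
    window_start = run_time - LOOKBACK
    per_host = defaultdict(lambda: {"vendors": set(), "executables": set(), "ts": []})
    for ev in events:
        ts = ev["@timestamp"]
        if not (window_start <= ts <= run_time):
            continue  # outside this run's lookback window
        if (ev.get("host.os.type") != "windows" or ev.get("event.category") != "process"
                or ev.get("event.type") != "start" or not ev.get("process.name")):
            continue
        vendor = rmm_vendor(ev["process.name"])
        if vendor == "":
            continue  # where Esql.rmm_vendor != ""
        agg = per_host[(ev["host.name"], ev["host.id"])]
        agg["vendors"].add(vendor)
        agg["executables"].add(ev["process.executable"])
        agg["ts"].append(ts)
    alerts = []
    for (host_name, host_id), agg in per_host.items():
        if host_id in excluded_hosts or len(agg["vendors"]) < threshold:
            continue  # where Esql.vendor_count >= 2
        alerts.append({
            "host.id": host_id, "host.name": host_name,
            "Esql.vendor_count": len(agg["vendors"]),            # count_distinct()
            "Esql.vendors_seen": sorted(agg["vendors"]),         # values()
            "Esql.processes_executable_values": sorted(agg["executables"]),
            "Esql.first_seen": min(agg["ts"]), "Esql.last_seen": max(agg["ts"]),
        })
    alerts.sort(key=lambda a: a["Esql.vendor_count"], reverse=True)
    return alerts


NOW = datetime(2026, 3, 23, 12, 0, tzinfo=timezone.utc)  # constructed run time


def _ev(host_id, host_name, minutes_ago, name, path):
    return {"@timestamp": NOW - timedelta(minutes=minutes_ago), "host.id": host_id,
            "host.name": host_name, "host.os.type": "windows", "event.category": "process",
            "event.type": "start", "process.name": name, "process.executable": path}


SAMPLE_EVENTS = [  # constructed; hosts and paths are illustrative
    # ws-01: two distinct vendors inside the window -> alerts
    _ev("h1", "ws-01", 7, "AnyDesk.exe", r"C:\Users\alice\AppData\Roaming\AnyDesk\AnyDesk.exe"),
    _ev("h1", "ws-01", 2, "ScreenConnect.ClientService.exe",
        r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe"),
    # msp-jump-01: four binaries but only two vendor labels (MeshCentral, Splashtop)
    _ev("h2", "msp-jump-01", 8, "meshagent.exe", r"C:\Program Files\Mesh Agent\meshagent.exe"),
    _ev("h2", "msp-jump-01", 6, "MeshAgent.exe", r"C:\Program Files\Mesh Agent\MeshAgent.exe"),
    _ev("h2", "msp-jump-01", 5, "SRService.exe", r"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe"),
    _ev("h2", "msp-jump-01", 1, "Splashtop-streamer.exe", r"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Splashtop-streamer.exe"),
    # srv-02: AnyDesk started 20 minutes ago, outside the lookback -> one vendor, no alert
    _ev("h3", "srv-02", 20, "AnyDesk.exe", r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"),
    _ev("h3", "srv-02", 3, "rustdesk.exe", r"C:\Program Files\RustDesk\rustdesk.exe"),
    # ws-04: "TeamViewer.exe" != the table's "teamviewer.exe" (case-sensitive), so only AnyDesk counts
    _ev("h4", "ws-04", 4, "TeamViewer.exe", r"C:\Program Files\TeamViewer\TeamViewer.exe"),
    _ev("h4", "ws-04", 2, "AnyDesk.exe", r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"),
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS, NOW):
        print(alert["host.name"], alert["Esql.vendor_count"], alert["Esql.vendors_seen"])
    # Tuned run: the MSP jump box is an approved exception, so only ws-01 remains.
    print([a["host.name"] for a in evaluate(SAMPLE_EVENTS, NOW, excluded_hosts={"h2"})])
```

Running it alerts on `ws-01` and `msp-jump-01` only: the jump box's four binaries collapse to two vendor labels, `srv-02`'s AnyDesk start falls outside the lookback, and `ws-04`'s mixed-case `TeamViewer.exe` is not matched by the table's lowercase entry, which is the case-sensitivity caveat to keep in mind when extending the `case()` list.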
References
- https://attack.mitre.org/techniques/T1219/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a
Related rules
- Remote Management Access Launch After MSI Install
- Attempt to Establish VScode Remote Tunnel
- Potential Protocol Tunneling via Cloudflared
- Potential Protocol Tunneling via Yuze
- Suspicious Shell Execution via Velociraptor