Multiple Remote Management Tool Vendors on Same Host

Identifies a Windows host where two or more distinct remote monitoring and management (RMM) or remote-access tool vendors are observed starting processes within the same eight-minute window. Legitimate MSP environments may run multiple tools, but this pattern can also indicate compromise, shadow IT, or attacker staging of redundant access. Processes are mapped to a single vendor label so multiple binaries from the same vendor do not inflate the count.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2026/03/23"
integration = [
    "endpoint",
    "windows",
    "sentinel_one_cloud_funnel",
    "m365_defender",
    "system",
    "crowdstrike",
]
maturity = "production"
updated_date = "2026/05/04"

[rule]
author = ["Elastic"]
description = """
Identifies a Windows host where two or more distinct remote monitoring and management (RMM) or remote-access tool
vendors are observed starting processes within the same eight-minute window. Legitimate MSP environments may run
multiple tools, but this pattern can also indicate compromise, shadow IT, or attacker staging of redundant access.
Processes are mapped to a single vendor label so multiple binaries from the same vendor do not inflate the count.
"""
from = "now-9m"
interval = "8m"
language = "esql"
license = "Elastic License v2"
name = "Multiple Remote Management Tool Vendors on Same Host"
note = """## Triage and analysis

### Investigating Multiple Remote Management Tool Vendors on Same Host

This rule aggregates process start events by `host.id`, host name, and a nine-minute time bucket. Data can come from
Elastic Defend, Sysmon, Winlogbeat, Windows Security / forwarded events, Microsoft Defender XDR, SentinelOne,
CrowdStrike FDR, or Elastic Endgame—where ECS process fields are populated. Each known RMM-related process name maps
to one **vendor** label (e.g. TeamViewer, AnyDesk, ScreenConnect). If **two or more different vendor labels** appear in
the same bucket, the rule signals.

### Possible investigation steps

- Open **Esql.vendors_seen** and **Esql.processes_executable_values** on the alert to see which tools fired in the window.
- Confirm whether the host is an MSP-managed jump box, helpdesk workstation, or lab where multiple RMM stacks are expected.
- For servers or standard user endpoints, treat as higher risk: review install source, code signatures, and recent logons.
- Correlate with other alerts (ingress tool transfer, suspicious scripting, new persistence) on the same `host.id`.
- Check asset inventory and change tickets for approved RMM software.

### False positive analysis

- **MSP / IT tooling**: A technician machine with two approved agents (e.g. RMM + remote support) may match. Tune with
  host or organizational unit exceptions, or raise the vendor threshold if your environment standardizes on a known pair.
- **Vendor rebrands or bundles**: Rare overlaps during migrations can briefly show two vendors; validate timeline and packages.

### Response and remediation

- If unauthorized or unexplained: isolate the host, inventory installed remote-access software, remove unapproved tools,
  and reset credentials that may have been exposed. Enforce a single approved RMM stack per asset class where possible.
"""

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [CrowdStrike](https://ela.st/crowdstrike-integration)
- [Microsoft Defender XDR](https://ela.st/m365-defender)
- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)
- [Windows Process Creation Logs](https://ela.st/audit-process-creation)
"""

references = [
    "https://attack.mitre.org/techniques/T1219/",
    "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a",
]
risk_score = 47
rule_id = "c3f8a1d2-4b5e-4c6f-9a8b-1e2d3f4a5b6c"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Command and Control",
    "Resources: Investigation Guide",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Data Source: Microsoft Defender XDR",
    "Data Source: Crowdstrike",
    "Data Source: Windows Security Event Logs",
    "Data Source: Elastic Endgame",
    "Data Source: Winlogbeat",
]
timestamp_override = "event.ingested"
type = "esql"

query = '''
from logs-endpoint.events.process-*, endgame-*, logs-crowdstrike.fdr*, logs-m365_defender.event-*, logs-sentinel_one_cloud_funnel.*, logs-system.security*, logs-windows.sysmon_operational-*, logs-windows.forwarded*, winlogbeat-* metadata _id, _version, _index
| where (host.os.type == "windows" or host.os.family == "windows")
    and event.category == "process"
    and event.type == "start"
    and process.name is not null
| eval Esql.rmm_vendor = case(
    process.name == "AeroAdmin.exe", "AeroAdmin",
    process.name == "AnyDesk.exe", "AnyDesk",
    process.name == "AteraAgent.exe", "Atera",
    process.name == "AweSun.exe", "AweSun",
    process.name like "aweray_remote*.exe", "AweSun",
    process.name == "apc_Admin.exe", "APC",
    process.name == "apc_host.exe", "APC",
    process.name == "BASupSrvc.exe", "BeyondTrust",
    process.name == "bomgar-scc.exe", "BeyondTrust",
    process.name == "Remote Support.exe", "BeyondTrust",
    process.name == "B4-Service.exe", "BeyondTrust",
    process.name == "CagService.exe", "BarracudaRMM",
    process.name == "domotzagent.exe", "Domotz",
    process.name == "domotz-windows-x64-10.exe", "Domotz",
    process.name == "dwagsvc.exe", "DWService",
    process.name == "DWRCC.exe", "DWService",
    process.name like "fleetdeck_commander*.exe", "FleetDeck",
    process.name == "getscreen.exe", "GetScreen",
    process.name == "g2aservice.exe", "GoTo",
    process.name == "GoToAssistService.exe", "GoTo",
    process.name == "gotohttp.exe", "GoTo",
    process.name == "GoToResolveProcessChecker.exe", "GoTo",
    process.name == "GoToResolveUnattended.exe", "GoTo",
    process.name == "ImperoClientSVC.exe", "Impero",
    process.name == "ImperoServerSVC.exe", "Impero",
    process.name == "ISLLight.exe", "ISLOnline",
    process.name == "ISLLightClient.exe", "ISLOnline",
    process.name == "jumpcloud-agent.exe", "JumpCloud",
    process.name == "level.exe", "Level",
    process.name == "LvAgent.exe", "Level",
    process.name == "LMIIgnition.exe", "LogMeIn",
    process.name == "LogMeIn.exe", "LogMeIn",
    process.name == "Lunixar.exe", "Lunixar",
    process.name == "LunixarRemote.exe", "Lunixar",
    process.name == "LunixarUpdater.exe", "Lunixar",
    process.name == "ManageEngine_Remote_Access_Plus.exe", "ManageEngine",
    process.name == "MeshAgent.exe", "MeshCentral",
    process.name == "meshagent.exe", "MeshCentral",
    process.name == "Mikogo-Service.exe", "Mikogo",
    process.name == "NinjaRMMAgent.exe", "NinjaOne",
    process.name == "NinjaRMMAgenPatcher.exe", "NinjaOne",
    process.name == "ninjarmm-cli.exe", "NinjaOne",
    process.name == "parsec.exe", "Parsec",
    process.name == "PService.exe", "Pulseway",
    process.name == "r_server.exe", "Radmin",
    process.name == "radmin.exe", "Radmin",
    process.name == "radmin3.exe", "Radmin",
    process.name == "rserver3.exe", "Radmin",
    process.name == "vncserver.exe", "RealVNC",
    process.name == "vncviewer.exe", "RealVNC",
    process.name == "winvnc.exe", "RealVNC",
    process.name == "ROMServer.exe", "RealVNC",
    process.name == "ROMViewer.exe", "RealVNC",
    process.name == "RemotePC.exe", "RemotePC",
    process.name == "RemotePCDesktop.exe", "RemotePC",
    process.name == "RemotePCService.exe", "RemotePC",
    process.name == "RemoteDesktopManager.exe", "Devolutions",
    process.name == "RCClient.exe", "RPCSuite",
    process.name == "RCService.exe", "RPCSuite",
    process.name == "RPCSuite.exe", "RPCSuite",
    process.name == "rustdesk.exe", "RustDesk",
    process.name == "rutserv.exe", "RemoteUtilities",
    process.name == "rutview.exe", "RemoteUtilities",
    process.name == "saazapsc.exe", "Kaseya",
    process.name like "ScreenConnect*.exe", "ScreenConnect",
    process.name == "ScreenConnect.ClientService.exe", "ScreenConnect",
    process.name == "Splashtop-streamer.exe", "Splashtop",
    process.name == "strwinclt.exe", "Splashtop",
    process.name == "SRService.exe", "Splashtop",
    process.name == "smpcview.exe", "Splashtop",
    process.name == "spclink.exe", "Splashtop",
    process.name == "rfusclient.exe", "Splashtop",
    process.name == "Supremo.exe", "Supremo",
    process.name == "SupremoService.exe", "Supremo",
    process.name == "Syncro.Overmind.Service.exe", "Splashtop",
    process.name == "SyncroLive.Agent.Runner.exe", "Splashtop",
    process.name == "Syncro.Installer.exe", "Splashtop",
    process.name == "tacticalrmm.exe", "TacticalRMM",
    process.name == "tailscale.exe", "Tailscale",
    process.name == "tailscaled.exe", "Tailscale",
    process.name == "teamviewer.exe", "TeamViewer",
    process.name == "ticlientcore.exe", "Tiflux",
    process.name == "TiAgent.exe", "Tiflux",
    process.name == "ToDesk_Service.exe", "ToDesk",
    process.name == "twingate.exe", "Twingate",
    process.name == "tvn.exe", "TightVNC",
    process.name == "tvnserver.exe", "TightVNC",
    process.name == "tvnviewer.exe", "TightVNC",
    process.name == "winwvc.exe", "TightVNC",
    process.name like "UltraVNC*.exe", "UltraVNC",
    process.name like "UltraViewer*.exe", "UltraViewer",
    process.name like "AA_v*.exe", "AnyAssist",
    process.name == "Velociraptor.exe", "Velociraptor",
    process.name == "ToolsIQ.exe", "ToolsIQ",
    process.name == "session_win.exe", "ZohoAssist",
    process.name == "Zaservice.exe", "ZohoAssist",
    process.name == "ZohoURS.exe", "ZohoAssist",
    ""
  )
| where Esql.rmm_vendor != "" and Esql.rmm_vendor is not NULL
| stats Esql.vendor_count = count_distinct(Esql.rmm_vendor),
        Esql.vendors_seen = values(Esql.rmm_vendor),
        Esql.processes_executable_values = values(process.executable),
        Esql.first_seen = min(@timestamp),
        Esql.last_seen = max(@timestamp)
  by host.name, host.id
| where Esql.vendor_count >= 2
| sort Esql.vendor_count desc
| keep host.id, host.name, Esql.*
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1219"
name = "Remote Access Tools"
reference = "https://attack.mitre.org/techniques/T1219/"

[[rule.threat.technique.subtechnique]]
id = "T1219.002"
name = "Remote Desktop Software"
reference = "https://attack.mitre.org/techniques/T1219/002/"

[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
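The following is an added worked example, not Elastic's code and not part of the rule above: it models the ES|QL pipeline in Python (filter Windows process-start events, map `process.name` to a vendor label with the same case-sensitive `==` / `like` semantics, aggregate per host over the nine-minute lookback, alert at two or more distinct vendors) so the logic can be exercised offline against constructed events. The vendor table is a deliberately short subset of the rule's, every event and host name is constructed, and the `approved` per-host vendor-set suppression is an assumption of this example that stands in for the host exceptions the false-positive notes recommend; it is not something the rule implements. The sample includes the edge cases a practitioner would want to check: two binaries from one vendor collapsing to a count of one, a name whose on-disk casing differs from the table (which the rule's case-sensitive match does not map), and an event just outside the lookback.

```python
"""Offline model of the rule's ES|QL pipeline: added example, not Elastic's code.
Filters Windows process-start events, maps process.name to a vendor label,
aggregates per host over the lookback window and alerts on two or more
distinct vendors. Vendor table is a short subset; all events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

# Subset of the rule's case(...) table. Exact entries mirror `==`, patterns mirror
# `like`; both are case-sensitive in ES|QL (hence MeshAgent.exe and meshagent.exe).
VENDOR_EXACT = {
    "AnyDesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "MeshAgent.exe": "MeshCentral",
    "meshagent.exe": "MeshCentral",
    "rustdesk.exe": "RustDesk",
    "ScreenConnect.ClientService.exe": "ScreenConnect",
}
VENDOR_LIKE = [("ScreenConnect*.exe", "ScreenConnect"), ("AA_v*.exe", "AnyAssist")]


def rmm_vendor(process_name):
    """Equivalent of `eval Esql.rmm_vendor = case(...)`: first match wins, else ''."""
    if process_name in VENDOR_EXACT:
        return VENDOR_EXACT[process_name]
    for pattern, vendor in VENDOR_LIKE:
        if fnmatchcase(process_name, pattern):  # case-sensitive glob, as ES|QL `like`
            return vendor
    return ""


def detect(events, now, lookback=timedelta(minutes=9), min_vendors=2, approved=None):
    """Mirror of the where/stats/where stages. `approved` ({host.id: {vendor,...}})
    is a tuning hook assumed by this example, not part of the rule: a host whose
    observed vendors all lie in its approved set is suppressed (false-positive notes)."""
    window_start = now - lookback            # from = "now-9m"
    per_host = defaultdict(list)
    for e in events:
        if not window_start <= e["@timestamp"] <= now:
            continue
        if "windows" not in (e.get("host.os.type"), e.get("host.os.family")):
            continue
        if e.get("event.category") != "process" or e.get("event.type") != "start":
            continue
        vendor = rmm_vendor(e.get("process.name") or "")
        if vendor:                           # where Esql.rmm_vendor != ""
            per_host[(e["host.id"], e["host.name"])].append((e, vendor))

    alerts = []
    for (host_id, host_name), rows in per_host.items():
        vendors = {v for _, v in rows}       # count_distinct collapses same-vendor binaries
        if len(vendors) < min_vendors or (approved and vendors <= approved.get(host_id, set())):
            continue
        alerts.append({
            "host.id": host_id,
            "host.name": host_name,
            "Esql.vendor_count": len(vendors),
            "Esql.vendors_seen": sorted(vendors),
            "Esql.processes_executable_values": sorted({e["process.executable"] for e, _ in rows}),
            "Esql.first_seen": min(e["@timestamp"] for e, _ in rows),
            "Esql.last_seen": max(e["@timestamp"] for e, _ in rows),
        })
    alerts.sort(key=lambda a: a["Esql.vendor_count"], reverse=True)
    return alerts


NOW = datetime(2026, 5, 4, 12, 0, tzinfo=timezone.utc)  # constructed reference time


def _event(host, minutes_ago, name):
    # One constructed, ECS-shaped Windows process start event.
    return {
        "@timestamp": NOW - timedelta(minutes=minutes_ago),
        "host.id": host, "host.name": host, "host.os.type": "windows",
        "event.category": "process", "event.type": "start",
        "process.name": name, "process.executable": "C:\\Tools\\" + name,
    }


# Constructed sample: one true positive plus the edge cases the rule text calls out.
SAMPLE_EVENTS = [
    _event("WS-ACCT-07", 5, "ScreenConnect.WindowsClient.exe"),  # two vendors -> alert
    _event("WS-ACCT-07", 2, "AnyDesk.exe"),
    _event("SRV-FILE-01", 3, "MeshAgent.exe"),    # same vendor twice -> vendor_count 1
    _event("SRV-FILE-01", 4, "meshagent.exe"),
    _event("WS-SALES-12", 2, "TeamViewer.exe"),   # casing differs from the table -> unmapped
    _event("WS-SALES-12", 6, "rustdesk.exe"),
    _event("WS-DEV-03", 20, "AnyDesk.exe"),       # outside the 9-minute lookback
    _event("WS-DEV-03", 1, "rustdesk.exe"),
    _event("MSP-TECH-01", 3, "AnyDesk.exe"),      # approved pair -> suppressed when tuned
    _event("MSP-TECH-01", 7, "ScreenConnect.ClientService.exe"),
]
APPROVED = {"MSP-TECH-01": {"AnyDesk", "ScreenConnect"}}  # constructed tuning entry


def run_sample(tuned=True):
    """Run the model over the constructed events and return the alert list."""
    return detect(SAMPLE_EVENTS, NOW, approved=APPROVED if tuned else None)
```

Running `run_sample()` yields a single alert for `WS-ACCT-07` with `Esql.vendor_count` 2 and `Esql.vendors_seen` `['AnyDesk', 'ScreenConnect']`; `run_sample(tuned=False)` adds the technician host, which is what the host-exception tuning in the false-positive notes is meant to remove. The `WS-SALES-12` case is the check worth repeating against your own telemetry: because the rule's `==` comparisons are case-sensitive, a `process.name` whose casing differs from the table entry (here `TeamViewer.exe` versus the table's `teamviewer.exe`) is not mapped and does not count toward the threshold, so confirm how each data source in the `from` list reports casing before relying on a given entry.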
