Skip to content
Threat Feed
medium advisory

Multiple Remote Management Tool Vendors on Same Host

The presence of multiple remote monitoring and management (RMM) tools from different vendors on a single Windows host within a short time frame may indicate compromise, shadow IT, or attacker staging for redundant access.

This detection identifies Windows hosts where processes associated with two or more distinct remote monitoring and management (RMM) or remote access tool vendors are observed starting within an eight-minute window. While legitimate MSP environments may utilize multiple tools, this activity can also indicate a security compromise, unauthorized software installation (shadow IT), or attackers establishing redundant access mechanisms. The detection maps process names to a single vendor label, preventing multiple binaries from the same vendor from inflating the count. The rule is based on observed techniques used by threat actors to maintain access to compromised systems.

Attack Chain

  1. An attacker gains initial access to a Windows host through methods not covered in this specific detection (e.g., phishing, exploit).
  2. The attacker installs a first remote management tool such as TeamViewer (teamviewer.exe) or AnyDesk (AnyDesk.exe) to gain remote access.
  3. The attacker establishes persistence using the first RMM tool, ensuring continued access to the compromised system.
  4. The attacker installs a second remote management tool from a different vendor, for example, Splashtop (Splashtop-streamer.exe) or RustDesk (rustdesk.exe).
  5. The attacker configures the second RMM tool for persistence, creating a redundant remote access method.
  6. The presence of multiple RMM tools from different vendors allows the attacker to maintain access even if one tool is detected or removed.
  7. The attacker uses the redundant access to perform malicious activities such as data exfiltration, lateral movement, or ransomware deployment.

Impact

A successful attack can lead to unauthorized remote access, data theft, malware deployment, and disruption of services. The presence of multiple RMM tools significantly increases the attacker's chances of maintaining persistent access to the compromised system, escalating the potential damage. If the multiple RMM tools are unauthorized installations, this indicates a breakdown of IT asset management and change control.

Recommendation

  • Deploy the Sigma rule Multiple Remote Management Tool Vendors on Same Host to your SIEM and tune for your environment (see rule below).
  • Investigate any alerts generated by the Sigma rule to determine the legitimacy of the RMM tools installed (see rule description).
  • Use asset inventory tools to identify all RMM software installed on endpoints and servers (see Data Source tags).
  • Enforce a policy of one approved RMM stack per asset class where possible to limit the attack surface (see Response and remediation in the content section).
  • Review and harden processes to prevent the installation of unauthorized software (see Attack Chain).

Detection coverage 3

Multiple Remote Management Tool Vendors on Same Host

medium

Detects a Windows host where two or more distinct remote monitoring and management (RMM) or remote-access tool vendors are observed starting processes within the same eight-minute window. This pattern can indicate compromise, shadow IT, or attacker staging of redundant access.

sigma tactics: command_and_control techniques: T1219 sources: process_creation, windows

Suspicious RMM Tool Installation via Command Line

low

Detects the execution of command-line tools often used to install remote management software, potentially indicating unauthorized RMM tool deployment.

sigma tactics: command_and_control techniques: T1219 sources: process_creation, windows

RMM Tool Launch from Unusual Directory

medium

Detects the launch of common Remote Management and Monitoring tools from unusual directories, which could indicate malicious activity.

sigma tactics: command_and_control techniques: T1219 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →