Multiple Remote Management Tool Vendors on Same Host
The presence of multiple remote monitoring and management (RMM) tools from different vendors on a single Windows host within a short time frame may indicate compromise, shadow IT, or attacker staging for redundant access.
This detection identifies Windows hosts where processes associated with two or more distinct remote monitoring and management (RMM) or remote access tool vendors are observed starting within an eight-minute window. While legitimate MSP environments may utilize multiple tools, this activity can also indicate a security compromise, unauthorized software installation (shadow IT), or attackers establishing redundant access mechanisms. The detection maps process names to a single vendor label, preventing multiple binaries from the same vendor from inflating the count. The rule is based on observed techniques used by threat actors to maintain access to compromised systems.
Attack Chain
- An attacker gains initial access to a Windows host through methods not covered in this specific detection (e.g., phishing, exploit).
- The attacker installs a first remote management tool such as TeamViewer (teamviewer.exe) or AnyDesk (AnyDesk.exe) to gain remote access.
- The attacker establishes persistence using the first RMM tool, ensuring continued access to the compromised system.
- The attacker installs a second remote management tool from a different vendor, for example, Splashtop (Splashtop-streamer.exe) or RustDesk (rustdesk.exe).
- The attacker configures the second RMM tool for persistence, creating a redundant remote access method.
- The presence of multiple RMM tools from different vendors allows the attacker to maintain access even if one tool is detected or removed.
- The attacker uses the redundant access to perform malicious activities such as data exfiltration, lateral movement, or ransomware deployment.
Impact
A successful attack can lead to unauthorized remote access, data theft, malware deployment, and disruption of services. The presence of multiple RMM tools significantly increases the attacker's chances of maintaining persistent access to the compromised system, escalating the potential damage. If the multiple RMM tools are unauthorized installations, this indicates a breakdown of IT asset management and change control.
Recommendation
- Deploy the Sigma rule
Multiple Remote Management Tool Vendors on Same Hostto your SIEM and tune for your environment (see rule below). - Investigate any alerts generated by the Sigma rule to determine the legitimacy of the RMM tools installed (see rule
description). - Use asset inventory tools to identify all RMM software installed on endpoints and servers (see
Data Sourcetags). - Enforce a policy of one approved RMM stack per asset class where possible to limit the attack surface (see
Response and remediationin the content section). - Review and harden processes to prevent the installation of unauthorized software (see
Attack Chain).
Detection coverage 3
Multiple Remote Management Tool Vendors on Same Host
mediumDetects a Windows host where two or more distinct remote monitoring and management (RMM) or remote-access tool vendors are observed starting processes within the same eight-minute window. This pattern can indicate compromise, shadow IT, or attacker staging of redundant access.
Suspicious RMM Tool Installation via Command Line
lowDetects the execution of command-line tools often used to install remote management software, potentially indicating unauthorized RMM tool deployment.
RMM Tool Launch from Unusual Directory
mediumDetects the launch of common Remote Management and Monitoring tools from unusual directories, which could indicate malicious activity.
Detection queries are available on the platform. Get full rules →