<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>ConnectWise Automate - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/connectwise-automate/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 15:47:17 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/connectwise-automate/feed.xml" rel="self" type="application/rss+xml"/><item><title>Suspicious Activity: Multiple Remote Management Tool Vendors on Same Host</title><link>https://feed.craftedsignal.io/briefs/2026-07-multiple-rmm-vendors-same-host/</link><pubDate>Fri, 03 Jul 2026 15:47:17 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-multiple-rmm-vendors-same-host/</guid><description>This brief describes a behavioral detection for Windows hosts where two or more distinct remote monitoring and management (RMM) or remote-access tools from different vendors are observed starting processes within an eight-minute window, indicating potential compromise, shadow IT, or attacker staging of redundant access.</description><content:encoded><![CDATA[<p>This detection rule identifies a suspicious behavioral pattern on Windows hosts where processes associated with two or more distinct remote monitoring and management (RMM) or remote-access tool vendors are observed initiating within the same eight-minute window. This activity is considered suspicious because it can indicate unauthorized activity, such as an attacker establishing redundant persistence and command and control, the presence of shadow IT, or a potential system compromise. While some legitimate Managed Service Provider (MSP) environments might use multiple tools (e.g., ConnectWise Automate and TeamViewer), this pattern on standard user endpoints or servers warrants immediate investigation. The detection mechanism specifically maps known RMM process names to unique vendor labels (e.g., AnyDesk, Splashtop, NinjaOne), preventing false positives from multiple binaries of the same vendor. This detection helps security teams identify anomalous RMM usage, which is a common tactic for initial access brokers and post-exploitation activities.</p>
<h2 id="attack-chain">Attack Chain</h2>
<p>This detection focuses on identifying suspicious activity rather than a specific multi-stage attack chain. The presence of multiple RMM tools from distinct vendors typically occurs during the post-compromise phase, as attackers establish persistence and redundant command and control.</p>
<h2 id="impact">Impact</h2>
<p>If not investigated and addressed, the presence of multiple, potentially unauthorized, remote management tools can lead to severe consequences. Attackers often deploy additional RMM tools to maintain persistence and establish redundant command and control channels, even after their primary access might be remediated. This increases the risk of data exfiltration, further lateral movement, deployment of ransomware, and long-term compromise of the affected host and wider network. Uncontrolled RMM installations also present a significant attack surface due to their elevated privileges and network access capabilities, making the host a critical pivot point for further malicious activities.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the described detection logic to identify hosts exhibiting simultaneous process execution from multiple RMM vendors.</li>
<li>Enable Sysmon Event ID 1 (Process Creation) and Windows process creation logging across your environment to ensure comprehensive coverage for process start events.</li>
<li>Investigate alerts related to MITRE ATT&amp;CK technique T1219 (Remote Access Software) to determine legitimacy.</li>
<li>For hosts triggering this detection, immediately investigate the Esql.vendors_seen and Esql.processes_executable_values fields to identify the specific tools involved.</li>
<li>For servers or standard user endpoints, treat such alerts as high risk; review install sources, code signatures, and recent logons for the involved processes.</li>
<li>Correlate alerts with other suspicious activities (e.g., ingress tool transfer, suspicious scripting, new persistence mechanisms) on the same host.</li>
<li>Establish and enforce a clear policy for approved RMM software, ideally limiting to a single approved stack per asset class to reduce false positives and attack surface.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>command-and-control</category><category>remote-access-software</category><category>rmm</category><category>windows</category><category>behavioral-detection</category></item></channel></rss>