Product
Suspicious DNS Queries to Remote Monitoring and Management Domains from Non-Browser Processes
1 rule 193 IOCsThis brief details the detection of DNS queries targeting commonly abused Remote Monitoring and Management (RMM) or remote access software domains, originating from non-browser processes, which is a common tactic for command and control, persistence, and lateral movement by threat actors.
Suspicious Activity: Multiple Remote Management Tool Vendors on Same Host
1 TTPThis brief describes a behavioral detection for Windows hosts where two or more distinct remote monitoring and management (RMM) or remote-access tools from different vendors are observed starting processes within an eight-minute window, indicating potential compromise, shadow IT, or attacker staging of redundant access.
First Time Seen Remote Monitoring and Management Tool Detection
1 rule 3 TTPs 5 IOCsAdversaries are leveraging legitimate Remote Monitoring and Management (RMM) and remote access tools on Windows endpoints for command-and-control, persistence, and execution, with detection focusing on the first observed instance of these tools on a host.