Product
medium
advisory
Suspicious DNS Queries to Remote Monitoring and Management Domains from Non-Browser Processes
1 rule 193 IOCsThis brief details the detection of DNS queries targeting commonly abused Remote Monitoring and Management (RMM) or remote access software domains, originating from non-browser processes, which is a common tactic for command and control, persistence, and lateral movement by threat actors.
01com +151
windows
command-and-control
endpoint
rmm
remote-access
1r
193i
medium
advisory
Suspicious Activity: Multiple Remote Management Tool Vendors on Same Host
1 TTPThis brief describes a behavioral detection for Windows hosts where two or more distinct remote monitoring and management (RMM) or remote-access tools from different vendors are observed starting processes within an eight-minute window, indicating potential compromise, shadow IT, or attacker staging of redundant access.
Acronis Cyber Protect Connect +49
command-and-control
remote-access-software
rmm
windows
behavioral-detection
1t