{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/meshcentral/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["01com","Action1","Addigy","AeroAdmin","Ammyy Admin","AnyDesk","Anyplace Control","AnySupport","Atera RMM","Aurelius Host","Auvik","Aweray Remote","Backdrop Cloud","Barracuda MSP","BeamYourScreen","BeAnywhere","BeInSync","BeyondTrust Remote Support","Bomgar Remote Support","CentraStage","Centurion Technologies","ConnectWise","ConnectWise Control (ScreenConnect)","CrossLoop","DameWare","Datto RMM","Deskday","DeskRoll","Desktop Streaming","Distant Desktop","Donkz","DWService","eHorus","Electric AI RMM","EMCO Remote Installer","Ericom Connect","FastSupport","FastViewer","FixMe.IT","FleetDeck","GatherPlace","GoToAssist","GoToResolve","GetScreen","Goverlan","HeartbeatRM","HelpMe.net","HelpWire","HopToDesk","Hosted RMM","ImmyBot","Impero Remote Monitoring","Instant Housecall","IntelliAdmin","Internap CDN","Internet ID","Iperius Remote","ISL Online","Itarian","ITSupport247","JumpCloud","Jump Desktop","JumpTo","Kabuto","Kaseya VSA","Kickidler","Laplink","Level.io","Liongard","LiteManager","LogicNow","LogMeIn","LogMeIn Rescue","Lunixar","MeshCentral","Mikogo","Miradore","MSP360","MyGreenPC","N-able RMM","Naverisk","NCH Software","NetOp Remote Control","NetSupport Manager","NetViewer","NinjaOne","NoMachine","NTRsupport","Opti-Tune","Oray Remote Control","Panorama9","Parsec","PCVisit","Pilixo","Playanext","Pulseway","Qetqo","R-HUD","Real-Time Collaboration","Remmon","Remote.It","Remote Management","RemoteCall","Remote Desktop","RemotePC","RemoteToPC","Remote Utilities","Remotix","Remotly","RepairShopr","RMansys","RMM Service","Royal Apps","Rport","RUDesktop","RustDesk","Rview","ScreenMeet","Servably","Server-Eye","Set.Me","ShowMyPC","SignalServer","SimpleHelp","Skyfex","Sorillus","Splashtop","SpyAnywhere","Spytech-Web","StartSupport","SuperOps.ai","Supremo Control","SWI Remote Support","SyncroMSP","Syspectr","System Monitor","Tactical RMM","Tailscale","TeamViewer","Techinline","Tele-Desk","TiFlux","TightVNC","tmate","ToDesk","Twingate","UltraViewer","UltraVNC","VNC Connect","Weezo","Xeox","Zoho Assist"],"_cs_severities":["medium"],"_cs_tags":["windows","command-and-control","endpoint","rmm","remote-access"],"_cs_type":"advisory","_cs_vendors":["01com","Action1","Addigy","AeroAdmin","Ammyy","AnyDesk","Anyplace Control","AnySupport","Atera","Aurelius Host","Auvik","Aweray","Barracuda MSP","BeamYourScreen","BeAnywhere","BeInSync","BeyondTrust","Bomgar","CentraStage","Centurion Technologies","ConnectWise","CrossLoop","DameWare","Datto","Deskday.ai","DeskRoll","Desktop Streaming","Distant Desktop","Donkz","DWService","eHorus","Electric AI","EMCO Software","Ericom","FastViewer","FixMe.IT","FleetDeck","GatherPlace","GoTo","GetScreen","Goverlan","HeartbeatRM","HelpWire","HopToDesk","Hosted RMM","ImmyBot","Impero Software","Instant Housecall","IntelliAdmin","Internap CDN","Internet ID","Iperius Remote","ISL Online","Itarian","ITSupport247","JumpCloud","Jump Desktop","Kabuto","Kaseya","Kickidler","Laplink","Level.io","Liongard","LiteManager","LogicNow","LogMeIn","Lunixar","MeshCentral","Mikogo","Miradore","MSP360","MyGreenPC","N-able","Naverisk","NCH Software","NetOp","NetSupport","NetViewer","NinjaOne","NoMachine","NTRsupport","Opti-Tune","Oray","Panorama9","Parsec","PCVisit","Pilixo","Playanext","Pulseway","Qetqo","R-HUD","Real-Time Collaboration","Remmon","Remote.It","Remote Management","RemoteCall","Remote Desktop","RemotePC","Remote Utilities","Remotix","Remotly","RepairShopr","RMansys","RMM Service","Royal Apps","Rport","RUDesktop","RustDesk","Rview","ScreenConnect","ScreenMeet","Servably","Server-Eye","Set.Me","ShowMyPC","SignalServer","SimpleHelp","Skyfex","Sorillus","Splashtop","SpyAnywhere","Spytech-Web","StartSupport","SuperOps.ai","Supremo Control","SWI","SyncroMSP","Syspectr","System Monitor","Tactical RMM","Tailscale","TeamViewer","Techinline","Tele-Desk","TiFlux","TightVNC","tmate","ToDesk","Twingate","UltraViewer","UltraVNC","VNC","Weezo","Xeox","Zoho"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of suspicious DNS queries directed towards domains associated with Remote Monitoring and Management (RMM) and remote access software. Threat actors frequently exploit legitimate RMM tools for various malicious purposes, including establishing command and control (C2), maintaining persistence within compromised environments, and facilitating lateral movement. The detection rule specifically targets DNS queries made by non-browser processes, aiming to surface activity from unapproved RMM clients, malicious scripts, or other unexpected software attempting to contact these services. This approach helps defenders identify unauthorized remote access, which could indicate a compromise, or the illicit use of legitimate tools for adversary operations, enabling timely response and mitigation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access\u003c/strong\u003e: A user falls victim to a phishing email or exploits an internet-facing vulnerability, allowing an attacker to gain an initial foothold on a system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution \u0026amp; Staging\u003c/strong\u003e: Malicious code is executed, often disguised as a legitimate application or utility, which may download further tools or scripts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRMM Tool Deployment\u003c/strong\u003e: The attacker deploys a legitimate, but often unauthorized or cracked, RMM or remote access client on the compromised system. This could be done through direct installation or by leveraging existing system capabilities.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control (C2) Initialization\u003c/strong\u003e: The newly deployed RMM client attempts to establish a connection to its control server, which involves performing DNS queries to its service domains (e.g., \u003ccode\u003eteamviewer.com\u003c/code\u003e, \u003ccode\u003eanydesk.com\u003c/code\u003e, \u003ccode\u003econnectwise.com\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistent Remote Access\u003c/strong\u003e: Successful connection to the RMM domain provides the attacker with persistent remote access to the compromised system, often bypassing traditional firewall rules due to the nature of RMM applications.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInternal Reconnaissance \u0026amp; Lateral Movement\u003c/strong\u003e: Using the RMM tool, the attacker conducts internal reconnaissance, maps the network, and moves laterally to other systems within the environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eObjective Achievement\u003c/strong\u003e: The attacker executes their final objectives, which may include data exfiltration, deployment of ransomware, or further propagation of malware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe abuse of RMM tools by threat actors can lead to severe organizational impact. Successful exploitation can result in unauthorized, persistent access to critical systems, enabling extensive data exfiltration of sensitive information, deployment of ransomware causing significant operational disruption and financial losses, or complete network compromise. Organizations across all sectors, particularly those relying on legitimate RMM for IT support, are susceptible. If the attack succeeds, it can undermine an organization's security posture, lead to regulatory non-compliance, and damage reputation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule (or its ESQL equivalent) to your SIEM/endpoint security platform and tune for your environment to detect suspicious DNS queries.\u003c/li\u003e\n\u003cli\u003eEnsure that DNS query logging is enabled for all Windows endpoints, ideally via Sysmon Event ID 22 or Elastic Defend, to provide the necessary telemetry for the detection rule.\u003c/li\u003e\n\u003cli\u003eInvestigate all alerts generated by the \u003ccode\u003eDetect DNS Query to Remote Monitoring/Management (RMM) Domain from Non-Browser Process\u003c/code\u003e rule, focusing on the \u003ccode\u003eprocess.executable\u003c/code\u003e and its parent process.\u003c/li\u003e\n\u003cli\u003eReview the code signatures (\u003ccode\u003eprocess.code_signature\u003c/code\u003e) of flagged processes to verify legitimacy and prevent abuse of trojanized RMM installers.\u003c/li\u003e\n\u003cli\u003eBlock the RMM domains listed in the IOC table at the DNS resolver and firewall levels for any systems not explicitly authorized to use such tools.\u003c/li\u003e\n\u003cli\u003eImplement and enforce a strict policy for approved RMM tools and publishers, ensuring only authorized staff use managed, legitimate software for remote support.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-06T14:01:27Z","date_published":"2026-07-06T14:01:27Z","id":"https://feed.craftedsignal.io/briefs/2026-07-rmm-dns-queries/","summary":"This brief details the detection of DNS queries targeting commonly abused Remote Monitoring and Management (RMM) or remote access software domains, originating from non-browser processes, which is a common tactic for command and control, persistence, and lateral movement by threat actors.","title":"Suspicious DNS Queries to Remote Monitoring and Management Domains from Non-Browser Processes","url":"https://feed.craftedsignal.io/briefs/2026-07-rmm-dns-queries/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Acronis Cyber Protect Connect","AeroAdmin","APC Remote Management","AnyDesk","AnyAssist","Atera RMM","AweSun Remote Desktop","Barracuda RMM","BeyondTrust Remote Support","CloudRadial","ConnectWise Automate","ConnectWise Control","Devolutions Remote Desktop Manager","Domotz RMM","DWService","FleetDeck Commander","GetScreen","GoTo","HelpWire","ImmyBot RMM","Impero","ISL Online","JumpCloud Agent","Kaseya VSA","Komari","Level.io","LogMeIn","Lunixar Remote","ManageEngine Remote Access Plus","MeshCentral","Microsoft Quick Assist","Mikogo","Nezha Agent","NinjaOne RMM","Parsec","Pulseway RMM","Radmin","RealVNC","Remotely","RemotePC","Remote Utilities","RPCSuite","Rsupport RemoteView","RustDesk","SimpleHelp","Splashtop","SuperOps RMM","Supremo Remote Desktop","TacticalRMM","Tailscale"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","remote-access-software","rmm","windows","behavioral-detection"],"_cs_type":"advisory","_cs_vendors":["Acronis","AeroAdmin","American Power Conversion","AnyDesk","AnyAssist","Atera","AweSun","Barracuda Networks","BeyondTrust","CloudRadial","ConnectWise","Devolutions","Domotz","DWService","Famatech","FleetDeck","GetScreen","GoTo","HelpWire","ImmyBot","Impero","ISL Online","JumpCloud","Kaseya","Komari","Level","LogMeIn","Lunixar","ManageEngine","MeshCentral","Microsoft","Mikogo","Nezha","NinjaOne","Parsec","Pulseway","RealVNC","Remotely","RemotePC","Remote Utilities","RPCSuite","Rsupport","RustDesk","SimpleHelp","Splashtop","SuperOps","Supremo","TacticalRMM","Tailscale","Zoho"],"content_html":"\u003cp\u003eThis detection rule identifies a suspicious behavioral pattern on Windows hosts where processes associated with two or more distinct remote monitoring and management (RMM) or remote-access tool vendors are observed initiating within the same eight-minute window. This activity is considered suspicious because it can indicate unauthorized activity, such as an attacker establishing redundant persistence and command and control, the presence of shadow IT, or a potential system compromise. While some legitimate Managed Service Provider (MSP) environments might use multiple tools (e.g., ConnectWise Automate and TeamViewer), this pattern on standard user endpoints or servers warrants immediate investigation. The detection mechanism specifically maps known RMM process names to unique vendor labels (e.g., AnyDesk, Splashtop, NinjaOne), preventing false positives from multiple binaries of the same vendor. This detection helps security teams identify anomalous RMM usage, which is a common tactic for initial access brokers and post-exploitation activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eThis detection focuses on identifying suspicious activity rather than a specific multi-stage attack chain. The presence of multiple RMM tools from distinct vendors typically occurs during the post-compromise phase, as attackers establish persistence and redundant command and control.\u003c/p\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eIf not investigated and addressed, the presence of multiple, potentially unauthorized, remote management tools can lead to severe consequences. Attackers often deploy additional RMM tools to maintain persistence and establish redundant command and control channels, even after their primary access might be remediated. This increases the risk of data exfiltration, further lateral movement, deployment of ransomware, and long-term compromise of the affected host and wider network. Uncontrolled RMM installations also present a significant attack surface due to their elevated privileges and network access capabilities, making the host a critical pivot point for further malicious activities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the described detection logic to identify hosts exhibiting simultaneous process execution from multiple RMM vendors.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 1 (Process Creation) and Windows process creation logging across your environment to ensure comprehensive coverage for process start events.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts related to MITRE ATT\u0026amp;CK technique T1219 (Remote Access Software) to determine legitimacy.\u003c/li\u003e\n\u003cli\u003eFor hosts triggering this detection, immediately investigate the Esql.vendors_seen and Esql.processes_executable_values fields to identify the specific tools involved.\u003c/li\u003e\n\u003cli\u003eFor servers or standard user endpoints, treat such alerts as high risk; review install sources, code signatures, and recent logons for the involved processes.\u003c/li\u003e\n\u003cli\u003eCorrelate alerts with other suspicious activities (e.g., ingress tool transfer, suspicious scripting, new persistence mechanisms) on the same host.\u003c/li\u003e\n\u003cli\u003eEstablish and enforce a clear policy for approved RMM software, ideally limiting to a single approved stack per asset class to reduce false positives and attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T15:47:17Z","date_published":"2026-07-03T15:47:17Z","id":"https://feed.craftedsignal.io/briefs/2026-07-multiple-rmm-vendors-same-host/","summary":"This brief describes a behavioral detection for Windows hosts where two or more distinct remote monitoring and management (RMM) or remote-access tools from different vendors are observed starting processes within an eight-minute window, indicating potential compromise, shadow IT, or attacker staging of redundant access.","title":"Suspicious Activity: Multiple Remote Management Tool Vendors on Same Host","url":"https://feed.craftedsignal.io/briefs/2026-07-multiple-rmm-vendors-same-host/"}],"language":"en","title":"CraftedSignal Threat Feed - MeshCentral","version":"https://jsonfeed.org/version/1.1"}