{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/nezha-agent/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Acronis Cyber Protect Connect","AeroAdmin","APC Remote Management","AnyDesk","AnyAssist","Atera RMM","AweSun Remote Desktop","Barracuda RMM","BeyondTrust Remote Support","CloudRadial","ConnectWise Automate","ConnectWise Control","Devolutions Remote Desktop Manager","Domotz RMM","DWService","FleetDeck Commander","GetScreen","GoTo","HelpWire","ImmyBot RMM","Impero","ISL Online","JumpCloud Agent","Kaseya VSA","Komari","Level.io","LogMeIn","Lunixar Remote","ManageEngine Remote Access Plus","MeshCentral","Microsoft Quick Assist","Mikogo","Nezha Agent","NinjaOne RMM","Parsec","Pulseway RMM","Radmin","RealVNC","Remotely","RemotePC","Remote Utilities","RPCSuite","Rsupport RemoteView","RustDesk","SimpleHelp","Splashtop","SuperOps RMM","Supremo Remote Desktop","TacticalRMM","Tailscale"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","remote-access-software","rmm","windows","behavioral-detection"],"_cs_type":"advisory","_cs_vendors":["Acronis","AeroAdmin","American Power Conversion","AnyDesk","AnyAssist","Atera","AweSun","Barracuda Networks","BeyondTrust","CloudRadial","ConnectWise","Devolutions","Domotz","DWService","Famatech","FleetDeck","GetScreen","GoTo","HelpWire","ImmyBot","Impero","ISL Online","JumpCloud","Kaseya","Komari","Level","LogMeIn","Lunixar","ManageEngine","MeshCentral","Microsoft","Mikogo","Nezha","NinjaOne","Parsec","Pulseway","RealVNC","Remotely","RemotePC","Remote Utilities","RPCSuite","Rsupport","RustDesk","SimpleHelp","Splashtop","SuperOps","Supremo","TacticalRMM","Tailscale","Zoho"],"content_html":"\u003cp\u003eThis detection rule identifies a suspicious behavioral pattern on Windows hosts where processes associated with two or more distinct remote monitoring and management (RMM) or remote-access tool vendors are observed initiating within the same eight-minute window. This activity is considered suspicious because it can indicate unauthorized activity, such as an attacker establishing redundant persistence and command and control, the presence of shadow IT, or a potential system compromise. While some legitimate Managed Service Provider (MSP) environments might use multiple tools (e.g., ConnectWise Automate and TeamViewer), this pattern on standard user endpoints or servers warrants immediate investigation. The detection mechanism specifically maps known RMM process names to unique vendor labels (e.g., AnyDesk, Splashtop, NinjaOne), preventing false positives from multiple binaries of the same vendor. This detection helps security teams identify anomalous RMM usage, which is a common tactic for initial access brokers and post-exploitation activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eThis detection focuses on identifying suspicious activity rather than a specific multi-stage attack chain. The presence of multiple RMM tools from distinct vendors typically occurs during the post-compromise phase, as attackers establish persistence and redundant command and control.\u003c/p\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eIf not investigated and addressed, the presence of multiple, potentially unauthorized, remote management tools can lead to severe consequences. Attackers often deploy additional RMM tools to maintain persistence and establish redundant command and control channels, even after their primary access might be remediated. This increases the risk of data exfiltration, further lateral movement, deployment of ransomware, and long-term compromise of the affected host and wider network. Uncontrolled RMM installations also present a significant attack surface due to their elevated privileges and network access capabilities, making the host a critical pivot point for further malicious activities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the described detection logic to identify hosts exhibiting simultaneous process execution from multiple RMM vendors.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 1 (Process Creation) and Windows process creation logging across your environment to ensure comprehensive coverage for process start events.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts related to MITRE ATT\u0026amp;CK technique T1219 (Remote Access Software) to determine legitimacy.\u003c/li\u003e\n\u003cli\u003eFor hosts triggering this detection, immediately investigate the Esql.vendors_seen and Esql.processes_executable_values fields to identify the specific tools involved.\u003c/li\u003e\n\u003cli\u003eFor servers or standard user endpoints, treat such alerts as high risk; review install sources, code signatures, and recent logons for the involved processes.\u003c/li\u003e\n\u003cli\u003eCorrelate alerts with other suspicious activities (e.g., ingress tool transfer, suspicious scripting, new persistence mechanisms) on the same host.\u003c/li\u003e\n\u003cli\u003eEstablish and enforce a clear policy for approved RMM software, ideally limiting to a single approved stack per asset class to reduce false positives and attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T15:47:17Z","date_published":"2026-07-03T15:47:17Z","id":"https://feed.craftedsignal.io/briefs/2026-07-multiple-rmm-vendors-same-host/","summary":"This brief describes a behavioral detection for Windows hosts where two or more distinct remote monitoring and management (RMM) or remote-access tools from different vendors are observed starting processes within an eight-minute window, indicating potential compromise, shadow IT, or attacker staging of redundant access.","title":"Suspicious Activity: Multiple Remote Management Tool Vendors on Same Host","url":"https://feed.craftedsignal.io/briefs/2026-07-multiple-rmm-vendors-same-host/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AA","Acronis Cyber Protect Connect Agent","AeroAdmin","AgentMon","AnyDesk","APC Admin","APC Host","AteraAgent","Aweray Remote","AweSun","B4-Service","BASupSrvc","Bomgar SCC","CagService","CloudRaCmd","CloudRaSd","CloudRaService","ConnectWise Control","Domotz Agent","DWSNET Agent","DameWare Remote Control","FleetDeck Commander","GetScreen","GoToAssist Service","GoTo Resolve","HelpWire","ImmyAgent","ImmyBot Agent Ephemeral","ImmyUpdater","Impero Client SVC","Impero Server SVC","ISL Light","ISL Light Client","JumpCloud Agent","Komari","Komari Agent","Level","LogMeIn Rescue","LogMeIn Ignition","LogMeIn","LTSvc","LTSvcMon","LTTray","Lunixar","Lunixar Remote","Lunixar Updater","LvAgent","ManageEngine Remote Access Plus","MeshAgent","Mikogo-Service","Nezha-agent","NinjaRMM Agent","NinjaRMM Agent Patcher","NinjaRMM CLI","Parsec","PService","Quick Assist","Radmin","RC EngMgr U","RCClient","RCMgrSVC","RCService","Remote Support","RemoteDesktopManager","Remotely Agent","Remotely Desktop","RemotePC","RemotePCDesktop","RemotePCService","RemoteView","RFUS Client","RMM Agent","ROMServer","ROMViewer","RPCSuite","RustDesk","RUTserv","RUTview","RV Agent","RV Agtray","SAAzAPSC","ScreenConnect","ScreenConnect Client Service","Session Win","SimpleGatewayService","SimpleHelp Customer","SMPC View","SPCLink","Splashtop Streamer","Splashtop SOS","SPSRV","SRAgent","SRService","SRManager","SRServer","STRWinClt","Supremo","SupremoService","Syncro App Runner","Syncro Installer","Syncro Overmind Service","Syncro Service","SyncroLive Agent","SyncroLive Agent Runner","SyncroLive Service","TacticalRMM","Tailscale","TeamViewer","TeamViewer Desktop","TeamViewer Service","TiAgent","TiClientCore","ToDesk Service","ToolsIQ","TSClient","TVN","TVNServer","TVNViewer","Twingate","UltraVNC","UltraViewer","Velociraptor","VNC Server","VNC Viewer","WinVNC","ZA Access","ZA Connect","Zaservice","ZMAgent","Zoho Meeting","ZohoURS","ZohoURSService","Zohotray"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","persistence","execution","rmm","remote-access","windows"],"_cs_type":"advisory","_cs_vendors":["Action1 Corporation","Aeroadmin LLC","AmidaWare LLC","Ammyy LLC","AnyDesk Software GmbH","AOMEI International Network Limited","Atera Networks Ltd","AWERAY PTE. LTD.","BeamYourScreen GmbH","Bomgar Corporation","BreakingSecurity.net","ConnectWise, Inc.","Devolutions Inc","DOMOTZ INC.","DUC FABULOUS CO.,LTD","DWSNET OÜ","Electronic Team, Inc.","Famatech Corp.","FleetDeck Inc","GlavSoft LLC","GoTo Technologies USA, LLC","Hefei Pingbo Network Technology Co. Ltd","IDrive, Inc.","Impero Solutions Limited","Instant Housecall","ISL Online Ltd.","JumpCloud Inc","Level Software, Inc.","LogMeIn, Inc.","LUNIXAR SAS DE CV","MMSOFT Design Ltd.","MSPBytes Corp","N-ABLE TECHNOLOGIES LTD","Nanosystems S.r.l.","NetSupport Ltd","NinjaOne LLC","NinjaRMM, LLC","Parallels International GmbH","philandro Software GmbH","Pro Softnet Corporation","PURSLANE","RealVNC Limited","REMOTE UTILITIES PTE. LTD.","Rocket Software, Inc.","Rsupport Co., Ltd.","SAFIB","Servably, Inc.","ShowMyPC INC","SimpleHelp Ltd","Splashtop Inc.","Superops Inc.","Tailscale Inc.","TeamViewer Germany GmbH","Techinline Limited","uvnc bvba","ZOHO Corporation Private Limited"],"content_html":"\u003cp\u003eAdversaries frequently exploit the trusted nature and broad capabilities of legitimate Remote Monitoring and Management (RMM) and remote access software to maintain covert access and control over compromised Windows systems. This threat brief focuses on the detection of these tools when they are observed for the first time on a given endpoint, indicating potential unauthorized deployment. While these tools are essential for IT administration, their abuse facilitates command-and-control (C2), enables persistence, and allows for the execution of arbitrary commands. Notable campaigns, such as those leading to domain-wide ransomware (as highlighted by The DFIR Report), often involve the misuse of RMM solutions like SimpleHelp, AnyDesk, and ConnectWise Control. This detection method identifies suspicious installations by monitoring process names and code signatures for commonly abused RMM tools, specifically triggering when a \u003ccode\u003ehost.id\u003c/code\u003e and \u003ccode\u003eprocess.name\u003c/code\u003e pair has not been seen within a defined 7-day historical window.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access\u003c/strong\u003e: Adversaries gain initial access to an organization's network, often through methods such as phishing, exploiting vulnerable public-facing applications, or supply chain compromises.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution\u003c/strong\u003e: After establishing a foothold, the adversary deploys a legitimate RMM agent or client onto the compromised Windows host. This deployment may occur via various methods, including malicious ISO files (as referenced in a DFIR report) or existing remote access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence\u003c/strong\u003e: The installed RMM tool is configured by the adversary to ensure continued access to the compromised system, often by establishing itself as a service or through other autorun mechanisms.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control\u003c/strong\u003e: The RMM agent initiates an outbound connection to an adversary-controlled server, establishing a stable and often encrypted C2 channel that blends with legitimate network traffic.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution via RMM\u003c/strong\u003e: The adversary leverages the RMM tool's remote execution capabilities to deploy additional malware, execute commands, exfiltrate data, or initiate further lateral movement within the network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact\u003c/strong\u003e: The adversary achieves their final objective, which can range from data exfiltration and espionage to the deployment of ransomware, encrypting critical organizational data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe abuse of RMM tools by adversaries can lead to severe organizational impact. When compromised, RMM tools provide a high level of control over the affected endpoints, enabling attackers to bypass traditional security controls due to the legitimate nature of the software. This can result in widespread data exfiltration, system damage through unauthorized software installations or configurations, and ultimately, significant financial losses due to ransomware deployment and business disruption. CISA has issued advisories highlighting the use of RMM tools in ransomware campaigns, underscoring the critical risk these compromises pose to organizations across all sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u0026quot;First Time Seen Remote Monitoring and Management Tool (Windows)\u0026quot; to your SIEM and tune it for your environment.\u003c/li\u003e\n\u003cli\u003eEnsure Sysmon process creation and code signing event logging is enabled across all Windows endpoints to provide the necessary telemetry for the detection rule.\u003c/li\u003e\n\u003cli\u003eInvestigate all alerts generated by this rule immediately, focusing on the \u003ccode\u003eprocess.executable\u003c/code\u003e, \u003ccode\u003eprocess.command_line\u003c/code\u003e, and \u003ccode\u003eprocess.code_signature.subject_name\u003c/code\u003e fields.\u003c/li\u003e\n\u003cli\u003eReview network logs for suspicious outbound connections from newly observed RMM processes.\u003c/li\u003e\n\u003cli\u003eEstablish clear organizational policies for RMM tool deployment and usage, including strict change management processes and whitelisting of authorized RMM executables and signers.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T15:36:36Z","date_published":"2026-07-03T15:36:36Z","id":"https://feed.craftedsignal.io/briefs/2026-07-first-seen-rmm/","summary":"Adversaries are leveraging legitimate Remote Monitoring and Management (RMM) and remote access tools on Windows endpoints for command-and-control, persistence, and execution, with detection focusing on the first observed instance of these tools on a host.","title":"First Time Seen Remote Monitoring and Management Tool Detection","url":"https://feed.craftedsignal.io/briefs/2026-07-first-seen-rmm/"}],"language":"en","title":"CraftedSignal Threat Feed - Nezha-Agent","version":"https://jsonfeed.org/version/1.1"}