Pulseway

Detects process creation events indicative of remote management tools, potentially signifying legitimate use or malicious exploitation by threat actors abusing RMM software.

This detection identifies a Windows host where two or more distinct remote monitoring and management (RMM) or remote-access tool vendors are observed starting processes within the same eight-minute window, potentially indicating compromise, shadow IT, or attacker staging of redundant access.