Product
medium
advisory
Multiple Remote Management Tool Vendors on Same Host
2 rules
This rule identifies Windows hosts where two or more distinct remote monitoring and management (RMM) or remote-access tool vendors are observed starting processes within the same eight-minute window, potentially indicating compromise, shadow IT, or attacker staging of redundant access.
AeroAdmin +60
remote-access-tool
command-and-control
rmm
windows
medium
advisory
Detection of Windows RMM Tool Execution
3 rules, 1 TTP
Detects process creation events indicative of remote management tools, potentially signifying legitimate use or malicious exploitation by threat actors abusing RMM software.
AnyDesk +28
rmm
remote-access
sysmon