Vendor

ScreenConnect

4 briefs RSS

First Time Seen Remote Monitoring and Management Tool Execution

Detects the execution of previously unseen remote monitoring and management (RMM) tools or remote access software on compromised Windows endpoints, often leveraged for command-and-control, persistence, and execution of malicious commands.

Elastic Defend +101 remote-access rmm command-and-control persistence

3r Jan 24, 2024

medium advisory

Suspicious DNS Queries to RMM Domains from Non-Browser Processes

2 rules

Detection of DNS queries to remote monitoring and management (RMM) domains from non-browser processes indicating potential misuse of legitimate remote access tools for command and control.

Elastic Endpoint +1 command-and-control remote-access windows

2r Jan 3, 2024

medium advisory

Multiple Remote Management Tool Vendors on Same Host

2 rules

This rule identifies Windows hosts where two or more distinct remote monitoring and management (RMM) or remote-access tool vendors are observed starting processes within the same eight-minute window, potentially indicating compromise, shadow IT, or attacker staging of redundant access.

AeroAdmin +60 remote-access-tool command-and-control rmm windows

2r Jan 3, 2024

medium advisory

Multiple Remote Management Tool Vendors on Same Host

3 rules

This detection identifies a Windows host where two or more distinct remote monitoring and management (RMM) or remote-access tool vendors are observed starting processes within the same eight-minute window, potentially indicating compromise, shadow IT, or attacker staging of redundant access.

AeroAdmin +55 command-and-control rmm windows threat-detection

3r Jan 2, 2024