Vendor
Tiflux RMM Abused in Malspam Campaign
2 rules, 1 TTP, 2 IOCs
A malspam campaign is abusing the legitimate Tiflux RMM software to gain stealthy remote access and persistence on victim machines.
First Time Seen Remote Monitoring and Management Tool Execution
3 rules
Detects the execution of previously unseen remote monitoring and management (RMM) tools or remote access software on compromised Windows endpoints, often leveraged for command-and-control, persistence, and execution of malicious commands.
Suspicious DNS Queries to RMM Domains from Non-Browser Processes
2 rules
Detection of DNS queries to remote monitoring and management (RMM) domains from non-browser processes, indicating potential misuse of legitimate remote access tools for command and control.
Multiple Remote Management Tool Vendors on Same Host
2 rules
This rule identifies Windows hosts where two or more distinct remote monitoring and management (RMM) or remote-access tool vendors are observed starting processes within the same eight-minute window, potentially indicating compromise, shadow IT, or attacker staging of redundant access.
Detection of Windows RMM Tool Execution
3 rules, 1 TTP
Detects process creation events indicative of remote management tools, potentially signifying legitimate use or malicious exploitation by threat actors abusing RMM software.
Multiple Remote Management Tool Vendors on Same Host
3 rules
This detection identifies a Windows host where two or more distinct remote monitoring and management (RMM) or remote-access tool vendors are observed starting processes within the same eight-minute window, potentially indicating compromise, shadow IT, or attacker staging of redundant access.