Elastic Security Detection Rules

First Time Seen Remote Monitoring and Management Tool

Last updated 9 days ago on 2026-03-03
Created 3 years ago on 2023-04-03

About

Adversaries may install legitimate remote monitoring and management (RMM) tools or remote access software on compromised endpoints for command-and-control (C2), persistence, and execution of native commands. This rule detects when a process is started whose name or code signature (or whose parent's name or code signature) resembles commonly abused RMM/remote access tools, including first-time-seen child processes of such tools. New Terms type: host has not seen this process (or child-of-RMM pattern) before within the configured history window.
Tags
Domain: EndpointOS: WindowsUse Case: Threat DetectionTactic: Command and ControlData Source: Elastic DefendData Source: Elastic EndgameData Source: Windows Security Event LogsData Source: SysmonLanguage: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Command and Control (TA0011)(external, opens in a new tab or window)

Remote Access Tools (T1219)(external, opens in a new tab or window)

License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
New Terms Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-endpoint.events.process-*endgame-*winlogbeat-*logs-windows.forwarded*logs-windows.sysmon_operational-*logs-system.security*
Related Integrations

endpoint(external, opens in a new tab or window)

windows(external, opens in a new tab or window)

system(external, opens in a new tab or window)

Query
text code block:
host.os.type: "windows" and

   event.category: "process" and event.type: "start" and

    (
        process.code_signature.subject_name : (
            "Action1 Corporation" or
            "AeroAdmin LLC" or
            "Ammyy LLC" or
            "Atera Networks Ltd" or
            "AWERAY PTE. LTD." or
            "BeamYourScreen GmbH" or
            "Bomgar Corporation" or
            "DUC FABULOUS CO.,LTD" or
            "DOMOTZ INC." or
            "DWSNET OÜ" or
            "FleetDeck Inc" or
            "GlavSoft LLC" or
            "GlavSoft LLC." or
            "Hefei Pingbo Network Technology Co. Ltd" or
            "IDrive, Inc." or
            "IMPERO SOLUTIONS LIMITED" or
            "Instant Housecall" or
            "ISL Online Ltd." or
            "LogMeIn, Inc." or
            "Monitoring Client" or
            "MMSOFT Design Ltd." or
            "Nanosystems S.r.l." or
            "NetSupport Ltd" or
            "NetSupport Ltd." or
            "NETSUPPORT LTD." or
            "NinjaRMM, LLC" or
            "Parallels International GmbH" or
            "philandro Software GmbH" or
            "Pro Softnet Corporation" or
            "RealVNC" or
            "RealVNC Limited" or
            "BreakingSecurity.net" or
            "Remote Utilities LLC" or
            "Rocket Software, Inc." or
            "SAFIB" or
            "Servably, Inc." or
            "ShowMyPC INC" or
            "Splashtop Inc." or
            "Superops Inc." or
            "TeamViewer" or
            "TeamViewer GmbH" or
            "TeamViewer Germany GmbH" or
            "Techinline Limited" or
            "uvnc bvba" or
            "Yakhnovets Denis Aleksandrovich IP" or
            "Zhou Huabing" or
            "ZOHO Corporation Private Limited" or
            "Connectwise, LLC" or  
			"ScreenConnect Client"
        ) or

        process.name.caseless : (
            AA_v*.exe or
            "AeroAdmin.exe" or
            "AnyDesk.exe" or
            "apc_Admin.exe" or
            "apc_host.exe" or
            "AteraAgent.exe" or
            aweray_remote*.exe or
            "AweSun.exe" or
            "AgentMon.exe" or
            "B4-Service.exe" or
            "BASupSrvc.exe" or
            "bomgar-scc.exe" or
            "domotzagent.exe" or
            "domotz-windows-x64-10.exe" or
            "dwagsvc.exe" or
            "DWRCC.exe" or
            "ImperoClientSVC.exe" or
            "ImperoServerSVC.exe" or
            "ISLLight.exe" or
            "ISLLightClient.exe" or
            fleetdeck_commander*.exe or
            "getscreen.exe" or
            "g2aservice.exe" or
            "GoToAssistService.exe" or
            "gotohttp.exe" or
            "jumpcloud-agent.exe" or
            "level.exe" or
            "LvAgent.exe" or
            "LMIIgnition.exe" or
            "LogMeIn.exe" or
            "ManageEngine_Remote_Access_Plus.exe" or
            "MeshAgent.exe" or
            "Mikogo-Service.exe" or
            "NinjaRMMAgent.exe" or
            "NinjaRMMAgenPatcher.exe" or
            "ninjarmm-cli.exe" or
            "parsec.exe" or
            "PService.exe" or
            "quickassist.exe" or
            "r_server.exe" or
            "radmin.exe" or
            "radmin3.exe" or
            "RCClient.exe" or
            "RCService.exe" or
            "RemoteDesktopManager.exe" or
            "RemotePC.exe" or
            "RemotePCDesktop.exe" or
            "RemotePCService.exe" or
            "rfusclient.exe" or
            "ROMServer.exe" or
            "ROMViewer.exe" or
            "RPCSuite.exe" or
            "rserver3.exe" or
            "rustdesk.exe" or
            "rutserv.exe" or
            "rutview.exe" or
            "saazapsc.exe" or
            ScreenConnect*.exe or
            "session_win.exe" or
            "Remote Support.exe" or
            "smpcview.exe" or
            "spclink.exe" or
            "Splashtop-streamer.exe" or
            "Syncro.Overmind.Service.exe" or
            "SyncroLive.Agent.Runner.exe" or
            "SRService.exe" or
            "strwinclt.exe" or
            "Supremo.exe" or
            "SupremoService.exe" or
            "tacticalrmm.exe" or
            "tailscale.exe" or
            "tailscaled.exe" or
            "teamviewer.exe" or
            "ToDesk_Service.exe" or
            "twingate.exe" or
            "TiClientCore.exe" or
            "TSClient.exe" or
            "tvn.exe" or
            "tvnserver.exe" or
            "tvnviewer.exe" or
            UltraVNC*.exe or
            UltraViewer*.exe or
            "vncserver.exe" or
            "vncviewer.exe" or
            "winvnc.exe" or
            "winwvc.exe" or
            "Zaservice.exe" or
            "ZohoURS.exe" or
            "Velociraptor.exe" or
            "ToolsIQ.exe" or
            "CagService.exe" or 
			"ScreenConnect.ClientService.exe" or 
			"TiAgent.exe" or 
			"GoToResolveProcessChecker.exe" or 
			"GoToResolveUnattended.exe"
        ) or
        process.name : (
            AA_v*.exe or
            "AeroAdmin.exe" or
            "AnyDesk.exe" or
            "apc_Admin.exe" or
            "apc_host.exe" or
            "AteraAgent.exe" or
            aweray_remote*.exe or
            "AweSun.exe" or
            "AgentMon.exe" or
            "B4-Service.exe" or
            "BASupSrvc.exe" or
            "bomgar-scc.exe" or
            "CagService.exe" or
            "domotzagent.exe" or
            "domotz-windows-x64-10.exe" or
            "dwagsvc.exe" or
            "DWRCC.exe" or
            "ImperoClientSVC.exe" or
            "ImperoServerSVC.exe" or
            "ISLLight.exe" or
            "ISLLightClient.exe" or
            fleetdeck_commander*.exe or
            "getscreen.exe" or
            "g2aservice.exe" or
            "GoToAssistService.exe" or
            "gotohttp.exe" or
            "jumpcloud-agent.exe" or
            "level.exe" or
            "LvAgent.exe" or
            "LMIIgnition.exe" or
            "LogMeIn.exe" or
            "ManageEngine_Remote_Access_Plus.exe" or
            "MeshAgent.exe" or
            "meshagent.exe" or
            "Mikogo-Service.exe" or
            "NinjaRMMAgent.exe" or
            "NinjaRMMAgenPatcher.exe" or
            "ninjarmm-cli.exe" or
            "parsec.exe" or
            "PService.exe" or
            "quickassist.exe" or
            "r_server.exe" or
            "radmin.exe" or
            "radmin3.exe" or
            "RCClient.exe" or
            "RCService.exe" or
            "RemoteDesktopManager.exe" or
            "RemotePC.exe" or
            "RemotePCDesktop.exe" or
            "RemotePCService.exe" or
            "rfusclient.exe" or
            "ROMServer.exe" or
            "ROMViewer.exe" or
            "RPCSuite.exe" or
            "rserver3.exe" or
            "rustdesk.exe" or
            "rutserv.exe" or
            "rutview.exe" or
            "saazapsc.exe" or
            ScreenConnect*.exe or
            "session_win.exe" or
            "Remote Support.exe" or
            "smpcview.exe" or
            "spclink.exe" or
            "Splashtop-streamer.exe" or
            "Syncro.Overmind.Service.exe" or
            "SyncroLive.Agent.Runner.exe" or
            "SRService.exe" or
            "strwinclt.exe" or
            "Supremo.exe" or
            "SupremoService.exe" or
            "tacticalrmm.exe" or
            "tailscale.exe" or
            "tailscaled.exe" or
            "teamviewer.exe" or
            "TiClientCore.exe" or
            "ToDesk_Service.exe" or
            "twingate.exe" or
            "TSClient.exe" or
            "tvn.exe" or
            "tvnserver.exe" or
            "tvnviewer.exe" or
            UltraVNC*.exe or
            UltraViewer*.exe or
            "vncserver.exe" or
            "vncviewer.exe" or
            "winvnc.exe" or
            "winwvc.exe" or
            "Zaservice.exe" or
            "ZohoURS.exe" or
            "Velociraptor.exe" or
            "ToolsIQ.exe" or 
			"ScreenConnect.ClientService.exe" or 
			"TiAgent.exe" or 
			"GoToResolveProcessChecker.exe" or 
			"GoToResolveUnattended.exe"
        ) or
        process.parent.code_signature.subject_name : (
            "Action1 Corporation" or
            "AeroAdmin LLC" or
            "Ammyy LLC" or
            "Atera Networks Ltd" or
            "AWERAY PTE. LTD." or
            "BeamYourScreen GmbH" or
            "Bomgar Corporation" or
            "DUC FABULOUS CO.,LTD" or
            "DOMOTZ INC." or
            "DWSNET OÜ" or
            "FleetDeck Inc" or
            "GlavSoft LLC" or
            "GlavSoft LLC." or
            "Hefei Pingbo Network Technology Co. Ltd" or
            "IDrive, Inc." or
            "IMPERO SOLUTIONS LIMITED" or
            "Instant Housecall" or
            "ISL Online Ltd." or
            "LogMeIn, Inc." or
            "Monitoring Client" or
            "MMSOFT Design Ltd." or
            "Nanosystems S.r.l." or
            "NetSupport Ltd" or
            "NetSupport Ltd." or
            "NETSUPPORT LTD." or
            "NinjaRMM, LLC" or
            "Parallels International GmbH" or
            "philandro Software GmbH" or
            "Pro Softnet Corporation" or
            "RealVNC" or
            "RealVNC Limited" or
            "BreakingSecurity.net" or
            "Remote Utilities LLC" or
            "Rocket Software, Inc." or
            "SAFIB" or
            "Servably, Inc." or
            "ShowMyPC INC" or
            "Splashtop Inc." or
            "Superops Inc." or
            "TeamViewer" or
            "TeamViewer GmbH" or
            "TeamViewer Germany GmbH" or
            "Techinline Limited" or
            "uvnc bvba" or
            "Yakhnovets Denis Aleksandrovich IP" or
            "Zhou Huabing" or
            "ZOHO Corporation Private Limited" or
            "Connectwise, LLC" or 
			"ScreenConnect Client"
        ) or
        process.parent.name: (
            AA_v*.exe or
            "AeroAdmin.exe" or
            "AnyDesk.exe" or
            "apc_Admin.exe" or
            "apc_host.exe" or
            "AteraAgent.exe" or
            aweray_remote*.exe or
            "AweSun.exe" or
            "AgentMon.exe" or
            "B4-Service.exe" or
            "BASupSrvc.exe" or
            "bomgar-scc.exe" or
            "domotzagent.exe" or
            "domotz-windows-x64-10.exe" or
            "dwagsvc.exe" or
            "DWRCC.exe" or
            "ImperoClientSVC.exe" or
            "ImperoServerSVC.exe" or
            "ISLLight.exe" or
            "ISLLightClient.exe" or
            fleetdeck_commander*.exe or
            "getscreen.exe" or
            "g2aservice.exe" or
            "GoToAssistService.exe" or
            "gotohttp.exe" or
            "jumpcloud-agent.exe" or
            "level.exe" or
            "LvAgent.exe" or
            "LMIIgnition.exe" or
            "LogMeIn.exe" or
            "ManageEngine_Remote_Access_Plus.exe" or
            "MeshAgent.exe" or
            "Mikogo-Service.exe" or
            "NinjaRMMAgent.exe" or
            "NinjaRMMAgenPatcher.exe" or
            "ninjarmm-cli.exe" or
            "parsec.exe" or
            "PService.exe" or
            "quickassist.exe" or
            "r_server.exe" or
            "radmin.exe" or
            "radmin3.exe" or
            "RCClient.exe" or
            "RCService.exe" or
            "RemoteDesktopManager.exe" or
            "RemotePC.exe" or
            "RemotePCDesktop.exe" or
            "RemotePCService.exe" or
            "rfusclient.exe" or
            "ROMServer.exe" or
            "ROMViewer.exe" or
            "RPCSuite.exe" or
            "rserver3.exe" or
            "rustdesk.exe" or
            "rutserv.exe" or
            "rutview.exe" or
            "saazapsc.exe" or
            ScreenConnect*.exe or
            "session_win.exe" or
            "Remote Support.exe" or
            "smpcview.exe" or
            "spclink.exe" or
            "Splashtop-streamer.exe" or
            "Syncro.Overmind.Service.exe" or
            "SyncroLive.Agent.Runner.exe" or
            "SRService.exe" or
            "strwinclt.exe" or
            "Supremo.exe" or
            "SupremoService.exe" or
            "tacticalrmm.exe" or
            "tailscale.exe" or
            "tailscaled.exe" or
            "teamviewer.exe" or
            "ToDesk_Service.exe" or
            "twingate.exe" or
            "TiClientCore.exe" or
            "TSClient.exe" or
            "tvn.exe" or
            "tvnserver.exe" or
            "tvnviewer.exe" or
            UltraVNC*.exe or
            UltraViewer*.exe or
            "vncserver.exe" or
            "vncviewer.exe" or
            "winvnc.exe" or
            "winwvc.exe" or
            "Zaservice.exe" or
            "ZohoURS.exe" or
            "Velociraptor.exe" or
            "ToolsIQ.exe" or
            "CagService.exe" or 
			"TiAgent.exe" or 
			"GoToResolveProcessChecker.exe" or 
			"GoToResolveUnattended.exe"
        )
  ) and
  not (process.pe.original_file_name : ("G2M.exe" or "Updater.exe" or "powershell.exe") and process.code_signature.subject_name : "LogMeIn, Inc.")

Install detection rules in Elastic Security

Detect First Time Seen Remote Monitoring and Management Tool in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).