Command and Control (TA0011)
endpoint
windows
sentinel_one_cloud_funnel
m365_defender
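// Multiple Remote Management Tool Vendors on Same Host (Command and Control, TA0011).
// Reports Windows hosts on which processes belonging to two or more distinct remote
// management / remote access vendors were started, keyed by host.name and host.id.
// Output: Esql.vendor_count, Esql.vendors_seen, Esql.processes_executable_values,
// Esql.first_seen, Esql.last_seen per host, sorted by vendor count descending.
from logs-endpoint.events.process-*, endgame-*, logs-crowdstrike.fdr*, logs-m365_defender.event-*, logs-sentinel_one_cloud_funnel.*, logs-system.security*, logs-windows.sysmon_operational-*, logs-windows.forwarded*, winlogbeat-* metadata _id, _version, _index
// Only Windows process-start events with a populated process.name are considered.
| where (host.os.type == "windows" or host.os.family == "windows")
    and event.category == "process"
    and event.type == "start"
    and process.name is not null
// Map the executable name to a vendor label. `==` matches exactly and is case-sensitive,
// which is why both "MeshAgent.exe" and "meshagent.exe" are listed; `like` branches use
// `*` wildcards. CASE takes the first matching branch, so a wildcard entry already covers
// any exact name it would match (e.g. "ScreenConnect*.exe" covers
// "ScreenConnect.ClientService.exe"; a separate exact branch for it would be unreachable).
// NOTE(review): several exact entries are all-lowercase ("teamviewer.exe", "parsec.exe",
// "rustdesk.exe"); if the source logs preserve the on-disk casing of the executable these
// will not match — confirm against the data before relying on them.
| eval Esql.rmm_vendor = case(
    process.name == "AeroAdmin.exe", "AeroAdmin",
    process.name == "AnyDesk.exe", "AnyDesk",
    process.name == "AteraAgent.exe", "Atera",
    process.name == "AweSun.exe", "AweSun",
    process.name like "aweray_remote*.exe", "AweSun",
    process.name == "apc_Admin.exe", "APC",
    process.name == "apc_host.exe", "APC",
    process.name == "BASupSrvc.exe", "BeyondTrust",
    process.name == "bomgar-scc.exe", "BeyondTrust",
    process.name == "Remote Support.exe", "BeyondTrust",
    process.name == "B4-Service.exe", "BeyondTrust",
    process.name == "CagService.exe", "BarracudaRMM",
    process.name == "domotzagent.exe", "Domotz",
    process.name == "domotz-windows-x64-10.exe", "Domotz",
    process.name == "dwagsvc.exe", "DWService",
    process.name == "DWRCC.exe", "DWService",
    process.name like "fleetdeck_commander*.exe", "FleetDeck",
    process.name == "getscreen.exe", "GetScreen",
    process.name == "g2aservice.exe", "GoTo",
    process.name == "GoToAssistService.exe", "GoTo",
    process.name == "gotohttp.exe", "GoTo",
    process.name == "GoToResolveProcessChecker.exe", "GoTo",
    process.name == "GoToResolveUnattended.exe", "GoTo",
    process.name == "ImperoClientSVC.exe", "Impero",
    process.name == "ImperoServerSVC.exe", "Impero",
    process.name == "ISLLight.exe", "ISLOnline",
    process.name == "ISLLightClient.exe", "ISLOnline",
    process.name == "jumpcloud-agent.exe", "JumpCloud",
    process.name == "level.exe", "Level",
    process.name == "LvAgent.exe", "Level",
    process.name == "LMIIgnition.exe", "LogMeIn",
    process.name == "LogMeIn.exe", "LogMeIn",
    process.name == "ManageEngine_Remote_Access_Plus.exe", "ManageEngine",
    process.name == "MeshAgent.exe", "MeshCentral",
    process.name == "meshagent.exe", "MeshCentral",
    process.name == "Mikogo-Service.exe", "Mikogo",
    process.name == "NinjaRMMAgent.exe", "NinjaOne",
    process.name == "NinjaRMMAgenPatcher.exe", "NinjaOne",
    process.name == "ninjarmm-cli.exe", "NinjaOne",
    process.name == "parsec.exe", "Parsec",
    process.name == "PService.exe", "Pulseway",
    process.name == "r_server.exe", "Radmin",
    process.name == "radmin.exe", "Radmin",
    process.name == "radmin3.exe", "Radmin",
    process.name == "rserver3.exe", "Radmin",
    process.name == "vncserver.exe", "RealVNC",
    process.name == "vncviewer.exe", "RealVNC",
    process.name == "winvnc.exe", "RealVNC",
    process.name == "ROMServer.exe", "RealVNC",
    process.name == "ROMViewer.exe", "RealVNC",
    process.name == "RemotePC.exe", "RemotePC",
    process.name == "RemotePCDesktop.exe", "RemotePC",
    process.name == "RemotePCService.exe", "RemotePC",
    process.name == "RemoteDesktopManager.exe", "Devolutions",
    process.name == "RCClient.exe", "RPCSuite",
    process.name == "RCService.exe", "RPCSuite",
    process.name == "RPCSuite.exe", "RPCSuite",
    process.name == "rustdesk.exe", "RustDesk",
    process.name == "rutserv.exe", "RemoteUtilities",
    process.name == "rutview.exe", "RemoteUtilities",
    process.name == "saazapsc.exe", "Kaseya",
    // Wildcard covers every ScreenConnect*.exe binary, including ScreenConnect.ClientService.exe.
    process.name like "ScreenConnect*.exe", "ScreenConnect",
    process.name == "Splashtop-streamer.exe", "Splashtop",
    process.name == "strwinclt.exe", "Splashtop",
    process.name == "SRService.exe", "Splashtop",
    process.name == "smpcview.exe", "Splashtop",
    process.name == "spclink.exe", "Splashtop",
    process.name == "rfusclient.exe", "Splashtop",
    process.name == "Supremo.exe", "Supremo",
    process.name == "SupremoService.exe", "Supremo",
    process.name == "Syncro.Overmind.Service.exe", "Splashtop",
    process.name == "SyncroLive.Agent.Runner.exe", "Splashtop",
    process.name == "Syncro.Installer.exe", "Splashtop",
    process.name == "tacticalrmm.exe", "TacticalRMM",
    process.name == "tailscale.exe", "Tailscale",
    process.name == "tailscaled.exe", "Tailscale",
    process.name == "teamviewer.exe", "TeamViewer",
    process.name == "ticlientcore.exe", "Tiflux",
    process.name == "TiAgent.exe", "Tiflux",
    process.name == "ToDesk_Service.exe", "ToDesk",
    process.name == "twingate.exe", "Twingate",
    process.name == "tvn.exe", "TightVNC",
    process.name == "tvnserver.exe", "TightVNC",
    process.name == "tvnviewer.exe", "TightVNC",
    process.name == "winwvc.exe", "TightVNC",
    process.name like "UltraVNC*.exe", "UltraVNC",
    process.name like "UltraViewer*.exe", "UltraViewer",
    process.name like "AA_v*.exe", "AnyAssist",
    process.name == "Velociraptor.exe", "Velociraptor",
    process.name == "ToolsIQ.exe", "ToolsIQ",
    process.name == "session_win.exe", "ZohoAssist",
    process.name == "Zaservice.exe", "ZohoAssist",
    process.name == "ZohoURS.exe", "ZohoAssist",
    // Default: not a known RMM executable; dropped by the next WHERE.
    ""
  )
| where Esql.rmm_vendor != "" and Esql.rmm_vendor is not NULL
// One row per host: how many distinct vendors were seen, which ones, the executables
// involved, and the observation window.
| stats
    Esql.vendor_count = count_distinct(Esql.rmm_vendor),
    Esql.vendors_seen = values(Esql.rmm_vendor),
    Esql.processes_executable_values = values(process.executable),
    Esql.first_seen = min(@timestamp),
    Esql.last_seen = max(@timestamp)
  by host.name, host.id
// A single vendor is normal for a managed endpoint; two or more is the signal.
| where Esql.vendor_count >= 2
| sort Esql.vendor_count desc
| keep host.id, host.name, Esql.*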
Install detection rules in Elastic Security
Detect Multiple Remote Management Tool Vendors on Same Host in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.