Uncommon or Suspicious RMM Tool Execution Detected

Type: alert
Time window: 10m
Match by: hostname, image, rmm_company_info
Author: Georg Lauenstein - suresecure GmbH
Source: github.com/chronicle/detection-rules

This detection rule identifies uncommon or suspicious Remote Monitoring and Management (RMM) tools, leveraging intelligence from the LOL-RMM (Living Off the Land RMM) project. While RMM tools are widely used for IT administration, remote support, and network management, they are also frequently abused by attackers, initial access brokers (IABs), and ransomware operators to establish persistent remote access, execute malicious commands, or deploy additional payloads. This rule detects RMM software that is not commonly observed in the environment, indicating potential unauthorized access or lateral movement.

MITRE ATT&CK coverage

Tactic	Techniques
Command & Control	`T1219` Remote Access Tools

References

https://lolrmm.io/

Event coverage

Provider	Event	Title
Sysmon	Event ID 1	Process creation
Security-Auditing	Event ID 4688	A new process has been created.

Rule body yaral

/*
 * Copyright 2025 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

rule win_pua_detection_of_uncommon_rmm {

  meta:
    author = "Georg Lauenstein - suresecure GmbH"
    description = "This detection rule identifies uncommon or suspicious Remote Monitoring and Management (RMM) tools, leveraging intelligence from the LOL-RMM (Living Off the Land RMM) project. While RMM tools are widely used for IT administration, remote support, and network management, they are also frequently abused by attackers, initial access brokers (IABs), and ransomware operators to establish persistent remote access, execute malicious commands, or deploy additional payloads. This rule detects RMM software that is not commonly observed in the environment, indicating potential unauthorized access or lateral movement."
    rule_id = "mr_f5681a0f-215f-4055-80c7-864ee39bcfb8"
    rule_name = "Uncommon or Suspicious RMM Tool Execution Detected"
    tactic = "TA0011"
    technique = "T1219"
    reference = "https://lolrmm.io/"
    type = "alert"
    platform = "Windows, EDR"
    data_source = "Microsoft Sysmon, Windows Event Logs"
    severity = "Medium"  // Adjust based on your risk assessment
    priority = "Medium"  // Adjust based on your incident response process

  events:
    $rmm_tool.metadata.event_type = "PROCESS_LAUNCH"

    (
      // 247ithelp.com (ConnectWise) RMM
      $rmm_tool.target.process.file.full_path = /\\Remote Workforce Client\.exe$/ nocase
    ) or

    (
      // Potential Acronic Cyber Protect (Remotix) RMM Tool Process Activity
      $rmm_tool.target.process.file.full_path = /\\AcronisCyberProtectConnectAgent\.exe$/ nocase
    ) or

    (
      // Potential AeroAdmin RMM Tool Process Activity
      $rmm_tool.target.process.file.full_path = /\\aeroadmin\.exe|\\AeroAdmin\.exe/ nocase
    ) or

    (
      // Potential Air Live Drive RMM Tool Process Activity
      $rmm_tool.target.process.file.full_path = /\\AirLiveDrive\.exe$/ nocase
    ) or

    (
      // Potential AliWangWang-remote-control RMM Tool Process Activity
      $rmm_tool.target.process.file.full_path = /\\alitask\.exe$/ nocase
    ) or

    (
      // Potential Alpemix RMM Tool Process Activity
      $rmm_tool.target.process.file.full_path = /\\AlpemixService\.exe$/ nocase
    ) or

    (
      // Potential Any Support RMM Tool Process Activity
      $rmm_tool.target.process.file.full_path = /\\ManualLauncher\.exe$/ nocase
    ) or

    (
      // Potential Anyplace Control RMM Tool Process Activity
      $rmm_tool.target.process.file.full_path = /\\apc_host\.exe$/ nocase
    ) or

    (
      // Potential aria2 RMM Tool Process Activity
      $rmm_tool.target.process.file.full_path = /\\aria2c\.exe$/ nocase
    ) or

    (
      // Potential Atera RMM Tool Process Activity
      $rmm_tool.target.process.file.full_path = /\\AgentPackageNetworkDiscovery\.exe|\\AgentPackageTaskScheduler\.exe|\\AteraAgent\.exe|\\atera_agent\.exe|\\ateraagent\.exe/ nocase
    ) or

    (
      // Potential Auvik RMM Tool Process Activity
      $rmm_tool.target.process.file.full_path = /\\auvik\.engine\.exe|\\auvik\.agent\.exe/ nocase
    ) or

    (
      // Potential Absolute (Computrace) RMM Tool Process Activity
      $rmm_tool.target.process.file.full_path = /\\rpcnet\.exe|\\ctes\.exe|\\ctespersitence\.exe|\\cteshostsvc\.exe|\\rpcld\.exe/ nocase
    ) or

    (
      // Potential Bluetrait MSP Agent Tool Process Activity
      $rmm_tool.target.process.file.full_path = /\\Bluetrait MSP Agent\.exe|\\BluetraitUserAgent\.exe|\\Bluetrait Agent\\libraries\\paexec\.exe/ nocase
    ) or

    (
      // Potential BeamYourScreen RMM Tool Process Activity
      $rmm_tool.target.process.file.full_path = /\\beamyourscreen\.exe|\\beamyourscreen-host\.exe/ nocase
    ) or

    (
      // Potential Connectwise Automate (LabTech) RMM Tool Process Activity
      $rmm_tool.target.process.file.full_path = /\\ltsvc\.exe|\\ltsvcmon\.exe|\\lttray\.exe/ nocase
    ) or

    (
      // Potential Duplicati RMM Tool Process Activity
      $rmm_tool.target.process.file.full_path = /\\Duplicati\.Server\.exe$/ nocase
    ) or

    (
      // Potential FixMe.it RMM Tool Process Activity
      $rmm_tool.target.process.file.full_path = /\\FixMeit Unattended Access Setup\.exe|\\TiExpertStandalone\.exe|\\FixMeit Client\.exe|\\FixMeit Expert Setup\.exe|\\TiExpertCore\.exe|\\TiClientCore\.exe/ nocase
    ) or

    (
      // Potential FleetDeck.io RMM Tool Process Activity
      $rmm_tool.target.process.file.full_path = /\\fleetdeck_agent_svc\.exe|\\fleetdeck_commander_svc\.exe|\\fleetdeck_installer\.exe|\\fleetdeck_commander_launcher\.exe|\\fleetdeck_agent\.exe/ nocase
    ) or

    (
      // Potential Level.io RMM Tool Process Activity
      $rmm_tool.target.process.file.full_path = /\\level-windows-amd64\.exe|\\level\.exe|\\level-remote-control-ffmpeg\.exe/ nocase
    ) or

    (
      // Potential NetSupport Manager RMM Tool Process Activity
      $rmm_tool.target.process.file.full_path = /\\pcictlui\.exe|\\client32\.exe|\\pcicfgui\.exe/ nocase
    ) or

    (
      // Potential NinjaRMM RMM Tool Process Activity
      $rmm_tool.target.process.file.full_path = /\\ninjarmmagent\.exe|\\NinjaRMMAgent\.exe|\\NinjaRMMAgenPatcher\.exe|\\ninjarmm-cli\.exe/ nocase
    ) or

    (
      // Potential REMCOS RMM Tool Process Activity
      $rmm_tool.target.process.file.full_path = /\\remcos/ nocase
    ) or

    (
      // Potential Rocket Remote Desktop RMM Tool Process Activity
      $rmm_tool.target.process.file.full_path = /\\RocketRemoteDesktop_Setup\.exe$/ nocase
    ) or

    (
      // Potential Tactical RMM Tool Process Activity
      $rmm_tool.target.process.file.full_path = /\\tacticalrmm\.exe$/ nocase
    ) or

    (
      // Potential TightVNC RMM Tool Process Activity
      $rmm_tool.target.process.file.full_path = /\\tvnviewer\.exe|\\tvnserver\.exe/ nocase
    ) or

    (
      // Potential Zoho Assist RMM Tool Process Activity
      $rmm_tool.target.process.file.full_path = /\\zaservice\.exe|\\ZA_Access\.exe|\\ZohoMeeting\.exe|\\Zohours\.exe|\\zohotray\.exe|\\ZohoURSService\.exe|\\Zaservice\.exe|\\za_connect\.exe|\\ZMAgent\.exe/ nocase
    )

    $rmm_tool.principal.hostname = $hostname
    $rmm_tool.target.process.file.full_path = $image
    $rmm_tool.extracted.fields["Company"] = $rmm_company_info

    // Filter for known RMM Tools based on Customer Information
    // not $rmm_tool.target.process.file.full_path in %known_rmm_tools nocase

  match:
    $hostname, $image, $rmm_company_info over 10m

  outcome:
    $risk_score = max(65)
    $event_count = count_distinct($rmm_tool.metadata.id)
    $principal_process_pid = array_distinct($rmm_tool.principal.process.pid)
    $principal_process_command_line = array_distinct($rmm_tool.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($rmm_tool.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($rmm_tool.principal.process.file.full_path)
    $principal_process_product_specific_process_id = array_distinct($rmm_tool.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specific_process_id = array_distinct($rmm_tool.principal.process.parent_process.product_specific_process_id)
    $target_process_pid = array_distinct($rmm_tool.target.process.pid)
    $target_process_command_line = array_distinct($rmm_tool.target.process.command_line)
    $target_process_file_sha256 = array_distinct($rmm_tool.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($rmm_tool.target.process.file.full_path)
    $target_process_product_specific_process_id = array_distinct($rmm_tool.target.process.product_specific_process_id)
    $principal_user_userid = array_distinct($rmm_tool.principal.user.userid)

  condition:
    $rmm_tool
}

Detection logic

Fires when at least one $rmm_tool event in the 10m window.

Events

`$rmm_tool` `PROCESS_LAUNCH` (`1`, `4688`)

target.process.file.full_path matches "\\Remote Workforce Client\.exe$"
target.process.file.full_path matches "\\AcronisCyberProtectConnectAgent\.exe$"
target.process.file.full_path matches "\\aeroadmin\.exe|\\AeroAdmin\.exe"
target.process.file.full_path matches "\\AirLiveDrive\.exe$"
target.process.file.full_path matches "\\alitask\.exe$"
target.process.file.full_path matches "\\AlpemixService\.exe$"
target.process.file.full_path matches "\\ManualLauncher\.exe$"
target.process.file.full_path matches "\\apc_host\.exe$"
target.process.file.full_path matches "\\aria2c\.exe$"
target.process.file.full_path matches "\\AgentPackageNetworkDiscovery\.exe|\\AgentPackageTaskScheduler\.exe|\\AteraAgent\.exe|\\atera_agent\.exe|\\ateraagent\.exe"
target.process.file.full_path matches "\\auvik\.engine\.exe|\\auvik\.agent\.exe"
target.process.file.full_path matches "\\rpcnet\.exe|\\ctes\.exe|\\ctespersitence\.exe|\\cteshostsvc\.exe|\\rpcld\.exe"
target.process.file.full_path matches "\\Bluetrait MSP Agent\.exe|\\BluetraitUserAgent\.exe|\\Bluetrait Agent\\libraries\\paexec\.exe"
target.process.file.full_path matches "\\beamyourscreen\.exe|\\beamyourscreen-host\.exe"
target.process.file.full_path matches "\\ltsvc\.exe|\\ltsvcmon\.exe|\\lttray\.exe"
target.process.file.full_path matches "\\Duplicati\.Server\.exe$"
target.process.file.full_path matches "\\FixMeit Unattended Access Setup\.exe|\\TiExpertStandalone\.exe|\\FixMeit Client\.exe|\\FixMeit Expert Setup\.exe|\\TiExpertCore\.exe|\\TiClientCore\.exe"
target.process.file.full_path matches "\\fleetdeck_agent_svc\.exe|\\fleetdeck_commander_svc\.exe|\\fleetdeck_installer\.exe|\\fleetdeck_commander_launcher\.exe|\\fleetdeck_agent\.exe"
target.process.file.full_path matches "\\level-windows-amd64\.exe|\\level\.exe|\\level-remote-control-ffmpeg\.exe"
target.process.file.full_path matches "\\pcictlui\.exe|\\client32\.exe|\\pcicfgui\.exe"
target.process.file.full_path matches "\\ninjarmmagent\.exe|\\NinjaRMMAgent\.exe|\\NinjaRMMAgenPatcher\.exe|\\ninjarmm-cli\.exe"
target.process.file.full_path matches "\\remcos"
target.process.file.full_path matches "\\RocketRemoteDesktop_Setup\.exe$"
target.process.file.full_path matches "\\tacticalrmm\.exe$"
target.process.file.full_path matches "\\tvnviewer\.exe|\\tvnserver\.exe"
target.process.file.full_path matches "\\zaservice\.exe|\\ZA_Access\.exe|\\ZohoMeeting\.exe|\\Zohours\.exe|\\zohotray\.exe|\\ZohoURSService\.exe|\\Zaservice\.exe|\\za_connect\.exe|\\ZMAgent\.exe"

Correlation

Match key: $hostname (principal.hostname), $image (target.process.file.full_path), $rmm_company_info (extracted.fields["Company"])
Within: 10m

Outcome

Fields the detection emits on a match. $risk_score drives alerting; Chronicle surfaces the rest on the detection.

Field	Expression
`risk_score`	`max(65)`
`event_count`	`count_distinct($rmm_tool.metadata.id)`
`principal_process_pid`	`array_distinct($rmm_tool.principal.process.pid)`
`principal_process_command_line`	`array_distinct($rmm_tool.principal.process.command_line)`
`principal_process_file_sha256`	`array_distinct($rmm_tool.principal.process.file.sha256)`
`principal_process_file_full_path`	`array_distinct($rmm_tool.principal.process.file.full_path)`
`principal_process_product_specific_process_id`	`array_distinct($rmm_tool.principal.process.product_specific_process_id)`
`principal_process_parent_process_product_specific_process_id`	`array_distinct($rmm_tool.principal.process.parent_process.product_specific_process_id)`
`target_process_pid`	`array_distinct($rmm_tool.target.process.pid)`
`target_process_command_line`	`array_distinct($rmm_tool.target.process.command_line)`
`target_process_file_sha256`	`array_distinct($rmm_tool.target.process.file.sha256)`
`target_process_file_full_path`	`array_distinct($rmm_tool.target.process.file.full_path)`
`target_process_product_specific_process_id`	`array_distinct($rmm_tool.target.process.product_specific_process_id)`
`principal_user_userid`	`array_distinct($rmm_tool.principal.user.userid)`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Uncommon or Suspicious RMM Tool Execution Detected

MITRE ATT&CK coverage

References

Event coverage

Rule body yaral

Detection logic

Events

`$rmm_tool` `PROCESS_LAUNCH` (`1`, `4688`)

Correlation

Outcome

Keyboard shortcuts

Search operators

Uncommon or Suspicious RMM Tool Execution Detected

MITRE ATT&CK coverage

References

Event coverage

Rule body yaral

Detection logic

Events

$rmm_tool PROCESS_LAUNCH (1, 4688)

Correlation

Outcome

`$rmm_tool` `PROCESS_LAUNCH` (`1`, `4688`)