Detection rules › YARA-L
Uncommon or Suspicious RMM Tool Execution Detected
This detection rule identifies uncommon or suspicious Remote Monitoring and Management (RMM) tools, leveraging intelligence from the LOL-RMM (Living Off the Land RMM) project. While RMM tools are widely used for IT administration, remote support, and network management, they are also frequently abused by attackers, initial access brokers (IABs), and ransomware operators to establish persistent remote access, execute malicious commands, or deploy additional payloads. This rule detects RMM software that is not commonly observed in the environment, indicating potential unauthorized access or lateral movement.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Command & Control | T1219 Remote Access Tools |
References
Event coverage
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 1 | Process creation |
| Security-Auditing | Event ID 4688 | A new process has been created. |
Rule body yaral
/*
* Copyright 2025 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
rule win_pua_detection_of_uncommon_rmm {
meta:
author = "Georg Lauenstein - suresecure GmbH"
description = "This detection rule identifies uncommon or suspicious Remote Monitoring and Management (RMM) tools, leveraging intelligence from the LOL-RMM (Living Off the Land RMM) project. While RMM tools are widely used for IT administration, remote support, and network management, they are also frequently abused by attackers, initial access brokers (IABs), and ransomware operators to establish persistent remote access, execute malicious commands, or deploy additional payloads. This rule detects RMM software that is not commonly observed in the environment, indicating potential unauthorized access or lateral movement."
rule_id = "mr_f5681a0f-215f-4055-80c7-864ee39bcfb8"
rule_name = "Uncommon or Suspicious RMM Tool Execution Detected"
tactic = "TA0011"
technique = "T1219"
reference = "https://lolrmm.io/"
type = "alert"
platform = "Windows, EDR"
data_source = "Microsoft Sysmon, Windows Event Logs"
severity = "Medium" // Adjust based on your risk assessment
priority = "Medium" // Adjust based on your incident response process
events:
$rmm_tool.metadata.event_type = "PROCESS_LAUNCH"
(
// 247ithelp.com (ConnectWise) RMM
$rmm_tool.target.process.file.full_path = /\\Remote Workforce Client\.exe$/ nocase
) or
(
// Potential Acronic Cyber Protect (Remotix) RMM Tool Process Activity
$rmm_tool.target.process.file.full_path = /\\AcronisCyberProtectConnectAgent\.exe$/ nocase
) or
(
// Potential AeroAdmin RMM Tool Process Activity
$rmm_tool.target.process.file.full_path = /\\aeroadmin\.exe|\\AeroAdmin\.exe/ nocase
) or
(
// Potential Air Live Drive RMM Tool Process Activity
$rmm_tool.target.process.file.full_path = /\\AirLiveDrive\.exe$/ nocase
) or
(
// Potential AliWangWang-remote-control RMM Tool Process Activity
$rmm_tool.target.process.file.full_path = /\\alitask\.exe$/ nocase
) or
(
// Potential Alpemix RMM Tool Process Activity
$rmm_tool.target.process.file.full_path = /\\AlpemixService\.exe$/ nocase
) or
(
// Potential Any Support RMM Tool Process Activity
$rmm_tool.target.process.file.full_path = /\\ManualLauncher\.exe$/ nocase
) or
(
// Potential Anyplace Control RMM Tool Process Activity
$rmm_tool.target.process.file.full_path = /\\apc_host\.exe$/ nocase
) or
(
// Potential aria2 RMM Tool Process Activity
$rmm_tool.target.process.file.full_path = /\\aria2c\.exe$/ nocase
) or
(
// Potential Atera RMM Tool Process Activity
$rmm_tool.target.process.file.full_path = /\\AgentPackageNetworkDiscovery\.exe|\\AgentPackageTaskScheduler\.exe|\\AteraAgent\.exe|\\atera_agent\.exe|\\ateraagent\.exe/ nocase
) or
(
// Potential Auvik RMM Tool Process Activity
$rmm_tool.target.process.file.full_path = /\\auvik\.engine\.exe|\\auvik\.agent\.exe/ nocase
) or
(
// Potential Absolute (Computrace) RMM Tool Process Activity
$rmm_tool.target.process.file.full_path = /\\rpcnet\.exe|\\ctes\.exe|\\ctespersitence\.exe|\\cteshostsvc\.exe|\\rpcld\.exe/ nocase
) or
(
// Potential Bluetrait MSP Agent Tool Process Activity
$rmm_tool.target.process.file.full_path = /\\Bluetrait MSP Agent\.exe|\\BluetraitUserAgent\.exe|\\Bluetrait Agent\\libraries\\paexec\.exe/ nocase
) or
(
// Potential BeamYourScreen RMM Tool Process Activity
$rmm_tool.target.process.file.full_path = /\\beamyourscreen\.exe|\\beamyourscreen-host\.exe/ nocase
) or
(
// Potential Connectwise Automate (LabTech) RMM Tool Process Activity
$rmm_tool.target.process.file.full_path = /\\ltsvc\.exe|\\ltsvcmon\.exe|\\lttray\.exe/ nocase
) or
(
// Potential Duplicati RMM Tool Process Activity
$rmm_tool.target.process.file.full_path = /\\Duplicati\.Server\.exe$/ nocase
) or
(
// Potential FixMe.it RMM Tool Process Activity
$rmm_tool.target.process.file.full_path = /\\FixMeit Unattended Access Setup\.exe|\\TiExpertStandalone\.exe|\\FixMeit Client\.exe|\\FixMeit Expert Setup\.exe|\\TiExpertCore\.exe|\\TiClientCore\.exe/ nocase
) or
(
// Potential FleetDeck.io RMM Tool Process Activity
$rmm_tool.target.process.file.full_path = /\\fleetdeck_agent_svc\.exe|\\fleetdeck_commander_svc\.exe|\\fleetdeck_installer\.exe|\\fleetdeck_commander_launcher\.exe|\\fleetdeck_agent\.exe/ nocase
) or
(
// Potential Level.io RMM Tool Process Activity
$rmm_tool.target.process.file.full_path = /\\level-windows-amd64\.exe|\\level\.exe|\\level-remote-control-ffmpeg\.exe/ nocase
) or
(
// Potential NetSupport Manager RMM Tool Process Activity
$rmm_tool.target.process.file.full_path = /\\pcictlui\.exe|\\client32\.exe|\\pcicfgui\.exe/ nocase
) or
(
// Potential NinjaRMM RMM Tool Process Activity
$rmm_tool.target.process.file.full_path = /\\ninjarmmagent\.exe|\\NinjaRMMAgent\.exe|\\NinjaRMMAgenPatcher\.exe|\\ninjarmm-cli\.exe/ nocase
) or
(
// Potential REMCOS RMM Tool Process Activity
$rmm_tool.target.process.file.full_path = /\\remcos/ nocase
) or
(
// Potential Rocket Remote Desktop RMM Tool Process Activity
$rmm_tool.target.process.file.full_path = /\\RocketRemoteDesktop_Setup\.exe$/ nocase
) or
(
// Potential Tactical RMM Tool Process Activity
$rmm_tool.target.process.file.full_path = /\\tacticalrmm\.exe$/ nocase
) or
(
// Potential TightVNC RMM Tool Process Activity
$rmm_tool.target.process.file.full_path = /\\tvnviewer\.exe|\\tvnserver\.exe/ nocase
) or
(
// Potential Zoho Assist RMM Tool Process Activity
$rmm_tool.target.process.file.full_path = /\\zaservice\.exe|\\ZA_Access\.exe|\\ZohoMeeting\.exe|\\Zohours\.exe|\\zohotray\.exe|\\ZohoURSService\.exe|\\Zaservice\.exe|\\za_connect\.exe|\\ZMAgent\.exe/ nocase
)
$rmm_tool.principal.hostname = $hostname
$rmm_tool.target.process.file.full_path = $image
$rmm_tool.extracted.fields["Company"] = $rmm_company_info
// Filter for known RMM Tools based on Customer Information
// not $rmm_tool.target.process.file.full_path in %known_rmm_tools nocase
match:
$hostname, $image, $rmm_company_info over 10m
outcome:
$risk_score = max(65)
$event_count = count_distinct($rmm_tool.metadata.id)
$principal_process_pid = array_distinct($rmm_tool.principal.process.pid)
$principal_process_command_line = array_distinct($rmm_tool.principal.process.command_line)
$principal_process_file_sha256 = array_distinct($rmm_tool.principal.process.file.sha256)
$principal_process_file_full_path = array_distinct($rmm_tool.principal.process.file.full_path)
$principal_process_product_specific_process_id = array_distinct($rmm_tool.principal.process.product_specific_process_id)
$principal_process_parent_process_product_specific_process_id = array_distinct($rmm_tool.principal.process.parent_process.product_specific_process_id)
$target_process_pid = array_distinct($rmm_tool.target.process.pid)
$target_process_command_line = array_distinct($rmm_tool.target.process.command_line)
$target_process_file_sha256 = array_distinct($rmm_tool.target.process.file.sha256)
$target_process_file_full_path = array_distinct($rmm_tool.target.process.file.full_path)
$target_process_product_specific_process_id = array_distinct($rmm_tool.target.process.product_specific_process_id)
$principal_user_userid = array_distinct($rmm_tool.principal.user.userid)
condition:
$rmm_tool
}
Stages and Predicates
Stage 0: match + condition
match:
$hostname, $image, $rmm_company_info over 10m
condition:
$rmm_tool
Fires when at least one $rmm_tool event in the 10m window.
Stage 1: events: $rmm_tool · PROCESS_LAUNCH
$rmm_tool.metadata.event_type = "PROCESS_LAUNCH"
(
// 247ithelp.com (ConnectWise) RMM
$rmm_tool.target.process.file.full_path = /\\Remote Workforce Client\.exe$/ nocase
) or
(
// Potential Acronic Cyber Protect (Remotix) RMM Tool Process Activity
$rmm_tool.target.process.file.full_path = /\\AcronisCyberProtectConnectAgent\.exe$/ nocase
) or
(
// Potential AeroAdmin RMM Tool Process Activity
$rmm_tool.target.process.file.full_path = /\\aeroadmin\.exe|\\AeroAdmin\.exe/ nocase
) or
(
// Potential Air Live Drive RMM Tool Process Activity
$rmm_tool.target.process.file.full_path = /\\AirLiveDrive\.exe$/ nocase
) or
(
// Potential AliWangWang-remote-control RMM Tool Process Activity
$rmm_tool.target.process.file.full_path = /\\alitask\.exe$/ nocase
) or
(
// Potential Alpemix RMM Tool Process Activity
$rmm_tool.target.process.file.full_path = /\\AlpemixService\.exe$/ nocase
) or
(
// Potential Any Support RMM Tool Process Activity
$rmm_tool.target.process.file.full_path = /\\ManualLauncher\.exe$/ nocase
) or
(
// Potential Anyplace Control RMM Tool Process Activity
$rmm_tool.target.process.file.full_path = /\\apc_host\.exe$/ nocase
) or
(
// Potential aria2 RMM Tool Process Activity
$rmm_tool.target.process.file.full_path = /\\aria2c\.exe$/ nocase
) or
(
// Potential Atera RMM Tool Process Activity
$rmm_tool.target.process.file.full_path = /\\AgentPackageNetworkDiscovery\.exe|\\AgentPackageTaskScheduler\.exe|\\AteraAgent\.exe|\\atera_agent\.exe|\\ateraagent\.exe/ nocase
) or
(
// Potential Auvik RMM Tool Process Activity
$rmm_tool.target.process.file.full_path = /\\auvik\.engine\.exe|\\auvik\.agent\.exe/ nocase
) or
(
// Potential Absolute (Computrace) RMM Tool Process Activity
$rmm_tool.target.process.file.full_path = /\\rpcnet\.exe|\\ctes\.exe|\\ctespersitence\.exe|\\cteshostsvc\.exe|\\rpcld\.exe/ nocase
) or
(
// Potential Bluetrait MSP Agent Tool Process Activity
$rmm_tool.target.process.file.full_path = /\\Bluetrait MSP Agent\.exe|\\BluetraitUserAgent\.exe|\\Bluetrait Agent\\libraries\\paexec\.exe/ nocase
) or
(
// Potential BeamYourScreen RMM Tool Process Activity
$rmm_tool.target.process.file.full_path = /\\beamyourscreen\.exe|\\beamyourscreen-host\.exe/ nocase
) or
(
// Potential Connectwise Automate (LabTech) RMM Tool Process Activity
$rmm_tool.target.process.file.full_path = /\\ltsvc\.exe|\\ltsvcmon\.exe|\\lttray\.exe/ nocase
) or
(
// Potential Duplicati RMM Tool Process Activity
$rmm_tool.target.process.file.full_path = /\\Duplicati\.Server\.exe$/ nocase
) or
(
// Potential FixMe.it RMM Tool Process Activity
$rmm_tool.target.process.file.full_path = /\\FixMeit Unattended Access Setup\.exe|\\TiExpertStandalone\.exe|\\FixMeit Client\.exe|\\FixMeit Expert Setup\.exe|\\TiExpertCore\.exe|\\TiClientCore\.exe/ nocase
) or
(
// Potential FleetDeck.io RMM Tool Process Activity
$rmm_tool.target.process.file.full_path = /\\fleetdeck_agent_svc\.exe|\\fleetdeck_commander_svc\.exe|\\fleetdeck_installer\.exe|\\fleetdeck_commander_launcher\.exe|\\fleetdeck_agent\.exe/ nocase
) or
(
// Potential Level.io RMM Tool Process Activity
$rmm_tool.target.process.file.full_path = /\\level-windows-amd64\.exe|\\level\.exe|\\level-remote-control-ffmpeg\.exe/ nocase
) or
(
// Potential NetSupport Manager RMM Tool Process Activity
$rmm_tool.target.process.file.full_path = /\\pcictlui\.exe|\\client32\.exe|\\pcicfgui\.exe/ nocase
) or
(
// Potential NinjaRMM RMM Tool Process Activity
$rmm_tool.target.process.file.full_path = /\\ninjarmmagent\.exe|\\NinjaRMMAgent\.exe|\\NinjaRMMAgenPatcher\.exe|\\ninjarmm-cli\.exe/ nocase
) or
(
// Potential REMCOS RMM Tool Process Activity
$rmm_tool.target.process.file.full_path = /\\remcos/ nocase
) or
(
// Potential Rocket Remote Desktop RMM Tool Process Activity
$rmm_tool.target.process.file.full_path = /\\RocketRemoteDesktop_Setup\.exe$/ nocase
) or
(
// Potential Tactical RMM Tool Process Activity
$rmm_tool.target.process.file.full_path = /\\tacticalrmm\.exe$/ nocase
) or
(
// Potential TightVNC RMM Tool Process Activity
$rmm_tool.target.process.file.full_path = /\\tvnviewer\.exe|\\tvnserver\.exe/ nocase
) or
(
// Potential Zoho Assist RMM Tool Process Activity
$rmm_tool.target.process.file.full_path = /\\zaservice\.exe|\\ZA_Access\.exe|\\ZohoMeeting\.exe|\\Zohours\.exe|\\zohotray\.exe|\\ZohoURSService\.exe|\\Zaservice\.exe|\\za_connect\.exe|\\ZMAgent\.exe/ nocase
)
$rmm_tool.principal.hostname = $hostname
$rmm_tool.target.process.file.full_path = $image
$rmm_tool.extracted.fields["Company"] = $rmm_company_info
// Filter for known RMM Tools based on Customer Information
// not $rmm_tool.target.process.file.full_path in %known_rmm_tools nocase
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
target.process.file.full_path | regex_match |
|
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
risk_score | max(65) |
event_count | count_distinct($rmm_tool.metadata.id) |
principal_process_pid | array_distinct($rmm_tool.principal.process.pid) |
principal_process_command_line | array_distinct($rmm_tool.principal.process.command_line) |
principal_process_file_sha256 | array_distinct($rmm_tool.principal.process.file.sha256) |
principal_process_file_full_path | array_distinct($rmm_tool.principal.process.file.full_path) |
principal_process_product_specific_process_id | array_distinct($rmm_tool.principal.process.product_specific_process_id) |
principal_process_parent_process_product_specific_process_id | array_distinct($rmm_tool.principal.process.parent_process.product_specific_process_id) |
target_process_pid | array_distinct($rmm_tool.target.process.pid) |
target_process_command_line | array_distinct($rmm_tool.target.process.command_line) |
target_process_file_sha256 | array_distinct($rmm_tool.target.process.file.sha256) |
target_process_file_full_path | array_distinct($rmm_tool.target.process.file.full_path) |
target_process_product_specific_process_id | array_distinct($rmm_tool.target.process.product_specific_process_id) |
principal_user_userid | array_distinct($rmm_tool.principal.user.userid) |