```yaml
title: Unauthorized RMM Tool Deployment
id: edr-win-persist-rmm-deployment
status: stable
description: >
    Detects process creation where the binary's version-info Product field names a remote
    monitoring and management (RMM) tool commonly abused for persistence after initial access:
    AteraAgent, RustDesk, PDQ Connect, MeshCentral, Supremo and N-able Take Control. Proofpoint
    reports RMM tooling is increasingly an attacker's first choice. Product is PE metadata under
    the attacker's control, so confirm hits against the Image path, OriginalFileName or file hash.
references:
    - https://www.proofpoint.com/us/blog/threat-insight/remote-monitoring-and-management-rmm-tooling-increasingly-attackers-first-choice
    - https://hunt.io/blog/thegentlemen-ransomware-toolkit-russian-proton66-server
author: ShroudCloud
date: 2026/04/14
modified: 2026/04/14
tags:
    - attack.persistence
    - attack.command_and_control
    - attack.t1219
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Product|contains:
            - 'AteraAgent'
            - 'PDQConnect'
            - 'RustDesk'
            - 'MeshCentral'
            - 'Supremo'
            - 'N-able Take Control'
    condition: selection
falsepositives:
    - Authorized MSP deployments of the listed tools (maintain an approved RMM allowlist)
level: medium
```
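To show what the selection above actually does at evaluation time, and how the allowlist named under `falsepositives` can be applied without muting the whole rule, here is a small evaluator in Python. It is an added example, not part of the rule or of any Sigma backend. The event field names (`Image`, `Product`, `Company`, `ParentImage`) follow Sysmon Event ID 1; the JSON-lines telemetry, the allowlist contents and the install-path globs are constructed assumptions for illustration.

```python
"""Run the rule's selection over constructed Sysmon-style process_creation events.

Added example, not part of the original rule. Field names follow Sysmon
Event ID 1; the sample events, the allowlist and the path globs are
constructed assumptions for illustration.
"""
import fnmatch
import json

# Substrings from the rule's `Product|contains` selection.
RMM_PRODUCT_SUBSTRINGS = [
    "AteraAgent",
    "PDQConnect",
    "RustDesk",
    "MeshCentral",
    "Supremo",
    "N-able Take Control",
]

# Assumed approved-RMM allowlist: product substring -> expected install-path glob.
# A hit is suppressed only when BOTH the product and the image path match, so the
# same tool dropped into a temp directory still alerts.
APPROVED_RMM = {
    "N-able Take Control": r"C:\Program Files*\N-able*\*",
}

# Constructed sample telemetry (JSON lines), not real logs.
SAMPLE_JSONL = r"""
{"Image": "C:\\Program Files (x86)\\N-able Take Control\\agent.exe", "Product": "N-able Take Control", "Company": "N-able", "ParentImage": "C:\\Windows\\System32\\services.exe"}
{"Image": "C:\\Users\\jsmith\\AppData\\Local\\Temp\\rustdesk.exe", "Product": "RustDesk", "Company": "RustDesk", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"Image": "C:\\Windows\\System32\\notepad.exe", "Product": "Microsoft Windows Operating System", "Company": "Microsoft Corporation", "ParentImage": "C:\\Windows\\explorer.exe"}
{"Image": "C:\\Users\\jsmith\\Downloads\\setup.exe", "Product": "", "Company": "", "ParentImage": "C:\\Windows\\explorer.exe"}
"""


def parse_events(jsonl):
    """Parse JSON-lines telemetry into event dicts, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def sigma_contains(value, needles):
    """Sigma `|contains` against a list: case-insensitive substring match, OR-ed."""
    if value is None:
        return False
    haystack = str(value).lower()
    return any(needle.lower() in haystack for needle in needles)


def matches_selection(event):
    """The rule's `selection` block; `condition: selection` means this alone fires."""
    return sigma_contains(event.get("Product"), RMM_PRODUCT_SUBSTRINGS)


def is_approved(event):
    """True only if the product AND the image path both match an allowlist entry."""
    product = str(event.get("Product", "")).lower()
    image = str(event.get("Image", "")).lower()
    return any(
        substr.lower() in product and fnmatch.fnmatchcase(image, glob.lower())
        for substr, glob in APPROVED_RMM.items()
    )


def evaluate(events):
    """Return one alert per event that matches the selection and is not approved."""
    return [
        {
            "rule": "edr-win-persist-rmm-deployment",
            "level": "medium",
            "Image": ev.get("Image"),
            "Product": ev.get("Product"),
            "ParentImage": ev.get("ParentImage"),
        }
        for ev in events
        if matches_selection(ev) and not is_approved(ev)
    ]


def run():
    """Evaluate the constructed sample; returns the alert list (one RustDesk hit)."""
    return evaluate(parse_events(SAMPLE_JSONL))


if __name__ == "__main__":
    for alert in run():
        print(json.dumps(alert))
```

Only the RustDesk binary launched from a user temp directory produces an alert; the approved N-able agent under Program Files is suppressed, and the unrelated processes never match. The matcher mirrors Sigma's default case-insensitive `contains`, so `rustdesk` and `RustDesk` behave the same. Keep in mind that `Product` is version-info metadata an attacker can rewrite or strip before dropping the binary, so an empty or renamed Product string evades this selection; treat a hit as a trigger for checking the image path, `OriginalFileName` and hash rather than as the whole detection.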