Unusual network connections from remote management tools may indicate adversaries establishing C2 channels or persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect potential compromise of managed endpoints. Because most of these tools are also deployed legitimately, baseline the RMM agents your organization sanctions first, so that the hunt focuses on tools and initiating processes that are unexpected for a given device.
KQL Query
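// Indicator set of RMM vendor network indicators. URI is the term matched
// against DeviceNetworkEvents.RemoteUrl; RMM_Tool labels the product so a
// hit can be attributed in the results instead of only the raw hostname.
// NOTE(review): 'atera-agent-heartbeat' does not look like a hostname —
// confirm it is the string that actually appears in RemoteUrl.
let rmm_networkSet = datatable(URI:string,RMM_Tool:string)[
'server.action1.com','action1',
'prod.addigy.com','addigy',
'grtmprod.addigy.com','addigy',
'agents.addigy.com','addigy',
'aeroadmin.com','aeroadmin',
'ammyy.com','ammyy',
'anydesk.com','anydesk',
'api.playanext.com','anydesk',
'anyviewer.com','anyviewer',
'anyviewer.cn','anyviewer',
'aomeisoftware.com','anyviewer',
'aomeikeji.com','anyviewer',
'atera.com','atera',
'atera-agent-heartbeat','atera',
'aweray.com','aweray',
'aweray.net','aweray',
'awerayimg.com','aweray',
'awesun.app','aweray',
'barracudamsp.com','barracuda rmm',
'license.bomgar.com','beyondtrust',
'bomgarcloud.com','beyondtrust',
'beyondtrustcloud.com','beyondtrust',
'remotedesktop-pa.googleapis.com','chrome remote desktop',
'myconnectwise.com','connectwise',
'connectwise.com','connectwise',
'screenconnect.com','connectwise',
'itsupport247.net','connectwise / Continuum Managed',
'beanywhere.com','Dameware',
'licenseserver.solarwinds.com','Dameware',
'swi-rc.com','Dameware',
'swi-tc.com','Dameware',
'rmm.datto.com','datto',
'agent.centrastage.net','datto',
'audit.centrastage.net','datto',
'monitoring.centrastage.net','datto',
'agent-notifications.centrastage.net','datto',
'agent-comms.centrastage.net','datto',
'update.centrastage.net','datto',
'realtime.centrastage.net','datto',
'ts.centrastage.net','datto',
'nchuser.com','desktopNow',
'distantdesktop.com','distantdesktop',
'signalserver.xyz','distantdesktop',
'dwservice.net','dwservice',
'fleetdeck.io','fleetdeck',
'getscreen.me','getscreen',
'getscreen.ru','getscreen',
'iperius.com','Iperius Remote',
'iperius-r1.com','Iperius Remote',
'iperius-r2.com','Iperius Remote',
'iperius-r3.com','Iperius Remote',
'iperius-r4.com','Iperius Remote',
'iperiusremote.de','Iperius Remote',
'entersrl.it','Iperius Remote',
'islonline.net','ISL Online',
'kaseya.com','Kaseya VSA',
'stun.kaseya.com','Kaseya VSA',
'managedsupport.kaseya.net','Kaseya VSA',
'kaseya.net','Kaseya VSA',
'agents.level.io','level.io',
'online.level.io','level.io',
'builds.level.io','level.io',
'downloads.level.io','level.io',
'litemanager.ru','LiteManager',
'litemanager.com','LiteManager',
'update-cdn.logmein.com','LogMeIn',
'secure.logmein.com','LogMeIn',
'update.logmein.com','LogMeIn',
'logmeinrescue.com','LogMeIn',
'logmeinrescue.eu','LogMeIn',
'logmeinrescue-enterprise.com','LogMeIn',
'logmeinrescue-enterprise.eu','LogMeIn',
'remotelyanywhere.com','LogMeIn',
'gotoassist.com','LogMeIn',
'logmeininc.com','LogMeIn',
'logme.in','LogMeIn',
'getgo.com','LogMeIn',
'goto.com','LogMeIn',
'goto-rtc.com','LogMeIn',
'gotomypc.com','LogMeIn',
'logmeincdn.http.internapcdn.net','LogMeIn',
'logmein-gateway.com','LogMeIn',
'meshcentral.com','meshcentral',
'mremoteng.org','mRemoteNG',
'rm.mspbackups.com','MSP360',
'client.rmm.mspbackups.com','MSP360',
'settings.services.mspbackups.com','MSP360',
'connect.ra.msp360.com','MSP360',
'foris.cloudberrylab.com','MSP360',
'remote.management','N-Able',
'logicnow.com','N-Able',
'logicnow.us','N-Able',
'system-monitor.com','N-Able',
'systemmonitor.eu.com','N-Able',
'systemmonitor.co.uk','N-Able',
'systemmonitor.us','N-Able',
'n-able.com','N-Able',
'solarwindsmsp.com','N-Able',
'rmm-host.com','N-Able',
'activate.netsupportsoftware.com','NetSupport',
'geo.netsupportsoftware.com','NetSupport',
'ninjarmm.com','Ninja RMM',
'opti-tune.com','OptiTune',
'optitune.us','OptiTune',
'panorama9.com','panorama9',
'kessel-ws.parsec.app','parsec',
'kessel-api.parsec.app','parsec',
'builds.parsec.app','parsec',
'builds.parsecgaming.com','parsec',
'public.parsec.app','parsec',
'parsecusercontent.com','parsec',
'stun.parsec.app','parsec',
'stun6.parsec.app','parsec',
'pcvisit.de','pcvisit',
'cloudflare-pcvisit.com','pcvisit',
'pdq.com','pdq',
'pdq.tools','pdq',
'pulseway.com','pulseway',
'activate.famatech.com','RAdmin',
'radminte.com','RAdmin',
'services.vnc.com','realVNC',
'update-check.realvnc.com','realVNC',
'remotepc.com','remotepc',
'rustdesk.com','rustdesk',
'screenmeet.com','screenmeet',
'server-eye.de','server-eye',
'showmypc.com','ShowMyPC',
'rmshelp.me','Simple-Help',
'splashtop.com','Splashtop',
'splashtop.eu','Splashtop',
'nanosystems.it','SupRemo',
'supremocontrol.com','SupRemo',
'syncromsp.com','SynchroMSP',
'servably.com','SynchroMSP',
'syncroapi.com','SynchroMSP',
'icanhazip.tacticalrmm.io','TacticalRMM',
'tacticalrmm.io','TacticalRMM',
'teamviewer.com','TeamViewer',
'teamviewer.cn','TeamViewer',
'ultraviewer.com','UltraViewer',
'xmreality.com','XMReality',
'assist.zoho.com','ZohoAssist',
'assist.zoho.eu','ZohoAssist',
'assist.zoho.com.au','ZohoAssist',
'assist.zoho.in','ZohoAssist',
'assist.zoho.jp','ZohoAssist',
'assist.zoho.uk','ZohoAssist',
'assistlab.zoho.com','ZohoAssist',
'downloads.zohocdn.com','ZohoAssist',
'download-accl.zoho.in','ZohoAssist',
'zohoassist.com','ZohoAssist',
'zohopublic.com','ZohoAssist',
'zohopublic.eu','ZohoAssist',
'meeting.zoho.com','ZohoAssist',
'meeting.zoho.eu','ZohoAssist',
'static.zohocdn.com','ZohoAssist',
'zohodl.com.cn','ZohoAssist',
'zohowebstatic.com','ZohoAssist',
'zohostatic.in','ZohoAssist'
];
// The same indicator set packed into one array, so every matching event can
// be annotated with the tool(s) whose indicator it contains.
let rmm_indicators = toscalar(
    rmm_networkSet
    | summarize make_list(bag_pack('URI', URI, 'RMM_Tool', RMM_Tool)));
// Hunting window: trailing five days.
let Time_start = now(-5d);
let Time_end = now();
//
DeviceNetworkEvents
| where Timestamp between (Time_start..Time_end)
// Term match on the raw URL (scheme, host, path and query string), so an
// indicator anywhere in the URL qualifies; the host is normalised further down.
| where RemoteUrl has_any ((rmm_networkSet | distinct URI))
// Attribute the hit: collect every RMM_Tool whose indicator the raw URL
// contains. Done before host normalisation so the same term semantics as the
// has_any filter above apply and no surviving row ends up without a label.
| extend RmmCandidates = rmm_indicators
| mv-apply Candidate = RmmCandidates to typeof(dynamic) on (
    where RemoteUrl has tostring(Candidate.URI)
    | summarize RMM_Tool = make_set(tostring(Candidate.RMM_Tool))
    )
| extend RMM_Tool = strcat_array(RMM_Tool, ', ')
| project-away RmmCandidates
// Reduce RemoteUrl to its host: drop the scheme, then the path, then the port.
| extend RemoteUrl = trim_start(@'http[s]?://',RemoteUrl)
| extend RemoteUrl = tostring(split(RemoteUrl,'/')[0])
| extend RemoteUrl = tostring(split(RemoteUrl,':')[0])
// One row per device / host / initiating process / tool, with the set of
// ReportIds for pivoting back to the underlying events.
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count()
    by DeviceId, DeviceName, RemoteUrl, InitiatingProcessFileName, RMM_Tool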
id: c65e2d45-2560-4ea5-913b-d3d88de10c42
name: Remote Management and Monitoring tool - All Tools - Network Connection
description: |
Remote Monitoring and Management (RMM) programs are used by IT teams to manage remote endpoints. Attackers have begun to abuse these programs to persist or to provide C2 channels.
https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceNetworkEvents
tactics: CommandAndControl
relevantTechniques: T1219
query: |
let rmm_networkSet = datatable(URI:string,RMM_Tool:string)[
'server.action1.com','action1',
'prod.addigy.com','addigy',
'grtmprod.addigy.com','addigy',
'agents.addigy.com','addigy',
'aeroadmin.com','aeroadmin',
'ammyy.com','ammyy',
'anydesk.com','anydesk',
'api.playanext.com','anydesk',
'anyviewer.com','anyviewer',
'anyviewer.cn','anyviewer',
'aomeisoftware.com','anyviewer',
'aomeikeji.com','anyviewer',
'atera.com','atera',
'atera-agent-heartbeat','atera',
'aweray.com','aweray',
'aweray.net','aweray',
'awerayimg.com','aweray',
'awesun.app','aweray',
'barracudamsp.com','barracuda rmm',
'license.bomgar.com','beyondtrust',
'bomgarcloud.com','beyondtrust',
'beyondtrustcloud.com','beyondtrust',
'remotedesktop-pa.googleapis.com','chrome remote desktop',
'myconnectwise.com','connectwise',
'connectwise.com','connectwise',
'screenconnect.com','connectwise',
'itsupport247.net','connectwise / Continuum Managed',
'beanywhere.com','Dameware',
'licenseserver.solarwinds.com','Dameware',
'swi-rc.com','Dameware',
'swi-tc.com','Dameware',
'rmm.datto.com','datto',
'agent.centrastage.net','datto',
'audit.centrastage.net','datto',
'monitoring.centrastage.net','datto',
'agent-notifications.centrastage.net','datto',
'agent-comms.centrastage.net','datto',
'update.centrastage.net','datto',
'realtime.centrastage.net','datto',
'ts.centrastage.net','datto',
'nchuser.com','desktopNow',
'distantdesktop.com','distantdesktop',
'signalserver.xyz','distantdesktop',
'dwservice.net','dwservice',
'fleetdeck.io','fleetdeck',
'getscreen.me','getscreen',
'getscreen.ru','getscreen',
'iperius.com','Iperius Remote',
'iperius-r1.com','Iperius Remote',
'iperius-r2.com','Iperius Remote',
'iperius-r3.com','Iperius Remote',
'iperius-r4.com','Iperius Remote',
'iperiusremote.de','Iperius Remote',
'entersrl.it','Iperius Remote',
'islonline.net','ISL Online',
'kaseya.com','Kaseya VSA',
'stun.kaseya.com','Kaseya VSA',
'managedsupport.kaseya.net','Kaseya VSA',
'kaseya.net','Kaseya VSA',
'agents.level.io','level.io',
'online.level.io','level.io',
'builds.level.io','level.io',
'downloads.level.io','level.i
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: A system administrator is using Microsoft Intune to deploy a security update via a scheduled task that initiates a network connection to Microsoft’s update servers.
Filter/Exclusion: Exclude connections to update.microsoft.com or *.windows.net from the rule, or add a condition for tasks associated with known IT management tools.
Scenario: An Ansible Tower job is running to configure remote servers, which involves establishing a secure SSH connection to multiple endpoints in the network.
Filter/Exclusion: Exclude SSH connections originating from known Ansible Tower hosts or filter based on the presence of Ansible-related headers or job IDs in the connection metadata.
Scenario: A SolarWinds N-central agent is performing a routine health check and connects to the central server to report system metrics.
Filter/Exclusion: Exclude connections to the known SolarWinds server IP or domain, or filter based on the presence of the SolarWinds agent process or service name.
Scenario: A Microsoft Endpoint Manager (MEM) device compliance policy is being enforced, which triggers a network connection to Microsoft’s cloud services to validate device compliance status.
Filter/Exclusion: Exclude connections to deviceupdate.microsoft.com or *.microsoft.com associated with MEM services, or filter by the presence of the MEM agent process.
Scenario: A Kaseya VSA scheduled job is running to push configuration changes to remote endpoints, which requires establishing a network connection to the VSA server.
Filter/Exclusion: Exclude connections to the known Kaseya VSA server IP or domain, or filter based on the presence of the Kaseya VSA service or job name in the event data.