This detection identifies process creation events belonging to Ammyy Admin, a Remote Management and Monitoring (RMM) tool, by matching the company and product name in the executable's version information recorded in DeviceProcessEvents. Ammyy running where it has not been sanctioned may indicate adversary persistence or a command and control channel. SOC teams should proactively hunt for this behaviour in Azure Sentinel to detect abuse of legitimate RMM tools by adversaries (MITRE ATT&CK T1219, Remote Access Software). Note that the match relies on the binary's version resource: a renamed copy still matches, but a rebuilt or tampered binary with the version information stripped will not, so pair this hunt with file-hash or known-filename checks where you have them.
KQL Query
```kusto
let Time_start = now(-5d);
let Time_end = now();
// Match on the PE version resource rather than the file name, which is trivially renamed
DeviceProcessEvents
| where Timestamp between (Time_start..Time_end)
| where ProcessVersionInfoCompanyName has 'Ammyy'
    and ProcessVersionInfoProductName has 'Ammyy Admin'
// One row per device, with the ReportIds kept for pivoting into the raw events
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
```
```yaml
id: 60b5405c-81b6-46b4-91ef-d668e06e727e
name: Remote Management and Monitoring tool - Ammyy - Create Process
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or to provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  // Match on the PE version resource rather than the file name, which is trivially renamed
  DeviceProcessEvents
  | where Timestamp between (Time_start..Time_end)
  | where ProcessVersionInfoCompanyName has 'Ammyy'
      and ProcessVersionInfoProductName has 'Ammyy Admin'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Populated by the Microsoft 365 Defender (MicrosoftThreatProtection) data connector; ensure the connector is enabled and this table is being ingested |
Scenario: IT Admin Using Ammyy to Remotely Manage a User's Machine
Description: A system administrator uses Ammyy to remotely access a user's endpoint for troubleshooting or support.
Filter/Exclusion: Exclude launches by a known support account. In DeviceProcessEvents the launching user is AccountName and the parent is InitiatingProcessFileName, so a filter such as `| where AccountName !in~ ("ITSupport", "Administrator")` placed before the summarize removes those rows. Keep the account list short and audited: a shared account like Administrator is a weak exclusion key, because an adversary who has obtained its credentials would be excluded as well.
Scenario: Scheduled Job to Update Ammyy on Multiple Endpoints
Description: A scheduled task runs to update the Ammyy client on multiple endpoints as part of a regular patching process.
Filter/Exclusion: On current Windows builds, scheduled tasks are started by the Schedule service hosted in svchost.exe (taskeng.exe on older builds), so there is no parent literally named "Task Scheduler". Filter on the combination of that parent, the update command line and the trusted service account, for example `InitiatingProcessFileName =~ "svchost.exe" and ProcessCommandLine has "update" and AccountName =~ "<patching service account>"`. A command line containing "update" is not a sufficient exclusion on its own; require the account and, where possible, the known task name.
Scenario: Ammyy Used for Remote Desktop Support by Help Desk
Description: The help desk uses Ammyy to provide remote desktop support to end-users.
Filter/Exclusion: Filter by the help desk account (e.g. `AccountName =~ "helpdeskuser"`) and confirm each session against the ticketing system: a legitimate support session should correspond to an open ticket for that DeviceName whose time window brackets FirstSeen and LastSeen.
Scenario: Ammyy Installed as Part of a Standard Endpoint Management Package
Description: The IT department deploys Ammyy as part of a standard endpoint management package to all endpoints.
Filter/Exclusion: Exclude installs whose parent is the deployment tool, for example `InitiatingProcessFileName in~ ("msiexec.exe", "ccmexec.exe")` for Group Policy software installation (which runs through msiexec.exe; there is no process named "GroupPolicy") and the SCCM/ConfigMgr client, or the Intune Management Extension for Intune deployments. If Ammyy is deployed fleet-wide the query will fire on every host, so rather than excluding the product entirely, hunt for it on hosts outside the deployment scope or for executions from paths other than the package's install location.
Scenario: Ammyy Used for Remote Monitoring of Network Devices
Description: Ammyy is used to monitor and manage network devices (e.g., routers,
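The scenario filters above are written as pseudo-fields. As an added example, not part of the original repository, here is the hunting query rewritten with those exclusions applied as explicit allowlists against the real DeviceProcessEvents columns. The account names, the parent-process list and the `svc_patching` service account are assumed placeholders to be replaced with your own baseline.

```kusto
// Added example: the Ammyy hunting query with the tuning scenarios applied as
// explicit allowlists. Not from the original repository; the list contents are
// placeholders (assumptions) to be replaced with your own baseline.
let Time_start = now(-5d);
let Time_end = now();
// Scenarios 1 and 3: named support / help-desk accounts (assumed names)
let approved_support_accounts = dynamic(["itsupport", "helpdeskuser"]);
// Scenario 4: parents a managed deployment runs under (msiexec for GPO
// software installation, ccmexec for the ConfigMgr client)
let managed_deployment_parents = dynamic(["msiexec.exe", "ccmexec.exe"]);
// Scenario 2: scheduled update task, started by the Schedule service hosted in
// svchost.exe, running under an assumed patching service account
let patching_service_account = "svc_patching";
DeviceProcessEvents
| where Timestamp between (Time_start..Time_end)
| where ProcessVersionInfoCompanyName has 'Ammyy'
    and ProcessVersionInfoProductName has 'Ammyy Admin'
| extend IsApprovedAccount = tolower(AccountName) in (approved_support_accounts),
         IsManagedDeploy = tolower(InitiatingProcessFileName) in (managed_deployment_parents),
         IsScheduledUpdate = InitiatingProcessFileName =~ "svchost.exe"
             and InitiatingProcessCommandLine has "Schedule"
             and ProcessCommandLine has "update"
             and AccountName =~ patching_service_account
// Count the explained rows instead of dropping them, so allowlist drift stays visible
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Total=count(),
    Unexplained=countif(not(IsApprovedAccount or IsManagedDeploy or IsScheduledUpdate)),
    Accounts=make_set(AccountName, 20),
    Parents=make_set(InitiatingProcessFileName, 20),
    CommandLines=make_set(ProcessCommandLine, 10),
    Report=make_set(ReportId, 50)
    by DeviceId, DeviceName
| where Unexplained > 0
| order by Unexplained desc
```

Applying the tuning through `countif` rather than a hard `where` keeps the excluded volume per host in the result: a device whose Total keeps growing while Unexplained stays at zero still deserves a periodic look, because a compromised support account or a hijacked deployment tool would be excluded by exactly these rules.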