The detection identifies the use of AnyViewer, a remote management tool, to create processes that may indicate adversary persistence or command and control activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect potential abuse of legitimate RMM tools by adversaries leveraging T1219 techniques.
KQL Query
```kusto
let Time_start = now(-5d);
let Time_end = now();
//
DeviceProcessEvents
| where Timestamp between (Time_start .. Time_end)
| where ProcessVersionInfoCompanyName has 'AOMEI'
    and ProcessVersionInfoProductName has 'AnyViewer'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
```
```yaml
id: e8b80bd6-79ce-4562-aac0-d3204089675a
name: Remote Management and Monitoring tool - AnyViewer - Create Process
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or to provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceProcessEvents
  | where Timestamp between (Time_start .. Time_end)
  | where ProcessVersionInfoCompanyName has 'AOMEI'
      and ProcessVersionInfoProductName has 'AnyViewer'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: IT Admin Creates Process via AnyViewer for Patch Management
Description: An IT administrator uses AnyViewer to remotely execute a patching script on a group of endpoints as part of a scheduled maintenance window.
Filter/Exclusion: process.name == "patch.exe" OR process.name == "msiexec.exe" OR process.parent_process.name == "AnyViewer.exe" AND event_id == 100

Scenario: Scheduled Job to Monitor System Health via AnyViewer
Description: A system health monitoring job is configured to run via AnyViewer to check disk usage, memory, and CPU on remote machines.
Filter/Exclusion: process.name == "healthcheck.exe" OR process.name == "monitor.exe" OR process.parent_process.name == "AnyViewer.exe" AND event_id == 100

Scenario: Remote Desktop Session Initiated via AnyViewer for User Support
Description: A support technician uses AnyViewer to initiate a remote desktop session to assist an end-user with a software issue.
Filter/Exclusion: process.name == "mstsc.exe" OR process.name == "rdp.exe" OR process.parent_process.name == "AnyViewer.exe" AND event_id == 100

Scenario: IT Team Deploys Configuration Management via AnyViewer
Description: An IT team uses AnyViewer to push configuration changes (e.g., group policy updates, firewall rules) to multiple endpoints during a routine configuration update.
Filter/Exclusion: process.name == "configmgr.exe" OR process.name == "gpupdate.exe" OR process.parent_process.name == "AnyViewer.exe" AND event_id == 100

Scenario: Remote Backup Job Executed via AnyViewer
Description: A backup job is scheduled to run via AnyViewer to back up critical data from
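The published rule keys only on the version-info strings of the AnyViewer binary itself, and the tuning scenarios above are written in a generic `process.name` / `process.parent_process.name` notation rather than in KQL. The following query is an added hunting example, not the original rule and not code from the linked repository: it extends the detection to processes that AnyViewer launches (via the `InitiatingProcessVersionInfoCompanyName` / `InitiatingProcessVersionInfoProductName` columns of `DeviceProcessEvents`) and then subtracts the routine-admin child processes named in the scenarios. The `ExpectedChildren` allowlist is constructed from those scenario names and is a placeholder to be replaced with what an environment actually runs.

```kusto
// Added example: hunt for AnyViewer itself and for what it spawns, minus
// the expected admin children from the tuning scenarios.
let Time_start = now(-5d);
let Time_end = now();
// Constructed allowlist (assumption): child processes expected when AnyViewer
// is used for patching, health checks, support sessions and config pushes.
let ExpectedChildren = dynamic(["patch.exe", "msiexec.exe", "healthcheck.exe",
    "monitor.exe", "mstsc.exe", "configmgr.exe", "gpupdate.exe"]);
DeviceProcessEvents
| where Timestamp between (Time_start .. Time_end)
// Match either the AnyViewer binary being started ...
| where (ProcessVersionInfoCompanyName has 'AOMEI'
         and ProcessVersionInfoProductName has 'AnyViewer')
    // ... or AnyViewer acting as the parent that created the process.
    or (InitiatingProcessVersionInfoCompanyName has 'AOMEI'
        and InitiatingProcessVersionInfoProductName has 'AnyViewer')
| extend SpawnedByAnyViewer = InitiatingProcessVersionInfoProductName has 'AnyViewer'
// Apply the allowlist only to children of AnyViewer, so the parent condition is
// always enforced together with the process-name condition.
| where not(SpawnedByAnyViewer and FileName in~ (ExpectedChildren))
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Children=make_set_if(FileName, SpawnedByAnyViewer),
    Accounts=make_set(AccountName),
    Report=make_set(ReportId), Count=count()
    by DeviceId, DeviceName
| order by Count desc
```

Two points about the design: the scenario filters mix `OR` and `AND` without parentheses, and in most query languages `AND` binds tighter, so `process.name == "msiexec.exe" OR ... OR process.parent_process.name == "AnyViewer.exe" AND event_id == 100` would suppress every `msiexec.exe` event regardless of parent; the `SpawnedByAnyViewer and FileName in~ (...)` form above only suppresses a child when AnyViewer is actually the parent. The `Children` and `Accounts` sets are there so an analyst triaging a hit can see at a glance whether the spawned processes and the account involved look like the scheduled-maintenance use the scenarios describe.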