
Remote Management and Monitoring tool - AnyViewer - Network Connection

Tags: kql · MEDIUM · Azure-Sentinel · T1219 · DeviceNetworkEvents · hunting · microsoft · official
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-26T11:00:01Z · Confidence: medium

Hunt Hypothesis

Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. https://github.com/jischell-msft/Remo

KQL Query

let Time_start = now(-5d);
let Time_end = now();
//
DeviceNetworkEvents
| where Timestamp between (Time_start..Time_end)
| where RemoteUrl has_any (
        "anyviewer.com", 
        "anyviewer.cn", 
        "aomeisoftware.com", 
        "aomeikeji.com"
    )
    and InitiatingProcessVersionInfoCompanyName has 'AOMEI'
    and InitiatingProcessVersionInfoProductName has 'AnyViewer'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp), 
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
    RemoteUrl 
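The block below is an added example, not code from the Azure-Sentinel repository or the rule author. It re-implements the query's two `where` clauses and the `summarize` step in Python over constructed DeviceNetworkEvents rows so the matching behaviour can be checked offline: the 5-day window, the term-based semantics of KQL `has` / `has_any` (a look-alike host such as `notanyviewer.com` does not satisfy `has "anyviewer.com"`, whereas `contains` would), and why a browser visit to the vendor site is excluded by the version-info conditions. The term model is a simplification of Kusto's indexing; the device names, report IDs and vendor strings in the sample rows are constructed.

```python
"""Offline model of the AnyViewer network-connection hunt (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Domains the rule keys on, copied from the query above.
ANYVIEWER_DOMAINS = ("anyviewer.com", "anyviewer.cn", "aomeisoftware.com", "aomeikeji.com")

_TERM = re.compile(r"[A-Za-z0-9]+")


def terms(value):
    """Split a string into KQL-style terms (runs of alphanumerics), case-folded."""
    return [t.lower() for t in _TERM.findall(value or "")]


def kql_has(value, search):
    """Simplified model of KQL `has`: the search string's terms must appear as a
    contiguous sequence of whole terms in value, case-insensitively. Unlike
    `contains`, 'notanyviewer.com' does NOT satisfy has 'anyviewer.com'.
    (Kusto applies extra rules to very short terms; those are ignored here.)"""
    v, s = terms(value), terms(search)
    if not s or len(s) > len(v):
        return False
    return any(v[i:i + len(s)] == s for i in range(len(v) - len(s) + 1))


def kql_has_any(value, searches):
    return any(kql_has(value, s) for s in searches)


def matches_rule(ev, time_end, lookback=timedelta(days=5)):
    """The query's `where` clauses: 5-day window, vendor domain, and
    AOMEI / AnyViewer version info on the initiating process."""
    return (time_end - lookback <= ev["Timestamp"] <= time_end
            and kql_has_any(ev["RemoteUrl"], ANYVIEWER_DOMAINS)
            and kql_has(ev["InitiatingProcessVersionInfoCompanyName"], "AOMEI")
            and kql_has(ev["InitiatingProcessVersionInfoProductName"], "AnyViewer"))


def summarize(events, time_end):
    """The query's `summarize ... by DeviceId, DeviceName, RemoteUrl`."""
    groups = defaultdict(list)
    for ev in events:
        if matches_rule(ev, time_end):
            groups[(ev["DeviceId"], ev["DeviceName"], ev["RemoteUrl"])].append(ev)
    rows = []
    for (device_id, device_name, url), evs in sorted(groups.items()):
        stamps = [e["Timestamp"] for e in evs]
        rows.append({
            "DeviceId": device_id, "DeviceName": device_name, "RemoteUrl": url,
            "FirstSeen": min(stamps), "LastSeen": max(stamps),
            "Report": sorted({e["ReportId"] for e in evs}),  # make_set(ReportId)
            "Count": len(evs),
        })
    return rows


def _ev(ts, device_id, device_name, url, company, product, report_id):
    return {"Timestamp": ts, "DeviceId": device_id, "DeviceName": device_name,
            "RemoteUrl": url, "InitiatingProcessVersionInfoCompanyName": company,
            "InitiatingProcessVersionInfoProductName": product, "ReportId": report_id}


# Constructed sample rows; hosts, report IDs and vendor strings are hypothetical.
NOW = datetime(2026, 5, 26, 11, 0, 0)
SAMPLE_EVENTS = [
    # AnyViewer client on a finance workstation, two connections in the window -> match
    _ev(datetime(2026, 5, 24, 9, 15), "dev-a", "WS-FIN-01", "api.anyviewer.com",
        "AOMEI International Network Limited", "AnyViewer", "r-1001"),
    _ev(datetime(2026, 5, 25, 9, 16), "dev-a", "WS-FIN-01", "api.anyviewer.com",
        "AOMEI International Network Limited", "AnyViewer", "r-1002"),
    # Same client, but 16 days old -> dropped by the time filter
    _ev(datetime(2026, 5, 10, 9, 15), "dev-a", "WS-FIN-01", "api.anyviewer.com",
        "AOMEI International Network Limited", "AnyViewer", "r-0900"),
    # User browsing the vendor site with Chrome -> version-info checks fail, no match
    _ev(datetime(2026, 5, 25, 14, 0), "dev-b", "WS-HR-07", "www.anyviewer.com",
        "Google LLC", "Google Chrome", "r-2001"),
    # Look-alike domain: `has` is term-based, so this does not match
    _ev(datetime(2026, 5, 25, 16, 0), "dev-a", "WS-FIN-01", "notanyviewer.com",
        "AOMEI International Network Limited", "AnyViewer", "r-1003"),
    # Second host reaching an AOMEI domain -> match
    _ev(datetime(2026, 5, 26, 8, 30), "dev-c", "SRV-BUILD-02", "app.aomeisoftware.com",
        "AOMEI International Network Limited", "AnyViewer", "r-3001"),
]


def run_example():
    return summarize(SAMPLE_EVENTS, NOW)


if __name__ == "__main__":
    for row in run_example():
        print(row)
```

Running the script yields two summary rows, one per (device, RemoteUrl) pair, with the Chrome visit, the look-alike domain and the out-of-window event all filtered out; swapping `kql_has` for a plain substring test would wrongly pull `notanyviewer.com` into the results, which is why the original query's `has_any` is the right operator for hostname matching.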

Analytic Rule Definition

id: 61660f4e-45e0-4ac4-8957-580bcebd033c
name: Remote Management and Monitoring tool - AnyViewer - Network Connection
description: |
    Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
    https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceNetworkEvents
tactics: CommandAndControl
relevantTechniques: T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceNetworkEvents
  | where Timestamp between (Time_start..Time_end)
  | where RemoteUrl has_any (
          "anyviewer.com", 
          "anyviewer.cn", 
          "aomeisoftware.com", 
          "aomeikeji.com"
      )
      and InitiatingProcessVersionInfoCompanyName has 'AOMEI'
      and InitiatingProcessVersionInfoProductName has 'AnyViewer'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp), 
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
      RemoteUrl 

Required Data Sources

Sentinel Table          Notes
DeviceNetworkEvents     Ensure this data connector is enabled

False Positive Guidance

Legitimate, IT-sanctioned use of AnyViewer produces exactly the same network events; compare each DeviceName that fires against the hosts where helpdesk or administrators are expected to run it, and treat first-seen hits on servers or non-IT workstations as the ones worth investigating. Note that the query only fires when the initiating process carries AOMEI / AnyViewer version information, so a binary whose version resource has been removed or altered, reaching the same domains, will not be surfaced by this rule.

MITRE ATT&CK Context

Tactic: Command and Control · Technique: T1219 (Remote Access Software)

References

Original source: https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/RemoteManagementMonitoring/rmm_AnyViewer_netconn.yaml