This detection identifies process creation by the ConnectWise RMM tool, which may indicate adversary persistence or command-and-control activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect abuse of legitimate RMM tools by threat actors.
KQL Query

```kql
let Time_start = now(-5d);
let Time_end = now();
//
DeviceProcessEvents
| where Timestamp between (Time_start..Time_end)
| where ProcessVersionInfoCompanyName has_any (
    'ConnectWise',
    'Continuum Managed',
    'ScreenConnect'
)
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
```
```yaml
id: 83f7b313-b955-4988-b524-b2da55c67b43
name: Remote Management and Monitoring tool - ConnectWise - Create Process
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics: CommandAndControl
relevantTechniques: T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceProcessEvents
  | where Timestamp between (Time_start..Time_end)
  | where ProcessVersionInfoCompanyName has_any (
      'ConnectWise',
      'Continuum Managed',
      'ScreenConnect'
  )
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: Scheduled Job Execution via ConnectWise
Description: A legitimate scheduled job in ConnectWise is configured to create a process for system maintenance (e.g., patching or log cleanup).
Filter/Exclusion: `process.parent_process_name == "connectwise" OR process.command_line LIKE "%scheduled_job%"`

Scenario: Admin Task to Deploy Software via ConnectWise
Description: An IT admin is using ConnectWise to deploy a software update across endpoints, which triggers a process creation event.
Filter/Exclusion: `process.parent_process_name == "connectwise" AND process.file_path LIKE "%software_update%"`

Scenario: ConnectWise Agent Service Initialization
Description: The ConnectWise agent service starts up and creates a process as part of its normal initialization routine.
Filter/Exclusion: `process.parent_process_name == "connectwise_agent" OR process.file_path LIKE "%connectwise_agent.exe"`

Scenario: Remote System Monitoring via ConnectWise
Description: A system monitoring task initiated through ConnectWise is running a diagnostic script that creates a process.
Filter/Exclusion: `process.parent_process_name == "connectwise" AND process.file_path LIKE "%diagnostic_script%"`

Scenario: ConnectWise Integration with Third-Party Tools
Description: ConnectWise is integrated with a third-party tool (e.g., Microsoft Intune or SCCM) and the integration process creates a new process.
Filter/Exclusion: `process.parent_process_name == "connectwise" AND process.file_path LIKE "%third_party_integration%"`
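The scenario filters above are written in a generic pseudo-syntax rather than KQL. The following is an added tuning example, not part of the original rule, that expresses them against the DeviceProcessEvents columns (InitiatingProcessFileName, FolderPath, ProcessCommandLine, InitiatingProcessVersionInfoCompanyName) and also matches child processes spawned by a ConnectWise-versioned parent, which the original query (matching only ProcessVersionInfoCompanyName of the created process) does not cover. The token values are the page's placeholders and are assumed to be replaced with names observed in your environment.

```kql
let Time_start = now(-5d);
let Time_end = now();
let RmmVendors = dynamic(['ConnectWise', 'Continuum Managed', 'ScreenConnect']);
// Constructed allow-list tokens taken from the false-positive scenarios above.
// They are placeholders, not real binary names; tune them per environment.
let KnownParents = dynamic(['connectwise', 'connectwise_agent']);
let BenignPathTokens = dynamic(['software_update', 'diagnostic_script', 'third_party_integration']);
DeviceProcessEvents
| where Timestamp between (Time_start..Time_end)
// Original logic: the created binary is versioned by an RMM vendor.
// Added: the parent (initiating) binary is versioned by an RMM vendor,
// so cmd.exe or powershell.exe launched by the agent is also captured.
| where ProcessVersionInfoCompanyName has_any (RmmVendors)
    or InitiatingProcessVersionInfoCompanyName has_any (RmmVendors)
| extend Parent = tolower(InitiatingProcessFileName),
         Path = tolower(FolderPath),
         CmdLine = tolower(ProcessCommandLine)
// Scenario 1: scheduled maintenance job
| where not(Parent has_any (KnownParents) and CmdLine has 'scheduled_job')
// Scenarios 2, 4, 5: software deployment, diagnostics, third-party integration
| where not(Parent has_any (KnownParents) and Path has_any (BenignPathTokens))
// Scenario 3: agent service initialization
| where not(Parent has 'connectwise_agent' or Path endswith 'connectwise_agent.exe')
// Keep child names, parents and accounts in the summary to speed up triage.
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count(),
    Children=make_set(FileName), Parents=make_set(InitiatingProcessFileName),
    Accounts=make_set(AccountName)
    by DeviceId, DeviceName
| order by Count desc
```

Note that the exclusions deliberately require a path or command-line token in addition to the parent name: excluding on the parent name alone would also hide adversary-driven commands, since those run under the same agent parent as the benign jobs.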