A malicious actor is using DesktopNow, a Remote Monitoring and Management tool, to create processes that may establish persistence or command and control channels. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential adversary use of RMM tools for long-term access and exfiltration.
KQL Query
let Time_start = now(-5d);
let Time_end = now();
//
DeviceProcessEvents
| where Timestamp between (Time_start..Time_end)
| where ProcessVersionInfoCompanyName has 'NCH Software'
and ProcessVersionInfoProductName has 'DesktopNow'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
id: 5c854b68-79c8-4bd7-abe4-7c670b02c938
name: Remote Management and Monitoring tool - DesktopNow - Create Process
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceProcessEvents
  | where Timestamp between (Time_start..Time_end)
  | where ProcessVersionInfoCompanyName has 'NCH Software'
      and ProcessVersionInfoProductName has 'DesktopNow'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: IT Admin Creates Process via DesktopNow for Scheduled Maintenance
Description: An IT administrator uses DesktopNow to deploy a scheduled maintenance script across endpoints.
Filter/Exclusion: process.parent_process_name == "DesktopNow.exe" and (process.name == "schtasks.exe" or process.name == "taskhost.exe")
Scenario: DesktopNow Used to Deploy Antivirus Updates
Description: The RMM tool is used to push antivirus definition updates to endpoints.
Filter/Exclusion: (process.name == "avastui.exe" or process.name == "mcafee.exe") and process.parent_process_name == "DesktopNow.exe"
Scenario: System Administrator Launches Remote PowerShell via DesktopNow
Description: An admin uses DesktopNow to run a PowerShell script for system configuration or patching.
Filter/Exclusion: process.name == "powershell.exe" and process.parent_process_name == "DesktopNow.exe" and process.command_line contains "Configure-System.ps1"
Scenario: DesktopNow Used to Deploy Configuration Management Tools
Description: The RMM tool is used to deploy tools like Puppet or Chef for configuration management.
Filter/Exclusion: (process.name == "puppet.exe" or process.name == "chef-client.exe") and process.parent_process_name == "DesktopNow.exe"
Scenario: DesktopNow Invoked by a Scheduled Task for Log Collection
Description: A scheduled task is configured to use DesktopNow to collect system logs from remote endpoints.
Filter/Exclusion: process.name == "schtasks.exe" and process.parent_process_name == "DesktopNow.exe" and process.command_line contains "Collect-SystemLogs.ps1"
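The hunt query and the tuning scenarios above, re-implemented in Python over constructed DeviceProcessEvents-style rows so the summarize step and the exclusion grouping can be checked offline. This is an added example, not code from the page or from the linked repository. The sample rows are made up, and the scenarios' `process.name`, `process.parent_process_name` and `process.command_line` fields are mapped to the `FileName`, `InitiatingProcessFileName` and `ProcessCommandLine` columns as an assumption. It also shows why the `and`/`or` grouping in the exclusion filters matters: `and` binds tighter than `or`, so an ungrouped scenario 1 would suppress every `taskhost.exe` regardless of parent.

```python
from datetime import datetime, timedelta

# Fixed stand-in for KQL now() so the example is deterministic.
NOW = datetime(2024, 6, 1, 12, 0, 0)


def _event(days_ago, device_id, device_name, report_id, company, product,
           file_name, parent, cmdline=""):
    """One row with the DeviceProcessEvents columns the hunt and the scenarios use.
    Assumed mapping: process.name -> FileName, process.parent_process_name ->
    InitiatingProcessFileName, process.command_line -> ProcessCommandLine."""
    return {
        "Timestamp": NOW - timedelta(days=days_ago),
        "DeviceId": device_id, "DeviceName": device_name, "ReportId": report_id,
        "ProcessVersionInfoCompanyName": company,
        "ProcessVersionInfoProductName": product,
        "FileName": file_name,
        "InitiatingProcessFileName": parent,
        "ProcessCommandLine": cmdline,
    }


# Constructed sample telemetry; none of these values come from real hosts.
SAMPLE_EVENTS = [
    # DesktopNow binaries: two hits on ws01, one on srv01, one too old for the 5d window.
    _event(1, "dev-001", "ws01", 101, "NCH Software", "DesktopNow", "DesktopNow.exe", "explorer.exe"),
    _event(2, "dev-001", "ws01", 102, "NCH Software", "DesktopNow", "DesktopNowSvc.exe", "services.exe"),
    _event(3, "dev-002", "srv01", 201, "nch software", "DesktopNow Remote Access", "DesktopNow.exe", "cmd.exe"),
    _event(9, "dev-003", "ws02", 301, "NCH Software", "DesktopNow", "DesktopNow.exe", "explorer.exe"),
    # Child processes of DesktopNow.exe that the tuning scenarios do or do not explain.
    _event(1, "dev-001", "ws01", 103, "Microsoft Corporation", "Microsoft Windows", "schtasks.exe",
           "DesktopNow.exe", "schtasks.exe /create /tn LogCollect /tr Collect-SystemLogs.ps1"),
    _event(1, "dev-001", "ws01", 104, "Microsoft Corporation", "Microsoft Windows", "powershell.exe",
           "DesktopNow.exe", "powershell.exe -File Configure-System.ps1"),
    _event(1, "dev-002", "srv01", 202, "Microsoft Corporation", "Microsoft Windows", "powershell.exe",
           "DesktopNow.exe", "powershell.exe -File Deploy.ps1"),
    # Unrelated taskhost.exe with another parent; used to show the precedence bug.
    _event(1, "dev-004", "ws03", 401, "Microsoft Corporation", "Microsoft Windows", "taskhost.exe",
           "svchost.exe"),
]


def _has(value, needle):
    """Approximates KQL `has` as a case-insensitive substring test (KQL also
    requires the needle to line up with term boundaries)."""
    return needle.lower() in value.lower()


def hunt_desktopnow(events, now=NOW, lookback_days=5):
    """Python equivalent of the KQL: time window, vendor/product filter, then
    summarize FirstSeen/LastSeen/Report/Count by DeviceId, DeviceName."""
    start = now - timedelta(days=lookback_days)
    rows = {}
    for e in events:
        if not (start <= e["Timestamp"] <= now):
            continue
        if not (_has(e["ProcessVersionInfoCompanyName"], "NCH Software")
                and _has(e["ProcessVersionInfoProductName"], "DesktopNow")):
            continue
        key = (e["DeviceId"], e["DeviceName"])
        row = rows.setdefault(key, {"FirstSeen": e["Timestamp"], "LastSeen": e["Timestamp"],
                                    "Report": set(), "Count": 0})
        row["FirstSeen"] = min(row["FirstSeen"], e["Timestamp"])
        row["LastSeen"] = max(row["LastSeen"], e["Timestamp"])
        row["Report"].add(e["ReportId"])
        row["Count"] += 1
    return rows


def is_expected_admin_use(e):
    """The five tuning scenarios with explicit grouping: every exclusion requires
    DesktopNow.exe as the parent, then one of the listed child patterns."""
    name = e["FileName"].lower()
    parent = e["InitiatingProcessFileName"].lower()
    cmd = e["ProcessCommandLine"]
    if parent != "desktopnow.exe":
        return False
    return (
        name in ("schtasks.exe", "taskhost.exe")                         # scenarios 1 and 5
        or name in ("avastui.exe", "mcafee.exe")                         # scenario 2
        or (name == "powershell.exe" and "Configure-System.ps1" in cmd)  # scenario 3
        or name in ("puppet.exe", "chef-client.exe")                     # scenario 4
    )


def ungrouped_scenario1(e):
    """Scenario 1 evaluated as `A and B or C` with no parentheses: because `and`
    binds first, any taskhost.exe matches, whatever its parent."""
    name = e["FileName"].lower()
    parent = e["InitiatingProcessFileName"].lower()
    return parent == "desktopnow.exe" and name == "schtasks.exe" or name == "taskhost.exe"


def suspicious_children(events):
    """Processes created by DesktopNow.exe that no tuning scenario explains; these
    are the rows left for an analyst once the exclusions are applied."""
    return [e for e in events
            if e["InitiatingProcessFileName"].lower() == "desktopnow.exe"
            and not is_expected_admin_use(e)]


if __name__ == "__main__":
    for (device_id, device_name), row in sorted(hunt_desktopnow(SAMPLE_EVENTS).items()):
        print(device_id, device_name, row["Count"], sorted(row["Report"]),
              row["FirstSeen"].date(), row["LastSeen"].date())
    for e in suspicious_children(SAMPLE_EVENTS):
        print("review:", e["DeviceName"], e["FileName"], e["ProcessCommandLine"])
```

Running it lists ws01 (2 hits) and srv01 (1 hit) from the hunt, drops the 9-day-old ws02 row, and leaves a single child process for review: the `Deploy.ps1` PowerShell launch, which matches none of the exclusions. The ungrouped scenario 1 wrongly classifies the unrelated `taskhost.exe` as expected admin use, which is the over-exclusion the parentheses prevent.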