The hypothesis is that an adversary is using DesktopNow, a Remote Monitoring and Management (RMM) tool from NCH Software, to establish a covert network connection for command and control or persistent access. SOC teams should proactively hunt for this behaviour in Microsoft Sentinel (formerly Azure Sentinel) to identify abuse of a legitimate RMM tool by threat actors, mapped to MITRE ATT&CK technique T1219. The query below keys on the initiating process's version metadata rather than its file name, so renaming the executable does not evade it; a locally built or patched binary with stripped version info would.
KQL Query
let Time_start = now(-5d);   // lookback window: the last 5 days
let Time_end = now();
DeviceNetworkEvents
| where Timestamp between (Time_start..Time_end)
// remote domain the query keys on; ties the connection to DesktopNow's service
| where RemoteUrl has 'nchuser.com'
// match on the initiating binary's version metadata, not its file name
and InitiatingProcessVersionInfoCompanyName has 'NCH Software'
and InitiatingProcessVersionInfoProductName has 'DesktopNow'
// one row per device and destination, with the ReportIds needed to pivot into the raw events
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName, RemoteUrl
id: 337d4bc9-3087-472a-9007-920cc60fd080
name: Remote Management and Monitoring tool - DesktopNow - Network Connection
description: |
  Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  DeviceNetworkEvents
  | where Timestamp between (Time_start..Time_end)
  | where RemoteUrl has 'nchuser.com'
  and InitiatingProcessVersionInfoCompanyName has 'NCH Software'
  and InitiatingProcessVersionInfoProductName has 'DesktopNow'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
  Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
  RemoteUrl
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR (MicrosoftThreatProtection) connector; ensure it is enabled and that DeviceNetworkEvents is selected |
Scenario: Scheduled Maintenance Task Using DesktopNow
Description: A system administrator schedules a routine maintenance task using DesktopNow to update software or apply patches across managed endpoints.
Filter/Exclusion: Allowlist the specific host, service account and maintenance window, never the process name: every row this query returns was initiated by DesktopNow, so `InitiatingProcessFileName != "DesktopNow.exe"` would suppress the entire result set. For example: `| where not(DeviceName =~ "<maintenance_host>" and InitiatingProcessAccountName =~ "<maintenance_account>" and hourofday(Timestamp) between (1 .. 3))`.
Scenario: Remote Desktop Session via DesktopNow
Description: An IT admin uses DesktopNow to establish a remote session to troubleshoot a user's endpoint. DesktopNow is itself the remote-desktop client here; mstsc.exe is not the initiating process, so a filter on mstsc.exe has no effect on this query.
Filter/Exclusion: Exclude only sessions started by approved RMM operators, for example from a Sentinel watchlist (name is a placeholder): `| where InitiatingProcessAccountUpn !in~ ((_GetWatchlist('<ApprovedRmmAdmins>') | project SearchKey))`. An internal-range test on RemoteIP adds nothing: the RemoteUrl clause already restricts hits to nchuser.com, so RemoteIP is the resolved public address of that domain, not the troubleshot endpoint.
Scenario: Software Deployment via DesktopNow
Description: A deployment task is initiated through DesktopNow to push a legitimate software update to multiple endpoints, which may involve network connections to download or install the package.
Filter/Exclusion: The hash of the deployed package is not visible in DeviceNetworkEvents; the only hash available is InitiatingProcessSHA256, the DesktopNow binary itself, and a genuine vendor build is exactly what an attacker also runs. Pair the hash with the deployment host and account: `| where not(InitiatingProcessSHA256 =~ "<approved_desktopnow_sha256>" and DeviceName =~ "<deployment_host>" and InitiatingProcessAccountName =~ "<deployment_account>")`. The package download goes to the software vendor, not nchuser.com, so it does not appear in this query; only DesktopNow's own connection does.
Scenario: System Monitoring via DesktopNow
Description: The IT team uses DesktopNow to monitor system performance and resource usage, which may involve periodic network connections to collect metrics.
Filter/Exclusion: Periodic collection shows up as a high Count with a steady FirstSeen-to-LastSeen spread on the same device; allowlist the monitoring hosts and account: `| where not(DeviceName in~ ("<monitoring_host_1>", "<monitoring_host_2>") and InitiatingProcessAccountName =~ "<monitoring_account>")`. DeviceNetworkEvents carries no Windows event ID column, so an `event_id != 5000` test cannot be expressed against this table.
Scenario: Backup Job Triggered by DesktopNow
Description: A backup job is initiated through DesktopNow to transfer data to a remote backup server, which may involve network connections to the backup infrastructure.
Filter/Exclusion: The transfer itself has the backup server as RemoteUrl/RemoteIP and so never matches the nchuser.com clause; only DesktopNow's own connection from the backup host does. Exclude that host and account: `| where not(DeviceName =~ "<backup_host>" and InitiatingProcessAccountName =~ "<backup_account>")`. A `RemoteIP != <backup_server_ip>` exclusion removes nothing from this query.
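As an added, offline check that is not part of the original hunting query or of the linked repository: the Python below re-implements the query's where-clauses and summarize step over constructed DeviceNetworkEvents rows, then applies the two exclusion styles discussed in the scenarios above. A scoped device/account allowlist removes only the approved deployment host, while a blanket process-name exclusion removes every hit. All hostnames, device names, accounts, ReportIds and the DesktopNow.exe file name are constructed for the example, and the substring match stands in for KQL `has`, which is a whole-term match.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed reference time so the example is deterministic offline (stands in for KQL now()).
NOW = datetime(2024, 5, 10, 12, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class NetEvent:
    """Subset of DeviceNetworkEvents columns the hunt and the exclusions touch."""
    Timestamp: datetime
    DeviceId: str
    DeviceName: str
    RemoteUrl: str
    InitiatingProcessFileName: str
    InitiatingProcessVersionInfoCompanyName: str
    InitiatingProcessVersionInfoProductName: str
    InitiatingProcessAccountName: str
    ReportId: int


def hunt(events, now=NOW, window=timedelta(days=5)):
    """Rows kept by the query's where-clauses: 5-day window, nchuser.com, NCH Software, DesktopNow.
    KQL `has` matches whole terms; a case-insensitive substring test is adequate for these literals."""
    start = now - window
    return [
        e for e in events
        if start <= e.Timestamp <= now
        and "nchuser.com" in e.RemoteUrl.lower()
        and "nch software" in e.InitiatingProcessVersionInfoCompanyName.lower()
        and "desktopnow" in e.InitiatingProcessVersionInfoProductName.lower()
    ]


def summarize(rows):
    """Emulates `summarize FirstSeen=min(), LastSeen=max(), Report=make_set(ReportId),
    Count=count() by DeviceId, DeviceName, RemoteUrl`."""
    out = {}
    for r in rows:
        key = (r.DeviceId, r.DeviceName, r.RemoteUrl)
        g = out.setdefault(key, {"FirstSeen": r.Timestamp, "LastSeen": r.Timestamp,
                                 "Report": set(), "Count": 0})
        g["FirstSeen"] = min(g["FirstSeen"], r.Timestamp)
        g["LastSeen"] = max(g["LastSeen"], r.Timestamp)
        g["Report"].add(r.ReportId)
        g["Count"] += 1
    return out


# Constructed allowlist of (DeviceName, InitiatingProcessAccountName) pairs approved to run DesktopNow.
APPROVED_RMM_USE = {("DEPLOY-01", "svc_deploy")}


def scoped_exclusion(rows):
    """Drop only connections from an approved device/account pair; everything else stays in scope."""
    return [r for r in rows
            if (r.DeviceName, r.InitiatingProcessAccountName) not in APPROVED_RMM_USE]


def blanket_exclusion(rows):
    """The `process.name != "DesktopNow.exe"` pattern: every row this hunt returns was
    initiated by DesktopNow, so this keeps nothing and silently blinds the hunt."""
    return [r for r in rows if r.InitiatingProcessFileName != "DesktopNow.exe"]


def run_hunt(events, exclusion=scoped_exclusion, now=NOW):
    """Full pipeline: where-clauses, then the analyst's exclusion, then summarize."""
    return summarize(exclusion(hunt(events, now=now)))


def _ev(days_ago, dev_id, dev, url, proc, company, product, account, report):
    return NetEvent(NOW - timedelta(days=days_ago), dev_id, dev, url, proc,
                    company, product, account, report)


# Constructed sample telemetry, not real DeviceNetworkEvents rows.
SAMPLE_EVENTS = [
    # Approved deployment host: matches the hunt but is allowlisted by device + account.
    _ev(1, "d-001", "DEPLOY-01", "relay.nchuser.com", "DesktopNow.exe", "NCH Software", "DesktopNow", "svc_deploy", 101),
    # Finance laptop, interactive user, two connections over two days: the hit an analyst wants to see.
    _ev(2, "d-002", "FIN-LAPTOP-07", "relay.nchuser.com", "DesktopNow.exe", "NCH Software", "DesktopNow", "jdoe", 201),
    _ev(0.5, "d-002", "FIN-LAPTOP-07", "relay.nchuser.com", "DesktopNow.exe", "NCH Software", "DesktopNow", "jdoe", 202),
    # Same laptop six days ago: outside the 5-day window.
    _ev(6, "d-002", "FIN-LAPTOP-07", "relay.nchuser.com", "DesktopNow.exe", "NCH Software", "DesktopNow", "jdoe", 200),
    # DesktopNow talking to an unrelated domain: not matched by the RemoteUrl clause.
    _ev(1, "d-003", "DEV-02", "updates.example.net", "DesktopNow.exe", "NCH Software", "DesktopNow", "alice", 301),
    # A browser visiting nchuser.com: RemoteUrl matches but the process metadata does not.
    _ev(1, "d-004", "HR-PC-03", "www.nchuser.com", "chrome.exe", "Google LLC", "Google Chrome", "bob", 401),
]


if __name__ == "__main__":
    for key, g in run_hunt(SAMPLE_EVENTS).items():
        print(key, "Count:", g["Count"], "Reports:", sorted(g["Report"]))
```

Swap `scoped_exclusion` for `blanket_exclusion` in `run_hunt` and the summary comes back empty, which is the failure mode the scenario exclusions above have to avoid; the test harness for a real exclusion should be the same shape, a handful of known-good and known-bad rows run through the clause before it is added to the saved query.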