The hypothesis is that an adversary is using DistantDesktop to create persistence by establishing a remote management process on target systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromise and prevent long-term persistence through legitimate RMM tools.
KQL Query

```kql
let Time_start = now(-5d);
let Time_end = now();
//
DeviceProcessEvents
| where Timestamp between (Time_start..Time_end)
| where ProcessVersionInfoCompanyName has 'Distant Software'
    and ProcessVersionInfoProductName has 'Distant Desktop'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
```
```yaml
id: cbc0887e-d1df-4a33-bef6-4794539d8ecb
name: Remote Management and Monitoring tool - DistantDesktop - Create Process
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceProcessEvents
  | where Timestamp between (Time_start..Time_end)
  | where ProcessVersionInfoCompanyName has 'Distant Software'
      and ProcessVersionInfoProductName has 'Distant Desktop'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: IT Admin Creates a Process via DistantDesktop for Patch Management
Description: An IT administrator uses DistantDesktop to remotely execute a patching script on a Windows endpoint.
Filter/Exclusion: `(process.name == "msiexec.exe" && process.args contains "patch") || (process.name == "wmic.exe" && process.args contains "path")`

Scenario: Scheduled Job Execution via DistantDesktop for System Maintenance
Description: A scheduled job is triggered through DistantDesktop to perform routine system cleanup or log rotation.
Filter/Exclusion: `process.name == "schtasks.exe" || process.name == "taskhost.exe" || process.args contains "schtasks"`

Scenario: Remote PowerShell Script Execution for Configuration Management
Description: An IT admin uses DistantDesktop to run a PowerShell script that configures system settings across multiple endpoints.
Filter/Exclusion: `(process.name == "powershell.exe" && process.args contains "Configure-System.ps1") || process.args contains "Set-ItemProperty"`

Scenario: Remote Process Creation for Software Deployment
Description: A deployment tool such as SCCM or Microsoft Endpoint Manager uses DistantDesktop to launch a setup.exe for software installation.
Filter/Exclusion: `(process.name == "setup.exe" && process.args contains " /s") || (process.name == "msiexec.exe" && process.args contains "/i")`

Scenario: Remote Monitoring Tool Integration via DistantDesktop
Description: A legitimate monitoring tool such as Nagios or PRTG is configured to run a check script via DistantDesktop.
Filter/Exclusion: `process.name == "nagios.exe" || process.name == "prtg_agent.exe" || process.args contains "check_disk"`
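As an added example (not code from the page or the linked repository), the Python below mirrors the KQL hunt above on constructed DeviceProcessEvents rows and turns the Filter/Exclusion scenarios into one predicate with explicit precedence. The names `kql_has`, `hunt`, `expected_admin_activity`, `ev` and the sample rows are assumptions made here, and `kql_has` only approximates KQL's term-based `has` operator.

```python
import re
from datetime import datetime

def kql_has(value, term):
    # Approximates KQL `has`: case-insensitive, whole-term match. A substring
    # `contains` check would also accept "Distant Softwares"; `has` does not.
    pattern = r"(?<![A-Za-z0-9])" + re.escape(term) + r"(?![A-Za-z0-9])"
    return re.search(pattern, value, re.IGNORECASE) is not None

def hunt(events, start_iso, end_iso):
    # Same logic as the page's KQL: time window, version-info filter, summarize by device.
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    out = {}
    for e in events:
        ts = datetime.fromisoformat(e["Timestamp"])
        if not (start <= ts <= end):
            continue
        if not (kql_has(e["ProcessVersionInfoCompanyName"], "Distant Software")
                and kql_has(e["ProcessVersionInfoProductName"], "Distant Desktop")):
            continue
        key = (e["DeviceId"], e["DeviceName"])
        row = out.setdefault(key, {"FirstSeen": ts, "LastSeen": ts, "Report": set(), "Count": 0})
        row["FirstSeen"] = min(row["FirstSeen"], ts)   # min(Timestamp)
        row["LastSeen"] = max(row["LastSeen"], ts)     # max(Timestamp)
        row["Report"].add(e["ReportId"])               # make_set(ReportId)
        row["Count"] += 1                              # count()
    return out

def expected_admin_activity(name, args):
    # The page's five Filter/Exclusion scenarios as one predicate over the process a
    # DistantDesktop session spawns; parentheses make the intended precedence explicit.
    name = name.lower()
    return ((name == "msiexec.exe" and "patch" in args) or (name == "wmic.exe" and "path" in args)
            or name in ("schtasks.exe", "taskhost.exe") or "schtasks" in args
            or (name == "powershell.exe" and "Configure-System.ps1" in args) or "Set-ItemProperty" in args
            or (name == "setup.exe" and " /s" in args) or (name == "msiexec.exe" and "/i" in args)
            or name in ("nagios.exe", "prtg_agent.exe") or "check_disk" in args)

def ev(ts, dev, rid, company, product="Distant Desktop"):  # constructed rows, not real telemetry
    return {"Timestamp": ts, "DeviceId": dev, "DeviceName": dev + ".corp", "ReportId": rid,
            "ProcessVersionInfoCompanyName": company, "ProcessVersionInfoProductName": product}

EVENTS = [
    ev("2024-05-01T10:00:00", "d1", 101, "Distant Software"),
    ev("2024-05-02T11:30:00", "d1", 102, "Distant Software"),
    ev("2024-05-02T12:00:00", "d2", 201, "DISTANT SOFTWARE LTD"),   # `has` is case-insensitive: hit
    ev("2024-05-02T12:05:00", "d3", 301, "Distant Softwares Inc"),  # not a whole term: no hit
    ev("2024-03-01T09:00:00", "d4", 401, "Distant Software"),       # outside the lookback window
]

if __name__ == "__main__":
    print(hunt(EVENTS, "2024-04-27T00:00:00", "2024-05-03T00:00:00"))
```

Exclusions like these should be scoped narrowly to known admin hosts or accounts; an exclusion on a bare argument string such as `schtasks` would also suppress the persistence technique the hunt is meant to surface.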