The hypothesis is that an adversary is using a Remote Management and Monitoring tool to execute arbitrary processes and maintain persistent access to target systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromise through abuse of legitimate RMM tools.
KQL Query

```kql
let Time_start = now(-5d);
let Time_end = now();
//
DeviceProcessEvents
| where Timestamp between (Time_start..Time_end)
| where ProcessVersionInfoCompanyName has 'getscreen.me'
    and ProcessVersionInfoProductName has 'getscreen.me'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
```
```yaml
id: c231063d-dff3-478f-8c5c-95417a111333
name: Remote Management and Monitoring tool - GetScreen - Create Process
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceProcessEvents
  | where Timestamp between (Time_start..Time_end)
  | where ProcessVersionInfoCompanyName has 'getscreen.me'
      and ProcessVersionInfoProductName has 'getscreen.me'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
**Scenario: IT Admin Using GetScreen to Monitor a Remote Endpoint**

Description: A legitimate IT administrator is using a Remote Management and Monitoring (RMM) tool like Kaseya VSA or ConnectWise RMM to remotely monitor a user's screen for troubleshooting purposes.

Filter/Exclusion: Check for the presence of known RMM tool processes (e.g., kaseya.exe, connectwise.exe) or use a filter like process.parent_process_name contains "RMM Tool".

**Scenario: Scheduled Job to Create a Process for System Maintenance**

Description: A scheduled task is configured to run a maintenance script that creates a new process as part of system cleanup or patching. This could be part of a tool like Microsoft Endpoint Manager (MEM) or System Center Configuration Manager (SCCM).

Filter/Exclusion: Filter by process.parent_process_name contains "Task Scheduler" or process.command_line contains "sccm".

**Scenario: Remote Desktop Session Creating a Process**

Description: A user is connected via Remote Desktop Protocol (RDP) and is running a legitimate process (e.g., notepad.exe, cmd.exe) as part of normal remote work.

Filter/Exclusion: Filter by process.parent_process_name contains "rdp.exe" or process.parent_process_name contains "mstsc.exe".

**Scenario: Automated Patching Tool Creating a Process**

Description: An automated patching tool like Microsoft Update or Windows Server Update Services (WSUS) is running a process to apply updates to a remote machine.

Filter/Exclusion: Filter by process.command_line contains "wuauclt.exe" or process.command_line contains "wusa.exe".
**Scenario: IT Team Using a Third-Party RMM
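Added example, not code from the hunting query page or the linked repository: a Python re-implementation of the query's filter and summarize over constructed DeviceProcessEvents-style rows, with an account allowlist standing in for the exclusions the scenarios above describe. The `kql_has` term-boundary approximation, the sample rows and the `approved_accounts` allowlist are assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed DeviceProcessEvents-style rows (sample data, not real telemetry).
EVENTS = [
    {"Timestamp": datetime(2024, 5, 1, 9, 0), "DeviceId": "d1", "DeviceName": "ws-07",
     "ReportId": 101, "AccountName": "jdoe", "InitiatingProcessFileName": "explorer.exe",
     "ProcessVersionInfoCompanyName": "Getscreen.me", "ProcessVersionInfoProductName": "Getscreen.me Agent"},
    {"Timestamp": datetime(2024, 5, 2, 14, 30), "DeviceId": "d1", "DeviceName": "ws-07",
     "ReportId": 102, "AccountName": "jdoe", "InitiatingProcessFileName": "cmd.exe",
     "ProcessVersionInfoCompanyName": "Getscreen.me", "ProcessVersionInfoProductName": "Getscreen.me Agent"},
    {"Timestamp": datetime(2024, 5, 2, 10, 0), "DeviceId": "d2", "DeviceName": "helpdesk-01",
     "ReportId": 201, "AccountName": "svc_helpdesk", "InitiatingProcessFileName": "explorer.exe",
     "ProcessVersionInfoCompanyName": "Getscreen.me", "ProcessVersionInfoProductName": "Getscreen.me Agent"},
    {"Timestamp": datetime(2024, 5, 2, 11, 0), "DeviceId": "d3", "DeviceName": "ws-12",
     "ReportId": 301, "AccountName": "asmith", "InitiatingProcessFileName": "explorer.exe",
     "ProcessVersionInfoCompanyName": "Microsoft Corporation", "ProcessVersionInfoProductName": "Notepad"},
]


def kql_has(value, term):
    # Approximation of KQL `has` (assumption): case-insensitive, and the term must
    # sit on term boundaries, so "notgetscreen.me" does not match "getscreen.me".
    pattern = r"(?<![0-9A-Za-z_])" + re.escape(term) + r"(?![0-9A-Za-z_])"
    return re.search(pattern, value or "", re.IGNORECASE) is not None


def hunt_getscreen(events, start, end, approved_accounts=()):
    # Same predicate and summarize as the page's KQL, plus an optional tuning
    # step: drop launches by an assumed allowlist of helpdesk/admin accounts.
    summary = {}
    for e in events:
        if not (start <= e["Timestamp"] <= end):
            continue
        if not (kql_has(e["ProcessVersionInfoCompanyName"], "getscreen.me")
                and kql_has(e["ProcessVersionInfoProductName"], "getscreen.me")):
            continue
        if e["AccountName"] in approved_accounts:
            continue
        key = (e["DeviceId"], e["DeviceName"])
        row = summary.setdefault(key, {"FirstSeen": e["Timestamp"], "LastSeen": e["Timestamp"],
                                       "Report": set(), "Count": 0, "Parents": set()})
        row["FirstSeen"] = min(row["FirstSeen"], e["Timestamp"])
        row["LastSeen"] = max(row["LastSeen"], e["Timestamp"])
        row["Report"].add(e["ReportId"])
        row["Parents"].add(e["InitiatingProcessFileName"])  # extra triage context
        row["Count"] += 1
    return summary
```

The `Parents` set is kept alongside the page's columns so an analyst can see which parent launched the agent on each device before deciding whether an exclusion applies.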