The hypothesis is that an adversary is using IperiusRemote to create persistence by establishing a remote management process. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect potential adversary use of RMM tools for long-term access and command and control.
KQL Query

```kql
let Time_start = now(-5d);
let Time_end = now();
//
DeviceProcessEvents
| where Timestamp between (Time_start..Time_end)
| where ProcessVersionInfoCompanyName has 'Enter Srl'
    and ProcessVersionInfoProductName has 'Iperius Remote'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
```
```yaml
id: 62e701c0-0c0d-4f8c-b6f6-f7428b9b255a
name: Remote Management and Monitoring tool - IperiusRemote - Create Process
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceProcessEvents
  | where Timestamp between (Time_start..Time_end)
  | where ProcessVersionInfoCompanyName has 'Enter Srl'
      and ProcessVersionInfoProductName has 'Iperius Remote'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
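The following Python is an added example and is not part of the original hunting page or of the referenced GitHub repository. It reproduces the query's logic offline (5-day window, `Enter Srl` / `Iperius Remote` version-info match with KQL `has` semantics approximated, then a per-device summarize of FirstSeen, LastSeen, the ReportId set and Count) over a constructed handful of DeviceProcessEvents rows, and adds an optional parent-process exclusion of the kind the tuning scenarios below suggest for known scheduled jobs. The sample rows, the fixed `NOW` timestamp and the exclusion list are assumptions made for illustration; the column names are those of the real DeviceProcessEvents schema.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed "current time" and constructed DeviceProcessEvents rows (not real telemetry).
# Field names follow the Defender/Sentinel DeviceProcessEvents schema used by the KQL.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)


def _row(ts, device_id, device_name, report_id, company, product, parent):
    return {
        "Timestamp": ts, "DeviceId": device_id, "DeviceName": device_name,
        "ReportId": report_id, "ProcessVersionInfoCompanyName": company,
        "ProcessVersionInfoProductName": product, "InitiatingProcessFileName": parent,
    }


SAMPLE_EVENTS = [
    # Interactive launches on a workstation: two hits inside the 5-day window
    _row(NOW - timedelta(days=1), "dev-001", "ws01", 101, "Enter Srl", "Iperius Remote", "explorer.exe"),
    _row(NOW - timedelta(hours=3), "dev-001", "ws01", 102, "Enter Srl", "Iperius Remote", "cmd.exe"),
    # Server launch spawned by the Task Scheduler (the "scheduled job" scenario); mixed case on purpose
    _row(NOW - timedelta(days=2), "dev-002", "srv01", 201, "enter srl", "IPERIUS REMOTE", "schtasks.exe"),
    # Older than the lookback window: must be dropped by the time filter
    _row(NOW - timedelta(days=7), "dev-003", "srv02", 301, "Enter Srl", "Iperius Remote", "explorer.exe"),
    # Different vendor/product: must not satisfy the version-info predicate
    _row(NOW - timedelta(days=1), "dev-004", "ws02", 401, "Contoso", "Remote Helper", "explorer.exe"),
]


def kql_has(haystack, needle):
    """Approximation of the KQL `has` operator: case-insensitive match of the needle
    as a whole term (not glued to other word characters), rather than a bare substring."""
    pattern = r"(?<!\w)" + re.escape(needle) + r"(?!\w)"
    return re.search(pattern, haystack or "", re.IGNORECASE) is not None


def hunt_iperius(events, now=NOW, lookback_days=5, excluded_parents=()):
    """Python equivalent of the hunting query: time window, vendor/product match, then a
    summarize of FirstSeen/LastSeen/Report set/Count keyed by (DeviceId, DeviceName).
    `excluded_parents` is an optional tuning list of parent process names (compared
    case-insensitively) whose launches are treated as known-good, e.g. the Task Scheduler."""
    start, end = now - timedelta(days=lookback_days), now
    excluded = {p.lower() for p in excluded_parents}
    results = {}
    for ev in events:
        if not (start <= ev["Timestamp"] <= end):
            continue
        if not (kql_has(ev["ProcessVersionInfoCompanyName"], "Enter Srl")
                and kql_has(ev["ProcessVersionInfoProductName"], "Iperius Remote")):
            continue
        if ev.get("InitiatingProcessFileName", "").lower() in excluded:
            continue
        key = (ev["DeviceId"], ev["DeviceName"])
        agg = results.setdefault(key, {"FirstSeen": ev["Timestamp"], "LastSeen": ev["Timestamp"],
                                       "Report": set(), "Count": 0})
        agg["FirstSeen"] = min(agg["FirstSeen"], ev["Timestamp"])
        agg["LastSeen"] = max(agg["LastSeen"], ev["Timestamp"])
        agg["Report"].add(ev["ReportId"])
        agg["Count"] += 1
    # make_set() yields a dynamic array; sort here so the output is deterministic
    for agg in results.values():
        agg["Report"] = sorted(agg["Report"])
    return results


if __name__ == "__main__":
    for key, agg in hunt_iperius(SAMPLE_EVENTS).items():
        print(key, agg)
    tuned = hunt_iperius(SAMPLE_EVENTS, excluded_parents=("schtasks.exe",))
    print("devices left after excluding Task Scheduler launches:", sorted(tuned))
```

Running the block untuned returns two devices (ws01 with two events, srv01 with one); the stale dev-003 row falls outside the window and the Contoso row fails the version-info match. Passing `excluded_parents=("schtasks.exe",)` removes srv01, which is exactly the trade-off the scenarios below describe: the exclusion suppresses a known scheduled job, but it also hides any adversary who launches the tool from a task they created, so such exclusions should be scoped to specific hosts or task names rather than applied globally.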
Scenario: Legitimate scheduled backup job using IperiusRemote
Description: A system administrator schedules a nightly backup job using IperiusRemote, which creates a process as part of the backup operation.
Filter/Exclusion: Check the parent process (e.g., schtasks.exe or the Task Scheduler), or filter by known backup-related command-line arguments or paths (e.g., C:\Program Files\IperiusRemote\backup.exe).
Scenario: IperiusRemote used for remote system monitoring
Description: An IT admin uses IperiusRemote to monitor disk usage and system performance on remote endpoints, which triggers the “Create Process” detection.
Filter/Exclusion: Filter by process name or command-line arguments related to monitoring (e.g., monitor.exe, --monitor flag), or check for known admin tasks in the IperiusRemote logs.
Scenario: IperiusRemote configured for remote PowerShell execution
Description: An admin configures IperiusRemote to execute PowerShell scripts on remote systems for patch management or configuration updates.
Filter/Exclusion: Filter by process command-line arguments containing powershell.exe or specific script paths, or check for known admin tasks in the IperiusRemote configuration.
Scenario: IperiusRemote used for remote software deployment
Description: A deployment task uses IperiusRemote to push software updates to multiple endpoints, which creates a process on the target systems.
Filter/Exclusion: Filter by process command-line arguments containing deployment-related flags or paths (e.g., deploy.exe, --install), or check for known deployment tasks in the IperiusRemote logs.
Scenario: IperiusRemote used for remote log collection
Description: A security team uses IperiusRemote to collect logs from