The hypothesis is that the detected network connection may indicate an adversary using IperiusRemote as a remote management tool for persistence or command and control. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential adversary use of legitimate RMM tools for malicious purposes.
KQL Query
let Time_start = now(-5d);
let Time_end = now();
//
DeviceNetworkEvents
| where Timestamp between (Time_start..Time_end)
| where RemoteUrl has_any (
'iperius',
'entersrl.it',
'iperiusremote.de'
)
and InitiatingProcessVersionInfoCompanyName has 'Enter Srl'
and InitiatingProcessVersionInfoProductName has 'Iperius Remote'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
RemoteUrl
id: be82cbca-f831-4e96-82ce-e779169a0a87
name: Remote Management and Monitoring tool - IperiusRemote - Network Connection
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceNetworkEvents
  | where Timestamp between (Time_start..Time_end)
  | where RemoteUrl has_any (
      'iperius',
      'entersrl.it',
      'iperiusremote.de'
    )
    and InitiatingProcessVersionInfoCompanyName has 'Enter Srl'
    and InitiatingProcessVersionInfoProductName has 'Iperius Remote'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
      RemoteUrl
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled Backups via IperiusRemote
Description: Legitimate scheduled backups using IperiusRemote may trigger network connection alerts if the tool is communicating with its remote server.
Filter/Exclusion: process.name != "iperiusremote.exe" OR destination.port != 443 (if backups use a different port) OR process.parent.name == "task scheduler"
Scenario: Remote System Administration via IperiusRemote
Description: IT administrators may use IperiusRemote to remotely manage endpoints, which can result in outbound network connections.
Filter/Exclusion: process.parent.name == "explorer.exe" OR process.parent.name == "mstsc.exe" (if using Remote Desktop) OR user.name == "Domain Admins"
Scenario: IperiusRemote Agent Communication with Central Server
Description: The IperiusRemote agent regularly communicates with the central server for updates and status checks, which can be flagged as suspicious.
Filter/Exclusion: destination.ip == <known IperiusRemote server IP> OR destination.domain == "iperiusremote.com"
Scenario: Remote Monitoring of Virtual Machines via IperiusRemote
Description: IT teams may use IperiusRemote to monitor and manage virtual machines, which can result in outbound network traffic.
Filter/Exclusion: process.name == "iperiusremote.exe" AND destination.port == 443 AND source.ip == <VM management subnet>
Scenario: IperiusRemote Used for Patch Management
Description: IperiusRemote may be used to push patches to endpoints, which involves network connections to the remote server.
Filter/Exclusion: process.name == "iperiusremote.exe" AND `destination.port == 44
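To show what the KQL query above actually returns, and how a tuning allowlist such as the "agent communication with central server" scenario narrows it, here is an added Python re-implementation of the query's filter and summarize stages run over a handful of constructed DeviceNetworkEvents rows. It is example code written for this page, not part of the query or the linked repository; the `allowed_urls` parameter and the sample host names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators taken from the KQL query on this page.
URL_TERMS = ("iperius", "entersrl.it", "iperiusremote.de")
COMPANY, PRODUCT = "enter srl", "iperius remote"

def row(ts, dev, url, rid, company="Enter Srl", product="Iperius Remote"):
    """Build one DeviceNetworkEvents-shaped record (constructed, not real telemetry)."""
    return {"Timestamp": ts, "DeviceId": dev, "DeviceName": dev + "-host",
            "RemoteUrl": url, "ReportId": rid,
            "InitiatingProcessVersionInfoCompanyName": company,
            "InitiatingProcessVersionInfoProductName": product}

NOW = datetime(2024, 1, 10, 12, 0, 0)  # fixed "now" so results are reproducible
EVENTS = [
    row(NOW - timedelta(days=1), "dev-1", "relay.iperiusremote.de", 101),
    row(NOW - timedelta(hours=2), "dev-1", "relay.iperiusremote.de", 102),
    row(NOW - timedelta(hours=1), "dev-2", "update.example.test", 103),  # URL not matched
    row(NOW - timedelta(days=9), "dev-3", "www.entersrl.it", 104),       # outside 5d window
    row(NOW - timedelta(hours=3), "dev-4", "www.entersrl.it", 105, company="Other Co"),
]

def matches(e):
    """Same predicate as the KQL where-clause; substring match stands in for has_any/has."""
    url = e["RemoteUrl"].lower()
    return (any(t in url for t in URL_TERMS)
            and COMPANY in e["InitiatingProcessVersionInfoCompanyName"].lower()
            and PRODUCT in e["InitiatingProcessVersionInfoProductName"].lower())

def hunt(events, now=NOW, lookback_days=5, allowed_urls=()):
    """Apply the time window and filters, then summarize like the KQL:
    FirstSeen, LastSeen, Report (set of ReportId) and Count per DeviceId/DeviceName/RemoteUrl.
    allowed_urls is a hypothetical tuning allowlist (the org's own known relay host)
    in the spirit of the 'agent communication with central server' scenario above."""
    start = now - timedelta(days=lookback_days)
    allow = {u.lower() for u in allowed_urls}
    groups = defaultdict(list)
    for e in events:
        if start <= e["Timestamp"] <= now and matches(e) \
                and e["RemoteUrl"].lower() not in allow:
            groups[(e["DeviceId"], e["DeviceName"], e["RemoteUrl"])].append(e)
    return {key: {"FirstSeen": min(r["Timestamp"] for r in rows),
                  "LastSeen": max(r["Timestamp"] for r in rows),
                  "Report": sorted({r["ReportId"] for r in rows}),
                  "Count": len(rows)}
            for key, rows in groups.items()}
```

Calling `hunt(EVENTS)` yields one row for dev-1 with Count 2; passing `allowed_urls=("relay.iperiusremote.de",)` suppresses it, which is the effect a server allowlist has on the alert volume.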