The hypothesis is that an adversary is using the ISLOnline tool to establish unauthorized network connections for remote management and potential command and control. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate potential persistent threats leveraging RMM tools.
KQL Query
```kql
let Time_start = now(-5d);
let Time_end = now();
//
DeviceNetworkEvents
| where Timestamp between (Time_start..Time_end)
| where RemoteUrl has 'islonline.net'
    and InitiatingProcessVersionInfoCompanyName has_any ('Xlab', 'ISL Online')
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
    RemoteUrl
```
```yaml
id: b24a1cca-0419-4c47-b400-b78009561482
name: Remote Management and Monitoring tool - ISLOnline - Network Connection
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics: CommandAndControl
relevantTechniques: T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceNetworkEvents
  | where Timestamp between (Time_start..Time_end)
  | where RemoteUrl has 'islonline.net'
      and InitiatingProcessVersionInfoCompanyName has_any ('Xlab', 'ISL Online')
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
      RemoteUrl
```
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance via ISLOnline
Description: A system administrator uses ISLOnline to perform routine maintenance tasks, such as patching or configuration updates, which may involve network connections.
Filter/Exclusion: process.name != "ISLOnline.exe" OR process.parent.name == "Task Scheduler" OR process.command_line contains "maintenance"
Scenario: Remote Desktop Session Established via ISLOnline
Description: An IT admin connects to a remote endpoint using ISLOnline for troubleshooting, which may trigger network connection alerts.
Filter/Exclusion: process.name != "ISLOnline.exe" OR process.parent.name == "mstsc.exe" OR process.command_line contains "RDP"
Scenario: ISLOnline Job for Log Collection
Description: A scheduled job runs via ISLOnline to collect system logs from multiple endpoints, which may result in outbound network connections.
Filter/Exclusion: process.name != "ISLOnline.exe" OR process.command_line contains "log collection" OR process.parent.name == "Task Scheduler"
Scenario: ISLOnline Used for Software Deployment
Description: An admin uses ISLOnline to deploy software updates across the network, which may involve outbound connections to download or push updates.
Filter/Exclusion: process.name != "ISLOnline.exe" OR process.command_line contains "software deployment" OR process.parent.name == "Deployment Tool"
Scenario: ISLOnline Monitoring for System Health
Description: ISLOnline is configured to monitor system health metrics, which may involve periodic network connections to check endpoint status.
Filter/Exclusion: process.name != "ISLOnline.exe" OR process.command_line contains "health
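The hunt query and the scheduled-maintenance exclusion above, simulated in Python over constructed DeviceNetworkEvents rows. This is an added example, not code from the page or the linked repository; it assumes the DeviceNetworkEvents column names the query references, and the sample rows (including svchost.exe as the parent process for the scheduled-task case) are constructed.

```python
"""Python simulation of the ISLOnline hunt: the DeviceNetworkEvents filter, the
summarize step, and the scheduled-maintenance exclusion applied as a tuning knob."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

NOW = datetime(2024, 5, 1, 12, 0, 0)  # stands in for KQL now()

def row(ts, dev, name, url, company, parent, report):
    # Column names follow the DeviceNetworkEvents schema used by the hunt (assumption).
    return {"Timestamp": ts, "DeviceId": dev, "DeviceName": name, "RemoteUrl": url,
            "InitiatingProcessVersionInfoCompanyName": company,
            "InitiatingProcessParentFileName": parent, "ReportId": report}

# Constructed sample telemetry, not real data.
EVENTS = [
    row(NOW - timedelta(days=1), "dev1", "ws01", "server.islonline.net", "XLAB d.o.o.", "explorer.exe", 11),
    row(NOW - timedelta(hours=2), "dev1", "ws01", "server.islonline.net", "ISL Online", "explorer.exe", 12),
    # constructed stand-in for the "scheduled maintenance" scenario: parent is a task host
    row(NOW - timedelta(days=2), "dev2", "srv01", "server.islonline.net", "ISL Online", "svchost.exe", 21),
    row(NOW - timedelta(days=9), "dev3", "ws02", "server.islonline.net", "ISL Online", "explorer.exe", 31),  # outside 5d window
    row(NOW - timedelta(days=1), "dev4", "ws03", "update.example.com", "Example Corp", "explorer.exe", 41),
]

def kql_has(value, term):
    """Approximates KQL `has`: case-insensitive match on a whole term, not a bare substring."""
    pattern = r"(?<![A-Za-z0-9])" + re.escape(term) + r"(?![A-Za-z0-9])"
    return re.search(pattern, value, re.IGNORECASE) is not None

def hunt(events, now=NOW, window_days=5, excluded_parents=()):
    """Mirrors the KQL: time window, RemoteUrl/company filter, then summarize by device and URL.
    excluded_parents is the tuning hook for the page's parent-process exclusions."""
    start = now - timedelta(days=window_days)
    skip = {p.lower() for p in excluded_parents}
    groups = defaultdict(list)
    for e in events:
        if not (start <= e["Timestamp"] <= now):
            continue
        if not kql_has(e["RemoteUrl"], "islonline.net"):
            continue
        if not any(kql_has(e["InitiatingProcessVersionInfoCompanyName"], c) for c in ("Xlab", "ISL Online")):
            continue
        if e["InitiatingProcessParentFileName"].lower() in skip:
            continue
        groups[(e["DeviceId"], e["DeviceName"], e["RemoteUrl"])].append(e)
    return {key: {"FirstSeen": min(r["Timestamp"] for r in rows),
                  "LastSeen": max(r["Timestamp"] for r in rows),
                  "Report": sorted({r["ReportId"] for r in rows}),  # make_set(ReportId)
                  "Count": len(rows)} for key, rows in groups.items()}
```

Running `hunt(EVENTS)` reproduces the untuned query (two device rows); passing `excluded_parents=("svchost.exe",)` drops the scheduled-task row the way the maintenance exclusion intends.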