Processes spawned by remote management tools warrant investigation because they can indicate adversary persistence or command-and-control activity. Proactively hunting for this behavior in Azure Sentinel helps surface Level RMM processes on endpoints where they are not expected; RMM agents are commonly abused by attackers because they provide ready-made remote access. The query below looks for executables whose name starts with "level" running from Level's install directories while carrying no company or product version information, and summarizes the hits per device so each host can be triaged once.
KQL Query
```kql
let Time_start = now(-5d);
let Time_end = now();
//
DeviceProcessEvents
| where Timestamp between (Time_start..Time_end)
| where FileName startswith "level"
    and FolderPath has_any (
        @'\Program Files\Level\',
        @'\Program Files (x86)\Level\'
    )
    and isempty(ProcessVersionInfoCompanyName)
    and isempty(ProcessVersionInfoProductName)
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
```
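Before relying on the two isempty() conditions, it is worth checking what version metadata the level* binaries in your tenant actually carry, so you know whether "no company and product name" is the exception or the norm for this agent. The following baseline query is an added example, not part of the original hunting query or the linked repository; it uses only columns that exist in DeviceProcessEvents and groups the last 30 days of Level executions by binary and version fields.

```kql
// Added baseline check, not part of the original query.
// Shows, per Level binary, what version metadata is normally present and
// how many devices run it, so the isempty() conditions above can be judged.
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName startswith "level"
    and FolderPath has_any (
        @'\Program Files\Level\',
        @'\Program Files (x86)\Level\'
    )
| summarize Devices=dcount(DeviceId), Executions=count(),
    FirstSeen=min(Timestamp), LastSeen=max(Timestamp)
    by FileName, FolderPath, SHA256,
       ProcessVersionInfoCompanyName,
       ProcessVersionInfoProductName,
       ProcessVersionInfoProductVersion
// Flag the rows the hunting query would match
| extend VersionInfoMissing = isempty(ProcessVersionInfoCompanyName)
    and isempty(ProcessVersionInfoProductName)
| order by VersionInfoMissing desc, Devices desc
```

If the flagged rows share a single SHA256 that is also present on hosts where Level is deployed deliberately, the condition is matching the vendor build rather than an anomaly and the hunt should pivot on hash or parent process instead; if a flagged hash appears on only one or two devices, those are the hosts to look at first.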
```yaml
id: 42ee6265-ed2d-42b6-9c69-095092dce2e3
name: Remote Management and Monitoring tool - Level - Create Process
description: |
  Remote Monitoring and Management (RMM) programs are used by IT teams to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceProcessEvents
  | where Timestamp between (Time_start..Time_end)
  | where FileName startswith "level"
      and FolderPath has_any (
          @'\Program Files\Level\',
          @'\Program Files (x86)\Level\'
      )
      and isempty(ProcessVersionInfoCompanyName)
      and isempty(ProcessVersionInfoProductName)
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure the MicrosoftThreatProtection data connector is enabled and streaming this table |
The scenarios below describe legitimate RMM activity that produces process-creation events and how to exclude it. Two caveats: the query above only returns level* binaries under the Level install path, so exclusions for other RMM agents apply only if the hunt is broadened to them, and in DeviceProcessEvents the process name is the FileName column and the command line is ProcessCommandLine.

Scenario: Scheduled Job Execution by RMM Tool
Description: A legitimate scheduled job (for example, one pushed through Microsoft SCCM or Kaseya) runs a process on remote endpoints as part of routine maintenance.
Filter/Exclusion: Match FileName against known RMM agents (e.g., sccmclient, kaseyaagent) and exclude events whose ProcessCommandLine contains documented job names or script paths.

Scenario: System Update via RMM Tool
Description: An IT admin uses SolarWinds RMM to deploy a system update across multiple endpoints, which triggers the "Create Process" event.
Filter/Exclusion: Filter on FileName values such as wusa.exe or msiexec.exe and exclude events whose ProcessCommandLine contains the known update package names or paths.

Scenario: Remote PowerShell Script Execution
Description: An admin uses ManageEngine ServiceDesk to run a PowerShell script remotely to configure firewall rules or install patches.
Filter/Exclusion: Filter on FileName powershell.exe and exclude events whose ProcessCommandLine contains known admin script names or the expected interpreter path C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe.

Scenario: Remote Monitoring Agent Installation
Description: A BMC BladeLogic agent is installed on a remote endpoint as part of a standard deployment process.
Filter/Exclusion: Filter on FileName values such as setup.exe or install.exe and exclude events whose ProcessCommandLine contains the known agent installation paths or package names.

Scenario: Remote Task Scheduler Job Execution
Description: A Microsoft Intune task runs remotely to configure endpoint settings, which results in a process-creation event.
Filter/Exclusion: Filter by `
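As an added example, not part of the original hunting query or the linked repository, the following applies the exclusion approach from these scenarios to the Level hunt: documented command-line fragments and sanctioned administrative hosts are kept in named lists so the exclusions stay reviewable, and the summary keeps the account, parent process, command line and hash an analyst needs to triage a hit. The list contents are hypothetical placeholders to be replaced with what is documented in your environment.

```kql
// Added tuning example, not part of the original hunting query.
// Placeholder allow-lists (hypothetical values): replace with fragments of
// documented maintenance jobs and the names of sanctioned admin hosts.
let Time_start = now(-5d);
let Time_end = now();
let KnownCmdFragments = dynamic(["Invoke-PatchBaseline.ps1", "/quiet /norestart"]);
let SanctionedAdminHosts = dynamic(["ADMIN-JUMP01"]);
DeviceProcessEvents
| where Timestamp between (Time_start..Time_end)
| where FileName startswith "level"
    and FolderPath has_any (
        @'\Program Files\Level\',
        @'\Program Files (x86)\Level\'
    )
    and isempty(ProcessVersionInfoCompanyName)
    and isempty(ProcessVersionInfoProductName)
// Exclusions from the scenarios above: documented job command lines and
// hosts where interactive administrative use of the agent is expected.
| where not(ProcessCommandLine has_any (KnownCmdFragments))
| where DeviceName !in~ (SanctionedAdminHosts)
// Keep triage context: who launched it, from which parent, which binary hash.
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Accounts=make_set(AccountName, 10),
    Parents=make_set(InitiatingProcessFileName, 10),
    CommandLines=make_set(ProcessCommandLine, 10),
    Hashes=make_set(SHA256, 5),
    Report=make_set(ReportId), Count=count()
    by DeviceId, DeviceName
| order by LastSeen desc
```

Keep the exclusion lists short and specific: a fragment such as a bare installer switch will also suppress an attacker who happens to use the same switch, so prefer full script names or paths, and review the lists whenever the maintenance jobs they describe change.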