Attackers may use Remote Monitoring and Management (RMM) tools to establish covert network connections for command and control or persistence. SOC teams should proactively hunt for this behaviour in Azure Sentinel to detect adversary use of RMM tools for C2 or long-term access. The query below is scoped to one product: it looks for a process whose file name has the term 'level' connecting to the level.io backend domains used by the Level agent. It will therefore also fire on sanctioned Level deployments; tune it by excluding devices where the agent is approved rather than by excluding the backend domains themselves, since that is exactly the traffic the hunt is meant to surface.
KQL Query
let Time_start = now(-5d);
let Time_end = now();
//
DeviceNetworkEvents
| where Timestamp between (Time_start..Time_end)
| where RemoteUrl has_any (
'agents.level.io',
'online.level.io',
'builds.level.io',
'downloads.level.io'
)
and InitiatingProcessFileName has 'level'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
RemoteUrl
id: 809456ed-b3ff-4699-a2fb-837b17555f6c
name: Remote Management and Monitoring tool - Level - Network Connection
description: |
  Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or to provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceNetworkEvents
  | where Timestamp between (Time_start..Time_end)
  | where RemoteUrl has_any (
      'agents.level.io',
      'online.level.io',
      'builds.level.io',
      'downloads.level.io'
    )
    and InitiatingProcessFileName has 'level'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
      RemoteUrl
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure the MicrosoftThreatProtection data connector that populates this table is enabled |
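As an added example (not part of the original page or of the RemoteManagementMonitoringTools repository), the same hunt logic written in Python and run over a few constructed DeviceNetworkEvents-style rows. It applies the 5-day window, the `has_any` domain filter and the `has 'level'` process filter, then summarizes by device and URL the way the KQL `summarize` does. It goes one step beyond the query by adding the tuning step the false-positive scenarios call for: an allowlist of DeviceIds where the Level agent is an approved deployment. `has_term`, `hunt_level_connections`, `REFERENCE_NOW` and the sample rows are all constructed here; the approximation of KQL `has` as a whole-term, case-insensitive match delimited by non-alphanumeric characters is an assumption, not Kusto's exact tokenizer.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Backend domains from the KQL query above.
LEVEL_DOMAINS = ("agents.level.io", "online.level.io", "builds.level.io", "downloads.level.io")

# Fixed "now" so the 5-day window is reproducible (constructed, stands in for KQL now()).
REFERENCE_NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)

# Constructed sample rows shaped like the DeviceNetworkEvents columns the query uses.
# These are made-up records for illustration, not real telemetry.
SAMPLE_EVENTS = [
    {"Timestamp": "2024-05-01T10:00:00Z", "DeviceId": "dev-001", "DeviceName": "ws-finance-01",
     "RemoteUrl": "agents.level.io", "InitiatingProcessFileName": "level.exe", "ReportId": 101},
    {"Timestamp": "2024-05-01T10:05:00Z", "DeviceId": "dev-001", "DeviceName": "ws-finance-01",
     "RemoteUrl": "online.level.io", "InitiatingProcessFileName": "level.exe", "ReportId": 102},
    {"Timestamp": "2024-05-01T10:10:00Z", "DeviceId": "dev-001", "DeviceName": "ws-finance-01",
     "RemoteUrl": "agents.level.io", "InitiatingProcessFileName": "level.exe", "ReportId": 103},
    {"Timestamp": "2024-05-02T08:30:00Z", "DeviceId": "dev-002", "DeviceName": "srv-it-mgmt",
     "RemoteUrl": "downloads.level.io", "InitiatingProcessFileName": "level-windows-amd64.exe", "ReportId": 201},
    # A browser visiting the vendor site: the process filter should drop this row.
    {"Timestamp": "2024-05-02T09:00:00Z", "DeviceId": "dev-003", "DeviceName": "ws-hr-07",
     "RemoteUrl": "builds.level.io", "InitiatingProcessFileName": "chrome.exe", "ReportId": 301},
    # Older than the 5-day lookback: the time filter should drop this row.
    {"Timestamp": "2024-04-20T09:00:00Z", "DeviceId": "dev-004", "DeviceName": "ws-old-03",
     "RemoteUrl": "agents.level.io", "InitiatingProcessFileName": "level.exe", "ReportId": 401},
    # Unrelated traffic.
    {"Timestamp": "2024-05-02T11:00:00Z", "DeviceId": "dev-005", "DeviceName": "ws-sales-02",
     "RemoteUrl": "updates.microsoft.com", "InitiatingProcessFileName": "svchost.exe", "ReportId": 501},
]


def has_term(value, term):
    """Approximate KQL `has`: case-insensitive whole-term match.

    Assumption: a term boundary is any non-alphanumeric character, so 'level.exe'
    and 'level-windows-amd64.exe' match 'level' but 'leveldb.exe' does not.
    """
    pattern = r"(?<![A-Za-z0-9])" + re.escape(term) + r"(?![A-Za-z0-9])"
    return re.search(pattern, value, re.IGNORECASE) is not None


def hunt_level_connections(events, now, lookback_days=5, sanctioned_devices=frozenset()):
    """Mirror the KQL query: time window, RemoteUrl has_any(domains),
    InitiatingProcessFileName has 'level', then summarize by DeviceId, DeviceName, RemoteUrl.

    `sanctioned_devices` is the tuning step: DeviceIds where the Level agent is an
    approved RMM deployment are dropped so only unexpected agents are surfaced.
    """
    time_start = now - timedelta(days=lookback_days)
    groups = defaultdict(list)
    for ev in events:
        ts = datetime.strptime(ev["Timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if not (time_start <= ts <= now):
            continue
        if not any(has_term(ev["RemoteUrl"], domain) for domain in LEVEL_DOMAINS):
            continue
        if not has_term(ev["InitiatingProcessFileName"], "level"):
            continue
        if ev["DeviceId"] in sanctioned_devices:
            continue
        key = (ev["DeviceId"], ev["DeviceName"], ev["RemoteUrl"])
        groups[key].append((ts, ev["ReportId"]))

    results = []
    for (device_id, device_name, url), rows in sorted(groups.items()):
        stamps = [ts for ts, _ in rows]
        results.append({
            "DeviceId": device_id,
            "DeviceName": device_name,
            "RemoteUrl": url,
            "FirstSeen": min(stamps),
            "LastSeen": max(stamps),
            "Report": sorted({report_id for _, report_id in rows}),   # make_set(ReportId)
            "Count": len(rows),
        })
    return results


if __name__ == "__main__":
    for row in hunt_level_connections(SAMPLE_EVENTS, REFERENCE_NOW):
        print(row)
    print("after allowlisting srv-it-mgmt (dev-002):")
    for row in hunt_level_connections(SAMPLE_EVENTS, REFERENCE_NOW, sanctioned_devices={"dev-002"}):
        print(row)
```

Note the difference between `has` and `contains` the helper makes visible: a hypothetical `leveldb.exe` would not match `has 'level'`, which is the intended behaviour of the query (whole-term match), but a renamed agent such as `lvl.exe` would not match either, so the domain filter is the part of the query that carries the detection.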
Scenario: Scheduled System Maintenance via RMM Tool
Description: An admin uses a Remote Monitoring and Management (RMM) tool like Kaseya VSA or BMC BladeLogic to run a scheduled system maintenance task that establishes a network connection to a remote server for patching or updates.
Filter/Exclusion: Exclude connections to known update servers or IP ranges used by the RMM tool’s backend services.
Scenario: Remote PowerShell Script Execution for Patching
Description: An IT admin uses Microsoft SCCM or Microsoft Intune to execute a PowerShell script remotely on endpoints to apply security patches, which may trigger a network connection to a domain controller or update server.
Filter/Exclusion: Exclude connections to domain controllers or known patch servers based on IP or FQDN.
Scenario: Remote Desktop Protocol (RDP) Session from RMM Tool
Description: An admin uses an RMM tool like ManageEngine ServiceDesk or SolarWinds RMM to initiate an RDP session to a remote endpoint for troubleshooting, which may result in a network connection to the target machine.
Filter/Exclusion: Exclude RDP connections (e.g., TCP 3389) that originate from the RMM tool's known IP ranges.
Scenario: Automated Backup Job via RMM Tool
Description: A backup job initiated via an RMM tool like Sentry PCS or Sparx ITSM transfers data to a backup server, which shows up as a network connection from the endpoint to that server.
Filter/Exclusion: Exclude connections to known backup servers or IP ranges used by the RMM tool’s backup infrastructure.
Scenario: Remote Monitoring of Network Traffic via RMM Tool
Description: An admin uses an RMM