This hunting query identifies processes whose file version information names MeshCentral, an open-source remote management tool, running on monitored endpoints. A MeshCentral agent on a device where IT never deployed one is a candidate for adversary persistence or command and control over a legitimate Remote Access Software channel (MITRE ATT&CK T1219). SOC teams should proactively hunt for this behaviour in Microsoft Sentinel (formerly Azure Sentinel) rather than wait for an alert: RMM binaries are usually signed and their traffic looks like ordinary administration, so they rarely trip a generic detection.
KQL Query

```kusto
let Time_start = now(-5d);
let Time_end = now();
//
DeviceProcessEvents
| where Timestamp between (Time_start..Time_end)
// Match on the version-info product name rather than the file name, so a renamed agent binary is still caught
| where ProcessVersionInfoProductName has 'meshcentral'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
```
```yaml
id: 7306e156-49a7-4ff6-9d8f-d6e6d531e426
name: Remote Management and Monitoring tool - MeshCentral - Create Process
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist on hosts or to provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceProcessEvents
  | where Timestamp between (Time_start..Time_end)
  | where ProcessVersionInfoProductName has 'meshcentral'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Populated by the MicrosoftThreatProtection (Microsoft Defender XDR) data connector; ensure it is enabled and that DeviceProcessEvents is among the selected data types |
The exclusions below are written against the DeviceProcessEvents columns the query runs on (FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine) rather than ECS-style names such as process.parent.name, which do not exist in that table. Three general cautions apply. First, the MeshCentral agent executable is normally MeshAgent.exe, so a filter keyed on a file name of "meshcentral.exe" is unlikely to match anything; key on ProcessVersionInfoProductName as the query does. Second, the command-line markers used here (generateReport, applyPatch, monitorSystem, syncAD) are placeholders for whatever arguments your own automation passes, not options MeshCentral itself defines; substitute the real script or argument before deploying the exclusion. Third, each exclusion requires the marker AND the expected parent together, with explicit parentheses: a flat "A AND B OR C" is evaluated as "(A AND B) OR C", and excluding on the parent alone would suppress exactly the launch paths (scheduled tasks, explorer.exe) that adversaries use for persistence.

Scenario: IT Admin Deploys MeshCentral for Remote Access
Description: An IT administrator installs the MeshCentral agent through a PowerShell deployment script so that endpoints can be reached for troubleshooting.
Filter/Exclusion: `| where not (InitiatingProcessFileName =~ "powershell.exe" and InitiatingProcessCommandLine has "New-Item")`
Caveat: Any interactive PowerShell session can contain New-Item. Tie the exclusion to the deployment script's path or the deploying account where possible.

Scenario: Scheduled Job to Generate Reports via MeshCentral
Description: A scheduled task runs a script that uses MeshCentral to generate system reports for compliance.
Filter/Exclusion: `| where not (ProcessCommandLine has "generateReport" and (InitiatingProcessFileName =~ "taskeng.exe" or (InitiatingProcessFileName =~ "svchost.exe" and InitiatingProcessCommandLine has "Schedule")))`
Caveat: taskeng.exe only exists up to Windows 8.1 / Server 2012 R2. On current Windows the parent of a scheduled task is svchost.exe hosting the Schedule service, so check the parent command line rather than the file name alone. A scheduled task is also a common persistence mechanism, so never exclude on the scheduler parent without the command-line marker.

Scenario: MeshCentral Used for Patch Management
Description: IT uses MeshCentral to push patches to endpoints during a maintenance window.
Filter/Exclusion: `| where not (ProcessCommandLine has "applyPatch" and InitiatingProcessFileName =~ "msiexec.exe")`
Caveat: If maintenance windows are fixed, add a Timestamp condition so the exclusion only applies during them.

Scenario: Admin Uses MeshCentral to Monitor System Health
Description: An admin uses MeshCentral to monitor system performance and collect metrics.
Filter/Exclusion: `| where not (ProcessCommandLine has "monitorSystem" and InitiatingProcessFileName =~ "explorer.exe")`
Caveat: An explorer.exe parent means an interactive user launched the binary, which is also how a user double-clicking a dropped agent looks. Never exclude on explorer.exe parentage alone.

Scenario: MeshCentral Integration with Active Directory for User Management
Description: MeshCentral's Active Directory/LDAP integration is configured on the MeshCentral server and authenticates console users there; it does not cause the endpoint agent to be spawned by lsass.exe.
Filter/Exclusion: None on the agent side. lsass.exe does not normally create child processes, so an agent with `InitiatingProcessFileName == "lsass.exe"` is a finding to escalate, not a case to exclude. If the MeshCentral server itself runs on a monitored Windows host, scope that device out by name (for example `| where DeviceName !~ "<your MeshCentral server>"`, with the placeholder replaced) rather than by parent process.
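Putting the base query and the tuning notes together, here is an expanded version of the hunt. It is an added example and is not part of the original rule or the RemoteManagementMonitoringTools repository. Two things are assumptions to adjust for your environment: the sanctioned install folder (the default MeshCentral agent location is assumed) and the 30-day baseline window used to learn which devices already ran the agent.

```kusto
// Added example (not part of the original rule). Placeholders / assumptions:
//   SanctionedPath  - install folder of the IT-deployed agent (default MeshCentral location assumed)
//   Baseline_start  - 30-day window used to learn which devices already ran the agent
let Time_start = now(-5d);
let Time_end = now();
let Baseline_start = now(-30d);
let SanctionedPath = @"C:\Program Files\Mesh Agent";
// Devices on which the agent was already seen during the baseline window.
// coalesce() keeps the set usable when the baseline returns no rows.
let KnownDevices = coalesce(toscalar(
    DeviceProcessEvents
    | where Timestamp between (Baseline_start .. Time_start)
    | where ProcessVersionInfoProductName has 'meshcentral' or FileName startswith 'meshagent'
    | summarize make_set(DeviceId, 100000)), dynamic([]));
DeviceProcessEvents
| where Timestamp between (Time_start .. Time_end)
// Version info catches a renamed binary; the file name catches one with stripped version info
| where ProcessVersionInfoProductName has 'meshcentral' or FileName startswith 'meshagent'
// Exclude only the sanctioned deployment: known install path AND started as a Windows service.
// not() wraps the whole conjunction so the exclusion fires only when both conditions hold.
| where not (FolderPath startswith SanctionedPath and InitiatingProcessFileName =~ 'services.exe')
// Flag devices that never ran the agent in the baseline window
| extend NewDevice = not(set_has_element(KnownDevices, DeviceId))
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp), Count=count(),
    Paths=make_set(FolderPath, 10), Parents=make_set(InitiatingProcessFileName, 10),
    CommandLines=make_set(ProcessCommandLine, 10), Accounts=make_set(AccountName, 10),
    Report=make_set(ReportId, 100)
    by DeviceId, DeviceName, NewDevice
// Devices with no prior history float to the top of the triage list
| order by NewDevice desc, FirstSeen asc
```

The extra columns (install path, parent process, command line, account) are what an analyst needs to decide in one pass whether a hit is the IT deployment or an agent dropped into a user-writable folder and launched from explorer.exe or a scheduled task. The NewDevice flag is the cheapest signal available from DeviceProcessEvents alone; if you also collect DeviceNetworkEvents, the next step is to join on the agent's outbound connection and compare the destination with your own MeshCentral server.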