The hypothesis is that an adversary is using MeshCentral as a remote management tool to establish covert network connections for command and control activities. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect potential C2 channels and mitigate persistent threats leveraging RMM tools.
KQL Query
```kql
let Time_start = now(-5d);
let Time_end = now();
//
DeviceNetworkEvents
| where Timestamp between (Time_start..Time_end)
| where RemoteUrl has 'meshcentral.com'
    and InitiatingProcessVersionInfoCompanyName has 'meshcentral'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
    RemoteUrl
```
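To see exactly which rows the query keeps and what the summarize produces, here is a Python rendering of the same logic run over constructed DeviceNetworkEvents records. This is an added illustration, not part of the original hunt; the sample rows, device names and ReportIds are made up, and KQL `has` is approximated by a case-insensitive term match.

```python
from datetime import datetime, timedelta

def row(ts, device_id, device_name, company, report_id, url="meshcentral.com"):
    """Build one record shaped like the DeviceNetworkEvents columns the query uses."""
    return {"Timestamp": ts, "DeviceId": device_id, "DeviceName": device_name,
            "RemoteUrl": url, "InitiatingProcessVersionInfoCompanyName": company,
            "ReportId": report_id}

# Constructed sample telemetry (made-up values, not real data).
DEMO_NOW = datetime(2024, 5, 3, 12, 0)
EVENTS = [
    row(datetime(2024, 5, 1, 9, 0), "dev-01", "ws-finance-07", "MeshCentral", 101),
    row(datetime(2024, 5, 2, 14, 30), "dev-01", "ws-finance-07", "MeshCentral", 102),
    # Same URL, but the initiating process is not attributed to MeshCentral: dropped by the AND.
    row(datetime(2024, 5, 2, 15, 0), "dev-02", "srv-web-01", "Microsoft Corporation", 103),
    # Matches both filters but falls outside the 5-day window: dropped by the time filter.
    row(datetime(2024, 4, 10, 8, 0), "dev-03", "ws-hr-02", "MeshCentral", 104),
]

def has_term(value, term):
    """Approximates KQL `has` as a case-insensitive term match (sufficient for this demo)."""
    return term.lower() in (value or "").lower()

def hunt_meshcentral(events, now=None, lookback_days=5):
    """Python rendering of the page's KQL: time window, both `has` filters, then summarize."""
    now = now or datetime.now()
    time_start = now - timedelta(days=lookback_days)
    groups = {}
    for e in events:
        if not (time_start <= e["Timestamp"] <= now):
            continue
        if not (has_term(e["RemoteUrl"], "meshcentral.com")
                and has_term(e["InitiatingProcessVersionInfoCompanyName"], "meshcentral")):
            continue
        key = (e["DeviceId"], e["DeviceName"], e["RemoteUrl"])
        g = groups.setdefault(key, {"FirstSeen": e["Timestamp"], "LastSeen": e["Timestamp"],
                                    "Report": set(), "Count": 0})
        g["FirstSeen"] = min(g["FirstSeen"], e["Timestamp"])
        g["LastSeen"] = max(g["LastSeen"], e["Timestamp"])
        g["Report"].add(e["ReportId"])   # make_set(ReportId)
        g["Count"] += 1                  # count()
    return [{"DeviceId": k[0], "DeviceName": k[1], "RemoteUrl": k[2], **v}
            for k, v in groups.items()]

if __name__ == "__main__":
    for r in hunt_meshcentral(EVENTS, DEMO_NOW):
        print(r)
```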
```yaml
id: fd366644-9bb6-4c00-870c-526ba9186270
name: Remote Management and Monitoring tool - MeshCentral - Network Connection
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceNetworkEvents
  | where Timestamp between (Time_start..Time_end)
  | where RemoteUrl has 'meshcentral.com'
      and InitiatingProcessVersionInfoCompanyName has 'meshcentral'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
      RemoteUrl
```
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Legitimate scheduled maintenance using MeshCentral | An admin schedules a routine system check or patching task through MeshCentral, which triggers network connection activity. | `process.name != "meshcentral.exe" OR process.parent.name != "meshcentral.exe" OR event_id != 1006` (if applicable) |
| Remote desktop session initiated via MeshCentral | A system administrator uses MeshCentral to remotely access a server for troubleshooting, which results in a network connection. | `process.name != "meshcentral.exe" OR user.name != "admin" OR destination_ip != "internal_network_range"` |
| MeshCentral used for internal asset inventory | IT staff uses MeshCentral to collect hardware and software inventory data from endpoints, which generates network connection logs. | `process.name != "meshcentral.exe" OR event_id != 1006 OR destination_port != 443` (if inventory traffic uses a different port) |
| MeshCentral integration with Microsoft Intune | MeshCentral is configured to sync device compliance data with Microsoft Intune, causing periodic network connections. | `process.name != "meshcentral.exe" OR destination_ip != "intune.management.endpoint" OR event_id != 1006` |
| Admin uses MeshCentral to monitor network traffic | A network administrator uses MeshCentral to monitor and analyze internal network traffic for troubleshooting purposes. | `process.name != "meshcentral.exe" OR user.name != "network_admin" OR destination_port != 80/443` (if monitoring traffic uses a different port) |