This hunt looks for network connections to mremoteng.org initiated by a process whose version info names mRemoteNG as the company, i.e. the mRemoteNG remote-connection manager itself contacting its project domain. On a device where no administrator is expected to run the tool, that is a lead worth following: adversaries abuse remote management tools of this kind to establish a C2 channel or maintain persistence (MITRE ATT&CK T1219). SOC teams should proactively hunt for this behavior in Microsoft Sentinel (formerly Azure Sentinel) and treat hits as a prompt to check who installed and is running the tool, not as proof of C2 on their own.
KQL Query

```kql
let Time_start = now(-5d);
let Time_end = now();
//
DeviceNetworkEvents
| where Timestamp between (Time_start..Time_end)
| where RemoteUrl has 'mremoteng.org'
    and InitiatingProcessVersionInfoCompanyName has 'mRemoteNG'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
    RemoteUrl
```
Hunting query definition (Sentinel YAML):

```yaml
id: b4bae4af-5fe3-4217-bef0-c7ac5d51f3d1
name: Remote Management and Monitoring tool - mRemoteNG - Network Connection
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceNetworkEvents
  | where Timestamp between (Time_start..Time_end)
  | where RemoteUrl has 'mremoteng.org'
      and InitiatingProcessVersionInfoCompanyName has 'mRemoteNG'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
      RemoteUrl
```
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure the MicrosoftThreatProtection data connector is enabled and streaming this table |
Expected false positives and tuning. The query as written groups only by device and URL; to exclude by user, add `InitiatingProcessAccountName` (a standard DeviceNetworkEvents column) to the `where` clause or to the `summarize` key. Keep account-based exclusions narrow, since an allowlisted admin account is exactly what an attacker would prefer to operate from.

- **Scenario: Legitimate scheduled maintenance using mRemoteNG**
  - Description: An admin uses mRemoteNG for regular maintenance of remote servers, which produces periodic network connections.
  - Filter/Exclusion: Exclude connections that coincide with known maintenance scripts or jobs (e.g., maintenance_script.bat or daily_check.sh).
- **Scenario: Admin using mRemoteNG to manage multiple endpoints**
  - Description: A system administrator uses mRemoteNG to connect to many endpoints during a routine update or patching window.
  - Filter/Exclusion: Exclude connections from known admin accounts (e.g., [email protected]) during the agreed maintenance window (e.g., 8:00 AM - 5:00 PM, Monday-Friday); connections from those accounts outside the window should still surface.
- **Scenario: mRemoteNG used for remote desktop access**
  - Description: An employee uses mRemoteNG to open a remote desktop session for troubleshooting or support, which triggers the network connection hit.
  - Filter/Exclusion: Exclude connections from known support or helpdesk accounts (e.g., [email protected]) to specific, documented remote desktop hosts.
- **Scenario: mRemoteNG used for configuration management**
  - Description: A DevOps team uses mRemoteNG to push configuration changes to multiple servers via a script, which results in multiple outbound connections.
  - Filter/Exclusion: Exclude connections from known DevOps tools or scripts (e.g., config_push.sh) executed during CI/CD pipeline runs.
- **Scenario: mRemoteNG used for monitoring system health**
  - Description: A monitoring tool invokes mRemoteNG to check the health of remote endpoints, resulting in periodic network connections.
  - Filter/Exclusion: Exclude connections from known monitoring tools (e.g., health_check.exe) or services (e.g., monitoring_service) running on known IP ranges or hostnames.
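The following is an added example, not part of the original hunting query or the RemoteManagementMonitoringTools repository. It re-implements the KQL logic above in Python over a handful of constructed rows shaped like DeviceNetworkEvents (the rows, account names and device names are made up), so the filter, the `summarize` aggregation and the "known admin account inside the maintenance window" exclusion from the tuning scenarios can be traced offline. The `InitiatingProcessAccountName` column is real; its use as an allowlist key is the assumption this example adds. KQL `has` is a term match; a case-insensitive substring test stands in for it here.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample rows modelled on DeviceNetworkEvents columns (not real telemetry).
SAMPLE_EVENTS = [
    # routine admin use on a Monday at 09:15 from an allowlisted account
    {"Timestamp": "2024-05-06T09:15:00Z", "DeviceId": "dev-001", "DeviceName": "ws-admin01",
     "RemoteUrl": "https://mremoteng.org/", "InitiatingProcessVersionInfoCompanyName": "mRemoteNG",
     "InitiatingProcessAccountName": "itadmin", "ReportId": 101},
    # same account on a Saturday at 02:40: outside the maintenance window, must still surface
    {"Timestamp": "2024-05-04T02:40:00Z", "DeviceId": "dev-001", "DeviceName": "ws-admin01",
     "RemoteUrl": "https://mremoteng.org/", "InitiatingProcessVersionInfoCompanyName": "mRemoteNG",
     "InitiatingProcessAccountName": "itadmin", "ReportId": 102},
    # non-admin account on a finance workstation, two connections to aggregate into one row
    {"Timestamp": "2024-05-07T13:05:00Z", "DeviceId": "dev-042", "DeviceName": "ws-fin07",
     "RemoteUrl": "https://mremoteng.org/", "InitiatingProcessVersionInfoCompanyName": "mRemoteNG",
     "InitiatingProcessAccountName": "jdoe", "ReportId": 201},
    {"Timestamp": "2024-05-07T13:06:00Z", "DeviceId": "dev-042", "DeviceName": "ws-fin07",
     "RemoteUrl": "https://mremoteng.org/", "InitiatingProcessVersionInfoCompanyName": "mRemoteNG",
     "InitiatingProcessAccountName": "jdoe", "ReportId": 202},
    # a browser visiting the site: dropped by the company-name filter
    {"Timestamp": "2024-05-07T10:00:00Z", "DeviceId": "dev-042", "DeviceName": "ws-fin07",
     "RemoteUrl": "https://mremoteng.org/", "InitiatingProcessVersionInfoCompanyName": "Google LLC",
     "InitiatingProcessAccountName": "jdoe", "ReportId": 203},
    # older than the 5-day lookback: dropped by the time filter
    {"Timestamp": "2024-04-20T10:00:00Z", "DeviceId": "dev-099", "DeviceName": "ws-old",
     "RemoteUrl": "https://mremoteng.org/", "InitiatingProcessVersionInfoCompanyName": "mRemoteNG",
     "InitiatingProcessAccountName": "jdoe", "ReportId": 301},
]

# Fixed "now" so the example is deterministic (the KQL uses now()).
NOW = datetime(2024, 5, 8, 12, 0, tzinfo=timezone.utc)


def parse_ts(s):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def in_business_hours(ts, start_hour=8, end_hour=17):
    """Mon-Fri, start_hour <= hour < end_hour: the maintenance window from the tuning scenario."""
    return ts.weekday() < 5 and start_hour <= ts.hour < end_hour


def hunt(events, now=NOW, lookback_days=5, allowlisted_accounts=frozenset()):
    """Emulate the KQL: time window, URL/company filters, optional account+window exclusion,
    then summarize FirstSeen/LastSeen/Report/Count by DeviceId, DeviceName, RemoteUrl."""
    start = now - timedelta(days=lookback_days)
    groups = defaultdict(list)
    for e in events:
        ts = parse_ts(e["Timestamp"])
        if not (start <= ts <= now):                      # Timestamp between (Time_start..Time_end)
            continue
        if "mremoteng.org" not in e["RemoteUrl"].lower():  # RemoteUrl has 'mremoteng.org'
            continue
        if "mremoteng" not in e["InitiatingProcessVersionInfoCompanyName"].lower():
            continue
        # Tuning (hypothetical allowlist): known admin account inside the maintenance window
        if e["InitiatingProcessAccountName"] in allowlisted_accounts and in_business_hours(ts):
            continue
        key = (e["DeviceId"], e["DeviceName"], e["RemoteUrl"])
        groups[key].append((ts, e["ReportId"]))
    results = []
    for (dev_id, dev_name, url), rows in groups.items():
        times = [t for t, _ in rows]
        results.append({
            "DeviceId": dev_id, "DeviceName": dev_name, "RemoteUrl": url,
            "FirstSeen": min(times), "LastSeen": max(times),
            "Report": sorted({r for _, r in rows}),       # make_set(ReportId)
            "Count": len(rows),                            # count()
        })
    return sorted(results, key=lambda r: r["DeviceId"])


if __name__ == "__main__":
    for row in hunt(SAMPLE_EVENTS, allowlisted_accounts={"itadmin"}):
        print(row)
```

With the allowlist applied, the admin's Monday-morning connection is suppressed but the Saturday 02:40 connection from the same account remains, and the two finance-workstation connections collapse into a single row with Count 2, which is the shape the KQL `summarize` produces in Sentinel.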