A threat hunter should investigate processes created by N-able tools, because an adversary who already holds credentials can use a legitimate remote management agent for persistence or as a command-and-control channel without dropping custom malware. Proactively hunting for this activity in Azure Sentinel helps identify compromise of endpoint systems through abuse of legitimate IT management tools. Note that the query below keys on the process's version-info company name, so it will also return the vendor's own agent on hosts where it is sanctioned; the value lies in finding devices where the tool was never deployed by IT, or where it appears far outside its normal population.
KQL Query

```kusto
let Time_start = now(-5d);
let Time_end = now();
//
DeviceProcessEvents
| where Timestamp between (Time_start..Time_end)
| where ProcessVersionInfoCompanyName has_any (
    'N-Able',
    'SolarWinds MSP',
    'Remote Monitoring',
    'LogicNow Ltd'
)
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
```
```yaml
id: 16adb026-28ae-4b2e-b1b9-bd53f337eb29
name: Remote Management and Monitoring tool - NAble - Create Process
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceProcessEvents
  | where Timestamp between (Time_start..Time_end)
  | where ProcessVersionInfoCompanyName has_any (
      'N-Able',
      'SolarWinds MSP',
      'Remote Monitoring',
      'LogicNow Ltd'
  )
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Populated by the MicrosoftThreatProtection (Microsoft 365 Defender) data connector; ensure that connector is enabled and that the table is receiving recent events before relying on the hunt |
Scenario: Scheduled Job for System Maintenance
Description: A legitimate scheduled job runs a process associated with the RMM tool (e.g., NableAgent.exe) to perform system updates or maintenance tasks.
Filter/Exclusion: Match on the agent launching its own vendor-signed components, i.e. both ProcessVersionInfoCompanyName and InitiatingProcessVersionInfoCompanyName carry the vendor name. A parent name such as "Task Scheduler" does not appear in DeviceProcessEvents, and a command line containing "scheduled task" is attacker-controllable, so neither is a safe exclusion key.
Scenario: Admin Task to Deploy Configuration Changes
Description: An administrator uses the RMM tool to push configuration changes to multiple endpoints, which triggers the process creation.
Filter/Exclusion: Allow-list specific, named operator accounts (AccountName or InitiatingProcessAccountName) rather than excluding on privileged group membership or a "deploy config" string; an adversary using stolen domain-admin credentials would pass an exclusion such as process.user == "Domain Admin" just as easily.
Scenario: Remote PowerShell Script Execution
Description: A system administrator uses the RMM tool to execute a remote PowerShell script for patch management, which creates a process associated with the tool.
Filter/Exclusion: Do not exclude every powershell.exe whose parent is the agent (InitiatingProcessFileName == "NableAgent.exe"); an RMM agent spawning an interpreter is exactly the T1219 abuse pattern this hunt exists to find. Instead review ProcessCommandLine and allow-list known script paths, keeping encoded commands and download cradles in scope.
Scenario: Endpoint Backup Process
Description: The RMM tool is used to initiate a backup process on remote endpoints, which involves creating a process related to the tool.
Filter/Exclusion: Scope the exclusion to the backup component's own vendor-signed binaries (e.g., InitiatingProcessFileName == "NableBackupService.exe" launching a vendor-signed child), not to any command line containing the word "backup".
Scenario: Agent Communication with Management Server
Description: The RMM agent periodically checks in with the management server. This is network activity and is recorded in DeviceNetworkEvents, not DeviceProcessEvents; it only produces process-creation events if the check-in spawns helper processes.
Filter/Exclusion: Nothing to exclude in this query. Helper processes spawned during check-in fall under the scheduled-maintenance exclusion above; a command-line string such as "connect to server" is not a reliable marker.
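The scenarios above describe tuning ideas in a generic field syntax. The following is an added example, not the query from the page's GitHub repository, showing how those exclusions look against the real DeviceProcessEvents columns while keeping agent-spawned interpreters (the actual T1219 concern) in scope. The vendor strings are the page's own; NableAgent.exe and NableBackupService.exe are the page's illustrative agent names; the operator account `svc_rmm`, the script folder, and the interpreter list are hypothetical placeholders to replace with your environment's values.

```kusto
// Added tuning example, not the page's original hunt.
// Column names are the DeviceProcessEvents schema; the agent binaries, the
// operator account, the script folder and the interpreter list are placeholders.
let Time_start = now(-5d);
let Time_end = now();
let RmmVendors = dynamic(["N-Able", "SolarWinds MSP", "Remote Monitoring", "LogicNow Ltd"]);
let RmmAgentBinaries = dynamic(["NableAgent.exe", "NableBackupService.exe"]);   // illustrative names from the page
let KnownRmmOperators = dynamic(["svc_rmm"]);                                   // hypothetical allow-listed operator
let KnownScriptFolder = @"C:\ProgramData\RMMScripts\";                           // hypothetical sanctioned script path
let Interpreters = dynamic(["powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"]);
DeviceProcessEvents
| where Timestamp between (Time_start .. Time_end)
// Original hunt (vendor-signed process) plus any child the agent spawns,
// which is where an abused RMM tool actually shows its C2 behaviour.
| where ProcessVersionInfoCompanyName has_any (RmmVendors)
     or InitiatingProcessVersionInfoCompanyName has_any (RmmVendors)
     or InitiatingProcessFileName in~ (RmmAgentBinaries)
| extend AgentIsParent = InitiatingProcessVersionInfoCompanyName has_any (RmmVendors)
                      or InitiatingProcessFileName in~ (RmmAgentBinaries)
| extend Category = case(
    // Scheduled maintenance / backup: the agent launching its own vendor-signed components.
    AgentIsParent and ProcessVersionInfoCompanyName has_any (RmmVendors), "AgentHousekeeping",
    // Remote script execution by a known operator from the sanctioned folder: kept, but labelled.
    AgentIsParent and FileName =~ "powershell.exe"
        and ProcessCommandLine contains KnownScriptFolder
        and AccountName in~ (KnownRmmOperators), "SanctionedScript",
    // Agent spawning an interpreter under any other circumstances is the interesting case.
    AgentIsParent and FileName in~ (Interpreters), "AgentSpawnedInterpreter",
    AgentIsParent, "AgentSpawnedOther",
    "VendorBinaryOtherParent")
// Only the agent's own housekeeping is dropped; every other category stays visible.
| where Category != "AgentHousekeeping"
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Count = count(),
            Categories = make_set(Category),
            Accounts = make_set(AccountName, 10),
            Parents = make_set(InitiatingProcessFileName, 10),
            Children = make_set(FileName, 20),
            CommandLines = make_set(ProcessCommandLine, 10),
            Report = make_set(ReportId, 50)
    by DeviceId, DeviceName
// Rank hosts where the agent ran an interpreter ahead of plain vendor-binary hits.
| extend Priority = iff(set_has_element(Categories, "AgentSpawnedInterpreter"), 1, 2)
| order by Priority asc, Count desc
```

The exclusion is applied after classification so that the decision is visible in the result set: an analyst can see which category a device's events fell into and widen or narrow the allow-list without re-deriving the logic. Excluding on the agent as parent, or on an account's group membership, is deliberately avoided because both are exactly the conditions an adversary operating through a stolen RMM session would satisfy.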