An adversary is using the Naverisk tool to create malicious processes for persistence or command and control, leveraging its remote management capabilities. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate potential long-term persistence and C2 activities by threat actors exploiting RMM tools.
KQL Query

```kql
let Time_start = now(-5d);
let Time_end = now();
//
DeviceProcessEvents
| where Timestamp between (Time_start..Time_end)
| where ProcessVersionInfoCompanyName has_any (
    'naverisk',
    'NavMK1 Limited'
    )
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
```
```yaml
id: 3063ab0b-a34c-42f2-bcdd-8c5974cc47fd
name: Remote Management and Monitoring tool - Naverisk - Create Process
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics: CommandAndControl
relevantTechniques: T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceProcessEvents
  | where Timestamp between (Time_start..Time_end)
  | where ProcessVersionInfoCompanyName has_any (
      'naverisk',
      'NavMK1 Limited'
      )
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: Scheduled Job Execution by Naverisk RMM Tool
Description: A legitimate scheduled job is run by the Naverisk RMM tool to perform routine system maintenance or patching.
Filter/Exclusion: process.parent_process_name == "Naverisk RMM Service" or process.name == "NaveriskJobScheduler.exe"
Scenario: Remote System Monitoring via Naverisk RMM
Description: The Naverisk RMM tool is used to monitor system performance and create processes as part of its monitoring functionality.
Filter/Exclusion: process.name == "NaveriskMonitor.exe" or process.parent_process_name == "Naverisk RMM Agent"
Scenario: Admin Task to Deploy Configuration via Naverisk
Description: An IT admin uses the Naverisk RMM tool to deploy configuration changes across multiple endpoints, which may involve creating new processes.
Filter/Exclusion: process.name == "NaveriskConfigDeployer.exe" or process.parent_process_name == "Naverisk RMM Console"
Scenario: Endpoint Inventory Scan via Naverisk RMM
Description: The Naverisk RMM tool is performing an endpoint inventory scan, which may involve creating temporary processes to gather system information.
Filter/Exclusion: process.name == "NaveriskInventoryScanner.exe" or process.parent_process_name == "Naverisk RMM Agent"
Scenario: Remote Software Installation via Naverisk RMM
Description: The Naverisk RMM tool is used to remotely install software updates or patches, which may trigger process creation as part of the installation process.
Filter/Exclusion: process.name == "NaveriskInstaller.exe" or process.parent_process_name == "Naverisk RMM Service"
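The following Python is an added example (not part of the original rule or the Naverisk project) that replays the page's query logic and the exclusion scenarios above over constructed DeviceProcessEvents rows, so the tuning effect can be checked offline. It approximates KQL `has_any` as a case-insensitive whole-term match and, as an assumption, maps the scenarios' `process.name` field onto the MDE `FileName` column.

```python
import re
from datetime import datetime, timedelta, timezone

# Terms from the page's has_any() clause.
COMPANY_TERMS = ("naverisk", "NavMK1 Limited")

# Constructed sample rows carrying a subset of DeviceProcessEvents columns.
NOW = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"Timestamp": NOW - timedelta(days=1), "DeviceId": "d1", "DeviceName": "ws01",
     "ReportId": 101, "ProcessVersionInfoCompanyName": "Naverisk Limited", "FileName": "cmd.exe"},
    {"Timestamp": NOW - timedelta(days=3), "DeviceId": "d1", "DeviceName": "ws01",
     "ReportId": 102, "ProcessVersionInfoCompanyName": "NAVMK1 LIMITED", "FileName": "powershell.exe"},
    {"Timestamp": NOW - timedelta(days=2), "DeviceId": "d2", "DeviceName": "srv02",
     "ReportId": 201, "ProcessVersionInfoCompanyName": "NavMK1 Limited", "FileName": "NaveriskJobScheduler.exe"},
    {"Timestamp": NOW - timedelta(days=9), "DeviceId": "d3", "DeviceName": "old03",  # outside 5-day window
     "ReportId": 301, "ProcessVersionInfoCompanyName": "Naverisk Limited", "FileName": "cmd.exe"},
    {"Timestamp": NOW - timedelta(days=1), "DeviceId": "d4", "DeviceName": "dev04",  # unrelated vendor
     "ReportId": 401, "ProcessVersionInfoCompanyName": "Microsoft Corporation", "FileName": "cmd.exe"},
]

def kql_has_any(value, terms):
    """Approximate KQL has_any: case-insensitive match of a whole term or phrase."""
    return any(re.search(r"\b" + re.escape(t) + r"\b", value or "", re.IGNORECASE) for t in terms)

def hunt_naverisk(events, now, lookback_days=5, excluded_files=frozenset()):
    """Mirror the page's query: time window, company-name filter, summarize per device.

    excluded_files holds FileName values from the false-positive scenarios (assumed
    mapping of the scenarios' process.name onto the MDE FileName column).
    """
    start = now - timedelta(days=lookback_days)
    excluded = {f.casefold() for f in excluded_files}
    results = {}
    for ev in events:
        if not (start <= ev["Timestamp"] <= now):
            continue
        if not kql_has_any(ev["ProcessVersionInfoCompanyName"], COMPANY_TERMS):
            continue
        if ev["FileName"].casefold() in excluded:
            continue
        key = (ev["DeviceId"], ev["DeviceName"])
        row = results.setdefault(key, {"FirstSeen": ev["Timestamp"], "LastSeen": ev["Timestamp"],
                                       "Report": set(), "Count": 0})
        row["FirstSeen"] = min(row["FirstSeen"], ev["Timestamp"])
        row["LastSeen"] = max(row["LastSeen"], ev["Timestamp"])
        row["Report"].add(ev["ReportId"])
        row["Count"] += 1
    return results

if __name__ == "__main__":
    for key, row in hunt_naverisk(SAMPLE_EVENTS, NOW, excluded_files={"NaveriskJobScheduler.exe"}).items():
        print(key, row)
```

Running the untuned query returns both ws01 and srv02; adding the scheduled-job exclusion drops srv02 while the two ws01 child processes are still surfaced for review.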