The hypothesis is that an adversary is using NetSupport, a Remote Management and Monitoring (RMM) tool, to establish persistence or a command-and-control channel by executing malicious processes through it. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect abuse of legitimate RMM tools by advanced threats.
KQL Query

```kql
// Hunt window: the last five days
let Time_start = now(-5d);
let Time_end = now();
//
DeviceProcessEvents
| where Timestamp between (Time_start..Time_end)
// Match on the company name in the process version info rather than the file name
| where ProcessVersionInfoCompanyName has 'netsupport'
// One row per device: first and last sighting, count, and the ReportIds for pivoting
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
```
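The hypothesis above has two halves: NetSupport being present, which the query covers, and NetSupport being used to execute other processes. The following query is an added example and is not part of the original hunting query or the linked repository. It looks at the child side instead: processes whose parent carries the NetSupport company name in its version info. It assumes the Defender `DeviceProcessEvents` columns `InitiatingProcessVersionInfoCompanyName`, `InitiatingProcessFileName`, `FileName`, `ProcessCommandLine` and `AccountName`; the list of interpreters and system binaries used to prioritise results is an assumption chosen for illustration.

```kql
// Added example, not the original query: children spawned by a NetSupport parent.
let Time_start = now(-5d);
let Time_end = now();
// Interpreters and system utilities a remote-support session rarely needs to launch (assumed list)
let noisy_children = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"]);
DeviceProcessEvents
| where Timestamp between (Time_start..Time_end)
// The parent, not the child, is the NetSupport binary
| where InitiatingProcessVersionInfoCompanyName has 'netsupport'
| extend ChildIsInterpreter = FileName in~ (noisy_children)
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Children=make_set(FileName),
    InterpreterChildren=make_set_if(FileName, ChildIsInterpreter),
    SampleCommandLines=make_set(ProcessCommandLine, 5),
    Accounts=make_set(AccountName),
    Count=count()
    by DeviceId, DeviceName, InitiatingProcessFileName
// Devices where NetSupport launched an interpreter sort to the top
| extend Priority = iff(array_length(InterpreterChildren) > 0, "High", "Review")
| order by Priority asc, Count desc
```

A remote-support technician taking control of a desktop will also spawn processes, so this is a triage ranking rather than a verdict: the `SampleCommandLines` and `Accounts` columns are there so the analyst can tell a support session from an operator running tooling through the RMM channel.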
```yaml
id: 54ce8c70-403e-4659-88f7-8bd63a10fdca
name: Remote Management and Monitoring tool - NetSupport - Create Process
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or to provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceProcessEvents
  | where Timestamp between (Time_start..Time_end)
  | where ProcessVersionInfoCompanyName has 'netsupport'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
False-positive scenarios and the exclusion suggested for each:

| Scenario | Description | Filter/Exclusion |
|---|---|---|
| IT Admin Launching NetSupport Agent via Scheduled Job | A system administrator schedules a task to install or update the NetSupport agent on multiple endpoints as part of a routine patching process. | `process.parent_process_name == "schtasks.exe"` or `process.command_line contains "schtasks"` |
| NetSupport Used for Remote Desktop Support Session | An IT support technician uses NetSupport to remotely assist an end user by taking control of their machine for troubleshooting. | `process.user_name contains "ITSupportUser"` or `process.command_line contains "RemoteSupport"` |
| NetSupport Agent Installation via Group Policy | The NetSupport agent is deployed via Group Policy to all endpoints in the domain as part of an enterprise endpoint management strategy. | `process.parent_process_name == "gpupdate.exe"` or `process.command_line contains "GroupPolicy"` |
| NetSupport Used for System Monitoring and Reporting | The NetSupport tool is configured to monitor system performance and generate reports, which is a common use case in enterprise environments. | `process.command_line contains "monitor"` or `process.command_line contains "report"` |
| NetSupport Process Launched by Windows Task Scheduler for Maintenance | A maintenance task, such as log cleanup or a configuration check, is scheduled via Task Scheduler and uses the NetSupport process as part of its execution. | `process.parent_process_name == "TaskScheduler"` or `process.command_line contains "TaskScheduler"` |
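The exclusions above are written in a generic field notation rather than in the `DeviceProcessEvents` schema the hunting query runs against. The query below is an added example, not part of the original hunting query or the linked repository, and maps those scenarios onto the Defender columns: `process.parent_process_name` to `InitiatingProcessFileName`, `process.command_line` to `ProcessCommandLine`, and `process.user_name` to `AccountName`. Rows that match a scenario are tagged rather than filtered out, so a device where NetSupport runs only under a known-good parent sorts to the bottom but does not vanish from the hunt. `ITSupportUser` is the placeholder account name from the scenario list and is assumed to be replaced with the real support account.

```kql
// Added example, not the original query: the hunt with the benign scenarios tagged per row.
let Time_start = now(-5d);
let Time_end = now();
// Parent images named in the scenario list (no executable is named for "TaskScheduler", so only the command-line keyword is used for it)
let benign_parents = dynamic(["schtasks.exe", "gpupdate.exe"]);
// Command-line keywords from the scenario list; "monitor" and "report" are deliberately weak matches
let benign_cmd_keywords = dynamic(["schtasks", "RemoteSupport", "GroupPolicy", "monitor", "report", "TaskScheduler"]);
// Placeholder from the scenario list; replace with the real support account(s)
let support_accounts = dynamic(["ITSupportUser"]);
DeviceProcessEvents
| where Timestamp between (Time_start..Time_end)
| where ProcessVersionInfoCompanyName has 'netsupport'
// First matching scenario wins; empty string means no benign explanation for this row
| extend BenignScenario = case(
    InitiatingProcessFileName in~ (benign_parents), strcat("parent:", InitiatingProcessFileName),
    AccountName in~ (support_accounts), strcat("account:", AccountName),
    ProcessCommandLine has_any (benign_cmd_keywords), "command-line keyword",
    "")
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count(),
    Unexplained=countif(BenignScenario == ""),
    Scenarios=make_set_if(BenignScenario, BenignScenario != ""),
    Parents=make_set(InitiatingProcessFileName),
    Accounts=make_set(AccountName)
    by DeviceId, DeviceName
// Devices with executions that no scenario explains come first
| order by Unexplained desc, Count desc
```

Two points on the mapping. The scenario list uses `contains`, a substring match; `has_any` matches whole terms, which is the cheaper operator in KQL and is adequate for these keywords, but switch to individual `contains` clauses if a keyword must match inside a longer token. And because the command line and the launching account are under the operator's control once the RMM channel exists, command-line and account matches should lower a device's priority, not remove it, which is why the query counts `Unexplained` rows instead of dropping the explained ones.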