This detection flags endpoints on which a file whose code-signing certificate names NetSupport appears in DeviceFileCertificateInfo (the Microsoft Defender for Endpoint file-certificate table). NetSupport Manager is a legitimate Remote Monitoring and Management (RMM) tool, but adversaries also deploy it to keep persistence or to carry command and control, so a signer match tells you the tool is present, not whether its use is authorized. SOC teams should hunt for this in Microsoft Sentinel (formerly Azure Sentinel), confirm who deployed the binary and why, and treat unexplained installs as a potential compromise of the endpoint via a legitimate RMM tool.
KQL Query
let Time_start = now(-5d);
let Time_end = now();
//
DeviceFileCertificateInfo
| where Timestamp between (Time_start..Time_end)
| where Signer has 'netsupport'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
id: b05f18dd-69df-4dc3-9eed-04b29d379ee5
name: Remote Management and Monitoring tool - NetSupport - File Signature
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist on a host or to provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileCertificateInfo
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceFileCertificateInfo
  | where Timestamp between (Time_start..Time_end)
  | where Signer has 'netsupport'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
Benign scenarios and tuning
The scenarios below describe legitimate NetSupport use that will match the signer check just as well as malicious use. Two caveats before applying the Filter/Exclusion lines: DeviceFileCertificateInfo carries file and certificate columns only, so the process.name / process.parent.name fields are generic (ECS-style) placeholders and the parent names are illustrative, not observed image names; to use them you must correlate the signer hit with process telemetry (for example DeviceProcessEvents joined on DeviceId and SHA1) and substitute the parent processes actually seen in your environment. Each filter keeps an event unless both conditions of the benign case hold, that is, it is the negation of process.name == "NetSupport.exe" AND process.parent.name == <expected parent>. Prefer scoping exclusions to the devices and accounts known to run NetSupport rather than to the binary name alone, since a name-based exclusion is trivial for an adversary to satisfy.

Scenario: Scheduled Maintenance Task Using NetSupport
Description: An IT administrator schedules a routine maintenance task that uses NetSupport to update software on remote endpoints.
Filter/Exclusion: process.name != "NetSupport.exe" OR process.parent.name != "Task Scheduler"

Scenario: NetSupport Used for Remote Desktop Support
Description: A support technician uses NetSupport to assist a user in a remote session involving screen sharing and remote control.
Filter/Exclusion: process.name != "NetSupport.exe" OR process.parent.name != "Remote Desktop Services"

Scenario: NetSupport Agent Installation via Group Policy
Description: The IT department deploys the NetSupport agent to all endpoints through Group Policy as part of standard endpoint management.
Filter/Exclusion: process.name != "NetSupport.exe" OR process.parent.name != "GroupPolicy"

Scenario: NetSupport Used for System Monitoring and Reporting
Description: The IT team uses NetSupport to monitor system performance and generate reports on endpoint health and usage.
Filter/Exclusion: process.name != "NetSupport.exe" OR process.parent.name != "Microsoft Monitoring Agent"

Scenario: NetSupport Integration with SIEM for Log Collection
Description: NetSupport is configured to forward its logs to a SIEM for centralized log management and analysis.
Filter/Exclusion: process.name != "NetSupport.exe" OR process.parent.name != "SIEM Agent"
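The query below is an added tuning example, not the original rule and not code from the linked repository. It supplies the process context the scenarios above assume: the signer hits from DeviceFileCertificateInfo are joined to DeviceProcessEvents on DeviceId and SHA1, so the executed image, its parent process, the account and the command line are visible per device, and hosts on a placeholder allow-list are dropped. The ExpectedDevices table and its two hostnames are assumptions to replace with your own inventory; the table and column names are those of the Defender for Endpoint advanced hunting schema.

```kql
// Added example, not the original rule. Assumes the Defender for Endpoint
// advanced hunting schema (DeviceFileCertificateInfo, DeviceProcessEvents).
let Time_start = now(-5d);
let Time_end = now();
// Placeholder allow-list of hosts where IT is expected to run NetSupport;
// the hostnames are assumptions, replace them with your own inventory.
let ExpectedDevices = datatable(DeviceName: string) [
    "it-helpdesk-01",
    "it-helpdesk-02"
];
// Step 1: files whose signing certificate names NetSupport. Issuer and
// IsTrusted are kept so a self-signed lookalike with "NetSupport" in the
// subject can be told apart from a file that chains to a trusted root.
let NetSupportFiles = DeviceFileCertificateInfo
    | where Timestamp between (Time_start .. Time_end)
    | where Signer has "netsupport"
    | project DeviceId, SHA1, Signer, Issuer, IsTrusted, CertSeen = Timestamp;
// Step 2: executions of those files on the same device, which provides the
// image, parent and command line that the benign-scenario filters refer to.
DeviceProcessEvents
| where Timestamp between (Time_start .. Time_end)
| join kind=inner NetSupportFiles on DeviceId, SHA1
| where DeviceName !in~ (ExpectedDevices)
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Count = count(), Report = make_set(ReportId),
            Parents = make_set(InitiatingProcessFileName),
            Users = make_set(AccountName),
            CommandLines = make_set(ProcessCommandLine, 10)
    by DeviceId, DeviceName, FileName, FolderPath, Signer, Issuer, IsTrusted
| order by FirstSeen asc
```

Because of the inner join, a NetSupport-signed file that was written to disk but never executed in the window is not returned; keep the original query alongside this one if dormant copies matter to you. Rows with IsTrusted == false deserve a closer look, since the signer string alone is satisfied by any certificate whose subject contains the word, and the Parents column is where you check the scenarios' expected parent processes against what your endpoints actually report.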