The hypothesis is that an adversary is using NinjaRMM to create processes for persistence or command and control, leveraging the legitimate RMM tool's capabilities to maintain long-term access. SOC teams should proactively hunt for this behavior in Microsoft Sentinel (formerly Azure Sentinel) to identify compromised managed endpoints and limit lateral movement. The query below keys on the PE version-information fields of the created process rather than on its file name, so it surfaces every endpoint on which a NinjaRMM component executed during the lookback window; an agent running on a device that the IT team never enrolled is the primary signal, and a device with an unusually high count or a first-seen time that does not match a known rollout is the next thing to inspect.
KQL Query

```kql
// Lookback window: five days. Widen Time_start for a longer hunt.
let Time_start = now(-5d);
let Time_end = now();
//
DeviceProcessEvents
| where Timestamp between (Time_start..Time_end)
// Match on the version-info resource of the created image, not its file name,
// so a renamed agent binary is still caught.
| where ProcessVersionInfoCompanyName has_any (
    'NinjaRMM',
    'Ninja MSP'
)
and ProcessVersionInfoProductName has 'NinjaRMM'
// One row per device: when NinjaRMM components first and last ran, how often,
// and the ReportIds needed to pivot back to the raw events.
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
```
```yaml
id: a121db5b-c51a-4258-b520-1212824ad24f
name: Remote Management and Monitoring tool - NinjaRMM - Create Process
description: |
  Remote Monitoring and Management (RMM) programs are used by IT teams to manage remote endpoints. Attackers have begun to abuse these programs to persist or to provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceProcessEvents
  | where Timestamp between (Time_start..Time_end)
  | where ProcessVersionInfoCompanyName has_any (
      'NinjaRMM',
      'Ninja MSP'
  )
  and ProcessVersionInfoProductName has 'NinjaRMM'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Populated by the MicrosoftThreatProtection (Microsoft Defender XDR) data connector; ensure it is enabled |
False Positive Scenarios

Scenario: A system administrator uses NinjaRMM to deploy a scheduled job that launches a legitimate endpoint management agent, such as Microsoft Endpoint Manager (MEM).
Filter/Exclusion: Exclude the known MEM or other enterprise management binaries by image name and path when they are launched by a NinjaRMM job, rather than excluding everything scheduled through NinjaRMM; a blanket exclusion on the scheduler would also hide a job an attacker created.

Scenario: An IT team uses NinjaRMM to push a patching tool, such as the Windows Update Assistant, to many endpoints at once.
Filter/Exclusion: Exclude the known patching binaries, and only inside the scheduled maintenance window; confirm the push in NinjaRMM's deployment or inventory records before tuning it out.

Scenario: A technician starts a remote session (NinjaRMM remote control, or a parallel RDP session), and the processes observed are the session helpers launched during initialization, such as a remote desktop client or a logon script.
Filter/Exclusion: Exclude the known session-helper executables and correlate the launch with the technician's interactive logon in DeviceLogonEvents. Do not treat "valid credentials" as clearance on its own: an attacker on a stolen account also logs on with valid credentials.

Scenario: A cleanup task run through NinjaRMM briefly spawns a process to delete old logs or temporary files.
Filter/Exclusion: Exclude the known cleanup and maintenance scripts by name and command line, and verify the task's origin in NinjaRMM's task scheduler.

Scenario: A third-party service (e.g., LogMeIn, TeamViewer) is installed or updated via NinjaRMM under an enterprise IT policy.
Filter/Exclusion: Exclude the sanctioned remote-access or collaboration installers only after confirming the rollout is a policy-managed deployment in NinjaRMM; a second RMM or remote-access tool arriving unexpectedly through the first one is itself a hunting lead.
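The base hunt finds devices where a NinjaRMM component itself executed; it does not show what the agent went on to launch, which is where the persistence or C2 stage in the hypothesis would actually appear, and it has no place to apply the exclusions from the scenarios above. The query below is an added example, not part of the original hunt or of the linked repository: it applies the same version-info test to the initiating process instead of the created one, so each row is a child the NinjaRMM agent spawned, and it suppresses only what the scenarios explain (a known child image, inside a maintenance window). The allowlist names (including the hypothetical UpdateAssistant.exe), the Saturday 02:00-05:59 UTC window and the interpreter list are assumptions to be replaced with values from your own tenant.

```kql
// Added example (not from the original hunt): what did the NinjaRMM agent launch?
let Time_start = now(-5d);
let Time_end = now();
// Assumed allowlist of child images NinjaRMM legitimately launches here:
// package installs, patch pushes, sanctioned remote-support installers, cleanup.
// UpdateAssistant.exe is a hypothetical name; use the binaries your deployments run.
let KnownChildren = dynamic([
    "msiexec.exe",
    "UpdateAssistant.exe",
    "TeamViewer_Setup.exe",
    "cleanmgr.exe"
]);
// Assumed weekly maintenance window: Saturday 02:00-05:59 UTC.
// dayofweek() returns a timespan (Sunday = 0d ... Saturday = 6d).
let MaintDay = 6d;
let MaintHourStart = 2;
let MaintHourEnd = 5;
// Script hosts and LOLBins where an RMM-delivered C2 stage usually surfaces;
// these are never suppressed, whatever the time of day.
let Interpreters = dynamic([
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"
]);
DeviceProcessEvents
| where Timestamp between (Time_start..Time_end)
// Same version-info test as the base hunt, applied to the parent:
// the created process is whatever the NinjaRMM agent launched.
| where InitiatingProcessVersionInfoCompanyName has_any ('NinjaRMM', 'Ninja MSP')
    and InitiatingProcessVersionInfoProductName has 'NinjaRMM'
| extend InMaintWindow = dayofweek(Timestamp) == MaintDay
    and hourofday(Timestamp) between (MaintHourStart .. MaintHourEnd)
| extend KnownChild = FileName in~ (KnownChildren)
| extend IsInterpreter = FileName in~ (Interpreters)
// Suppress only the combination the scenarios account for: a known child
// launched inside the window. Everything else stays, interpreters always stay.
| where IsInterpreter or not(KnownChild and InMaintWindow)
// Version info is a PE resource an attacker can set freely, so carry the
// parent's signature status: a "NinjaRMM" parent that is unsigned or renamed
// stands out next to the legitimate agent.
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp), Count=count(),
    Children=make_set(FileName, 50),
    InterpreterCmdLines=make_set_if(ProcessCommandLine, IsInterpreter, 20),
    ParentSignature=make_set(InitiatingProcessSignatureStatus),
    Report=make_set(ReportId, 100)
    by DeviceId, DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath,
       InitiatingProcessAccountName
| order by Count desc
```

Run it against the same lookback as the base hunt and join on DeviceId: a device that appears in the base results with a high count but has no rows here was only running the agent, while a device with interpreter command lines or a parent whose ParentSignature is not Valid is the one to triage first. Tune KnownChildren from NinjaRMM's own deployment records rather than from what the query happens to show, so the allowlist reflects sanctioned activity and not whatever was already on the endpoints.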