The hypothesis is that an adversary is using NinjaRMM to establish a covert network connection for command and control, leveraging the legitimate RMM tool for persistent access. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential C2 channels and mitigate advanced persistent threats that exploit remote management tools.
KQL Query
```kql
let Time_start = now(-5d);
let Time_end = now();
//
DeviceNetworkEvents
| where Timestamp between (Time_start..Time_end)
| where RemoteUrl has 'ninjarmm.com'
    and InitiatingProcessVersionInfoCompanyName has_any (
        'NinjaRMM',
        'Ninja MSP'
    )
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
    RemoteUrl
```
```yaml
id: b766a587-e494-4bdd-9af5-97084d54c1cf
name: Remote Management and Monitoring tool - NinjaRMM - Network Connection
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceNetworkEvents
  | where Timestamp between (Time_start..Time_end)
  | where RemoteUrl has 'ninjarmm.com'
      and InitiatingProcessVersionInfoCompanyName has_any (
          'NinjaRMM',
          'Ninja MSP'
      )
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
      RemoteUrl
```
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
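To show how the hunting query above behaves before running it against live data, here is an added Python example (not part of the original hunt or the Azure Sentinel project) that mirrors its logic over constructed DeviceNetworkEvents rows: the 5-day window, the `has` / `has_any` filters and the `summarize` step. The `kql_has` helper approximates KQL term matching, which is why `myninjarmm.com` does not match `'ninjarmm.com'` while `app.ninjarmm.com` does; the sample rows and the hypothetical device names are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample rows in the shape of DeviceNetworkEvents (not real telemetry).
NOW = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)

def row(hours_ago, device_id, device_name, url, company, report_id):
    return {"Timestamp": NOW - timedelta(hours=hours_ago), "DeviceId": device_id,
            "DeviceName": device_name, "RemoteUrl": url,
            "InitiatingProcessVersionInfoCompanyName": company, "ReportId": report_id}

EVENTS = [
    row(24, "d1", "ws01", "app.ninjarmm.com", "NinjaRMM LLC", 11),
    row(48, "d1", "ws01", "app.ninjarmm.com", "NinjaRMM LLC", 12),
    row(144, "d2", "ws02", "resources.ninjarmm.com", "Ninja MSP", 13),  # older than 5 days
    row(3, "d3", "ws03", "myninjarmm.com", "NinjaRMM", 14),             # 'myninjarmm' is not the term 'ninjarmm'
    row(4, "d4", "ws04", "app.ninjarmm.com", "Contoso", 15),            # publisher is not NinjaRMM
]

def _terms(text):
    # KQL terms are runs of alphanumerics; matching is case-insensitive.
    return re.findall(r"[a-z0-9]+", text.lower())

def kql_has(haystack, needle):
    """Approximates KQL `has`: the needle's terms must occur as consecutive whole terms."""
    h, n = _terms(haystack), _terms(needle)
    return bool(n) and any(h[i:i + len(n)] == n for i in range(len(h) - len(n) + 1))

def hunt(events, now=NOW, lookback_days=5):
    """Mirror of the hunting query: time window, RemoteUrl and publisher filters, summarize."""
    start = now - timedelta(days=lookback_days)
    groups = defaultdict(list)
    for e in events:
        company = e["InitiatingProcessVersionInfoCompanyName"]
        if (start <= e["Timestamp"] <= now and kql_has(e["RemoteUrl"], "ninjarmm.com")
                and any(kql_has(company, c) for c in ("NinjaRMM", "Ninja MSP"))):
            groups[(e["DeviceId"], e["DeviceName"], e["RemoteUrl"])].append(e)
    # Equivalent of: summarize FirstSeen, LastSeen, Report=make_set(ReportId), Count by ...
    return [
        {"DeviceId": k[0], "DeviceName": k[1], "RemoteUrl": k[2],
         "FirstSeen": min(r["Timestamp"] for r in rows),
         "LastSeen": max(r["Timestamp"] for r in rows),
         "Report": sorted({r["ReportId"] for r in rows}),
         "Count": len(rows)}
        for k, rows in groups.items()
    ]

if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print(hit)
```

Only ws01 survives the filters, with two reports collapsed into one summarized row; the other rows are dropped for the reason given in their comments.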
Scenario: Scheduled system updates via NinjaRMM
Description: NinjaRMM may initiate scheduled system updates that involve network connections to download patches or updates from Microsoft servers.
Filter/Exclusion: Check for connections to known Microsoft update servers (e.g., update.microsoft.com, download.microsoft.com) and filter based on the presence of a scheduled update task in NinjaRMM.

Scenario: Remote desktop session initiated by an admin using NinjaRMM
Description: An IT admin may use NinjaRMM to remotely connect to a workstation via RDP, which can trigger network connection activity that resembles C2 traffic.
Filter/Exclusion: Filter connections originating from known admin accounts or IP ranges used for remote management, and check for RDP protocol (port 3389) or related traffic patterns.

Scenario: NinjaRMM performing endpoint inventory scan
Description: NinjaRMM regularly scans endpoints to collect inventory data, which may involve outbound network connections to the RMM server.
Filter/Exclusion: Filter based on the presence of inventory-related tasks in NinjaRMM, or check for known inventory endpoints (e.g., internal IP ranges or specific domain names used by the RMM platform).

Scenario: Remote PowerShell script execution via NinjaRMM
Description: IT admins may use NinjaRMM to execute PowerShell scripts on remote machines for configuration or maintenance tasks, which can result in outbound network connections.
Filter/Exclusion: Filter based on the presence of known PowerShell scripts used for legitimate administrative tasks, or check for script execution patterns associated with admin workflows.

Scenario: NinjaRMM syncing with a third-party monitoring tool
Description: NinjaRMM may communicate with third-party monitoring tools (e.g., Nagios, Zabbix) to share system metrics, which can be mistaken for C2 activity.
Filter/Exclusion: