A SOC team should proactively hunt for network connections to parsec.app, since they may indicate the use of a Remote Management and Monitoring (RMM) tool for adversary persistence or command and control. This behavior aligns with MITRE ATT&CK T1219 (Remote Access Software) and is often leveraged by attackers to maintain long-term access and exfiltrate data in Azure environments.
KQL Query

```kusto
let Time_start = now(-5d);
let Time_end = now();
//
DeviceNetworkEvents
| where Timestamp between (Time_start..Time_end)
| where RemoteUrl has_any (
    'kessel-ws.parsec.app',
    'kessel-api.parsec.app',
    'builds.parsec.app',
    'builds.parsecgaming.com',
    'public.parsec.app',
    'parsecusercontent.com',
    'stun.parsec.app',
    'stun6.parsec.app'
    )
    and InitiatingProcessVersionInfoCompanyName has 'parsec'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
    RemoteUrl
```
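The filter and summarize steps of the query above, reimplemented in Python over constructed DeviceNetworkEvents rows so the aggregation can be checked offline before tuning the rule. This is an added example, not part of the original rule; `has_any` is approximated with a substring test and `has` with a term match on the company name, and the sample rows and fixed "now" are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Domains from the rule's has_any list
PARSEC_URLS = (
    "kessel-ws.parsec.app", "kessel-api.parsec.app", "builds.parsec.app",
    "builds.parsecgaming.com", "public.parsec.app", "parsecusercontent.com",
    "stun.parsec.app", "stun6.parsec.app",
)
NOW = datetime(2024, 1, 10, 12, 0)  # fixed "now" so the example is deterministic

def matches(row):
    """Approximate the KQL where-clause: has_any on RemoteUrl (substring here)
    and a term match of 'parsec' in the signing company name (KQL 'has')."""
    url_hit = any(u in row["RemoteUrl"].lower() for u in PARSEC_URLS)
    terms = re.findall(r"[a-z0-9]+", row["InitiatingProcessVersionInfoCompanyName"].lower())
    return url_hit and "parsec" in terms

def summarize(rows, start, end):
    """Mirror the summarize step: FirstSeen, LastSeen, Report set and Count
    per (DeviceId, DeviceName, RemoteUrl) within the time window."""
    groups = defaultdict(list)
    for r in rows:
        if start <= r["Timestamp"] <= end and matches(r):
            groups[(r["DeviceId"], r["DeviceName"], r["RemoteUrl"])].append(r)
    out = []
    for (dev_id, dev_name, url), hits in groups.items():
        stamps = [h["Timestamp"] for h in hits]
        out.append({"DeviceId": dev_id, "DeviceName": dev_name, "RemoteUrl": url,
                    "FirstSeen": min(stamps), "LastSeen": max(stamps),
                    "Report": sorted({h["ReportId"] for h in hits}), "Count": len(hits)})
    return out

def event(hours_ago, dev_id, dev_name, url, company, report):
    return {"Timestamp": NOW - timedelta(hours=hours_ago), "DeviceId": dev_id,
            "DeviceName": dev_name, "RemoteUrl": url,
            "InitiatingProcessVersionInfoCompanyName": company, "ReportId": report}

# Constructed sample rows, not real telemetry
SAMPLE_EVENTS = [
    event(1, "dev-a", "WS01", "kessel-ws.parsec.app", "Parsec Cloud, Inc.", "r1"),
    event(3, "dev-a", "WS01", "kessel-ws.parsec.app", "Parsec Cloud, Inc.", "r2"),
    event(2, "dev-a", "WS01", "stun.parsec.app", "Parsec Cloud, Inc.", "r3"),
    event(4, "dev-b", "SRV02", "builds.parsec.app", "Microsoft Corporation", "r4"),  # company term mismatch
    event(24 * 9, "dev-c", "WS03", "public.parsec.app", "Parsec Cloud, Inc.", "r5"),  # outside 5-day window
]

def run_rule(events=SAMPLE_EVENTS):
    return summarize(events, NOW - timedelta(days=5), NOW)  # same 5-day lookback as the KQL
```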
```yaml
id: 070b55d3-eb84-4312-a116-1af9965cd6e4
name: Remote Management and Monitoring tool - parsec.app - Network Connection
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics: CommandAndControl
relevantTechniques: T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceNetworkEvents
  | where Timestamp between (Time_start..Time_end)
  | where RemoteUrl has_any (
      'kessel-ws.parsec.app',
      'kessel-api.parsec.app',
      'builds.parsec.app',
      'builds.parsecgaming.com',
      'public.parsec.app',
      'parsecusercontent.com',
      'stun.parsec.app',
      'stun6.parsec.app'
      )
      and InitiatingProcessVersionInfoCompanyName has 'parsec'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
      RemoteUrl
```
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: A system administrator is using Parsec to remotely access a server for troubleshooting.
Filter/Exclusion: process.name == "parsec.app" and (process.parent.name == "System" or process.parent.name == "task scheduler")

Scenario: A scheduled job is running Parsec to perform automated system checks or updates.
Filter/Exclusion: process.name == "parsec.app" and event_id == "ScheduledTask"

Scenario: An IT team is using Parsec to monitor network traffic on a firewall or endpoint for security analysis.
Filter/Exclusion: process.name == "parsec.app" and (user.name == "ITSecurity" or user.name == "NetworkOps")

Scenario: A legitimate remote management tool like Microsoft Endpoint Manager (Intune) is configured to use Parsec for device management.
Filter/Exclusion: process.name == "parsec.app" and (process.parent.name == "msiexec.exe" or process.parent.name == "setup.exe")

Scenario: A user is using Parsec to access a virtual private network (VPN) or remote desktop session for daily work.
Filter/Exclusion: process.name == "parsec.app" and (destination_ip in (known_vpn_subnet) or destination_ip in (known_rdp_subnet))