This detection identifies execution of PcVisit, a Remote Monitoring and Management (RMM) tool, on managed endpoints. Unexpected RMM activity can indicate adversary persistence or command-and-control (C2) use of a legitimate tool. The query keys on the executable's embedded version information (company and product name) rather than its file name or path, so a renamed PcVisit binary still matches, while a copy with a stripped or forged version resource will not. SOC teams should proactively hunt for this behaviour in Microsoft Sentinel (formerly Azure Sentinel) over the default five-day lookback to identify potential compromise of managed endpoints and mitigate lateral-movement risk.
KQL Query
```kql
let Time_start = now(-5d);
let Time_end = now();
//
DeviceProcessEvents
| where Timestamp between (Time_start..Time_end)
| where ProcessVersionInfoCompanyName has 'pcvisit software ag'
    and ProcessVersionInfoProductName has 'pcvisit'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
```
```yaml
id: 5472e953-c247-4e89-b849-3b16b839aeb5
name: Remote Management and Monitoring tool - PcVisit - Create Process
description: |
  Remote Monitoring and Management (RMM) programs are used by IT teams to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceProcessEvents
  | where Timestamp between (Time_start..Time_end)
  | where ProcessVersionInfoCompanyName has 'pcvisit software ag'
      and ProcessVersionInfoProductName has 'pcvisit'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Populated by the Microsoft Defender XDR connector (connectorId MicrosoftThreatProtection); ensure the connector is enabled and the DeviceProcessEvents data type is selected, otherwise the query returns no rows |
Tuning scenarios (expected benign activity)

As written, the query matches rows where the created process itself carries PcVisit version metadata, that is, the PcVisit binaries being launched. The scenarios below describe processes that PcVisit spawns on a remote endpoint; to cover those, extend the query to match on InitiatingProcessVersionInfoCompanyName and InitiatingProcessVersionInfoProductName as well. The filters are written with generic field names and must be translated to DeviceProcessEvents columns (FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessFolderPath) before use. Exclusions keyed only on a file name or a command-line token are cheap for an attacker to satisfy by renaming a payload, so scope them to the administrative accounts or device groups that legitimately use PcVisit.

Scenario: IT Admin Creates Process via PcVisit for Scheduled Job
Description: An IT administrator uses PcVisit to execute a legitimate scheduled job that requires creating a process on a remote endpoint.
Filter/Exclusion: `process.parent_process_name:"Task Scheduler" or process.parent_process_path:"C:\Windows\System32\svchost.exe"`

Scenario: PcVisit Used to Deploy Patch Management Tool
Description: PcVisit is used to deploy a patch management application, which creates a process on multiple endpoints.
Filter/Exclusion: `process.name:"patchmgr.exe" or process.command_line:"-install"`

Scenario: PcVisit Used to Install Endpoint Protection Software
Description: IT uses PcVisit to push endpoint protection software (e.g., Microsoft Defender, CrowdStrike) to endpoints, which creates processes during installation.
Filter/Exclusion: `process.name:"mpcmdrun.exe" or process.name:"frs.exe"`

Scenario: PcVisit Used for System Maintenance Task (e.g., Disk Cleanup)
Description: An IT admin uses PcVisit to run a system maintenance task such as Disk Cleanup, which creates processes on remote machines.
Filter/Exclusion: `process.name:"cleanmgr.exe" or process.command_line:"/sagerun:1"`

Scenario: PcVisit Used to Deploy Configuration Management Tool (e.g., Ansible, Chef)
Description: PcVisit is used to deploy a configuration management tool, which creates processes on remote endpoints during setup.
Filter/Exclusion: `process.name:"ansible.exe" or process.name:"chef-client.exe"`
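The query above and the parent-process style of exclusion from the tuning scenarios, modelled offline so the matching semantics can be checked before the rule is deployed. This is an added example, not code from the original rule or from Microsoft: it re-implements the KQL logic in plain Python over constructed DeviceProcessEvents rows. The column names follow the DeviceProcessEvents schema; the rows, the fixed clock, the `kql_has` approximation of KQL `has` (case-insensitive, whole-term match) and the `excluded_initiators` allowlist are all assumptions made for illustration.

```python
"""Offline model of the PcVisit hunting query over constructed DeviceProcessEvents rows.

Added example, not code from the original rule. Column names follow the
DeviceProcessEvents schema; the rows, the fixed clock and the allowlist of
initiating-process paths are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone
import re

# Fixed clock so the 5-day window is reproducible (stands in for KQL now()).
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)


def _row(days_ago, device_id, device_name, report_id, company, product, parent):
    """Build one constructed DeviceProcessEvents row with only the columns the query touches."""
    return {
        "Timestamp": NOW - timedelta(days=days_ago),
        "DeviceId": device_id, "DeviceName": device_name, "ReportId": report_id,
        "ProcessVersionInfoCompanyName": company,
        "ProcessVersionInfoProductName": product,
        "InitiatingProcessFolderPath": parent,
    }


# Constructed sample telemetry (not from a real tenant).
SAMPLE_EVENTS = [
    _row(1.0, "dev-001", "ws01", 101, "pcvisit Software AG", "pcvisit", r"c:\windows\explorer.exe"),
    _row(2.0, "dev-001", "ws01", 102, "pcvisit Software AG", "pcvisit", r"c:\windows\system32\svchost.exe"),
    # Different casing and a longer product name: `has` is case-insensitive and term-based.
    _row(0.2, "dev-002", "srv02", 201, "PCVISIT SOFTWARE AG", "pcvisit Host", r"c:\windows\explorer.exe"),
    # Look-alike product: 'pcvisit' inside 'MyPcVisitHelper' is not a whole term, so no match.
    _row(1.0, "dev-003", "ws03", 301, "Contoso", "MyPcVisitHelper", r"c:\windows\explorer.exe"),
    # Genuine PcVisit, but 9 days old: outside the query's 5-day window.
    _row(9.0, "dev-004", "ws04", 401, "pcvisit Software AG", "pcvisit", r"c:\windows\explorer.exe"),
]

_TERM = re.compile(r"[A-Za-z0-9]+")


def kql_has(field, needle):
    """Approximation (assumption) of KQL `has`: case-insensitive, whole-term match.
    A multi-word needle must appear as consecutive terms in the field."""
    if not field:
        return False
    f = [t.lower() for t in _TERM.findall(field)]
    n = [t.lower() for t in _TERM.findall(needle)]
    return any(f[i:i + len(n)] == n for i in range(len(f) - len(n) + 1))


def hunt(events, now=NOW, lookback_days=5, excluded_initiators=frozenset()):
    """Mirror of the query: time window, version-info match, summarize by device.

    `excluded_initiators` is a hypothetical tuning allowlist of lower-case
    initiating-process paths, the DeviceProcessEvents equivalent of the
    scenarios' parent-process filters. It is not part of the original rule.
    """
    start = now - timedelta(days=lookback_days)
    groups = {}
    for e in events:
        if not (start <= e["Timestamp"] <= now):
            continue  # outside Time_start..Time_end
        if not (kql_has(e["ProcessVersionInfoCompanyName"], "pcvisit software ag")
                and kql_has(e["ProcessVersionInfoProductName"], "pcvisit")):
            continue  # not a PcVisit binary by version info
        if e["InitiatingProcessFolderPath"].lower() in excluded_initiators:
            continue  # tuned-out benign parent
        key = (e["DeviceId"], e["DeviceName"])
        g = groups.setdefault(key, {"FirstSeen": e["Timestamp"], "LastSeen": e["Timestamp"],
                                    "Report": set(), "Count": 0})
        g["FirstSeen"] = min(g["FirstSeen"], e["Timestamp"])   # min(Timestamp)
        g["LastSeen"] = max(g["LastSeen"], e["Timestamp"])     # max(Timestamp)
        g["Report"].add(e["ReportId"])                         # make_set(ReportId)
        g["Count"] += 1                                        # count()
    return groups


if __name__ == "__main__":
    for (dev_id, name), g in hunt(SAMPLE_EVENTS).items():
        print(f"{name} ({dev_id}): {g['Count']} hit(s), reports {sorted(g['Report'])}, "
              f"{g['FirstSeen']:%Y-%m-%d %H:%M} .. {g['LastSeen']:%Y-%m-%d %H:%M}")
```

Running it lists ws01 with two hits and srv02 with one; ws03 (look-alike product name) and ws04 (outside the window) are dropped, and passing the svchost.exe path in `excluded_initiators` removes one of the ws01 rows, which is the effect the scheduled-job exclusion is meant to have once translated to InitiatingProcessFolderPath.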