This detection identifies potential use of RealVNC, a Remote Management and Monitoring (RMM) tool, by adversaries to establish persistence or command-and-control channels; it keys on files whose code-signing certificate Signer names RealVNC, as recorded in DeviceFileCertificateInfo. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate early-stage adversary activity that leverages legitimate RMM tools.
KQL Query
let Time_start = now(-5d);
let Time_end = now();
//
DeviceFileCertificateInfo
| where Timestamp between (Time_start..Time_end)
| where Signer has 'realvnc'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
id: 52151b01-3c56-4864-8e12-c8d3b808a81e
name: Remote Management and Monitoring tool - RealVNC - File Signature
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileCertificateInfo
tactics: CommandAndControl
relevantTechniques: T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceFileCertificateInfo
  | where Timestamp between (Time_start..Time_end)
  | where Signer has 'realvnc'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
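The query's logic as an added Python example (not code from the original hunting query or its repository): it applies the 5-day window, the `Signer has 'realvnc'` test and the per-device summarize to constructed DeviceFileCertificateInfo rows, so the effect of KQL `has` (whole-term, case-insensitive, unlike `contains`) can be checked offline. The sample rows, the fixed stand-in for now() and the term-splitting approximation of `has` are assumptions.

```python
# Added example, not the hunting query's own code: re-implements its filter-and-summarize
# logic over constructed DeviceFileCertificateInfo rows, approximating KQL `has` (whole-term,
# case-insensitive) and the 5-day window so the logic can be checked offline.
from datetime import datetime, timedelta, timezone
import re

NOW = datetime(2024, 6, 10, tzinfo=timezone.utc)  # fixed stand-in for KQL now(), for reproducibility

# Constructed sample rows using only the columns the query touches.
SAMPLE_ROWS = [
    {"Timestamp": NOW - timedelta(days=1), "Signer": "RealVNC Limited",
     "DeviceId": "dev-001", "DeviceName": "ws-finance-01", "ReportId": "r1"},
    {"Timestamp": NOW - timedelta(days=2), "Signer": "RealVNC Limited",
     "DeviceId": "dev-001", "DeviceName": "ws-finance-01", "ReportId": "r2"},
    {"Timestamp": NOW - timedelta(days=9), "Signer": "RealVNC Limited",  # outside the 5-day window
     "DeviceId": "dev-002", "DeviceName": "srv-old-01", "ReportId": "r3"},
    {"Timestamp": NOW - timedelta(hours=3), "Signer": "Microsoft Windows",
     "DeviceId": "dev-003", "DeviceName": "ws-hr-02", "ReportId": "r4"},
    {"Timestamp": NOW - timedelta(hours=5), "Signer": "NotRealVNC Corp",  # substring only, not a term
     "DeviceId": "dev-004", "DeviceName": "ws-dev-07", "ReportId": "r5"},
]

def kql_has(text: str, term: str) -> bool:
    """Approximation of KQL `has`: case-insensitive match on a whole term,
    where terms are runs of alphanumeric characters (unlike `contains`)."""
    return term.lower() in re.split(r"[^A-Za-z0-9]+", text.lower())

def hunt_realvnc_signer(rows, now=NOW, lookback_days=5):
    """Mirror of the query: time window, Signer has 'realvnc', then summarize
    FirstSeen/LastSeen/Report set/Count per (DeviceId, DeviceName)."""
    time_start = now - timedelta(days=lookback_days)
    results = {}
    for row in rows:
        if not (time_start <= row["Timestamp"] <= now):
            continue
        if not kql_has(row["Signer"], "realvnc"):
            continue
        key = (row["DeviceId"], row["DeviceName"])
        agg = results.setdefault(key, {"FirstSeen": row["Timestamp"], "LastSeen": row["Timestamp"],
                                       "Report": set(), "Count": 0})
        agg["FirstSeen"] = min(agg["FirstSeen"], row["Timestamp"])
        agg["LastSeen"] = max(agg["LastSeen"], row["Timestamp"])
        agg["Report"].add(row["ReportId"])
        agg["Count"] += 1
    return results

if __name__ == "__main__":
    for (dev_id, dev_name), agg in hunt_realvnc_signer(SAMPLE_ROWS).items():
        print(dev_id, dev_name, agg["FirstSeen"], agg["LastSeen"], sorted(agg["Report"]), agg["Count"])
```

Only ws-finance-01 survives: the srv-old-01 hit falls outside the window and the "NotRealVNC Corp" signer is a substring match that `has` does not treat as the term realvnc. The scenario exclusions that follow reference process fields that DeviceFileCertificateInfo does not carry, so they are not modelled here.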
Scenario: Scheduled System Maintenance via RealVNC
Description: An administrator schedules a maintenance task using RealVNC to remotely reboot or update a server.
Filter/Exclusion: process.parent_process_name == "Task Scheduler" or process.command_line contains "schtasks"

Scenario: Remote Desktop Session via RealVNC
Description: A legitimate remote desktop session is established using RealVNC for troubleshooting or support.
Filter/Exclusion: process.parent_process_name == "mstsc.exe" or process.command_line contains "mstsc"

Scenario: File Integrity Monitoring via RealVNC
Description: An admin uses RealVNC to monitor and verify file integrity on a remote endpoint as part of a security audit.
Filter/Exclusion: process.command_line contains "audit" or process.command_line contains "integrity" or process.command_line contains "filecheck"

Scenario: Patch Management via RealVNC
Description: A system administrator uses RealVNC to push and apply patches to multiple endpoints in the network.
Filter/Exclusion: process.command_line contains "patch" or process.command_line contains "update" or process.command_line contains "wsus"

Scenario: Remote File Copy for Backup via RealVNC
Description: A backup process uses RealVNC to transfer files between servers for offsite storage or replication.
Filter/Exclusion: process.command_line contains "backup" or process.command_line contains "copy" or process.command_line contains "rsync" or process.command_line contains "robocopy"