The detection identifies the use of RemoteDesktopPlus, a Remote Monitoring and Management tool, to create processes that may indicate adversary persistence or command and control activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect potential adversary exploitation of legitimate RMM tools for long-term access and covert communication.
KQL Query

```kusto
let Time_start = now(-5d);
let Time_end = now();
//
DeviceProcessEvents
| where Timestamp between (Time_start..Time_end)
| where ProcessVersionInfoCompanyName has 'www.donkz.nl'
    and ProcessVersionInfoProductName has 'Remote Desktop Plus'
    and ProcessVersionInfoOriginalFileName has 'rdp.exe'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
            Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
```
```yaml
id: 6e98184a-6794-4c94-923b-d0ab052ca92e
name: Remote Management and Monitoring tool - RemoteDesktopPlus - Create Process
description: |
  Remote Monitoring and Management (RMM) programs are used by IT staff to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceProcessEvents
  | where Timestamp between (Time_start..Time_end)
  | where ProcessVersionInfoCompanyName has 'www.donkz.nl'
      and ProcessVersionInfoProductName has 'Remote Desktop Plus'
      and ProcessVersionInfoOriginalFileName has 'rdp.exe'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
              Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is using Remote Desktop Plus (RDP Plus) to remotely manage a server and creates a process to run a script for system updates.
  Filter/Exclusion: Check for the presence of known admin tasks or scheduled jobs associated with system maintenance, such as Update-Module or schtasks.exe with a known job name.
- Scenario: A Microsoft Endpoint Manager (MEM) task is configured to deploy a software update, which triggers a process creation via Remote Desktop Plus as part of the deployment.
  Filter/Exclusion: Include a filter for processes initiated by Microsoft Intune or Configuration Manager (e.g., msiexec.exe, setup.exe with known deployment identifiers).
- Scenario: An IT support team uses Remote Desktop Plus to remotely connect to a workstation and creates a process to run a legitimate diagnostic tool like Process Monitor (ProcMon).
  Filter/Exclusion: Filter based on the process name or command line arguments that match known diagnostic or support tools.
- Scenario: A scheduled job is set up via Remote Desktop Plus to run a nightly backup script, which creates a process to execute a backup utility.
  Filter/Exclusion: Use a filter for processes associated with backup tools (e.g., vssadmin.exe, wbadmin.exe) or scheduled jobs with known names or IDs.
- Scenario: A system administrator uses Remote Desktop Plus to remotely access a virtual machine and creates a process to run a PowerShell script for log cleanup.
  Filter/Exclusion: Filter for processes initiated from known virtualization platforms (e.g., vmtoolsd.exe, Hyper-V related processes) or scripts with known cleanup commands.
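The scenarios above all describe processes that Remote Desktop Plus launches, while the rule itself matches the rdp.exe process by its version info. The following KQL is an added tuning example, not part of the original rule or of the linked repository: it pivots to the child processes of an RDP Plus parent using the same version-info match (on the `InitiatingProcessVersionInfo*` columns of `DeviceProcessEvents`), applies the exclusions from the scenario list, and flags devices on which RDP Plus had not been seen in a preceding baseline period. The allowlist values, the 30-day baseline and the parent-process names are assumed placeholders to be replaced with the tooling approved in your own environment.

```kusto
// Added example: companion hunt for processes spawned by Remote Desktop Plus,
// with exclusions for the benign scenarios listed above. Every allowlist
// value below is an assumed placeholder, not a value from the original rule.
let Time_start = now(-5d);
let Time_end = now();
let Baseline_start = now(-35d);   // assumption: 30-day baseline before the hunt window
// Deployment, diagnostic and backup tools expected to be run via RDP Plus (placeholders)
let BenignChildProcesses = dynamic(['msiexec.exe', 'setup.exe', 'procmon.exe', 'procmon64.exe', 'vssadmin.exe', 'wbadmin.exe']);
// Command-line fragments of approved maintenance jobs and scripts (placeholders)
let BenignCommandLineFragments = dynamic(['Update-Module', 'NightlyBackup', 'LogCleanup.ps1']);
// Approved grandparents that start RDP Plus sessions on managed hosts (placeholders)
let BenignGrandparents = dynamic(['vmtoolsd.exe', 'IntuneManagementExtension.exe']);
// Same version-info match as the rule, reusable for both the process and its parent
let IsRdpPlus = (company:string, product:string, original:string) {
    company has 'www.donkz.nl' and product has 'Remote Desktop Plus' and original has 'rdp.exe'
};
// Devices where RDP Plus already ran during the baseline period
let KnownDevices = DeviceProcessEvents
    | where Timestamp between (Baseline_start .. Time_start)
    | where IsRdpPlus(ProcessVersionInfoCompanyName, ProcessVersionInfoProductName, ProcessVersionInfoOriginalFileName)
    | distinct DeviceId
    | extend SeenInBaseline = true;
// Processes whose parent is RDP Plus, inside the hunt window
DeviceProcessEvents
| where Timestamp between (Time_start .. Time_end)
| where IsRdpPlus(InitiatingProcessVersionInfoCompanyName, InitiatingProcessVersionInfoProductName, InitiatingProcessVersionInfoOriginalFileName)
// Exclusions for the documented benign scenarios
| where FileName !in~ (BenignChildProcesses)
| where not(ProcessCommandLine has_any (BenignCommandLineFragments))
| where InitiatingProcessParentFileName !in~ (BenignGrandparents)
// Flag devices that have no RDP Plus history in the baseline
| join kind=leftouter KnownDevices on DeviceId
| extend NewToDevice = isnull(SeenInBaseline)
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp), Count=count(),
            ChildProcesses=make_set(FileName), CommandLines=make_set(ProcessCommandLine, 10),
            Report=make_set(ReportId)
    by DeviceId, DeviceName, AccountName, NewToDevice
| order by NewToDevice desc, Count asc
```

Rows with `NewToDevice == true` and a low `Count` are the ones worth triaging first: a host that has never run RDP Plus before and launched a handful of unlisted children is a better hunting lead than a jump host with hundreds of approved deployments. Review what the exclusions drop before promoting them into the rule, since a broad command-line fragment such as a script name can also match an attacker-chosen file name.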