The hypothesis is that an adversary is using RemoteDesktopPlus as a remote management tool to establish covert network connections for command and control or persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential C2 channels and mitigate advanced persistent threats leveraging RMM tools.
KQL Query

```kql
let Time_start = now(-5d);
let Time_end = now();
//
DeviceNetworkEvents
| where Timestamp between (Time_start..Time_end)
| where InitiatingProcessVersionInfoCompanyName has 'www.donkz.nl'
    and InitiatingProcessVersionInfoProductName has 'Remote Desktop Plus'
    and InitiatingProcessVersionInfoOriginalFileName has 'rdp.exe'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
    RemoteUrl
```
```yaml
id: 933cd845-059b-46e6-8f2b-261fad9ff998
name: Remote Management and Monitoring tool - RemoteDesktopPlus - Network Connection
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics: CommandAndControl
relevantTechniques: T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceNetworkEvents
  | where Timestamp between (Time_start..Time_end)
  | where InitiatingProcessVersionInfoCompanyName has 'www.donkz.nl'
      and InitiatingProcessVersionInfoProductName has 'Remote Desktop Plus'
      and InitiatingProcessVersionInfoOriginalFileName has 'rdp.exe'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
      RemoteUrl
```
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled Maintenance Task Using Remote Desktop Plus
Description: A system administrator schedules a maintenance task using Remote Desktop Plus to remotely reboot a server during off-peak hours.
Filter/Exclusion: process.name != "RemoteDesktopPlus.exe" OR event_id == 41 (for system reboots) OR process.parent.name == "TaskScheduler.exe"

Scenario: Remote Desktop Plus Used for Remote PowerShell Session
Description: An IT admin uses Remote Desktop Plus to establish a remote session and then runs a PowerShell script to update software on a remote machine.
Filter/Exclusion: process.name != "powershell.exe" OR process.parent.name != "RemoteDesktopPlus.exe" OR process.command_line contains "Update-Software"

Scenario: Remote Monitoring Tool Configuration via Remote Desktop Plus
Description: An admin uses Remote Desktop Plus to access a remote machine and configure the RMM tool (e.g., ConnectWise, Kaseya) to monitor endpoint health.
Filter/Exclusion: process.name != "RemoteDesktopPlus.exe" OR process.command_line contains "configure RMM tool"

Scenario: Remote Desktop Plus Used for File Transfer Between Servers
Description: A sysadmin uses Remote Desktop Plus to transfer configuration files between two internal servers as part of a deployment process.
Filter/Exclusion: process.name != "RemoteDesktopPlus.exe" OR file.hash == "known-internal-file-hash"

Scenario: Remote Desktop Plus Used for Patch Deployment
Description: A patch management task is executed via Remote Desktop Plus to apply updates to multiple endpoints in a lab environment.
Filter/Exclusion: process.name != "RemoteDesktopPlus.exe" OR event_id == 1006 (for patching events) OR process.command_line contains "apply patches"
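To see concretely what the hunting query above computes, and how an exclusion like those in the scenarios would narrow it, here is an added Python simulation of the query's where/summarize steps over constructed DeviceNetworkEvents rows. It is not part of the original rule or the linked repository; KQL `has` is approximated as a case-insensitive substring test, and the `excluded_remote_urls` allowlist is a hypothetical tuning knob that the original query does not have.

```python
from datetime import datetime, timedelta

# Constructed sample data (not real telemetry); T0 stands in for "now" in the query.
T0 = datetime(2024, 5, 1, 9, 0)
TIME_START, TIME_END = T0 - timedelta(days=5), T0  # mirrors now(-5d) .. now()

def ev(ts, dev, name, url, rid, company, product, fname):
    """Build one DeviceNetworkEvents-shaped row with the fields the query uses."""
    return {"Timestamp": ts, "DeviceId": dev, "DeviceName": name, "RemoteUrl": url,
            "ReportId": rid, "InitiatingProcessVersionInfoCompanyName": company,
            "InitiatingProcessVersionInfoProductName": product,
            "InitiatingProcessVersionInfoOriginalFileName": fname}

RDP_PLUS = ("www.donkz.nl", "Remote Desktop Plus", "rdp.exe")
SAMPLE_EVENTS = [
    ev(T0 - timedelta(hours=3), "dev-1", "ws01", "203.0.113.10", 101, *RDP_PLUS),  # match
    ev(T0 - timedelta(hours=1), "dev-1", "ws01", "203.0.113.10", 102,
       "WWW.DONKZ.NL", "Remote Desktop Plus", "RDP.EXE"),  # match: `has` ignores case
    ev(T0, "dev-2", "ws02", "203.0.113.10", 103, "Microsoft Corporation",
       "Microsoft Windows", "mstsc.exe"),  # unrelated RDP client: no match
    ev(T0 - timedelta(days=10), "dev-3", "ws03", "198.51.100.5", 104, *RDP_PLUS),  # outside window
]

def _has(value, term):
    """Approximate KQL `has` (case-insensitive term match) with a case-insensitive substring test."""
    return term.lower() in (value or "").lower()

def hunt_rdp_plus(events, time_start=TIME_START, time_end=TIME_END, excluded_remote_urls=()):
    """Reproduce the query's where/summarize steps. excluded_remote_urls is a hypothetical
    tuning allowlist (not in the original query) for documented admin jump hosts."""
    groups = {}
    for e in events:
        if not (time_start <= e["Timestamp"] <= time_end):
            continue  # outside the lookback window
        if not (_has(e["InitiatingProcessVersionInfoCompanyName"], "www.donkz.nl")
                and _has(e["InitiatingProcessVersionInfoProductName"], "Remote Desktop Plus")
                and _has(e["InitiatingProcessVersionInfoOriginalFileName"], "rdp.exe")):
            continue  # initiating process is not Remote Desktop Plus
        if e["RemoteUrl"] in excluded_remote_urls:
            continue  # known-good destination, tuned out
        key = (e["DeviceId"], e["DeviceName"], e["RemoteUrl"])
        g = groups.setdefault(key, {"FirstSeen": e["Timestamp"], "LastSeen": e["Timestamp"],
                                    "Report": set(), "Count": 0})
        g["FirstSeen"] = min(g["FirstSeen"], e["Timestamp"])
        g["LastSeen"] = max(g["LastSeen"], e["Timestamp"])
        g["Report"].add(e["ReportId"])  # make_set(ReportId)
        g["Count"] += 1  # count()
    return groups
```

Calling `hunt_rdp_plus(SAMPLE_EVENTS)` yields one row for ws01 with Count 2 and both ReportIds; passing `excluded_remote_urls=("203.0.113.10",)` suppresses it, which is the effect a tuned exclusion has on the hunt.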