The hypothesis is that an adversary is using RemoteUtilities to create persistence or establish a command and control channel by executing malicious processes on remote endpoints. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect potential abuse of RMM tools by threat actors leveraging T1219 techniques for long-term access and exfiltration.
KQL Query
let Time_start = now(-5d);
let Time_end = now();
//
DeviceProcessEvents
| where Timestamp between (Time_start..Time_end)
| where ProcessVersionInfoCompanyName has 'Remote Utilities'
and ProcessVersionInfoProductName has 'Remote Utilities'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
id: 3d1b2b49-432a-4592-bb9c-ef4b260736bc
name: Remote Management and Monitoring tool - RemoteUtilities - Create Process
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics: CommandAndControl
relevantTechniques: T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceProcessEvents
  | where Timestamp between (Time_start..Time_end)
  | where ProcessVersionInfoCompanyName has 'Remote Utilities'
      and ProcessVersionInfoProductName has 'Remote Utilities'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: Scheduled Job Execution by RemoteUtilities
Description: A legitimate scheduled job is run via RemoteUtilities to perform routine system maintenance or patching.
Filter/Exclusion: process.parent_process_name != "RemoteUtilities" or process.command_line contains "scheduled_task"
Scenario: Remote Desktop Services (RDS) Session Management
Description: An admin is using RemoteUtilities to manage a remote desktop session, which may involve creating processes on the remote machine.
Filter/Exclusion: process.parent_process_name contains "mstsc.exe" or process.command_line contains "mstsc"
Scenario: System Update Deployment via RemoteUtilities
Description: IT administrators use RemoteUtilities to deploy system updates across multiple endpoints, which may trigger process creation.
Filter/Exclusion: process.command_line contains "wuauclt.exe" or process.command_line contains "update"
Scenario: Admin Task Execution via RemoteUtilities
Description: An admin is using RemoteUtilities to execute a PowerShell script or command-line tool for system configuration or monitoring.
Filter/Exclusion: process.parent_process_name contains "powershell.exe" or process.command_line contains "powershell"
Scenario: Log Collection via RemoteUtilities
Description: A legitimate log collection task is initiated using RemoteUtilities to gather system logs from remote endpoints.
Filter/Exclusion: process.command_line contains "logcollect" or process.command_line contains "log"
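The hunt and the tuning scenarios above combined into one query, as an added example rather than the page's or the repository's own query. It goes one step beyond the page's match: besides the Remote Utilities binary itself being launched, it also catches processes whose parent carries the Remote Utilities version info (the InitiatingProcessVersionInfoCompanyName and InitiatingProcessVersionInfoProductName columns of the Defender advanced hunting schema), which is the process-creation case the scenarios describe; the ApprovedRmmHosts list is a constructed placeholder.

```kql
let Time_start = now(-5d);
let Time_end = now();
// Constructed placeholder: hosts where IT is expected to run Remote Utilities.
let ApprovedRmmHosts = datatable(DeviceName:string) ["ITADMIN-WS01", "ITADMIN-WS02"];
DeviceProcessEvents
| where Timestamp between (Time_start .. Time_end)
// Either the created process is a Remote Utilities binary (the page's hunt) or
// its parent is, which is the "create process" case the scenarios describe.
| extend RmmLaunched  = ProcessVersionInfoCompanyName has "Remote Utilities"
                        and ProcessVersionInfoProductName has "Remote Utilities",
         SpawnedByRmm = InitiatingProcessVersionInfoCompanyName has "Remote Utilities"
                        and InitiatingProcessVersionInfoProductName has "Remote Utilities"
| where RmmLaunched or SpawnedByRmm
| extend CmdLine = tolower(ProcessCommandLine)
| where DeviceName !in~ (ApprovedRmmHosts)
// Tuning from the scenarios above, applied only to spawned children and using
// the specific tokens rather than the broad "update" / "log" substrings.
| where not(SpawnedByRmm and (
        CmdLine has "scheduled_task"                              // scheduled jobs
        or FileName =~ "mstsc.exe" or CmdLine has "mstsc"         // RDS sessions
        or CmdLine has "wuauclt.exe"                              // update deployment
        or CmdLine has "logcollect"))                             // log collection
// Script hosts spawned by the RMM tool are counted and ranked, not excluded.
| extend ScriptHostChild = SpawnedByRmm
    and FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe")
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            RmmBinaries = make_set_if(FileName, RmmLaunched, 10),
            SpawnedChildren = make_set_if(FileName, SpawnedByRmm, 25),
            ChildCommandLines = make_set_if(ProcessCommandLine, SpawnedByRmm, 10),
            Accounts = make_set(AccountName, 10),
            ScriptHostLaunches = countif(ScriptHostChild),
            Report = make_set(ReportId), Count = count()
    by DeviceId, DeviceName
| order by ScriptHostLaunches desc, Count desc
```

Devices outside the approved list with script hosts spawned by Remote Utilities sort to the top; the Report set keeps the ReportId values needed to pivot back to the individual events.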