Attackers may be using remote management tools to create persistence or establish command and control channels by executing malicious processes. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect potential adversary use of RMM tools for long-term access and exfiltration.
KQL Query

```kql
let Time_start = now(-5d);
let Time_end = now();
//
DeviceProcessEvents
| where Timestamp between (Time_start..Time_end)
| where ProcessVersionInfoCompanyName has 'RealVNC'
    and ProcessVersionInfoProductName has 'rport'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
```
```yaml
id: c9f414d3-beeb-4837-a5a1-cb5da313e37f
name: Remote Management and Monitoring tool - RPort - Create Process
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics: CommandAndControl
relevantTechniques: T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceProcessEvents
  | where Timestamp between (Time_start..Time_end)
  | where ProcessVersionInfoCompanyName has 'RealVNC'
      and ProcessVersionInfoProductName has 'rport'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
| Benign scenario | Filter/Exclusion |
|---|---|
| A system administrator is using Microsoft Intune to deploy a scheduled task via remote management to patch a critical vulnerability. | Exclude processes initiated by Microsoft Intune or tasks scheduled via Task Scheduler with a known patching or compliance policy. |
| A SolarWinds agent is being updated via a legitimate remote management tool as part of routine maintenance. | Exclude processes initiated by SolarWinds or related to its update mechanisms, using the process name or command line arguments. |
| An Ansible playbook is executed remotely to configure a group of servers, which includes creating a process for a service like nginx or apache. | Exclude processes initiated by ansible or related to configuration management tasks, using the command line or parent process information. |
| A Microsoft Endpoint Manager (MEM) task is run to install a security update, which creates a temporary process to deploy the update. | Exclude processes associated with Microsoft Endpoint Manager or known update deployment tasks, using the process name or parent process context. |
| A Kaseya VSA agent is being managed remotely, and a process is created as part of a routine system health check or log collection. | Exclude processes initiated by Kaseya VSA or related to system monitoring and health checks, using the process name or command line arguments. |
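The scenarios above describe exclusions in words only. The following is an added example, not part of the original detection or the linked repository, showing how the same RPort hunt can carry a tunable allowlist for approved parent processes and command-line fragments, and how to surface the parent process and account in the result so an analyst can judge the remaining hits. The `BenignInitiators` and `BenignCmdlineFragments` values are placeholders to be replaced with what is actually observed in the tenant; the `InitiatingProcessFileName`, `ProcessCommandLine` and `AccountName` columns are standard fields of the `DeviceProcessEvents` table.

```kql
// Added example: RPort process-creation hunt with an allowlist for the
// benign RMM scenarios (Intune/MEM, SolarWinds, Ansible, Kaseya VSA).
let Time_start = now(-5d);
let Time_end = now();
// Placeholder allowlist of parent (initiating) processes that are approved
// to launch management activity in this environment. Replace with the
// file names observed in your own tenant.
let BenignInitiators = dynamic([
    "intune_agent_placeholder.exe",      // Microsoft Intune / Endpoint Manager agent
    "solarwinds_agent_placeholder.exe",  // SolarWinds agent update mechanism
    "ansible_runner_placeholder.exe",    // configuration management
    "kaseya_agent_placeholder.exe"       // Kaseya VSA agent
]);
// Placeholder command-line fragments tied to approved patching or
// compliance tasks (e.g. a scheduled-task or policy name).
let BenignCmdlineFragments = dynamic([
    "patch_policy_placeholder",
    "compliance_task_placeholder"
]);
DeviceProcessEvents
| where Timestamp between (Time_start..Time_end)
| where ProcessVersionInfoCompanyName has 'RealVNC'
    and ProcessVersionInfoProductName has 'rport'
// Drop events whose parent is an approved management agent
| where not(InitiatingProcessFileName in~ (BenignInitiators))
// Drop events whose command line matches an approved maintenance task
| where not(ProcessCommandLine has_any (BenignCmdlineFragments))
// Keep parent and command-line context so remaining hits can be triaged
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count(),
    Parents=make_set(InitiatingProcessFileName),
    CommandLines=make_set(ProcessCommandLine, 10)
    by DeviceId, DeviceName, AccountName
| order by LastSeen desc
```

Allowlisting by parent process name alone is weak on its own, since a file name is trivially chosen by whoever controls the host; pairing it with the parent's folder path or signer (`InitiatingProcessFolderPath`, also a standard column) makes the exclusion harder to satisfy by accident, and the `Parents` and `CommandLines` sets in the output let the analyst confirm what was actually filtered out.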