Attackers may be using Remote Management and Monitoring tools to establish covert network connections for command and control or persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect potential adversary use of RMM tools for C2 or persistence.
KQL Query

```kql
let Time_start = now(-5d);
let Time_end = now();
//
DeviceNetworkEvents
| where Timestamp between (Time_start..Time_end)
| where InitiatingProcessVersionInfoCompanyName has 'RealVNC'
    and InitiatingProcessVersionInfoProductName has 'rport'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
    RemoteUrl
```
```yaml
id: a464ea00-ed87-465f-8269-4b6927d9edfa
name: Remote Management and Monitoring tool - RPort - Network Connection
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceNetworkEvents
  | where Timestamp between (Time_start..Time_end)
  | where InitiatingProcessVersionInfoCompanyName has 'RealVNC'
      and InitiatingProcessVersionInfoProductName has 'rport'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
      RemoteUrl
```
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
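A tuned variant of the hunt, added here as an example rather than taken from the rule above or from the linked repository: it suppresses connections to the organisation's own RPort servers via an allowlist and ranks what remains so public, unlisted destinations surface first. The allowlist hostnames are constructed placeholders, and the `rport.exe` file-name match is an added assumption about the client binary name, not something the original rule relies on.

```kql
// Added tuning example; not the page's rule or the linked project's own code.
let Time_start = now(-5d);
let Time_end = now();
// Constructed placeholder allowlist of sanctioned RPort servers: replace with your own.
let SanctionedRportServers = datatable(RemoteUrl:string) [
    "rport.corp.example",
    "rport-backup.corp.example"
];
DeviceNetworkEvents
| where Timestamp between (Time_start..Time_end)
// Same version-resource fingerprint as the hunt above; the file-name clause is an
// assumption added to catch builds whose version info has been stripped or rewritten.
| where (InitiatingProcessVersionInfoCompanyName has 'RealVNC'
         and InitiatingProcessVersionInfoProductName has 'rport')
     or InitiatingProcessFileName =~ 'rport.exe'
// Keep only outbound connection attempts/successes; ignore listening and inbound noise
| where ActionType in ('ConnectionRequest', 'ConnectionSuccess')
// Drop connections to the organisation's own RPort servers (case-insensitive)
| where RemoteUrl !in~ (SanctionedRportServers)
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp), Count=count(),
            Report=make_set(ReportId, 20),
            RemoteIPs=make_set(RemoteIP, 10), RemotePorts=make_set(RemotePort, 10),
            CommandLines=make_set(InitiatingProcessCommandLine, 5)
    by DeviceId, DeviceName, RemoteUrl, RemoteIPType,
       InitiatingProcessAccountName, InitiatingProcessFolderPath, InitiatingProcessSHA256
// 1 = triage first: public destination not on the allowlist;
// 2 = no resolved hostname (raw IP only); 3 = private/other destination
| extend PriorityRank = case(RemoteIPType == 'Public', 1,
                             isempty(RemoteUrl), 2,
                             3)
| order by PriorityRank asc, LastSeen desc
```

Grouping on InitiatingProcessSHA256 and InitiatingProcessFolderPath lets an analyst tell a sanctioned, centrally deployed client apart from a copy dropped in a user-writable directory, even when both talk to the same server.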
Scenario: Scheduled Maintenance Task Using RMM Tool
Description: A legitimate scheduled task is initiated via an RMM tool (e.g., Kaseya, ConnectWise, or ManageEngine) to perform routine system updates or patching.
Filter/Exclusion: process.name IN ("msiexec.exe", "setup.exe", "patch.exe") OR process.parent_process.name IN ("RMM_TOOL_NAME.exe")
Scenario: Remote System Reboot via RMM Tool
Description: An IT admin uses an RMM tool to remotely reboot a server or endpoint as part of maintenance or troubleshooting.
Filter/Exclusion: process.name == "taskhostw.exe" OR process.command_line CONTAINS "shutdown /r"
Scenario: Remote File Transfer for Software Deployment
Description: A file transfer occurs via an RMM tool (e.g., using a built-in file transfer feature) to deploy software or configuration changes across endpoints.
Filter/Exclusion: process.name == "RMM_TOOL_NAME.exe" OR file.hash IN ("known_deployment_hashes")
Scenario: Remote PowerShell Script Execution for System Monitoring
Description: An admin uses an RMM tool to execute a PowerShell script for system monitoring or log collection on a remote endpoint.
Filter/Exclusion: process.name == "powershell.exe" AND process.parent_process.name == "RMM_TOOL_NAME.exe" AND (process.command_line CONTAINS "monitoring" OR process.command_line CONTAINS "log" OR process.command_line CONTAINS "audit")
Scenario: Remote Database Backup via RMM Tool
Description: A database backup is initiated remotely using an RMM tool (e.g., via a scheduled job in SQL Server Management Studio or similar tool).
Filter/Exclusion: process.name == "sqlservr.exe" OR