The hypothesis is that an adversary is using the ScreenMeet remote-support tool to establish persistence: once its remote management process is running on an endpoint, it gives the attacker an interactive channel that can double as command and control or be used for data exfiltration. SOC teams should proactively hunt for this behavior in Microsoft Sentinel (formerly Azure Sentinel) and treat ScreenMeet on any device where it is not sanctioned as a potential compromise, rather than assuming an RMM tool on a managed endpoint is benign.
KQL Query
```kql
let Time_start = now(-5d);
let Time_end = now();
//
DeviceProcessEvents
| where Timestamp between (Time_start..Time_end)
| where ProcessVersionInfoCompanyName has 'Projector Inc'
    and ProcessVersionInfoProductName has 'ScreenMeet'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
            Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
```
```yaml
id: ed216e3a-ff25-41da-821f-93be217af439
name: Remote Management and Monitoring tool - ScreenMeet - Create Process
description: |
  Remote Monitoring and Management (RMM) programs are used by IT teams to manage remote endpoints. Attackers have begun to abuse these programs to persist or to provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceProcessEvents
  | where Timestamp between (Time_start..Time_end)
  | where ProcessVersionInfoCompanyName has 'Projector Inc'
      and ProcessVersionInfoProductName has 'ScreenMeet'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
              Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure the Microsoft Defender XDR data connector (connectorId `MicrosoftThreatProtection`) is enabled and streaming this table |
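The hunting query above collapses each device to a count and a set of report IDs, which tells you that ScreenMeet ran but not who ran it, from where, or what it talked to. The following is an added triage variant, not part of the original hunting query or the linked repository: it keeps the same version-metadata match, retains the binary path, hash, account, parent and command line needed to decide whether the instance is sanctioned, and joins the outbound connections made by ScreenMeet processes from DeviceNetworkEvents. The join on DeviceNetworkEvents and the choice of columns to keep are this example's assumptions.

```kql
// Added triage example (not the original hunting query).
let Time_start = now(-5d);
let Time_end = now();
// Process creations with ScreenMeet version metadata, keeping triage evidence
let ScreenMeetProcs = DeviceProcessEvents
| where Timestamp between (Time_start..Time_end)
| where ProcessVersionInfoCompanyName has 'Projector Inc'
    and ProcessVersionInfoProductName has 'ScreenMeet'
| project Timestamp, DeviceId, DeviceName, FileName, FolderPath, SHA256,
          ProcessCommandLine, AccountDomain, AccountName,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessAccountName, ReportId;
// Outbound connections whose initiating process carries the same metadata;
// these are the remote endpoints a ScreenMeet session is reaching
let ScreenMeetNet = DeviceNetworkEvents
| where Timestamp between (Time_start..Time_end)
| where InitiatingProcessVersionInfoCompanyName has 'Projector Inc'
    and InitiatingProcessVersionInfoProductName has 'ScreenMeet'
| where ActionType in ('ConnectionSuccess', 'ConnectionRequest')
| summarize RemoteHosts = make_set(coalesce(RemoteUrl, RemoteIP), 20),
            RemotePorts = make_set(RemotePort, 10),
            NetFirstSeen = min(Timestamp), NetLastSeen = max(Timestamp)
    by DeviceId;
ScreenMeetProcs
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Count = count(),
            Binaries = make_set(strcat(FolderPath, ' sha256=', SHA256), 10),
            Accounts = make_set(strcat(AccountDomain, '\\', AccountName), 10),
            Parents = make_set(InitiatingProcessFileName, 10),
            CommandLines = make_set(ProcessCommandLine, 10),
            Report = make_set(ReportId)
    by DeviceId, DeviceName
// Devices with process events but no matching network events are kept
| join kind=leftouter ScreenMeetNet on DeviceId
| project-away DeviceId1
| order by FirstSeen desc
```

A device whose Binaries set contains a path outside the expected install location, whose Accounts set is not a helpdesk or admin identity, or whose RemoteHosts set includes something other than the vendor's service endpoints is the row to open first.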
The exclusions below are expressed against DeviceProcessEvents columns (FileName, InitiatingProcessFileName, ProcessCommandLine, AccountName), since that is the table the query reads; the ECS-style names process.name, process.parent_process_name and user.name do not exist in this schema.

Scenario: An IT administrator uses ScreenMeet to remotely manage a user's endpoint and creates a process as part of a scheduled maintenance task.
Filter/Exclusion: Check FileName for the ScreenMeet binary and InitiatingProcessFileName for the sanctioned management agent that launched it. "Microsoft Endpoint Manager" and "Microsoft Intune" are product names, not process names, so match on the agent's actual executable.

Scenario: A scheduled job runs via ScreenMeet to perform system updates or patching on multiple endpoints.
Filter/Exclusion: Filter on ProcessCommandLine containing the known update scripts or paths used by legitimate patching tasks, and only on devices where ScreenMeet is sanctioned. A command line is attacker-controlled and is not evidence of legitimacy on its own.

Scenario: A system administrator uses ScreenMeet to monitor and troubleshoot a user's session, which temporarily creates a process on the endpoint.
Filter/Exclusion: Allow-list AccountName (together with AccountDomain) for known admin or IT support accounts. "Remote Desktop Services" is a Windows role, not a process name, and will not appear in InitiatingProcessFileName; identify the ScreenMeet component that hosts sessions from a known-good install and match on that instead.

Scenario: ScreenMeet is used to deploy a legitimate software update or configuration change across endpoints, which triggers process creation.
Filter/Exclusion: Filter on FileName matching the known deployment tooling, or on ProcessCommandLine containing the known update package names, again scoped to sanctioned devices.

Scenario: An IT helpdesk technician uses ScreenMeet to assist a user with a remote desktop session, which results in temporary process creation on the endpoint.
Filter/Exclusion: Use AccountName to identify known helpdesk users. Do not expect mstsc.exe as the parent: it is the RDP client and runs on the technician's machine, not on the assisted endpoint, so it cannot be the initiating process there.

In every scenario the anchor for an exclusion is the device and account inventory: ScreenMeet running on a device outside the sanctioned set is the finding regardless of how benign the command line or parent looks. Tune by narrowing the allow-list, not by dropping rows on strings an attacker can choose.
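The scenarios above all reduce to the same operation: keep every ScreenMeet process creation unless it occurs on a sanctioned device and carries at least one further sign of legitimate use. The following is an added tuned version of the hunting query, not part of the original page or the linked repository, that implements those exclusions with DeviceProcessEvents columns. The datatable contents (device names, account names), the Intune Management Extension executable used as the sample sanctioned parent, and the sample patching paths are placeholders to be replaced from your own inventory.

```kql
// Added tuning example (not the original hunting query). Allow-list contents
// are placeholders; populate them from your asset and identity inventory.
let Time_start = now(-5d);
let Time_end = now();
// Devices where ScreenMeet is expected (helpdesk and admin workstations)
let SanctionedDevices = datatable(DeviceName: string) [
    'helpdesk-ws-01.corp.example', 'it-admin-ws-07.corp.example'
];
// Accounts permitted to run ScreenMeet sessions
let HelpdeskAccounts = datatable(AccountName: string) [
    'svc-screenmeet', 'jdoe-helpdesk'
];
// Parent processes that legitimately launch ScreenMeet here; the Intune
// Management Extension service is used as the sample deployment agent
let KnownParents = dynamic(['Microsoft.Management.Services.IntuneWindowsAgent.exe']);
// Script or package paths used by sanctioned patching jobs (placeholders)
let KnownUpdatePaths = dynamic([@'\\corp\sccm\updates\', 'C:\\IT\\Patching\\']);
DeviceProcessEvents
| where Timestamp between (Time_start..Time_end)
| where ProcessVersionInfoCompanyName has 'Projector Inc'
    and ProcessVersionInfoProductName has 'ScreenMeet'
| extend IsSanctionedDevice = DeviceName in~ (SanctionedDevices),
         IsHelpdeskAccount  = AccountName in~ (HelpdeskAccounts),
         IsKnownParent      = InitiatingProcessFileName in~ (KnownParents),
         IsKnownUpdate      = ProcessCommandLine has_any (KnownUpdatePaths)
// Drop only the combinations the scenarios describe. A helpdesk account or a
// known update path on an unsanctioned device is still reported, because
// account names in a command line and the command line itself are
// attacker-controlled and are not evidence on their own.
| where not(IsSanctionedDevice and (IsHelpdeskAccount or IsKnownParent or IsKnownUpdate))
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Count = count(),
            Accounts = make_set(AccountName, 10),
            Parents = make_set(InitiatingProcessFileName, 10),
            CommandLines = make_set(ProcessCommandLine, 10),
            Report = make_set(ReportId)
    by DeviceId, DeviceName, IsSanctionedDevice
// Unsanctioned devices first: those are the hits that matter
| order by IsSanctionedDevice asc, FirstSeen desc
```

Keeping IsSanctionedDevice in the output rather than filtering on it lets the analyst see sanctioned devices that failed the secondary checks (an unknown account or parent on a helpdesk workstation) without them being mixed in with the unsanctioned hits.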