The detection identifies the use of ServerEye, a remote management tool, to create processes that may indicate adversary persistence or command and control activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect potential compromise of endpoints managed by RMM tools.
KQL Query

```kql
let Time_start = now(-5d);
let Time_end = now();
//
DeviceProcessEvents
| where Timestamp between (Time_start..Time_end)
| where ProcessVersionInfoCompanyName has 'Krämer IT Solutions GmbH'
    and ProcessVersionInfoProductName has_any (
        'ServerEye',
        'Server-Eye'
    )
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
```
```yaml
id: 620a171b-e35d-43cd-8544-b725421e3364
name: Remote Management and Monitoring tool - ServerEye - Create Process
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics: CommandAndControl
relevantTechniques: T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceProcessEvents
  | where Timestamp between (Time_start..Time_end)
  | where ProcessVersionInfoCompanyName has 'Krämer IT Solutions GmbH'
      and ProcessVersionInfoProductName has_any (
          'ServerEye',
          'Server-Eye'
      )
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: A system administrator is using ServerEye to remotely deploy a scheduled task via its built-in task scheduling feature.
Filter/Exclusion: Check for CommandLine containing known legitimate task scheduling commands (e.g., schtasks.exe /create) or filter by user (e.g., user == "admin") and process name (process.name == "ServerEye.exe").
Scenario: A ServerEye agent is being used to monitor and manage a remote server, which triggers the creation of a process on the monitored system as part of its normal operation.
Filter/Exclusion: Filter by process.parent.name == "ServerEye.exe" or include a whitelist of known legitimate child processes spawned by ServerEye.
Scenario: An IT team is using ServerEye to remotely install a patch or update on multiple endpoints, which results in the creation of a temporary process during the installation.
Filter/Exclusion: Include a whitelist of known patching or update-related processes (e.g., msiexec.exe, setup.exe) or check for process.name matching known legitimate installation tools.
Scenario: A ServerEye integration with a third-party monitoring tool (e.g., Nagios) is configured to trigger a process creation on the monitored system as part of a health check.
Filter/Exclusion: Filter by process.name matching the health check tool (e.g., nagios-check.exe) or include a rule that checks for process.parent.name == "ServerEye.exe" and process.name in a known whitelist.
Scenario: A ServerEye endpoint is used to run a legitimate administrative script (e.g., PowerShell.exe) as part of routine system maintenance.
Filter/Exclusion: Filter by process.name == "PowerShell.exe" and check for `CommandLine
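The scenarios above describe their exclusions in a generic process.name / process.parent.name vocabulary. In the DeviceProcessEvents table the parent is InitiatingProcessFileName, the created process is FileName, its arguments are ProcessCommandLine and the user is AccountName. The query below is an added example, not the original rule and not code from the linked repository: it keeps the original ServerEye match and layers the scenario exclusions on top, and it also extends the match to children of a ServerEye parent (via InitiatingProcessVersionInfoProductName and InitiatingProcessFileName), which the original query does not do. The allow-list contents and the `rmm-admin` account are placeholders to be replaced with values baselined in your own environment.

```kql
// Added example (not the original rule's query): ServerEye match plus the scenario tuning,
// written against DeviceProcessEvents column names.
// Assumptions: AllowedChildren and AdminAccounts are placeholders, not a vendor-published list.
let Time_start = now(-5d);
let Time_end = now();
// Child processes the scenarios describe as expected during patching or health checks
let AllowedChildren = dynamic(['msiexec.exe', 'setup.exe', 'nagios-check.exe']);
// Accounts approved to drive ServerEye for routine maintenance (placeholder value)
let AdminAccounts = dynamic(['rmm-admin']);
DeviceProcessEvents
| where Timestamp between (Time_start..Time_end)
// Either the created process is a ServerEye binary (the original rule) or its parent is
// a ServerEye binary (the child-process scenarios); the second branch extends the original
| where (ProcessVersionInfoCompanyName has 'Krämer IT Solutions GmbH'
         and ProcessVersionInfoProductName has_any ('ServerEye', 'Server-Eye'))
     or InitiatingProcessVersionInfoProductName has_any ('ServerEye', 'Server-Eye')
     or InitiatingProcessFileName =~ 'ServerEye.exe'
| extend ParentName = tolower(InitiatingProcessFileName), ChildName = tolower(FileName)
| extend AgentParent = InitiatingProcessVersionInfoProductName has_any ('ServerEye', 'Server-Eye')
                       or InitiatingProcessFileName =~ 'ServerEye.exe'
// Patching, installer and health-check children spawned by the agent are expected
| where not(AgentParent and ChildName in~ (AllowedChildren))
// Routine PowerShell maintenance by an approved account is expected;
// PowerShell launched under any other account stays in scope
| where not(AgentParent and ChildName == 'powershell.exe' and AccountName in~ (AdminAccounts))
// Scheduled-task creation through the agent by an approved account is expected
| where not(AgentParent and ChildName == 'schtasks.exe'
            and ProcessCommandLine has '/create' and AccountName in~ (AdminAccounts))
// Keep the child and its command line visible instead of collapsing to device level,
// and sort rarest first so one-off children stand out during a hunt
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp), Count=count(),
    CommandLines=make_set(ProcessCommandLine, 10), Report=make_set(ReportId)
    by DeviceId, DeviceName, AccountName, ParentName, ChildName
| order by Count asc
```

Summarizing by ParentName and ChildName rather than only by device is what makes the exclusions reviewable: each row shows which agent-spawned child produced the hit and under which account, so an analyst can decide whether a row belongs in the allow-list or is the persistence or C2 activity the rule is meant to surface.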