The detection identifies the use of the ShowMyPC tool to create remote processes, which is indicative of adversaries leveraging RMM tools for persistence or command and control. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect potential adversary exploitation of legitimate remote management capabilities.
KQL Query
let Time_start = now(-5d);
let Time_end = now();
//
DeviceProcessEvents
| where Timestamp between (Time_start..Time_end)
| where ProcessVersionInfoCompanyName has 'ShowMyPC'
and ProcessVersionInfoProductName has 'ShowMyPC'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
id: 014b6036-6475-48f3-b859-0c47e48fb469
name: Remote Management and Monitoring tool - ShowMyPC - Create Process
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceProcessEvents
  | where Timestamp between (Time_start..Time_end)
  | where ProcessVersionInfoCompanyName has 'ShowMyPC'
      and ProcessVersionInfoProductName has 'ShowMyPC'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: IT Admin Uses ShowMyPC to Remotely Manage a System
Description: A legitimate IT administrator uses ShowMyPC to remotely access and manage a workstation or server.
Filter/Exclusion: process.parent_process_name == "ShowMyPC.exe" or process.user == "IT_Administrator_Account"
Scenario: Scheduled Job Runs ShowMyPC for System Maintenance
Description: A scheduled task is configured to run ShowMyPC to perform routine system checks or updates.
Filter/Exclusion: process.parent_process_name == "schtasks.exe" or process.command_line contains "scheduled maintenance"
Scenario: ShowMyPC is Used for Remote Support by Help Desk
Description: The help desk uses ShowMyPC to provide remote support to end-users, which involves creating processes on remote systems.
Filter/Exclusion: process.user contains "HelpDeskUser" or process.command_line contains "remote support"
Scenario: ShowMyPC is Integrated with Endpoint Protection Tools
Description: ShowMyPC is used in conjunction with an endpoint protection tool, which may trigger process creation as part of integration or policy enforcement.
Filter/Exclusion: process.parent_process_name == "endpoint_protection_tool.exe" or process.command_line contains "integration"
Scenario: ShowMyPC is Used for Software Deployment via Group Policy
Description: ShowMyPC is leveraged to deploy software updates or configurations via Group Policy, which may result in process creation on target systems.
Filter/Exclusion: process.parent_process_name == "gpupdate.exe" or process.command_line contains "software deployment"
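Added example, not part of the original rule: the detection above with the benign scenarios expressed as a tuning allowlist, written against the real DeviceProcessEvents columns (InitiatingProcessFileName, AccountName, ProcessCommandLine, SHA256). The approved parent-process and account values are placeholders for your environment's own values.

```kql
// Added example (not the page's own rule): tuned ShowMyPC process-creation hunt.
let Time_start = now(-5d);
let Time_end = now();
// Placeholders: replace with the launchers and accounts approved for RMM use.
let ApprovedParents = dynamic(["schtasks.exe", "endpoint_protection_tool.exe", "gpupdate.exe"]);
let ApprovedAccounts = dynamic(["it_administrator_placeholder", "helpdesk_placeholder"]);
DeviceProcessEvents
| where Timestamp between (Time_start..Time_end)
// Match on the signed binary's version metadata, as the original rule does
| where ProcessVersionInfoCompanyName has 'ShowMyPC'
    and ProcessVersionInfoProductName has 'ShowMyPC'
// Exclusions mirroring the documented benign scenarios (case-insensitive)
| where not(InitiatingProcessFileName in~ (ApprovedParents))
| where not(AccountName in~ (ApprovedAccounts))
// Keep the original summary fields and add context an analyst needs to triage
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count(),
    Launchers=make_set(InitiatingProcessFileName),
    Accounts=make_set(AccountName),
    CommandLines=make_set(ProcessCommandLine, 10),
    Hashes=make_set(SHA256)
    by DeviceId, DeviceName
| order by FirstSeen asc
```

Blanket exclusions on a parent process or account also hide misuse of that same path (for example a scheduled task an intruder created), so scope each exclusion to the specific task names, command lines or hashes you have verified rather than the whole launcher.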