The hypothesis is that an adversary is using the SimpleHelp remote support tool to spawn processes on managed endpoints as part of establishing persistence or a command and control channel. SOC teams should proactively hunt for this behavior in Microsoft Sentinel (formerly Azure Sentinel), using the Defender for Endpoint process telemetry in DeviceProcessEvents, to identify potential compromise of remote endpoints managed by RMM tools. Note that the query below keys on the version information of the running process itself, so it surfaces executions of SimpleHelp components on a device; to see what those components then launched, pivot on the InitiatingProcess* fields of the same table.
KQL Query
let Time_start = now(-5d);
let Time_end = now();
// Match on the binary's own version metadata rather than its file name, so a renamed
// SimpleHelp executable is still caught (the attacker would also have to strip the resource).
DeviceProcessEvents
| where Timestamp between (Time_start..Time_end)
| where ProcessVersionInfoCompanyName has 'SimpleHelp'
and ProcessVersionInfoProductName has 'SimpleHelp'
// One row per device: first/last execution, the ReportIds to pivot on, and volume
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
id: 76d5ccb5-d3e0-4081-bced-74adadc26958
name: Remote Management and Monitoring tool - SimpleHelp - Create Process
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or to provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  // Match on the binary's own version metadata rather than its file name, so a renamed
  // SimpleHelp executable is still caught (the attacker would also have to strip the resource).
  DeviceProcessEvents
  | where Timestamp between (Time_start..Time_end)
  | where ProcessVersionInfoCompanyName has 'SimpleHelp'
  and ProcessVersionInfoProductName has 'SimpleHelp'
  // One row per device: first/last execution, the ReportIds to pivot on, and volume
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
  Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Populated by the MicrosoftThreatProtection (Microsoft Defender XDR) data connector listed under requiredDataConnectors; ensure that connector is enabled and that DeviceProcessEvents is selected |
The benign scenarios below are written in a generic field:value filter notation rather than KQL; in DeviceProcessEvents the equivalent fields are InitiatingProcessFileName (parent), FileName (process) and ProcessCommandLine (arguments). Treat them as starting points: an exclusion keyed only on a parent name and a package file name is easy for an adversary to satisfy, so tie each one to your known installer paths or hashes before deploying it.
Scenario: System Administrator Creates a Process via SimpleHelp for Patch Management
Description: A system administrator uses SimpleHelp to deploy a patching process across endpoints.
Filter/Exclusion: process.parent_process_name:"SimpleHelp.exe" and process.name:"msiexec.exe" and process.args:"/i" and process.args:"patch.msi"
Scenario: Scheduled Job via SimpleHelp for System Maintenance
Description: A scheduled job is configured through SimpleHelp to run a system cleanup or log rotation task.
Filter/Exclusion: process.parent_process_name:"SimpleHelp.exe" and process.name:"schtasks.exe" and process.args:"/create"
Scenario: IT Team Uses SimpleHelp to Deploy a Custom Monitoring Agent
Description: The IT team deploys a custom monitoring agent using SimpleHelp to monitor endpoint health.
Filter/Exclusion: process.parent_process_name:"SimpleHelp.exe" and process.name:"setup.exe" and process.args:"/silent" and process.args:"/install"
Scenario: Admin Uses SimpleHelp to Install a Legitimate Third-Party Tool
Description: An admin uses SimpleHelp to install a legitimate third-party application like Microsoft Endpoint Manager or a security tool.
Filter/Exclusion: process.parent_process_name:"SimpleHelp.exe" and process.name:"msiexec.exe" and process.args:"/i" and process.args:"MicrosoftEndpointManager.msi"
Scenario: SimpleHelp is Used to Launch a Legitimate Remote Desktop Session
Description: An admin uses SimpleHelp to initiate a remote desktop session to troubleshoot an endpoint.
Filter/Exclusion: process.parent_process_name:"SimpleHelp.exe" and process.name:"mstsc.exe"
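The hunting query at the top of the page matches on the version information of the process itself, so it surfaces executions of SimpleHelp components, not what SimpleHelp went on to launch. The query below is an added example written for this page (not part of the original rule or the linked repository): it pivots to the child processes by matching the InitiatingProcess* version fields of DeviceProcessEvents, then removes the five benign scenarios listed above so that the remaining rows are the children of the RMM agent that nobody has explained yet. Assumptions: the parent file name "SimpleHelp.exe" and the package names patch.msi and MicrosoftEndpointManager.msi are taken from the scenarios as placeholders, and should be replaced with the installer names and paths actually used in your environment.

```kql
// Added example, not the original rule: processes spawned by SimpleHelp, minus known-good activity.
let Time_start = now(-5d);
let Time_end = now();
// Placeholder package names copied from the false-positive scenarios above (assumption: replace with your own).
let BenignMsi = dynamic(["patch.msi", "MicrosoftEndpointManager.msi"]);
DeviceProcessEvents
| where Timestamp between (Time_start .. Time_end)
// The *initiating* process is the SimpleHelp component, so these rows are its children.
| where InitiatingProcessVersionInfoCompanyName has "SimpleHelp"
    or InitiatingProcessVersionInfoProductName has "SimpleHelp"
    or InitiatingProcessFileName =~ "SimpleHelp.exe"        // parent name used by the scenarios above (assumption)
// Scenarios 1 and 4: msiexec /i with a known package name.
// " /i " is matched with contains because a one-letter switch is not a reliable term for has.
| where not (FileName =~ "msiexec.exe" and ProcessCommandLine contains " /i " and ProcessCommandLine has_any (BenignMsi))
// Scenario 2: scheduled task creation for maintenance.
| where not (FileName =~ "schtasks.exe" and ProcessCommandLine has "create")
// Scenario 3: silent install of the monitoring agent.
| where not (FileName =~ "setup.exe" and ProcessCommandLine has_all ("silent", "install"))
// Scenario 5: admin opens a remote desktop session from the SimpleHelp session.
| where not (FileName =~ "mstsc.exe")
// Summarise per device, account and child image; keep up to 20 distinct command lines for triage.
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp), Count=count(),
    CommandLines=make_set(ProcessCommandLine, 20), Report=make_set(ReportId)
    by DeviceId, DeviceName, AccountName, FileName, InitiatingProcessFileName
// Rare children of the RMM agent are the interesting ones, so list them first.
| order by Count asc
```

The exclusions are deliberately written as negated `where` clauses, one per scenario, so that a single scenario can be removed or tightened (for example by adding a FolderPath check for the installer) without touching the rest of the query. Run it alongside the original rule: a device that appears in the first query but has no unexplained children here is a SimpleHelp execution that matched only the benign patterns, which is worth a second look only if the account or time of day is unusual.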