Unusual network connections to known Splashtop RMM services may indicate adversary use of remote management tooling for persistence or command and control. SOC teams should proactively hunt for this behavior in Microsoft Sentinel (formerly Azure Sentinel), using Defender for Endpoint DeviceNetworkEvents telemetry, to identify endpoints compromised through abused remote management infrastructure. Because the query also requires the initiating process to carry Splashtop version information, it surfaces the Splashtop client and streamer binaries themselves rather than, for example, a browser visiting the vendor's website.
KQL Query
```kql
let Time_start = now(-5d);
let Time_end = now();
//
DeviceNetworkEvents
| where Timestamp between (Time_start..Time_end)
| where RemoteUrl has_any (
    'splashtop.com',
    'splashtop.eu'
    )
    and InitiatingProcessVersionInfoCompanyName has 'Splashtop'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
    RemoteUrl
```
```yaml
id: 7253fc17-ed4b-4c54-9612-7ad48274c294
name: Remote Management and Monitoring tool - Splashtop - Network Connection
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceNetworkEvents
  | where Timestamp between (Time_start..Time_end)
  | where RemoteUrl has_any (
      'splashtop.com',
      'splashtop.eu'
      )
      and InitiatingProcessVersionInfoCompanyName has 'Splashtop'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
      RemoteUrl
```
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure the Microsoft Defender XDR (MicrosoftThreatProtection) data connector is enabled and streaming this table |
| Scenario | Filter/Exclusion |
|---|---|
| Splashtop is used for legitimate remote desktop access by IT administrators to support end-users. | Exclude events where `LocalIP` falls within the helpdesk or admin-workstation ranges, or where `InitiatingProcessAccountName` is a known helpdesk account. On the supported endpoint the Splashtop streamer typically runs as a Windows service, so the account filter is most useful on the administrator's side of the session. |
| A scheduled job runs via Splashtop to perform system updates or patch management on remote endpoints. | The query only matches processes whose version info names Splashtop, so excluding Windows Update, SCCM or Ansible processes has no effect. Exclude the specific devices (`DeviceName`) and maintenance windows (`hourofday(Timestamp)`) in which the job is expected to run. |
| An administrator uses Splashtop to remotely configure a firewall or router via a managed device. | `RemoteUrl` and `RemotePort` in these events always point at the Splashtop relay, not at the firewall or router, so port-based exclusions (22, 443) do not apply. Exclude by the managed device and the administrator's account instead. |
| Splashtop is used to monitor and manage a virtual private server (VPS) or cloud instance. | The cloud instance is the far end of the Splashtop session and does not appear as `RemoteIP` here. If the instance itself is onboarded to Defender for Endpoint, exclude it by `DeviceName` together with the known cloud admin account; otherwise exclude the admin's workstation. |
| A user connects to their own device using Splashtop for remote access during off-hours. | Keep the event but suppress alerting when `InitiatingProcessAccountName` is a known employee and `hourofday(Timestamp)` falls within their approved remote-work hours. Off-hours connections from accounts with no approved remote access remain the most interesting hits. |
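The exclusions from the table above applied to the page's query, as one added example that is not part of the original hunting query or the linked repository. The subnets, account names and approved hours are placeholder assumptions; every column used exists in DeviceNetworkEvents, and the summarize step also pulls in the initiating process, folder, parent and hash so that a hit can be triaged without a second query.

```kql
// Added example, not the original hunting query: Splashtop network hunt with
// the false-positive tuning applied and triage context added.
let Time_start = now(-5d);
let Time_end = now();
// Assumed allowlists (placeholders): helpdesk/admin workstation subnets and
// the accounts expected to run the Splashtop client. Replace with your own.
let AdminSubnets = dynamic(["10.10.50.0/24", "10.10.51.0/24"]);
let AdminAccounts = dynamic(["helpdesk-svc", "jdoe-adm"]);
// Assumed approved hours (UTC) for remote support and remote work.
let WorkStart = 7;
let WorkEnd = 19;
DeviceNetworkEvents
| where Timestamp between (Time_start..Time_end)
| where RemoteUrl has_any ('splashtop.com', 'splashtop.eu')
    and InitiatingProcessVersionInfoCompanyName has 'Splashtop'
// Drop helpdesk and admin workstations by local address. coalesce() keeps rows
// whose LocalIP is not IPv4, because ipv4_is_in_any_range() returns null there.
| where not(coalesce(ipv4_is_in_any_range(LocalIP, AdminSubnets), false))
// Drop sessions started by known administrator accounts (client side).
| where not(InitiatingProcessAccountName in~ (AdminAccounts))
// Off-hours activity is scored rather than dropped so it can be ranked.
| extend OffHours = hourofday(Timestamp) < WorkStart or hourofday(Timestamp) >= WorkEnd
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp), Count=count(),
    OffHoursCount=countif(OffHours),
    Accounts=make_set(InitiatingProcessAccountName, 10),
    Processes=make_set(InitiatingProcessFileName, 10),
    Folders=make_set(InitiatingProcessFolderPath, 10),
    Parents=make_set(InitiatingProcessParentFileName, 10),
    Hashes=make_set(InitiatingProcessSHA256, 10),
    Report=make_set(ReportId, 100)
    by DeviceId, DeviceName, RemoteUrl
// Devices with off-hours, low-volume activity float to the top; devices that
// have been talking to Splashtop steadily for days are more likely sanctioned.
| order by OffHoursCount desc, Count asc
```

When reviewing the results, a Splashtop binary running from a user profile or temp directory rather than Program Files, or one whose parent is a script host or Office process, is worth a closer look even if the account is on the allowlist: the exclusions above reduce noise, they do not prove the install was sanctioned.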