The detection identifies process creation by SyncroMSP, a Remote Monitoring and Management (RMM) tool, which may indicate adversary persistence or command-and-control activity on endpoints where Syncro is not an approved management agent. SOC teams should proactively hunt for this behavior in Microsoft Sentinel (formerly Azure Sentinel) to detect potential compromise of endpoints managed by RMM tools. Note that the query keys on the PE version metadata of the launched binary (ProcessVersionInfoCompanyName and ProcessVersionInfoProductName); a repackaged or stripped binary will not carry those strings, so treat the results as a baseline of where the agent legitimately runs and pair the hunt with checks on the file hash and signer where your environment supports them.
KQL Query
let Time_start = now(-5d);
let Time_end = now();
//
DeviceProcessEvents
| where Timestamp between (Time_start..Time_end)
| where ProcessVersionInfoCompanyName has 'Servably, Inc.'
and ProcessVersionInfoProductName has 'Syncro'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
id: f9919f87-a7ba-4f47-a942-e30c46eb7a7d
name: Remote Management and Monitoring tool - SyncroMSP - Create Process
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or to provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceProcessEvents
  | where Timestamp between (Time_start..Time_end)
  | where ProcessVersionInfoCompanyName has 'Servably, Inc.'
      and ProcessVersionInfoProductName has 'Syncro'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure the MicrosoftThreatProtection data connector is enabled and streaming this table |
False-positive scenarios. The filters below are written against the DeviceProcessEvents columns the query already uses: InitiatingProcessFileName for the parent process, InitiatingProcessCommandLine for the parent's command line, ProcessCommandLine for the Syncro process itself, and InitiatingProcessAccountName for the launching identity. An exclusion keyed on a parent process name alone is easy for an adversary to satisfy (an attacker can launch an agent from powershell.exe or a scheduled task just as an administrator can), so scope each exclusion with the account, device group or deployment path you actually use, and review the volume it suppresses periodically.

Scenario: Scheduled SyncroMSP Agent Sync Job
Description: The SyncroMSP agent runs a scheduled job to sync with the management server as part of normal operations. Scheduled tasks are started by the Task Scheduler service, which runs inside svchost.exe; schtasks.exe only registers or triggers the task and is not the parent of the task's process.
Filter/Exclusion: InitiatingProcessFileName =~ "svchost.exe" and InitiatingProcessCommandLine has "Schedule" and ProcessCommandLine has "<the sync task's command line>"

Scenario: Admin Task to Deploy SyncroMSP Agent on New Hosts
Description: IT administrators deploy the SyncroMSP agent to new endpoints using a script or deployment tool.
Filter/Exclusion: InitiatingProcessFileName =~ "powershell.exe" and InitiatingProcessCommandLine has "Invoke-Command" and InitiatingProcessAccountName in ("<approved deployment accounts>")

Scenario: SyncroMSP Remote Execution via PowerShell
Description: The SyncroMSP tool uses PowerShell to execute remote commands on managed endpoints as part of its management capabilities. In that case the Syncro process is the parent and powershell.exe the child, so this is a different event from the agent launch the rule flags; do not exclude Syncro launches whose parent is powershell.exe on the strength of this scenario.
Filter/Exclusion: Handle on the child event instead: InitiatingProcessVersionInfoCompanyName has "Servably, Inc." and FileName =~ "powershell.exe"

Scenario: SyncroMSP Configuration Update via Group Policy
Description: A Group Policy update is applied to configure SyncroMSP settings across multiple endpoints. gpupdate.exe only triggers the refresh; Group Policy startup and logon scripts run under gpscript.exe, so a parent of gpupdate.exe is unlikely to match real activity.
Filter/Exclusion: InitiatingProcessFileName =~ "gpscript.exe" and ProcessCommandLine has "<the configuration script or installer path>"

Scenario: SyncroMSP Log Collection Process
Description: The SyncroMSP tool runs a log collection process to gather system logs for monitoring and troubleshooting.
Filter/Exclusion: ProcessCommandLine has "SyncroMSP LogCollector" or (InitiatingProcessFileName =~ "svchost.exe" and InitiatingProcessCommandLine has "Schedule")
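The following is an added example, not the page's rule or any Sentinel code: a Python model of the hunting query above (window filter, the two `has` conditions, and the summarize-by-device step) together with the "Admin Task to Deploy" exclusion, run over constructed DeviceProcessEvents-style rows. It is here to make the exclusion trade-off concrete: keyed on parent process and command line alone, the exclusion also hides an agent staged the same way from an ordinary user account, while the same exclusion scoped to an approved deployment identity keeps that hit. The device, account and file names (`svc-deploy`, `jdoe`, `agent-setup.exe`) and the `DEPLOY_ACCOUNTS` set are assumptions for the example, and `kql_has` is only an approximation of the KQL `has` operator.

```python
"""Model of the SyncroMSP hunting query and one false-positive exclusion,
run over constructed DeviceProcessEvents rows (added example, not Sentinel code)."""
import re
from datetime import datetime, timedelta, timezone

# Constructed telemetry. Column names follow the advanced-hunting schema; the
# device, account and file names are placeholders, not real Syncro artefacts.
NOW = datetime(2024, 5, 8, tzinfo=timezone.utc)
START, END = NOW - timedelta(days=5), NOW          # the query's now(-5d)..now()

def _row(ts, dev, report, parent, parent_cmd, account,
         company="Servably, Inc.", product="Syncro"):
    return {"Timestamp": ts, "DeviceId": dev, "DeviceName": dev.replace("dev-", "ws"),
            "ReportId": report, "ProcessVersionInfoCompanyName": company,
            "ProcessVersionInfoProductName": product,
            "InitiatingProcessFileName": parent, "InitiatingProcessCommandLine": parent_cmd,
            "InitiatingProcessAccountName": account}

DEPLOY_CMD = "powershell.exe Invoke-Command -ScriptBlock { .\\agent-setup.exe }"
EVENTS = [
    _row("2024-05-07T08:00:00Z", "dev-01", 101, "services.exe", "services.exe", "SYSTEM"),
    _row("2024-05-07T09:00:00Z", "dev-01", 102, "services.exe", "services.exe", "SYSTEM"),
    _row("2024-05-01T08:00:00Z", "dev-01", 90, "services.exe", "services.exe", "SYSTEM"),  # outside window
    _row("2024-05-06T10:00:00Z", "dev-02", 201, "powershell.exe", DEPLOY_CMD, "svc-deploy"),  # IT deployment
    _row("2024-05-06T23:30:00Z", "dev-03", 301, "powershell.exe", DEPLOY_CMD, "jdoe"),  # same pattern, user account
    _row("2024-05-07T11:00:00Z", "dev-04", 401, "services.exe", "services.exe", "SYSTEM",
         company="Contoso", product="Contoso Agent"),                                   # not Syncro
]

def kql_has(text: str, phrase: str) -> bool:
    """Approximation of KQL `has`: case-insensitive match on whole terms."""
    tok = lambda s: re.findall(r"[a-z0-9]+", s.lower())
    h, p = tok(text), tok(phrase)
    return bool(p) and any(h[i:i + len(p)] == p for i in range(len(h) - len(p) + 1))

def is_syncro(ev: dict) -> bool:
    return (kql_has(ev["ProcessVersionInfoCompanyName"], "Servably, Inc.")
            and kql_has(ev["ProcessVersionInfoProductName"], "Syncro"))

# "Admin Task to Deploy" exclusion mapped to DeviceProcessEvents columns: the parent
# name and the parent's command line (the script that launched the agent).
def excl_deploy_broad(ev: dict) -> bool:
    return (ev["InitiatingProcessFileName"].lower() == "powershell.exe"
            and "Invoke-Command -ScriptBlock" in ev["InitiatingProcessCommandLine"])

DEPLOY_ACCOUNTS = {"svc-deploy"}   # assumed approved deployment identity

def excl_deploy_scoped(ev: dict) -> bool:
    """Same pattern, but only for accounts that are allowed to deploy the agent."""
    return excl_deploy_broad(ev) and ev["InitiatingProcessAccountName"] in DEPLOY_ACCOUNTS

def hunt(events, start=START, end=END, exclusions=()):
    """Window filter, Syncro match, exclusions, then the query's summarize step."""
    rows = {}
    for ev in events:
        ts = datetime.fromisoformat(ev["Timestamp"].replace("Z", "+00:00"))
        if not (start <= ts <= end) or not is_syncro(ev) or any(x(ev) for x in exclusions):
            continue
        key = (ev["DeviceId"], ev["DeviceName"])
        r = rows.setdefault(key, {"FirstSeen": ts, "LastSeen": ts, "Report": set(), "Count": 0})
        r["FirstSeen"], r["LastSeen"] = min(r["FirstSeen"], ts), max(r["LastSeen"], ts)
        r["Report"].add(ev["ReportId"])
        r["Count"] += 1
    return rows

def devices(rows) -> list:
    """Device IDs the hunt surfaced, sorted for stable comparison."""
    return sorted(dev for dev, _ in rows)

if __name__ == "__main__":
    for label, excl in [("no exclusions", ()), ("broad", (excl_deploy_broad,)),
                        ("scoped", (excl_deploy_scoped,))]:
        print(f"{label:14} -> {devices(hunt(EVENTS, exclusions=excl))}")
```

Running it shows dev-01, dev-02 and dev-03 with no exclusions, only dev-01 with the broad exclusion (the attacker-style launch on dev-03 disappears along with the legitimate deployment), and dev-01 plus dev-03 with the account-scoped exclusion. The same shape applies to the other scenarios on the page: pair the parent-process condition with something the adversary does not control by default.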