The hypothesis is that an adversary is using SyncroMSP, a Remote Management and Monitoring tool, to establish a network connection for potential C2 communication or persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential adversary exploitation of legitimate RMM tools.
KQL Query

```kql
let Time_start = now(-5d);
let Time_end = now();
//
DeviceNetworkEvents
| where Timestamp between (Time_start..Time_end)
| where RemoteUrl has_any (
    'syncromsp.com',
    'servably.com',
    'syncroapi.com'
    )
    and InitiatingProcessVersionInfoCompanyName has 'Servably, Inc.'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
    RemoteUrl
```
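To check the hunt logic offline before scheduling it, the following Python reproduces the query's filter and `summarize` step over constructed DeviceNetworkEvents rows. This is an added example, not part of the original page; `has_any`/`has` are approximated with case-insensitive substring matching rather than KQL term matching, and the sample events are invented.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Domains and vendor string taken from the hunting query above.
SYNCRO_DOMAINS = ("syncromsp.com", "servably.com", "syncroapi.com")
SYNCRO_VENDOR = "servably, inc."

@dataclass
class NetEvent:
    """Subset of DeviceNetworkEvents columns the query reads."""
    Timestamp: datetime
    DeviceId: str
    DeviceName: str
    RemoteUrl: str
    InitiatingProcessVersionInfoCompanyName: str
    ReportId: int

def matches(ev, start, end):
    """Time window plus the two 'where' conditions of the query.
    Approximation: substring match instead of KQL term-based has_any/has."""
    if not (start <= ev.Timestamp <= end):
        return False
    url = ev.RemoteUrl.lower()
    company = ev.InitiatingProcessVersionInfoCompanyName.lower()
    return any(d in url for d in SYNCRO_DOMAINS) and SYNCRO_VENDOR in company

def hunt(events, lookback=timedelta(days=5), now=None):
    """Mirror of the summarize: FirstSeen, LastSeen, make_set(ReportId) and
    count() keyed by (DeviceId, DeviceName, RemoteUrl)."""
    end = now or datetime.now()
    start = end - lookback
    groups = {}
    for ev in events:
        if not matches(ev, start, end):
            continue
        key = (ev.DeviceId, ev.DeviceName, ev.RemoteUrl)
        g = groups.setdefault(key, {"FirstSeen": ev.Timestamp, "LastSeen": ev.Timestamp,
                                    "Report": set(), "Count": 0})
        g["FirstSeen"] = min(g["FirstSeen"], ev.Timestamp)
        g["LastSeen"] = max(g["LastSeen"], ev.Timestamp)
        g["Report"].add(ev.ReportId)
        g["Count"] += 1
    return groups

# Constructed sample telemetry (not real data); NOW fixes the 5-day window.
NOW = datetime(2024, 1, 10, 12, 0, 0)
SAMPLE = [
    NetEvent(NOW - timedelta(days=1), "dev-1", "ws01", "rmm.syncromsp.com", "Servably, Inc.", 101),
    NetEvent(NOW - timedelta(days=2), "dev-1", "ws01", "rmm.syncromsp.com", "Servably, Inc.", 102),
    NetEvent(NOW - timedelta(hours=3), "dev-2", "ws02", "api.syncroapi.com", "Servably, Inc.", 103),
    NetEvent(NOW - timedelta(days=7), "dev-3", "ws03", "syncromsp.com", "Servably, Inc.", 104),  # outside window
    NetEvent(NOW - timedelta(hours=1), "dev-4", "ws04", "syncromsp.com", "Microsoft Corporation", 105),  # browser hit
]
```

Running `hunt(SAMPLE, now=NOW)` yields two result rows; the out-of-window event and the non-vendor process are dropped, which is the behaviour to verify when tuning the query.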
```yaml
id: 3abb45d6-8514-4444-a7e4-6ab1c71ae5ce
name: Remote Management and Monitoring tool - SyncroMSP - Network Connection
description: |
  Remote Monitoring and Management (RMM) programs are used by IT teams to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceNetworkEvents
  | where Timestamp between (Time_start..Time_end)
  | where RemoteUrl has_any (
      'syncromsp.com',
      'servably.com',
      'syncroapi.com'
      )
      and InitiatingProcessVersionInfoCompanyName has 'Servably, Inc.'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
      RemoteUrl
```
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled SyncroMSP agent updates
Description: The SyncroMSP agent may initiate periodic network connections to download updates or patches from the central management server.
Filter/Exclusion: Check for process.name containing “SyncroMSP Agent” and process.args containing “update” or “patch”. Exclude connections to internal IP ranges or known SyncroMSP update servers.
Scenario: Admin task to sync client inventory
Description: IT administrators may run scheduled tasks to synchronize client inventory data with the SyncroMSP server, which involves network connections.
Filter/Exclusion: Filter by process.name like “SyncroMSP Inventory Sync” or “SyncroMSP Client Sync” and ensure the destination IP is a known internal SyncroMSP server.
Scenario: Remote desktop session initiated by an admin
Description: An IT administrator may use Remote Desktop Protocol (RDP) to connect to a remote endpoint, which could trigger network connections associated with SyncroMSP.
Filter/Exclusion: Check for process.name like “mstsc.exe” or “rdp.exe” and ensure the connection is to a known admin workstation or internal network.
Scenario: SyncroMSP configuration backup to a secure server
Description: The SyncroMSP tool may periodically back up configuration data to a secure internal server, which involves outbound network connections.
Filter/Exclusion: Filter by process.name containing “SyncroMSP Backup” and ensure the destination IP is a known internal backup server or SyncroMSP management server.
Scenario: SyncroMSP reporting job execution
Description: Scheduled reporting jobs in SyncroMSP may connect to the central server to generate and send reports, which could be flagged as suspicious.
Filter/Exclusion: Use `process