A threat hunter should investigate process creation where the image carries XMReality version information, because adversaries abuse legitimate RMM and remote-assistance tools of this kind to establish persistence and command-and-control channels that blend in with IT activity. Proactively hunting for XMReality process creation in Azure Sentinel (now Microsoft Sentinel) can surface remote endpoints on which the tool is being driven by an attacker rather than by the help desk; the query below returns one row per device with the first and last sighting, the ReportIds to pivot on, and a count.
KQL Query
let Time_start = now(-5d);
let Time_end = now();
//
DeviceProcessEvents
| where Timestamp between (Time_start..Time_end)
| where ProcessVersionInfoCompanyName has 'XMReality'
and ProcessVersionInfoProductName has 'XMReality'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
id: bbb3a927-18e6-471a-a8cc-5d080dd2b108
name: Remote Management and Monitoring tool - XMReality - Create Process
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceProcessEvents
  | where Timestamp between (Time_start..Time_end)
  | where ProcessVersionInfoCompanyName has 'XMReality'
      and ProcessVersionInfoProductName has 'XMReality'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure the MicrosoftThreatProtection (Microsoft 365 Defender) data connector is enabled and this table is being ingested |
Tuning note: the query above matches processes whose own version information names XMReality, i.e. the XMReality client itself. The scenarios below describe processes launched through XMReality; to hunt for those, widen the match to the parent's version information (for example InitiatingProcessVersionInfoCompanyName has 'XMReality') and apply each exclusion as a where not(...) clause before the summarize, using DeviceProcessEvents column names (FileName, InitiatingProcessFileName, ProcessCommandLine). Keep every exclusion as narrow as its scenario: dropping powershell.exe or schtasks.exe outright removes exactly the child processes an attacker driving the RMM tool would create.

Scenario: A system administrator is using XMReality to remotely launch the installer of a legitimate endpoint management client (e.g., Microsoft Intune or SCCM).
Filter/Exclusion: FileName in~ ("setup.exe", "msiexec.exe", "setupmgr.exe")

Scenario: A scheduled job runs via XMReality to deploy software updates across the network.
Filter/Exclusion: InitiatingProcessFileName in~ ("taskeng.exe", "schtasks.exe"). On current Windows builds scheduled tasks are started by the Schedule service inside svchost.exe rather than taskeng.exe, so confirm which parent your telemetry actually shows before relying on this exclusion.

Scenario: An IT admin is using XMReality to remotely execute a PowerShell script for system maintenance (e.g., disk cleanup or registry updates).
Filter/Exclusion: FileName =~ "powershell.exe" and ProcessCommandLine has_any ("diskcleanup", "reg", "clean"). The terms "reg" and "clean" are broad; prefer matching the path or name of the specific maintenance script the admins run, and never exclude powershell.exe by file name alone.

Scenario: A user is using XMReality to remotely start a legitimate monitoring agent (e.g., Nagios or Zabbix agent).
Filter/Exclusion: FileName in~ ("nagios.exe", "zabbix_agentd.exe", "check_mk.exe")

Scenario: A system administrator is using XMReality to remotely configure a service (e.g., configuring a firewall rule or setting up a scheduled task).
Filter/Exclusion: FileName in~ ("services.exe", "taskhost.exe", "schtasks.exe")
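To check the whole-term semantics of KQL `has` and the effect of these exclusions without a Sentinel workspace, the following Python models the filter and summarize stages of the hunting query over constructed DeviceProcessEvents rows. This is an added example, not code from this page or from the RemoteManagementMonitoringTools repository; the XMReality binary name, company string, command lines and device identifiers are assumptions, `kql_has` only approximates Kusto's term matching, and the `include_children` switch stands in for widening the query to InitiatingProcessVersionInfoCompanyName as described in the tuning note.

```python
import re
from datetime import datetime, timedelta, timezone

# Fixed stand-in for KQL now() so the 5-day window is reproducible offline.
NOW = datetime(2024, 5, 6, 12, 0, tzinfo=timezone.utc)


def _row(ts, dev, name, report, file, company, product, cmd="",
         parent_company="", parent_file=""):
    """Build one DeviceProcessEvents-shaped row (only the columns the hunt needs)."""
    return {
        "Timestamp": ts, "DeviceId": dev, "DeviceName": name, "ReportId": report,
        "FileName": file,
        "ProcessVersionInfoCompanyName": company,
        "ProcessVersionInfoProductName": product,
        "ProcessCommandLine": cmd,
        "InitiatingProcessVersionInfoCompanyName": parent_company,
        "InitiatingProcessFileName": parent_file,
    }


# Constructed sample rows, not real telemetry. Binary name, company string,
# command lines and device ids are assumptions for illustration.
SAMPLE_EVENTS = [
    # XMReality client itself starting twice on ws01, inside the window
    _row(NOW - timedelta(days=1), "dev-001", "ws01", 101, "XMReality.exe",
         "XMReality AB", "XMReality Remote Guidance"),
    _row(NOW - timedelta(hours=2), "dev-001", "ws01", 102, "XMReality.exe",
         "XMReality AB", "XMReality Remote Guidance"),
    # same client on ws02, but 10 days ago: outside now(-5d)
    _row(NOW - timedelta(days=10), "dev-002", "ws02", 55, "XMReality.exe",
         "XMReality AB", "XMReality Remote Guidance"),
    # 'XMReality' buried inside a longer token: `has` (whole term) must not match
    _row(NOW - timedelta(days=2), "dev-003", "ws03", 77, "viewer.exe",
         "Contoso", "NotXMRealityViewer"),
    # powershell.exe spawned BY the XMReality client with an encoded command:
    # its own version info is Microsoft's, so the base query never sees it
    _row(NOW - timedelta(hours=5), "dev-001", "ws01", 103, "powershell.exe",
         "Microsoft Corporation", "Microsoft Windows Operating System",
         cmd="powershell.exe -nop -w hidden -enc SQBFAFgA",
         parent_company="XMReality AB", parent_file="XMReality.exe"),
]

_TERM = re.compile(r"[A-Za-z0-9_]+")


def kql_has(value, term):
    """Approximation of Kusto `has`: case-insensitive match of a whole term, where
    terms are runs of letters, digits and underscores. 'XMReality AB' has 'XMReality';
    'NotXMRealityViewer' does not (that would need `contains`)."""
    return term.lower() in (t.lower() for t in _TERM.findall(value or ""))


def hunt(events, now=NOW, lookback_days=5, include_children=False, exclusions=()):
    """Filter + summarize stages of the hunting query.

    include_children widens the match to processes whose parent carries XMReality
    version info (what the exclusion scenarios assume). exclusions are predicates
    applied as `where not(...)` before the summarize."""
    start, end = now - timedelta(days=lookback_days), now
    summary = {}
    for e in events:
        if not (start <= e["Timestamp"] <= end):
            continue
        own = (kql_has(e["ProcessVersionInfoCompanyName"], "XMReality")
               and kql_has(e["ProcessVersionInfoProductName"], "XMReality"))
        via_parent = include_children and kql_has(
            e["InitiatingProcessVersionInfoCompanyName"], "XMReality")
        if not (own or via_parent) or any(ex(e) for ex in exclusions):
            continue
        key = (e["DeviceId"], e["DeviceName"])
        s = summary.setdefault(key, {"FirstSeen": e["Timestamp"],
                                     "LastSeen": e["Timestamp"],
                                     "Report": set(), "Count": 0})
        s["FirstSeen"] = min(s["FirstSeen"], e["Timestamp"])
        s["LastSeen"] = max(s["LastSeen"], e["Timestamp"])
        s["Report"].add(e["ReportId"])
        s["Count"] += 1
    # make_set() is unordered; sort here so results are stable
    return {k: {**v, "Report": sorted(v["Report"])} for k, v in summary.items()}


def broad_exclusion(e):
    """The 'PowerShell maintenance' scenario keyed on file name only."""
    return e["FileName"].lower() == "powershell.exe"


def narrow_exclusion(e):
    """Same scenario, but tied to the maintenance command line as well."""
    return broad_exclusion(e) and kql_has(e["ProcessCommandLine"], "diskcleanup")


if __name__ == "__main__":
    for label, kwargs in (
        ("base query", {}),
        ("widened to children", {"include_children": True}),
        ("children, broad exclusion", {"include_children": True, "exclusions": (broad_exclusion,)}),
        ("children, narrow exclusion", {"include_children": True, "exclusions": (narrow_exclusion,)}),
    ):
        res = hunt(SAMPLE_EVENTS, **kwargs)
        print(label, {f"{d}/{n}": (v["Count"], v["Report"]) for (d, n), v in res.items()})
```

Running it shows the base query returning only ws01 with two hits: the ws02 row falls outside the window, and "NotXMRealityViewer" is rejected because `has` matches whole terms, not substrings. Widening to child processes adds the encoded-command powershell.exe (ReportId 103), and the broad exclusion on file name silently drops it again while the narrow one keyed on the command line keeps it, which is the reason the tuning note asks for exclusions no wider than their scenario.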