The hypothesis is that an adversary is using the XMReality tool to establish unauthorized outbound network connections for remote management and potential C2 communication. SOC teams should proactively hunt for this behavior in Microsoft Sentinel (formerly Azure Sentinel) to detect and mitigate persistent threats that leverage RMM tools. Note that the query below requires all three conditions at once (a connection to xmreality.com made by a binary whose version info names XMReality as both company and product), so a renamed copy with its version resource stripped would not match; pair it with a broader hunt keyed on RemoteUrl alone if that gap matters in your environment.
KQL Query
let Time_start = now(-5d);
let Time_end = now();
// Outbound connections to the XMReality service made by an XMReality-branded binary
DeviceNetworkEvents
| where Timestamp between (Time_start..Time_end)
| where RemoteUrl has 'xmreality.com'
    and InitiatingProcessVersionInfoCompanyName has 'XMReality'
    and InitiatingProcessVersionInfoProductName has 'XMReality'
// One row per device and destination, with the ReportIds needed to pivot into Defender
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName, RemoteUrl
id: 41405f6b-85bf-48e4-8e87-a544a0f59a9b
name: Remote Management and Monitoring tool - XMReality - Network Connection
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceNetworkEvents
  | where Timestamp between (Time_start..Time_end)
  | where RemoteUrl has 'xmreality.com'
      and InitiatingProcessVersionInfoCompanyName has 'XMReality'
      and InitiatingProcessVersionInfoProductName has 'XMReality'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName, RemoteUrl
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure the MicrosoftThreatProtection (Microsoft 365 Defender) data connector is enabled with the DeviceNetworkEvents data type |
Scenario: Scheduled System Maintenance via XMReality
Description: An admin schedules a routine system maintenance task using XMReality to update endpoint configurations across the network.
Filter/Exclusion: Add a `where not(...)` line to the query before the `summarize`, keyed on the DeviceNetworkEvents columns that are actually present, e.g. `| where not(DeviceName in~ (maintenance_devices) and Timestamp between (maintenance_start .. maintenance_end))`, where `maintenance_devices` and the window are placeholders for the hosts and time slot of the scheduled task. DeviceNetworkEvents carries no Windows event ID, so exclusions are keyed on device, account, parent process or time rather than an event ID.
Scenario: Remote Session Established via XMReality
Description: A system administrator uses XMReality to initiate a remote session to troubleshoot a user's machine, which triggers network connection alerts.
Filter/Exclusion: Because the query already pins RemoteUrl to xmreality.com, an internal-destination filter never applies here; exclude the accounts expected to run the client instead, e.g. `| where not(InitiatingProcessAccountName in~ (helpdesk_accounts))`, where `helpdesk_accounts` is a placeholder list of approved administrator accounts.
Scenario: Automated Patch Deployment via XMReality
Description: The enterprise uses XMReality to deploy security patches to all endpoints during off-peak hours, which may trigger network connection alerts.
Filter/Exclusion: Exclude sessions launched by the deployment tooling, e.g. `| where not(InitiatingProcessParentFileName =~ "patchdeploy.exe")` (replace with the actual name of the process that launches the client); when patching runs in a fixed window, combine this with a Timestamp range as in the maintenance scenario.
Scenario: User-Initiated Remote Support Session
Description: A user initiates a remote support session using XMReality to assist another user, which may be flagged as suspicious network activity.
Filter/Exclusion: `| where not(InitiatingProcessAccountName in~ (approved_support_users) or InitiatingProcessParentFileName =~ "supporttool.exe")`, where `approved_support_users` and the parent process name are placeholders for the accounts and launcher authorized to start support sessions.
Scenario: XMReality Agent Communication with Central Server
Description: The XMReality agent regularly communicates with the central management server to report status and receive updates, which may be flagged as C2 activity.
Filter/Exclusion: `| where not(DeviceName in~ (allowed_management_servers))`, where `allowed_management_servers` is a placeholder list of the hosts expected to run the agent. Do not exclude on `RemotePort == 443`: legitimate and attacker-driven sessions both use HTTPS, so that exclusion would suppress every match the query produces.
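The following is an added example, not code from the original page or the linked repository: a Python model of the hunt query and of the tuning described in the scenarios above, run over constructed DeviceNetworkEvents-shaped rows. `kql_has` is a simplified stand-in for KQL `has` (case-insensitive match at term boundaries), the rows are constructed rather than real telemetry, and the `allowed_accounts` and `excluded_ports` hooks are hypothetical names for the account-based exclusion and the port exclusion that should not be used. It shows which rows the three conditions catch (including a renamed binary that kept its version resource), which they miss (a binary with its version info stripped), and that excluding port 443 empties the result set.

```python
"""Model of the XMReality RMM hunt and its exclusions over constructed rows.

Added example, not code from the original page or the linked repository.
The sample rows are constructed, not real telemetry.
"""
import re
from datetime import datetime, timedelta


def kql_has(value, term):
    """Simplified model of KQL `has`: case-insensitive match of `term` at term
    boundaries. Real `has` tokenises on non-alphanumerics; this approximation is
    enough for URL and version-info strings."""
    pattern = r"(?<![A-Za-z0-9])" + re.escape(term) + r"(?![A-Za-z0-9])"
    return re.search(pattern, value or "", flags=re.IGNORECASE) is not None


def row(ts, device, proc, company, product, url, account, port=443, report=0):
    """Build one constructed row with the DeviceNetworkEvents columns the hunt uses."""
    return {
        "Timestamp": datetime.fromisoformat(ts),
        "DeviceId": device.lower(), "DeviceName": device,
        "InitiatingProcessFileName": proc,
        "InitiatingProcessVersionInfoCompanyName": company,
        "InitiatingProcessVersionInfoProductName": product,
        "RemoteUrl": url, "RemotePort": port,
        "InitiatingProcessAccountName": account,
        "ReportId": report,
    }


# Constructed sample telemetry (not real data).
SAMPLE_ROWS = [
    # Helpdesk session from the stock client: matches, and is what tuning removes.
    row("2024-05-01T09:00:00", "WS01", "xmreality.exe", "XMReality AB",
        "XMReality Remote Guidance", "app.xmreality.com", "helpdesk1", report=101),
    row("2024-05-01T09:05:00", "WS01", "xmreality.exe", "XMReality AB",
        "XMReality Remote Guidance", "app.xmreality.com", "helpdesk1", report=102),
    # Renamed binary that kept its version resource: still matches.
    row("2024-05-01T23:40:00", "WS02", "svchost_update.exe", "XMReality AB",
        "XMReality Remote Guidance", "xmreality.com", "jdoe", report=201),
    # Browser visiting the vendor site: company/product conditions fail.
    row("2024-05-01T10:00:00", "WS03", "chrome.exe", "Google LLC",
        "Google Chrome", "www.xmreality.com", "asmith", report=301),
    # Version info stripped: NOT caught by this query (the coverage gap noted above).
    row("2024-05-01T23:45:00", "WS04", "update.exe", "", "",
        "relay.xmreality.com", "jdoe", report=401),
]


def matches(r):
    """The three `has` conditions of the hunt query, all required."""
    return (kql_has(r["RemoteUrl"], "xmreality.com")
            and kql_has(r["InitiatingProcessVersionInfoCompanyName"], "XMReality")
            and kql_has(r["InitiatingProcessVersionInfoProductName"], "XMReality"))


def hunt(rows, lookback_days=5, now=None, allowed_accounts=frozenset(),
         excluded_ports=frozenset()):
    """Apply the time window, the match conditions, the (hypothetical) exclusion
    hooks, then the summarize by DeviceId, DeviceName, RemoteUrl."""
    now = now or max(r["Timestamp"] for r in rows)
    start = now - timedelta(days=lookback_days)
    allowed = {a.lower() for a in allowed_accounts}
    results = {}
    for r in rows:
        if not (start <= r["Timestamp"] <= now) or not matches(r):
            continue
        # Account-based exclusion, as in the remote-session / support scenarios.
        if r["InitiatingProcessAccountName"].lower() in allowed:
            continue
        # Port-based exclusion, kept only to show why it must not be used.
        if r["RemotePort"] in excluded_ports:
            continue
        key = (r["DeviceId"], r["DeviceName"], r["RemoteUrl"])
        agg = results.setdefault(key, {"FirstSeen": r["Timestamp"],
                                       "LastSeen": r["Timestamp"],
                                       "Report": set(), "Count": 0})
        agg["FirstSeen"] = min(agg["FirstSeen"], r["Timestamp"])
        agg["LastSeen"] = max(agg["LastSeen"], r["Timestamp"])
        agg["Report"].add(r["ReportId"])
        agg["Count"] += 1
    return results


if __name__ == "__main__":
    for key, agg in hunt(SAMPLE_ROWS, allowed_accounts={"helpdesk1"}).items():
        print(key, agg)
```

Untuned, the hunt returns WS01 and WS02; with the helpdesk account excluded only the renamed binary on WS02 remains, which is the row an analyst should be looking at. Excluding port 443 returns nothing at all, which is the reason the last scenario above warns against it.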