The hypothesis is that an adversary is using Zoho Assist, a Remote Monitoring and Management (RMM) tool, to establish persistence by creating a process that can serve as a command-and-control channel. SOC teams should proactively hunt for this behavior in Microsoft Sentinel (formerly Azure Sentinel) because attackers increasingly rely on legitimate, signed RMM tools to maintain long-term access and exfiltrate data while blending in with ordinary IT support activity.
KQL Query

```kql
let Time_start = now(-5d);
let Time_end = now();
//
DeviceProcessEvents
| where Timestamp between (Time_start..Time_end)
| where ProcessVersionInfoCompanyName has 'Zoho'
    and ProcessVersionInfoProductName has 'Zoho Assist'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
```

The query keys on the PE version metadata (ProcessVersionInfoCompanyName and ProcessVersionInfoProductName) rather than on FileName, so a renamed Zoho Assist binary is still caught; an attacker who rebuilds or strips the version resource would evade it, so pair this hunt with signer- or hash-based checks. `has` is a case-insensitive whole-term match, so 'Zoho' matches "Zoho Corporation Pvt. Ltd." but not a string where Zoho is only part of a longer token. The summarize step collapses the hits to one row per device and carries the ReportId set so an analyst can pivot back into the underlying process events.
```yaml
id: 4a4e44ca-5cfb-40f4-b1d9-03e00aa55f82
name: Remote Management and Monitoring tool - ZohoAssist - Create Process
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceProcessEvents
  | where Timestamp between (Time_start..Time_end)
  | where ProcessVersionInfoCompanyName has 'Zoho'
      and ProcessVersionInfoProductName has 'Zoho Assist'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure the Microsoft 365 Defender (connectorId MicrosoftThreatProtection) data connector is enabled and this table is selected for ingestion |
Scenario: Zoho Assist is used for legitimate remote support or system monitoring
Filter/Exclusion: Keep an allow-list of the accounts and devices where Zoho Assist is sanctioned and exclude them on AccountName (or InitiatingProcessAccountName) and DeviceName, for example `| where not(AccountName in~ (KnownAdmins))`. DeviceProcessEvents has no process.name or event_id column: the binary name is in FileName and the launch details in ProcessCommandLine, and "ZohoAssist.exe" is only an illustrative name, so baseline the FileName values the query actually returns in your tenant before pinning a file-name filter.
Scenario: Admin creates a scheduled task using Zoho Assist for system maintenance
Filter/Exclusion: A task created from a Zoho Assist session shows up as schtasks.exe (or powershell.exe running Register-ScheduledTask) with the Zoho Assist binary as InitiatingProcessFileName. Exclude only when the task name in ProcessCommandLine matches a documented maintenance task (e.g. SystemUpdateTask) and the AccountName is an approved admin; a task created from an unexpected account or outside a change window stays in scope, since scheduled tasks are a common persistence mechanism.
Scenario: Zoho Assist is used to deploy patches or updates across endpoints
Filter/Exclusion: Exclude child processes whose ProcessCommandLine references your approved patch tooling (msiexec.exe with a known package, wusa.exe, or the update agent you actually deploy) when the session falls in a documented patch window and comes from an approved account. Unknown installers or scripts launched under Zoho Assist remain in scope.
Scenario: Zoho Assist is used to remotely configure firewall rules or network settings
Filter/Exclusion: Look for netsh.exe (advfirewall, interface) or powershell.exe running New-NetFirewallRule / Set-NetFirewallRule with Zoho Assist as the initiating process. Exclude only changes that match an approved change record or your network-management tooling; rules that open inbound ports or allow a new program are worth keeping in scope, as they are a typical follow-on to gaining remote access.
Scenario: Zoho Assist is used to remotely reboot or restart services on endpoints
Filter/Exclusion: Look for shutdown.exe, sc.exe, net.exe (stop/start) or Restart-Service in ProcessCommandLine with Zoho Assist as the initiating process. Exclude those that belong to documented service-management or maintenance routines; stopping a security service (antivirus, EDR sensor, event forwarding) should never be excluded.
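The hunt query and the exclusion scenarios above, as an added example that is not code from the original page or from the jischell-msft repository: a Python re-implementation of the filter and summarize steps, plus the account/device allow-list the scenarios call for, run offline over constructed DeviceProcessEvents-shaped rows. Column names follow the real table; the device names, accounts, ReportIds, timestamps and the `kql_has` approximation of KQL `has` (whole-term, case-insensitive) are assumptions made for the example.

```python
"""Added example (not part of the original hunting page or the jischell-msft
repository): a Python re-implementation of the Zoho Assist hunt so the filter,
summarize and allow-list exclusion steps can be exercised offline on constructed
DeviceProcessEvents rows. Column names follow the real table; the rows, device
names, accounts and ReportIds are made up for the example."""
import re
from datetime import datetime, timedelta, timezone

# Fixed stand-in for KQL now() so the run is repeatable.
NOW = datetime(2024, 5, 10, 12, 0, tzinfo=timezone.utc)


def _row(device_id, device, account, company, product, file_name, age, report):
    """Build one constructed DeviceProcessEvents-shaped row (age = time before NOW)."""
    return {
        "Timestamp": NOW - age,
        "DeviceId": device_id,
        "DeviceName": device,
        "AccountName": account,
        "ProcessVersionInfoCompanyName": company,
        "ProcessVersionInfoProductName": product,
        "FileName": file_name,
        "ReportId": report,
    }


# Constructed sample telemetry (not real data). "ZohoAssist.exe" is the
# illustrative file name used on the page, not a verified binary name.
EVENTS = [
    # Workstation with two Zoho Assist launches inside the 5-day window.
    _row("dev-001", "WS-FIN-07", "jdoe", "Zoho Corporation Pvt. Ltd.", "Zoho Assist",
         "ZohoAssist.exe", timedelta(hours=1), "rpt-1001"),
    _row("dev-001", "WS-FIN-07", "jdoe", "Zoho Corporation Pvt. Ltd.", "Zoho Assist",
         "ZohoAssist.exe", timedelta(days=3), "rpt-1002"),
    # Sanctioned help-desk jump host: a hit for the query, a known false positive for the SOC.
    _row("dev-002", "JUMPHOST01", "helpdesk-svc", "Zoho Corporation Pvt. Ltd.", "Zoho Assist",
         "ZohoAssist.exe", timedelta(hours=2), "rpt-2001"),
    # 'ZohoXYZ' is a single term, so KQL `has 'Zoho'` does not match it.
    _row("dev-003", "WS-HR-02", "asmith", "ZohoXYZ Corp", "Zoho Assist",
         "helper.exe", timedelta(hours=5), "rpt-3001"),
    # Unrelated software.
    _row("dev-004", "WS-ENG-11", "bjones", "Microsoft Corporation",
         "Microsoft Windows Operating System", "notepad.exe", timedelta(hours=1), "rpt-4001"),
    # Older than the look-back window.
    _row("dev-001", "WS-FIN-07", "jdoe", "Zoho Corporation Pvt. Ltd.", "Zoho Assist",
         "ZohoAssist.exe", timedelta(days=8), "rpt-1000"),
]


def kql_has(value, term):
    """Approximate KQL `has`: case-insensitive match on a whole term (or a
    phrase of whole terms), never on an arbitrary substring of a longer token."""
    pattern = r"(?<![0-9A-Za-z])" + re.escape(term) + r"(?![0-9A-Za-z])"
    return re.search(pattern, value or "", re.IGNORECASE) is not None


def hunt(events, now=NOW, lookback=timedelta(days=5), allow_accounts=(), allow_devices=()):
    """Time window, Zoho Assist version-info filter, optional allow-list
    exclusions (case-insensitive, like KQL in~), then summarize by
    (DeviceId, DeviceName) the way the page's query does."""
    start = now - lookback
    allowed_accounts = {a.lower() for a in allow_accounts}
    allowed_devices = {d.lower() for d in allow_devices}
    summary = {}
    for e in events:
        if not (start <= e["Timestamp"] <= now):
            continue
        if not (kql_has(e["ProcessVersionInfoCompanyName"], "Zoho")
                and kql_has(e["ProcessVersionInfoProductName"], "Zoho Assist")):
            continue
        if e["AccountName"].lower() in allowed_accounts or e["DeviceName"].lower() in allowed_devices:
            continue
        key = (e["DeviceId"], e["DeviceName"])
        s = summary.setdefault(key, {
            "FirstSeen": e["Timestamp"], "LastSeen": e["Timestamp"],
            "Report": set(), "Accounts": set(), "Binaries": set(), "Count": 0})
        s["FirstSeen"] = min(s["FirstSeen"], e["Timestamp"])
        s["LastSeen"] = max(s["LastSeen"], e["Timestamp"])
        s["Report"].add(e["ReportId"])
        s["Accounts"].add(e["AccountName"])
        s["Binaries"].add(e["FileName"])
        s["Count"] += 1
    return summary


if __name__ == "__main__":
    # With the help-desk service account allow-listed only the workstation remains.
    for key, s in hunt(EVENTS, allow_accounts=["helpdesk-svc"]).items():
        print(key, s["Count"], sorted(s["Report"]), s["FirstSeen"], s["LastSeen"])
```

Without an allow-list the jump host is reported alongside the workstation, which is the page's first false-positive scenario in miniature; the extra Accounts and Binaries sets are cheap to carry in the real KQL (make_set(AccountName), make_set(FileName)) and give the analyst what they need to decide whether a hit is sanctioned before opening the ReportIds.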