The hypothesis is that an adversary is using ZohoAssist as a remote management tool to establish covert network connections for command and control or persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromise of endpoints managed by RMM tools.
KQL Query

```kql
let Time_start = now(-5d);
let Time_end = now();
//
DeviceNetworkEvents
| where Timestamp between (Time_start..Time_end)
| where RemoteUrl has_any (
    'assist.zoho.com',
    'assist.zoho.eu',
    'assist.zoho.com.au',
    'assist.zoho.in',
    'assist.zoho.jp',
    'assist.zoho.uk',
    'assistlab.zoho.com',
    'downloads.zohocdn.com',
    'download-accl.zoho.in',
    'zohoassist.com',
    'zohopublic.com',
    'zohopublic.eu',
    'meeting.zoho.com',
    'meeting.zoho.eu',
    'static.zohocdn.com',
    'zohodl.com.cn',
    'zohowebstatic.com',
    'zohostatic.in'
    )
    and InitiatingProcessVersionInfoCompanyName has 'Zoho'
    and InitiatingProcessVersionInfoProductName has 'Zoho Assist'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
    RemoteUrl
```
Hunting rule definition (YAML):

```yaml
id: b915897c-1fe7-47f4-9e06-2ae74da8203e
name: Remote Management and Monitoring tool - ZohoAssist - Network Connection
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics: CommandAndControl
relevantTechniques: T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceNetworkEvents
  | where Timestamp between (Time_start..Time_end)
  | where RemoteUrl has_any (
      'assist.zoho.com',
      'assist.zoho.eu',
      'assist.zoho.com.au',
      'assist.zoho.in',
      'assist.zoho.jp',
      'assist.zoho.uk',
      'assistlab.zoho.com',
      'downloads.zohocdn.com',
      'download-accl.zoho.in',
      'zohoassist.com',
      'zohopublic.com',
      'zohopublic.eu',
      'meeting.zoho.com',
      'meeting.zoho.eu',
      'static.zohocdn.com',
      'zohodl.com.cn',
      'zohowebstatic.com',
      'zohostatic.in'
      )
      and InitiatingProcessVersionInfoCompanyName has 'Zoho'
      and InitiatingProcessVersionInfoProductName has 'Zoho Assist'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
      RemoteUrl
```
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
Expected-use scenarios (false-positive candidates):

Scenario: Scheduled Maintenance Task Using ZohoAssist
- Description: A system administrator schedules a routine maintenance task using ZohoAssist to update remote endpoints.
- Filter/Exclusion: `process.name != "ZohoAssist.exe" OR event_id != 1234` (replace with actual event ID related to scheduled tasks)

Scenario: ZohoAssist Used for Remote Desktop Support
- Description: An IT support technician uses ZohoAssist to provide remote desktop assistance to an end-user.
- Filter/Exclusion: `process.name != "ZohoAssist.exe" OR user.name != "IT_Support_Team"`

Scenario: Automated Patching Job via ZohoAssist
- Description: A patching job is initiated via ZohoAssist to update software on multiple endpoints during off-peak hours.
- Filter/Exclusion: `process.name != "ZohoAssist.exe" OR event_id != 5678` (replace with actual event ID related to patching jobs)

Scenario: ZohoAssist Used for Inventory Collection
- Description: The IT department uses ZohoAssist to collect hardware and software inventory from endpoints.
- Filter/Exclusion: `process.name != "ZohoAssist.exe" OR user.name != "IT_Inventory_Team"`

Scenario: ZohoAssist Integration with SIEM for Log Collection
- Description: ZohoAssist is configured to send logs to a SIEM system for centralized monitoring and analysis.
- Filter/Exclusion: `process.name != "ZohoAssist.exe" OR destination_ip != "SIEM_SERVER_IP"`
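The scenario filters above use generic field names; in DeviceNetworkEvents the equivalents are InitiatingProcessFileName, InitiatingProcessAccountName and RemoteIP. The query below is an added example, not part of the original hunting rule, showing one way to fold those scenarios into the hunt as suppressions; the ApprovedOperators and MaintenanceWindows tables and SiemCollectorIp are placeholder assumptions to be replaced with your own baseline.

```kql
// Added example: the Zoho Assist hunt with expected-use scenarios suppressed or flagged.
let Time_start = now(-5d);
let Time_end = now();
let ZohoDomains = dynamic([
    'assist.zoho.com', 'assist.zoho.eu', 'assist.zoho.com.au', 'assist.zoho.in',
    'assist.zoho.jp', 'assist.zoho.uk', 'assistlab.zoho.com', 'downloads.zohocdn.com',
    'download-accl.zoho.in', 'zohoassist.com', 'zohopublic.com', 'zohopublic.eu',
    'meeting.zoho.com', 'meeting.zoho.eu', 'static.zohocdn.com', 'zohodl.com.cn',
    'zohowebstatic.com', 'zohostatic.in']);
// Accounts approved to run Zoho Assist sessions (placeholder names, lowercase because
// KQL join keys are case-sensitive).
let ApprovedOperators = datatable(AccountName:string, Team:string) [
    'svc_zohoassist', 'IT_Support_Team',
    'svc_inventory',  'IT_Inventory_Team'
];
// Approved change windows for scheduled maintenance and patching (placeholder values).
let MaintenanceWindows = datatable(WindowStart:datetime, WindowEnd:datetime, Purpose:string) [
    datetime(2024-01-06 01:00:00), datetime(2024-01-06 05:00:00), 'Patching job'
];
let SiemCollectorIp = '203.0.113.10';   // placeholder log-collector address (TEST-NET-3)
DeviceNetworkEvents
| where Timestamp between (Time_start .. Time_end)
| where RemoteUrl has_any (ZohoDomains)
| where InitiatingProcessVersionInfoCompanyName has 'Zoho'
    and InitiatingProcessVersionInfoProductName has 'Zoho Assist'
// SIEM log-collection scenario: traffic to the collector is expected.
| where RemoteIP != SiemCollectorIp
// Remote-support and inventory scenarios: drop sessions launched by approved accounts.
| extend AccountName = tolower(InitiatingProcessAccountName)
| join kind=leftanti ApprovedOperators on AccountName
// Maintenance and patching scenarios: flag (rather than drop) events inside an approved
// window, so an unapproved account that is active during a window is still surfaced.
| extend k = 1
| join kind=leftouter (MaintenanceWindows | extend k = 1) on k
| extend InWindow = Timestamp >= WindowStart and Timestamp <= WindowEnd
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=dcount(ReportId),
    EventsInApprovedWindow=countif(InWindow)
    by DeviceId, DeviceName, RemoteUrl, AccountName, InitiatingProcessFileName
| order by Count desc
```

Rows with EventsInApprovedWindow equal to Count and a recognisable admin account are the first candidates for tuning; everything else is the hunt's review queue.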