A threat hunter should investigate processes created by remote management tools as they may indicate adversary persistence or command and control activity. Proactively hunting for such behavior in Azure Sentinel helps identify potential compromise of endpoints managed by RMM tools, which are increasingly exploited by attackers.
KQL Query

```kql
let Time_start = now(-5d);
let Time_end = now();
//
DeviceProcessEvents
| where Timestamp between (Time_start..Time_end)
| where ProcessVersionInfoCompanyName has 'Action1'
    and ProcessVersionInfoProductName has 'Action1'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
```
```yaml
id: cab70ba2-e9e7-4f38-8b3c-0808fd4756a0
name: Remote Management and Monitoring tool - Action1 - Create Process
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics: CommandAndControl
relevantTechniques: T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceProcessEvents
  | where Timestamp between (Time_start..Time_end)
  | where ProcessVersionInfoCompanyName has 'Action1'
      and ProcessVersionInfoProductName has 'Action1'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: A system administrator is using Microsoft Endpoint Manager (MEM) to deploy a scheduled task via Intune to update endpoint software.
Filter/Exclusion: Check for the presence of Microsoft Intune or Microsoft Endpoint Manager in the process tree or user context. Exclude processes initiated by the Intune service account or with a user in the Enterprise Admins group.
Scenario: A SolarWinds scheduled job is running to collect performance metrics from remote servers.
Filter/Exclusion: Filter out processes with the SolarWinds executable name or those initiated by the SolarWinds Service. Exclude processes where the parent process is a known SolarWinds service or agent.
Scenario: A Microsoft System Center Configuration Manager (SCCM) task sequence is deploying a software update across the network.
Filter/Exclusion: Exclude processes with the SCCM executable or those initiated by the SMS Executive service. Filter by user context to exclude Domain Admins or SCCM Admins.
Scenario: An Ansible playbook is being executed to configure remote servers, including process creation as part of a standard configuration task.
Filter/Exclusion: Check for the presence of Ansible in the process tree or command line. Exclude processes initiated by the Ansible service or with a user in the IT Operators group.
Scenario: A PowerShell script is run by a System Center Orchestrator (SCOM) job to monitor and manage remote endpoints.
Filter/Exclusion: Filter out processes with the System Center Orchestrator or SCOM service context. Exclude processes where the parent process is a known SCOM or Orchestrator service.
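The following query is an added example, not part of the original hunting rule: it extends the Action1 query above with the kind of parent-process and service-account exclusions the scenarios describe, keeps triage context (parents, accounts, command lines) in the output, and compares the hunt window against a 30-day baseline so devices running Action1 for the first time stand out. The allowlist entries (CcmExec.exe, svc-rmm) are assumed placeholder values, not part of the page.

```kql
// Added example: the page's Action1 hunt extended with (1) exclusions for
// known management parents and service accounts and (2) a 30-day baseline
// that flags devices seeing Action1 activity for the first time.
let Time_start = now(-5d);
let Time_end = now();
let Baseline_start = now(-35d);
// Allowlists are assumed placeholder values for illustration only:
// CcmExec.exe is the SCCM client named in the scenarios, svc-rmm is a
// constructed service account name. Replace with your own known-good set.
let KnownParents = dynamic(["CcmExec.exe"]);
let ServiceAccounts = dynamic(["svc-rmm"]);
// Devices that already ran Action1 in the 30 days before the hunt window
let BaselineDevices = toscalar(
    DeviceProcessEvents
    | where Timestamp between (Baseline_start..Time_start)
    | where ProcessVersionInfoCompanyName has 'Action1'
        and ProcessVersionInfoProductName has 'Action1'
    | summarize make_set(DeviceId));
DeviceProcessEvents
| where Timestamp between (Time_start..Time_end)
| where ProcessVersionInfoCompanyName has 'Action1'
    and ProcessVersionInfoProductName has 'Action1'
// Exclusions from the false-positive scenarios: known parent process
// or known service account launched the Action1 binary
| where not(InitiatingProcessFileName in~ (KnownParents))
| where not(InitiatingProcessAccountName in~ (ServiceAccounts))
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp), Count=count(),
    Report=make_set(ReportId, 50),
    Parents=make_set(InitiatingProcessFileName, 20),
    Accounts=make_set(AccountName, 20),
    CommandLines=make_set(ProcessCommandLine, 10)
    by DeviceId, DeviceName
// True when the device had no Action1 activity during the baseline period
| extend NewToDevice = not(set_has_element(BaselineDevices, DeviceId))
| order by NewToDevice desc, Count desc
```

Rows with NewToDevice set to true and a parent outside the allowlist are the ones worth triaging first; the Parents and CommandLines sets give the process-tree context the scenarios above ask a hunter to check.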