An adversary is using a Remote Management and Monitoring tool to establish a network connection for potential C2 communication or persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate early-stage compromise attempts leveraging RMM tools.
KQL Query

```kql
let Time_start = now(-5d);
let Time_end = now();
//
DeviceNetworkEvents
| where Timestamp between (Time_start..Time_end)
| where RemoteUrl has 'server.action1.com'
    and InitiatingProcessVersionInfoCompanyName has 'Action1'
    and InitiatingProcessVersionInfoProductName has 'Action1'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
    RemoteUrl
```
```yaml
id: 7da76b41-8c1d-4602-91c6-5d99738d38f4
name: Remote Management and Monitoring tool - Action1 - Network Connection
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceNetworkEvents
  | where Timestamp between (Time_start..Time_end)
  | where RemoteUrl has 'server.action1.com'
      and InitiatingProcessVersionInfoCompanyName has 'Action1'
      and InitiatingProcessVersionInfoProductName has 'Action1'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
      RemoteUrl
```
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: A system administrator is using Microsoft SCCM to push out a software update via a scheduled task that initiates a network connection to a remote server.

Filter/Exclusion: `process.name != "setup.exe" && process.name != "microsoft-windows-servicemodel-http-activation" && process.name != "sccmclient" && destination_ip != "10.10.10.10"`

Scenario: A SolarWinds Network Configuration Manager agent is synchronizing configuration data with the central server, causing outbound network connections.

Filter/Exclusion: `process.name != "ncc.exe" && process.name != "solarwinds" && destination_ip != "10.10.10.20"`

Scenario: An Altiris (now part of Symantec) agent is performing a routine inventory check and establishing a connection to the management server.

Filter/Exclusion: `process.name != "altirisagent.exe" && process.name != "inventory.exe" && destination_ip != "10.10.10.30"`

Scenario: A Microsoft Intune client is syncing device compliance policies and connecting to the Microsoft Endpoint Manager (MEM) service.

Filter/Exclusion: `process.name != "intunewin32.exe" && process.name != "MicrosoftIntune" && destination_ip != "10.10.10.40"`

Scenario: A Kaseya VSA agent is performing a scheduled backup task that requires a network connection to the VSA server.

Filter/Exclusion: `process.name != "vsaagent.exe" && process.name != "kaseya" && destination_ip != "10.10.10.50"`
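The following Python script is an added example, not part of the original hunting query or its repository. It re-implements the KQL logic above (time window, the three `has` conditions, and the `summarize` by device and URL) over a handful of constructed DeviceNetworkEvents rows, and adds an allowlist step in the spirit of the scenario exclusions so the false-positive handling can be tested offline. The generic `process.name` and `destination_ip` fields of the exclusions are assumed here to map to `InitiatingProcessFileName` and `RemoteIP`; every event, IP address, process name, version-info string and allowlist entry is constructed for the demo and is not real telemetry.

```python
"""Offline re-implementation of the Action1 network-connection hunt.

Added example: not the repository's own code. All rows below are constructed.
"""
import re
from datetime import datetime, timezone

# Constructed DeviceNetworkEvents rows (column names follow the Defender schema).
SAMPLE_EVENTS = [
    {"Timestamp": "2024-01-10T09:00:00Z", "DeviceId": "dev-001", "DeviceName": "ws-finance-01",
     "RemoteUrl": "server.action1.com", "RemoteIP": "203.0.113.10",
     "InitiatingProcessFileName": "action1_agent.exe",
     "InitiatingProcessVersionInfoCompanyName": "Action1 Corporation",
     "InitiatingProcessVersionInfoProductName": "Action1 Agent", "ReportId": 101},
    {"Timestamp": "2024-01-11T14:30:00Z", "DeviceId": "dev-001", "DeviceName": "ws-finance-01",
     "RemoteUrl": "server.action1.com", "RemoteIP": "203.0.113.10",
     "InitiatingProcessFileName": "action1_agent.exe",
     "InitiatingProcessVersionInfoCompanyName": "Action1 Corporation",
     "InitiatingProcessVersionInfoProductName": "Action1 Agent", "ReportId": 102},
    # Same URL, but version info does not name Action1: the query's
    # company/product conditions do not match this row.
    {"Timestamp": "2024-01-11T15:00:00Z", "DeviceId": "dev-002", "DeviceName": "ws-hr-02",
     "RemoteUrl": "server.action1.com", "RemoteIP": "203.0.113.10",
     "InitiatingProcessFileName": "svchost.exe",
     "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation",
     "InitiatingProcessVersionInfoProductName": "Microsoft Windows", "ReportId": 103},
    # Sanctioned IT deployment (constructed) reaching a known address: allowlisted.
    {"Timestamp": "2024-01-12T08:00:00Z", "DeviceId": "dev-005", "DeviceName": "ws-it-05",
     "RemoteUrl": "server.action1.com", "RemoteIP": "203.0.113.20",
     "InitiatingProcessFileName": "action1_agent.exe",
     "InitiatingProcessVersionInfoCompanyName": "Action1 Corporation",
     "InitiatingProcessVersionInfoProductName": "Action1 Agent", "ReportId": 105},
    # Outside the 5-day window: dropped by the time filter.
    {"Timestamp": "2023-12-01T10:00:00Z", "DeviceId": "dev-004", "DeviceName": "ws-old-04",
     "RemoteUrl": "server.action1.com", "RemoteIP": "203.0.113.10",
     "InitiatingProcessFileName": "action1_agent.exe",
     "InitiatingProcessVersionInfoCompanyName": "Action1 Corporation",
     "InitiatingProcessVersionInfoProductName": "Action1 Agent", "ReportId": 106},
]

# Fixed window standing in for now(-5d) .. now() so the run is reproducible.
WINDOW_START = datetime(2024, 1, 8, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 1, 13, tzinfo=timezone.utc)

# Constructed allowlist of (process file name, remote IP) pairs, the shape of the
# scenario exclusions above. The original KQL query has no exclusion step.
ALLOWLIST = {("action1_agent.exe", "203.0.113.20")}


def kql_has(text, term):
    """Approximate KQL `has`: case-insensitive match on whole terms, where a term
    boundary is any character other than a letter or digit."""
    pattern = r"(?<![A-Za-z0-9])" + re.escape(term) + r"(?![A-Za-z0-9])"
    return re.search(pattern, text, re.IGNORECASE) is not None


def parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps used in the sample rows."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def matches_action1(event):
    """The three `has` conditions of the hunting query."""
    return (kql_has(event["RemoteUrl"], "server.action1.com")
            and kql_has(event["InitiatingProcessVersionInfoCompanyName"], "Action1")
            and kql_has(event["InitiatingProcessVersionInfoProductName"], "Action1"))


def is_allowlisted(event, allowlist=ALLOWLIST):
    """Exclusion in the style of the scenarios: known process to known address."""
    return (event["InitiatingProcessFileName"].lower(), event["RemoteIP"]) in allowlist


def hunt(events, start=WINDOW_START, end=WINDOW_END, allowlist=ALLOWLIST):
    """Mirror the KQL pipeline and return the summarize() groups keyed by
    (DeviceId, DeviceName, RemoteUrl)."""
    groups = {}
    for ev in events:
        ts = parse_ts(ev["Timestamp"])
        if not (start <= ts <= end):          # | where Timestamp between (...)
            continue
        if not matches_action1(ev) or is_allowlisted(ev, allowlist):
            continue
        key = (ev["DeviceId"], ev["DeviceName"], ev["RemoteUrl"])
        g = groups.setdefault(key, {"FirstSeen": ts, "LastSeen": ts,
                                    "Report": set(), "Count": 0})
        g["FirstSeen"] = min(g["FirstSeen"], ts)   # min(Timestamp)
        g["LastSeen"] = max(g["LastSeen"], ts)     # max(Timestamp)
        g["Report"].add(ev["ReportId"])            # make_set(ReportId)
        g["Count"] += 1                            # count()
    return groups


if __name__ == "__main__":
    for (device_id, device_name, url), g in hunt(SAMPLE_EVENTS).items():
        print(f"{device_name} ({device_id}) -> {url}: count={g['Count']} "
              f"first={g['FirstSeen'].isoformat()} last={g['LastSeen'].isoformat()} "
              f"reports={sorted(g['Report'])}")
```

Running the script reports only `ws-finance-01`: the `svchost.exe` row fails the version-info conditions, the IT deployment is removed by the allowlist, and the December row falls outside the window. Keep any real allowlist narrow (a specific process reaching a specific address) rather than excluding a process name alone, since a renamed binary would otherwise slip past the hunt.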