Query Details

Detecting Rmm Tools Using Processversioninfocompanymame Table

Query

let RMMSoftware = externaldata(RMMSoftware: string)[@"https://raw.githubusercontent.com/cyb3rmik3/Hunting-Lists/main/rmm-software.csv"] with (format="csv", ignoreFirstRecord=True);
let ExclDevices = datatable(excludeddev :string)  // Add as many devices you would like to exclude
 ["DeviceName1",
  "DeviceName2",
  "DeviceName3"];
let Timeframe = 7d; // Choose the best timeframe for your investigation
DeviceProcessEvents
    | where Timestamp > ago(Timeframe)
    | where ProcessVersionInfoCompanyName has_any (RMMSoftware)
    | where not(DeviceName in (['ExclDevices']))
    | project Timestamp, DeviceName, ActionType, FileName, FolderPath, ProcessVersionInfoCompanyName, ProcessVersionInfoProductName, ProcessCommandLine, AccountName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine
    | sort by Timestamp desc

About this query

Detecting Rmm Tools Using Processversioninfocompanymame Table

Description

Recent rise of Remote Monitoring and Management (RMM) tools used by prominent Threat Actors for lateral movement and command and control (C2) has led to significantly getting worried about the use of legitimate software such as Teamviewer, NetSupport Manager etc. The following query has been crafted to utilize the ProcessVersionInfoCompanyName table with a hunting list created by installing and testing corresponding tools.

References

Microsoft 365 Defender & Microsoft Sentinel

Versioning

VersionDateComments
1.027/11/2023Initial publish

Explanation

This KQL query is designed to detect the use of Remote Monitoring and Management (RMM) tools, which are often used by threat actors for unauthorized activities like lateral movement and command and control (C2) operations. The query leverages the ProcessVersionInfoCompanyName table to identify instances where these tools are being used on devices within a network.

Here's a simplified breakdown of the query:

  1. RMM Software List: The query starts by importing a list of known RMM software from an external CSV file. This list includes software like TeamViewer and NetSupport Manager, which are legitimate tools but can be misused by attackers.

  2. Excluded Devices: It defines a list of devices to exclude from the analysis. This is useful for ignoring known safe devices where RMM tools are expected to be used.

  3. Timeframe: The query looks at data from the past 7 days, but this timeframe can be adjusted based on the needs of the investigation.

  4. Data Filtering:

    • It searches through DeviceProcessEvents to find events where the ProcessVersionInfoCompanyName matches any of the RMM software names from the list.
    • It excludes any events from devices listed in the ExclDevices.
  5. Data Projection: The query selects specific fields to display, such as the timestamp, device name, action type, file name, and other relevant process information.

  6. Sorting: Finally, it sorts the results by timestamp in descending order, so the most recent events appear first.

Overall, this query helps security analysts identify potential misuse of RMM tools in their environment, allowing them to take appropriate action to secure their network.

Details

Michalis Michalos profile picture

Michalis Michalos

Released: September 29, 2024

Tables

DeviceProcessEvents

Keywords

Devices

Operators

letexternaldatawithdatatablewherehas_anynotinprojectsort bydesc

Actions

GitHub