Query Details

Detecting RMM Tools Using the ProcessVersionInfoCompanyName Column

Query

# Detecting RMM tools using the ProcessVersionInfoCompanyName column

## Description

The recent rise in Remote Monitoring and Management (RMM) tools being abused by prominent threat actors for lateral movement and command and control (C2) has made the presence of legitimate software such as TeamViewer and NetSupport Manager a real concern. The following query matches the ProcessVersionInfoCompanyName column of DeviceProcessEvents against a hunting list of vendor names, which was built by installing and testing the corresponding tools and recording the company name embedded in each binary's version information. Note that version information is attacker-controlled metadata: a renamed or stripped binary will not carry the vendor name, so this query catches unmodified installs rather than deliberately disguised ones.

### References
- https://www.michalos.net/2023/11/27/detecting-rmm-tools-using-microsoft-defender-for-endpoint/

### Microsoft 365 Defender & Microsoft Sentinel
```
let RMMSoftware = externaldata(RMMSoftware: string)[@"https://raw.githubusercontent.com/cyb3rmik3/Hunting-Lists/main/rmm-software.csv"] with (format="csv", ignoreFirstRecord=True);
let ExclDevices = datatable(excludeddev :string)  // Add as many devices as you would like to exclude
 ["DeviceName1",
  "DeviceName2",
  "DeviceName3"];
let Timeframe = 7d; // Choose the best timeframe for your investigation
DeviceProcessEvents
    | where Timestamp > ago(Timeframe)
    | where ProcessVersionInfoCompanyName has_any (RMMSoftware)
    | where not(DeviceName in (['ExclDevices']))
    | project Timestamp, DeviceName, ActionType, FileName, FolderPath, ProcessVersionInfoCompanyName, ProcessVersionInfoProductName, ProcessCommandLine, AccountName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine
    | sort by Timestamp desc
```

### Versioning
| Version       | Date          | Comments                               |
| ------------- |---------------| ---------------------------------------|
| 1.0           | 27/11/2023    | Initial publish                        |




Explanation

The query is designed to surface the use of Remote Monitoring and Management (RMM) tools that threat actors use for lateral movement and command and control (C2). It matches the ProcessVersionInfoCompanyName column of DeviceProcessEvents against a hunting list of vendor names, built by installing and testing the corresponding tools, using has_any (case-insensitive, whole-term matching). It excludes the devices listed in ExclDevices and limits the results to the chosen timeframe. The output includes the timestamp, device name, action type, file name, folder path, process version info (company and product name), process command line, account name, initiating process account name, initiating process file name, and initiating process command line. The results are sorted by timestamp in descending order.
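To make the matching semantics concrete, the following stand-alone Python model reproduces the query's logic over a handful of constructed DeviceProcessEvents rows. It is an added example, not the author's code or part of the hunting list repository. The hunting list CSV, its RMMSoftware header, the device names and the company names are all constructed for illustration. The term-based matcher is an approximation of KQL's has_any (whole alphanumeric terms, case-insensitive), which is what makes "TeamViewer" match "TeamViewer Germany GmbH" but not a company name where it is only a substring of a longer term.

```python
"""Model of the RMM hunting query: time window, has_any-style matching on
ProcessVersionInfoCompanyName, device exclusion, descending sort.
Added example; the sample data below is constructed, not real telemetry."""
import csv
import io
import re
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the externaldata() hunting list; header name assumed.
HUNTING_LIST_CSV = """RMMSoftware
TeamViewer
NetSupport Ltd
AnyDesk Software GmbH
"""

NOW = datetime(2023, 11, 27, 12, 0, tzinfo=timezone.utc)
TIMEFRAME = timedelta(days=7)             # mirrors `let Timeframe = 7d;`
EXCLUDED_DEVICES = {"helpdesk-jump-01"}   # mirrors the ExclDevices datatable

# Constructed DeviceProcessEvents rows (only the columns the filters need).
SAMPLE_EVENTS = [
    {"Timestamp": NOW - timedelta(hours=1), "DeviceName": "ws-finance-01",
     "FileName": "TeamViewer.exe",
     "ProcessVersionInfoCompanyName": "TeamViewer Germany GmbH"},
    {"Timestamp": NOW - timedelta(days=2), "DeviceName": "ws-hr-07",
     "FileName": "client32.exe",
     "ProcessVersionInfoCompanyName": "NetSupport Ltd"},
    {"Timestamp": NOW - timedelta(days=1), "DeviceName": "helpdesk-jump-01",
     "FileName": "AnyDesk.exe",                       # excluded device
     "ProcessVersionInfoCompanyName": "AnyDesk Software GmbH"},
    {"Timestamp": NOW - timedelta(days=30), "DeviceName": "ws-sales-03",
     "FileName": "AnyDesk.exe",                       # outside the 7d window
     "ProcessVersionInfoCompanyName": "AnyDesk Software GmbH"},
    {"Timestamp": NOW - timedelta(hours=3), "DeviceName": "ws-dev-02",
     "FileName": "teamsync.exe",                      # substring only, no term match
     "ProcessVersionInfoCompanyName": "TeamViewerish Tools Inc"},
    {"Timestamp": NOW - timedelta(hours=5), "DeviceName": "ws-dev-04",
     "FileName": "notepad.exe",
     "ProcessVersionInfoCompanyName": "Microsoft Corporation"},
]


def terms(text):
    """Lowercase alphanumeric terms; approximates how KQL `has` tokenises text."""
    return re.findall(r"[0-9a-z]+", text.lower())


def has_term_phrase(haystack, needle):
    """Approximate KQL `has`: needle's terms must appear as a contiguous run of
    whole terms in haystack. Unlike `contains`, a partial term does not match."""
    h, n = terms(haystack), terms(needle)
    if not n:
        return False
    return any(h[i:i + len(n)] == n for i in range(len(h) - len(n) + 1))


def load_hunting_list(csv_text):
    """Mirror externaldata(...) with format="csv", ignoreFirstRecord=True."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [r["RMMSoftware"].strip() for r in reader if r["RMMSoftware"].strip()]


def hunt_rmm(events, hunting_list, excluded_devices, timeframe, now=NOW):
    """Apply the query's three filters and sort by Timestamp desc."""
    cutoff = now - timeframe
    hits = [
        e for e in events
        if e["Timestamp"] > cutoff
        and any(has_term_phrase(e["ProcessVersionInfoCompanyName"], t) for t in hunting_list)
        and e["DeviceName"] not in excluded_devices
    ]
    return sorted(hits, key=lambda e: e["Timestamp"], reverse=True)


def run_sample():
    """Run the model over the constructed rows; returns the device names that hit."""
    rmm = load_hunting_list(HUNTING_LIST_CSV)
    return [e["DeviceName"] for e in hunt_rmm(SAMPLE_EVENTS, rmm, EXCLUDED_DEVICES, TIMEFRAME)]


if __name__ == "__main__":
    for e in hunt_rmm(SAMPLE_EVENTS, load_hunting_list(HUNTING_LIST_CSV), EXCLUDED_DEVICES, TIMEFRAME):
        print(e["Timestamp"].isoformat(), e["DeviceName"], e["FileName"],
              e["ProcessVersionInfoCompanyName"])
```

Running it returns ws-finance-01 and ws-hr-07 only: the excluded jump host and the 30-day-old event are filtered out, and "TeamViewerish Tools Inc" is skipped because has_any matches whole terms, not substrings. If you want substring behaviour in the real query (at the cost of more false positives), switch has_any to contains-style matching deliberately rather than relying on the hunting list to cover every vendor spelling.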

Details

Michalis Michalos

Released: November 27, 2023

Tables

DeviceProcessEvents

Keywords

Devices,Intune,User,Timestamp,ActionType,FileName,FolderPath,ProcessVersionInfoCompanyName,ProcessVersionInfoProductName,ProcessCommandLine,AccountName,InitiatingProcessAccountName,InitiatingProcessFileName,InitiatingProcessCommandLine

Operators

where, has_any, not, in, project, sort by