Detecting Rmm Tools Using Processversioninfocompanymame Table
Query
let RMMSoftware = externaldata(RMMSoftware: string)[@"https://raw.githubusercontent.com/cyb3rmik3/Hunting-Lists/main/rmm-software.csv"] with (format="csv", ignoreFirstRecord=True);
let ExclDevices = datatable(excludeddev :string) // Add as many devices you would like to exclude
["DeviceName1",
"DeviceName2",
"DeviceName3"];
let Timeframe = 7d; // Choose the best timeframe for your investigation
DeviceProcessEvents
| where Timestamp > ago(Timeframe)
| where ProcessVersionInfoCompanyName has_any (RMMSoftware)
| where not(DeviceName in (['ExclDevices']))
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, ProcessVersionInfoCompanyName, ProcessVersionInfoProductName, ProcessCommandLine, AccountName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp descAbout this query
Detecting Rmm Tools Using Processversioninfocompanymame Table
Description
Recent rise of Remote Monitoring and Management (RMM) tools used by prominent Threat Actors for lateral movement and command and control (C2) has led to significantly getting worried about the use of legitimate software such as Teamviewer, NetSupport Manager etc. The following query has been crafted to utilize the ProcessVersionInfoCompanyName table with a hunting list created by installing and testing corresponding tools.
References
Microsoft 365 Defender & Microsoft Sentinel
Versioning
| Version | Date | Comments |
|---|---|---|
| 1.0 | 27/11/2023 | Initial publish |
Explanation
This KQL query is designed to detect the use of Remote Monitoring and Management (RMM) tools, which are often used by threat actors for unauthorized activities like lateral movement and command and control (C2) operations. The query leverages the ProcessVersionInfoCompanyName table to identify instances where these tools are being used on devices within a network.
Here's a simplified breakdown of the query:
-
RMM Software List: The query starts by importing a list of known RMM software from an external CSV file. This list includes software like TeamViewer and NetSupport Manager, which are legitimate tools but can be misused by attackers.
-
Excluded Devices: It defines a list of devices to exclude from the analysis. This is useful for ignoring known safe devices where RMM tools are expected to be used.
-
Timeframe: The query looks at data from the past 7 days, but this timeframe can be adjusted based on the needs of the investigation.
-
Data Filtering:
- It searches through
DeviceProcessEventsto find events where theProcessVersionInfoCompanyNamematches any of the RMM software names from the list. - It excludes any events from devices listed in the
ExclDevices.
- It searches through
-
Data Projection: The query selects specific fields to display, such as the timestamp, device name, action type, file name, and other relevant process information.
-
Sorting: Finally, it sorts the results by timestamp in descending order, so the most recent events appear first.
Overall, this query helps security analysts identify potential misuse of RMM tools in their environment, allowing them to take appropriate action to secure their network.
Details

Michalis Michalos
Released: September 29, 2024
Tables
Keywords
Operators