AeroAdmin is a legitimate remote-access tool that adversaries also use to establish covert network connections for remote management and command and control. SOC teams should proactively hunt for its network activity in Microsoft Sentinel (formerly Azure Sentinel) to surface persistence and exfiltration channels built on RMM tools.
KQL Query
let Time_start = now(-5d);
let Time_end = now();
//
DeviceNetworkEvents
| where Timestamp between (Time_start..Time_end)
| where RemoteUrl has 'aeroadmin.com'
and InitiatingProcessVersionInfoCompanyName has_any ('AeroAdmin', 'Aero Admin')
and InitiatingProcessVersionInfoProductName has_any ('AeroAdmin', 'Aero Admin')
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
RemoteUrl
id: b00595db-ba89-48d8-bdf2-77b18c6be7ac
name: Remote Management and Monitoring tool - AeroAdmin - Network Connection
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics: CommandAndControl
relevantTechniques: T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceNetworkEvents
  | where Timestamp between (Time_start..Time_end)
  | where RemoteUrl has 'aeroadmin.com'
      and InitiatingProcessVersionInfoCompanyName has_any ('AeroAdmin', 'Aero Admin')
      and InitiatingProcessVersionInfoProductName has_any ('AeroAdmin', 'Aero Admin')
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
      RemoteUrl
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure the Microsoft Defender XDR (MicrosoftThreatProtection) data connector is enabled and streaming this table |
The filters below are written in a generic process.name / process.parent.name notation rather than KQL; in DeviceNetworkEvents the equivalent columns are InitiatingProcessFileName and InitiatingProcessParentFileName. Each filter keeps every event except the case where the named child process was spawned by aeromgr.exe. Validate the process names against your own AeroAdmin deployment before applying them, and keep in mind that the base query already limits results to binaries whose version information names AeroAdmin, so exclusions on other child processes only take effect if that condition is relaxed.
Scenario: Scheduled system updates using AeroAdmin
Description: AeroAdmin is used by IT to schedule and deploy system updates across endpoints. These updates often involve network connections to download patches.
Filter/Exclusion: process.name != "aeromgr.exe" OR process.parent.name != "aeromgr.exe"
Scenario: Remote desktop session initiated via AeroAdmin
Description: IT administrators use AeroAdmin to connect to remote machines for troubleshooting or support, which may involve establishing a network connection.
Filter/Exclusion: process.name != "mstsc.exe" OR process.parent.name != "aeromgr.exe"
Scenario: Automated backup job using AeroAdmin
Description: IT runs automated backup jobs through AeroAdmin, which may involve network connections to transfer data to a backup server.
Filter/Exclusion: process.name != "backup.exe" OR process.parent.name != "aeromgr.exe"
Scenario: Remote PowerShell session initiated via AeroAdmin
Description: Administrators use AeroAdmin to initiate PowerShell sessions on remote machines for script execution or configuration changes.
Filter/Exclusion: process.name != "powershell.exe" OR process.parent.name != "aeromgr.exe"
Scenario: Network discovery or inventory scan using AeroAdmin
Description: IT uses AeroAdmin to scan the network for inventory purposes, which may involve connecting to multiple endpoints.
Filter/Exclusion: (process.name != "aeromgr.exe" AND process.name != "nmap.exe") OR process.parent.name != "aeromgr.exe"
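A tuned version of the hunting query, added here as an example; it is not part of the original query or of the RemoteManagementMonitoringTools repository. It folds the false-positive scenarios above into DeviceNetworkEvents column names, adds an allowlist of sanctioned operator hosts and accounts (the names helpdesk-ws01.corp.example and svc-rmm are placeholders to replace with your own), and pulls in the context an analyst needs to triage a hit: remote IPs and ports, the initiating account, the binary path and its SHA256.

```kql
// Added tuning example, not the page's original hunting query.
let Time_start = now(-5d);
let Time_end = now();
// Placeholder allowlist (assumption): hosts and accounts sanctioned to run AeroAdmin.
let SanctionedDevices = dynamic(['helpdesk-ws01.corp.example']);
let SanctionedAccounts = dynamic(['svc-rmm']);
// Child processes the scenarios above treat as benign when their parent is aeromgr.exe.
let BenignChildren = dynamic(['aeromgr.exe', 'mstsc.exe', 'backup.exe', 'powershell.exe', 'nmap.exe']);
DeviceNetworkEvents
| where Timestamp between (Time_start..Time_end)
// Same base conditions as the page's query: AeroAdmin infrastructure, AeroAdmin-signed binary.
| where RemoteUrl has 'aeroadmin.com'
    and InitiatingProcessVersionInfoCompanyName has_any ('AeroAdmin', 'Aero Admin')
    and InitiatingProcessVersionInfoProductName has_any ('AeroAdmin', 'Aero Admin')
// Scenario exclusions, mapped to Sentinel columns: drop the named children of aeromgr.exe.
| where not(InitiatingProcessParentFileName =~ 'aeromgr.exe'
    and InitiatingProcessFileName in~ (BenignChildren))
// Drop sessions started by a sanctioned account on a sanctioned operator host; everything else stays.
| where not(DeviceName in~ (SanctionedDevices)
    and InitiatingProcessAccountName in~ (SanctionedAccounts))
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count(),
    RemoteIPs=make_set(RemoteIP), RemotePorts=make_set(RemotePort),
    Accounts=make_set(InitiatingProcessAccountName),
    Binaries=make_set(InitiatingProcessFolderPath),
    Hashes=make_set(InitiatingProcessSHA256)
    by DeviceId, DeviceName, RemoteUrl
// A long span between first and last beacon is a stronger persistence signal than a single connection.
| extend SessionSpan = LastSeen - FirstSeen
| order by Count desc, SessionSpan desc
```

Two points when adapting this. `has` is term matching, so 'aeroadmin.com' also matches hosts such as auth.aeroadmin.com but not a domain that merely contains the string inside a longer term; if the vendor's connection endpoints change, check the RemoteUrl values in your own data before tightening the match. The child-process exclusion is inert as long as the version-info conditions remain `and`ed, because mstsc.exe, powershell.exe and nmap.exe do not carry AeroAdmin version information; it only matters if you relax those conditions to catch a renamed or repackaged client, which is also when the allowlist and the path and hash columns earn their keep.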