This hunting query looks for files signed by Ammyy, the publisher of the Ammyy Admin remote access tool, in Microsoft Defender for Endpoint's DeviceFileCertificateInfo table and summarises the hits per device over the last five days. Matching on the signer rather than the file name means the query still fires when the binary has been renamed. Ammyy is one of the remote monitoring and management (RMM) tools adversaries bring in for persistence or command and control (T1219), so SOC teams should run this in Microsoft Sentinel (formerly Azure Sentinel) as a proactive hunt and pivot on the collected ReportId values to reach the underlying events. The signer alone does not say who ran the tool or where it connected, so each hit needs process and network context before it is classed as benign or malicious.
KQL Query
let Time_start = now(-5d);
let Time_end = now();
//
DeviceFileCertificateInfo
| where Timestamp between (Time_start..Time_end)
| where Signer has 'Ammyy'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
id: 7c20af02-4bce-4d6d-b609-3ddf5ca4fb59
name: Remote Management and Monitoring tool - Ammyy - File Signature
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileCertificateInfo
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceFileCertificateInfo
  | where Timestamp between (Time_start..Time_end)
  | where Signer has 'Ammyy'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
False-positive tuning
DeviceFileCertificateInfo records which signed files were seen on which device; it has no process, parent-process, account or network columns. The only exclusion the query supports directly is therefore by device (DeviceName or DeviceId, ideally kept in a Sentinel watchlist). Anything finer needs a join on DeviceId and SHA1 to DeviceProcessEvents (account, command line, parent process) or DeviceNetworkEvents (remote address), and every exclusion should be as narrow as the approved use, because Ammyy in the hands of an intruder looks identical to Ammyy in the hands of IT.
Scenario: Legitimate use of Ammyy for remote desktop support by IT staff
Filter/Exclusion: Exclude the named support workstations only, e.g. `| where DeviceName !in ("HELPDESK-01", "HELPDESK-02")` (hypothetical names), or a watchlist of approved hosts. Do not exclude by account: a compromised IT account would vanish from the results along with the legitimate use.
Scenario: Scheduled maintenance tasks using Ammyy for system updates
Filter/Exclusion: Not filterable in this table. Join to DeviceProcessEvents on DeviceId and SHA1 and exclude only the documented task: its host, its ProcessCommandLine and its InitiatingProcessFileName. A blanket exclusion of anything launched by schtasks.exe would hide scheduled-task persistence, one of the most common ways an RMM tool is kept alive after compromise.
Scenario: Admins using Ammyy to monitor and manage endpoint devices during routine audits
Filter/Exclusion: Do not exclude Domain Admins or the built-in Administrator account; privileged accounts are the ones an intruder most wants and the ones most likely to be used to run an attacker-installed RMM tool. Scope the exclusion to the auditors' devices and, if needed, the audit window, and review everything outside it.
Scenario: Ammyy used for remote file transfers between servers in a secure internal network
Filter/Exclusion: Destination addresses are not in this table, and a blanket exclusion of the RFC 1918 ranges would also cover an attacker pivoting inside the network. If network scope matters, join the file's SHA1 to DeviceNetworkEvents on InitiatingProcessSHA1 and review RemoteIP with `ipv4_is_in_any_range(RemoteIP, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")`, then exclude only the specific approved server pairs.
Scenario: Ammyy being used by a third-party service provider for managed services
Filter/Exclusion: Do not exclude on msiexec.exe as the parent process; any Ammyy dropped by an MSI package, malicious or not, would match. Record the SHA1 of the package the provider actually deploys and the list of devices it manages, and exclude that hash on those devices only, with both values supplied and confirmed by the provider.
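The following KQL is an added example, not code from the original page or from the linked repository. It keeps the signer-based match of the hunting query above, then joins each Ammyy-signed file (by DeviceId and SHA1) to the processes that ran it, so the analyst sees file name, path, account and parent process per device, and it applies the kind of exclusion the tuning scenarios above call for: by approved device, never by account, parent process or subnet. The watchlist name 'ApprovedRMMHosts' and its 'DeviceName' column are assumptions; the MDE tables are assumed to arrive through the Microsoft 365 Defender connector.

```kql
// Added example: Ammyy signer hunt enriched with process context and a
// device-scoped allowlist. Not from the original page or repository.
let Time_start = now(-5d);
let Time_end = now();
// Assumption: a Sentinel watchlist 'ApprovedRMMHosts' with a 'DeviceName' column.
let ApprovedHosts = _GetWatchlist('ApprovedRMMHosts')
    | project DeviceName = tostring(DeviceName);
let AmmyySigned = DeviceFileCertificateInfo
    | where Timestamp between (Time_start .. Time_end)
    | where Signer has 'Ammyy'
    | project CertTime = Timestamp, DeviceId, DeviceName, SHA1,
              Signer, Issuer, IsTrusted, CertificateSerialNumber, ReportId;
AmmyySigned
// Tune by device, not by account or subnet: a stolen admin account or an
// internal pivot would otherwise disappear from the results.
| where DeviceName !in (ApprovedHosts)
// Left outer join so a signed file that never executed is still reported.
| join kind=leftouter (
    DeviceProcessEvents
    | where Timestamp between (Time_start .. Time_end)
    | project ProcTime = Timestamp, DeviceId, SHA1, FileName, FolderPath,
              ProcessCommandLine, AccountDomain, AccountName,
              InitiatingProcessFileName, InitiatingProcessCommandLine
  ) on DeviceId, SHA1
| summarize FirstSeen = min(CertTime), LastSeen = max(CertTime),
            Executions = countif(isnotempty(ProcTime)),
            FileNames = make_set_if(FileName, isnotempty(FileName), 10),
            Paths = make_set_if(FolderPath, isnotempty(FolderPath), 10),
            Accounts = make_set_if(strcat(AccountDomain, @"\", AccountName), isnotempty(AccountName), 10),
            Parents = make_set_if(InitiatingProcessFileName, isnotempty(InitiatingProcessFileName), 10),
            Hashes = make_set(SHA1, 10),
            Report = make_set(ReportId, 50)
  by DeviceId, DeviceName, Signer, IsTrusted
// Files that actually ran come first; a signed file with Executions == 0 is a
// staged or not-yet-launched copy and still deserves a look. IsTrusted == false
// means the chain did not validate and the 'Ammyy' subject may be a lookalike.
| order by Executions desc, LastSeen desc
```

Run it from Sentinel Logs with the Microsoft 365 Defender connector enabled; if no watchlist exists yet, replace the `ApprovedHosts` definition with a literal `datatable(DeviceName:string)[...]` of the hosts IT has signed off, and keep that list short and reviewed.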