The hypothesis is that an adversary is using AnyViewer, a remote management tool, to establish persistence or a command-and-control channel. The indicator this hunt uses is the file signature: AnyViewer binaries are code-signed by their vendor, so the signer name on signed files identifies the tool on an endpoint even when the executable has been renamed or moved. SOC teams should proactively hunt for this in Azure Sentinel to detect abuse of legitimate RMM tools by threat actors seeking to maintain long-term access and exfiltrate data.
KQL Query
let Time_start = now(-5d);
let Time_end = now();
//
DeviceFileCertificateInfo
| where Timestamp between (Time_start..Time_end)
| where Signer has 'AOMEI International Network Limited'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
id: 43916f07-5a0c-4d8f-8239-ba9bc1692ec3
name: Remote Management and Monitoring tool - AnyViewer - File Signature
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileCertificateInfo
tactics: CommandAndControl
relevantTechniques: T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceFileCertificateInfo
  | where Timestamp between (Time_start..Time_end)
  | where Signer has 'AOMEI International Network Limited'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
Scenario: Legitimate scheduled job for system monitoring
Description: A system administrator schedules a daily job using AnyViewer to check system health and collect logs from remote endpoints.
Filter/Exclusion: Exclude events where the process is initiated by a known system account (e.g., SYSTEM, LocalService) and the file path matches the legitimate AnyViewer installation directory.
Scenario: Admin task to update AnyViewer on multiple endpoints
Description: An IT admin uses AnyViewer to push updates to remote machines as part of a routine maintenance task.
Filter/Exclusion: Exclude events where the process is initiated by an admin account (e.g., Administrator, Domain Admins) and the file path corresponds to a known AnyViewer update script or executable.
Scenario: Remote desktop session using AnyViewer for support
Description: A support technician uses AnyViewer to connect to a user’s machine to resolve an issue, such as a frozen application or login problem.
Filter/Exclusion: Exclude events where the connection is initiated from a known support IP range or the user is part of a support group (e.g., Helpdesk, IT Support).
Scenario: File integrity monitoring tool using AnyViewer
Description: A security tool uses AnyViewer to scan remote endpoints for file integrity and compliance checks.
Filter/Exclusion: Exclude events where the process is initiated by a known security tool account (e.g., SecurityAdmin, SIEMAdmin) and the file path is within a monitored directory.
Scenario: Backup process using AnyViewer to transfer data
Description: A backup solution uses AnyViewer to transfer backup files from remote endpoints to a central server.
Filter/Exclusion: Exclude events where the process is initiated by a backup service account (e.g., BackupService, BackupUser) and the file path corresponds to the backup solution's AnyViewer installation.
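The exclusions above refer to the initiating account and the file path, but DeviceFileCertificateInfo only records the signer of a file, not who ran it or from where. The following query is an added example, not part of the original hunting query or the linked repository: it keeps the signer match as the seed, joins each signed file's SHA1 to DeviceProcessEvents on the same device to obtain the account and folder path, and then applies the account-plus-path exclusions from the scenarios. The account names, install directories and the "user-writable location" heuristic are constructed placeholders that an analyst would replace with their own environment's values.

```kql
// Added example: signer-based AnyViewer hunt enriched with process context.
// Not the original query; exclusion lists are constructed placeholders.
let Time_start = now(-5d);
let Time_end = now();
// Accounts that legitimately run AnyViewer (scenarios 1, 2, 4, 5) - placeholders
let ExcludedAccounts = dynamic([
    "system", "local service", "network service",   // scheduled system jobs
    "administrator",                                // routine admin updates
    "securityadmin", "siemadmin",                   // file-integrity tooling
    "backupservice", "backupuser"                   // backup transfers
]);
// Signed files from the vendor seen in the window, one row per device and hash
let SignedAnyViewer = DeviceFileCertificateInfo
    | where Timestamp between (Time_start .. Time_end)
    | where Signer has 'AOMEI International Network Limited'
    | distinct DeviceId, SHA1, Signer;
DeviceProcessEvents
| where Timestamp between (Time_start .. Time_end)
// Attach signer information to the process by device and file hash
| join kind=inner SignedAnyViewer on DeviceId, SHA1
| extend AccountLower = tolower(AccountName)
// Assumed install directories; extend with the paths used by your deployment
| extend InInstallDir = FolderPath startswith @"C:\Program Files (x86)\AnyViewer\"
                     or FolderPath startswith @"C:\Program Files\AnyViewer\"
| extend KnownAccount = AccountLower in (ExcludedAccounts)
// Drop only the combination the scenarios describe: known account AND known path.
// A known account launching the tool from elsewhere is still worth a look.
| where not(KnownAccount and InInstallDir)
// Term-based match on path segments; flags copies in user-writable locations
| extend UserWritablePath = FolderPath has_any ("Users", "Temp", "AppData", "ProgramData")
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Accounts=make_set(AccountName), Paths=make_set(FolderPath),
    CommandLines=make_set(ProcessCommandLine, 10),
    Report=make_set(ReportId), Count=count()
    by DeviceId, DeviceName, Signer, UserWritablePath
| order by UserWritablePath desc, Count desc
```

The support-session scenario (known support IP range or membership in a Helpdesk group) cannot be expressed with these two tables alone: the remote peer lives in DeviceNetworkEvents, which would be joined on DeviceId and InitiatingProcessSHA1 in the same way, and group membership would come from an identity source such as IdentityInfo. Keeping the exclusion as "known account and known path" rather than account alone is deliberate, since a signed AnyViewer binary dropped under a user profile is exactly the case the hunt exists to surface.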