Atera, a remote management tool, is abused by adversaries to establish persistence and command and control channels. This hunt identifies Atera binaries by their code-signing certificate (files signed by 'Atera Networks'), so SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential long-term adversary presence and exfiltration capabilities.
KQL Query
let Time_start = now(-5d);
let Time_end = now();
//
DeviceFileCertificateInfo
| where Timestamp between (Time_start..Time_end)
| where Signer has 'Atera Networks'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
id: b3e3ea20-7e51-495b-894b-1d050af605c3
name: Remote Management and Monitoring tool - Atera - File Signature
description: |
  Remote Monitoring and Management (RMM) programs are used by IT teams to manage remote endpoints. Attackers have begun to abuse these programs to persist or to provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileCertificateInfo
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceFileCertificateInfo
  | where Timestamp between (Time_start..Time_end)
  | where Signer has 'Atera Networks'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
Scenario: A system administrator is using Atera to remotely install a legitimate software update on multiple endpoints.
Filter/Exclusion: Exclude processes initiated by the Atera agent with the update or patch command in the command line arguments.
Scenario: A scheduled job in Atera is configured to collect system logs from remote endpoints for compliance purposes.
Filter/Exclusion: Exclude processes associated with the Atera log collection task, identified by a specific process name or command line argument like log_collect.
Scenario: An IT admin is using Atera to remotely configure firewall rules on a group of servers.
Filter/Exclusion: Exclude processes that modify firewall rules and are initiated by the Atera agent with a known configuration task identifier.
Scenario: A user relies on Atera to remotely monitor system performance and generate reports.
Filter/Exclusion: Exclude processes that are part of Atera’s performance monitoring module, identified by a specific process name or service tag.
Scenario: A system administrator is using Atera to deploy a custom script across multiple endpoints for patch management.
Filter/Exclusion: Exclude processes that execute scripts with a known Atera deployment script signature or that are initiated by the Atera deployment service.
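The exclusions above refer to process names and command lines, which DeviceFileCertificateInfo does not carry. The following query, an added example and not part of the original rule, joins the Atera-signed file hashes to DeviceProcessEvents so those exclusions can be applied, and flags devices where the signer was first seen within the last day. The KnownAdminTasks list and the one-day NewInstall threshold are assumptions to tune per environment.

```kql
// Added example: correlate Atera-signed binaries with the processes that ran them.
let Time_start = now(-5d);
let Time_end = now();
// Assumed allowlist of markers for admin-initiated tasks (e.g. the log_collect task above);
// keep it narrow, since broad terms such as "update" will also hide attacker activity.
let KnownAdminTasks = dynamic(["log_collect"]);
// Hashes of files whose Authenticode signer is Atera Networks, from the base hunt.
let AteraFiles = DeviceFileCertificateInfo
    | where Timestamp between (Time_start..Time_end)
    | where Signer has 'Atera Networks'
    | distinct SHA1;
DeviceProcessEvents
| where Timestamp between (Time_start..Time_end)
| where SHA1 in (AteraFiles)
// Apply the command-line exclusions from the scenarios above.
| where not(ProcessCommandLine has_any (KnownAdminTasks))
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    CommandLines=make_set(ProcessCommandLine, 20), Count=count()
    by DeviceId, DeviceName, FileName, InitiatingProcessFileName
// A signer that appeared on a device only in the last day is a fresh install worth triage.
| extend NewInstall = FirstSeen > ago(1d)
| order by NewInstall desc, FirstSeen asc
```

Review the InitiatingProcessFileName column as well: an Atera agent launched by an installer from a user's Downloads folder tells a different story than one started by the Atera service.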