AweSun is a remote management tool that attackers may use to establish persistence and command and control channels; because its binaries are code-signed by the vendor, the file signer is a stable indicator for hunting. SOC teams should proactively hunt for AweSun-signed files in Azure Sentinel to detect potential adversary use of RMM tools for long-term access and exfiltration.
KQL Query
let Time_start = now(-5d);
let Time_end = now();
//
DeviceFileCertificateInfo
| where Timestamp between (Time_start..Time_end)
| where Signer has_any ('aweray limited', 'aweray pte. ltd.')
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
            Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
id: b702180d-9a11-412d-b18f-74b72520bb47
name: Remote Management and Monitoring tool - AweSun - File Signature
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileCertificateInfo
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceFileCertificateInfo
  | where Timestamp between (Time_start..Time_end)
  | where Signer has_any ('aweray limited', 'aweray pte. ltd.')
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
              Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
Scenario: Scheduled System Maintenance via AweSun
Description: An admin schedules a routine system maintenance task using AweSun to update system files or perform disk cleanup.
Filter/Exclusion: process.parent_process_name == "Task Scheduler" or process.command_line contains "schtasks.exe"

Scenario: Legitimate File Signature Update via AweSun
Description: A system administrator uses AweSun to update file signatures or integrity checks as part of endpoint security maintenance.
Filter/Exclusion: process.command_line contains "update_signature" or process.command_line contains "integrity_check"

Scenario: Remote Desktop Services (RDS) Session Management via AweSun
Description: AweSun is used to monitor and manage RDS sessions, which is a common administrative task in enterprise environments.
Filter/Exclusion: process.parent_process_name == "mstsc.exe" or process.command_line contains "Remote Desktop Session"

Scenario: Automated Patch Deployment via AweSun
Description: AweSun is configured to deploy patches or updates across endpoints, which is a standard IT operation.
Filter/Exclusion: process.command_line contains "patch" or process.command_line contains "update" or process.command_line contains "deployment"

Scenario: User-Initiated File Monitoring via AweSun
Description: A user or admin uses AweSun to monitor specific directories or files for integrity or change tracking.
Filter/Exclusion: process.user in ("IT Admin", "Domain Admin") or process.command_line contains "monitor" or process.command_line contains "watch"
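The exclusion scenarios above reference process fields (process.command_line, process.user, process.parent_process_name), but the hunting query only reads DeviceFileCertificateInfo, which carries certificate and file-hash columns and no process context. The following KQL is an added example, not part of the original rule or the linked repository: it keeps the signer match from the query, joins the hits to DeviceProcessEvents on DeviceId and SHA1 so the scenario-style tuning can be expressed against real MDE columns, and applies a hypothetical allowlist (ApprovedDevices and ApprovedAccounts are placeholder values, not from the page). It also counts hits whose certificate is not trusted, since a signer string can be asserted by an untrusted certificate and those rows deserve attention first rather than exclusion.

```kql
// Added example (not the original rule's code). Assumes the Microsoft 365
// Defender tables DeviceFileCertificateInfo and DeviceProcessEvents as
// ingested into Sentinel via the MicrosoftThreatProtection connector.
let Time_start = now(-5d);
let Time_end = now();
// Hypothetical allowlist: hosts and accounts approved to run AweSun.
// Placeholder values; populate from your own change records / CMDB.
let ApprovedDevices = dynamic(["it-helpdesk-01.corp.example", "it-helpdesk-02.corp.example"]);
let ApprovedAccounts = dynamic(["svc_rmm", "helpdesk.admin"]);
// Same signer match as the hunting query, with the columns needed for the join.
let SignerHits = DeviceFileCertificateInfo
    | where Timestamp between (Time_start .. Time_end)
    | where Signer has_any ('aweray limited', 'aweray pte. ltd.')
    | project Timestamp, DeviceId, DeviceName, SHA1, Signer, IsTrusted, ReportId;
SignerHits
// Left outer join keeps file-only hits (e.g. a dropped installer that never
// executed in the window) instead of silently discarding them.
| join kind=leftouter (
    DeviceProcessEvents
    | where Timestamp between (Time_start .. Time_end)
    | project DeviceId, SHA1, ProcessCommandLine, AccountName,
              FolderPath, InitiatingProcessFileName
) on DeviceId, SHA1
// Tuning in the spirit of the scenarios above, on columns that exist.
// Exclude only when BOTH the host and the account are approved, so an
// approved admin box running AweSun under an unexpected account still surfaces.
| extend Approved = DeviceName in~ (ApprovedDevices) and AccountName in~ (ApprovedAccounts)
| where not(Approved)
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
            Hashes=make_set(SHA1),
            Accounts=make_set(AccountName),
            Launchers=make_set(InitiatingProcessFileName),
            Paths=make_set(FolderPath),
            CommandLines=make_set(ProcessCommandLine, 10),
            UntrustedSignerHits=countif(IsTrusted == false),
            Report=make_set(ReportId), Count=count()
    by DeviceId, DeviceName
// Untrusted-signer rows first, then the noisiest hosts.
| order by UntrustedSignerHits desc, Count desc
```

Keep the allowlist narrow and pair it with a recurring review: RMM exclusions that match on command-line substrings such as "update" or "patch" are easy for an operator to satisfy deliberately, whereas a host-plus-account allowlist tied to change records is something a reviewer can actually verify. The Launchers and Paths sets give the triage analyst the parent process and install location without a second query.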