AweSun is being used by adversaries to establish covert network connections for command and control, leveraging its legitimate RMM capabilities to exfiltrate data and maintain persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential C2 channels and persistent threats hidden within legitimate RMM tooling.
KQL Query

```kql
let Time_start = now(-5d);
let Time_end = now();
//
DeviceNetworkEvents
| where Timestamp between (Time_start..Time_end)
| where RemoteUrl has_any (
    "aweray.com",
    "aweray.net",
    "awerayimg.com",
    "awesun.app"
    )
    and InitiatingProcessVersionInfoCompanyName has 'AweRay'
    and InitiatingProcessVersionInfoProductName has 'AweSun'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
    RemoteUrl
```
```yaml
id: 4e339200-6a5a-4e83-8ba4-87acee0bd518
name: Remote Management and Monitoring tool - AweSun - Network Connection
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceNetworkEvents
  | where Timestamp between (Time_start..Time_end)
  | where RemoteUrl has_any (
      "aweray.com",
      "aweray.net",
      "awerayimg.com",
      "awesun.app"
      )
      and InitiatingProcessVersionInfoCompanyName has 'AweRay'
      and InitiatingProcessVersionInfoProductName has 'AweSun'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
      RemoteUrl
```
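To sanity-check the query's filter and summarize logic outside Sentinel, here is an added Python re-implementation (not part of the original rule) run over constructed DeviceNetworkEvents-style rows; the device names, report ids and timestamps are made up, and KQL `has`/`has_any` is approximated as case-insensitive substring matching.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Domains and version-info strings taken from the hunting query above.
AWESUN_DOMAINS = ("aweray.com", "aweray.net", "awerayimg.com", "awesun.app")
COMPANY = "InitiatingProcessVersionInfoCompanyName"
PRODUCT = "InitiatingProcessVersionInfoProductName"

# Constructed sample rows in the shape of DeviceNetworkEvents (not real telemetry).
NOW = datetime(2024, 5, 3, 12, 0)

def _row(ts, dev_id, dev_name, url, company, product, report):
    return {"Timestamp": ts, "DeviceId": dev_id, "DeviceName": dev_name,
            "RemoteUrl": url, COMPANY: company, PRODUCT: product, "ReportId": report}

SAMPLE_EVENTS = [
    _row(datetime(2024, 5, 1, 9, 0), "dev-01", "ws-finance-07", "client.aweray.com", "AweRay Inc.", "AweSun", 101),
    _row(datetime(2024, 5, 2, 22, 30), "dev-01", "ws-finance-07", "client.aweray.com", "AweRay Inc.", "AweSun", 102),
    _row(datetime(2024, 5, 3, 8, 15), "dev-02", "srv-build-02", "api.awesun.app", "AweRay Inc.", "AweSun", 201),
    # A user browsing the vendor website: URL matches, but the process is not AweSun, so it is excluded.
    _row(datetime(2024, 5, 2, 10, 0), "dev-03", "ws-hr-01", "www.aweray.com", "Contoso Ltd", "Contoso Browser", 301),
    # AweSun traffic older than the 5-day window: excluded by the Timestamp filter.
    _row(datetime(2024, 4, 20, 7, 0), "dev-01", "ws-finance-07", "client.aweray.com", "AweRay Inc.", "AweSun", 99),
]

def _has(value, needle):
    """Approximates KQL has/has_any as case-insensitive containment."""
    return needle.lower() in (value or "").lower()

def hunt_awesun(events, now, lookback=timedelta(days=5)):
    """Mirror the query: time window, domain match, AweRay/AweSun version info, then summarize."""
    start = now - lookback
    groups = defaultdict(list)
    for e in events:
        if not start <= e["Timestamp"] <= now:
            continue
        if not any(_has(e["RemoteUrl"], d) for d in AWESUN_DOMAINS):
            continue
        if not (_has(e[COMPANY], "AweRay") and _has(e[PRODUCT], "AweSun")):
            continue
        groups[(e["DeviceId"], e["DeviceName"], e["RemoteUrl"])].append(e)
    results = []
    for (dev_id, dev_name, url), rows in groups.items():
        stamps = [r["Timestamp"] for r in rows]
        results.append({"DeviceId": dev_id, "DeviceName": dev_name, "RemoteUrl": url,
                        "FirstSeen": min(stamps), "LastSeen": max(stamps),
                        "Report": sorted({r["ReportId"] for r in rows}), "Count": len(rows)})
    return sorted(results, key=lambda r: (r["DeviceId"], r["RemoteUrl"]))

if __name__ == "__main__":
    for hit in hunt_awesun(SAMPLE_EVENTS, NOW):
        print(hit)
```

Feeding exported rows from a real DeviceNetworkEvents query into `hunt_awesun` gives a quick way to test exclusions before committing them to the rule.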
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance via AweSun
Description: An administrator schedules a routine system maintenance task using AweSun to update endpoints. This may involve establishing a network connection to remote systems.
Filter/Exclusion: process.name != "AweSun.exe" OR event_id != 1234 (replace with actual event ID related to scheduled tasks)

Scenario: Remote Desktop Protocol (RDP) Session Established via AweSun
Description: An IT admin uses AweSun to initiate an RDP session to a remote endpoint for troubleshooting. This may trigger network connection alerts.
Filter/Exclusion: destination_port != 3389 OR process.name != "mstsc.exe"

Scenario: AweSun Agent Communication with Central Server
Description: The AweSun agent periodically communicates with the central management server to sync configurations or report status. This is a normal part of its operation.
Filter/Exclusion: source_ip IN (known AweSun management server IPs)

Scenario: Admin Task to Reconfigure Network Settings via AweSun
Description: An administrator uses AweSun to push new network settings to a group of endpoints, which may involve establishing outbound connections to update configurations.
Filter/Exclusion: process.name != "AweSunConfig.exe" OR event_id != 5678 (replace with actual event ID for configuration tasks)

Scenario: AweSun Job to Deploy Patch via Network
Description: AweSun is used to deploy a security patch to multiple endpoints, which involves network connections to download and install the patch.
Filter/Exclusion: process.name != "AweSunPatchDeployer.exe" OR event_id != 9101 (replace with actual event ID for