The hypothesis is that an adversary is using DameWare, a legitimate remote monitoring and management (RMM) tool, to establish persistence and a command-and-control channel through a remote management process. SOC teams should proactively hunt for this behavior in Azure Sentinel, because an attacker-controlled RMM session provides long-term interactive access and a built-in file transfer (exfiltration) capability that blends in with administrative traffic.
KQL Query
// Hunting window: the last five days
let Time_start = now(-5d);
let Time_end = now();
//
DeviceProcessEvents
| where Timestamp between (Time_start .. Time_end)
// Match on the binary's embedded version metadata rather than its file name,
// so a renamed DameWare executable is still caught
| where ProcessVersionInfoCompanyName has_any ('DameWare', 'SolarWinds')
    and (ProcessVersionInfoProductName has 'DameWare'
         or ProcessVersionInfoFileDescription has 'DameWare')
// One row per device; ReportId lets you pivot back to the individual events
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
            Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
id: b4b09d6f-bd13-489d-9ccb-2dbc772e7c56
name: Remote Management and Monitoring tool - DameWare - Create Process
description: |
  Remote Monitoring and Management (RMM) programs are used by IT teams to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  // Hunting window: the last five days
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceProcessEvents
  | where Timestamp between (Time_start .. Time_end)
  // Match on the binary's embedded version metadata rather than its file name,
  // so a renamed DameWare executable is still caught
  | where ProcessVersionInfoCompanyName has_any ('DameWare', 'SolarWinds')
      and (ProcessVersionInfoProductName has 'DameWare'
           or ProcessVersionInfoFileDescription has 'DameWare')
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
              Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Populated by the MicrosoftThreatProtection data connector listed above; ensure that connector is enabled |
The filters below use a generic process.* notation. In DeviceProcessEvents, process.name corresponds to FileName, process.parent_process_name to InitiatingProcessFileName, and process.command_line to ProcessCommandLine. The executable names shown are illustrative and should be validated against the DameWare binaries actually deployed in the environment before being used as exclusions.
Scenario: Scheduled Maintenance Task via DameWare
Description: An IT administrator schedules a routine maintenance task using DameWare to update software on remote endpoints. Note that msiexec.exe carries Microsoft version metadata, so this child process never matches the query above on its own; the exclusion only matters for hunts that also key on the initiating (parent) process.
Filter/Exclusion: process.parent_process_name == "DameWare" && process.name == "msiexec.exe" && (process.command_line contains "patch" || process.command_line contains "update")
Scenario: DameWare Agent Service Initialization
Description: The DameWare agent service starts as part of the system boot process on managed endpoints. Scope this exclusion to the approved install path or file hash: a service-launched agent is also exactly how an attacker-installed copy of DameWare persists, so excluding every child of services.exe would hide the behavior this hunt is looking for.
Filter/Exclusion: process.name == "damewareagent.exe" && process.parent_process_name == "services.exe" && (process.command_line contains "start" || process.command_line contains "service")
Scenario: Remote System Backup via DameWare
Description: An IT team uses DameWare to perform a scheduled backup of critical systems across the network. On Windows, scheduled tasks are launched by the Task Scheduler service host (svchost.exe), so the parent will not literally be named "task scheduler"; confirm the parent process name in your own telemetry before relying on this exclusion.
Filter/Exclusion: process.name == "damewarebackup.exe" && process.parent_process_name == "task scheduler" && (process.command_line contains "backup" || process.command_line contains "restore")
Scenario: Admin Task to Deploy Configuration via DameWare
Description: An admin uses DameWare to push configuration changes to multiple endpoints during a routine system update.
Filter/Exclusion: process.name == "damewareconfig.exe" && process.parent_process_name == "damewareagent.exe" && (process.command_line contains "configure" || process.command_line contains "deploy")
Scenario: DameWare Integration with Endpoint Protection Tools
Description: DameWare is integrated with an endpoint protection platform to allow remote policy enforcement or log collection.
Filter/Exclusion: process.name == "damewarepolicy.exe" && process.parent_process_name == "endpoint_protection_service.exe" && (process.command_line contains "policy" || process.command_line contains "log")
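The following is an added example, not the query from the page or from the linked RemoteManagementMonitoringTools repository. It takes the hunt above and the false-positive scenarios and turns them into one tuned Sentinel query. It goes beyond the original in one respect: it also matches rows where the DameWare binary is the initiating (parent) process, since that is where the scenarios' parent_process_name checks apply and where child processes spawned through an attacker's DameWare session (for example cmd.exe or powershell.exe) appear. The device names, account names and install path in the allow-lists are placeholder assumptions, not values from the page, and must be replaced with the organization's own inventory.

```kql
// Added example: the DameWare hunt with the benign scenarios expressed as scoped exclusions.
// All allow-list values below are placeholders (assumptions), not values from the page.
let Time_start = now(-5d);
let Time_end = now();
// Placeholder: hosts from which IT legitimately runs the DameWare console
let AdminWorkstations = dynamic(['IT-ADMIN-01', 'IT-ADMIN-02']);
// Placeholder: accounts permitted to operate RMM tooling
let RmmOperators = dynamic(['svc_rmm', 'helpdesk_admin']);
// Placeholder: directory the approved DameWare agent is installed to
let ApprovedInstallPath = @'C:\Program Files\SolarWinds\';
DeviceProcessEvents
| where Timestamp between (Time_start .. Time_end)
// Same version-metadata test as the base query, applied to the created process...
| extend ProcIsDameWare = ProcessVersionInfoCompanyName has_any ('DameWare', 'SolarWinds')
    and (ProcessVersionInfoProductName has 'DameWare'
         or ProcessVersionInfoFileDescription has 'DameWare')
// ...and to its parent, which catches anything launched through a DameWare session
| extend ParentIsDameWare = InitiatingProcessVersionInfoCompanyName has_any ('DameWare', 'SolarWinds')
    and (InitiatingProcessVersionInfoProductName has 'DameWare'
         or InitiatingProcessVersionInfoFileDescription has 'DameWare')
| where ProcIsDameWare or ParentIsDameWare
// Scenario "agent service initialization": exclude only the agent that runs from the
// approved install directory and is started by the Service Control Manager, so a
// DameWare service installed elsewhere on disk by an attacker still surfaces
| where not(ProcIsDameWare
            and InitiatingProcessFileName =~ 'services.exe'
            and FolderPath startswith ApprovedInstallPath)
// Scenario "scheduled maintenance": msiexec patch/update jobs launched by DameWare
| where not(ParentIsDameWare
            and FileName =~ 'msiexec.exe'
            and ProcessCommandLine has_any ('patch', 'update'))
// Approved console hosts operated by approved accounts
| where not(DeviceName in~ (AdminWorkstations) and AccountName in~ (RmmOperators))
// One row per device, with enough context to triage without re-querying
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp), Count=count(),
            Executables=make_set(FileName), Paths=make_set(FolderPath),
            Hashes=make_set(SHA256), Parents=make_set(InitiatingProcessFileName),
            Children=make_set_if(FileName, ParentIsDameWare),
            Accounts=make_set(AccountName), Report=make_set(ReportId)
    by DeviceId, DeviceName
| order by LastSeen desc
```

Run it as a hunting query first and review the Children and Paths columns: interactive shells, script hosts or archive utilities spawned by DameWare, and DameWare images outside the approved directory, are the rows worth escalating. The exclusions are deliberately narrow; widen them only after confirming each benign pattern in your own telemetry, because a blanket exclusion on services.exe or on any DameWare parent would hide exactly the persistence and command-and-control behavior this hypothesis targets.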