The hypothesis is that an adversary is using the DameWare remote management tool to establish persistence or a command-and-control channel on endpoints. DameWare binaries are code-signed by the vendor, so the signer name recorded in DeviceFileCertificateInfo identifies the tool even when the file has been renamed or dropped in an unusual path; the signature is the hunting key, not the channel the adversary uses. SOC teams should proactively hunt for DameWare-signed files in Microsoft Sentinel (formerly Azure Sentinel) to identify abuse of legitimate RMM tools by threat actors, then reconcile every hit against the hosts where the tool is actually approved.
KQL Query
The hunt runs over the last five days of DeviceFileCertificateInfo, keeps rows whose Signer contains 'DameWare Development', and rolls the hits up per device (first and last seen, the ReportIds, and a count). The table carries certificate data only, so file name and path are not in the result; pivot to DeviceFileEvents on DeviceId and SHA1 to see where the binary lives and which process or account put it there. The query itself is in the rule definition that follows.
id: 7cc1d855-f9a4-4011-a91d-490f5b042939
name: Remote Management and Monitoring tool - DameWare - File Signature
description: |
  Remote Monitoring and Management (RMM) programs are IT tools used to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. This hunt keys on the code-signing Signer field in DeviceFileCertificateInfo, so it finds DameWare binaries on a device regardless of file name or path.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileCertificateInfo
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  // Certificate-info events whose signer name contains the DameWare publisher string
  DeviceFileCertificateInfo
  | where Timestamp between (Time_start..Time_end)
  | where Signer has 'DameWare Development'
  // One row per device: when the signer was first and last seen, which events, how many
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
Scenario: DameWare console on IT administrator workstations and jump hosts
Description: Administrators who run the DameWare console always have vendor-signed binaries on their machines, so these hosts appear in every run of the hunt.
Filter/Exclusion: maintain an allow-list of approved hostnames and drop them with a DeviceName !in~ (ApprovedAdminHosts) clause; ApprovedAdminHosts is a list you define, there is no built-in field for it. Hits on any other device stay in scope.
Scenario: DameWare Remote Control session for troubleshooting
Description: Connecting with DameWare Mini Remote Control pushes the DameWare client service (DWRCS) to the target workstation, so the signer appears on an end-user machine at the time of the session. DeviceFileCertificateInfo records no user, so the session account has to come from a join to DeviceFileEvents.
Filter/Exclusion: join to DeviceFileEvents on DeviceId and SHA1 and exclude rows whose InitiatingProcessAccountName is a sanctioned help-desk or admin account. A DameWare service on a workstation with no matching session from an admin account is the interesting case.
Scenario: DameWare agent update via scheduled job
Description: A scheduled deployment pushes a new DameWare version to many endpoints, so new SHA1 values under the same signer show up across the fleet within one window.
Filter/Exclusion: after verifying the build, add its SHA1 to an approved-hash list and exclude with SHA1 !in (ApprovedDameWareHashes). An unknown hash under the DameWare signer, or a hash that appears on a single host outside the deployment window, stays in scope.
Scenario: Deployment through patch or software management tooling
Description: Software distribution tools stage and install DameWare binaries under a service account, producing first-seen events that coincide with the deployment.
Filter/Exclusion: exclude file events whose InitiatingProcessAccountName or InitiatingProcessFileName is the deployment service, and compare FirstSeen with the change window. DameWare-signed files written by an interactive user process or by an unexpected parent process remain in scope.
Scenario: Third-party tooling that inspects DameWare files (file integrity monitoring, vulnerability scanning)
Description: FIM tools and scanners read or re-hash DameWare binaries that are already on a host. That does not change the signer, and scanner activity alone does not explain why the binary is there.
Filter/Exclusion: do not exclude on the scanner; treat its touch as noise in DeviceFileEvents and rely on the host and hash allow-lists above.
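Pulling those exclusions together, the following is an added example, not part of the original hunt or the linked repository. It keeps the same signer match, joins each hit to DeviceFileEvents for path, file name and the initiating account, then removes the sanctioned cases above. ApprovedAdminHosts, ApprovedDameWareHashes and ApprovedDeployAccounts are hypothetical allow-lists with constructed placeholder values; replace them with your own.

```kql
// Added example, not the original hunt. Allow-list values are constructed placeholders.
let Time_start = now(-5d);
let Time_end = now();
let ApprovedAdminHosts = dynamic(["itadmin-ws01", "jump-host01"]);                  // hypothetical
let ApprovedDameWareHashes = dynamic(["0000000000000000000000000000000000000000"]);  // hypothetical SHA1
let ApprovedDeployAccounts = dynamic(["svc-sccm"]);                                 // hypothetical
// Same detection as the hunt: any file whose embedded certificate names the DameWare publisher.
let DameWareSigned =
    DeviceFileCertificateInfo
    | where Timestamp between (Time_start .. Time_end)
    | where Signer has 'DameWare Development'
    | project CertTime = Timestamp, DeviceId, DeviceName, SHA1, IsTrusted, CertReportId = ReportId;
// Latest file event per device and hash: where the file sits and which process/account created it.
let FileContext =
    DeviceFileEvents
    | where Timestamp between (Time_start .. Time_end)
    | where isnotempty(SHA1)
    | summarize arg_max(Timestamp, FolderPath, FileName, InitiatingProcessAccountName,
                        InitiatingProcessFileName, InitiatingProcessCommandLine) by DeviceId, SHA1;
DameWareSigned
| join kind=leftouter FileContext on DeviceId, SHA1
// Exclusions for the sanctioned scenarios: admin consoles, vetted builds, deployment service accounts.
| where DeviceName !in~ (ApprovedAdminHosts)
| where SHA1 !in (ApprovedDameWareHashes)
| where isempty(InitiatingProcessAccountName) or InitiatingProcessAccountName !in~ (ApprovedDeployAccounts)
| summarize FirstSeen = min(CertTime), LastSeen = max(CertTime),
            UntrustedSignature = countif(IsTrusted == false),
            Hashes = make_set(SHA1), Paths = make_set(FolderPath), Files = make_set(FileName),
            Accounts = make_set(InitiatingProcessAccountName), Parents = make_set(InitiatingProcessFileName),
            Report = make_set(CertReportId), Count = count()
            by DeviceId, DeviceName
| order by FirstSeen desc
```

Triage the newest FirstSeen first. A non-zero UntrustedSignature means the certificate chain did not validate on that host even though the signer name matched, which is worth a look before anything else; an empty Accounts set means no file event was captured in the window, so the binary predates the hunt window and the allow-lists are the only context you have.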