DameWare Remote Management tools may be used by adversaries to establish covert network connections for command and control or persistence. SOC teams should proactively hunt for unusual network behavior associated with DameWare in Azure Sentinel to detect potential adversary exploitation of RMM tools.
KQL Query
```kusto
let Time_start = now(-5d);
let Time_end = now();
//
DeviceNetworkEvents
| where Timestamp between (Time_start..Time_end)
| where RemoteUrl has_any (
    "swi-rc.com",
    "swi-tc.com",
    "beanywhere.com",
    "licenseserver.solarwinds.com"
    )
    and InitiatingProcessVersionInfoCompanyName has_any ('DameWare', 'SolarWinds')
    and
    (
        InitiatingProcessVersionInfoProductName has 'DameWare'
        or
        InitiatingProcessVersionInfoFileDescription has 'DameWare'
    )
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
    RemoteUrl
```
```yaml
id: 679e3086-4871-481f-92a6-5d3357d7f6bb
name: Remote Management and Monitoring tool - DameWare - Network Connection
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceNetworkEvents
  | where Timestamp between (Time_start..Time_end)
  | where RemoteUrl has_any (
      "swi-rc.com",
      "swi-tc.com",
      "beanywhere.com",
      "licenseserver.solarwinds.com"
      )
      and InitiatingProcessVersionInfoCompanyName has_any ('DameWare', 'SolarWinds')
      and
      (
          InitiatingProcessVersionInfoProductName has 'DameWare'
          or
          InitiatingProcessVersionInfoFileDescription has 'DameWare'
      )
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
      RemoteUrl
```
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
| Scenario | Filter/Exclusion |
|---|---|
| Scheduled maintenance task using DameWare to reboot servers | `dameware.exe -action reboot` or `process.name = "dameware.exe" and event_id = 1000` (reboot event) |
| Admin uses DameWare to remotely install a legitimate software update | `process.name = "dameware.exe" and file.hash = "known_update_hash"` or `process.name = "dameware.exe" and event_id = 1001` (software installation) |
| IT team uses DameWare to monitor network traffic for troubleshooting | `process.name = "dameware.exe" and event_id = 1002` (network monitoring activity) or `process.name = "dameware.exe" and user = "IT_Admin"` |
| Scheduled job to collect system logs via DameWare for compliance | `process.name = "dameware.exe" and event_id = 1003` (log collection) or `process.name = "dameware.exe" and event_id = 1004` (scheduled task execution) |
| Admin uses DameWare to remotely configure firewall rules | `process.name = "dameware.exe" and event_id = 1005` (firewall configuration) or `process.name = "dameware.exe" and user = "Network_Admin"` |