This detection identifies potential adversary use of DattoRMM to establish persistence or command-and-control channels by looking for files whose code-signing certificate names Datto as the signer. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced threats that abuse legitimate remote management tools.
KQL Query
let Time_start = now(-5d);
let Time_end = now();
//
DeviceFileCertificateInfo
| where Timestamp between (Time_start..Time_end)
| where Signer has 'Datto Inc'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
id: 9e6779c4-b2c2-42c7-837d-72cf637510af
name: Remote Management and Monitoring tool - DattoRMM - File Signature
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileCertificateInfo
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceFileCertificateInfo
  | where Timestamp between (Time_start..Time_end)
  | where Signer has 'Datto Inc'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
Scenario: Scheduled System Maintenance Task via DattoRMM
Description: A legitimate scheduled task is created via DattoRMM to perform routine system maintenance, such as disk cleanup or log rotation.
Filter/Exclusion: Check for CommandLine containing known maintenance scripts or paths like C:\Windows\System32\cleanmgr.exe or C:\Windows\System32\LogFiles\.
Scenario: Admin User Performing Remote System Monitoring
Description: An admin user is using DattoRMM to monitor system performance, such as checking CPU usage or disk space across endpoints.
Filter/Exclusion: Filter by User field to exclude non-admin users or include only known admin accounts (e.g., Domain\Administrator).
Scenario: DattoRMM Agent Update via Scheduled Job
Description: The DattoRMM agent is being updated via a scheduled job, which may involve downloading and executing an update package.
Filter/Exclusion: Check for file paths containing DattoRMM together with the word "update" in the filename, or filter by ProcessName (e.g., DattoRMM.exe).
Scenario: Remote PowerShell Script Execution for Configuration
Description: An admin is using DattoRMM to execute a PowerShell script to configure remote endpoints, such as setting up firewall rules or user permissions.
Filter/Exclusion: Filter by CommandLine containing powershell.exe and include known admin scripts or paths like C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe.
Scenario: DattoRMM Integration with Endpoint Protection Tools
Description: DattoRMM is integrated with an endpoint protection tool (e.g., CrowdStrike, Microsoft Defender) to push configuration or signature updates.
Filter/Exclusion: Check for `
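The scenarios above filter on CommandLine, User and ProcessName, but DeviceFileCertificateInfo carries none of those columns; it records only the certificate details and the file hash. The following KQL is an added example, not code from the original page or from the linked repository, showing one way to apply those exclusions: it keeps the page's signer match and joins to DeviceProcessEvents on DeviceId and SHA1 to pull in ProcessCommandLine and AccountName. It assumes DeviceProcessEvents is ingested through the same MicrosoftThreatProtection connector, and the BenignPaths and AdminAccounts lists are placeholders to be replaced with values from your own environment.

```kql
// Added example: the page's DattoRMM file-signature query extended with the tuning
// described in the scenarios. Assumes DeviceProcessEvents is available via the same
// connector. The allow-list values below are placeholders, not a recommended set.
let Time_start = now(-5d);
let Time_end = now();
// Maintenance executables / script locations that admins are expected to run through
// the RMM agent (placeholder values taken from the scenarios above).
let BenignPaths = pack_array(
    @"C:\Windows\System32\cleanmgr.exe",
    @"C:\Windows\System32\LogFiles\",
    @"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe");
// Accounts permitted to drive RMM sessions (placeholder).
let AdminAccounts = pack_array("Administrator");
DeviceFileCertificateInfo
| where Timestamp between (Time_start..Time_end)
| where Signer has 'Datto Inc'
| project Timestamp, DeviceId, DeviceName, SHA1, Signer, ReportId
// Enrich each Datto-signed file with the process executions of that same binary
// on that device, so the scenario exclusions have a command line and account to test.
| join kind=leftouter (
    DeviceProcessEvents
    | where Timestamp between (Time_start..Time_end)
    | project DeviceId, SHA1, FileName, ProcessCommandLine, AccountName
) on DeviceId, SHA1
// Scenario 1 / 4: known maintenance or admin script paths in the command line.
| extend IsKnownMaintenance = ProcessCommandLine has_any (BenignPaths)
// Scenario 2: execution under a known admin account.
| extend IsAdminAccount = AccountName in~ (AdminAccounts)
// Scenario 3: agent self-update activity.
| extend IsAgentUpdate = FileName has "DattoRMM" and FileName has "update"
// Drop only the combinations the scenarios describe as benign; a Datto-signed file
// with no matching process event (null command line) is kept for review.
| where not((IsKnownMaintenance and IsAdminAccount) or IsAgentUpdate)
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count(),
    CommandLines=make_set(ProcessCommandLine, 10),
    Accounts=make_set(AccountName, 10) by DeviceId, DeviceName
```

The join is scoped to the same five-day window as the page's query; on a large tenant, narrow the DeviceProcessEvents side (for example by FileName) before joining to keep the hunt cheap. Keeping the leftouter join means devices that merely have a Datto-signed file on disk, without any recorded execution, still surface in the results rather than being silently excluded.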