The hypothesis is that the detected network connection may indicate an adversary leveraging DattoRMM for remote command and control or persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromise of managed endpoints and mitigate lateral movement risks.
KQL Query

```kusto
let Time_start = now(-5d);
let Time_end = now();
//
DeviceNetworkEvents
| where Timestamp between (Time_start..Time_end)
| where RemoteUrl has_any (
    'rmm.datto.com',
    'agent.centrastage.net',
    'audit.centrastage.net',
    'monitoring.centrastage.net',
    'agent-notifications.centrastage.net',
    'agent-comms.centrastage.net',
    'update.centrastage.net',
    'realtime.centrastage.net',
    'ts.centrastage.net'
    )
    and (
    InitiatingProcessVersionInfoCompanyName has_any ('CentraStage', 'Datto', 'Kaseya')
    or isempty(InitiatingProcessVersionInfoCompanyName)
    )
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
    RemoteUrl
```
```yaml
id: 41a9931d-8cb4-44dc-9c8d-f915dd15dfd8
name: Remote Management and Monitoring tool - DattoRMM - Network Connection
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics: CommandAndControl
relevantTechniques: T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceNetworkEvents
  | where Timestamp between (Time_start..Time_end)
  | where RemoteUrl has_any (
      'rmm.datto.com',
      'agent.centrastage.net',
      'audit.centrastage.net',
      'monitoring.centrastage.net',
      'agent-notifications.centrastage.net',
      'agent-comms.centrastage.net',
      'update.centrastage.net',
      'realtime.centrastage.net',
      'ts.centrastage.net'
      )
      and (
      InitiatingProcessVersionInfoCompanyName has_any ('CentraStage', 'Datto', 'Kaseya')
      or isempty(InitiatingProcessVersionInfoCompanyName)
      )
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
      RemoteUrl
```
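To make the hunt's logic concrete, here is an added Python re-implementation (not part of the original rule, the page, or the linked repository) of the filter and summarize stages shared by the KQL query above and the rule's `query` field, run over constructed DeviceNetworkEvents rows. The host list, vendor strings and 5-day lookback come from the page; the KQL `has_any` behaviour is approximated by case-insensitive substring matching, and the `row` helper and sample values are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Hostnames and vendor strings copied from the page's KQL query.
RMM_DOMAINS = ("rmm.datto.com", "agent.centrastage.net", "audit.centrastage.net",
               "monitoring.centrastage.net", "agent-notifications.centrastage.net",
               "agent-comms.centrastage.net", "update.centrastage.net",
               "realtime.centrastage.net", "ts.centrastage.net")
RMM_VENDORS = ("centrastage", "datto", "kaseya")

def is_rmm_url(remote_url):
    # Approximates KQL has_any: case-insensitive match of a listed host in RemoteUrl.
    return any(d in (remote_url or "").lower() for d in RMM_DOMAINS)

def vendor_matches(company):
    # Mirrors "CompanyName has_any (...) or isempty(CompanyName)": the isempty
    # branch keeps binaries with stripped or missing version info in scope.
    return not company or any(v in company.lower() for v in RMM_VENDORS)

def hunt(events, now, lookback_days=5):
    # Returns {(DeviceId, DeviceName, RemoteUrl): summary}, like the KQL summarize.
    start = now - timedelta(days=lookback_days)
    results = {}
    for e in events:
        ts = e["Timestamp"]
        if not (start <= ts <= now) or not is_rmm_url(e["RemoteUrl"]):
            continue
        if not vendor_matches(e.get("InitiatingProcessVersionInfoCompanyName")):
            continue
        key = (e["DeviceId"], e["DeviceName"], e["RemoteUrl"])
        s = results.setdefault(key, {"FirstSeen": ts, "LastSeen": ts, "Report": set(), "Count": 0})
        s["FirstSeen"], s["LastSeen"] = min(s["FirstSeen"], ts), max(s["LastSeen"], ts)
        s["Report"].add(e["ReportId"])
        s["Count"] += 1
    return results

NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)  # constructed reference time
def row(hours_ago, dev, name, url, report, company):  # assumed helper: builds one constructed event
    return {"Timestamp": NOW - timedelta(hours=hours_ago), "DeviceId": dev, "DeviceName": name,
            "RemoteUrl": url, "ReportId": report, "InitiatingProcessVersionInfoCompanyName": company}

# Constructed DeviceNetworkEvents rows, not real telemetry.
SAMPLE_EVENTS = [
    row(2, "dev-1", "ws01", "agent.centrastage.net", 101, "Datto, Inc."),      # hit
    row(24, "dev-1", "ws01", "agent.centrastage.net", 102, "Datto, Inc."),     # hit, same key
    row(3, "dev-2", "ws02", "rmm.datto.com", 201, ""),                         # hit: empty company
    row(1, "dev-3", "ws03", "rmm.datto.com", 301, "Contoso Ltd"),              # dropped: other vendor
    row(24 * 7, "dev-1", "ws01", "agent.centrastage.net", 103, "Datto, Inc."), # dropped: outside 5d
    row(1, "dev-4", "ws04", "update.microsoft.com", 401, "Microsoft"),         # dropped: not RMM host
]
FINDINGS = hunt(SAMPLE_EVENTS, NOW)  # summarized findings keyed by (DeviceId, DeviceName, RemoteUrl)
```

The empty-company branch is what makes the hunt catch renamed or stripped agent binaries, so expect it to be the noisiest part when tuning; the page's Filter/Exclusion scenarios below would be applied on InitiatingProcessFileName and RemoteUrl/RemoteIP in the DeviceNetworkEvents schema.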
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Updates via Datto RMM
Description: Datto RMM is used to schedule and deploy system updates across endpoints, which can result in outbound network connections to Microsoft Update servers.
Filter/Exclusion: process.name != "wusa.exe" OR destination != "update.microsoft.com"
Scenario: Remote PowerShell Script Execution
Description: IT administrators use Datto RMM to execute PowerShell scripts on remote endpoints for configuration management, which may involve outbound network connections to internal or external endpoints.
Filter/Exclusion: process.name != "powershell.exe" OR destination NOT IN ("internal.corp.domain", "10.0.0.0/8")
Scenario: Endpoint Backup Job via Datto RMM
Description: Datto RMM is configured to run backup jobs that transfer data to a central backup server, which may involve outbound network traffic to the backup server.
Filter/Exclusion: process.name != "backup.exe" OR destination != "backupserver.corp.domain"
Scenario: Remote Monitoring Agent Communication
Description: The Datto RMM agent communicates with the RMM server to report system status, which can result in periodic outbound network connections.
Filter/Exclusion: process.name != "rmmagent.exe" OR destination != "rmmserver.corp.domain"
Scenario: Remote Desktop Protocol (RDP) Session Monitoring
Description: Datto RMM may monitor RDP sessions for troubleshooting or auditing purposes, which can involve outbound connections to RDP servers.
Filter/Exclusion: process.name != "mstsc.exe" OR destination NOT IN ("rdpserver.corp.domain", "192.168.1.0/24")