FleetDeck is being used by adversaries to establish remote management and monitoring capabilities, potentially enabling persistent access and command and control. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential long-term adversary presence and exfiltration activities.
KQL Query
let Time_start = now(-5d);
let Time_end = now();
//
DeviceFileCertificateInfo
| where Timestamp between (Time_start..Time_end)
| where Signer has 'FleetDeck'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
id: 9552bd8b-636c-4541-85d8-733eb564cac2
name: Remote Management and Monitoring tool - FleetDeck - File Signature
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileCertificateInfo
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceFileCertificateInfo
  | where Timestamp between (Time_start..Time_end)
  | where Signer has 'FleetDeck'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
Scenario: Scheduled System Maintenance via FleetDeck
Description: An admin schedules a system maintenance task using FleetDeck to update software or apply patches across endpoints.
Filter/Exclusion: process.parent_process.name != "FleetDeck.exe" or file.hash == "known-good-signature-for-maintenance-tool"
Scenario: User-Initiated Remote Support Session
Description: A support technician uses FleetDeck to remotely assist an end user, which may involve file transfers or remote execution.
Filter/Exclusion: process.user.name == "support_user" or process.command_line contains "support-mode"
Scenario: Automated Log Collection via FleetDeck Agent
Description: The FleetDeck agent is configured to collect system logs from multiple endpoints as part of routine monitoring.
Filter/Exclusion: file.path contains "logs" or process.name == "log_collector.exe"
Scenario: Deployment of Configuration Management Scripts
Description: An admin deploys configuration management scripts (e.g., using PowerShell or Bash) via FleetDeck to standardize settings across endpoints.
Filter/Exclusion: process.name == "powershell.exe" and process.command_line contains "Configure-System.ps1"
Scenario: Backup Job Execution via FleetDeck
Description: A backup job is initiated through FleetDeck to copy data from endpoints to a central backup server.
Filter/Exclusion: file.path contains "backup" or process.name == "backup_service.exe"
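The exclusions above are written with generic process and file field names that the DeviceFileCertificateInfo table does not carry, so in practice the tuning has to be expressed on that table's own columns (DeviceId, DeviceName, SHA1, Signer). The following is an added KQL example, not part of the original rule, that keeps the signer match but suppresses devices listed in an assumed Sentinel watchlist named AuthorizedRMMDevices (with a DeviceName column) and devices on which FleetDeck-signed files were already observed during an assumed 30-day baseline before the hunting window.

```kql
// Added tuning example (not the original rule): alert only on devices that newly
// show FleetDeck-signed files and are not on the authorized-RMM watchlist.
let Time_start = now(-5d);
let Time_end = now();
let Baseline_start = now(-30d);   // assumed baseline period before the hunting window
// Assumed watchlist 'AuthorizedRMMDevices' with a 'DeviceName' column of approved hosts.
let AuthorizedDevices = _GetWatchlist('AuthorizedRMMDevices')
    | project DeviceName;
// Devices that already carried FleetDeck-signed files before the window (known installs).
let KnownDevices = DeviceFileCertificateInfo
    | where Timestamp between (Baseline_start .. Time_start)
    | where Signer has 'FleetDeck'
    | distinct DeviceId;
DeviceFileCertificateInfo
| where Timestamp between (Time_start .. Time_end)
| where Signer has 'FleetDeck'
| where DeviceName !in (AuthorizedDevices)   // scenario exclusions, keyed on the table's own column
| where DeviceId !in (KnownDevices)          // first-seen in window only
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Files=make_set(SHA1), Report=make_set(ReportId), Count=count()
    by DeviceId, DeviceName
| order by FirstSeen asc
```

Devices in the watchlist still appear in the raw table, so the baseline and the watchlist should be reviewed together when a new host is approved for FleetDeck.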