FleetDeck, a commercial Remote Monitoring and Management (RMM) tool, has been used by adversaries to establish covert command-and-control (C2) channels. Because a legitimate RMM agent gives an attacker persistence and remote control that blends in with ordinary IT administration traffic, SOC teams should proactively hunt for it in Microsoft Sentinel (formerly Azure Sentinel) rather than wait for an alert.
KQL Query

```kql
let Time_start = now(-5d);
let Time_end = now();
//
DeviceNetworkEvents
| where Timestamp between (Time_start..Time_end)
| where RemoteUrl has_any ('fleetdeck.io', 'fleetdm.com')
    and InitiatingProcessFileName startswith 'fleetdeck'
    and InitiatingProcessVersionInfoCompanyName has 'fleetdeck'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
    RemoteUrl
```
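The query above requires the destination, the file name and the version-info company name to all match, so a renamed agent binary, or the agent connecting to a host other than the FleetDeck service, is never returned. The broader variant below is an added example, not part of the original page or of the linked repository: it evaluates each signal separately and labels every row with which one fired, so the rows that differ from expected agent traffic sort to the top. It assumes fleetdeck.io is the only FleetDeck service domain (fleetdm.com in the original list is the domain of the separate Fleet/osquery product and is left out here); the Signal labels are this example's own.

```kql
// Added example: broader FleetDeck network hunt that separates the three
// signals the original query ANDs together. Assumes fleetdeck.io is the only
// FleetDeck service domain; adjust FleetDeckDomains for the environment.
let Time_start = now(-5d);
let Time_end = now();
let FleetDeckDomains = dynamic(['fleetdeck.io']);
DeviceNetworkEvents
| where Timestamp between (Time_start .. Time_end)
// Evaluate each indicator on its own instead of requiring all three.
| extend DomainMatch  = RemoteUrl has_any (FleetDeckDomains),
         BinaryMatch  = InitiatingProcessFileName startswith 'fleetdeck',
         // PE version info survives a rename of the executable.
         VersionMatch = InitiatingProcessVersionInfoCompanyName has 'fleetdeck'
                        or InitiatingProcessVersionInfoProductName has 'fleetdeck'
| where DomainMatch or BinaryMatch or VersionMatch
// Label the row with the combination that fired; the first matching branch wins.
| extend Signal = case(
    not(DomainMatch), 'FleetDeck process talking to a non-FleetDeck host',
    not(BinaryMatch) and not(VersionMatch), 'FleetDeck domain reached by a non-FleetDeck process',
    not(BinaryMatch), 'FleetDeck version info under a renamed binary',
    'Expected FleetDeck agent traffic')
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
            Report=make_set(ReportId), Count=count()
    by DeviceId, DeviceName, InitiatingProcessFileName,
       InitiatingProcessFolderPath, RemoteUrl, Signal
| order by Signal asc, Count desc
```

Rows labelled "Expected FleetDeck agent traffic" are what the original query returns; the other three labels are the cases it cannot see. The folder path is kept in the output because an agent running from a user-writable directory rather than its installed location is worth a second look even when the other fields look normal.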
Hunting query YAML

```yaml
id: 1a733b20-58c3-40d0-a815-2ae93da0808e
name: Remote Management and Monitoring tool - FleetDeck - Network Connection
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceNetworkEvents
  | where Timestamp between (Time_start..Time_end)
  | where RemoteUrl has_any ('fleetdeck.io', 'fleetdm.com')
      and InitiatingProcessFileName startswith 'fleetdeck'
      and InitiatingProcessVersionInfoCompanyName has 'fleetdeck'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
      RemoteUrl
```
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR data connector (connectorId MicrosoftThreatProtection); ensure it is enabled, or the query returns nothing. |
False positive scenarios

The original filters below were written against generic ECS-style field names (process.name, destination.ip). DeviceNetworkEvents does not carry those fields, and several of the suggested exclusions would either match nothing or suppress every hit, so each one is restated in the query's own columns.

Scenario: Scheduled system updates via FleetDeck
Description: FleetDeck is used to push scheduled system updates to endpoints; the agent's outbound connections while a job runs match this query.
Filter/Exclusion: The update processes themselves (update.exe, msiexec.exe, wuauclt.exe) never appear in these results, because the query keys on InitiatingProcessFileName starting with 'fleetdeck'; an exclusion on those names belongs in a DeviceProcessEvents hunt, not here. For this query, suppress hits from devices on the sanctioned-deployment list (DeviceName in a watchlist) or inside the approved maintenance window.

Scenario: Admin task to monitor network traffic using FleetDeck
Description: IT administrators use FleetDeck for troubleshooting, which produces outbound connections from the agent to the FleetDeck service.
Filter/Exclusion: Do not exclude on the FleetDeck process name: the query already requires it, so that exclusion would suppress every result. Instead compare InitiatingProcessAccountName with the list of accounts authorised to run FleetDeck and keep only rows where the account is not on it.

Scenario: Remote desktop session initiated through FleetDeck
Description: FleetDeck is used to start remote sessions to manage endpoints, which generates connections between the agent and the FleetDeck service.
Filter/Exclusion: Connections made by mstsc.exe are not FleetDeck-initiated and do not match this query. To suppress expected sessions, join on DeviceId to the set of devices where FleetDeck remote sessions are authorised, or on InitiatingProcessAccountName to the known admin accounts; a session from an unlisted account on an unlisted device is the finding.

Scenario: FleetDeck agent communication with the server during normal operation
Description: The FleetDeck agent periodically checks in with the FleetDeck service to sync state; on any device where the agent is installed this traffic is constant.
Filter/Exclusion: RemoteUrl or RemoteIP in the organisation's known FleetDeck service endpoints, combined with DeviceName in the sanctioned device list. DeviceNetworkEvents has no "connection description" field to search for "agent" or "sync"; use the process and destination columns instead. What remains after the exclusion, a FleetDeck binary connecting to any other host or the agent appearing on an unsanctioned device, is the interesting part.

Scenario: Automated patching job executed via FleetDeck
Description: FleetDeck runs automated patching jobs, during which the agent talks to the FleetDeck service and spawns installer processes that download patches.
Filter/Exclusion: As with scheduled updates, the installer processes (msiexec.exe and vendor updaters) are not returned by this query; tune on the patch window and the sanctioned device list instead, and keep any process-name exclusions in a DeviceProcessEvents hunt built alongside this one.
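The exclusions above expressed in the query's own schema, as an added example (not from the original page or the linked repository). It assumes two analyst-maintained Sentinel watchlists, FleetDeckSanctioned (SearchKey = DeviceName of devices where FleetDeck is approved) and FleetDeckAdmins (SearchKey = account name), and a placeholder maintenance window of Saturday and Sunday 01:00 to 04:59 UTC; all three are assumptions to adjust for the environment.

```kql
// Added example: the false-positive exclusions applied to the FleetDeck hunt.
// Assumes the watchlists 'FleetDeckSanctioned' and 'FleetDeckAdmins' exist and
// that the maintenance window below is the organisation's; both are placeholders.
let Time_start = now(-5d);
let Time_end = now();
let SanctionedDevices = _GetWatchlist('FleetDeckSanctioned') | project DeviceName = tostring(SearchKey);
let AdminAccounts = _GetWatchlist('FleetDeckAdmins') | project Account = tolower(tostring(SearchKey));
let TenantHosts = dynamic(['fleetdeck.io']);   // the organisation's FleetDeck service hosts
DeviceNetworkEvents
| where Timestamp between (Time_start .. Time_end)
// Match on file name OR version info so a renamed agent is still in scope.
| where InitiatingProcessFileName startswith 'fleetdeck'
     or InitiatingProcessVersionInfoCompanyName has 'fleetdeck'
| extend Account = tolower(InitiatingProcessAccountName)
// dayofweek() returns 0d for Sunday and 6d for Saturday; Timestamp is UTC.
| extend InWindow = dayofweek(Timestamp) in (6d, 0d) and hourofday(Timestamp) between (1 .. 4)
| extend ToTenant = RemoteUrl has_any (TenantHosts)
// 1. Sanctioned devices: drop only routine agent-to-tenant traffic, keep everything else
//    (the agent reaching a non-tenant host on a sanctioned device still surfaces).
| where not(DeviceName in (SanctionedDevices) and ToTenant)
// 2. Known admin accounts inside the maintenance window: scheduled updates,
//    patch jobs and remote sessions run by the people expected to run them.
| where not(Account in (AdminAccounts) and InWindow)
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
            Report=make_set(ReportId), Count=count()
    by DeviceId, DeviceName, Account, InitiatingProcessFileName, RemoteUrl, ToTenant
| order by ToTenant asc, Count desc
```

Both exclusions are deliberately conjunctions: a sanctioned device is excused only for traffic to the tenant hosts, and an admin account only inside the window, so an attacker who lands on an approved device or captures an admin account still has to satisfy the second condition to stay hidden. Rows with ToTenant = false sort first because a FleetDeck binary talking to anything other than the tenant is the strongest signal left after tuning.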