This detection looks for files on Defender for Endpoint devices whose code-signing certificate is issued to 'Point B Ltd', the signer of the GetScreen Remote Management and Monitoring tool. Adversaries use RMM tools of this kind for covert screen viewing, persistence and command and control, so SOC teams should hunt for this signer in Microsoft Sentinel (formerly Azure Sentinel) to catch remote surveillance or C2 early. Note that the query keys on the file's certificate signer only: it does not observe screen captures or network traffic, so a hit means signed GetScreen binaries are present on the device, not that screen data was exfiltrated. Treat it as a pivot point and confirm with process and network telemetry.
KQL Query
// Hunting window: the last five days
let Time_start = now(-5d);
let Time_end = now();
//
DeviceFileCertificateInfo
| where Timestamp between (Time_start..Time_end)
// GetScreen binaries are signed by 'Point B Ltd'; 'has' is a case-insensitive whole-term match
| where Signer has 'Point B Ltd'
// One row per device: first and last sighting, the ReportIds to pivot on, and the hit count
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
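The following is an added example, not part of the original hunting query or its repository: a small Python re-implementation of the same filter-and-summarize logic, run offline over constructed DeviceFileCertificateInfo rows so the behaviour of the Signer match and the summarize step can be checked. The row layout, the timestamps, the approved_devices allowlist (the kind of tuning the false-positive scenarios below call for) and the approximation of KQL `has` as a case-insensitive whole-term phrase match are all assumptions made for the example.

```python
"""Offline re-implementation of the 'Point B Ltd' signer hunt (added example, not page code).

Assumptions (not from the page): rows are dicts with the fields used by the KQL,
Timestamp is a timezone-aware datetime, and KQL `has` is approximated as a
case-insensitive match on consecutive whole terms.
"""
import re
from datetime import datetime, timedelta, timezone

TERM = re.compile(r"[A-Za-z0-9]+")


def has_phrase(value: str, phrase: str) -> bool:
    """Approximate KQL `has`: the terms of `phrase` must occur in `value` as
    consecutive whole terms, case-insensitively. 'Point Blank Ltd' therefore
    does NOT match 'Point B Ltd', while 'POINT B LTD' does."""
    v = [t.lower() for t in TERM.findall(value)]
    p = [t.lower() for t in TERM.findall(phrase)]
    return any(v[i:i + len(p)] == p for i in range(len(v) - len(p) + 1))


def hunt(rows, now, window=timedelta(days=5), signer="Point B Ltd",
         approved_devices=frozenset()):
    """Mirror the KQL: time window, Signer has <signer>, summarize by device.

    `approved_devices` is a hypothetical allowlist of DeviceIds (e.g. a help-desk
    jump host where the tool is sanctioned); the page's query has no such filter.
    Returns {(DeviceId, DeviceName): {FirstSeen, LastSeen, Report, Count}}.
    """
    start = now - window
    results = {}
    for r in rows:
        if not (start <= r["Timestamp"] <= now):        # Timestamp between (start..end)
            continue
        if not has_phrase(r["Signer"], signer):        # Signer has 'Point B Ltd'
            continue
        if r["DeviceId"] in approved_devices:          # hypothetical tuning step
            continue
        key = (r["DeviceId"], r["DeviceName"])
        agg = results.setdefault(key, {"FirstSeen": r["Timestamp"],
                                       "LastSeen": r["Timestamp"],
                                       "Report": set(), "Count": 0})
        agg["FirstSeen"] = min(agg["FirstSeen"], r["Timestamp"])   # min(Timestamp)
        agg["LastSeen"] = max(agg["LastSeen"], r["Timestamp"])     # max(Timestamp)
        agg["Report"].add(r["ReportId"])                            # make_set(ReportId)
        agg["Count"] += 1                                           # count()
    return results


def row(device_id, device_name, ts, signer, report_id):
    return {"DeviceId": device_id, "DeviceName": device_name, "Timestamp": ts,
            "Signer": signer, "ReportId": report_id}


# Constructed sample data (not real telemetry). "Now" is fixed so the 5-day window is deterministic.
NOW = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_ROWS = [
    row("ws01", "WS01", datetime(2024, 6, 8, 9, 0, tzinfo=timezone.utc), "Point B Ltd", 1001),
    row("ws01", "WS01", datetime(2024, 6, 9, 17, 30, tzinfo=timezone.utc), "POINT B LTD", 1002),  # case-insensitive hit
    row("ws02", "WS02", datetime(2024, 6, 9, 8, 0, tzinfo=timezone.utc), "Point Blank Ltd", 1003),  # different term: no hit
    row("ws03", "WS03", datetime(2024, 5, 20, 8, 0, tzinfo=timezone.utc), "Point B Ltd", 1004),  # outside the 5-day window
    row("helpdesk", "HELPDESK01", datetime(2024, 6, 9, 10, 0, tzinfo=timezone.utc), "Point B Ltd", 1005),  # sanctioned host
    row("ws04", "WS04", datetime(2024, 6, 10, 11, 0, tzinfo=timezone.utc), "Point B Ltd", 1006),
    row("ws04", "WS04", datetime(2024, 6, 10, 11, 5, tzinfo=timezone.utc), "Point B Ltd", 1006),  # same ReportId: deduped by make_set
]


if __name__ == "__main__":
    for (device_id, device_name), agg in hunt(SAMPLE_ROWS, NOW, approved_devices={"helpdesk"}).items():
        print(device_id, device_name, agg["FirstSeen"].isoformat(), agg["LastSeen"].isoformat(),
              sorted(agg["Report"]), agg["Count"])
```

Running the block lists WS01 and WS04 only: WS02 is dropped because `has` matches whole terms rather than substrings, WS03 falls outside the window, and HELPDESK01 is removed by the allowlist. The allowlist is the kind of tuning that can actually be expressed against this table; the process- and job-name exclusions suggested in the scenarios below need a join to DeviceProcessEvents, because DeviceFileCertificateInfo carries no process context.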
id: a4c0ac7e-02d5-4caa-94b7-2184c48ba2c6
name: Remote Management and Monitoring tool - GetScreen - File Signature
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileCertificateInfo
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceFileCertificateInfo
  | where Timestamp between (Time_start..Time_end)
  | where Signer has 'Point B Ltd'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
The scenarios below describe benign remote-support and screen-capture activity that can resemble this behaviour. Because the query matches only on the file's Signer, the suggested exclusions cannot be applied to it directly: tune by Signer, file hash, or a device and user allowlist, or join to DeviceProcessEvents if you need process or scheduled-task context.
Scenario: Legitimate Scheduled Job for System Monitoring
Description: A system administrator schedules a recurring task that uses SolarWinds Server & Application Monitor to collect screen captures for performance analysis.
Filter/Exclusion: Exclude tasks that belong to known monitoring tools (e.g., SolarWinds*) and whose scheduled job name contains keywords such as "monitoring" or "reporting".
Scenario: Admin Task to Capture Screens for Troubleshooting
Description: An IT admin uses Microsoft Intune to remotely capture a screen of a user’s endpoint to assist with troubleshooting a software issue.
Filter/Exclusion: Exclude processes initiated by admin accounts with elevated privileges and associated with known remote management tools (e.g., Intune*, Microsoft Endpoint Manager*).
Scenario: File Signature Verification via RMM Tool
Description: A security team uses Kaseya VSA to verify a file's signature and integrity as part of a routine security audit.
Filter/Exclusion: Exclude events where the file path matches known security tools or where the action is part of a file integrity monitoring process.
Scenario: Remote Support Session with Screen Capture
Description: A support technician uses LogMeIn to remotely assist a user and captures the screen as part of the support session.
Filter/Exclusion: Exclude events where the process is initiated by a known support tool (e.g., LogMeIn*) and the user is a known internal employee or support team member.
Scenario: Automated Compliance Check with Screen Capture
Description: A compliance team uses ManageEngine ServiceDesk to perform an automated compliance check and captures screen images to verify system configurations.
Filter/Exclusion: Exclude events where the process is initiated by a compliance tool and the action is