The hypothesis is that adversary use of IperiusRemote, a Remote Management and Monitoring (RMM) tool, to establish persistence or command-and-control channels can be identified through file-signature telemetry, since the tool's binaries carry the vendor's code-signing certificate. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats that abuse legitimate RMM tools for covert operations.
KQL Query
let Time_start = now(-5d);
let Time_end = now();
//
DeviceFileCertificateInfo
| where Timestamp between (Time_start..Time_end)
| where Signer has_any ('Enter Srl', 'Enter S.R.L.')
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
id: e5dff9a2-f345-4ebb-b6ca-f39fde3984d2
name: Remote Management and Monitoring tool - IperiusRemote - File Signature
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileCertificateInfo
tactics: CommandAndControl
relevantTechniques: T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceFileCertificateInfo
  | where Timestamp between (Time_start..Time_end)
  | where Signer has_any ('Enter Srl', 'Enter S.R.L.')
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
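To test the hunting logic offline before deploying it, the following Python re-implements the query's time window, the `has_any` signer match and the `summarize` aggregation over a handful of constructed DeviceFileCertificateInfo rows. This is an added example, not code from the rule or its repository; the sample rows, the ISO timestamp format and the regex approximation of KQL's case-insensitive whole-term `has_any` are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample rows shaped like DeviceFileCertificateInfo (not real telemetry).
SAMPLE_ROWS = [
    {"Timestamp": "2024-05-01T09:15:00Z", "DeviceId": "dev-001", "DeviceName": "ws-finance-07",
     "Signer": "Enter Srl", "ReportId": 101},
    {"Timestamp": "2024-05-02T14:02:00Z", "DeviceId": "dev-001", "DeviceName": "ws-finance-07",
     "Signer": "ENTER S.R.L.", "ReportId": 102},
    {"Timestamp": "2024-05-03T11:30:00Z", "DeviceId": "dev-002", "DeviceName": "srv-build-01",
     "Signer": "Microsoft Windows", "ReportId": 103},
    {"Timestamp": "2024-05-03T11:31:00Z", "DeviceId": "dev-003", "DeviceName": "ws-hr-02",
     "Signer": "Enter Srl", "ReportId": 104},
    {"Timestamp": "2024-04-01T08:00:00Z", "DeviceId": "dev-004", "DeviceName": "ws-old-99",
     "Signer": "Enter Srl", "ReportId": 105},  # older than the 5-day lookback
]
SIGNERS = ("Enter Srl", "Enter S.R.L.")  # the signer strings from the rule


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def has_any(value, terms):
    """Approximate KQL has_any: case-insensitive match of each phrase on term boundaries."""
    for term in terms:
        pattern = r"(?<![A-Za-z0-9])" + re.escape(term) + r"(?![A-Za-z0-9])"
        if re.search(pattern, value, re.IGNORECASE):
            return True
    return False


def hunt_iperius_signer(rows, now_ts, lookback_days=5):
    """Mirror the rule: window filter, signer match, summarize by DeviceId/DeviceName."""
    now = _parse(now_ts)
    start = now - timedelta(days=lookback_days)
    groups = {}
    for row in rows:
        ts = _parse(row["Timestamp"])
        if not (start <= ts <= now) or not has_any(row["Signer"], SIGNERS):
            continue
        key = (row["DeviceId"], row["DeviceName"])
        g = groups.setdefault(key, {"FirstSeen": ts, "LastSeen": ts, "Report": set(), "Count": 0})
        g["FirstSeen"] = min(g["FirstSeen"], ts)
        g["LastSeen"] = max(g["LastSeen"], ts)
        g["Report"].add(row["ReportId"])  # make_set: distinct ReportIds
        g["Count"] += 1
    return {k: {**v, "Report": sorted(v["Report"])} for k, v in groups.items()}
```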
Scenario: Legitimate IperiusRemote File Signature Scan
Description: A system administrator is performing a scheduled file integrity check using IperiusRemote to verify the integrity of system files.
Filter/Exclusion: process.name != "iperiusremote.exe" OR file.hash == "known_good_hash"
Scenario: Scheduled Backup Job Using IperiusRemote
Description: A backup job is configured to run daily using IperiusRemote to back up critical system files to a secure network location.
Filter/Exclusion: process.name != "iperiusremote.exe" OR destination.path contains "backup"
Scenario: Admin Task to Monitor System Files
Description: An IT admin is using IperiusRemote to monitor system files for unauthorized changes as part of a security audit.
Filter/Exclusion: process.name != "iperiusremote.exe" OR event.id == 4663 (Audit File System)
Scenario: IperiusRemote Used for Remote Support
Description: A support technician is using IperiusRemote to remotely access a user’s machine to troubleshoot an issue.
Filter/Exclusion: process.name != "iperiusremote.exe" OR user.name contains "support"
Scenario: IperiusRemote Scheduled for Patch Deployment
Description: A patch deployment task is scheduled using IperiusRemote to push updates to multiple endpoints across the network.
Filter/Exclusion: process.name != "iperiusremote.exe" OR event.action == "patch"