The hypothesis is that an adversary is using ISL Online, a legitimate remote management and monitoring (RMM) tool, to establish persistence or a command-and-control channel within the network. SOC teams should proactively hunt for ISL Online-signed files in Azure Sentinel to detect and mitigate a long-term adversary presence and the exfiltration capability it brings. A signed ISL Online binary on disk shows presence, not execution; confirm execution (for example via process events) before escalating.
KQL Query
let Time_start = now(-5d);   // hunting window: last 5 days
let Time_end = now();
//
DeviceFileCertificateInfo
| where Timestamp between (Time_start..Time_end)
// Signer strings observed on ISL Online binaries (XLAB d.o.o. is the vendor behind ISL Online)
| where Signer has_any (
    'ISL Online',
    'XLAB D.O.O.'
)
// one row per device, with the report IDs and hit count for pivoting
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
id: fa6c25f8-cf14-499a-bdf3-28d78c8ef44f
name: Remote Management and Monitoring tool - ISLOnline - File Signature
description: |
  Remote Monitoring and Management (RMM) programs are used by IT staff to manage remote endpoints. Attackers have begun to abuse these programs to persist or to provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileCertificateInfo
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceFileCertificateInfo
  | where Timestamp between (Time_start..Time_end)
  | where Signer has_any (
      'ISL Online',
      'XLAB D.O.O.'
  )
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
The false-positive scenarios below use generic field names (process.*, file.*) as placeholders. DeviceFileCertificateInfo carries no process, account or file-name columns, so these exclusions cannot be applied to the hunting query as written; they must be applied to process or file events joined to the certificate hits. The values shown (script names, hashes, account names) are placeholders to be replaced with the organisation's own allowlist. Each filter is written as the benign condition to exclude.
Scenario: Scheduled System Maintenance via ISLOnline
Description: An admin schedules a routine maintenance task through ISLOnline that downloads and executes a patching script.
Filter/Exclusion: exclude where process.parent_process_name == "ISLOnline" and file.name == "patch_script.ps1"
Scenario: Admin Task to Monitor System Logs
Description: A system administrator uses ISLOnline to monitor system logs and generates a log file for analysis.
Filter/Exclusion: exclude where process.name == "ISLOnline.exe" and file.hash == "known_admin_tool_hash"
Scenario: Remote Desktop Session with ISLOnline Integration
Description: A user connects via Remote Desktop and ISLOnline is used to monitor the session, producing file signature hits for the ISLOnline binaries.
Filter/Exclusion: exclude where process.parent_process_name == "mstsc.exe" and process.user == "admin_user"
Scenario: Automated Patch Deployment via ISLOnline
Description: ISLOnline is configured to deploy patches automatically during off-peak hours, producing file signature hits.
Filter/Exclusion: exclude where process.command_line contains "patch deploy" or file.name contains "patch"
Scenario: ISLOnline Used for Inventory Scanning
Description: ISLOnline is used to scan endpoints for inventory purposes, which includes scanning and reporting on installed software.
Filter/Exclusion: exclude where process.command_line contains "inventory scan" or file.name contains "inventory"
Name- and command-line-based exclusions such as the last two are trivially evaded by renaming a payload or padding its command line; scope them further by device, account or file hash wherever the environment allows, and prefer excluding a specific hash or maintenance host over a substring of the file name.