This detection surfaces files on managed endpoints that carry a Kaseya code signature, as a way to spot adversaries abusing Kaseya RMM tooling to establish persistence or command-and-control channels. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect early-stage compromise of IT infrastructure managed by RMM platforms.
KQL Query
let Time_start = now(-5d);
let Time_end = now();
//
DeviceFileCertificateInfo
| where Timestamp between (Time_start..Time_end)
| where Signer has 'Kaseya'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
id: 732033dd-039b-426e-844f-1de2a67362fa
name: Remote Management and Monitoring tool - Kaseya - File Signature
description: |
  Remote Monitoring and Management (RMM) programs are used by IT teams to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileCertificateInfo
tactics: CommandAndControl
relevantTechniques: T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceFileCertificateInfo
  | where Timestamp between (Time_start..Time_end)
  | where Signer has 'Kaseya'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
Scenario: A system administrator is using Kaseya VSA to deploy a legitimate endpoint protection update via a scheduled job.
Filter/Exclusion: Exclude files signed by Microsoft or known enterprise security vendors (e.g., Symantec, McAfee) using the file.signer field.
Scenario: An IT team is using Kaseya to remotely configure firewall rules on multiple endpoints as part of a routine security hardening task.
Filter/Exclusion: Exclude events where the process is initiated from a known IT management workstation or IP address range used for internal administration.
Scenario: A scheduled task in Kaseya is used to collect system logs from remote endpoints for compliance reporting purposes.
Filter/Exclusion: Exclude tasks that are associated with known log collection tools (e.g., Splunk, ELK stack) or have a specific task name pattern like “Log Collection” or “Compliance Check”.
Scenario: An admin is using Kaseya to push a custom script to endpoints for patch management, which includes a legitimate file with a suspicious signature.
Filter/Exclusion: Exclude files that are part of a known patching or configuration management process, using the file.name or file.path fields to match known script locations.
Scenario: A user is using Kaseya to remotely monitor system performance and resource usage across the network.
Filter/Exclusion: Exclude processes that are initiated from a known monitoring workstation or are associated with performance monitoring tools (e.g., PerfMon, PRTG).
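The scenarios above describe exclusions in terms of file.signer, file.name and file.path, but the DeviceFileCertificateInfo table only exposes the signer (as the Signer column) and the file hash; the on-disk path has to be recovered by joining DeviceFileEvents on SHA1. The query below is an added example, not part of the original rule or the linked repository, showing the base hunt with the known-admin-workstation and known-patch-folder exclusions applied that way. The device names and folder names in the two dynamic arrays are constructed placeholders to be replaced with values from your own environment.

```kql
// Added example (not the original rule): Kaseya signer hunt with tuning applied.
let Time_start = now(-5d);
let Time_end = now();
// Workstations the IT team uses for routine administration (constructed placeholders).
let KnownAdminDevices = dynamic(["it-admin-ws01", "it-admin-ws02"]);
// Folder names where patch-management scripts are staged (constructed placeholders).
let KnownPatchFolders = dynamic(["PatchMgmt", "Patching"]);
// 1. Files seen with a Kaseya signature. IsTrusted is carried along rather than
//    filtered on, so a Kaseya-signed file whose signature does not chain to a
//    trusted root stands out during triage instead of being tuned away.
let KaseyaSigned = DeviceFileCertificateInfo
    | where Timestamp between (Time_start .. Time_end)
    | where Signer has 'Kaseya'
    | project Timestamp, DeviceId, DeviceName, SHA1, Signer, IsTrusted, ReportId;
// 2. Recover the path from DeviceFileEvents by hash. leftouter keeps signature
//    rows for files that were written before the window and so have no file event.
KaseyaSigned
| join kind=leftouter (
    DeviceFileEvents
    | where Timestamp between (Time_start .. Time_end)
    | where isnotempty(SHA1)
    | project DeviceId, SHA1, FileName, FolderPath, InitiatingProcessFileName
  ) on DeviceId, SHA1
// 3. Exclusions from the scenarios: known admin workstations, known patch folders.
//    Rows with no recovered path are kept, since they cannot be shown to be benign.
| where DeviceName !in~ (KnownAdminDevices)
| where not(FolderPath has_any (KnownPatchFolders))
// 4. Same roll-up as the base rule, with paths and the untrusted-signature count
//    added so an analyst can prioritise without re-running the query.
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
            Paths=make_set(FolderPath, 20),
            UntrustedSignatures=countif(IsTrusted == false),
            Report=make_set(ReportId), Count=count()
    by DeviceId, DeviceName
| order by UntrustedSignatures desc, FirstSeen asc
```

Joining DeviceFileEvents over a five-day window can be expensive in large tenants; narrowing the right side to the DeviceIds already present in KaseyaSigned (for example with a `where DeviceId in (...)` built from a `toscalar(make_set(...))`) keeps the join bounded. Results with UntrustedSignatures greater than zero deserve review first, since a legitimate Kaseya deployment should not produce files whose signature fails to chain to a trusted root.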