The hypothesis is that an adversary is using a Remote Management and Monitoring tool like Kaseya to establish a covert network connection for command and control or persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect potential compromise of IT infrastructure through abused RMM tools.
KQL Query

```kql
let Time_start = now(-5d);
let Time_end = now();
//
DeviceNetworkEvents
| where Timestamp between (Time_start..Time_end)
| where RemoteUrl has_any (
    'kaseya.com',
    'stun.kaseya.com',
    'managedsupport.kaseya.net',
    'kaseya.net'
    )
    and InitiatingProcessVersionInfoCompanyName has 'Kaseya'
    and InitiatingProcessVersionInfoProductName has 'Kaseya'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
    RemoteUrl
```
Sentinel hunting query definition (YAML):

```yaml
id: c75a64e3-2849-4342-a115-7cc6f009b520
name: Remote Management and Monitoring tool - Kaseya - Network Connection
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceNetworkEvents
  | where Timestamp between (Time_start..Time_end)
  | where RemoteUrl has_any (
      'kaseya.com',
      'stun.kaseya.com',
      'managedsupport.kaseya.net',
      'kaseya.net'
      )
      and InitiatingProcessVersionInfoCompanyName has 'Kaseya'
      and InitiatingProcessVersionInfoProductName has 'Kaseya'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
      RemoteUrl
```
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
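To see what the query actually keeps and drops, here is an added Python emulation of its filter and `summarize` steps, run over constructed DeviceNetworkEvents rows. It is not code from the page or from the RemoteManagementMonitoringTools repository. The `kql_has` helper is an approximation of Kusto's term-bounded `has` operator (assumption: good enough for hostnames and product strings, not a reimplementation of Kusto's indexer), and the `known_managed` device set, the fixed clock and every sample row are constructed for the demo. The baselining `Status` field is an addition the false-positive scenarios below imply but the query itself does not include.

```python
"""Emulate the Kaseya RMM network-connection hunt on constructed rows.

Added example, not the hunting repository's own code. Mirrors the KQL
filter and summarize logic and adds a baseline against known-managed hosts.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Same indicator list as the KQL query.
KASEYA_URL_TERMS = ("kaseya.com", "stun.kaseya.com",
                    "managedsupport.kaseya.net", "kaseya.net")


def kql_has(text, term):
    """Approximate KQL `has`: case-insensitive match of `term` at term
    boundaries (not adjacent to another alphanumeric character).
    Assumption: close enough to Kusto's behaviour for hostnames and
    product names; it is not Kusto's real term indexer."""
    pattern = r"(?<![0-9a-z])" + re.escape(term.lower()) + r"(?![0-9a-z])"
    return re.search(pattern, text.lower()) is not None


def kql_has_any(text, terms):
    return any(kql_has(text, t) for t in terms)


def hunt_kaseya_connections(events, now, lookback=timedelta(days=5),
                            known_managed=frozenset()):
    """Return one row per (DeviceId, DeviceName, RemoteUrl), like the KQL
    `summarize`, plus a `Status` field from the known-managed baseline."""
    start = now - lookback
    groups = defaultdict(list)
    for ev in events:
        # | where Timestamp between (Time_start..Time_end)
        if not (start <= ev["Timestamp"] <= now):
            continue
        # | where RemoteUrl has_any (...) and company/product has 'Kaseya'
        # The company/product test drops browsers visiting the vendor site.
        if not kql_has_any(ev["RemoteUrl"], KASEYA_URL_TERMS):
            continue
        if not (kql_has(ev["InitiatingProcessVersionInfoCompanyName"], "Kaseya")
                and kql_has(ev["InitiatingProcessVersionInfoProductName"], "Kaseya")):
            continue
        groups[(ev["DeviceId"], ev["DeviceName"], ev["RemoteUrl"])].append(ev)

    rows = []
    for (device_id, device_name, url), evs in sorted(groups.items()):
        rows.append({
            "DeviceId": device_id, "DeviceName": device_name, "RemoteUrl": url,
            "FirstSeen": min(e["Timestamp"] for e in evs),
            "LastSeen": max(e["Timestamp"] for e in evs),
            "Report": sorted({e["ReportId"] for e in evs}),   # make_set(ReportId)
            "Count": len(evs),
            # Baseline (assumption): hosts IT enrolled in Kaseya are expected
            # to reach these domains; any other host needs analyst review.
            "Status": "expected" if device_id in known_managed else "review",
        })
    return rows


# Constructed sample data: fixed clock so the demo is deterministic.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)


def make_event(device_id, name, url, company, product, report, age):
    return {"DeviceId": device_id, "DeviceName": name, "RemoteUrl": url,
            "InitiatingProcessVersionInfoCompanyName": company,
            "InitiatingProcessVersionInfoProductName": product,
            "ReportId": report, "Timestamp": NOW - age}


SAMPLE_EVENTS = [  # constructed rows, not real telemetry
    make_event("dev-0001", "FIN-WS-01", "stun.kaseya.com", "Kaseya", "Kaseya Agent", "r-1", timedelta(hours=4)),
    make_event("dev-0001", "FIN-WS-01", "stun.kaseya.com", "Kaseya", "Kaseya Agent", "r-2", timedelta(hours=1)),
    make_event("dev-0002", "HR-LT-07", "managedsupport.kaseya.net", "Kaseya International Limited", "Kaseya Agent Endpoint", "r-3", timedelta(minutes=30)),
    make_event("dev-0003", "DEV-WS-22", "www.kaseya.com", "Microsoft Corporation", "Microsoft Edge", "r-4", timedelta(hours=2)),  # browser, dropped
    make_event("dev-0004", "OPS-SRV-02", "updates.example.com", "Kaseya", "Kaseya Agent", "r-5", timedelta(hours=3)),  # URL not matched
    make_event("dev-0005", "OLD-WS-09", "kaseya.net", "Kaseya", "Kaseya Agent", "r-6", timedelta(days=9)),  # outside 5d window
]
KNOWN_MANAGED = frozenset({"dev-0001"})  # constructed baseline


def demo():
    return hunt_kaseya_connections(SAMPLE_EVENTS, NOW, known_managed=KNOWN_MANAGED)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Running the demo yields two rows: FIN-WS-01 (two events collapsed into one row with both ReportIds, status `expected`) and HR-LT-07 (status `review`); the browser visit to www.kaseya.com, the non-Kaseya URL and the nine-day-old event are all dropped. Note that under term-bounded matching the `stun.kaseya.com` and `managedsupport.kaseya.net` entries add nothing beyond `kaseya.com` and `kaseya.net`; confirm the same holds against the live table before building exclusions on it.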
Scenario: Scheduled System Maintenance via Kaseya VSA
Description: A legitimate scheduled job in Kaseya VSA is configured to perform system maintenance tasks such as patching or log cleanup.
Filter/Exclusion: process.name != "vsaagent.exe" OR process.parent.name != "vsaagent.exe" OR event_id != 1234 (if applicable)

Scenario: Remote Desktop Protocol (RDP) Session Initiated via Kaseya
Description: An IT admin is remotely accessing a workstation using RDP through Kaseya's remote management capabilities.
Filter/Exclusion: process.name != "mstsc.exe" OR process.parent.name != "vsaagent.exe" OR destination_ip != <known_internal_network>

Scenario: Kaseya Agent Performing Inventory Scan
Description: The Kaseya agent is running a scheduled inventory scan to collect system information for reporting purposes.
Filter/Exclusion: process.name != "vsaagent.exe" OR process.command_line contains "inventory" OR event_id != 1234

Scenario: Admin Task to Reconfigure Network Settings via Kaseya
Description: An administrator is using Kaseya to reconfigure network settings on a remote endpoint, such as updating DNS or IP configurations.
Filter/Exclusion: process.name != "vsaagent.exe" OR process.command_line contains "networkconfig" OR event_id != 1234

Scenario: Kaseya Agent Updating Itself via Internal Server
Description: The Kaseya agent is performing a scheduled update from an internal server, which is a common maintenance task.
Filter/Exclusion: process.name != "vsaagent.exe" OR process.parent.name != ”