This detection flags endpoint files whose code-signing certificate belongs to the vendor of the Level Remote Management and Monitoring (RMM) tool, a possible sign of adversaries using a legitimate RMM product to establish persistence or a command and control channel. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate early-stage adversary activity that leverages legitimate RMM tools.
KQL Query
let Time_start = now(-5d);
let Time_end = now();
//
DeviceFileCertificateInfo
| where Timestamp between (Time_start..Time_end)
| where Signer has 'Level Software, Inc'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
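As an added example, not part of this rule or of the linked repository, the following Python models the query's logic over a few constructed DeviceFileCertificateInfo rows: the 5-day lookback window, the case-insensitive whole-term matching of KQL `has`, and the per-device summarize (FirstSeen, LastSeen, set of ReportIds, Count). The `sanctioned_devices` allowlist is an assumption added for tuning and has no counterpart in the original query; the sample rows, device names and report IDs are invented.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample rows shaped like DeviceFileCertificateInfo (not real telemetry).
NOW = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_ROWS = [
    {"Timestamp": NOW - timedelta(days=1), "DeviceId": "dev-a1", "DeviceName": "ws-finance-01",
     "Signer": "Level Software, Inc", "ReportId": "r-1001"},
    {"Timestamp": NOW - timedelta(hours=6), "DeviceId": "dev-a1", "DeviceName": "ws-finance-01",
     "Signer": "Level Software, Inc", "ReportId": "r-1002"},
    # Different casing: KQL `has` is case-insensitive, so this must still match.
    {"Timestamp": NOW - timedelta(days=2), "DeviceId": "dev-b2", "DeviceName": "srv-build-03",
     "Signer": "LEVEL SOFTWARE, INC", "ReportId": "r-2001"},
    # Nine days old: outside the now(-5d) window, so it must be dropped.
    {"Timestamp": NOW - timedelta(days=9), "DeviceId": "dev-c3", "DeviceName": "ws-hr-07",
     "Signer": "Level Software, Inc", "ReportId": "r-3001"},
    # Unrelated signer: must not match.
    {"Timestamp": NOW - timedelta(days=1), "DeviceId": "dev-d4", "DeviceName": "ws-it-02",
     "Signer": "Microsoft Windows", "ReportId": "r-4001"},
]


def _terms(text: str) -> list[str]:
    """Split a string into lowercase alphanumeric terms, as KQL term indexing does."""
    return re.findall(r"[a-z0-9]+", text.lower())


def signer_matches(signer: str, phrase: str) -> bool:
    """Approximate KQL `Signer has 'phrase'`: the phrase's terms must appear as a
    contiguous run of whole terms in the signer, case-insensitively. Unlike
    `contains`, 'Levels Software' does not match the term 'Level'."""
    st, pt = _terms(signer), _terms(phrase)
    return any(st[i:i + len(pt)] == pt for i in range(len(st) - len(pt) + 1))


def hunt_rmm_signer(rows, signer_phrase="Level Software, Inc", lookback_days=5,
                    now=None, sanctioned_devices=()):
    """Re-implementation of the hunting query's filter + summarize.

    Returns {(DeviceId, DeviceName): {FirstSeen, LastSeen, Report, Count}}.
    sanctioned_devices is an assumed tuning knob: DeviceIds where the RMM tool
    is approved are skipped so analysts only see unexpected installs.
    """
    now = now or datetime.now(timezone.utc)
    time_start = now - timedelta(days=lookback_days)   # let Time_start = now(-5d)
    results = {}
    for row in rows:
        ts = row["Timestamp"]
        if not (time_start <= ts <= now):                # Timestamp between (..)
            continue
        if not signer_matches(row["Signer"], signer_phrase):  # Signer has '...'
            continue
        if row["DeviceId"] in sanctioned_devices:         # assumed allowlist
            continue
        key = (row["DeviceId"], row["DeviceName"])       # by DeviceId, DeviceName
        agg = results.setdefault(key, {"FirstSeen": ts, "LastSeen": ts,
                                       "Report": set(), "Count": 0})
        agg["FirstSeen"] = min(agg["FirstSeen"], ts)     # min(Timestamp)
        agg["LastSeen"] = max(agg["LastSeen"], ts)       # max(Timestamp)
        agg["Report"].add(row["ReportId"])               # make_set(ReportId)
        agg["Count"] += 1                                # count()
    return results


if __name__ == "__main__":
    for (device_id, device_name), agg in hunt_rmm_signer(SAMPLE_ROWS, now=NOW).items():
        print(f"{device_name} ({device_id}): {agg['Count']} file(s), "
              f"first {agg['FirstSeen']:%Y-%m-%d %H:%M}, last {agg['LastSeen']:%Y-%m-%d %H:%M}, "
              f"reports={sorted(agg['Report'])}")
```

With the constructed rows, two devices surface (ws-finance-01 with two reports, srv-build-03 with one); the nine-day-old row and the Microsoft-signed row are dropped. The term-based matcher is what makes `has` cheaper and less noisy than `contains` in the real query, and the allowlist illustrates one way to keep approved deployments out of the result set without loosening the signer match itself.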
id: 3bd4f4fb-20a9-4491-8bc1-51e55da7fdcc
name: Remote Management and Monitoring tool - Level - File Signature
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileCertificateInfo
tactics: CommandAndControl
relevantTechniques: T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceFileCertificateInfo
  | where Timestamp between (Time_start..Time_end)
  | where Signer has 'Level Software, Inc'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
False positive scenarios and suggested exclusions

Scenario: A system administrator is using Microsoft Endpoint Manager (MEM) to deploy a legitimate software update via a scheduled task.
Filter/Exclusion: Exclude processes initiated by the Microsoft Endpoint Manager service or tasks scheduled by Task Scheduler with the MEM task name.

Scenario: An IT team is using Kaseya VSA to remotely manage a group of endpoints and perform a system health check.
Filter/Exclusion: Exclude processes initiated by the Kaseya VSA agent or tasks associated with Kaseya VSA service accounts.

Scenario: A DBA is using SolarWinds Server & Application Monitor (SAM) to monitor database performance and generate reports.
Filter/Exclusion: Exclude processes related to SolarWinds SAM or tasks initiated by the SolarWinds service account.

Scenario: A DevOps engineer is using Ansible to automate configuration management and deploy patches across a fleet of servers.
Filter/Exclusion: Exclude processes initiated by Ansible or tasks associated with Ansible controller or inventory hosts.

Scenario: A helpdesk technician is using LogMeIn to remotely support an end-user and troubleshoot a software issue.
Filter/Exclusion: Exclude processes initiated by the LogMeIn service or tasks associated with LogMeIn remote support sessions.