This detection identifies potential adversary use of LiteManager, a Remote Management and Monitoring (RMM) tool, to establish persistence or command-and-control channels, by matching the code-signing signer recorded for LiteManager binaries in DeviceFileCertificateInfo. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate threats that abuse legitimate RMM tools for persistent access and C2 operations.
KQL Query
let Time_start = now(-5d);
let Time_end = now();
//
DeviceFileCertificateInfo
| where Timestamp between (Time_start..Time_end)
| where Signer has 'Yakhnovets Denis Aleksandrovich IP'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
id: aa26efd1-303c-412d-8dad-a082b546871d
name: Remote Management and Monitoring tool - LiteManager - File Signature
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileCertificateInfo
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceFileCertificateInfo
  | where Timestamp between (Time_start..Time_end)
  | where Signer has 'Yakhnovets Denis Aleksandrovich IP'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
Scenario: Scheduled system maintenance using LiteManager
Description: An admin schedules a routine system cleanup or patching task via LiteManager, which triggers the file signature detection.
Filter/Exclusion: process.parent_process_name == "Task Scheduler" or process.command_line contains "schtasks.exe"
Scenario: Legitimate remote desktop session using LiteManager
Description: An IT admin uses LiteManager to remotely access a workstation for troubleshooting, which may be flagged due to the tool’s file signature.
Filter/Exclusion: process.parent_process_name == "mstsc.exe" or process.command_line contains "mstsc"
Scenario: Automated backup job via LiteManager
Description: A scheduled backup job is initiated through LiteManager, which may trigger the file signature rule due to the tool’s presence.
Filter/Exclusion: process.command_line contains "backup.exe" or process.parent_process_name == "schtasks.exe"
Scenario: Admin uses LiteManager to deploy software updates
Description: An admin uses LiteManager to push out software updates to endpoints, which may be flagged by the file signature detection.
Filter/Exclusion: process.command_line contains "softwareupdate.exe" or process.parent_process_name == "LiteManager.exe"
Scenario: LiteManager used for inventory collection
Description: The IT team uses LiteManager to gather system inventory data, which may trigger the rule due to the tool’s file signature.
Filter/Exclusion: process.command_line contains "inventory.exe" or process.parent_process_name == "LiteManager.exe"
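As an added illustration (not part of the original rule or its repository), the following Python models what the KQL query and the scenario exclusions above actually do, run over constructed sample rows: the `has` operator's case-insensitive whole-term match, the five-day window, and the per-device summarize. Column names follow the Microsoft Defender advanced-hunting schema; every device name, hash, timestamp and report ID is made up. Because DeviceFileCertificateInfo carries only certificate fields, the parent-process exclusions from the scenario list are applied by joining to DeviceProcessEvents-style rows on DeviceId and SHA1, which is an assumption about how one would operationalise those filters, not something the rule itself does.

```python
"""Python model of the LiteManager signer hunt (added illustration, not the
rule's own code). Column names follow the Microsoft Defender advanced-hunting
schema; every row value below is constructed sample data."""
import re
from datetime import datetime, timedelta, timezone

SIGNER_PHRASE = "Yakhnovets Denis Aleksandrovich IP"

# Fixed "now" so the sample is reproducible; the rule uses now(-5d)..now().
TIME_END = datetime(2024, 1, 10, tzinfo=timezone.utc)
TIME_START = TIME_END - timedelta(days=5)

# Constructed DeviceFileCertificateInfo rows (subset of columns).
SAMPLE_CERT_ROWS = [
    {"Timestamp": TIME_END - timedelta(days=1), "DeviceId": "dev-01", "DeviceName": "WS01",
     "SHA1": "aaaa0001", "Signer": "Yakhnovets Denis Aleksandrovich IP", "ReportId": 101},
    {"Timestamp": TIME_END - timedelta(days=2), "DeviceId": "dev-01", "DeviceName": "WS01",
     "SHA1": "aaaa0001", "Signer": "Yakhnovets Denis Aleksandrovich IP", "ReportId": 102},
    # lower-case signer: KQL `has` is case-insensitive, so this still matches
    {"Timestamp": TIME_END - timedelta(days=3), "DeviceId": "dev-02", "DeviceName": "SRV02",
     "SHA1": "bbbb0002", "Signer": "yakhnovets denis aleksandrovich ip", "ReportId": 201},
    # outside the 5-day window
    {"Timestamp": TIME_END - timedelta(days=10), "DeviceId": "dev-03", "DeviceName": "WS03",
     "SHA1": "aaaa0001", "Signer": "Yakhnovets Denis Aleksandrovich IP", "ReportId": 301},
    # unrelated signer
    {"Timestamp": TIME_END - timedelta(days=1), "DeviceId": "dev-04", "DeviceName": "WS04",
     "SHA1": "cccc0003", "Signer": "Microsoft Windows", "ReportId": 401},
    # phrase glued into longer tokens: `has` matches whole terms, so no hit
    {"Timestamp": TIME_END - timedelta(days=1), "DeviceId": "dev-05", "DeviceName": "WS05",
     "SHA1": "dddd0004", "Signer": "XYakhnovets Denis Aleksandrovich IPX", "ReportId": 501},
]

# Constructed DeviceProcessEvents-style rows used to attach parent-process
# context to a certificate hit via (DeviceId, SHA1).
SAMPLE_PROCESS_ROWS = [
    {"DeviceId": "dev-01", "SHA1": "aaaa0001", "InitiatingProcessFileName": "schtasks.exe"},
    {"DeviceId": "dev-02", "SHA1": "bbbb0002", "InitiatingProcessFileName": "explorer.exe"},
]

# Parent processes the scenario list treats as expected (scheduled tasks, RDP).
EXPECTED_PARENTS = {"schtasks.exe", "mstsc.exe"}


def kql_has(text, phrase):
    """Approximate KQL `has`: case-insensitive, whole-term match, so the
    phrase embedded in a longer token ('XYakhnovets') does not match."""
    terms = re.findall(r"\w+", text.lower())
    wanted = re.findall(r"\w+", phrase.lower())
    n = len(wanted)
    return any(terms[i:i + n] == wanted for i in range(len(terms) - n + 1))


def filter_rows(rows, start, end):
    """The two `where` clauses: time window, then signer term match."""
    return [r for r in rows
            if start <= r["Timestamp"] <= end and kql_has(r["Signer"], SIGNER_PHRASE)]


def summarize(rows):
    """The `summarize ... by DeviceId, DeviceName` clause."""
    out = {}
    for r in rows:
        agg = out.setdefault((r["DeviceId"], r["DeviceName"]),
                             {"FirstSeen": r["Timestamp"], "LastSeen": r["Timestamp"],
                              "Report": set(), "Count": 0})
        agg["FirstSeen"] = min(agg["FirstSeen"], r["Timestamp"])
        agg["LastSeen"] = max(agg["LastSeen"], r["Timestamp"])
        agg["Report"].add(r["ReportId"])
        agg["Count"] += 1
    return out


def drop_expected_context(rows, process_rows, expected_parents):
    """Suppress hits whose binary was launched by an expected parent. The
    certificate table has no process columns, so the parent comes from a
    join on (DeviceId, SHA1); a hit with no process context is kept."""
    parents = {}
    for p in process_rows:
        key = (p["DeviceId"], p["SHA1"])
        parents.setdefault(key, set()).add(p["InitiatingProcessFileName"].lower())
    allowed = {e.lower() for e in expected_parents}
    return [r for r in rows
            if not (parents.get((r["DeviceId"], r["SHA1"]), set()) & allowed)]


if __name__ == "__main__":
    hits = filter_rows(SAMPLE_CERT_ROWS, TIME_START, TIME_END)
    remaining = drop_expected_context(hits, SAMPLE_PROCESS_ROWS, EXPECTED_PARENTS)
    for key, agg in summarize(remaining).items():
        print(key, agg)
```

Running the block prints only the SRV02 hit: WS01's two hits are suppressed because the same binary hash was launched by schtasks.exe on that device, the out-of-window row and the non-matching signers never reach summarize, and the lower-case signer on SRV02 still matches because `has` ignores case. Keeping hits that have no process context at all is deliberate; a signer hit that cannot be tied to a known parent is exactly what the hunt is for.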