The hypothesis is that an adversary is using LiteManager as a remote management tool to establish covert network connections for command and control or persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect potential compromise of endpoints through abused RMM tools.
KQL Query

```kusto
let Time_start = now(-5d);
let Time_end = now();
//
DeviceNetworkEvents
| where Timestamp between (Time_start..Time_end)
| where RemoteUrl has_any (
    'litemanager.ru',
    'litemanager.com'
    )
    and InitiatingProcessVersionInfoProductName has_any (
    'ROMViewer',
    'ROMServer',
    'LiteManager'
    )
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
    RemoteUrl
```
Sentinel rule definition

```yaml
id: ee0c85ad-8286-4946-b3d0-12a754b67166
name: Remote Management and Monitoring tool - LiteManager - Network Connection
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics: CommandAndControl
relevantTechniques: T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceNetworkEvents
  | where Timestamp between (Time_start..Time_end)
  | where RemoteUrl has_any (
      'litemanager.ru',
      'litemanager.com'
      )
      and InitiatingProcessVersionInfoProductName has_any (
      'ROMViewer',
      'ROMServer',
      'LiteManager'
      )
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
      RemoteUrl
```
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
Potential false positives

| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Scheduled System Maintenance via LiteManager | An admin uses LiteManager to schedule routine system maintenance tasks, such as disk cleanup or software updates, which may involve network connections to remote servers. | `process.name != "LiteManager.exe" OR event_id == 41` (for scheduled task execution) |
| Remote Server Monitoring with LiteManager | The IT team uses LiteManager to monitor the health and performance of remote servers, which may involve periodic network connections to check system metrics. | `destination_ip IN (known_internal_server_ips) OR process.name == "LiteManagerMonitor.exe"` |
| Patch Management via LiteManager | LiteManager is used to deploy patches to endpoints, which may involve establishing network connections to download and apply updates. | `process.name == "LiteManagerPatch.exe" OR destination_port == 80 OR destination_port == 443` |
| Admin Access to Remote Workstations | An administrator uses LiteManager to access and troubleshoot a remote workstation, which may involve a network connection to the target machine. | `user.name == "IT_Admin" OR event_id == 4624` (for successful login events) |
| Integration with Third-Party Monitoring Tools | LiteManager is configured to integrate with a third-party monitoring tool, which may result in network connections between LiteManager and the external monitoring service. | `destination_ip IN (known_monitoring_service_ips) OR process.name == "LiteManagerIntegration.exe"` |
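As an added example (not code from the original hunt or the linked repository), the Python harness below replays the query's logic over a few constructed DeviceNetworkEvents-style rows so the two `has_any` clauses and the `summarize` can be checked offline before the rule is deployed. The `excluded_ips` allowlist is an assumption that maps the "known internal server IPs" exclusion from the scenarios above onto the table's `RemoteIP` column.

```python
import re
from collections import defaultdict

# Constructed DeviceNetworkEvents-style rows for offline testing (not real telemetry).
SAMPLE_EVENTS = [
    {"Timestamp": "2024-05-01T10:00:00Z", "DeviceId": "dev-1", "DeviceName": "ws01",
     "RemoteUrl": "www.litemanager.ru", "RemoteIP": "203.0.113.10", "ReportId": 101,
     "InitiatingProcessVersionInfoProductName": "LiteManager"},
    {"Timestamp": "2024-05-01T11:30:00Z", "DeviceId": "dev-1", "DeviceName": "ws01",
     "RemoteUrl": "www.litemanager.ru", "RemoteIP": "203.0.113.10", "ReportId": 102,
     "InitiatingProcessVersionInfoProductName": "ROMServer"},
    # Watched product, but the URL carries no watched term: dropped by the URL clause.
    {"Timestamp": "2024-05-01T12:00:00Z", "DeviceId": "dev-2", "DeviceName": "ws02",
     "RemoteUrl": "update.example.com", "RemoteIP": "198.51.100.5", "ReportId": 103,
     "InitiatingProcessVersionInfoProductName": "ROMViewer"},
    # Watched URL, but a browser initiated it: dropped by the product-name clause.
    {"Timestamp": "2024-05-01T13:00:00Z", "DeviceId": "dev-3", "DeviceName": "ws03",
     "RemoteUrl": "litemanager.com", "RemoteIP": "203.0.113.20", "ReportId": 104,
     "InitiatingProcessVersionInfoProductName": "Firefox"},
]
WATCHED_URLS = ["litemanager.ru", "litemanager.com"]
WATCHED_PRODUCTS = ["ROMViewer", "ROMServer", "LiteManager"]

def has_any(value, terms):
    """Approximation of KQL has_any: case-insensitive match on term boundaries,
    so 'litemanager.ru' matches 'www.litemanager.ru' but not 'notlitemanager.ru'."""
    return any(re.search(r"(?<![0-9a-z])" + re.escape(t) + r"(?![0-9a-z])", value, re.I)
               for t in terms)

def hunt(events, excluded_ips=frozenset()):
    """Apply the hunt's two filters, then summarize by DeviceId, DeviceName, RemoteUrl.
    excluded_ips is an assumed allowlist standing in for the page's
    'destination_ip IN (known_internal_server_ips)' exclusion."""
    groups = defaultdict(list)
    for e in events:
        if e["RemoteIP"] in excluded_ips:
            continue
        if not has_any(e["RemoteUrl"], WATCHED_URLS):
            continue
        if not has_any(e["InitiatingProcessVersionInfoProductName"], WATCHED_PRODUCTS):
            continue
        groups[(e["DeviceId"], e["DeviceName"], e["RemoteUrl"])].append(e)
    return [{"DeviceId": d, "DeviceName": n, "RemoteUrl": u,
             "FirstSeen": min(x["Timestamp"] for x in rows),
             "LastSeen": max(x["Timestamp"] for x in rows),
             "Report": sorted({x["ReportId"] for x in rows}),
             "Count": len(rows)}
            for (d, n, u), rows in groups.items()]
```

Run `hunt(SAMPLE_EVENTS)` to see the single summarized row for ws01; pass `excluded_ips={"203.0.113.10"}` to see the allowlist suppress it.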