The hypothesis is that an adversary is using LogMeIn (or another product in the LogMeIn/GoTo family) as a remote management tool to establish a covert network connection for command and control or persistence. SOC teams should proactively hunt for this behaviour in Microsoft Sentinel (formerly Azure Sentinel) to surface potential C2 channels built on legitimate RMM tooling. Note that the query below keys on the vendor name in the initiating process's version information, so it only returns connections from binaries that still carry LogMeIn or GoTo version metadata; a second pass without that clause is worth running to catch renamed or stripped copies reaching the same domains.
KQL Query

```kql
let Time_start = now(-5d);
let Time_end = now();
//
DeviceNetworkEvents
| where Timestamp between (Time_start..Time_end)
| where RemoteUrl has_any (
    'update-cdn.logmein.com',
    'secure.logmein.com',
    'update.logmein.com',
    'logmeinrescue.com',
    'logmeinrescue.eu',
    'logmeinrescue-enterprise.com',
    'logmeinrescue-enterprise.eu',
    'remotelyanywhere.com',
    'gotoassist.com',
    'logmeininc.com',
    'logme.in',
    'getgo.com',
    'goto.com',
    'goto-rtc.com',
    'gotomypc.com'
    )
    and InitiatingProcessVersionInfoCompanyName has_any ('LogMeIn', 'GoTo')
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
    RemoteUrl
```
```yaml
id: e1f849f9-1218-4990-964d-dd8c69897107
name: Remote Management and Monitoring tool - LogMeIn - Network Connection
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceNetworkEvents
  | where Timestamp between (Time_start..Time_end)
  | where RemoteUrl has_any (
      'update-cdn.logmein.com',
      'secure.logmein.com',
      'update.logmein.com',
      'logmeinrescue.com',
      'logmeinrescue.eu',
      'logmeinrescue-enterprise.com',
      'logmeinrescue-enterprise.eu',
      'remotelyanywhere.com',
      'gotoassist.com',
      'logmeininc.com',
      'logme.in',
      'getgo.com',
      'goto.com',
      'goto-rtc.com',
      'gotomypc.com'
      )
      and InitiatingProcessVersionInfoCompanyName has_any ('LogMeIn', 'GoTo')
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
      RemoteUrl
```
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure the Microsoft Defender XDR (MicrosoftThreatProtection) data connector is enabled and this table is being ingested |
Scenario: A system administrator uses LogMeIn to remotely manage a server during a scheduled maintenance window.
Filter/Exclusion: DeviceNetworkEvents carries no src_ip column; exclude by device and time instead, e.g. `DeviceName !in~ (approved_servers)` for an approved-server list, combined with a Timestamp check against the documented maintenance window. Keep matches from the same servers outside the window.
Scenario: A help-desk user starts a LogMeIn Rescue or GoToAssist session to troubleshoot a remote workstation.
Filter/Exclusion: Exclude by InitiatingProcessAccountName for the accounts authorised to run remote-support sessions, not by destination port. Every row this query returns is already a connection to a LogMeIn/GoTo domain, almost always over 443, so a port-based exclusion would suppress the abuse you are hunting for along with the legitimate sessions.
Scenario: The LogMeIn host service on a managed endpoint checks in periodically to the LogMeIn cloud (heartbeat and update checks), producing steady low-volume traffic.
Filter/Exclusion: Baseline it rather than drop it: exclude devices with a sanctioned LogMeIn host installation (from a software-inventory watchlist) where InitiatingProcessFolderPath and the file hash match the approved package. A device, process path or account that newly appears against the same domains is the signal.
Scenario: An IT team uses LogMeIn to perform a remote backup of a user's machine, which also involves a connection to an internal backup server.
Filter/Exclusion: Only the operator's LogMeIn session matches this query; the connection to the internal backup server goes to a different destination and never appears in the result set, so an exclusion on "known internal backup server" filters nothing. Exclude the session itself by approved operator account and the ticket or change window.
Scenario: A LogMeIn session is used to deploy a software update to a remote endpoint, which also involves a temporary connection to an internal update server.
Filter/Exclusion: As above, the update-server connection is outside this query's scope. Tie the LogMeIn session to the deployment task by operator account, device and time window, and leave the exclusion narrow enough that the same account reaching LogMeIn domains from an unexpected device still surfaces.
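The tuning described in the scenarios above, applied to the hunt as one query. This is an added example, not the original hunt and not code from the linked repository. `ApprovedDevices`, `ApprovedAccounts`, the device and account names and the maintenance hours are constructed placeholders; in production they would come from a Sentinel watchlist via `_GetWatchlist()`. The example also goes one step beyond the original by recording whether the initiating process carries LogMeIn/GoTo version information instead of filtering on it, so a renamed or stripped binary reaching these domains lands in its own bucket at the top of the results.

```kql
// Added example, not the original hunt. Sanctioned devices and their
// maintenance window in local hours; constructed placeholder data.
let ApprovedDevices = datatable(DeviceName:string, WindowStartHour:int, WindowEndHour:int)
[
    "srv-fileshare-01", 1, 5,     // infra team, overnight patch window
    "hd-ws-0042",       8, 18     // help-desk workstation, business hours
];
// Accounts authorised to run remote-support sessions (placeholders).
let ApprovedAccounts = dynamic(["svc-rmm", "helpdesk-admin"]);
// Same domain list as the original hunt.
let RmmDomains = dynamic([
    "update-cdn.logmein.com", "secure.logmein.com", "update.logmein.com",
    "logmeinrescue.com", "logmeinrescue.eu", "logmeinrescue-enterprise.com",
    "logmeinrescue-enterprise.eu", "remotelyanywhere.com", "gotoassist.com",
    "logmeininc.com", "logme.in", "getgo.com", "goto.com", "goto-rtc.com",
    "gotomypc.com"
]);
let Time_start = now(-5d);
let Time_end = now();
DeviceNetworkEvents
| where Timestamp between (Time_start .. Time_end)
| where RemoteUrl has_any (RmmDomains)
// Keep connections from processes without LogMeIn/GoTo version info rather
// than filtering them out: a renamed or stripped binary is the better find.
| extend VendorProcess = InitiatingProcessVersionInfoCompanyName has_any ("LogMeIn", "GoTo")
| extend Hour = hourofday(Timestamp)
// Left-outer join so unlisted devices survive with null window columns.
| join kind=leftouter ApprovedDevices on DeviceName
| extend Disposition = case(
    not(VendorProcess), "non-vendor process",
    isnotnull(WindowStartHour) and Hour between (WindowStartHour .. WindowEndHour), "approved device, in window",
    isnotnull(WindowStartHour), "approved device, outside window",
    InitiatingProcessAccountName in~ (ApprovedAccounts), "approved account",
    "unsanctioned")
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp), Count=count(),
    Processes=make_set(InitiatingProcessFolderPath),
    Accounts=make_set(InitiatingProcessAccountName),
    Report=make_set(ReportId)
    by DeviceId, DeviceName, RemoteUrl, Disposition
// Sanctioned in-window activity stays visible but sorts to the bottom.
| extend Rank = case(
    Disposition == "non-vendor process", 0,
    Disposition == "unsanctioned", 1,
    Disposition == "approved device, outside window", 2,
    Disposition == "approved account", 3,
    4)
| order by Rank asc, Count desc
| project-away Rank
```

Two caveats when reading the output. The join is on DeviceName, so a renamed or rebuilt host drops out of the approved set and shows up as unsanctioned until the watchlist is updated, which is the safer failure direction. And RemoteUrl in DeviceNetworkEvents is only populated when the sensor could tie the connection to a name, so connections the endpoint makes to these services by IP alone will not appear here at all; pair the hunt with a DNS-based query if you need that coverage.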