The detection identifies potential adversary use of MeshCentral, a remote management tool, to establish persistent remote access or command and control channels. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats leveraging RMM tools for long-term access and exfiltration.
KQL Query
let Time_start = now(-5d);
let Time_end = now();
//
DeviceFileCertificateInfo
| where Timestamp between (Time_start..Time_end)
| where Signer has 'meshcentral'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
id: 4837cef7-648e-42ab-96a5-3722910922a5
name: Remote Management and Monitoring tool - MeshCentral - File Signature
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileCertificateInfo
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceFileCertificateInfo
  | where Timestamp between (Time_start..Time_end)
  | where Signer has 'meshcentral'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
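To show what the query above actually returns, here is an added Python re-implementation of its filter and summarize steps run over a handful of constructed DeviceFileCertificateInfo-shaped rows (this is example code, not part of the rule or the linked repository; the signer strings, device names and report ids are made up). It also demonstrates the term-matching semantics of KQL `has`: a signer whose name contains "meshcentral" only as part of a longer alphanumeric token is not matched, which is the difference between `has` and `contains` a hunter should keep in mind when tuning this rule.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample rows in the shape of DeviceFileCertificateInfo (not real telemetry).
NOW = datetime(2024, 6, 10, tzinfo=timezone.utc)
ROWS = [
    {"Timestamp": NOW - timedelta(days=1), "DeviceId": "dev-a", "DeviceName": "ws01",
     "Signer": "MeshCentral Agent", "ReportId": "r1"},
    {"Timestamp": NOW - timedelta(days=2), "DeviceId": "dev-a", "DeviceName": "ws01",
     "Signer": "MeshCentral Agent", "ReportId": "r2"},
    {"Timestamp": NOW - timedelta(days=6), "DeviceId": "dev-a", "DeviceName": "ws01",
     "Signer": "MeshCentral Agent", "ReportId": "r0"},   # outside the 5-day window
    {"Timestamp": NOW - timedelta(hours=3), "DeviceId": "dev-b", "DeviceName": "srv02",
     "Signer": "Microsoft Windows", "ReportId": "r3"},   # unrelated signer
    {"Timestamp": NOW - timedelta(hours=1), "DeviceId": "dev-c", "DeviceName": "ws03",
     "Signer": "MeshCentralAgent Ltd", "ReportId": "r4"},  # single token: `has` misses it
]

def kql_has(value: str, term: str) -> bool:
    """Approximate KQL `has`: case-insensitive match on whole alphanumeric terms."""
    tokens = re.findall(r"[0-9A-Za-z]+", value.lower())
    return term.lower() in tokens

def hunt_meshcentral(rows, now=NOW, lookback_days=5):
    """Mirror of the page's query: time window, `Signer has 'meshcentral'`,
    then summarize FirstSeen/LastSeen/Report/Count by DeviceId, DeviceName."""
    start, end = now - timedelta(days=lookback_days), now
    result = {}
    for r in rows:
        if not (start <= r["Timestamp"] <= end):   # KQL between(..) is inclusive
            continue
        if not kql_has(r["Signer"], "meshcentral"):
            continue
        key = (r["DeviceId"], r["DeviceName"])
        agg = result.setdefault(key, {"FirstSeen": r["Timestamp"], "LastSeen": r["Timestamp"],
                                      "Report": set(), "Count": 0})
        agg["FirstSeen"] = min(agg["FirstSeen"], r["Timestamp"])
        agg["LastSeen"] = max(agg["LastSeen"], r["Timestamp"])
        agg["Report"].add(r["ReportId"])          # make_set(ReportId)
        agg["Count"] += 1                         # count()
    return result

if __name__ == "__main__":
    for (dev_id, dev_name), agg in hunt_meshcentral(ROWS).items():
        print(dev_id, dev_name, agg)
```

Because DeviceFileCertificateInfo carries certificate and device columns but no process or user fields, any exclusion for the legitimate-use scenarios below has to key on DeviceId or DeviceName in this table (or be joined to DeviceProcessEvents) rather than on process.name.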
Scenario: Scheduled System Maintenance via MeshCentral
Description: An admin uses MeshCentral to schedule routine system maintenance tasks, such as disk cleanup or patching, which may involve file operations that trigger the file signature detection.
Filter/Exclusion: process.name IN ("task scheduler", "schtasks.exe") or process.parent.name IN ("meshcentral.exe")
Scenario: Legitimate File Transfer via MeshCentral for Software Deployment
Description: IT administrators use MeshCentral to deploy software updates or configuration files to endpoints, which may include file signature checks that match the detection rule.
Filter/Exclusion: process.name IN ("meshcentral.exe") AND file.path IN ("C:\temp\updates", "C:\software\deploy")
Scenario: User-Initiated Remote Desktop Connection via MeshCentral
Description: A user connects to their own machine using MeshCentral for remote access, which may involve file operations or system monitoring that trigger the rule.
Filter/Exclusion: user.name == "admin" OR user.name == "ITUser" OR process.name IN ("mstsc.exe", "remote desktop")
Scenario: Log Collection and Analysis via MeshCentral
Description: The IT team uses MeshCentral to collect system logs or performance data from endpoints, which may involve file access or monitoring that matches the rule.
Filter/Exclusion: file.path IN ("C:\Windows\System32\logfiles", "C:\ProgramData\logcollector") or process.name IN ("logparser.exe", "eventvwr.exe")
Scenario: Configuration Management via MeshCentral for Compliance
Description: Admins use MeshCentral to push configuration changes or compliance policies to endpoints, which may involve file modifications or system monitoring that triggers the rule.
Filter/Exclusion: