This detection identifies potential adversary use of the NAble remote management and monitoring (RMM) tool, whose capabilities can be abused for persistence and command and control. SOC teams should proactively hunt for this behaviour in Azure Sentinel to detect and mitigate early-stage adversary activity that abuses RMM tools.
KQL Query
// Look back five days from the time the query runs.
let Time_start = now(-5d);
let Time_end = now();
// Files whose certificate signer is one of the N-able / LogicNow publisher names.
DeviceFileCertificateInfo
| where Timestamp between (Time_start..Time_end)
| where Signer has_any (
    'N-Able Technologies',
    'LogicNow'
)
// One row per device: first and last sighting, the contributing ReportIds and the hit count.
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
id: 23acfb75-0f42-4385-a02c-6f18957f943f
name: Remote Management and Monitoring tool - NAble - File Signature
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or to provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileCertificateInfo
tactics: CommandAndControl
relevantTechniques: T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceFileCertificateInfo
  | where Timestamp between (Time_start..Time_end)
  | where Signer has_any (
      'N-Able Technologies',
      'LogicNow'
  )
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
Scenario: Scheduled System Maintenance via Nable
Description: An admin schedules a routine system maintenance task using Nable, which involves downloading a legitimate system update file.
Filter/Exclusion: file.name != "system_update.exe" or process.name != "Nable.exe"
Scenario: Remote System Monitoring via Nable
Description: A system administrator uses Nable to monitor remote endpoints and collects logs or performance data.
Filter/Exclusion: process.name != "Nable.exe" or destination.ip != "internal_network_range"
Scenario: File Integrity Check Using Nable
Description: An IT team runs a file integrity check using Nable to verify the authenticity of system files.
Filter/Exclusion: file.hash != "known_good_hash" or process.name != "Nable.exe"
Scenario: Automated Patch Deployment via Nable
Description: A patch management system uses Nable to deploy patches across the network, which may involve downloading and executing files.
Filter/Exclusion: file.name != "patch_update.exe" or process.parent.name != "PatchManager.exe"
Scenario: User-Initiated Remote Support Session
Description: A user initiates a remote support session using Nable to troubleshoot an issue on their endpoint.
Filter/Exclusion: user.name != "admin_user" or process.name != "Nable.exe"
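To show what the KQL query above actually does to a set of DeviceFileCertificateInfo rows, and how the tuning scenarios reduce the result, here is an added Python example that is not part of the original rule or repository. It re-implements the window filter, the has_any signer match and the per-device summarize over constructed sample rows; the whole-term semantics of has_any and the approved_devices allow-list (standing in for the scenario exclusions, which use generic field names not present in this table) are assumptions.

```python
import re
from datetime import datetime, timedelta

RMM_SIGNERS = ["N-Able Technologies", "LogicNow"]  # the has_any list from the page's query
COLS = ("Timestamp", "DeviceId", "DeviceName", "Signer", "ReportId")
# Constructed rows shaped like the DeviceFileCertificateInfo columns the query touches.
SAMPLE_ROWS = [dict(zip(COLS, r)) for r in [
    ("2024-05-01T08:00:00Z", "dev-001", "ws01", "N-Able Technologies ULC", "r1"),
    ("2024-05-01T09:30:00Z", "dev-001", "ws01", "n-able technologies", "r2"),  # case only
    ("2024-05-02T10:00:00Z", "dev-002", "ws02", "LogicNow Ltd", "r3"),
    ("2024-05-02T11:00:00Z", "dev-003", "ws03", "Microsoft Windows", "r4"),    # unrelated
    ("2024-04-20T11:00:00Z", "dev-004", "ws04", "LogicNow", "r5"),             # outside window
    ("2024-05-03T11:00:00Z", "dev-005", "ws05", "NotLogicNowInc", "r6"),       # substring only
]]

def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))
def _terms(s):
    return re.findall(r"[a-z0-9]+", s.lower())

def has_any(value, needles):
    # Approximates KQL has_any (assumption): the needle's terms must appear, in order, as
    # whole case-insensitive terms of the value; a bare substring like NotLogicNowInc is no hit.
    vt = _terms(value)
    for nt in map(_terms, needles):
        if any(vt[i:i + len(nt)] == nt for i in range(len(vt) - len(nt) + 1)):
            return True
    return False

def summarize_rmm_signers(rows, time_start, time_end, signers=RMM_SIGNERS):
    # Same shape as the page's summarize: FirstSeen, LastSeen, Report set and Count by device.
    out = {}
    for r in rows:
        ts = parse_ts(r["Timestamp"])
        if not (time_start <= ts <= time_end) or not has_any(r["Signer"], signers):
            continue
        agg = out.setdefault((r["DeviceId"], r["DeviceName"]),
                             {"FirstSeen": ts, "LastSeen": ts, "Report": set(), "Count": 0})
        agg["FirstSeen"], agg["LastSeen"] = min(agg["FirstSeen"], ts), max(agg["LastSeen"], ts)
        agg["Report"].add(r["ReportId"])
        agg["Count"] += 1
    return out

def run_detection(rows=SAMPLE_ROWS, time_end_iso="2024-05-04T00:00:00Z", days=5,
                  approved_devices=frozenset({"dev-002"})):
    # Fixed window instead of now(-5d) so results are reproducible. approved_devices is a
    # hypothetical allow-list of endpoints where the RMM agent is sanctioned (tuning step).
    end = parse_ts(time_end_iso)
    hits = summarize_rmm_signers(rows, end - timedelta(days=days), end)
    return {k: v for k, v in hits.items() if k[0] not in approved_devices}
```

With the sample rows, only dev-001 survives: dev-004 falls outside the window, dev-005 matches only as a substring, and dev-002 is on the allow-list.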