The hypothesis is that an adversary is using OptiTune, a Remote Management and Monitoring tool, to create persistence by establishing a process for command and control. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential adversary use of legitimate RMM tools for long-term access and exfiltration.
KQL Query

```kusto
let Time_start = now(-5d);
let Time_end = now();
//
DeviceProcessEvents
| where Timestamp between (Time_start..Time_end)
| where ProcessVersionInfoCompanyName has 'Bravura Software LLC'
    and ProcessVersionInfoProductName has 'OptiTune'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
```
```yaml
id: cd635304-7a01-40a1-8d95-d530cd3f51fe
name: Remote Management and Monitoring tool - OptiTune - Create Process
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceProcessEvents
  | where Timestamp between (Time_start..Time_end)
  | where ProcessVersionInfoCompanyName has 'Bravura Software LLC'
      and ProcessVersionInfoProductName has 'OptiTune'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: Scheduled Job for System Maintenance
Description: A legitimate scheduled job runs the OptiTune process as part of routine system optimization or maintenance tasks.
Filter/Exclusion: process.parent_process_name == "Task Scheduler" or process.command_line contains "scheduled"
Scenario: OptiTune Agent Installation by IT Admin
Description: An IT administrator manually installs the OptiTune agent on a system as part of endpoint management.
Filter/Exclusion: process.user == "IT_Administrator" or process.command_line contains "install"
Scenario: OptiTune Process Launched by a Trusted Service
Description: The OptiTune process is initiated by a trusted system service (e.g., Windows Update or SCOM) during a legitimate system update.
Filter/Exclusion: process.parent_process_name == "svchost.exe" or process.parent_process_name == "wuauserv"
Scenario: OptiTune Used for Performance Monitoring
Description: The OptiTune tool is used by the IT team to monitor system performance and resource usage on endpoints.
Filter/Exclusion: process.command_line contains "monitor" or process.command_line contains "performance"
Scenario: OptiTune Process Started via Group Policy
Description: The OptiTune process is triggered via a Group Policy Object (GPO) that pushes the tool to endpoints for centralized management.
Filter/Exclusion: process.parent_process_name == "gpupdate.exe" or process.command_line contains "gpresult"
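The following is an added example, not part of the original hunt or the linked repository: a small Python simulation of the KQL query above together with the five exclusion scenarios, run over constructed DeviceProcessEvents rows so the filtering and the summarize step can be checked offline before the tuned query is deployed in Sentinel. The scenario filters are written against generic fields (process.parent_process_name, process.command_line, process.user); the mapping to the DeviceProcessEvents columns InitiatingProcessFileName, ProcessCommandLine and AccountName is an assumption made here. The sample rows, device names, report ids and the reference time are all constructed. KQL `has` is approximated as a whole-term match and `contains` as a case-insensitive substring match, which is the distinction that matters when tuning this query: `has 'OptiTune'` will not match a fused token such as `OptiTuneAgent`.

```python
import re
from datetime import datetime, timedelta

# Assumed mapping from the page's generic filter fields to DeviceProcessEvents columns.
FIELD_MAP = {
    "process.parent_process_name": "InitiatingProcessFileName",
    "process.command_line": "ProcessCommandLine",
    "process.user": "AccountName",
}

# The five benign scenarios from the page; clauses within a scenario are OR-ed.
EXCLUSIONS = {
    "Scheduled Job for System Maintenance": [
        ("process.parent_process_name", "==", "Task Scheduler"),
        ("process.command_line", "contains", "scheduled"),
    ],
    "OptiTune Agent Installation by IT Admin": [
        ("process.user", "==", "IT_Administrator"),
        ("process.command_line", "contains", "install"),
    ],
    "OptiTune Process Launched by a Trusted Service": [
        ("process.parent_process_name", "==", "svchost.exe"),
        ("process.parent_process_name", "==", "wuauserv"),
    ],
    "OptiTune Used for Performance Monitoring": [
        ("process.command_line", "contains", "monitor"),
        ("process.command_line", "contains", "performance"),
    ],
    "OptiTune Process Started via Group Policy": [
        ("process.parent_process_name", "==", "gpupdate.exe"),
        ("process.command_line", "contains", "gpresult"),
    ],
}


def kql_has(text, phrase):
    """Approximate KQL `has`: case-insensitive match on whole terms, in order."""
    tokens = re.findall(r"[a-z0-9]+", text.lower())
    want = re.findall(r"[a-z0-9]+", phrase.lower())
    return any(tokens[i:i + len(want)] == want
               for i in range(len(tokens) - len(want) + 1))


def clause_matches(event, field, op, value):
    col = event.get(FIELD_MAP[field], "")
    if op == "==":          # KQL == is case-sensitive
        return col == value
    if op == "contains":    # KQL contains is a case-insensitive substring match
        return value.lower() in col.lower()
    raise ValueError(f"unsupported operator {op!r}")


def matched_exclusion(event):
    """Name of the first scenario whose filter matches the event, else None."""
    for name, clauses in EXCLUSIONS.items():
        if any(clause_matches(event, *c) for c in clauses):
            return name
    return None


def is_optitune(event):
    return (kql_has(event.get("ProcessVersionInfoCompanyName", ""), "Bravura Software LLC")
            and kql_has(event.get("ProcessVersionInfoProductName", ""), "OptiTune"))


def hunt(events, now, lookback_days=5, apply_exclusions=True):
    """Mirror the KQL: time window, vendor/product match, then summarize per device."""
    start = now - timedelta(days=lookback_days)
    rows = {}
    for ev in events:
        if not (start <= ev["Timestamp"] <= now) or not is_optitune(ev):
            continue
        if apply_exclusions and matched_exclusion(ev):
            continue
        key = (ev["DeviceId"], ev["DeviceName"])
        row = rows.setdefault(key, {"FirstSeen": ev["Timestamp"], "LastSeen": ev["Timestamp"],
                                    "Report": set(), "Count": 0})
        row["FirstSeen"] = min(row["FirstSeen"], ev["Timestamp"])
        row["LastSeen"] = max(row["LastSeen"], ev["Timestamp"])
        row["Report"].add(ev["ReportId"])
        row["Count"] += 1
    return rows


NOW = datetime(2024, 6, 1, 12, 0, 0)  # constructed reference time


def _ev(device, hours_ago, report, company="Bravura Software LLC", product="OptiTune",
        parent="services.exe", account="SYSTEM", cmd="agent.exe"):
    # Constructed DeviceProcessEvents-shaped row; file and command names are placeholders.
    return {"Timestamp": NOW - timedelta(hours=hours_ago), "DeviceId": device,
            "DeviceName": f"{device}-ws", "ReportId": report,
            "ProcessVersionInfoCompanyName": company, "ProcessVersionInfoProductName": product,
            "InitiatingProcessFileName": parent, "AccountName": account, "ProcessCommandLine": cmd}


SAMPLE_EVENTS = [
    _ev("d1", 30, 101),                                                   # kept
    _ev("d1", 2, 102, parent="explorer.exe", account="jdoe", cmd="agent.exe --connect"),  # kept
    _ev("d2", 5, 201, parent="svchost.exe"),                              # trusted-service scenario
    _ev("d3", 8, 301, account="IT_Administrator", cmd="setup.exe /install"),  # admin install scenario
    _ev("d4", 24 * 10, 401),                                              # outside 5-day window
    _ev("d5", 1, 501, company="Other Vendor", product="Other Agent"),     # not OptiTune
    _ev("d1", 1, 103, product="OptiTuneAgent"),                           # `has` does not match fused token
]

if __name__ == "__main__":
    for key, row in hunt(SAMPLE_EVENTS, NOW).items():
        print(key, row)
```

Running the block prints a single surviving row for d1 with two events; dropping `apply_exclusions` widens the result to d1, d2 and d3, which is the difference the scenario filters make. The `matched_exclusion` name is useful to keep as an extra column when tuning, so that an analyst can see which scenario suppressed a hit rather than losing it silently.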