The hypothesis is that an adversary is using OptiTune, a Remote Monitoring and Management (RMM) tool, to establish persistence or a command-and-control channel on endpoints where it was never sanctioned. The observable this hunt keys on is the code-signing certificate: OptiTune binaries are signed by its publisher, Bravura Software LLC, so a signer match in DeviceFileCertificateInfo (populated by Microsoft Defender for Endpoint and ingested through the Microsoft 365 Defender connector) shows that OptiTune components landed on a device, regardless of what the files were renamed to. SOC teams should proactively hunt for this in Microsoft Sentinel (formerly Azure Sentinel), compare the hits against the list of devices where OptiTune is approved, and treat any unexpected device as potential adversary use of a legitimate RMM tool for long-term access and exfiltration.
KQL Query
let Time_start = now(-5d);
let Time_end = now();
//
DeviceFileCertificateInfo
| where Timestamp between (Time_start..Time_end)
| where Signer has 'Bravura Software LLC'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
id: c23b0994-b2ac-4cbb-8b37-9cf391f13ecb
name: Remote Management and Monitoring tool - OptiTune - File Signature
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileCertificateInfo
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceFileCertificateInfo
  | where Timestamp between (Time_start..Time_end)
  | where Signer has 'Bravura Software LLC'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
The false-positive scenarios below are written in a generic process.* / user_account pseudo-syntax. DeviceFileCertificateInfo carries no process or account columns (only device, file hash, signer, issuer and certificate trust fields), so none of these exclusions can be applied to the query as written; each has to be evaluated after joining the signer hits to DeviceFileEvents or DeviceProcessEvents on DeviceId and SHA1 (or ReportId), where the equivalents are InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessCommandLine and InitiatingProcessAccountName. Validate every exclusion against your own environment before adding it; an adversary who controls the endpoint also controls the command line and the account the exclusion matches on.
Scenario: Legitimate scheduled job for OptiTune maintenance
Description: A scheduled task runs OptiTune's maintenance script to clean up temporary files or update configurations.
Filter/Exclusion: process.parent_process_name == "Task Scheduler" or process.command_line contains "maintenance"
Scenario: OptiTune agent update via Group Policy
Description: The OptiTune agent is being updated through a Group Policy Object (GPO) deployment, which writes newly signed files and so produces fresh certificate sightings.
Filter/Exclusion: process.parent_process_name == "gpupdate" or process.command_line contains "GroupPolicy"
Scenario: OptiTune file integrity monitoring (FIM) check
Description: The tool is performing a file integrity check on its own configuration files to ensure they have not been tampered with.
Filter/Exclusion: process.command_line contains "integrity_check" or process.name == "OptiTune_FIM.exe"
Scenario: OptiTune log file rotation by a system service
Description: A system service or log management tool (e.g., Splunk, ELK) rotates OptiTune log files, which may trigger a file signature sighting.
Filter/Exclusion: process.parent_process_name in ("Splunk", "logrotate") or process.name contains "logrotate"
Scenario: OptiTune configuration backup by an admin user
Description: An administrator manually backs up OptiTune configuration files using a script or tool, which may be flagged as suspicious.
Filter/Exclusion: user_account == "Domain\Administrator" or process.command_line contains "backup"
Caveat: excluding the built-in Administrator account, or any command line containing "backup", suppresses exactly the context a hands-on-keyboard intruder is likely to operate in. Prefer scoping this exclusion to the known backup script's hash or path and to a maintenance window, and keep devices where the signer has never been seen before in the results regardless of which exclusion matches.
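The following query is an added example, not part of the original hunting query or the jischell-msft repository. It serves two purposes raised above: it enriches the Bravura-signed file sightings with the process and account that wrote each file (so the scenario exclusions can be expressed on columns that actually exist), and it separates devices where the signer appeared for the first time in the hunt window from devices where OptiTune was already present. Column names follow the standard Microsoft Defender for Endpoint advanced-hunting schema; the 30-day baseline, the 'maintenance' / 'GroupPolicy' tokens and the LikelyBenign logic are assumptions taken from the scenarios and should be tuned to your environment.

```kusto
// Added example; assumes the Microsoft 365 Defender connector is feeding
// DeviceFileCertificateInfo and DeviceFileEvents into the same workspace.
let Time_start = now(-5d);
let Time_end = now();
let Baseline_start = now(-30d);   // assumption: 30-day baseline window
// Devices that already had Bravura-signed files before the hunt window.
let KnownDevices =
    DeviceFileCertificateInfo
    | where Timestamp between (Baseline_start .. Time_start)
    | where Signer has 'Bravura Software LLC'
    | distinct DeviceId;
DeviceFileCertificateInfo
| where Timestamp between (Time_start .. Time_end)
| where Signer has 'Bravura Software LLC'
| project DeviceId, DeviceName, SHA1, IsTrusted, CertTime = Timestamp
// Pull in who wrote the file: DeviceFileEvents has the process/account context
// that DeviceFileCertificateInfo lacks. leftouter keeps hits with no match.
| join kind=leftouter (
    DeviceFileEvents
    | where Timestamp between (Time_start .. Time_end)
    | where ActionType in ('FileCreated', 'FileModified', 'FileRenamed')
    | project DeviceId, SHA1, FileName, FolderPath,
              InitiatingProcessFileName, InitiatingProcessParentFileName,
              InitiatingProcessCommandLine, InitiatingProcessAccountName
  ) on DeviceId, SHA1
| extend NewOnDevice = DeviceId !in (KnownDevices)
// Exclusion hypotheses from the scheduled-maintenance and GPO scenarios,
// now on real columns. A device where the signer is new is never excluded.
| extend LikelyBenign = InitiatingProcessCommandLine has_any ('maintenance', 'GroupPolicy')
| where not(LikelyBenign) or NewOnDevice
| summarize FirstSeen = min(CertTime), LastSeen = max(CertTime), Count = count(),
            Files = make_set(FileName, 20),
            Writers = make_set(InitiatingProcessFileName, 20),
            Parents = make_set(InitiatingProcessParentFileName, 20),
            Accounts = make_set(InitiatingProcessAccountName, 20),
            UntrustedSignatures = countif(IsTrusted == false)
          by DeviceId, DeviceName, NewOnDevice
| order by NewOnDevice desc, FirstSeen asc
```

Rows with NewOnDevice == true are the ones to triage first: OptiTune landed on a device that had no trace of it in the baseline, and the Writers / Accounts sets show whether it arrived through your deployment tooling or through an interactive session or a dropper. UntrustedSignatures greater than zero means the certificate chain did not validate on the endpoint, which is worth a look even on an approved device.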