This hunting query surfaces potential adversary use of Panorama9, a Remote Monitoring and Management (RMM) tool, to establish persistence or a command and control channel. It keys on the Authenticode signer name recorded for files on the endpoint (the DeviceFileCertificateInfo table from Microsoft Defender for Endpoint): any file signed by Panorama9 that is seen on a device in the last five days is reported, grouped per device. The query does not detect signature anomalies as such; it flags the presence of the signed RMM binaries, so each hit must be checked against approved RMM usage in the environment. SOC teams can run it in Microsoft Sentinel (formerly Azure Sentinel) or Advanced Hunting to find legitimate RMM tooling being used for covert remote access.
KQL Query
let Time_start = now(-5d);
let Time_end = now();
//
DeviceFileCertificateInfo
| where Timestamp between (Time_start..Time_end)
| where Signer has 'Panorama9'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
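An added example, not part of the original hunting query: the base query reports every device with a Panorama9-signed file, which is noisy where the tool is deployed fleet-wide. The variant below keeps only devices where a Panorama9-signed file appears in the last five days but not in the preceding 30 days, and carries the certificate fields (SHA1, Issuer, IsTrusted) an analyst needs to judge whether the signature itself is as expected. Column names are those documented for DeviceFileCertificateInfo; the 30-day baseline window is an assumption, tune it to your retention.

```kql
// Added example: Panorama9-signed files newly appearing on a device,
// relative to a 30-day baseline. Not part of the original query.
let Time_start = now(-5d);
let Time_end = now();
let Baseline_start = now(-35d);   // assumed baseline window: 30 days before Time_start
// Devices that already had Panorama9-signed files during the baseline window.
let BaselineDevices =
    DeviceFileCertificateInfo
    | where Timestamp between (Baseline_start .. Time_start)
    | where Signer has 'Panorama9'
    | distinct DeviceId;
DeviceFileCertificateInfo
| where Timestamp between (Time_start .. Time_end)
| where Signer has 'Panorama9'
// Keep only devices with no prior Panorama9 presence.
| where DeviceId !in (BaselineDevices)
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Hashes=make_set(SHA1), Issuers=make_set(Issuer),
    UntrustedCount=countif(IsTrusted == false), Count=count()
    by DeviceId, DeviceName, Signer
| order by FirstSeen asc
```

UntrustedCount above zero means the file carried a Panorama9 signer name that the endpoint did not chain to a trusted root; that is the case worth escalating first, since a legitimate vendor build should validate.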
id: 7a706363-95d0-4c85-9a65-f4a4463d09cf
name: Remote Management and Monitoring tool - Panorama9 - File Signature
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileCertificateInfo
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceFileCertificateInfo
  | where Timestamp between (Time_start..Time_end)
  | where Signer has 'Panorama9'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
Known benign scenarios and suggested exclusions. These exclusions are written against process fields (process name and parent process name); DeviceFileCertificateInfo carries no process context, so they only apply once the signer hits are joined to process-creation telemetry (DeviceProcessEvents: FileName and InitiatingProcessFileName). The process names below are illustrative placeholders, not verified Panorama9 binary names; confirm the actual agent and child process names in your environment before excluding them.

Scenario: Scheduled system cleanup using Panorama9
Description: An admin schedules a routine system cleanup task through Panorama9, which involves scanning and removing temporary files.
Filter/Exclusion: process.name != "CleanupTask.exe" or process.parent.name != "Panorama9.exe"

Scenario: Software update deployment via Panorama9
Description: IT administrators deploy software updates to endpoints using Panorama9, which may involve downloading and executing update packages.
Filter/Exclusion: process.name != "UpdateManager.exe" or process.parent.name != "Panorama9.exe"

Scenario: Remote desktop session initiated by an admin
Description: A system administrator uses Panorama9 to initiate a remote desktop session to troubleshoot an endpoint.
Filter/Exclusion: process.name != "mstsc.exe" or process.parent.name != "Panorama9.exe"

Scenario: Log file analysis using Panorama9
Description: An admin uses Panorama9 to analyze system logs for troubleshooting purposes, which may involve parsing and exporting log files.
Filter/Exclusion: process.name != "LogParser.exe" or process.parent.name != "Panorama9.exe"

Scenario: Configuration backup via Panorama9
Description: An admin initiates a configuration backup of a remote endpoint using Panorama9, which may involve file transfers and system queries.
Filter/Exclusion: process.name != "BackupTool.exe" or process.parent.name != "Panorama9.exe"
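An added example, not part of the original page, showing how the scenario exclusions above can actually be applied to this detection. It joins the Panorama9-signed file hashes from DeviceFileCertificateInfo to DeviceProcessEvents by SHA1, then drops the benign child/parent process pairs with an anti-join. Each exclusion is "exclude when the process name AND the parent name both match", which is the De Morgan form of the `!=` ... `or` ... `!=` filters listed above. The process names in the datatable are the page's placeholders, not verified Panorama9 binary names; column names are those documented for the two Defender tables.

```kql
// Added example: enrich Panorama9 signer hits with process context and
// apply the benign-scenario exclusions. Not part of the original query.
let Time_start = now(-5d);
let Time_end = now();
// Child/parent pairs treated as benign; names are the placeholders from the
// scenarios above (assumption), lowercased because join keys are case-sensitive.
let BenignPairs = datatable(FileName:string, InitiatingProcessFileName:string)
[
    'cleanuptask.exe',   'panorama9.exe',
    'updatemanager.exe', 'panorama9.exe',
    'mstsc.exe',         'panorama9.exe',
    'logparser.exe',     'panorama9.exe',
    'backuptool.exe',    'panorama9.exe'
];
// Hashes of files the endpoint reported as signed by Panorama9.
let SignedHashes =
    DeviceFileCertificateInfo
    | where Timestamp between (Time_start .. Time_end)
    | where Signer has 'Panorama9'
    | distinct SHA1, Signer;
DeviceProcessEvents
| where Timestamp between (Time_start .. Time_end)
| extend FileName = tolower(FileName),
         InitiatingProcessFileName = tolower(InitiatingProcessFileName)
// Only executions of binaries carrying the Panorama9 signature.
| join kind=inner SignedHashes on SHA1
// Remove rows matching a known benign child/parent pair.
| join kind=leftanti BenignPairs on FileName, InitiatingProcessFileName
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Commands=make_set(ProcessCommandLine, 20), Count=count()
    by DeviceId, DeviceName, FileName, InitiatingProcessFileName, SHA1, Signer
| order by FirstSeen asc
```

What remains after the anti-join is a Panorama9-signed binary running under a parent that is not on the approved list, for example a signed agent launched from a user's download directory by explorer.exe or a script host, which is the pattern an attacker-deployed RMM agent produces and the base query alone cannot separate from sanctioned use.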