The hypothesis is that an adversary is using a Remote Management and Monitoring tool like Panorama9 to establish a covert network connection for command and control or persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential C2 channels and mitigate advanced persistent threats leveraging legitimate RMM tools.
KQL Query

```kql
let Time_start = now(-5d);
let Time_end = now();
//
DeviceNetworkEvents
| where Timestamp between (Time_start..Time_end)
| where RemoteUrl has 'panorama9.com'
    and InitiatingProcessVersionInfoCompanyName has 'panorama9'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
    RemoteUrl
```
```yaml
id: 937867d4-9b3b-4030-bde0-0f7d2f4605ec
name: Remote Management and Monitoring tool - Panorama9 - Network Connection
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceNetworkEvents
  | where Timestamp between (Time_start..Time_end)
  | where RemoteUrl has 'panorama9.com'
      and InitiatingProcessVersionInfoCompanyName has 'panorama9'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
      RemoteUrl
```
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
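As an added illustration (not part of the original hunt or the linked repository), the Python below replays the query's logic over constructed DeviceNetworkEvents rows so the filter and summarize steps can be checked offline. `kql_has` is only an approximation of KQL's term-based `has` operator, and every device name, URL, company string and ReportId in the sample is constructed.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class NetEvent:
    """Constructed subset of the DeviceNetworkEvents columns the query reads."""
    Timestamp: datetime
    DeviceId: str
    DeviceName: str
    RemoteUrl: str
    InitiatingProcessVersionInfoCompanyName: str
    ReportId: int

def kql_has(value: str, term: str) -> bool:
    """Approximate KQL `has`: case-insensitive match of `term` on term boundaries."""
    pattern = r"(?<![A-Za-z0-9])" + re.escape(term) + r"(?![A-Za-z0-9])"
    return re.search(pattern, value, re.IGNORECASE) is not None

def hunt_panorama9(events, now, lookback=timedelta(days=5)):
    """Mirror the hunt: 5-day window, both `has` filters, summarize by device/URL."""
    start = now - lookback
    rows = {}
    for e in events:
        if not (start <= e.Timestamp <= now):
            continue
        if not (kql_has(e.RemoteUrl, "panorama9.com")
                and kql_has(e.InitiatingProcessVersionInfoCompanyName, "panorama9")):
            continue
        key = (e.DeviceId, e.DeviceName, e.RemoteUrl)
        row = rows.setdefault(key, {"FirstSeen": e.Timestamp, "LastSeen": e.Timestamp,
                                    "Report": set(), "Count": 0})
        row["FirstSeen"] = min(row["FirstSeen"], e.Timestamp)
        row["LastSeen"] = max(row["LastSeen"], e.Timestamp)
        row["Report"].add(e.ReportId)
        row["Count"] += 1
    return rows

NOW = datetime(2024, 1, 10, 12, 0)
SAMPLE = [  # constructed telemetry, not real data
    NetEvent(NOW - timedelta(hours=1), "dev-A", "ws01", "agent.panorama9.com", "Panorama9", 101),
    NetEvent(NOW - timedelta(days=2), "dev-A", "ws01", "agent.panorama9.com", "Panorama9", 102),
    NetEvent(NOW - timedelta(days=4), "dev-A", "ws01", "agent.panorama9.com", "Panorama9", 102),
    # Older than the 5-day window: dropped by the time filter.
    NetEvent(NOW - timedelta(days=9), "dev-B", "ws02", "agent.panorama9.com", "Panorama9", 201),
    # Same destination, different publisher string: the AND drops it, so a client whose
    # version info does not name Panorama9 needs a broader follow-up query.
    NetEvent(NOW - timedelta(hours=3), "dev-C", "ws03", "api.panorama9.com", "Contoso Ltd", 301),
]
```

Running `hunt_panorama9(SAMPLE, NOW)` yields a single row for dev-A with Count 3 and Report {101, 102}; the dev-C row is the case worth a second, publisher-agnostic query when triaging.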
Scenario: Scheduled System Maintenance via Panorama9
Description: An administrator uses Panorama9 to schedule routine system maintenance tasks across endpoints, which may involve network connections to check system status or apply updates.
Filter/Exclusion: panorama9_scheduled_task or process_name = "Panorama9 Agent" with event_type = "scheduled_task"

Scenario: Remote Desktop Protocol (RDP) Session Monitoring
Description: The IT team uses Panorama9 to monitor RDP sessions for security purposes, which may result in network connections to endpoints where RDP is active.
Filter/Exclusion: destination_port = 3389 or process_name = "mstsc.exe" with user = "IT_Admin"

Scenario: Endpoint Inventory Scan via Panorama9
Description: Panorama9 is used to perform an inventory scan of all endpoints on the network, which involves connecting to each device to collect system information.
Filter/Exclusion: event_type = "inventory_scan" or process_name = "Panorama9 Inventory Tool"

Scenario: Patch Management Job Execution
Description: An admin runs a patch management job using Panorama9, which connects to multiple endpoints to deploy updates, causing network traffic.
Filter/Exclusion: job_name = "Patch Management Job" or process_name = "Panorama9 Patch Manager"

Scenario: User-Initiated Remote Support Session
Description: A support technician uses Panorama9 to initiate a remote support session with a user's endpoint, which involves establishing a network connection for remote assistance.
Filter/Exclusion: user = "Support_Team" or process_name = "Panorama9 Remote Support" with session_type = "user_initiated"