The hypothesis is that an adversary is using PDQ, a Remote Management and Monitoring (RMM) tool, to establish persistence or command and control by manipulating file signatures. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect abuse of legitimate RMM tools by threat actors leveraging T1219 (Remote Access Software) techniques.
KQL Query
let Time_start = now(-5d);
let Time_end = now();
//
DeviceFileCertificateInfo
| where Timestamp between (Time_start..Time_end)
| where Signer has 'PDQ.com'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
id: 2aaaffbb-1277-482f-bce4-b3baecb2fccb
name: Remote Management and Monitoring tool - PDQ - File Signature
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileCertificateInfo
tactics: CommandAndControl
relevantTechniques: T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceFileCertificateInfo
  | where Timestamp between (Time_start..Time_end)
  | where Signer has 'PDQ.com'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
Scenario: A system administrator is using PDQ Deploy to push a legitimate software update to multiple endpoints.
Filter/Exclusion: Exclude processes initiated by the PDQ Deploy service account or those associated with known update tasks (e.g., PDQDeploy.exe with a known update script name).
Scenario: A scheduled job runs PDQ Inventory to collect endpoint information for asset management purposes.
Filter/Exclusion: Exclude processes that match the PDQ Inventory service or those running under a known inventory collection task name (e.g., PDQInventory.exe with a known job ID).
Scenario: An IT admin is using PDQ Deploy to deploy a custom script that modifies file signatures for compliance or security testing.
Filter/Exclusion: Exclude processes that are part of a known compliance or testing script, identified by the script name or execution context (e.g., PDQDeploy.exe with a script named signature_test.ps1).
Scenario: A user is manually running a PDQ-related tool to troubleshoot a remote endpoint, which temporarily alters file signatures during diagnostics.
Filter/Exclusion: Exclude processes initiated by a specific user or from a known troubleshooting tool (e.g., PDQCmd.exe run by the IT support team from a known IP or user account).
Scenario: A security tool is configured to scan files using PDQ Inventory to check for known malicious signatures, as part of a regular security audit.
Filter/Exclusion: Exclude processes that are part of a known security audit or scanning task, identified by the tool name or audit schedule (e.g., PDQInventory.exe with a known audit task name).
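The following is an added example, not part of the original hunt or the linked repository, that re-implements the query's logic locally so the lookback window, the case-insensitive `Signer has 'PDQ.com'` match and the per-device `summarize` can be exercised against constructed DeviceFileCertificateInfo rows before the query is run in Sentinel. It also applies one of the exclusions the scenarios above call for (a known PDQ console host, here the hypothetical `pdq-console-01`) as a device allowlist. The row shape, device names, report IDs and the allowlist are all constructed sample data.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class FileCertRow:
    """Subset of DeviceFileCertificateInfo columns the hunt touches (constructed sample data)."""
    Timestamp: datetime
    DeviceId: str
    DeviceName: str
    Signer: str
    ReportId: int


# Constructed reference time standing in for KQL now().
NOW = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)

# Constructed sample rows: two PDQ-signed files on a workstation, one on the
# (hypothetical) PDQ console host, one non-PDQ signer, one PDQ hit outside the
# 5-day window, and one lower-case signer to show `has` is case-insensitive.
SAMPLE_ROWS = [
    FileCertRow(NOW - timedelta(days=1), "dev-fin-01", "ws-finance-01", "PDQ.com", 101),
    FileCertRow(NOW - timedelta(hours=2), "dev-fin-01", "ws-finance-01", "PDQ.com", 102),
    FileCertRow(NOW - timedelta(days=1), "dev-pdq-01", "pdq-console-01", "PDQ.com", 201),
    FileCertRow(NOW - timedelta(hours=5), "dev-hr-07", "ws-hr-07", "Microsoft Windows", 301),
    FileCertRow(NOW - timedelta(days=10), "dev-hr-07", "ws-hr-07", "PDQ.com", 302),
    FileCertRow(NOW - timedelta(hours=1), "dev-dev-03", "ws-dev-03", "pdq.com", 401),
]

# Hypothetical allowlist: hosts where PDQ-signed binaries are expected
# (the scenario of an administrator pushing updates from the PDQ console).
KNOWN_PDQ_HOSTS = frozenset({"pdq-console-01"})


def signer_has(signer: str, term: str) -> bool:
    """Approximate KQL `has`: case-insensitive match of the whole term, not a substring."""
    pattern = r"(?<![a-z0-9])" + re.escape(term.lower()) + r"(?![a-z0-9])"
    return re.search(pattern, signer.lower()) is not None


def hunt_pdq_signer(rows, now=NOW, lookback_days=5, excluded_hosts=KNOWN_PDQ_HOSTS):
    """Mirror the KQL: window filter, Signer has 'PDQ.com', summarize by DeviceId, DeviceName.

    Returns {(DeviceId, DeviceName): {FirstSeen, LastSeen, Report, Count}} with the
    excluded hosts removed, which is the tuning the false-positive scenarios describe.
    """
    time_start = now - timedelta(days=lookback_days)
    excluded = {h.lower() for h in excluded_hosts}
    hits = {}
    for row in rows:
        if not (time_start <= row.Timestamp <= now):      # Timestamp between (Time_start..Time_end)
            continue
        if not signer_has(row.Signer, "PDQ.com"):         # Signer has 'PDQ.com'
            continue
        if row.DeviceName.lower() in excluded:            # allowlist of expected PDQ hosts
            continue
        key = (row.DeviceId, row.DeviceName)              # by DeviceId, DeviceName
        entry = hits.setdefault(
            key, {"FirstSeen": row.Timestamp, "LastSeen": row.Timestamp, "Report": set(), "Count": 0}
        )
        entry["FirstSeen"] = min(entry["FirstSeen"], row.Timestamp)   # min(Timestamp)
        entry["LastSeen"] = max(entry["LastSeen"], row.Timestamp)     # max(Timestamp)
        entry["Report"].add(row.ReportId)                              # make_set(ReportId)
        entry["Count"] += 1                                            # count()
    # make_set yields an array; sort it so results are stable for comparison.
    return {k: {**v, "Report": sorted(v["Report"])} for k, v in hits.items()}


if __name__ == "__main__":
    for (device_id, device_name), summary in hunt_pdq_signer(SAMPLE_ROWS).items():
        print(device_id, device_name, summary)
```

With the constructed rows, only `ws-finance-01` (two reports) and `ws-dev-03` (lower-case signer) surface; the console host is dropped by the allowlist, the Microsoft-signed row never matches, and the 10-day-old PDQ row falls outside the window. The allowlist is the simplest form of the scenario exclusions above; the process-based exclusions (service account, job name) need a join against process telemetry that this table does not carry.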