The hypothesis is that an adversary is using PDQ, a Remote Management and Monitoring tool, to establish unauthorized network connections for command and control or persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect potential C2 channels and persistent threats leveraging legitimate RMM tools.
KQL Query
```kql
let Time_start = now(-5d);
let Time_end = now();
//
DeviceNetworkEvents
| where Timestamp between (Time_start..Time_end)
| where RemoteUrl has_any (
    'app.pdq.com',
    'connect-package-library.e9d69694c3d8f7465fd531512c22bd0f.r2.cloudflarestorage.com',
    'connect.e9d69694c3d8f7465fd531512c22bd0f.r2.cloudflarestorage.com',
    'cfcdn.pdq.com'
    )
    and InitiatingProcessVersionInfoProductName has 'PDQConnectAgent'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
    RemoteUrl
```
```yaml
id: 58cbbe97-f835-4677-9bee-203b1df29600
name: Remote Management and Monitoring tool - PDQ - Network Connection
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics: CommandAndControl
relevantTechniques: T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceNetworkEvents
  | where Timestamp between (Time_start..Time_end)
  | where RemoteUrl has_any (
      'app.pdq.com',
      'connect-package-library.e9d69694c3d8f7465fd531512c22bd0f.r2.cloudflarestorage.com',
      'connect.e9d69694c3d8f7465fd531512c22bd0f.r2.cloudflarestorage.com',
      'cfcdn.pdq.com'
      )
      and InitiatingProcessVersionInfoProductName has 'PDQConnectAgent'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
      RemoteUrl
```
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is using PDQ Deploy to push a software update to multiple endpoints across the network.
  Filter/Exclusion: Check for the presence of known PDQ Deploy update scripts or job names in the event log, and exclude connections initiated from the PDQ server IP address.
- Scenario: An IT team is using PDQ Inventory to collect system information from remote machines as part of routine asset management.
  Filter/Exclusion: Filter out connections to known PDQ Inventory server IPs and exclude events where the source is a trusted PDQ Inventory server.
- Scenario: A scheduled job is configured to run PDQ Deploy to install a security patch on all endpoints during off-peak hours.
  Filter/Exclusion: Exclude connections made during scheduled maintenance windows and filter by known patching job names or IDs.
- Scenario: An admin is using PDQ Deploy to deploy a custom script that configures firewall rules on remote endpoints.
  Filter/Exclusion: Exclude connections where the destination is a known internal management server and filter by script names associated with legitimate configuration tasks.
- Scenario: A user is using PDQ Inventory to generate a report on system inventory, which includes network connection details.
  Filter/Exclusion: Exclude events where the action is related to inventory reporting and filter by known inventory-related processes or user accounts.
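The following hunt is an added example, not part of the original repository: it keeps the same PDQ Connect indicators, applies the sanctioned-server and maintenance-window exclusions from the scenarios above, and goes one step further by surfacing only devices whose PDQ agent traffic is new against a 30-day baseline. The server names `PDQ-SRV-01`/`PDQ-SRV-02` and the 01:00-04:00 UTC window are placeholder assumptions to replace with your own values.

```kql
// Added example (not from the original repo): PDQ Connect agent traffic with
// false-positive exclusions and a first-seen baseline comparison.
let Time_end = now();
let Baseline_start = now(-30d);
let Recent_start = now(-1d);
let PdqUrls = dynamic([
    'app.pdq.com',
    'connect-package-library.e9d69694c3d8f7465fd531512c22bd0f.r2.cloudflarestorage.com',
    'connect.e9d69694c3d8f7465fd531512c22bd0f.r2.cloudflarestorage.com',
    'cfcdn.pdq.com']);
// ASSUMPTION: replace with the organisation's sanctioned PDQ management hosts
let KnownPdqServers = dynamic(['PDQ-SRV-01', 'PDQ-SRV-02']);
// ASSUMPTION: scheduled off-peak patch window, 01:00-04:00 UTC
let MaintStartHour = 1;
let MaintEndHour = 4;
let PdqEvents = DeviceNetworkEvents
    | where Timestamp between (Baseline_start .. Time_end)
    | where RemoteUrl has_any (PdqUrls)
    | where InitiatingProcessVersionInfoProductName has 'PDQConnectAgent'
    // Scenario exclusions: sanctioned servers, and traffic inside the patch window
    | where DeviceName !in~ (KnownPdqServers)
    | where not(hourofday(Timestamp) between (MaintStartHour .. MaintEndHour));
// Devices that already showed PDQ agent traffic before the recent period
let BaselineDevices = PdqEvents
    | where Timestamp < Recent_start
    | distinct DeviceId;
// Devices whose PDQ agent traffic appears only in the last day: new agent
// installs are the ones worth triaging for unauthorized RMM use
PdqEvents
| where Timestamp >= Recent_start
| where DeviceId !in (BaselineDevices)
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count(),
    Accounts=make_set(InitiatingProcessAccountName),
    CommandLines=make_set(InitiatingProcessCommandLine)
    by DeviceId, DeviceName, RemoteUrl
| order by FirstSeen asc
```

The `Accounts` and `CommandLines` sets give the analyst the installing account and agent command line alongside the first-seen time, which is usually enough to confirm whether the install was part of an IT rollout or an unsanctioned one.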