The hypothesis is that files signed by MMSoft Design, the code-signing publisher of the Pulseway remote monitoring and management (RMM) agent, are present on endpoints where Pulseway is not a sanctioned tool. Adversaries deploy legitimate RMM agents to keep remote access to, and visibility into, compromised systems without dropping custom malware, so the agent is easy to overlook. SOC teams should proactively hunt for this signer in Azure Sentinel (now Microsoft Sentinel) using the DeviceFileCertificateInfo table and compare every hit against the inventory of hosts where the tool is approved, to detect and contain long-term persistence and monitoring activity by threat actors leveraging legitimate tools.
KQL Query
let Time_start = now(-5d);
let Time_end = now();
//
DeviceFileCertificateInfo
| where Timestamp between (Time_start..Time_end)
| where Signer has 'MMSoft Design'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
id: 6192b741-4540-4416-8dbb-ce0405166d0a
name: Remote Management and Monitoring tool - Pulseway - File Signature
description: |
  Remote Monitoring and Management (RMM) programs are used by IT staff to manage remote endpoints. Attackers have begun to abuse these programs to persist or to provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileCertificateInfo
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceFileCertificateInfo
  | where Timestamp between (Time_start..Time_end)
  | where Signer has 'MMSoft Design'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
Note on exclusions: the rule matches the publisher's code-signing certificate on the file, not a malware signature, so every Pulseway binary (agent, installer, updater) is a hit, and there is no "similar signature" effect. DeviceFileCertificateInfo carries no file name, path, process or user columns; any exclusion written in terms of process or file attributes has to be applied after joining on SHA1 (and DeviceId) to DeviceFileEvents or DeviceProcessEvents. The primary tuning control for all of the scenarios below is therefore an allowlist of hosts where Pulseway is sanctioned.
Scenario: System update via Pulseway scheduled job
Description: Pulseway pushes an agent or component update to an already-enrolled endpoint. The updated binaries are signed by MMSoft Design, so the update writes new certificate rows for a host that has not changed state.
Filter/Exclusion: DeviceName in the authorized-hosts list, and (after the SHA1 join to DeviceFileEvents) FolderPath under the Pulseway install directory with InitiatingProcessFileName =~ "Pulseway.exe"
Scenario: Admin task using Pulseway to monitor server health
Description: An administrator uses the Pulseway agent to monitor server health and logs. Only the agent binaries carry the signer; the logs and telemetry it collects do not. The hit is expected on any host where the agent is legitimately installed.
Filter/Exclusion: DeviceName in the authorized-hosts list (after the SHA1 join to DeviceProcessEvents: FileName =~ "Pulseway.exe" and AccountName in the RMM administrators group). Do not exclude on the bare account name "Administrator"; that is the account an intruder with stolen credentials is most likely to use.
Scenario: Pulseway agent installation on a remote endpoint
Description: The Pulseway agent MSI is installed on an endpoint. The installer package and the extracted agent binaries are all signed by MMSoft Design, so a fresh install produces the first certificate rows for that host. This is precisely the event the rule is meant to surface, so exclude it only for hosts that were scheduled for enrollment.
Filter/Exclusion: (after the SHA1 join to DeviceFileEvents) InitiatingProcessFileName =~ "msiexec.exe" and FileName endswith "Pulseway.msi", and DeviceName in the planned-enrollment list
Scenario: File integrity monitoring tool using Pulseway
Description: A file integrity monitoring tool (e.g., Tripwire) is deployed or run through Pulseway. Tripwire's own binaries carry a different signer and do not match; the hits come from the Pulseway agent that launches it.
Filter/Exclusion: DeviceName in the authorized-hosts list. A Tripwire.exe child of Pulseway.exe is visible only in DeviceProcessEvents (InitiatingProcessFileName =~ "Pulseway.exe" and FileName =~ "Tripwire.exe"), not in this rule's table.
Scenario: Scheduled backup job using Pulseway
Description: A backup job is started from Pulseway. Unless the backup product is itself a Pulseway component, its executables and the backup data carry a different signer; only the Pulseway agent that triggered the job matches.
Filter/Exclusion: DeviceName in the authorized-hosts list. There is no "BackupJobTriggered" event in DeviceFileCertificateInfo; if the job's child process needs to be identified, correlate with DeviceProcessEvents where InitiatingProcessFileName =~ "Pulseway.exe".
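The following query is an added tuning example and is not part of the original rule or of the linked repository. It keeps the signer-based detection above, drops hosts where Pulseway is sanctioned, and enriches each hit with file path, file name and the writing process via a SHA1 join to DeviceFileEvents, which is the only way to get the process and file context that the scenario exclusions refer to, since DeviceFileCertificateInfo has no such columns. The watchlist name Pulseway_AuthorizedHosts is a hypothetical name chosen for this example; substitute your own allowlist source.

```kql
// Added example (not the original rule): Pulseway signer hunt with host
// allowlist and file/process enrichment. 'Pulseway_AuthorizedHosts' is a
// hypothetical watchlist whose SearchKey column holds sanctioned DeviceNames.
let Time_start = now(-5d);
let Time_end = now();
let AuthorizedHosts = _GetWatchlist('Pulseway_AuthorizedHosts')
    | project DeviceName = tostring(SearchKey);
// Same predicate as the rule; keep IsTrusted so a forged or revoked
// 'MMSoft Design' certificate is surfaced rather than silently merged.
let SignedByPulseway = DeviceFileCertificateInfo
    | where Timestamp between (Time_start..Time_end)
    | where Signer has 'MMSoft Design'
    | project Timestamp, DeviceId, DeviceName, SHA1, Signer, Issuer, IsTrusted, ReportId;
// Latest file event per (device, hash) gives path, name and the process that
// wrote the file (msiexec.exe for an install, Pulseway.exe for an update).
let FileContext = DeviceFileEvents
    | where Timestamp between (Time_start..Time_end)
    | where isnotempty(SHA1)
    | summarize arg_max(Timestamp, FolderPath, FileName,
        InitiatingProcessFileName, InitiatingProcessAccountName) by DeviceId, SHA1;
SignedByPulseway
// Allowlist is the primary exclusion: an approved RMM host is expected to match.
| where DeviceName !in~ (AuthorizedHosts)
| join kind=leftouter FileContext on DeviceId, SHA1
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Files=make_set_if(strcat(FolderPath, @'\', FileName), isnotempty(FileName)),
    WritingProcesses=make_set_if(InitiatingProcessFileName, isnotempty(InitiatingProcessFileName)),
    Accounts=make_set_if(InitiatingProcessAccountName, isnotempty(InitiatingProcessAccountName)),
    UntrustedSignatures=countif(IsTrusted == false),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
// Newest first: a host whose FirstSeen is inside the window is a fresh install
// on an unapproved machine, which is the case the hypothesis is after.
| order by FirstSeen desc
```

Hosts that appear here with msiexec.exe among WritingProcesses and a FirstSeen inside the window are new, unapproved installs and should be triaged first; a non-zero UntrustedSignatures value means the signer string matched but the certificate did not chain to a trusted root, which is a separate and more suspicious finding than a stray Pulseway deployment.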