The detection identifies potential adversary use of Pulseway, a Remote Monitoring and Management tool, to establish unauthorized network connections for command and control or persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate early-stage adversary activity leveraging legitimate RMM tools.
KQL Query
```kql
let Time_start = now(-5d);
let Time_end = now();
//
DeviceNetworkEvents
| where Timestamp between (Time_start..Time_end)
| where RemoteUrl has 'pulseway.com'
    and InitiatingProcessVersionInfoCompanyName has 'MMSoft Design'
    and InitiatingProcessVersionInfoProductName has 'Pulseway'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
    RemoteUrl
```
```yaml
id: 42fd7dc0-e3ba-47e2-a470-603e29fff986
name: Remote Management and Monitoring tool - Pulseway - Network Connection
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceNetworkEvents
  | where Timestamp between (Time_start..Time_end)
  | where RemoteUrl has 'pulseway.com'
      and InitiatingProcessVersionInfoCompanyName has 'MMSoft Design'
      and InitiatingProcessVersionInfoProductName has 'Pulseway'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
      RemoteUrl
```
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is using Pulseway to remotely manage a server and establish a scheduled maintenance task via the Pulseway agent.
  Filter/Exclusion: Check for process.name containing “Pulseway” and process.parent.name containing “PulsewayService” or “PulsewayAgent” to identify legitimate administrative activity.
- Scenario: A scheduled job is configured to run Pulseway agent updates or configuration syncs across multiple endpoints during off-hours.
  Filter/Exclusion: Filter by process.name containing “Pulseway” and process.command_line containing “update” or “sync” to distinguish from suspicious network activity.
- Scenario: An IT team is using Pulseway to monitor network traffic and detect anomalies, which may result in periodic network connection attempts.
  Filter/Exclusion: Use process.name containing “Pulseway” and destination.port in a known range used by Pulseway (e.g., 443, 80, or custom ports used by the tool) to validate legitimate monitoring activity.
- Scenario: A user is using Pulseway to remotely reboot a virtual machine as part of a routine maintenance task.
  Filter/Exclusion: Filter by process.name containing “Pulseway” and process.command_line containing “reboot” or “shutdown” to identify expected administrative actions.
- Scenario: A system is being managed by Pulseway and the agent is periodically connecting to the Pulseway server to check for new tasks or updates.
  Filter/Exclusion: Filter by process.name containing “Pulseway” and destination.ip matching the known Pulseway server IP addresses or domain to exclude normal operational behavior.
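The scenarios above describe their filters with ECS-style field names (process.name, process.parent.name, process.command_line, destination.port, destination.ip), which do not exist as columns in DeviceNetworkEvents. The tuned query below is an added example, not part of the original rule or the linked repository; it assumes the mapping process.name → InitiatingProcessFileName, process.parent.name → InitiatingProcessParentFileName, process.command_line → InitiatingProcessCommandLine, destination.port → RemotePort and destination.ip → RemoteIP, and the allow-lists (ManagedByPulseway, ExpectedParents, MaintenanceVerbs, ExpectedPorts) are placeholders for the organisation's own inventory. Rather than silently dropping rows, it labels each connection against the scenarios first and only suppresses the combination that every scenario explains (sanctioned host, expected parent process, expected port), so an agent calling home from an uninventoried host or via an unusual parent still surfaces.

```kql
// Added tuning example (not the original rule): apply the false-positive
// scenarios as explicit, inspectable exclusions on DeviceNetworkEvents.
let Time_start = now(-5d);
let Time_end = now();
// PLACEHOLDER allow-lists: replace with the real inventory before use.
let ManagedByPulseway = dynamic(["PLACEHOLDER-SRV01", "PLACEHOLDER-SRV02"]); // hosts where Pulseway is sanctioned
let ExpectedParents   = dynamic(["PulsewayService.exe", "PulsewayAgent.exe"]); // scenario 1 (parent process)
let MaintenanceVerbs  = dynamic(["update", "sync", "reboot", "shutdown"]);     // scenarios 2 and 4 (command line)
let ExpectedPorts     = dynamic([443, 80]);                                    // scenario 3 (destination port)
// Scenario 5 (known Pulseway server IP/domain) is already the base condition:
// RemoteUrl has 'pulseway.com' keeps only traffic to the vendor's domain.
DeviceNetworkEvents
| where Timestamp between (Time_start..Time_end)
| where RemoteUrl has 'pulseway.com'
    and InitiatingProcessVersionInfoCompanyName has 'MMSoft Design'
    and InitiatingProcessVersionInfoProductName has 'Pulseway'
// Label each connection against the scenarios before summarising.
| extend IsManagedHost     = DeviceName in~ (ManagedByPulseway),
         IsExpectedParent  = InitiatingProcessParentFileName in~ (ExpectedParents),
         IsMaintenanceCmd  = InitiatingProcessCommandLine has_any (MaintenanceVerbs),
         IsExpectedPort    = RemotePort in (ExpectedPorts)
// Suppress only the fully explained case; everything else stays visible.
| where not(IsManagedHost and IsExpectedParent and IsExpectedPort)
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count(),
    Parents=make_set(InitiatingProcessParentFileName),
    Ports=make_set(RemotePort),
    MaintenanceCmdCount=countif(IsMaintenanceCmd)
  by DeviceId, DeviceName, RemoteUrl, IsManagedHost
// Uninventoried hosts first, then the busiest talkers.
| order by IsManagedHost asc, Count desc
```

MaintenanceCmdCount is carried as context rather than used as an exclusion: a command line containing "update" or "reboot" explains a single connection, but it should not hide a host that is not on the managed list at all.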