The hypothesis is that an adversary is using RemotePC, a Remote Monitoring and Management (RMM) tool, to establish persistence or a command and control channel. The hunt identifies the tool by file signature rather than by file name: RemotePC binaries are signed by the vendor, IDrive, so any file whose signer contains 'idrive' in DeviceFileCertificateInfo indicates the tool is present on a device. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential abuse of legitimate RMM tools by adversaries seeking to maintain long-term access and exfiltrate data.
KQL Query
let Time_start = now(-5d);
let Time_end = now();
//
DeviceFileCertificateInfo
| where Timestamp between (Time_start..Time_end)
| where Signer has 'idrive'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
id: 889cdb9b-ae6a-4bf5-9808-23e85367c6d0
name: Remote Management and Monitoring tool - RemotePC - File Signature
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileCertificateInfo
tactics: CommandAndControl
relevantTechniques: T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceFileCertificateInfo
  | where Timestamp between (Time_start..Time_end)
  | where Signer has 'idrive'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
Scenario: Legitimate RemotePC File Signature Check via Scheduled Job
Description: A system administrator schedules a daily job to scan for file signature updates using the RemotePC tool, which is part of the regular maintenance process.
Filter/Exclusion: process.name != "RemotePC.exe" OR event_id != 1234 (replace with actual event ID used for file signature checks)
Scenario: RemotePC Used for Patch Management
Description: The IT team uses RemotePC to deploy security patches to endpoints. This involves executing scripts or installing updates that may trigger file signature checks.
Filter/Exclusion: process.name != "RemotePC.exe" OR event_id != 5678 (replace with actual event ID for patching activities)
Scenario: RemotePC Integration with SIEM for Log Collection
Description: The organization uses RemotePC to collect logs from remote endpoints and send them to a SIEM system for centralized monitoring. This may involve file signature checks during log transfer.
Filter/Exclusion: process.name != "RemotePC.exe" OR event_id != 9101 (replace with actual event ID for log collection)
Scenario: RemotePC Used for Remote Desktop Support
Description: IT support staff use RemotePC to access remote endpoints for troubleshooting, which may involve file system access or signature checks during session setup.
Filter/Exclusion: process.name != "RemotePC.exe" OR user.name != "IT_Support" OR event_id != 1122 (replace with actual event ID and user context)
Scenario: RemotePC Used for Software Deployment
Description: The IT department uses RemotePC to deploy software to endpoints, which may involve checking file signatures as part of the deployment process.
Filter/Exclusion: `process.name != ”
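The exclusions above are written against generic `process.name` / `event_id` fields, which do not exist in DeviceFileCertificateInfo; to tune the hunt you have to filter on the columns the query actually returns. The following KQL is an added example, not code from the original page or from the linked repository. It takes the hunting query from the top of the page and (1) drops devices on an allow list of hosts where IT runs RemotePC legitimately (the host names are assumed placeholders), and (2) joins DeviceFileEvents on SHA1 so the analyst sees the file name, folder and the process and account that wrote the file, which is what separates a scheduled IT deployment from a one-off drop into a user profile. `Count` is changed to a distinct count of ReportId so the join does not inflate it.

```kql
// Added example: RemotePC file-signature hunt with context enrichment and an
// allow list for approved administration hosts. Not part of the original rule.
let Time_start = now(-5d);
let Time_end = now();
// Assumed placeholder host names; replace with the devices IT actually uses
// for patching, software deployment and remote support.
let ApprovedAdminHosts = dynamic(["IT-SUPPORT-01", "PATCHMGMT-01"]);
DeviceFileCertificateInfo
| where Timestamp between (Time_start..Time_end)
| where Signer has 'idrive'
// Case-insensitive exclusion of hosts where the tool is expected.
| where DeviceName !in~ (ApprovedAdminHosts)
// Enrich each signed file with where it landed and who wrote it.
// leftouter keeps certificate rows even when the file write falls
// outside the window (e.g. an install that predates the 5-day lookback).
| join kind=leftouter (
    DeviceFileEvents
    | where Timestamp between (Time_start..Time_end)
    | project SHA1, FileName, FolderPath,
              InitiatingProcessFileName, InitiatingProcessAccountName
    ) on SHA1
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Files=make_set(FileName), Paths=make_set(FolderPath),
    WrittenBy=make_set(InitiatingProcessFileName),
    Accounts=make_set(InitiatingProcessAccountName),
    Report=make_set(ReportId), Count=dcount(ReportId)
    by DeviceId, DeviceName, Signer, IsTrusted
| order by FirstSeen asc
```

Two triage notes on the output: `Signer has 'idrive'` also matches IDrive's backup product, so check `Files` and `Paths` before treating a hit as RemotePC, and a hit with `IsTrusted == false` or a path under a user profile or temp directory deserves priority over an install under Program Files written by a known deployment process.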