The detection identifies potential use of RemoteUtilities, a Remote Monitoring and Management tool, by adversaries to establish persistence or command and control channels. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced threats leveraging legitimate RMM tools for covert operations.
KQL Query
let Time_start = now(-5d);
let Time_end = now();
//
DeviceFileCertificateInfo
| where Timestamp between (Time_start..Time_end)
| where Signer has 'Remote Utilities'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
id: ae49b070-4477-4660-a0a6-2377b08b76b4
name: Remote Management and Monitoring tool - RemoteUtilities - File Signature
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileCertificateInfo
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceFileCertificateInfo
  | where Timestamp between (Time_start..Time_end)
  | where Signer has 'Remote Utilities'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
Scenario: A system administrator is using Remote Utilities to remotely manage a server and transfer a legitimate diagnostic file with a .log extension that matches the file signature of a malicious file.
Filter/Exclusion: Exclude files with the .log extension or files originating from known admin tools like Remote Utilities or TeamViewer.
Scenario: A scheduled job runs via Remote Utilities to perform regular system health checks and generates a temporary file with a suspicious signature due to a known false positive in the file signature detection.
Filter/Exclusion: Exclude files generated by scheduled tasks with known names or paths, such as C:\Windows\Temp\health_check_*.tmp.
Scenario: An IT team uses Remote Utilities to deploy a patch or update to multiple endpoints, and the update package has a file signature that matches the malicious signature due to a shared hash.
Filter/Exclusion: Exclude files signed by known enterprise signing certificates or files with hashes matching legitimate update packages.
Scenario: A user receives a file from a trusted internal source (e.g., a shared drive or internal repository) that has a file signature matching the malicious one, but is actually a legitimate configuration file.
Filter/Exclusion: Exclude files from internal IP ranges or files with known internal file names or paths, such as \\fileserver\shared\config_*.cfg.
Scenario: A system administrator uses Remote Utilities to remotely access a workstation and inadvertently transfers a file with a malicious signature from a local drive that was previously used for testing.
Filter/Exclusion: Exclude files with known test file names or from user directories like C:\Users\ITAdmin\Downloads\test_*.exe.
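To show what the KQL above actually computes, and how a device allow-list of the kind the exclusion scenarios describe changes the result, here is an added Python re-implementation of the query run over constructed DeviceFileCertificateInfo-shaped rows. It is not part of the original rule; the sample rows, the five-day window, the `kql_has` approximation of the KQL `has` operator, and the `approved_devices` allow-list are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample rows shaped like DeviceFileCertificateInfo (not real telemetry).
NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)
SAMPLE_ROWS = [
    {"Timestamp": NOW - timedelta(days=1), "DeviceId": "dev-001", "DeviceName": "ws01",
     "Signer": "Remote Utilities LLC", "ReportId": 101},
    {"Timestamp": NOW - timedelta(days=2), "DeviceId": "dev-001", "DeviceName": "ws01",
     "Signer": "Remote Utilities LLC", "ReportId": 102},
    {"Timestamp": NOW - timedelta(days=9), "DeviceId": "dev-002", "DeviceName": "ws02",
     "Signer": "Remote Utilities LLC", "ReportId": 103},   # outside the 5-day window
    {"Timestamp": NOW - timedelta(hours=3), "DeviceId": "dev-003", "DeviceName": "srv01",
     "Signer": "Microsoft Windows", "ReportId": 104},      # different signer, not matched
    {"Timestamp": NOW - timedelta(hours=5), "DeviceId": "dev-004", "DeviceName": "itadmin-pc",
     "Signer": "REMOTE UTILITIES LLC", "ReportId": 105},   # case differs; KQL 'has' is case-insensitive
]

def kql_has(text, term):
    """Approximation of KQL 'has': case-insensitive, whole-term match (no substring hits)."""
    pattern = r"(?<!\w)" + re.escape(term) + r"(?!\w)"
    return re.search(pattern, text, re.IGNORECASE) is not None

def detect_remote_utilities(rows, now=None, lookback_days=5, approved_devices=()):
    """Mirror of the rule: time window, Signer has 'Remote Utilities', summarize by device.

    approved_devices is an assumed allow-list of DeviceName values (e.g. an IT admin
    host) that a SOC might exclude after review; the original query has no such filter.
    """
    now = now or datetime.now(timezone.utc)
    time_start = now - timedelta(days=lookback_days)          # let Time_start = now(-5d)
    groups = {}
    for r in rows:
        if not (time_start <= r["Timestamp"] <= now):         # Timestamp between (...)
            continue
        if not kql_has(r["Signer"], "Remote Utilities"):      # Signer has 'Remote Utilities'
            continue
        if r["DeviceName"] in approved_devices:               # assumed tuning exclusion
            continue
        key = (r["DeviceId"], r["DeviceName"])                # by DeviceId, DeviceName
        g = groups.setdefault(key, {"FirstSeen": r["Timestamp"], "LastSeen": r["Timestamp"],
                                    "Report": set(), "Count": 0})
        g["FirstSeen"] = min(g["FirstSeen"], r["Timestamp"])  # min(Timestamp)
        g["LastSeen"] = max(g["LastSeen"], r["Timestamp"])    # max(Timestamp)
        g["Report"].add(r["ReportId"])                        # make_set(ReportId)
        g["Count"] += 1                                       # count()
    return groups

if __name__ == "__main__":
    for key, agg in detect_remote_utilities(SAMPLE_ROWS, now=NOW).items():
        print(key, agg)
```

Running it yields one row for ws01 (two reports) and one for itadmin-pc; passing `approved_devices={"itadmin-pc"}` drops the latter, which is how an exclusion from the scenarios above would surface in the results.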