The detection identifies potential adversary use of ServerEye, a Remote Monitoring and Management tool, to establish persistence or command and control channels through file signature analysis. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced threats leveraging legitimate RMM tools for covert operations.
KQL Query
let Time_start = now(-5d);
let Time_end = now();
//
DeviceFileCertificateInfo
| where Timestamp between (Time_start..Time_end)
| where Signer has 'Krämer IT Solutions GmbH'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
id: 44a7b71e-ad89-49fd-b540-a73c83c6f8c5
name: Remote Management and Monitoring tool - ServerEye - File Signature
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileCertificateInfo
tactics: CommandAndControl
relevantTechniques: T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceFileCertificateInfo
  | where Timestamp between (Time_start..Time_end)
  | where Signer has 'Krämer IT Solutions GmbH'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
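As an added example (not part of the rule above or the linked repository), the following Python replays the query's time window, signer match and summarize step over constructed DeviceFileCertificateInfo rows, so the whole-term, case-insensitive semantics of KQL `has` and the difference between make_set(ReportId) and count() can be checked offline before tuning the rule. Device names, ReportIds, timestamps and the helper names are constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

SIGNER = "Krämer IT Solutions GmbH"  # the signer the KQL query pivots on

def terms(text):
    # KQL `has` compares whole, case-insensitive terms (runs of alphanumerics), not substrings.
    return re.findall(r"\w+", text.casefold())

def kql_has(haystack, needle):
    """Approximation of KQL `has`: needle's terms occur as one contiguous run in haystack's terms."""
    h, n = terms(haystack), terms(needle)
    return any(h[i:i + len(n)] == n for i in range(len(h) - len(n) + 1))

def hunt(rows, now, lookback_days=5, signer=SIGNER):
    """Replays the query: time window, signer match, then summarize by DeviceId, DeviceName."""
    start = now - timedelta(days=lookback_days)
    out = {}
    for r in rows:
        if not (start <= r["Timestamp"] <= now) or not kql_has(r["Signer"], signer):
            continue
        key = (r["DeviceId"], r["DeviceName"])
        agg = out.setdefault(key, {"FirstSeen": r["Timestamp"], "LastSeen": r["Timestamp"],
                                   "Report": set(), "Count": 0})
        agg["FirstSeen"] = min(agg["FirstSeen"], r["Timestamp"])  # min(Timestamp)
        agg["LastSeen"] = max(agg["LastSeen"], r["Timestamp"])    # max(Timestamp)
        agg["Report"].add(r["ReportId"])                           # make_set(ReportId) dedups
        agg["Count"] += 1                                          # count() does not
    return out

NOW = datetime(2024, 6, 10, tzinfo=timezone.utc)

def row(days_ago, dev, signer, report):
    return {"Timestamp": NOW - timedelta(days=days_ago), "DeviceId": dev,
            "DeviceName": f"{dev}.corp.example", "Signer": signer, "ReportId": report}

SAMPLE_ROWS = [  # constructed rows mimicking DeviceFileCertificateInfo, not real telemetry
    row(1, "ws01", "Krämer IT Solutions GmbH", "rpt-1"),
    row(2, "ws01", "KRÄMER IT SOLUTIONS GMBH", "rpt-2"),   # case differs: still a `has` match
    row(2.5, "ws01", "Krämer IT Solutions GmbH", "rpt-2"), # repeated ReportId: set dedups it
    row(9, "ws02", "Krämer IT Solutions GmbH", "rpt-3"),   # outside the 5-day window
    row(3, "ws03", "Microsoft Windows", "rpt-4"),          # unrelated signer
    row(3, "ws04", "Kraemer IT Solutions GmbH", "rpt-5"),  # 'Kraemer' is a different term: no match
]

if __name__ == "__main__":
    for (dev, name), agg in hunt(SAMPLE_ROWS, NOW).items():
        print(dev, name, agg)
```

Only ws01 survives: three rows counted, two distinct ReportIds, and the transliterated signer on ws04 is missed, which is the kind of gap an analyst should weigh before relying on a single exact signer string.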
Scenario: Scheduled System Maintenance Task Using ServerEye
Description: A system administrator schedules a routine maintenance task using ServerEye to update software or apply patches on multiple endpoints.
Filter/Exclusion: process.name != "ServerEye.exe" OR process.parent.name != "ServerEye.exe" OR file.path contains "SystemUpdate"
Scenario: ServerEye Used for Inventory Management
Description: The IT team uses ServerEye to collect inventory data (e.g., software installed, hardware details) across the network as part of regular compliance checks.
Filter/Exclusion: file.path contains "Inventory" OR process.name contains "Inventory" OR process.parent.name contains "Inventory"
Scenario: Admin Task to Monitor Server Performance via ServerEye
Description: An admin uses ServerEye to monitor CPU, memory, and disk usage on a server to ensure optimal performance.
Filter/Exclusion: process.name contains "Performance" OR file.path contains "Performance" OR process.parent.name contains "Performance"
Scenario: ServerEye Used for Log Collection and Analysis
Description: The security team configures ServerEye to collect and analyze logs from multiple endpoints for troubleshooting or compliance purposes.
Filter/Exclusion: file.path contains "LogCollect" OR process.name contains "LogCollect" OR process.parent.name contains "LogCollect"
Scenario: ServerEye Used for Remote Software Deployment
Description: The IT department uses ServerEye to deploy software updates or configurations to a group of endpoints during off-peak hours.
Filter/Exclusion: file.path contains "Deployment" OR process.name contains "Deployment" OR process.parent.name contains "Deployment"