The detection identifies potential adversary use of ShowMyPC, a Remote Management and Monitoring (RMM) tool, to establish persistence or command-and-control channels by flagging files whose code-signing certificate names ShowMyPC as the signer. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate early-stage adversary activity that leverages legitimate RMM tools.
KQL Query
let Time_start = now(-5d);
let Time_end = now();
//
DeviceFileCertificateInfo
| where Timestamp between (Time_start..Time_end)
| where Signer has 'ShowMyPC'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
id: e2ab0ee7-a94f-44fb-bee8-8633801acae1
name: Remote Management and Monitoring tool - ShowMyPC - File Signature
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileCertificateInfo
tactics: CommandAndControl
relevantTechniques: T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceFileCertificateInfo
  | where Timestamp between (Time_start..Time_end)
  | where Signer has 'ShowMyPC'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
Scenario: IT Admin Uses ShowMyPC for Remote Support
Description: A system administrator uses ShowMyPC to provide remote support to an end-user, which is a legitimate use case.
Filter/Exclusion: process.parent_process_name == "Remote Desktop Services" or process.name == "mstsc.exe"

Scenario: Scheduled Job for System Monitoring
Description: A scheduled job runs ShowMyPC to monitor system health or collect logs as part of routine IT operations.
Filter/Exclusion: process.command_line contains "scheduled_task" or process.parent_process_name == "Task Scheduler"

Scenario: ShowMyPC Used for Patch Management
Description: ShowMyPC is used to deploy patches or updates to endpoints, which is a common IT task.
Filter/Exclusion: process.command_line contains "patch" or process.command_line contains "update" or process.parent_process_name == "Windows Update"

Scenario: ShowMyPC Integrated with SIEM for Log Collection
Description: ShowMyPC is configured to send logs to a Security Information and Event Management (SIEM) system for centralized monitoring.
Filter/Exclusion: process.command_line contains "log" or process.command_line contains "siem" or process.parent_process_name == "Splunk" or process.parent_process_name == "ELK"

Scenario: ShowMyPC Used for Remote Desktop Access
Description: ShowMyPC is used as an alternative to traditional Remote Desktop Protocol (RDP) for accessing remote systems.
Filter/Exclusion: process.parent_process_name == "mstsc.exe" or process.name == "rdpclip.exe"
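The tuning scenarios above refer to process attributes (parent process, command line) that DeviceFileCertificateInfo does not carry, so in practice the signed-file hits from the query have to be joined to DeviceProcessEvents before those exclusions can be applied. The KQL below is an added example and not part of the original rule: column names follow the Microsoft Defender XDR advanced-hunting schema, and the allowlisted device and account names are constructed placeholders to be replaced per environment.

```kql
// Added example: join ShowMyPC-signed files to their process launches so the
// false-positive scenarios can be expressed on real process context.
let Time_start = now(-5d);
let Time_end = now();
// Constructed placeholders: devices and accounts approved to run ShowMyPC.
let AllowedDevices = dynamic(["HELPDESK-PC-01"]);
let AllowedAccounts = dynamic(["svc_remote_support"]);
// Step 1: files whose signing certificate names ShowMyPC (one row per device/file hash).
let ShowMyPCFiles =
    DeviceFileCertificateInfo
    | where Timestamp between (Time_start..Time_end)
    | where Signer has 'ShowMyPC'
    | where IsSigned == true
    | summarize arg_max(Timestamp, IsTrusted, Signer) by DeviceId, SHA1;
// Step 2: process launches of those files, with the approved device/account
// allowlists applied. Parent process and command line are surfaced for triage
// rather than excluded, so a scheduled-task or RDP-hosted launch is still visible.
DeviceProcessEvents
| where Timestamp between (Time_start..Time_end)
| join kind=inner ShowMyPCFiles on DeviceId, SHA1
| where DeviceName !in~ (AllowedDevices)
| where AccountName !in~ (AllowedAccounts)
| extend Parent = tolower(InitiatingProcessFileName)
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
            Reports=make_set(ReportId), Launches=count(),
            CommandLines=make_set(ProcessCommandLine, 10),
            Parents=make_set(Parent)
    by DeviceId, DeviceName, AccountName, FileName, SHA1, IsTrusted
| order by Launches desc
```

Rows with IsTrusted == false, or an unexpected parent such as a browser or Office process, are the ones to prioritise; the original query remains the broader net for devices where the file is present but has not been executed.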