The detection identifies potential use of Splashtop, a Remote Management and Monitoring (RMM) tool, by adversaries, keying on the signer name recorded in file certificate telemetry to surface binaries that could be used to establish persistence or command and control channels. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced threats that abuse legitimate RMM tools for malicious purposes.
KQL Query
let Time_start = now(-5d);
let Time_end = now();
//
DeviceFileCertificateInfo
| where Timestamp between (Time_start..Time_end)
| where Signer has 'Splashtop'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
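The query's semantics can be checked offline. The following is an added example, not code from the original page or from the linked Sentinel repository: it replays the KQL logic in Python over constructed DeviceFileCertificateInfo rows, modelling KQL `has` as a case-insensitive whole-term match, the 5-day window, and the `summarize` with `min`, `max`, `make_set` and `count`. It goes one step beyond the page's query with a `sanctioned_devices` allowlist (a hypothetical tuning knob, not part of the rule) to show where an exclusion for hosts with legitimate Splashtop use would sit; column names follow the Microsoft 365 Defender schema used by the query.

```python
"""Offline model of the Splashtop file-signature hunt.

Added example, not from the original page or the Sentinel repo. Emulates the
KQL query over constructed rows so the expected result shape can be checked
without a workspace. Assumptions: KQL `has` is modelled as a case-insensitive
whole-term match; `sanctioned_devices` is a hypothetical tuning knob.
"""
import re
from datetime import datetime, timedelta, timezone

# Fixed "now" so the 5-day window is deterministic.
NOW = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)

# Constructed sample rows (not real telemetry).
SAMPLE_ROWS = [
    {"Timestamp": NOW - timedelta(days=1), "DeviceId": "dev-01",
     "DeviceName": "ws-finance-07", "Signer": "Splashtop Inc.", "ReportId": 101},
    {"Timestamp": NOW - timedelta(hours=3), "DeviceId": "dev-01",
     "DeviceName": "ws-finance-07", "Signer": "SPLASHTOP INC.", "ReportId": 102},
    {"Timestamp": NOW - timedelta(days=2), "DeviceId": "dev-02",
     "DeviceName": "it-jump-01", "Signer": "Splashtop Inc.", "ReportId": 201},
    # Outside the 5-day lookback: must be dropped by the time filter.
    {"Timestamp": NOW - timedelta(days=9), "DeviceId": "dev-03",
     "DeviceName": "ws-hr-02", "Signer": "Splashtop Inc.", "ReportId": 301},
    # `has` is a term match: "Splashtopper" is not the term "Splashtop".
    {"Timestamp": NOW - timedelta(days=1), "DeviceId": "dev-04",
     "DeviceName": "ws-dev-11", "Signer": "Splashtopper Software Ltd", "ReportId": 401},
    {"Timestamp": NOW - timedelta(days=1), "DeviceId": "dev-05",
     "DeviceName": "ws-dev-12", "Signer": "Microsoft Windows", "ReportId": 501},
]


def kql_has(text: str, term: str) -> bool:
    """Approximate KQL `has`: case-insensitive match of a whole term.

    KQL tokenises on non-alphanumeric characters, so 'Splashtop' matches
    'Splashtop Inc.' but not 'Splashtopper' (which `contains` would match).
    """
    tokens = re.split(r"[^A-Za-z0-9]+", text.lower())
    return term.lower() in tokens


def hunt_splashtop_signatures(rows, now=NOW, lookback_days=5, sanctioned_devices=frozenset()):
    """Emulate the page's query: window filter, Signer has 'Splashtop', summarize.

    Returns a dict keyed by (DeviceId, DeviceName) with FirstSeen, LastSeen,
    Report (a set of ReportIds, like make_set) and Count.
    """
    time_start = now - timedelta(days=lookback_days)
    results = {}
    for row in rows:
        if not (time_start <= row["Timestamp"] <= now):
            continue
        if not kql_has(row["Signer"], "Splashtop"):
            continue
        # Hypothetical tuning step: skip hosts where Splashtop use is sanctioned.
        if row["DeviceName"] in sanctioned_devices:
            continue
        key = (row["DeviceId"], row["DeviceName"])
        agg = results.setdefault(key, {"FirstSeen": row["Timestamp"],
                                       "LastSeen": row["Timestamp"],
                                       "Report": set(), "Count": 0})
        agg["FirstSeen"] = min(agg["FirstSeen"], row["Timestamp"])
        agg["LastSeen"] = max(agg["LastSeen"], row["Timestamp"])
        agg["Report"].add(row["ReportId"])
        agg["Count"] += 1
    return results


if __name__ == "__main__":
    for (device_id, device_name), agg in hunt_splashtop_signatures(SAMPLE_ROWS).items():
        print(device_id, device_name, agg["FirstSeen"].isoformat(),
              agg["LastSeen"].isoformat(), sorted(agg["Report"]), agg["Count"])
```

Running it yields two rows, one per device in the window, with the two case-variant signer strings for dev-01 collapsing into a single row of Count 2; passing `sanctioned_devices={"it-jump-01"}` drops the jump host, which is the kind of exclusion the maintenance and administration scenarios below call for.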
id: 3cb42e27-b8bf-4c4a-8df7-8c30f8dc9d94
name: Remote Management and Monitoring tool - Splashtop - File Signature
description: |
  Remote Monitoring and Management (RMM) programs are used by IT teams to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileCertificateInfo
tactics: CommandAndControl
relevantTechniques: T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceFileCertificateInfo
  | where Timestamp between (Time_start..Time_end)
  | where Signer has 'Splashtop'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
Scenario: Scheduled System Maintenance via Splashtop
Description: An admin uses Splashtop to remotely perform scheduled system maintenance tasks, such as updating software or applying patches.
Filter/Exclusion: process.name != "splashtop.exe" OR process.parent.name == "task scheduler" OR file.path contains "System Maintenance"
Scenario: Remote Desktop Administration with Splashtop
Description: IT administrators use Splashtop to remotely access endpoints for troubleshooting or configuration changes, similar to using Remote Desktop Protocol (RDP).
Filter/Exclusion: process.name != "splashtop.exe" OR process.parent.name == "mstsc.exe" OR process.parent.name == "rdp.exe"
Scenario: File Integrity Monitoring via Splashtop
Description: A security team uses Splashtop to monitor file changes on endpoints as part of a file integrity monitoring (FIM) strategy.
Filter/Exclusion: process.name != "splashtop.exe" OR file.hash matches known good hashes OR file.path contains "IntegrityMonitor"
Scenario: Remote Backup Job Execution via Splashtop
Description: A backup job is configured to run remotely via Splashtop to ensure data is backed up from multiple endpoints.
Filter/Exclusion: process.name != "splashtop.exe" OR process.parent.name == "backup.exe" OR file.path contains "BackupJob"
Scenario: Admin Access for Patch Deployment via Splashtop
Description: IT admins use Splashtop to deploy patches or updates across a fleet of endpoints, which is a common enterprise operation.
Filter/Exclusion: process.name != "splashtop.exe" OR process.parent.name ==