This detection flags potential adversary use of SyncroMSP, a Remote Monitoring and Management (RMM) tool, for persistence or command-and-control channels. It keys on the file signature rather than on process names: any file in DeviceFileCertificateInfo whose Signer is 'Servably, Inc.' (the signer the query matches for SyncroMSP binaries) within the last five days is rolled up per device, with first/last seen times, the set of ReportIds and a hit count. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats that exploit RMM tools for covert operations, paying particular attention to devices where no RMM agent is expected to be installed.
KQL Query
let Time_start = now(-5d);
let Time_end = now();
//
DeviceFileCertificateInfo
| where Timestamp between (Time_start..Time_end)
| where Signer has 'Servably, Inc.'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
id: 3510a677-6a63-45f5-a0cd-509c5b865e0e
name: Remote Management and Monitoring tool - SyncroMSP - File Signature
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileCertificateInfo
tactics: CommandAndControl
relevantTechniques: T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceFileCertificateInfo
  | where Timestamp between (Time_start..Time_end)
  | where Signer has 'Servably, Inc.'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
Known benign scenarios and candidate exclusions. The filter expressions use generic process/event field names as placeholders; DeviceFileCertificateInfo itself carries only file and certificate columns (SHA1, Signer, Issuer, IsTrusted, etc.), so these conditions have to be mapped onto process telemetry before they can be applied to the rule.
Scenario: System update via SyncroMSP
Description: A legitimate system update is initiated through SyncroMSP, which may involve downloading and executing a file that matches the file signature being monitored.
Filter/Exclusion: process.name in ("setup.exe", "msiexec.exe") AND file.hash == "known_update_hash"
Scenario: Scheduled job for asset inventory
Description: A scheduled job runs via SyncroMSP to collect asset information, which may involve reading or writing files that trigger the file signature detection.
Filter/Exclusion: process.name == "syncromsp_agent.exe" AND event_id == "scheduled_job_inventory"
Scenario: Admin task to deploy configuration profiles
Description: An administrator uses SyncroMSP to push configuration profiles to endpoints, which may involve deploying files that match the signature.
Filter/Exclusion: process.name == "syncromsp_agent.exe" AND user.name == "admin" AND event_id == "profile_deployment"
Scenario: File integrity monitoring (FIM) check
Description: SyncroMSP is used to monitor file integrity, which may involve scanning files that match the signature and triggering the rule.
Filter/Exclusion: process.name == "syncromsp_fim.exe" AND event_id == "file_integrity_check"
Scenario: Remote PowerShell script execution
Description: A remote PowerShell script is executed via SyncroMSP to perform routine maintenance, which may involve executing scripts that trigger the file signature detection.
Filter/Exclusion: process.name == "powershell.exe" AND parent_process.name == "syncromsp_agent.exe" AND script_path != "known_safe_script_path"
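To make the rule's aggregation and the tuning step concrete, the following added example (not part of the original rule or the linked repository) re-implements the KQL logic in Python over a handful of constructed DeviceFileCertificateInfo-style rows: the five-day window, the `Signer has 'Servably, Inc.'` match, and the per-device summarize producing FirstSeen, LastSeen, the ReportId set and Count. It then applies an assumed allowlist of devices where the SyncroMSP agent is expected, which is the simplest way to suppress the benign scenarios above when the rule fires on a managed fleet; the device and report values are made up.

```python
from datetime import datetime, timedelta

# Fixed "now" so the example is deterministic; the KQL uses now(-5d)..now().
NOW = datetime(2024, 1, 10, 12, 0, 0)

# Constructed sample rows modelled on the DeviceFileCertificateInfo columns the
# query touches (Timestamp, Signer, ReportId, DeviceId, DeviceName). Values are
# invented for illustration.
SAMPLE_ROWS = [
    {"Timestamp": NOW - timedelta(days=1), "Signer": "Servably, Inc.",
     "ReportId": 1001, "DeviceId": "dev-a", "DeviceName": "helpdesk-01"},
    {"Timestamp": NOW - timedelta(days=3), "Signer": "Servably, Inc.",
     "ReportId": 1002, "DeviceId": "dev-a", "DeviceName": "helpdesk-01"},
    {"Timestamp": NOW - timedelta(hours=6), "Signer": "SERVABLY, INC.",
     "ReportId": 2001, "DeviceId": "dev-b", "DeviceName": "finance-07"},
    # Outside the five-day window: must not be counted.
    {"Timestamp": NOW - timedelta(days=9), "Signer": "Servably, Inc.",
     "ReportId": 3001, "DeviceId": "dev-c", "DeviceName": "old-host"},
    # Different signer: must not be counted.
    {"Timestamp": NOW - timedelta(days=2), "Signer": "Microsoft Windows",
     "ReportId": 4001, "DeviceId": "dev-b", "DeviceName": "finance-07"},
]


def run_detection(rows, now=NOW, lookback_days=5):
    """Mirror the KQL: restrict to the time window, keep rows signed by
    'Servably, Inc.', and summarize per (DeviceId, DeviceName)."""
    start = now - timedelta(days=lookback_days)
    per_device = {}
    for row in rows:
        if not (start <= row["Timestamp"] <= now):
            continue
        # KQL `has` is a case-insensitive term match; a case-insensitive
        # substring test is a close enough stand-in for this signer string.
        if "servably, inc." not in row["Signer"].lower():
            continue
        key = (row["DeviceId"], row["DeviceName"])
        agg = per_device.setdefault(key, {
            "FirstSeen": row["Timestamp"], "LastSeen": row["Timestamp"],
            "Report": set(), "Count": 0,
        })
        agg["FirstSeen"] = min(agg["FirstSeen"], row["Timestamp"])
        agg["LastSeen"] = max(agg["LastSeen"], row["Timestamp"])
        agg["Report"].add(row["ReportId"])   # make_set(ReportId)
        agg["Count"] += 1                    # count()
    return per_device


def triage(results, expected_devices):
    """Tuning step (assumed, not from the rule): drop devices on an allowlist
    of hosts where the SyncroMSP agent is deployed on purpose, so only
    unexpected installations remain for analyst review."""
    return {key: agg for key, agg in results.items()
            if key[0] not in expected_devices}


if __name__ == "__main__":
    hits = run_detection(SAMPLE_ROWS)
    for (device_id, device_name), agg in sorted(hits.items()):
        print(device_id, device_name, agg["FirstSeen"], agg["LastSeen"],
              sorted(agg["Report"]), agg["Count"])
    # Assumed allowlist: dev-a is a managed helpdesk machine.
    print("needs review:", sorted(triage(hits, {"dev-a"})))
```

Running it stand-alone lists two devices (dev-a with two reports, dev-b with one; the nine-day-old row and the Microsoft-signed row are dropped), and after the allowlist only finance-07 remains for review.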