The detection identifies potential adversary use of the TacticalRMM tool for remote management and persistence by flagging files on endpoints that carry TacticalRMM's code-signing certificate, since adversaries leverage the tool's legitimate capabilities to establish covert communication channels. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced threats that exploit RMM tools for command and control activities.
KQL Query
let Time_start = now(-5d);
let Time_end = now();
//
DeviceFileCertificateInfo
| where Timestamp between (Time_start..Time_end)
| where Signer has_any (
'AmidaWare',
'Tactical Techs'
)
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
id: aedd5298-f624-45c9-a8e5-abc78d2cd3ca
name: Remote Management and Monitoring tool - TacticalRMM - File Signature
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileCertificateInfo
tactics: CommandAndControl
relevantTechniques: T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceFileCertificateInfo
  | where Timestamp between (Time_start..Time_end)
  | where Signer has_any (
      'AmidaWare',
      'Tactical Techs'
  )
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
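As an added example (not part of the rule above and not from the linked repository), the query below extends the signer match with a device allowlist for hosts where TacticalRMM is sanctioned, and joins each remaining hit to DeviceProcessEvents by SHA1 so the analyst sees which binary ran, from where, under which account and parent. The host names in KnownRmmHosts are constructed placeholders to replace with your own.

```kql
// Added example: TacticalRMM signer hits, minus sanctioned hosts, enriched with process context.
// KnownRmmHosts holds constructed placeholder names; replace with your managed-host inventory.
let Time_start = now(-5d);
let Time_end = now();
let KnownRmmHosts = dynamic(["ITADMIN-WS01", "RMM-PILOT-02"]);   // constructed allowlist
let RmmSigners = dynamic(["AmidaWare", "Tactical Techs"]);        // same signers as the rule
let SignerHits = DeviceFileCertificateInfo
| where Timestamp between (Time_start .. Time_end)
| where Signer has_any (RmmSigners)
| where DeviceName !in~ (KnownRmmHosts)     // drop hosts where the RMM agent is expected
| project Timestamp, DeviceId, DeviceName, SHA1, Signer, IsTrusted, ReportId;
SignerHits
| join kind=leftouter (
    // Process executions of the same file hash on the same device, for context
    DeviceProcessEvents
    | where Timestamp between (Time_start .. Time_end)
    | project DeviceId, SHA1, FileName, FolderPath, ProcessCommandLine,
              AccountName, InitiatingProcessFileName
  ) on DeviceId, SHA1
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
            Signers=make_set(Signer), Binaries=make_set(FileName),
            Paths=make_set(FolderPath), CommandLines=make_set(ProcessCommandLine, 20),
            Accounts=make_set(AccountName), Parents=make_set(InitiatingProcessFileName),
            Report=make_set(ReportId), Hits=dcount(ReportId)
    by DeviceId, DeviceName
| order by LastSeen desc
```

Hits uses dcount(ReportId) rather than count() because the left outer join produces one row per process execution and would otherwise inflate the per-device total; a device with no matching process event still appears, with empty context columns.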
Scenario: A system administrator is using TacticalRMM to deploy a legitimate software update via a scheduled job.
Filter/Exclusion: Exclude processes initiated by the TacticalRMM agent or tasks scheduled through the TacticalRMM dashboard. Use a filter like: process.parent_process_name == "TacticalRMM.exe" or process.name == "TacticalRMM.exe".
Scenario: An IT team is performing a remote system inventory scan using TacticalRMM to gather endpoint information for compliance.
Filter/Exclusion: Exclude processes associated with TacticalRMM inventory tasks. Use a filter like: process.command_line contains "inventory" or process.name == "TacticalRMM.exe" with a custom tag for inventory tasks.
Scenario: A user is accessing TacticalRMM to monitor system performance and view logs, which may include file signature checks as part of the monitoring process.
Filter/Exclusion: Exclude processes initiated from the TacticalRMM web interface or those running under the TacticalRMM service account. Use a filter like: process.user == "TacticalRMMServiceAccount" or process.parent_process_name == "IIS_W3SVC_APP".
Scenario: A scheduled backup job is running through TacticalRMM, which may involve copying or moving files that match the file signature criteria.
Filter/Exclusion: Exclude processes associated with backup tasks. Use a filter like: process.command_line contains "backup" or process.name == "TacticalRMM.exe" with a tag for backup operations.
Scenario: An endpoint protection tool (e.g., Microsoft Defender or CrowdStrike) is being managed through TacticalRMM, and its file signature checks are