UltraViewer is a Remote Management and Monitoring (RMM) tool that adversaries abuse to establish persistence or command-and-control channels. This hunt identifies UltraViewer binaries by the signer of their code-signing certificate, as recorded in DeviceFileCertificateInfo. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential adversary use of RMM tools for long-term access and exfiltration.
KQL Query
let Time_start = now(-5d);
let Time_end = now();
//
DeviceFileCertificateInfo
| where Timestamp between (Time_start..Time_end)
| where Signer has 'Duc Fabulous'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
id: 5afdf22a-dff2-4b9a-aa69-97383592afc9
name: Remote Management and Monitoring tool - UltraViewer - File Signature
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileCertificateInfo
tactics: CommandAndControl
relevantTechniques: T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceFileCertificateInfo
  | where Timestamp between (Time_start..Time_end)
  | where Signer has 'Duc Fabulous'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
False-positive scenarios and candidate exclusions. Note that these exclusions are written against process-event fields (process.name, process.command_line, user.name), not against the DeviceFileCertificateInfo table the hunt queries, so they apply at triage or to a process-level data source. Parentheses mark the intended grouping of the and/or conditions.

Scenario: Legitimate UltraViewer Remote Session
Description: An IT administrator is using UltraViewer to remotely manage a user's workstation for troubleshooting.
Filter/Exclusion: process.parent_process_name == "UltraViewer.exe" or (process.name == "UltraViewer.exe" and (process.parent_process_name == "explorer.exe" or process.parent_process_name == "taskmgr.exe"))

Scenario: Scheduled Maintenance Task via UltraViewer
Description: A scheduled task is configured to run a script or maintenance job using UltraViewer as the execution method.
Filter/Exclusion: process.name == "UltraViewer.exe" and (process.command_line contains "scheduled_task_id" or process.command_line contains "taskname")

Scenario: Admin User Performing Remote Monitoring via UltraViewer
Description: A domain admin is using UltraViewer to monitor system performance or check logs on remote machines.
Filter/Exclusion: (user.name == "Administrator" or user.name == "Domain Admins") and process.name == "UltraViewer.exe"

Scenario: UltraViewer Used for Software Deployment
Description: IT is deploying software updates or patches using UltraViewer as part of a deployment toolchain.
Filter/Exclusion: process.name == "UltraViewer.exe" and (process.command_line contains "deploy" or process.command_line contains "install")

Scenario: UltraViewer File Signature Check for Integrity
Description: A system scan or integrity check is performed using UltraViewer to verify file signatures or hashes.
Filter/Exclusion: process.name == "UltraViewer.exe" and (process.command_line contains "verify" or process.command_line contains "signature" or process.command_line contains "hash")
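The hunt query and the exclusion idea from the scenarios above, as an added Python example that is not code from the original page or from the RemoteManagementMonitoringTools project: it re-implements the KQL lookback window, the `Signer has 'Duc Fabulous'` match and the per-device `summarize` over constructed sample rows. The `allowlist` of known-good DeviceIds is an assumption added for triage (the page's exclusions are process-based), and all sample values are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample rows modelled on the DeviceFileCertificateInfo columns the
# hunt uses (Timestamp, DeviceId, DeviceName, Signer, ReportId); not real telemetry.
NOW = datetime(2024, 6, 10, tzinfo=timezone.utc)
SAMPLE_ROWS = [
    {"Timestamp": NOW - timedelta(days=1), "DeviceId": "dev-01", "DeviceName": "ws-finance-07",
     "Signer": "DUC FABULOUS CO.,LTD", "ReportId": 101},
    {"Timestamp": NOW - timedelta(days=3), "DeviceId": "dev-01", "DeviceName": "ws-finance-07",
     "Signer": "DUC FABULOUS CO.,LTD", "ReportId": 102},
    {"Timestamp": NOW - timedelta(days=2), "DeviceId": "dev-02", "DeviceName": "srv-it-01",
     "Signer": "Duc Fabulous Co.,Ltd", "ReportId": 201},
    # Older than the 5-day lookback: must be ignored.
    {"Timestamp": NOW - timedelta(days=9), "DeviceId": "dev-03", "DeviceName": "ws-hr-02",
     "Signer": "DUC FABULOUS CO.,LTD", "ReportId": 301},
    # Different signer: must be ignored.
    {"Timestamp": NOW - timedelta(hours=5), "DeviceId": "dev-04", "DeviceName": "ws-dev-11",
     "Signer": "Microsoft Corporation", "ReportId": 401},
]

def signer_has(signer, phrase):
    """Approximate KQL `has`: case-insensitive match of the phrase on term boundaries."""
    pattern = r"(?<![a-z0-9])" + re.escape(phrase.lower()) + r"(?![a-z0-9])"
    return re.search(pattern, signer.lower()) is not None

def hunt_ultraviewer(rows, now, lookback_days=5, phrase="Duc Fabulous", allowlist=frozenset()):
    """Python equivalent of the KQL hunt: window filter, signer match, summarize per device.
    `allowlist` (assumed; not in the original query) holds DeviceIds where IT runs
    UltraViewer legitimately, so known-good hosts are dropped during triage."""
    start = now - timedelta(days=lookback_days)
    groups = {}
    for r in rows:
        if not (start <= r["Timestamp"] <= now):      # Timestamp between (Time_start..Time_end)
            continue
        if not signer_has(r["Signer"], phrase):        # Signer has 'Duc Fabulous'
            continue
        if r["DeviceId"] in allowlist:                 # triage exclusion (assumption)
            continue
        key = (r["DeviceId"], r["DeviceName"])         # ... by DeviceId, DeviceName
        g = groups.setdefault(key, {"FirstSeen": r["Timestamp"], "LastSeen": r["Timestamp"],
                                    "Report": set(), "Count": 0})
        g["FirstSeen"] = min(g["FirstSeen"], r["Timestamp"])   # min(Timestamp)
        g["LastSeen"] = max(g["LastSeen"], r["Timestamp"])     # max(Timestamp)
        g["Report"].add(r["ReportId"])                         # make_set(ReportId)
        g["Count"] += 1                                        # count()
    return [{"DeviceId": d, "DeviceName": n, **g} for (d, n), g in sorted(groups.items())]
```

Running `hunt_ultraviewer(SAMPLE_ROWS, NOW)` returns two rows (dev-01 with two reports, dev-02 with one); the out-of-window and differently signed rows are dropped, as they would be by the KQL.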