The hypothesis is that an adversary is using XMReality, a Remote Management and Monitoring (RMM) tool, to establish persistence or command-and-control channels; the hunt identifies the tool by its file (code-signing) signature rather than by process name. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential abuse of legitimate RMM tools by threat actors seeking to maintain long-term access and exfiltrate data.
KQL Query
let Time_start = now(-5d);
let Time_end = now();
//
DeviceFileCertificateInfo
| where Timestamp between (Time_start..Time_end)
| where Signer has 'XMReality'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
id: bb6761ee-4cca-4010-95d0-48cad74816b7
name: Remote Management and Monitoring tool - XMReality - File Signature
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileCertificateInfo
tactics: CommandAndControl
relevantTechniques: T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceFileCertificateInfo
  | where Timestamp between (Time_start..Time_end)
  | where Signer has 'XMReality'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
Scenario: Scheduled System Maintenance via XMReality
Description: A system administrator schedules a routine maintenance task using XMReality to update system files or perform disk cleanup.
Filter/Exclusion: process.name != "xmreality.exe" OR process.parent.name != "task scheduler" OR file.hash == "known legitimate hash of xmreality.exe"
Scenario: Remote Desktop Session with XMReality
Description: An IT admin uses XMReality to remotely connect to a workstation and perform administrative tasks like user account management or software installation.
Filter/Exclusion: process.name != "xmreality.exe" OR process.parent.name != "mstsc.exe" OR user.account != "admin_account"
Scenario: Automated Patching Job via XMReality
Description: A scheduled job in XMReality is configured to apply security patches to multiple endpoints during off-peak hours.
Filter/Exclusion: process.name != "xmreality.exe" OR process.parent.name != "schtasks.exe" OR file.hash == "known legitimate hash of xmreality.exe"
Scenario: User-Initiated Remote Support Session
Description: A support technician uses XMReality to assist a user with troubleshooting, which involves remote access and file transfer.
Filter/Exclusion: process.name != "xmreality.exe" OR process.parent.name != "remote support tool" OR user.role != "support technician"
Scenario: File Integrity Monitoring via XMReality
Description: XMReality is used to monitor file integrity and detect unauthorized changes on endpoints, which is a common security practice.
Filter/Exclusion: process.name != "xmreality.exe" OR process.parent.name != "file integrity monitoring service" OR file.hash == "known legitimate hash of xmreality.exe"
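The scenario filters above are written in a generic field notation (process.name, process.parent.name, file.hash) rather than in the KQL the hunt actually runs. The following is an added example, not part of the original rule or of the linked repository, that carries the base hunt query through to a tuned version: it joins the signature hits against DeviceProcessEvents (a standard Microsoft Defender for Endpoint advanced-hunting table) on DeviceId and SHA1 so that each hit gets its launching process, parent and account, and then applies the "vetted hash launched by an approved parent or account" exclusions in KQL. The let-bound allowlists (KnownGoodSha1, ApprovedParents, ApprovedAccounts) and the values inside them are placeholders that an analyst must replace with their own vetted hashes, parent processes and accounts; the "C:\Program Files" path check is an assumed install location, not something the page states.

```kql
// Added example (not from the original rule): base XMReality signature hunt
// plus the scenario exclusions, expressed against Defender for Endpoint tables.
let Time_start = now(-5d);
let Time_end = now();
// Placeholder: SHA1 hashes of XMReality binaries your IT team has vetted.
let KnownGoodSha1 = dynamic(["<SHA1 of vetted xmreality.exe>"]);
// Placeholder: parents that legitimately launch the tool (scheduled task host,
// schtasks, an RDP session, your remote-support tooling).
let ApprovedParents = dynamic(["svchost.exe", "schtasks.exe", "mstsc.exe"]);
// Placeholder: accounts permitted to run remote support sessions.
let ApprovedAccounts = dynamic(["admin_account"]);
DeviceFileCertificateInfo
| where Timestamp between (Time_start..Time_end)
| where Signer has 'XMReality'
| project DeviceId, DeviceName, SHA1, Signer, Issuer, IsTrusted, SignatureType,
          CertTime=Timestamp, ReportId
// Attach execution context: who ran the signed file, from where, and under which parent.
| join kind=inner (
    DeviceProcessEvents
    | where Timestamp between (Time_start..Time_end)
    | project DeviceId, SHA1, FileName, FolderPath, ProcessCommandLine,
              InitiatingProcessFileName, AccountName, ProcTime=Timestamp
  ) on DeviceId, SHA1
// Scenario exclusions: a vetted binary launched by an approved parent process
// (scheduled maintenance, patching job, RDP admin session) is expected activity.
| where not(SHA1 in (KnownGoodSha1) and InitiatingProcessFileName in~ (ApprovedParents))
// A vetted binary run by an approved support/admin account is also expected.
| where not(SHA1 in (KnownGoodSha1) and AccountName in~ (ApprovedAccounts))
// Flag what survives the exclusions and also looks out of place: a signature that
// does not chain to a trusted root, or a copy running outside the assumed install path.
| extend Suspicious = (IsTrusted == false) or (FolderPath !startswith @"C:\Program Files")
| summarize FirstSeen=min(ProcTime), LastSeen=max(ProcTime), Executions=count(),
            Parents=make_set(InitiatingProcessFileName), Accounts=make_set(AccountName),
            Paths=make_set(FolderPath), Reports=make_set(ReportId)
    by DeviceId, DeviceName, SHA1, IsTrusted, Suspicious
| order by Suspicious desc, LastSeen desc
```

The inner join deliberately keeps only signed files that were also executed in the window; an analyst who also wants files that were merely written to disk (staging before use) can switch to kind=leftouter and treat rows with an empty Parents set as "present but not yet run". Excluding on the combination of hash and parent, rather than on the process name alone, is what prevents a renamed or re-signed copy from slipping under a name-based allowlist.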