Adversaries abuse legitimate remote management and monitoring (RMM) tools to establish persistence, open a command-and-control channel and move or exfiltrate data, because the tool's binaries carry a valid vendor code-signing certificate and their traffic looks like sanctioned IT activity. Signature-based controls do not flag a genuinely signed file, so the hunt below takes the opposite approach: it lists every file recorded on a Defender for Endpoint device whose Authenticode signer is Action1 Corporation, so that SOC teams working in Microsoft Sentinel (formerly Azure Sentinel) can reconcile Action1 agents against the hosts where the tool is actually sanctioned and investigate the rest for long-term access and data theft.
KQL Query
let Time_start = now(-5d);
let Time_end = now();
//
DeviceFileCertificateInfo
| where Timestamp between (Time_start..Time_end)
| where Signer has 'Action1 Corporation'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
id: 1525a733-192f-41f2-96ba-d3f631ca00d0
name: Remote Management and Monitoring tool - Action1 - File Signature
description: |
  Remote Monitoring and Management (RMM) programs are used by IT staff to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels. This query surfaces files whose signer is Action1 Corporation, as recorded in DeviceFileCertificateInfo, summarized per device.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileCertificateInfo
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceFileCertificateInfo
  | where Timestamp between (Time_start..Time_end)
  | where Signer has 'Action1 Corporation'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
Tuning notes: DeviceFileCertificateInfo records only the file hash (SHA1) and its certificate chain (Signer, Issuer, IsTrusted, SignatureType); it has no process, path or parent-process columns. Exclusions on process names therefore need a join to DeviceFileEvents or DeviceProcessEvents on DeviceId and SHA1. Exclusions that can be applied directly in the query are the set of hosts where Action1 is sanctioned (DeviceName) and the SHA1 hashes of approved Action1 agent installers. Files signed by any other vendor never match "Signer has 'Action1 Corporation'" and need no exclusion.
Scenario: System administrators deploy the sanctioned Action1 agent with Microsoft Endpoint Configuration Manager (MECM), a scheduled task or a plain msiexec.exe install.
Filter/Exclusion: prefer an allowlist of approved installer hashes (SHA1 !in (ApprovedSHA1)) or of sanctioned devices (DeviceName !in~ (SanctionedDevices)). If excluding on the deploying process, join DeviceFileEvents on DeviceId and SHA1 and drop rows where InitiatingProcessFileName is "msiexec.exe" or "ccmexec.exe" (the MECM client); write the exclusion as an equality, since "InitiatingProcessFileName != 'msiexec.exe' or SHA1 == approved" keeps the benign rows and discards almost everything else.
Scenario: IT staff run SolarWinds Server & Application Monitor (SAM), Windows Update installs a legitimate update through wusa.exe, or a vendor tool drops a file with an unfamiliar signature.
Filter/Exclusion: none needed. These files are signed by SolarWinds or Microsoft, not Action1 Corporation, so they never reach the summarize step; do not add a broad process-name or "WindowsUpdate" path exclusion, which would only mask an Action1 agent staged from those locations.
Scenario: A DevOps configuration-management script in PowerShell stages the Action1 agent as part of a build.
Filter/Exclusion: join DeviceFileEvents and exclude rows where InitiatingProcessFileName is "powershell.exe" or "pwsh.exe" and FolderPath starts with the approved scripts directory. This is a weak exclusion, because an intruder also uses PowerShell to drop an agent; the hash allowlist is safer.
Scenario: An administrator installs Action1 by hand during a remote desktop session while troubleshooting a system.
Filter/Exclusion: mstsc.exe is the client-side process and never appears as the initiating process on the target device, so it cannot be used as a filter there. Tie the file to the logged-on account through DeviceFileEvents.InitiatingProcessAccountName and confirm the install with that administrator rather than excluding it; an intruder with stolen credentials installs the agent the same way.
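The base hunt and the tuning notes above combined into one query, added here as an example; it is not part of the original query or of the linked repository. The SanctionedDevices and ApprovedSHA1 values are placeholders to be replaced with the organization's own, and the join to DeviceFileEvents supplies the process and account context that DeviceFileCertificateInfo lacks. Untrusted-chain hits are kept and counted separately rather than excluded, because an Action1-signed file whose certificate does not validate is a worse finding, not a benign one.

```kql
let Time_start = now(-5d);
let Time_end = now();
// Assumptions (edit for your environment): hosts where Action1 is sanctioned,
// and SHA1 hashes of the approved Action1 agent installers.
let SanctionedDevices = dynamic(["rmm-admin-01", "rmm-admin-02"]);
let ApprovedSHA1 = dynamic(["0000000000000000000000000000000000000000"]);
// Step 1: every Action1-signed file seen in the window, minus the allowlists.
let Action1Signed = DeviceFileCertificateInfo
    | where Timestamp between (Time_start .. Time_end)
    | where Signer has 'Action1 Corporation'
    | where DeviceName !in~ (SanctionedDevices)
    | where SHA1 !in~ (ApprovedSHA1)
    | project CertTimestamp = Timestamp, DeviceId, DeviceName, SHA1,
              Signer, Issuer, IsTrusted, SignatureType, ReportId;
// Step 2: which process and account wrote the file to disk. leftouter keeps
// certificate rows that have no matching file event in the window.
Action1Signed
| join kind=leftouter (
    DeviceFileEvents
    | where Timestamp between (Time_start .. Time_end)
    | where ActionType in ("FileCreated", "FileModified", "FileRenamed")
    | project DeviceId, SHA1, FileName, FolderPath,
              InitiatingProcessFileName, InitiatingProcessCommandLine,
              InitiatingProcessAccountName, InitiatingProcessParentFileName
  ) on DeviceId, SHA1
// Step 3: one row per device, with enough context to triage without a second query.
| summarize FirstSeen = min(CertTimestamp), LastSeen = max(CertTimestamp),
            Hashes = make_set(SHA1, 20),
            Files = make_set(FileName, 20),
            Writers = make_set(InitiatingProcessFileName, 20),
            WriterParents = make_set(InitiatingProcessParentFileName, 20),
            Accounts = make_set(InitiatingProcessAccountName, 20),
            UntrustedCerts = countif(IsTrusted == false),
            Report = make_set(ReportId),
            DistinctFiles = dcount(SHA1)
    by DeviceId, DeviceName
| order by FirstSeen asc
```

Triage reads straight off the row: a host outside the sanctioned set with Writers of msiexec.exe or ccmexec.exe and a known admin in Accounts is most likely an undocumented but legitimate deployment to add to the allowlist; a host where the writer is a browser, an archive tool or an unexpected script, or where UntrustedCerts is non-zero, goes to incident response.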