diff --git a/yaml/ammyyadmin.yml b/yaml/ammyyadmin.yml new file mode 100644 index 00000000..a110911b --- /dev/null +++ b/yaml/ammyyadmin.yml @@ -0,0 +1,90 @@ +Name: Ammyy Admin +Description: Ammyy Admin is a remote monitoring and management (RMM) tool. More information + will be added as it becomes available. +Author: '@kostsatsale' +Created: '2024/05/08' +LastModified: +Details: + Website: 'https://www.ammyy.com' + PEMetadata: + Filename: 'AA_v3.exe' + OriginalFileName: '' + Description: 'Ammyy Admin' + Privileges: 'Curent User' + Free: 'Yes/1 active session at a time' + Verification: 'None' + SupportedOS: 'Windows' + Capabilities: + - 'Remote Management session' + - 'RDP Connection' + - 'File Transfer' + - 'Voice Chat' + Vulnerabilities: + - CVE-2013-5582 + InstallationPaths: + - C:\\ProgramData\\AMMYY\\* + - AMMYY_Admin.exe + - aa_v*.exe + - C:\Users\*\Downloads\AMMYY_Admin.exe + - '*\AMMYY_Admin.exe' +Artifacts: + Disk: + - File: '%programdata%\\AMMYY\\access.log' + Description: 'Ammyy Admin access log file. Contains information about the remote + IP address, the time of connection, bytes recv/send, and the ID of the remote machine.' + OS: Windows + Example: + - '20240805-22:20:45.962000 00000D98 - [0] PASSED authorization remoteId=XXXXXXXX; TCP by router 136.243.104.235:443' + - '20240805-22:22:34.139000 00000710 - [1] FAILED authorization remoteId=XXXXXXXX; TCP by router 136.243.104.235:443' + - '20240805-22:23:10.648000 00000D98 - [0] ENDED authorized session, bytes recv/send = 1164 / 115378' + - File: '%Binary_path%\\AA_v3.log' + Description: 'Ammyy Admin log file. Contains application related logs.' + OS: Windows + Example: + - '20240805-22:19:52.455000 00001318 - ERROR: ERROR: 2 RLEvent::TryToOpen(Global\AANS_FvwjZ_CHI)' + - '20240805-22:23:10.648000 00000D98 - ERROR: ERROR SetThreadDesktop(200) 170' + + EventLog: + - EventID: 4688 + ProviderName: Microsoft-Security-Auditing + LogFile: Security.evtx + CommandLine: 'rundll32.exe "C:\ProgramData\AMMYY\aa_nts.dll",run' + Description: Execution of Ammyy Admin + - EventID: 7045 + ProviderName: Service Control Manager + LogFile: System.evtx + ServiceName: Ammyy Admin + ImagePath: "C:\\*\\AA_v3.exe" - service + Description: Ammyy Admin service installation event + Registry: + - Path: HKU\.DEFAULT\Software\Ammyy\Admin + Key: 'hr3' + Type: 'Reg_Binary' + Description: 'Writing the hr3 binary in the registry. The hr3 is likely used to store admin-related information.' + - Path: HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\AmmyyAdmin + Description: 'Ammyy Admin service allows AMMYY admin to run in safe mode.' + Network: + - Description: Known remote domains + Domain: + - ammyy.com + - '*ammyy.com' + - Description: Ammyy Routers + IP: + - '136.243.104.235' + - '136.243.104.242' + - '136.243.18.122' + Port: + - Incoming: 5931 + - Outgoing: + - 80 + - 443 + - 8080 +Detections: + - Sigma: https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/ammyy_admin.yml + Name: Detecting Ammy Admin RMM Agent Execution + Description: Detects the execution of the Ammy Admin RMM agent for remote management. +References: +- https://www.ammyy.com/en/admin_security.html +Acknowledgement: + - Person: "Kostas" + Handle: "@kostastsale"