Sigma Rules to detect HopToDesk RMM (#12)

* Add files via upload * Update hoptodesk_network_sigma.yml
magicsword-io · Sep 20, 2024 · 792c990 · 792c990
1 parent b3f23d0
commit 792c990
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 0 deletions.
diff --git a/detections/sigma/hoptodesk_network_sigma.yml b/detections/sigma/hoptodesk_network_sigma.yml
@@ -0,0 +1,22 @@
+title: Potential HopToDesk RMM Tool Network Activity
+logsource:
+  product: windows
+  category: network_connection
+detection:
+  selection:
+    DestinationHostname|endswith:
+    - signal.hoptodesk.com
+    - api.hoptodesk.com
+    - turn.hoptodesk.com
+    - hoptodesk.com
+  condition: selection
+status: experimental
+description: Detects potential network activity of HopToDesk RMM tool
+author: LOLRMM Project
+date: 2024/09/19
+tags:
+- attack.execution
+- attack.t1219
+falsepositives:
+- Legitimate use of HopToDesk
+level: medium
diff --git a/detections/sigma/hoptodesk_processes_sigma.yml b/detections/sigma/hoptodesk_processes_sigma.yml
@@ -0,0 +1,20 @@
+title: Potential HopToDesk RMM Tool Process Activity
+logsource:
+  product: windows
+  category: process_creation
+detection:
+  selection:
+    ParentImage|endswith:
+    - hoptodesk.exe
+    - HopToDesk.exe
+  condition: selection
+status: experimental
+description: Detects potential processes activity of HopToDesk RMM tool
+author: LOLRMM Project
+date: 2024/09/19
+tags:
+- attack.execution
+- attack.t1219
+falsepositives:
+- Legitimate use of HopToDesk
+level: medium