updated site generated files

.github/workflows/deploy.yml

@@ -36,10 +36,21 @@ jobs:
         npm install
         npm run build
       working-directory: website
-    - name: Upload artifact
-      uses: actions/upload-pages-artifact@v1
+
+    - name: Upload site artifact
+      uses: actions/upload-artifact@v3
       with:
-        path: ./website/out
+        name: site
+        path: website/build
+
+    - name: Commit and push changes
+      run: |
+        git config --global user.name 'github-actions[bot]'
+        git config --global user.email 'github-actions[bot]@users.noreply.github.com'
+        git add .
+        git commit -m "Update generated site files"
+        git push
+      working-directory: website
 
 # Deployment job
   deploy:

.gitignore

@@ -161,4 +161,3 @@ cython_debug/
 #  option (not recommended) you can uncomment the following to ignore the entire idea folder.
 #.idea/
 .vercel
-website/pages/tools

bin/site.py

@@ -145,7 +145,7 @@ def clean_multiline(text):
 if __name__ == "__main__":
     parser = argparse.ArgumentParser(description="Generates LOLRMM site", epilog="This tool converts all LOLRMM YAMLs and builds the site with all the supporting components.")
     parser.add_argument("-p", "--path", required=False, default="yaml", help="path to LOLRMM yaml folder. Defaults to `yaml`")
-    parser.add_argument("-o", "--output", required=False, default="website", help="path to the output directory for the site, defaults to `lolrmm.io`")
+    parser.add_argument("-o", "--output", required=False, default="website", help="path to the output directory for the site, defaults to `website`")
     parser.add_argument("-v", "--verbose", required=False, default=False, action='store_true', help="prints verbose output")
 
     args = parser.parse_args()

website/pages/about.mdx

@@ -26,3 +26,14 @@ Currently, Jose Enrique Hernandez is the Director of Threat Research at Splunk.
 
 Currently, Nasreddine Bencherchali is a Threat Researcher at Nextron Systems, with a focus in Detection Engineering and Threat Hunting. Nasreddine is also currently one of the maintainers of the SIGMA project and the co-founder of the [EVTX-ETW-Resources project](https://github.com/nasbench/EVTX-ETW-Resources/), he also write a blog about [Detection and other security topics](https://nasbench.medium.com)
 
+# [Kostas](https://twitter.com/kostas)
+![kostas-headshot](/images/kostas-headshot.png)
+
+Kostas is a security researcher who tweets and follows topics related to Threat Intelligence, malware, Incident Response, and Threat Hunting. He is known for his contributions to various open-source security projects and is an active member of the cybersecurity community. Opinions are his own.
+
+# [Hare Sudhan](https://twitter.com/haresudhan)
+![hare-headshot](/images/hare-headshot.jpg)
+
+Hare Sudhan is a Senior Software/Security Engineer specializing in developing applications for Security Operations, Cyber Deception, and Adversary Emulation. He is passionate about contributing to open-source projects and is also one of the maintainers for the [Atomic Red Team](https://github.com/redcanaryco/atomic-red-team) project.
+
+

website/pages/tools/247ithelp.com__connectwise_.mdx

@@ -0,0 +1,52 @@
+---
+description = "247ithelp.com (ConnectWise) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available."
+title = "247ithelp.com (ConnectWise)"
+---
+
+
+import {Card, Badges, Details, PEMetadata, DiskArtifacts, EventLogTable, RegistryTable, OtherArtifactsTable, NetworkArtifactsTable} from "../../components/card";
+import {EuiSpacer} from "@elastic/eui"
+
+# 247ithelp.com (ConnectWise)
+
+247ithelp.com (ConnectWise) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.
+
+### Details
+<Details author={""}
+         category={""}
+         created={""}
+         website={""}
+         lastModified={"2/8/2024"}
+         privileges={""}
+         free={ "" }
+         verification={""}
+/>
+
+#### Installation Paths
+<Card code={ ["Remote Workforce Client.exe"] }/>
+
+
+
+
+
+### Forensic Artifacts
+
+
+
+
+#### Network Artifacts
+<EuiSpacer size="xl"/>
+<NetworkArtifactsTable data={ [{"Description": "Known remote domains", "Domains": ["*.247ithelp.com"], "Ports": []}] }/>
+
+
+
+
+### Detections
+- Detects potential network activity of 247ithelp.com (ConnectWise) RMM tool
+  - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/247ithelp.com__connectwise__network_sigma.yml)
+- Detects potential processes activity of 247ithelp.com (ConnectWise) RMM tool
+  - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/247ithelp.com__connectwise__processes_sigma.yml)
+
+### References
+- [Similar / replaced by ScreenConnect](Similar / replaced by ScreenConnect)
+

website/pages/tools/absolute__computrace_.mdx

@@ -0,0 +1,52 @@
+---
+description = "Absolute (Computrace) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available."
+title = "Absolute (Computrace)"
+---
+
+
+import {Card, Badges, Details, PEMetadata, DiskArtifacts, EventLogTable, RegistryTable, OtherArtifactsTable, NetworkArtifactsTable} from "../../components/card";
+import {EuiSpacer} from "@elastic/eui"
+
+# Absolute (Computrace)
+
+Absolute (Computrace) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.
+
+### Details
+<Details author={""}
+         category={""}
+         created={""}
+         website={""}
+         lastModified={"6/18/2024"}
+         privileges={""}
+         free={ "" }
+         verification={""}
+/>
+
+#### Installation Paths
+<Card code={ ["rpcnet.exe", "ctes.exe", "ctespersitence.exe", "cteshostsvc.exe", "rpcld.exe"] }/>
+
+
+
+
+
+### Forensic Artifacts
+
+
+
+
+#### Network Artifacts
+<EuiSpacer size="xl"/>
+<NetworkArtifactsTable data={ [{"Description": "Known remote domains", "Domains": ["*search.namequery.com", "*server.absolute.com"], "Ports": []}] }/>
+
+
+
+
+### Detections
+- Detects potential network activity of Absolute (Computrace) RMM tool
+  - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/absolute__computrace__network_sigma.yml)
+- Detects potential processes activity of Absolute (Computrace) RMM tool
+  - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/absolute__computrace__processes_sigma.yml)
+
+### References
+- [https://community.absolute.com/s/article/Understanding-Absolutes-Endpoint-Agents-Rpcnet-CTES-and-search-namequery-com](https://community.absolute.com/s/article/Understanding-Absolutes-Endpoint-Agents-Rpcnet-CTES-and-search-namequery-com)
+

website/pages/tools/access_remote_pc.mdx

@@ -0,0 +1,45 @@
+---
+description = "Access Remote PC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available."
+title = "Access Remote PC"
+---
+
+
+import {Card, Badges, Details, PEMetadata, DiskArtifacts, EventLogTable, RegistryTable, OtherArtifactsTable, NetworkArtifactsTable} from "../../components/card";
+import {EuiSpacer} from "@elastic/eui"
+
+# Access Remote PC
+
+Access Remote PC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.
+
+### Details
+<Details author={""}
+         category={""}
+         created={""}
+         website={""}
+         lastModified={"2/7/2024"}
+         privileges={""}
+         free={ "" }
+         verification={""}
+/>
+
+#### Installation Paths
+<Card code={ ["rpcgrab.exe", "rpcsetup.exe"] }/>
+
+
+
+
+
+### Forensic Artifacts
+
+
+
+
+
+
+
+
+### Detections
+- Detects potential processes activity of Access Remote PC RMM tool
+  - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/access_remote_pc_processes_sigma.yml)
+
+

website/pages/tools/acronic_cyber_protect__remotix_.mdx

@@ -0,0 +1,52 @@
+---
+description = "Acronic Cyber Protect (Remotix) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available."
+title = "Acronic Cyber Protect (Remotix)"
+---
+
+
+import {Card, Badges, Details, PEMetadata, DiskArtifacts, EventLogTable, RegistryTable, OtherArtifactsTable, NetworkArtifactsTable} from "../../components/card";
+import {EuiSpacer} from "@elastic/eui"
+
+# Acronic Cyber Protect (Remotix)
+
+Acronic Cyber Protect (Remotix) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.
+
+### Details
+<Details author={""}
+         category={""}
+         created={""}
+         website={""}
+         lastModified={"2/26/2024"}
+         privileges={""}
+         free={ "" }
+         verification={""}
+/>
+
+#### Installation Paths
+<Card code={ ["AcronisCyberProtectConnectQuickAssist*.exe", "AcronisCyberProtectConnectAgent.exe"] }/>
+
+
+
+
+
+### Forensic Artifacts
+
+
+
+
+#### Network Artifacts
+<EuiSpacer size="xl"/>
+<NetworkArtifactsTable data={ [{"Description": "Known remote domains", "Domains": ["cloud.acronis.com", "agents*-cloud.acronis.com", "gw.remotix.com", "connect.acronis.com"], "Ports": []}] }/>
+
+
+
+
+### Detections
+- Detects potential network activity of Acronic Cyber Protect (Remotix) RMM tool
+  - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/acronic_cyber_protect__remotix__network_sigma.yml)
+- Detects potential processes activity of Acronic Cyber Protect (Remotix) RMM tool
+  - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/acronic_cyber_protect__remotix__processes_sigma.yml)
+
+### References
+- [https://kb.acronis.com/content/47189](https://kb.acronis.com/content/47189)
+

website/pages/tools/action1.mdx

@@ -0,0 +1,78 @@
+---
+description = "Action1 is a powerful Remote Monitoring and Management(RMM) tool that enables users to execute commands, scripts, and binaries.  Through the web interface of action1, the administrator must create a new policy or an app to establish remote execution and then points that the agent is installed."
+title = "Action1"
+---
+
+
+import {Card, Badges, Details, PEMetadata, DiskArtifacts, EventLogTable, RegistryTable, OtherArtifactsTable, NetworkArtifactsTable} from "../../components/card";
+import {EuiSpacer} from "@elastic/eui"
+
+# Action1
+
+Action1 is a powerful Remote Monitoring and Management(RMM) tool that enables users to execute commands, scripts, and binaries. 
+Through the web interface of action1, the administrator must create a new policy or an app to establish remote execution and then points that the agent is installed.
+
+
+### Details
+<Details author={"@kostastsale"}
+         category={""}
+         created={"2024-08-03"}
+         website={"https://www.action1.com/"}
+         lastModified={"2024-08-03"}
+         privileges={"SYSTEM"}
+         free={ "Yes" }
+         verification={"Corporate email required although temporary email services are accepted"}
+/>
+
+#### Installation Paths
+<Card code={ ["C:\\Windows\\Action1\\*"] }/>
+
+#### Supported OS
+<Badges color="warning" badges={ ["Windows"] }/>
+
+#### Capabilities
+<Badges color="#FFA500" badges={ ["Backup and disaster recovery", "Billing and invoicing", "Customer portal", "HelpDesk and ticketing", "Mobile app", "Network discovery", "Patch management", "Remote monitoring and management", "Reporting and analytics"] }/>
+
+
+
+### Forensic Artifacts
+
+#### Disk Artifacts
+<EuiSpacer size="xl"/>
+<DiskArtifacts data={ [{"File": "C:\\Windows\\Action1\\action1_agent.exe", "Description": "Action1 service binary", "OS": "Windows"}, {"File": "C:\\Windows\\Action1\\*", "Description": "Multiple files and binaries related to Action1 installation", "OS": "Windows"}, {"File": "C:\\Windows\\Action1\\scripts\\*", "Description": "Multiple scripts related to Action1 installation", "OS": "Windows"}, {"File": "C:\\Windows\\Action1\\rule_data\\*", "Description": "Files related to Action1 rules", "OS": "Windows"}, {"File": "C:\\Windows\\Action1\\action1_log_*.log", "Description": "Contains history, errors, system notifications. Incoming and outgoing connections.", "OS": "Windows"}] }/>
+
+#### Event Log Artifacts
+<EuiSpacer size="xl"/>
+<EventLogTable data={ [{"EventID": 7045, "ProviderName": "Service Control Manager", "LogFile": "System.evtx", "ServiceName": "Action1 Agent", "ImagePath": "\"C:\\\\Windows\\\\Action1\\\\action1_agent.exe\"", "Description": "Service installation event as result of Action1 installation."}, {"EventID": 4688, "ProviderName": "Microsoft-Security-Auditing", "LogFile": "Security.evtx", "CommandLine": "C:\\Windows\\Action1\\action1_agent.exe service", "Description": "Service installation event as result of Action1 installation."}, {"EventID": 4688, "ProviderName": "Microsoft-Security-Auditing", "LogFile": "Security.evtx", "CommandLine": "C:\\Windows\\Action1\\action1_agent.exe loggedonuser", "Description": "Executing command to get logged on user."}] }/>
+
+#### Registry Artifacts
+<EuiSpacer size="xl"/>
+<RegistryTable data={ [{"Path": "HKLM\\System\\CurrentControlSet\\Services\\A1Agent", "Description": "Service installation event as result of Action1 installation."}, {"Path": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\action1_agent.exe", "Description": "Ensures that detailed crash information is available for analysis, which aids in maintaining the stability and reliability of the software."}, {"Path": "HKLM\\SOFTWARE\\WOW6432Node\\Action1", "Description": "Storing its configuration settings and other relevant information"}] }/>
+
+#### Network Artifacts
+<EuiSpacer size="xl"/>
+<NetworkArtifactsTable data={ [{"Description": "N/A", "Domains": ["*.action1.com"], "Ports": [443]}, {"Description": "N/A", "Domains": ["a1-backend-packages.s3.amazonaws.com"], "Ports": [443]}] }/>
+
+
+
+
+### Detections
+- Threat hunting rule for detecting the execution of arbitrary code and remote sessions via Action1 RMM
+  - **Arbitrary code execution and remote sessions via Action1 RMM**
+  - Author: @kostastsale
+  - [Additional Information](https://github.com/tsale/Sigma_rules/blob/ea87e4fc851207ca0f002ec043624f2b3bf1b2da/Threat%20Hunting%20Queries/Action1_RMM.yml)
+- Detects potential registry activity of Action1 RMM tool
+  - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_registry_sigma.yml)
+- Detects potential network activity of Action1 RMM tool
+  - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_network_sigma.yml)
+- Detects potential files activity of Action1 RMM tool
+  - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_files_sigma.yml)
+
+### References
+- [https://www.action1.com/documentation/firewall-configuration/](https://www.action1.com/documentation/firewall-configuration/)
+- [https://www.action1.com/documentation/](https://www.action1.com/documentation/)
+- [https://twitter.com/Kostastsale/status/1646256901506605063?s=20](https://twitter.com/Kostastsale/status/1646256901506605063?s=20)
+- [https://ruler-project.github.io/ruler-project/RULER/remote/Action1/](https://ruler-project.github.io/ruler-project/RULER/remote/Action1/)
+
+### Acknowledgements
+- Kostas (@kostastsale)

website/pages/tools/addigy.mdx

@@ -0,0 +1,50 @@
+---
+description = "Addigy is a remote monitoring and management (RMM) tool. More information will be added as it becomes available."
+title = "Addigy"
+---
+
+
+import {Card, Badges, Details, PEMetadata, DiskArtifacts, EventLogTable, RegistryTable, OtherArtifactsTable, NetworkArtifactsTable} from "../../components/card";
+import {EuiSpacer} from "@elastic/eui"
+
+# Addigy
+
+Addigy is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.
+
+### Details
+<Details author={""}
+         category={""}
+         created={""}
+         website={""}
+         lastModified={"2/27/2024"}
+         privileges={""}
+         free={ "" }
+         verification={""}
+/>
+
+#### Installation Paths
+<Card code={ ["addigy-*.pkg"] }/>
+
+
+
+
+
+### Forensic Artifacts
+
+
+
+
+#### Network Artifacts
+<EuiSpacer size="xl"/>
+<NetworkArtifactsTable data={ [{"Description": "Known remote domains", "Domains": ["prod.addigy.com", "grtmprod.addigy.com", "agents.addigy.com"], "Ports": []}] }/>
+
+
+
+
+### Detections
+- Detects potential network activity of Addigy RMM tool
+  - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/addigy_network_sigma.yml)
+
+### References
+- [https://addigy.com/](https://addigy.com/)
+