diff --git a/bin/jinja2_templates/rmm.md.j2 b/bin/jinja2_templates/rmm.md.j2 index 2d492315..6c9f05e1 100644 --- a/bin/jinja2_templates/rmm.md.j2 +++ b/bin/jinja2_templates/rmm.md.j2 @@ -42,32 +42,14 @@ displayTitle = "{{ rmm.Name }}" {% if rmm.Details.PEMetadata %} #### PE Metadata {% if rmm.Details.PEMetadata is mapping %} -{% if rmm.Details.PEMetadata.Filename %} -- **Filename**: {{ rmm.Details.PEMetadata.Filename }} -{% endif %} -{% if rmm.Details.PEMetadata.OriginalFileName %} -- **Original File Name**: {{ rmm.Details.PEMetadata.OriginalFileName }} -{% endif %} -{% if rmm.Details.PEMetadata.Description %} -- **Description**: {{ rmm.Details.PEMetadata.Description }} -{% endif %} -{% if rmm.Details.PEMetadata.Product %} -- **Product**: {{ rmm.Details.PEMetadata.Product }} -{% endif %} +{% for key, value in rmm.Details.PEMetadata.items() %} +- **{{ key }}**: {{ value }} +{% endfor %} {% else %} {% for item in rmm.Details.PEMetadata %} -{% if item.Filename %} -- **Filename**: {{ item.Filename }} -{% endif %} -{% if item.OriginalFileName %} -- **Original File Name**: {{ item.OriginalFileName }} -{% endif %} -{% if item.Description %} -- **Description**: {{ item.Description }} -{% endif %} -{% if item.Product %} -- **Product**: {{ item.Product }} -{% endif %} +{% for key, value in item.items() %} +- **{{ key }}**: {{ value }} +{% endfor %} {% endfor %} {% endif %} {% endif %} @@ -118,25 +100,20 @@ displayTitle = "{{ rmm.Name }}" {% if rmm.Artifacts.Disk %} #### Disk Artifacts - {% for artifact in rmm.Artifacts.Disk %} - **File**: `{{ artifact.File }}` - - {% if artifact.Description %} +{% if artifact.Description %} **Description**: {{ artifact.Description }} - {% endif %} - - {% if artifact.Example %} +{% endif %} +{% if artifact.Example %} **Example**: ``` {{ artifact.Example }} ``` - {% endif %} - - {% if artifact.OS %} +{% endif %} +{% if artifact.OS %} **OS**: {{ artifact.OS }} - {% endif %} - +{% endif %} {% endfor %} {% endif %} 
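Review bot: The new `{% for key, value in rmm.Details.PEMetadata.items() %}` loop renders every key, including ones whose value is empty or None, which the per-field `{% if %}` guards it replaces used to suppress, so an entry with a missing field now prints a line like `- **Filename**: None`; the same applies to the Event Log loop in the next hunk (`{% for key, value in artifact.items() %}`). Keeping the guard is one line: `{% for key, value in rmm.Details.PEMetadata.items() if value %}`. The list branch also now calls `item.items()` unconditionally, so a non-mapping entry in that list would presumably raise an undefined error where the old attribute lookups rendered nothing; an `{% if item is mapping %}` check mirrors the test the outer block already makes. The raw key names (`OriginalFileName`) also replace the human-readable labels the removed lines carried.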
@@ -144,27 +121,9 @@ displayTitle = "{{ rmm.Name }}" #### Event Log Artifacts {% for artifact in rmm.Artifacts.EventLog %} - Event Details: - {% if artifact.EventID %} - - **Event ID**: {{ artifact.EventID }} - {% endif %} - {% if artifact.ProviderName %} - - **Provider Name**: {{ artifact.ProviderName }} - {% endif %} - {% if artifact.LogFile %} - - **Log File**: {{ artifact.LogFile }} - {% endif %} - {% if artifact.ServiceName %} - - **Service Name**: {{ artifact.ServiceName }} - {% endif %} - {% if artifact.ImagePath %} - - **Image Path**: {{ artifact.ImagePath }} - {% endif %} - {% if artifact.Description %} - - **Description**: {{ artifact.Description }} - {% endif %} - {% if artifact.CommandLine %} - - **Command Line**: {{ artifact.CommandLine }} - {% endif %} +{% for key, value in artifact.items() %} + - **{{ key }}**: {{ value }} +{% endfor %} {% endfor %} {% endif %} @@ -172,34 +131,28 @@ displayTitle = "{{ rmm.Name }}" #### Registry Artifacts {% for artifact in rmm.Artifacts.Registry %} - **Path**: `{{ artifact.Path }}` - {% if artifact.Description %} +{% if artifact.Description %} **Description**: {{ artifact.Description }} - {% endif %} - +{% endif %} {% endfor %} {% endif %} {% if rmm.Artifacts.Network %} #### Network Artifacts - {% for artifact in rmm.Artifacts.Network %} - {% if artifact.Description %}**Description**: {{ artifact.Description }}{% endif %} - - {% if artifact.Domains %} - +{% if artifact.Domains %} **Domains**: - {% for domain in artifact.Domains %} +{% for domain in artifact.Domains %} - `{{ domain }}` - {% endfor %} - {% endif %} - - {% if artifact.Ports %} +{% endfor %} +{% endif %} +{% if artifact.Ports %} **Ports**: - {% for port in artifact.Ports %} +{% for port in artifact.Ports %} - `{{ port }}` - {% endfor %} - {% endif %} - +{% endfor %} +{% endif %} {% endfor %} {% endif %} 
@@ -207,11 +160,9 @@ displayTitle = "{{ rmm.Name }}" #### Other Artifacts {% for artifact in rmm.Artifacts.Other %} - {% if artifact.Type %}**Type**: {{ artifact.Type }}{% endif %} - - {% if artifact.Value %} - +{% if artifact.Value %} **Value**: {{ artifact.Value }} - {% endif %} +{% endif %} {% endfor %} {% endif %} {% endif %} @@ -219,24 +170,19 @@ displayTitle = "{{ rmm.Name }}" {% if rmm.Detections %} ### Detections {% for detection in rmm.Detections %} -- {% if detection.Sigma %} - [Sigma rule]({{ detection.Sigma }}) - {% elif detection.Name %} - **{{ detection.Name }}** - {% endif %} - - {% if detection.Description %} - {{ detection.Description }} - {% endif %} - - {% if detection.author %} - (Author: {{ detection.author }}) - {% endif %} - - {% if detection.Link %} - [Link]({{ detection.Link }}) - {% endif %} - +- {{ detection.Description }} +{% if detection.Sigma %} + - [Sigma Rule]({{ detection.Sigma }}) +{% endif %} +{% if detection.Name %} + - **{{ detection.Name }}** +{% endif %} +{% if detection.author %} + - Author: {{ detection.author }} +{% endif %} +{% if detection.Link %} + - [Additional Information]({{ detection.Link }}) +{% endif %} {% endfor %} {% endif %} diff --git a/bin/sigma-gen.py b/bin/sigma-gen.py index 2acc0619..c31818eb 100644 --- a/bin/sigma-gen.py +++ b/bin/sigma-gen.py @@ -37,7 +37,7 @@ def extract_artifacts(yaml_data: Dict[str, Any]) -> Dict[str, List[str]]: return artifacts -def generate_sigma_rules(yaml_file: str, output_dir: str) -> None: +def generate_sigma_rules(yaml_file: str, output_dir: str) -> List[Dict[str, Any]]: with open(yaml_file, 'r') as f: data = yaml.safe_load(f) 
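Review bot: The `**Type**` line is deleted with no replacement, so `artifact.Type` is no longer rendered for Other artifacts while `Value` keeps its guard; unless Type is shown somewhere outside this hunk, the loop should keep `{% if artifact.Type %}**Type**: {{ artifact.Type }}{% endif %}` next to the Value block. Dropping it silently is only fine if Type has been folded into the Value text elsewhere, which the diff does not show.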
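Review bot: `- {{ detection.Description }}` is now emitted unconditionally, so a detection without a Description yields an empty bullet `- ` followed by its indented sub-items, whereas the replaced lines used the Sigma link or the Name as the bullet text. A fallback keeps the bullet meaningful: `- {{ detection.Description | default(detection.Name, true) }}`. The generated entries from sigma-gen.py always carry a Description, so this only shows up for hand-written detections.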
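Review bot: `generate_sigma_rules` still has no docstring, and its new return value is the only contract `update_yaml_with_sigma_rules` relies on, so the list-of-dicts shape should be stated on the function: a docstring saying it writes one Sigma file per artifact type into `output_dir` and returns the Detections entries (`Sigma` URL and `Description`) for those files. The body of the function continues past this hunk.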
@@ -88,20 +88,38 @@ def generate_sigma_rules(yaml_file: str, output_dir: str) -> None: } } - # Ensure no extra nesting for any artifact type detection_key = list(rule_template["detection"]["selection"].keys())[0] rule["detection"]["selection"][detection_key] = artifacts[artifact_type] safe_name = name.lower().replace(' ', '_').replace('(', '_').replace(')', '_') - output_file = os.path.join(output_dir, f"{safe_name}_{artifact_type}_sigma.yml") - with open(output_file, 'w') as f: + output_file = f"{safe_name}_{artifact_type}_sigma.yml" + full_output_path = os.path.join(output_dir, output_file) + with open(full_output_path, 'w') as f: yaml.dump(rule, f, sort_keys=False) - generated_rules.append(artifact_type) + + github_url = f"https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/{output_file}" + generated_rules.append({ + "Sigma": github_url, + "Description": f"Detects potential {artifact_type} activity of {name} RMM tool" + }) + + return generated_rules + +def update_yaml_with_sigma_rules(yaml_file: str, sigma_rules: List[Dict[str, Any]]) -> None: + with open(yaml_file, 'r') as f: + data = yaml.safe_load(f) + + if 'Detections' not in data: + data['Detections'] = [] + + # Remove existing generated rules + data['Detections'] = [rule for rule in data['Detections'] if not rule.get('Sigma', '').startswith('https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/')] + + # Add new generated rules + data['Detections'].extend(sigma_rules) - if generated_rules: - print(f"Generated {', '.join(generated_rules)} rules for {name}") - else: - print(f"No artifacts found for {name}") + with open(yaml_file, 'w') as f: + yaml.dump(data, f, sort_keys=False) def main() -> None: yaml_dir = 'yaml/' 
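Review bot: `update_yaml_with_sigma_rules` raises on inputs a hand-maintained `yaml/` tree can contain: `yaml.safe_load` returns None for an empty file, so `'Detections' not in data` is a TypeError, and an entry with `Sigma: null` or a non-mapping entry makes `rule.get('Sigma', '').startswith(...)` an AttributeError instead of being kept. The GitHub prefix is also spelled twice, once in `github_url` and once in the filter, so if one is edited the other silently stops matching and old generated entries accumulate as duplicates on every run. `safe_name` only rewrites spaces and parentheses before the name becomes part of the output path, so restricting it to a `[A-Za-z0-9_.-]` alphabet would keep the file location independent of whatever `name` contains. The rewrite below hoists the prefix into a constant and makes the filter tolerant of those entries.
```python
# Shared with generate_sigma_rules so the filter below cannot drift from the URLs it writes.
GENERATED_SIGMA_PREFIX = "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/"

# … unchanged: generate_sigma_rules up to the yaml.dump of the rule …
        github_url = f"{GENERATED_SIGMA_PREFIX}{output_file}"
# … unchanged: generated_rules.append(...) and return generated_rules …


def _is_generated_rule(rule: Any) -> bool:
    """True for a Detections entry this script produced (a mapping whose Sigma URL has our prefix)."""
    if not isinstance(rule, dict):
        return False
    return str(rule.get('Sigma') or '').startswith(GENERATED_SIGMA_PREFIX)


def update_yaml_with_sigma_rules(yaml_file: str, sigma_rules: List[Dict[str, Any]]) -> None:
    """Replace the generated Sigma entries in yaml_file's Detections with sigma_rules, keeping hand-written ones."""
    with open(yaml_file, 'r') as f:
        data = yaml.safe_load(f) or {}  # an empty file loads as None

    existing = data.get('Detections') or []
    data['Detections'] = [rule for rule in existing if not _is_generated_rule(rule)] + list(sigma_rules)

    with open(yaml_file, 'w') as f:
        yaml.dump(data, f, sort_keys=False)
```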
@@ -111,9 +129,10 @@ def main() -> None: for filename in os.listdir(yaml_dir): if filename.endswith('.yaml'): yaml_file = os.path.join(yaml_dir, filename) - generate_sigma_rules(yaml_file, output_dir) + sigma_rules = generate_sigma_rules(yaml_file, output_dir) + update_yaml_with_sigma_rules(yaml_file, sigma_rules) - print(f"[+] Sigma rule generation complete. Files saved in {output_dir}") + print(f"[+] Sigma rule generation and YAML update complete. Files saved in {output_dir}") if __name__ == "__main__": main() \ No newline at end of file diff --git a/detections/sigma/247ithelp.com__connectwise__network_sigma.yml b/detections/sigma/247ithelp.com__connectwise__network_sigma.yml index 83067072..390b5636 100644 --- a/detections/sigma/247ithelp.com__connectwise__network_sigma.yml +++ b/detections/sigma/247ithelp.com__connectwise__network_sigma.yml @@ -7,12 +7,12 @@ detection: DestinationHostname|endswith: - '*.247ithelp.com' condition: selection -id: 57990b21-dfbc-4656-a748-8b4aa4571715 +id: 8248627a-264d-423c-b684-f96a5792a332 status: experimental description: Detects potential network activity of 247ithelp.com (ConnectWise) RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/247ithelp.com__connectwise__processes_sigma.yml b/detections/sigma/247ithelp.com__connectwise__processes_sigma.yml index 497e4e98..036ab9d6 100644 --- a/detections/sigma/247ithelp.com__connectwise__processes_sigma.yml +++ b/detections/sigma/247ithelp.com__connectwise__processes_sigma.yml @@ -7,12 +7,12 @@ detection: ParentImage|endswith: - Remote Workforce Client.exe condition: selection -id: 9d28ac14-bd59-4b6c-b9e6-0b9f99b1c67a +id: a2f54c3b-da16-46a2-b437-201b65a53500 status: experimental description: Detects potential processes activity of 247ithelp.com (ConnectWise) RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 
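Review bot: `update_yaml_with_sigma_rules` now runs for every `.yaml` file on every invocation, and because it re-serializes the whole document with `yaml.dump`, any comments, quoting and key layout in the hand-maintained `yaml/` files are discarded even when the Detections list did not change. Comparing the Detections list read from the file with the filtered-plus-new list and skipping the write when they are equal would make a rerun a no-op for unchanged entries. The wholesale `id` and `date` churn across `detections/sigma/` in this same diff suggests the rule identity is also regenerated on each run; that assignment is outside this hunk, but a deterministic id (for example `uuid.uuid5` over the output file name) with a date set only when a rule is first created would keep ids stable for the SIEM content that keys on them.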
diff --git a/detections/sigma/absolute__computrace__network_sigma.yml b/detections/sigma/absolute__computrace__network_sigma.yml
index 0265b955..35ff2bbc 100644
--- a/detections/sigma/absolute__computrace__network_sigma.yml
+++ b/detections/sigma/absolute__computrace__network_sigma.yml
@@ -8,11 +8,11 @@ detection:
 - '*search.namequery.com'
 - '*server.absolute.com'
 condition: selection
-id: bedff294-81de-4490-af18-aa114edbe484
+id: 4b510fc9-5a6e-4cdd-955a-6398c8710ee4
 status: experimental
 description: Detects potential network activity of Absolute (Computrace) RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/absolute__computrace__processes_sigma.yml b/detections/sigma/absolute__computrace__processes_sigma.yml
index 79fa7cb9..866404bb 100644
--- a/detections/sigma/absolute__computrace__processes_sigma.yml
+++ b/detections/sigma/absolute__computrace__processes_sigma.yml
@@ -11,11 +11,11 @@ detection:
 - cteshostsvc.exe
 - rpcld.exe
 condition: selection
-id: e94edb5c-0b99-449a-be7a-d92c8a39f723
+id: f263b53c-1907-43ec-b69a-d81d3abeeb7e
 status: experimental
 description: Detects potential processes activity of Absolute (Computrace) RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/access_remote_pc_processes_sigma.yml b/detections/sigma/access_remote_pc_processes_sigma.yml
index 9f3c0a77..935194e8 100644
--- a/detections/sigma/access_remote_pc_processes_sigma.yml
+++ b/detections/sigma/access_remote_pc_processes_sigma.yml
@@ -8,11 +8,11 @@ detection:
 - rpcgrab.exe
 - rpcsetup.exe
 condition: selection
-id: 5154923f-ee36-46a8-b2e8-2b6ccfcf1fb2
+id: cc09bf82-5dfe-464a-b6e5-14375fe84de5
 status: experimental
 description: Detects potential processes activity of Access Remote PC RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/acronic_cyber_protect__remotix__network_sigma.yml b/detections/sigma/acronic_cyber_protect__remotix__network_sigma.yml index 1011077f..428f8726 100644 --- a/detections/sigma/acronic_cyber_protect__remotix__network_sigma.yml +++ b/detections/sigma/acronic_cyber_protect__remotix__network_sigma.yml @@ -10,12 +10,12 @@ detection: - gw.remotix.com - connect.acronis.com condition: selection -id: 0762ba65-8a6c-4986-8b73-fab8e6262f30 +id: a7ed0eb9-3d99-47ee-a335-3162430f519c status: experimental description: Detects potential network activity of Acronic Cyber Protect (Remotix) RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/acronic_cyber_protect__remotix__processes_sigma.yml b/detections/sigma/acronic_cyber_protect__remotix__processes_sigma.yml index eafa86e1..8be4e4b0 100644 --- a/detections/sigma/acronic_cyber_protect__remotix__processes_sigma.yml +++ b/detections/sigma/acronic_cyber_protect__remotix__processes_sigma.yml @@ -8,12 +8,12 @@ detection: - AcronisCyberProtectConnectQuickAssist*.exe - AcronisCyberProtectConnectAgent.exe condition: selection -id: 1ccea099-1537-4dce-b40f-255383c63f49 +id: 9b9647ab-97cc-4c7c-8540-5c1c1c8000c4 status: experimental description: Detects potential processes activity of Acronic Cyber Protect (Remotix) RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/action1_files_sigma.yml b/detections/sigma/action1_files_sigma.yml index 3def3fdd..e814361e 100644 --- a/detections/sigma/action1_files_sigma.yml +++ b/detections/sigma/action1_files_sigma.yml 
@@ -11,11 +11,11 @@ detection:
 - C:\Windows\Action1\rule_data\*
 - C:\Windows\Action1\action1_log_*.log
 condition: selection
-id: 7f4622a9-403e-4155-8b29-d7cc1eb8e34e
+id: 9a267345-afb8-48be-b718-575be9603f4c
 status: experimental
 description: Detects potential files activity of Action1 RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/action1_network_sigma.yml b/detections/sigma/action1_network_sigma.yml
index bdcfd38f..6624ee67 100644
--- a/detections/sigma/action1_network_sigma.yml
+++ b/detections/sigma/action1_network_sigma.yml
@@ -8,11 +8,11 @@ detection:
 - '*.action1.com'
 - a1-backend-packages.s3.amazonaws.com
 condition: selection
-id: 7c145727-9616-4cce-bb6a-465c287b93d1
+id: 5a513b93-4825-4b09-b50a-e073e390bc96
 status: experimental
 description: Detects potential network activity of Action1 RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/action1_registry_sigma.yml b/detections/sigma/action1_registry_sigma.yml
index 98781ae3..5a9df040 100644
--- a/detections/sigma/action1_registry_sigma.yml
+++ b/detections/sigma/action1_registry_sigma.yml
@@ -9,11 +9,11 @@ detection:
 - HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\Windows Error Reporting\LocalDumps\action1_agent.exe
 - HKLM\SOFTWARE\WOW6432Node\Action1
 condition: selection
-id: 80c27704-debd-4f21-a1b5-5bce294e86cd
+id: 178e38f0-33b9-4ff3-a3a5-62cbb073bc45
 status: experimental
 description: Detects potential registry activity of Action1 RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/addigy_network_sigma.yml b/detections/sigma/addigy_network_sigma.yml
index 05a5f29c..4ad31bfd 100644
--- a/detections/sigma/addigy_network_sigma.yml
+++ b/detections/sigma/addigy_network_sigma.yml
@@ -9,11 +9,11 @@ detection:
 - grtmprod.addigy.com
 - agents.addigy.com
 condition: selection
-id: b39c54d4-3f43-4d4b-ba03-fbed9889bf91
+id: a2f984b5-66c3-4d80-bd47-08394e0c3939
 status: experimental
 description: Detects potential network activity of Addigy RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/adobe_connect_network_sigma.yml b/detections/sigma/adobe_connect_network_sigma.yml
index fdd1db50..84dfcb6d 100644
--- a/detections/sigma/adobe_connect_network_sigma.yml
+++ b/detections/sigma/adobe_connect_network_sigma.yml
@@ -7,11 +7,11 @@ detection:
 DestinationHostname|endswith:
 - '*.adobeconnect.com'
 condition: selection
-id: d1876275-98e9-4737-8640-5d1f0b40e6cc
+id: dac102d1-aa4b-43ca-b6e4-872deb21629f
 status: experimental
 description: Detects potential network activity of Adobe Connect RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/adobe_connect_processes_sigma.yml b/detections/sigma/adobe_connect_processes_sigma.yml
index ab0a76b5..7a07ab23 100644
--- a/detections/sigma/adobe_connect_processes_sigma.yml
+++ b/detections/sigma/adobe_connect_processes_sigma.yml
@@ -10,11 +10,11 @@ detection:
 - Connect.exe
 - ConnectDetector.exe
 condition: selection
-id: f9bdaaec-db0e-4e06-ae3e-c06726d86a4d
+id: 4c9bea1b-36b4-40f8-b112-7a1db2dbf9ed
 status: experimental
 description: Detects potential processes activity of Adobe Connect RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/aeroadmin_network_sigma.yml b/detections/sigma/aeroadmin_network_sigma.yml
index 8e61079d..3f44991d 100644
--- a/detections/sigma/aeroadmin_network_sigma.yml
+++ b/detections/sigma/aeroadmin_network_sigma.yml
@@ -8,11 +8,11 @@ detection:
 - auth*.aeroadmin.com
 - aeroadmin.com
 condition: selection
-id: 4b3f3c88-3441-4185-80c3-6c2bc5395e0a
+id: bc4aa1a5-b066-4d36-baa1-fce0df698f6b
 status: experimental
 description: Detects potential network activity of AeroAdmin RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/aeroadmin_processes_sigma.yml b/detections/sigma/aeroadmin_processes_sigma.yml
index 02add132..0ab51966 100644
--- a/detections/sigma/aeroadmin_processes_sigma.yml
+++ b/detections/sigma/aeroadmin_processes_sigma.yml
@@ -8,11 +8,11 @@ detection:
 - aeroadmin.exe
 - AeroAdmin.exe
 condition: selection
-id: fe8a24ef-0c43-4310-bf6c-a57531759392
+id: bc9952c3-2d21-418e-9eed-a1d0450ee0c1
 status: experimental
 description: Detects potential processes activity of AeroAdmin RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/air_explorer_processes_sigma.yml b/detections/sigma/air_explorer_processes_sigma.yml
index 676a6850..bdefac7d 100644
--- a/detections/sigma/air_explorer_processes_sigma.yml
+++ b/detections/sigma/air_explorer_processes_sigma.yml
@@ -7,11 +7,11 @@ detection:
 ParentImage|endswith:
 - '*\airexplorer.exe'
 condition: selection
-id: 11506d38-e49f-4f4f-8ba4-4254b051fe06
+id: 24bbfdf2-d188-4297-9d25-d1cc73dd2a38
 status: experimental
 description: Detects potential processes activity of Air Explorer RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/air_live_drive_processes_sigma.yml b/detections/sigma/air_live_drive_processes_sigma.yml
index fe8a35c0..fce21f80 100644
--- a/detections/sigma/air_live_drive_processes_sigma.yml
+++ b/detections/sigma/air_live_drive_processes_sigma.yml
@@ -7,11 +7,11 @@ detection: ParentImage|endswith: - '*\AirLiveDrive.exe' condition: selection -id: 7dcb62ad-49e2-4133-abc7-d9b5da88b9d0 +id: a77cc3b0-d89a-4f23-aea9-e960e3f56515 status: experimental description: Detects potential processes activity of Air Live Drive RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/aliwangwang-remote-control_network_sigma.yml b/detections/sigma/aliwangwang-remote-control_network_sigma.yml index b44a2397..7956aeb4 100644 --- a/detections/sigma/aliwangwang-remote-control_network_sigma.yml +++ b/detections/sigma/aliwangwang-remote-control_network_sigma.yml @@ -7,12 +7,12 @@ detection: DestinationHostname|endswith: - wangwang.taobao.com condition: selection -id: e3bce37d-bf78-414d-8a57-aff0725f1c24 +id: b1ee1673-0951-4e30-b8a8-8843d5dcd9bc status: experimental description: Detects potential network activity of AliWangWang-remote-control RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/aliwangwang-remote-control_processes_sigma.yml b/detections/sigma/aliwangwang-remote-control_processes_sigma.yml index 035bb3e0..8bf09727 100644 --- a/detections/sigma/aliwangwang-remote-control_processes_sigma.yml +++ b/detections/sigma/aliwangwang-remote-control_processes_sigma.yml @@ -7,12 +7,12 @@ detection: ParentImage|endswith: - alitask.exe condition: selection -id: bcf0c5a7-d413-4b01-b54a-9df9f4f42e14 +id: bda23e7b-9c5e-441b-b9bf-e30906c7cc3d status: experimental description: Detects potential processes activity of AliWangWang-remote-control RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/alpemix_files_sigma.yml b/detections/sigma/alpemix_files_sigma.yml index ee410408..61bd4216 100644 --- a/detections/sigma/alpemix_files_sigma.yml +++ b/detections/sigma/alpemix_files_sigma.yml 
@@ -7,11 +7,11 @@ detection:
 TargetFilename|endswith:
 - '%localappdata%\Alpemix\Alpemix.ini'
 condition: selection
-id: 12145296-1bca-4c10-bb86-667c78108a50
+id: 6737b828-5c7c-4341-b016-0f6b56c24dd5
 status: experimental
 description: Detects potential files activity of Alpemix RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/alpemix_network_sigma.yml b/detections/sigma/alpemix_network_sigma.yml
index d272ef45..fc977602 100644
--- a/detections/sigma/alpemix_network_sigma.yml
+++ b/detections/sigma/alpemix_network_sigma.yml
@@ -8,11 +8,11 @@ detection:
 - '*.alpemix.com'
 - '*.teknopars.com'
 condition: selection
-id: 205f5861-65df-4f9f-b51d-81f499b6b934
+id: 3de99ba1-bfc3-4569-a352-0f1b1b455a78
 status: experimental
 description: Detects potential network activity of Alpemix RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/alpemix_processes_sigma.yml b/detections/sigma/alpemix_processes_sigma.yml
index 09682aec..91fc22d8 100644
--- a/detections/sigma/alpemix_processes_sigma.yml
+++ b/detections/sigma/alpemix_processes_sigma.yml
@@ -7,11 +7,11 @@ detection:
 ParentImage|endswith:
 - C:\AlpemixService.exe
 condition: selection
-id: 7aa2d498-c192-48d2-942a-fddaebf2e1a6
+id: 36f4abfb-41ad-41eb-a463-d928daef3de3
 status: experimental
 description: Detects potential processes activity of Alpemix RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/alpemix_registry_sigma.yml b/detections/sigma/alpemix_registry_sigma.yml
index 3ca73168..4b298a6c 100644
--- a/detections/sigma/alpemix_registry_sigma.yml
+++ b/detections/sigma/alpemix_registry_sigma.yml
@@ -7,11 +7,11 @@ detection:
 TargetObject|contains:
 - HKLM\SYSTEM\CurrentControlSet\Services\AlpemixSrvcx
 condition: selection
-id: a39d804f-6af1-463a-8a16-403e8245c8bb
+id: 69e8d2cb-44e6-478e-9fc5-73daa1bb78c2
 status: experimental
 description: Detects potential registry activity of Alpemix RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/amazon__cloud__drive_processes_sigma.yml b/detections/sigma/amazon__cloud__drive_processes_sigma.yml
index ed708c4d..65081dd8 100644
--- a/detections/sigma/amazon__cloud__drive_processes_sigma.yml
+++ b/detections/sigma/amazon__cloud__drive_processes_sigma.yml
@@ -7,11 +7,11 @@ detection:
 ParentImage|endswith:
 - '*\AmazonCloudDrive.exe'
 condition: selection
-id: 41013154-16de-4a75-8b41-1aa4a350b15a
+id: 786546bb-4108-481e-9309-a498b49009bf
 status: experimental
 description: Detects potential processes activity of Amazon (Cloud) Drive RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/any_support_network_sigma.yml b/detections/sigma/any_support_network_sigma.yml
index 6b66f057..1aa367cf 100644
--- a/detections/sigma/any_support_network_sigma.yml
+++ b/detections/sigma/any_support_network_sigma.yml
@@ -7,11 +7,11 @@ detection:
 DestinationHostname|endswith:
 - '*.anysupport.net'
 condition: selection
-id: 4d5213bc-ab32-4b51-9d17-596bc51b3ef4
+id: 734b4e22-2195-4355-8a09-d6a2ef3ea908
 status: experimental
 description: Detects potential network activity of Any Support RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/any_support_processes_sigma.yml b/detections/sigma/any_support_processes_sigma.yml
index 08d22956..51a363e5 100644
--- a/detections/sigma/any_support_processes_sigma.yml
+++ b/detections/sigma/any_support_processes_sigma.yml
@@ -7,11 +7,11 @@ detection:
 ParentImage|endswith:
 - ManualLauncher.exe
 condition: selection
-id: d3801f7a-fe49-4374-8618-318f347e61a0
+id: 9a46a911-07de-4a3e-9bd9-4a47a0e015c4
 status: experimental
 description: Detects potential processes activity of Any Support RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/anydesk_files_sigma.yml b/detections/sigma/anydesk_files_sigma.yml
index 11c0e66e..af2c7101 100644
--- a/detections/sigma/anydesk_files_sigma.yml
+++ b/detections/sigma/anydesk_files_sigma.yml
@@ -22,11 +22,11 @@ detection:
 - ~/Library/Application Support/AnyDesk/Logs/
 - ~/.config/AnyDesk/Logs/
 condition: selection
-id: 62f2cf67-0469-4f9c-be66-10401ed65dfa
+id: 20ebd46b-44ea-4679-9563-ca9b6b4d75e0
 status: experimental
 description: Detects potential files activity of AnyDesk RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/anydesk_network_sigma.yml b/detections/sigma/anydesk_network_sigma.yml
index 7820ac89..b1b320df 100644
--- a/detections/sigma/anydesk_network_sigma.yml
+++ b/detections/sigma/anydesk_network_sigma.yml
@@ -9,11 +9,11 @@ detection:
 - relay-[a-f0-9]{8}.net.anydesk.com:443
 - '*.anydesk.com'
 condition: selection
-id: d11aa4a1-e631-41bd-99a8-3d3aae7d100a
+id: bf3b1c02-8383-40df-8f5b-14e4a1e4fafe
 status: experimental
 description: Detects potential network activity of AnyDesk RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/anydesk_registry_sigma.yml b/detections/sigma/anydesk_registry_sigma.yml
index fa51f574..51c578ef 100644
--- a/detections/sigma/anydesk_registry_sigma.yml
+++ b/detections/sigma/anydesk_registry_sigma.yml
@@ -14,11 +14,11 @@ detection:
 - HKLM\DRIVERS\DriverDatabase\DeviceIds\WSDPRINT\AnyDesk
 - HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AnyDesk
 condition: selection
-id: 7a8349c5-b95d-4933-afb1-d744570bbb52
+id: cd914a84-51f3-4342-be98-4e5bc1b7a55e
 status: experimental
 description: Detects potential registry activity of AnyDesk RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/anyplace_control_network_sigma.yml b/detections/sigma/anyplace_control_network_sigma.yml
index 92ffd676..6dcbcc53 100644
--- a/detections/sigma/anyplace_control_network_sigma.yml
+++ b/detections/sigma/anyplace_control_network_sigma.yml
@@ -7,11 +7,11 @@ detection:
 DestinationHostname|endswith:
 - anyplace-control.com
 condition: selection
-id: 0f582c3c-bb0e-4b5b-955a-fdb0126872df
+id: 655792d3-42e6-41e1-a39a-0c6966b8750b
 status: experimental
 description: Detects potential network activity of Anyplace Control RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/anyplace_control_processes_sigma.yml b/detections/sigma/anyplace_control_processes_sigma.yml
index 88e499f0..0694699c 100644
--- a/detections/sigma/anyplace_control_processes_sigma.yml
+++ b/detections/sigma/anyplace_control_processes_sigma.yml
@@ -7,11 +7,11 @@ detection:
 ParentImage|endswith:
 - apc_host.exe
 condition: selection
-id: ab5b1ddc-b614-4b5d-aa32-e84cc9e42891
+id: b8b70d3d-58df-4a20-b4c0-e225f291f230
 status: experimental
 description: Detects potential processes activity of Anyplace Control RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/anyviewer_network_sigma.yml b/detections/sigma/anyviewer_network_sigma.yml
index 3d1f23fb..b20a5e60 100644
--- a/detections/sigma/anyviewer_network_sigma.yml
+++ b/detections/sigma/anyviewer_network_sigma.yml
@@ -8,11 +8,11 @@ detection:
 - '*.anyviewer.com'
 - '*.aomeisoftware.com'
 condition: selection
-id: 12fbe9c8-21af-4a18-b63d-47fbd91e2424
+id: 856c0541-662b-4403-b712-a787b7ff6ebb
 status: experimental
 description: Detects potential network activity of AnyViewer RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/apple_remote_desktop_network_sigma.yml b/detections/sigma/apple_remote_desktop_network_sigma.yml
index 1e3e87e5..676cdc57 100644
--- a/detections/sigma/apple_remote_desktop_network_sigma.yml
+++ b/detections/sigma/apple_remote_desktop_network_sigma.yml
@@ -7,11 +7,11 @@ detection:
 DestinationHostname|endswith:
 - user_managed
 condition: selection
-id: 6551d5ac-5ed1-4d24-8247-6ea4a27f6194
+id: 3354bc61-36e7-463d-a0cd-8de668b2d0b8
 status: experimental
 description: Detects potential network activity of Apple Remote Desktop RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/aria2_processes_sigma.yml b/detections/sigma/aria2_processes_sigma.yml
index d20f2ac6..fba428e9 100644
--- a/detections/sigma/aria2_processes_sigma.yml
+++ b/detections/sigma/aria2_processes_sigma.yml
@@ -7,11 +7,11 @@ detection:
 ParentImage|endswith:
 - '*\aria2c.exe'
 condition: selection
-id: 0bbb7df2-faf4-4551-b701-0a1d10e7f1a6
+id: 6c235ccb-9731-4e38-9fe2-b16ae844528b
 status: experimental
 description: Detects potential processes activity of aria2 RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/atera_files_sigma.yml b/detections/sigma/atera_files_sigma.yml
index 1b433cb2..9d109694 100644
--- a/detections/sigma/atera_files_sigma.yml
+++ b/detections/sigma/atera_files_sigma.yml
@@ -15,11 +15,11 @@ detection:
 - C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageFileExplorer\AgentPackageFileExplorer.exe
 - C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageRunCommandInteractive\AgentPackageRunCommandInteractive.exe
 condition: selection
-id: d7060c72-493c-4760-866f-90f7f96623a6
+id: a08c1267-edce-4af3-8f48-bf74bb4f52c6
 status: experimental
 description: Detects potential files activity of Atera RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/atera_network_sigma.yml b/detections/sigma/atera_network_sigma.yml
index efd3618d..9a057c17 100644
--- a/detections/sigma/atera_network_sigma.yml
+++ b/detections/sigma/atera_network_sigma.yml
@@ -21,11 +21,11 @@ detection:
 - atera.pubnubapi.com
 - appcdn.atera.com
 condition: selection
-id: a7f7a42e-6d8e-428d-9879-adcf716e401b
+id: ea23aeb1-701b-4cd9-9951-5d00ce194c2b
 status: experimental
 description: Detects potential network activity of Atera RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/atera_processes_sigma.yml b/detections/sigma/atera_processes_sigma.yml
index 8d5a2983..247e45b2 100644
--- a/detections/sigma/atera_processes_sigma.yml
+++ b/detections/sigma/atera_processes_sigma.yml
@@ -13,11 +13,11 @@ detection:
 - ateraagent.exe
 - syncrosetup.exe
 condition: selection
-id: f729c0f2-6a23-4004-8f87-16e1aa48ad52
+id: fd34376e-c4cf-4886-8561-57f2a968c8ba
 status: experimental
 description: Detects potential processes activity of Atera RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/atera_registry_sigma.yml b/detections/sigma/atera_registry_sigma.yml
index 618fe856..a20c678a 100644
--- a/detections/sigma/atera_registry_sigma.yml
+++ b/detections/sigma/atera_registry_sigma.yml
@@ -16,11 +16,11 @@ detection:
 - HKLM\SOFTWARE\Microsoft\Tracing\AteraAgent_RASMANCS
 - HKLM\SOFTWARE\ATERA Networks\*
 condition: selection
-id: 2de6bfd0-9ff2-439c-9886-207f1ab5cc35
+id: 3d7e3f5a-f6da-4a6d-a65d-11ed0f292c67
 status: experimental
 description: Detects potential registry activity of Atera RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/auvik_network_sigma.yml b/detections/sigma/auvik_network_sigma.yml
index d52ebb3a..8c5c1394 100644
--- a/detections/sigma/auvik_network_sigma.yml
+++ b/detections/sigma/auvik_network_sigma.yml
@@ -9,11 +9,11 @@ detection:
 - '*.auvik.com'
 - auvik.com
 condition: selection
-id: 3985be0f-3646-4210-9ace-9c49cc5d4918
+id: f94ee7e0-7d77-4710-814a-1660d2bad2da
 status: experimental
 description: Detects potential network activity of Auvik RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/auvik_processes_sigma.yml b/detections/sigma/auvik_processes_sigma.yml
index b5642d1e..1bdc5035 100644
--- a/detections/sigma/auvik_processes_sigma.yml
+++ b/detections/sigma/auvik_processes_sigma.yml
@@ -8,11 +8,11 @@ detection:
 - auvik.engine.exe
 - auvik.agent.exe
 condition: selection
-id: 378d0184-2765-4408-a6c7-131b7f9575fe
+id: 0ab4238c-6f77-4b2f-bf04-413ebf61dae1
 status: experimental
 description: Detects potential processes activity of Auvik RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/aweray__awesun__network_sigma.yml b/detections/sigma/aweray__awesun__network_sigma.yml
index 5643bf40..c7e1ec3b 100644
--- a/detections/sigma/aweray__awesun__network_sigma.yml
+++ b/detections/sigma/aweray__awesun__network_sigma.yml
@@ -8,11 +8,11 @@ detection:
 - asapi-us.aweray.net
 - asapi.aweray.net
 condition: selection
-id: 568bb069-9031-4b20-a781-b0885b7aaa15
+id: 03183418-50dd-4d3e-af59-54c1e138a577
 status: experimental
 description: Detects potential network activity of AweRay (AweSun) RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/aweray__awesun__processes_sigma.yml b/detections/sigma/aweray__awesun__processes_sigma.yml
index 636a2dcf..870fcae2 100644
--- a/detections/sigma/aweray__awesun__processes_sigma.yml
+++ b/detections/sigma/aweray__awesun__processes_sigma.yml
@@ -8,11 +8,11 @@ detection:
 - aweray_remote*.exe
 - AweSun.exe
 condition: selection
-id: 84ce2b65-cac6-4f4f-a0b2-b195660f93c6
+id: e32b8f65-ab9d-4668-a811-d99d471b085d
 status: experimental
 description: Detects potential processes activity of AweRay (AweSun) RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/aweray_network_sigma.yml b/detections/sigma/aweray_network_sigma.yml
index a6d46c42..e32a7c60 100644
--- a/detections/sigma/aweray_network_sigma.yml
+++ b/detections/sigma/aweray_network_sigma.yml
@@ -8,11 +8,11 @@ detection:
 - asapi*.aweray.net
 - client-api.aweray.com
 condition: selection
-id: 7e4c074e-31d4-4142-be81-016d02a0fddd
+id: f20a6812-5634-43bd-9d1e-1ecb60c11430
 status: experimental
 description: Detects potential network activity of AweRay RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/aweray_processes_sigma.yml b/detections/sigma/aweray_processes_sigma.yml
index ba2deb2d..1fcb220c 100644
--- a/detections/sigma/aweray_processes_sigma.yml
+++ b/detections/sigma/aweray_processes_sigma.yml
@@ -8,11 +8,11 @@ detection:
 - aweray_remote*.exe
 - AweSun.exe
 condition: selection
-id: 73599e0d-0582-4b48-9618-43242fe8c77b
+id: 33f501f4-fe8e-49bb-a659-5d9a5c852fe5
 status: experimental
 description: Detects potential processes activity of AweRay RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/aws-cli_processes_sigma.yml b/detections/sigma/aws-cli_processes_sigma.yml
index f8e7c348..c99f210e 100644
--- a/detections/sigma/aws-cli_processes_sigma.yml
+++ b/detections/sigma/aws-cli_processes_sigma.yml
@@ -7,11 +7,11 @@ detection:
 ParentImage|endswith:
 - '*\AWSCLISetup.exe'
 condition: selection
-id: 03c7e91a-7195-4419-81a9-7acb6437a61f
+id: 4e09548c-79e4-487e-9d0a-03cd67827b7d
 status: experimental
 description: Detects potential processes activity of aws-cli RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/azure_storage_explorer_processes_sigma.yml b/detections/sigma/azure_storage_explorer_processes_sigma.yml
index ea5a6e91..e4b80418 100644
--- a/detections/sigma/azure_storage_explorer_processes_sigma.yml
+++ b/detections/sigma/azure_storage_explorer_processes_sigma.yml
@@ -7,11 +7,11 @@ detection:
 ParentImage|endswith:
 - '*\StorageExplorer.exe'
 condition: selection
-id: 00bc3746-457b-4b47-a246-f23f1155d9c0
+id: 5a756379-897d-47ec-b00a-5fa73eaf4988
 status: experimental
 description: Detects potential processes activity of Azure Storage Explorer RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/barracuda_network_sigma.yml b/detections/sigma/barracuda_network_sigma.yml
index 948160cb..1ff6eae6 100644
--- a/detections/sigma/barracuda_network_sigma.yml
+++ b/detections/sigma/barracuda_network_sigma.yml
@@ -9,11 +9,11 @@ detection:
 - rmm.barracudamsp.com
 - barracudamsp.com
 condition: selection
-id: 911bfc08-ca86-4766-9607-5e6cce2bf0c2
+id: e2a52094-af0e-4011-9d65-a0cb49c69ecf
 status: experimental
 description: Detects potential network activity of Barracuda RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/basecamp_network_sigma.yml b/detections/sigma/basecamp_network_sigma.yml
index 6313879b..344d0d9e 100644
--- a/detections/sigma/basecamp_network_sigma.yml
+++ b/detections/sigma/basecamp_network_sigma.yml
@@ -7,11 +7,11 @@ detection:
 DestinationHostname|endswith:
 - basecamp.com
 condition: selection
-id: a2cb399b-b27d-4a2b-a013-aae505f0311c
+id: 2287e3d4-9243-4812-9aa9-0db84f6a1ff6
 status: experimental
 description: Detects potential network activity of Basecamp RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/beamyourscreen_network_sigma.yml b/detections/sigma/beamyourscreen_network_sigma.yml
index afc24720..4eacaa67 100644
--- a/detections/sigma/beamyourscreen_network_sigma.yml
+++ b/detections/sigma/beamyourscreen_network_sigma.yml
@@ -8,11 +8,11 @@ detection:
 - beamyourscreen.com
 - '*.beamyourscreen.com'
 condition: selection
-id: c9cb8626-9037-423e-8548-8b4b6eb338b8
+id: ad4210bf-66b5-4c7e-b20b-f71d609dc5a7
 status: experimental
 description: Detects potential network activity of BeamYourScreen RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/beamyourscreen_processes_sigma.yml b/detections/sigma/beamyourscreen_processes_sigma.yml
index a8f0dc48..209fc36e 100644
--- a/detections/sigma/beamyourscreen_processes_sigma.yml
+++ b/detections/sigma/beamyourscreen_processes_sigma.yml
@@ -8,11 +8,11 @@ detection:
 - beamyourscreen.exe
 - beamyourscreen-host.exe
 condition: selection
-id: a7d7b7d3-1f22-4213-8b42-b31d5bec4b5f
+id: 90ef4fa3-63a2-49b6-a9df-3b6bc4d53114
 status: experimental
 description: Detects potential processes activity of BeamYourScreen RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/beanywhere_network_sigma.yml b/detections/sigma/beanywhere_network_sigma.yml
index 4bf9cc68..c25a6e86 100644
--- a/detections/sigma/beanywhere_network_sigma.yml
+++ b/detections/sigma/beanywhere_network_sigma.yml
@@ -8,11 +8,11 @@ detection:
 - beanywhere.en.uptodown.com/windows
 - beanywhere.com
 condition: selection
-id: dd150b92-9eee-4d16-9b3d-f03a6c40bf73
+id: cea354d4-bf38-4623-b978-3aef587e5566
 status: experimental
 description: Detects potential network activity of BeAnyWhere RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/beanywhere_processes_sigma.yml b/detections/sigma/beanywhere_processes_sigma.yml
index 6dd7afab..636f43ff 100644
--- a/detections/sigma/beanywhere_processes_sigma.yml
+++ b/detections/sigma/beanywhere_processes_sigma.yml
@@ -14,11 +14,11 @@ detection:
 - BASupAppElev.exe
 - basupsrvc.exe
 condition: selection
-id: 08213ecc-b7bc-46bd-8c66-782e512adf82
+id: 80c4b81e-e606-4715-9834-456c18e5009e
 status: experimental
 description: Detects potential processes activity of BeAnyWhere RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/beinsync_network_sigma.yml b/detections/sigma/beinsync_network_sigma.yml
index 4ac5b887..8df468ee 100644
--- a/detections/sigma/beinsync_network_sigma.yml
+++ b/detections/sigma/beinsync_network_sigma.yml
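Review bot: The beanywhere network hunk keeps `- beanywhere.en.uptodown.com/windows` under a `DestinationHostname|endswith` selection, and a value with a URL path can never be the suffix of a hostname field, so that indicator is dead weight in the regenerated rule; the same holds for `beyondtrust.com/brand/bomgar`, `datto.com/au/products/rmm/`, `cloudflare.com/products/tunnel/`, `resources.doradosoftware.com/cruz-rmm` and `crosstecsoftware.com/remotecontrol` in the bomgar, centrastage, cloudflare tunnel, cruz and crosstec network hunks, and for the bare `user_managed` value in the crosstec and deskshare network hunks, which reads like an unfilled placeholder. The commit rewrites these rules but carries the values through unchanged, so the regeneration step is the natural place to validate them. Reduce path-bearing entries to their host part (`beyondtrust.com`, `datto.com`, …) or move them to a URL-typed field, and skip placeholder values, so every emitted `DestinationHostname|endswith` list holds only matchable hostnames.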
@@ -8,11 +8,11 @@ detection:
 - '*.beinsync.net'
 - '*.beinsync.com'
 condition: selection
-id: 5848af8d-5e0d-4470-9d4b-348c262e0f21
+id: 50cf7c20-63d2-4739-8c9e-4e0028962b49
 status: experimental
 description: Detects potential network activity of BeInSync RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/beinsync_processes_sigma.yml b/detections/sigma/beinsync_processes_sigma.yml
index 7c04e7f3..5947dddb 100644
--- a/detections/sigma/beinsync_processes_sigma.yml
+++ b/detections/sigma/beinsync_processes_sigma.yml
@@ -7,11 +7,11 @@ detection:
 ParentImage|endswith:
 - Beinsync*.exe
 condition: selection
-id: 5145c047-a8e1-41b4-9f02-f841d8839bc4
+id: 354d1441-64c5-4429-9e43-ae376256f426
 status: experimental
 description: Detects potential processes activity of BeInSync RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/beyondtrust__bomgar__network_sigma.yml b/detections/sigma/beyondtrust__bomgar__network_sigma.yml
index cfbcedcc..f670ea4e 100644
--- a/detections/sigma/beyondtrust__bomgar__network_sigma.yml
+++ b/detections/sigma/beyondtrust__bomgar__network_sigma.yml
@@ -9,11 +9,11 @@ detection:
 - '*.bomgarcloud.com'
 - bomgarcloud.com
 condition: selection
-id: aee3906f-e99a-4a79-96f8-c4618b193d04
+id: 6238e5fb-4629-4c45-b828-c09d66b398d4
 status: experimental
 description: Detects potential network activity of BeyondTrust (Bomgar) RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/beyondtrust__bomgar__processes_sigma.yml b/detections/sigma/beyondtrust__bomgar__processes_sigma.yml
index af747643..ca7205a8 100644
--- a/detections/sigma/beyondtrust__bomgar__processes_sigma.yml
+++ b/detections/sigma/beyondtrust__bomgar__processes_sigma.yml
@@ -11,11 +11,11 @@ detection:
 - bomgar-pac.exe
 - bomgar-rdp.exe
 condition: selection
-id: ab7f89af-bdf6-45cf-a516-2582ea878bb0
+id: 142b6802-88d2-4dbe-bde2-129487b63509
 status: experimental
 description: Detects potential processes activity of BeyondTrust (Bomgar) RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/bitvise_ssh_client_processes_sigma.yml b/detections/sigma/bitvise_ssh_client_processes_sigma.yml
index 879c61b8..58620f24 100644
--- a/detections/sigma/bitvise_ssh_client_processes_sigma.yml
+++ b/detections/sigma/bitvise_ssh_client_processes_sigma.yml
@@ -7,11 +7,11 @@ detection:
 ParentImage|endswith:
 - '*\BvSshClient-Inst.exe'
 condition: selection
-id: d81910ba-90e5-46fb-a213-653888c4b423
+id: 32fcae3a-a465-4a26-95f6-b18f3018c631
 status: experimental
 description: Detects potential processes activity of Bitvise SSH Client RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/bitvise_ssh_server_processes_sigma.yml b/detections/sigma/bitvise_ssh_server_processes_sigma.yml
index d3575549..05f051fc 100644
--- a/detections/sigma/bitvise_ssh_server_processes_sigma.yml
+++ b/detections/sigma/bitvise_ssh_server_processes_sigma.yml
@@ -7,11 +7,11 @@ detection:
 ParentImage|endswith:
 - '*\BvSshServer-Inst.exe'
 condition: selection
-id: bab80f0d-b756-40c4-a2a5-9438f2c4b1b2
+id: 3cae538e-c158-40e4-9ec0-9e49d92a63c4
 status: experimental
 description: Detects potential processes activity of Bitvise SSH Server RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/bomgar_network_sigma.yml b/detections/sigma/bomgar_network_sigma.yml
index 92f5d97e..77670f2c 100644
--- a/detections/sigma/bomgar_network_sigma.yml
+++ b/detections/sigma/bomgar_network_sigma.yml
@@ -7,11 +7,11 @@ detection:
 DestinationHostname|endswith:
 - beyondtrust.com/brand/bomgar
 condition: selection
-id: ae1f3ed8-1b4b-4745-a32b-2ba9f657466e
+id: f3308c30-40e3-4604-83d3-83d7e6b9583b
 status: experimental
 description: Detects potential network activity of Bomgar RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/bomgar_processes_sigma.yml b/detections/sigma/bomgar_processes_sigma.yml
index 7fcf9929..2b02abbf 100644
--- a/detections/sigma/bomgar_processes_sigma.yml
+++ b/detections/sigma/bomgar_processes_sigma.yml
@@ -7,11 +7,11 @@ detection:
 ParentImage|endswith:
 - bomgar-scc.exe
 condition: selection
-id: 2854a115-3552-4cc7-bb64-cbbe9d457797
+id: 752f62db-1fee-42bd-b5a8-7b4dd3c6e788
 status: experimental
 description: Detects potential processes activity of Bomgar RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/box_processes_sigma.yml b/detections/sigma/box_processes_sigma.yml
index 3a5d4439..ea7982cd 100644
--- a/detections/sigma/box_processes_sigma.yml
+++ b/detections/sigma/box_processes_sigma.yml
@@ -7,11 +7,11 @@ detection:
 ParentImage|endswith:
 - '*\Box.exe'
 condition: selection
-id: cd7b9007-1ee6-47cf-8d02-4393434ce85d
+id: e7af44b5-c19f-460f-a717-35b07594b505
 status: experimental
 description: Detects potential processes activity of Box RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/carotdav_processes_sigma.yml b/detections/sigma/carotdav_processes_sigma.yml
index 8ae8db44..c79a3f9c 100644
--- a/detections/sigma/carotdav_processes_sigma.yml
+++ b/detections/sigma/carotdav_processes_sigma.yml
@@ -7,11 +7,11 @@ detection:
 ParentImage|endswith:
 - '*\CarotDAV.exe'
 condition: selection
-id: 12350913-2cdd-4b98-880a-ca2940d21175
+id: 7dcb3a6d-9092-45ae-88be-f56ec4b5d932
 status: experimental
 description: Detects potential processes activity of CarotDAV RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/centrastage__now_datto__network_sigma.yml b/detections/sigma/centrastage__now_datto__network_sigma.yml
index ca747d3a..cbe3aad9 100644
--- a/detections/sigma/centrastage__now_datto__network_sigma.yml
+++ b/detections/sigma/centrastage__now_datto__network_sigma.yml
@@ -9,11 +9,11 @@ detection:
 - '*cc.centrastage.net'
 - datto.com/au/products/rmm/
 condition: selection
-id: 15a3cb98-b88e-41d5-9f04-e5b4c1619948
+id: 3a88e2fc-5a18-462a-ae8d-4b397d11db5d
 status: experimental
 description: Detects potential network activity of CentraStage (Now Datto) RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/centrastage__now_datto__processes_sigma.yml b/detections/sigma/centrastage__now_datto__processes_sigma.yml
index 6b5c5b74..17f43e74 100644
--- a/detections/sigma/centrastage__now_datto__processes_sigma.yml
+++ b/detections/sigma/centrastage__now_datto__processes_sigma.yml
@@ -8,11 +8,11 @@ detection:
 - CagService.exe
 - AEMAgent.exe
 condition: selection
-id: 33858b25-62d1-4d27-ab5f-f0dd04ba8c87
+id: a71f32fd-3e47-4d97-ac70-af5d7d9ded37
 status: experimental
 description: Detects potential processes activity of CentraStage (Now Datto) RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/centurion_network_sigma.yml b/detections/sigma/centurion_network_sigma.yml
index aea944ab..fad7a4c9 100644
--- a/detections/sigma/centurion_network_sigma.yml
+++ b/detections/sigma/centurion_network_sigma.yml
@@ -7,11 +7,11 @@ detection:
 DestinationHostname|endswith:
 - centuriontech.com
 condition: selection
-id: 85c2c61a-f845-474e-9513-ecd49517fef9
+id: fc93a409-f9df-4dab-abb0-ff489eb32a06
 status: experimental
 description: Detects potential network activity of Centurion RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/centurion_processes_sigma.yml b/detections/sigma/centurion_processes_sigma.yml
index b5980144..6625a4d3 100644
--- a/detections/sigma/centurion_processes_sigma.yml
+++ b/detections/sigma/centurion_processes_sigma.yml
@@ -7,11 +7,11 @@ detection:
 ParentImage|endswith:
 - ctiserv.exe
 condition: selection
-id: cb0aabc9-bd36-4fc0-94aa-f4946a583c4d
+id: 34de100b-becb-4364-9a9d-a325dae08231
 status: experimental
 description: Detects potential processes activity of Centurion RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/chrome_remote_desktop_network_sigma.yml b/detections/sigma/chrome_remote_desktop_network_sigma.yml
index d578afcf..3710249f 100644
--- a/detections/sigma/chrome_remote_desktop_network_sigma.yml
+++ b/detections/sigma/chrome_remote_desktop_network_sigma.yml
@@ -9,11 +9,11 @@ detection:
 - '*remotedesktop.google.com'
 - remotedesktop.google.com
 condition: selection
-id: a6479d3f-04d3-462a-ba87-b725df37f592
+id: 51447322-5c31-4d35-ac2d-31edbf479644
 status: experimental
 description: Detects potential network activity of Chrome Remote Desktop RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/chrome_remote_desktop_processes_sigma.yml b/detections/sigma/chrome_remote_desktop_processes_sigma.yml
index d7da13e0..e444179a 100644
--- a/detections/sigma/chrome_remote_desktop_processes_sigma.yml
+++ b/detections/sigma/chrome_remote_desktop_processes_sigma.yml
@@ -9,11 +9,11 @@ detection:
 - remoting_host.exe
 - '*\remoting_host.exe'
 condition: selection
-id: 7c19412f-e059-46f9-a92c-5fc8f8454287
+id: 9ba8e1a9-1a5f-4297-bc82-712f5427355a
 status: experimental
 description: Detects potential processes activity of Chrome Remote Desktop RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/cloudbuckit_processes_sigma.yml b/detections/sigma/cloudbuckit_processes_sigma.yml
index 3a9de271..89eb0a04 100644
--- a/detections/sigma/cloudbuckit_processes_sigma.yml
+++ b/detections/sigma/cloudbuckit_processes_sigma.yml
@@ -7,11 +7,11 @@ detection:
 ParentImage|endswith:
 - '*\CloudBuckIt*.exe'
 condition: selection
-id: 3b10e73f-ae63-46e1-a675-f85057e4851c
+id: eaba647a-e577-414d-bdd5-16062dc9682c
 status: experimental
 description: Detects potential processes activity of CloudBuckIt RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/cloudflare_tunnel_network_sigma.yml b/detections/sigma/cloudflare_tunnel_network_sigma.yml
index 7c038f11..63aa050a 100644
--- a/detections/sigma/cloudflare_tunnel_network_sigma.yml
+++ b/detections/sigma/cloudflare_tunnel_network_sigma.yml
@@ -7,11 +7,11 @@ detection:
 DestinationHostname|endswith:
 - cloudflare.com/products/tunnel/
 condition: selection
-id: ba784c59-8d23-4e44-b59a-18a9280b045f
+id: f64ebd79-45b1-4ed4-8dad-571d0bca51b6
 status: experimental
 description: Detects potential network activity of CloudFlare Tunnel RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/cloudflare_tunnel_processes_sigma.yml b/detections/sigma/cloudflare_tunnel_processes_sigma.yml
index bcb643ff..8e1c11cc 100644
--- a/detections/sigma/cloudflare_tunnel_processes_sigma.yml
+++ b/detections/sigma/cloudflare_tunnel_processes_sigma.yml
@@ -7,11 +7,11 @@ detection:
 ParentImage|endswith:
 - cloudflared.exe
 condition: selection
-id: 4d840c3f-cf3e-42d7-818f-dd397e7e600c
+id: 2f96065e-f2f6-4f4a-8567-4a79e03eeb5f
 status: experimental
 description: Detects potential processes activity of CloudFlare Tunnel RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/cloudmounter_processes_sigma.yml b/detections/sigma/cloudmounter_processes_sigma.yml
index c988f41e..9a129b71 100644
--- a/detections/sigma/cloudmounter_processes_sigma.yml
+++ b/detections/sigma/cloudmounter_processes_sigma.yml
@@ -7,11 +7,11 @@ detection:
 ParentImage|endswith:
 - '*\cloudmounter.exe'
 condition: selection
-id: 42b54b7d-638c-4fc8-8d68-76a7635f4d96
+id: 75a0db57-84e2-481d-852a-c181fe747964
 status: experimental
 description: Detects potential processes activity of CloudMounter RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/cloudxplorer_processes_sigma.yml b/detections/sigma/cloudxplorer_processes_sigma.yml
index cd585f38..8bdb24eb 100644
--- a/detections/sigma/cloudxplorer_processes_sigma.yml
+++ b/detections/sigma/cloudxplorer_processes_sigma.yml
@@ -7,11 +7,11 @@ detection:
 ParentImage|endswith:
 - '*\clumsyleaf.cloudxplorer*.exe'
 condition: selection
-id: 19ce5d34-ecdd-464a-b621-68f2db6086b8
+id: ac3686dd-66b2-4b2a-94e0-c26a2487bd9a
 status: experimental
 description: Detects potential processes activity of CloudXplorer RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/comodo_rmm_network_sigma.yml b/detections/sigma/comodo_rmm_network_sigma.yml
index e72fe9a3..2a98a661 100644
--- a/detections/sigma/comodo_rmm_network_sigma.yml
+++ b/detections/sigma/comodo_rmm_network_sigma.yml
@@ -9,11 +9,11 @@ detection: - '*mdmsupport.comodo.com' - one.comodo.com condition: selection -id: 95e408b6-051b-4912-9076-91d3b9596774 +id: 6f6593a9-b2fa-4a29-9fdf-67972e2af588 status: experimental description: Detects potential network activity of Comodo RMM RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/comodo_rmm_processes_sigma.yml b/detections/sigma/comodo_rmm_processes_sigma.yml index 75b7e281..6fa8a71d 100644 --- a/detections/sigma/comodo_rmm_processes_sigma.yml +++ b/detections/sigma/comodo_rmm_processes_sigma.yml @@ -8,11 +8,11 @@ detection: - itsmagent.exe - rviewer.exe condition: selection -id: 3aacd78c-ad2e-4d51-be20-31f482295998 +id: 1f2d2541-f3b7-488a-b553-aebd29c01eaa status: experimental description: Detects potential processes activity of Comodo RMM RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/connectwise_automate__labtech__network_sigma.yml b/detections/sigma/connectwise_automate__labtech__network_sigma.yml index de5c1288..a32f1a46 100644 --- a/detections/sigma/connectwise_automate__labtech__network_sigma.yml +++ b/detections/sigma/connectwise_automate__labtech__network_sigma.yml @@ -7,12 +7,12 @@ detection: DestinationHostname|endswith: - '*.hostedrmm.com' condition: selection -id: 48cd2e53-f8b7-4150-b62c-768f7e64c5bc +id: 24aea3f1-7d41-4736-b083-bafb6ed85644 status: experimental description: Detects potential network activity of Connectwise Automate (LabTech) RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/connectwise_automate__labtech__processes_sigma.yml b/detections/sigma/connectwise_automate__labtech__processes_sigma.yml index a6635c19..c156a3f9 100644 --- a/detections/sigma/connectwise_automate__labtech__processes_sigma.yml 
+++ b/detections/sigma/connectwise_automate__labtech__processes_sigma.yml @@ -9,12 +9,12 @@ detection: - ltsvcmon.exe - lttray.exe condition: selection -id: 56b0c72a-d206-4e36-9fb9-97e97c0737bb +id: 3fc5c412-a53a-47ae-b2cc-e140e32a22ce status: experimental description: Detects potential processes activity of Connectwise Automate (LabTech) RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/connectwise_control_network_sigma.yml b/detections/sigma/connectwise_control_network_sigma.yml index 3f9ad744..fb68be3b 100644 --- a/detections/sigma/connectwise_control_network_sigma.yml +++ b/detections/sigma/connectwise_control_network_sigma.yml @@ -8,11 +8,11 @@ detection: - live.screenconnect.com - control.connectwise.com condition: selection -id: b65464a9-856e-44bc-bdf6-6ebe26bec7bf +id: 9132f3d7-e95a-423c-80aa-03bae583833c status: experimental description: Detects potential network activity of ConnectWise Control RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/connectwise_control_processes_sigma.yml b/detections/sigma/connectwise_control_processes_sigma.yml index e3dd9c06..3b020ea4 100644 --- a/detections/sigma/connectwise_control_processes_sigma.yml +++ b/detections/sigma/connectwise_control_processes_sigma.yml @@ -10,11 +10,11 @@ detection: - screenconnect.windowsclient.exe - connectwisechat-customer.exe condition: selection -id: 50b35c69-9bb9-47dd-964a-90942458314c +id: 4a407e58-10a2-4e23-8fad-2787ba64a5fb status: experimental description: Detects potential processes activity of ConnectWise Control RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/core_ftp_processes_sigma.yml b/detections/sigma/core_ftp_processes_sigma.yml index 2bf6e351..dcb2e377 100644 --- a/detections/sigma/core_ftp_processes_sigma.yml 
+++ b/detections/sigma/core_ftp_processes_sigma.yml
@@ -8,11 +8,11 @@ detection:
 - C:\*\coreftplite.exe
 - '*\coreftplite.exe'
 condition: selection
-id: 620bd021-0b5d-455f-b75a-d90bc92f0eba
+id: 394b2510-7844-4a84-be47-3f75ac85bd70
 status: experimental
 description: Detects potential processes activity of Core FTP RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/crossloop_network_sigma.yml b/detections/sigma/crossloop_network_sigma.yml
index 627d6b50..07c87124 100644
--- a/detections/sigma/crossloop_network_sigma.yml
+++ b/detections/sigma/crossloop_network_sigma.yml
@@ -8,11 +8,11 @@ detection:
 - '*.crossloop.com'
 - crossloop.en.softonic.com
 condition: selection
-id: c2deeec3-aacc-4631-8211-3cec54658a24
+id: bef711ea-7e18-441b-b4c0-609c348fd068
 status: experimental
 description: Detects potential network activity of CrossLoop RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/crossloop_processes_sigma.yml b/detections/sigma/crossloop_processes_sigma.yml
index 8e9b6361..4d991378 100644
--- a/detections/sigma/crossloop_processes_sigma.yml
+++ b/detections/sigma/crossloop_processes_sigma.yml
@@ -9,11 +9,11 @@ detection:
 - CrossLoopConnect.exe
 - WinVNCStub.exe
 condition: selection
-id: 9ee6e4ab-46ea-42d1-96a7-0e41d0a5d2d9
+id: 22118921-1c0d-4211-a037-538710fa0107
 status: experimental
 description: Detects potential processes activity of CrossLoop RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/crosstec_remote_control_network_sigma.yml b/detections/sigma/crosstec_remote_control_network_sigma.yml
index d37b732c..978cd4af 100644
--- a/detections/sigma/crosstec_remote_control_network_sigma.yml
+++ b/detections/sigma/crosstec_remote_control_network_sigma.yml
@@ -8,11 +8,11 @@ detection:
 - user_managed
 - crosstecsoftware.com/remotecontrol
 condition: selection
-id: a9dc2bac-a820-4ccf-943c-e2085914c194
+id: 8aca80db-6f0c-4f83-935a-d2da94e489dc
 status: experimental
 description: Detects potential network activity of CrossTec Remote Control RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/crosstec_remote_control_processes_sigma.yml b/detections/sigma/crosstec_remote_control_processes_sigma.yml
index ef45e1a3..979d3b09 100644
--- a/detections/sigma/crosstec_remote_control_processes_sigma.yml
+++ b/detections/sigma/crosstec_remote_control_processes_sigma.yml
@@ -8,11 +8,11 @@ detection:
 - PCIVIDEO.EXE
 - supporttool.exe
 condition: selection
-id: 6e8cced7-1973-4a34-ab85-a3a6bf5440b8
+id: 97b2d8e4-652c-4722-b268-c21395609fbc
 status: experimental
 description: Detects potential processes activity of CrossTec Remote Control RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/cruz_network_sigma.yml b/detections/sigma/cruz_network_sigma.yml
index 4ec8c09a..f8ea7b78 100644
--- a/detections/sigma/cruz_network_sigma.yml
+++ b/detections/sigma/cruz_network_sigma.yml
@@ -7,11 +7,11 @@ detection:
 DestinationHostname|endswith:
 - resources.doradosoftware.com/cruz-rmm
 condition: selection
-id: a1ca6182-5cf5-479a-895e-e7a10445c6b5
+id: e3090529-bfd4-4a80-a961-519340833ece
 status: experimental
 description: Detects potential network activity of Cruz RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/cuteftp_processes_sigma.yml b/detections/sigma/cuteftp_processes_sigma.yml
index e37995a8..b7570872 100644
--- a/detections/sigma/cuteftp_processes_sigma.yml
+++ b/detections/sigma/cuteftp_processes_sigma.yml
@@ -7,11 +7,11 @@ detection: ParentImage|endswith: - '*\cuteftppro.exe' condition: selection -id: 207ff40e-26a7-4ba6-b875-7167e3b5a5e7 +id: 83e2b32c-24fd-4f57-a3a2-807e4ff592d2 status: experimental description: Detects potential processes activity of CuteFTP RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/cyberduck_processes_sigma.yml b/detections/sigma/cyberduck_processes_sigma.yml index 7a64bf4d..b9a92867 100644 --- a/detections/sigma/cyberduck_processes_sigma.yml +++ b/detections/sigma/cyberduck_processes_sigma.yml @@ -7,11 +7,11 @@ detection: ParentImage|endswith: - '*\Cyberduck.exe' condition: selection -id: 6e64282f-f4ee-47fb-90f1-6cad17807ec8 +id: e55934bd-a4a0-4c44-8be7-cb86fb42f5d2 status: experimental description: Detects potential processes activity of Cyberduck RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/dameware-mini_remote_control_protocol_network_sigma.yml b/detections/sigma/dameware-mini_remote_control_protocol_network_sigma.yml index 1a1cb22f..d16b3654 100644 --- a/detections/sigma/dameware-mini_remote_control_protocol_network_sigma.yml +++ b/detections/sigma/dameware-mini_remote_control_protocol_network_sigma.yml @@ -7,12 +7,12 @@ detection: DestinationHostname|endswith: - dameware.com condition: selection -id: ef1d354d-c7fa-41c9-8dfa-b1650ad6eb6f +id: 64f99179-c36e-4271-aee4-e3e75e866a86 status: experimental description: Detects potential network activity of Dameware-mini remote control Protocol RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/dameware-mini_remote_control_protocol_processes_sigma.yml b/detections/sigma/dameware-mini_remote_control_protocol_processes_sigma.yml index eb35f433..2743d28c 100644 
--- a/detections/sigma/dameware-mini_remote_control_protocol_processes_sigma.yml +++ b/detections/sigma/dameware-mini_remote_control_protocol_processes_sigma.yml @@ -8,12 +8,12 @@ detection: - dntus*.exe - dwrcs.exe condition: selection -id: ff1b272d-294c-422b-add5-b6e1f23659a9 +id: 37a2b016-e2ab-49f7-933b-1278a701b18f status: experimental description: Detects potential processes activity of Dameware-mini remote control Protocol RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/dameware_processes_sigma.yml b/detections/sigma/dameware_processes_sigma.yml index 09f59fb6..892eba89 100644 --- a/detections/sigma/dameware_processes_sigma.yml +++ b/detections/sigma/dameware_processes_sigma.yml @@ -12,11 +12,11 @@ detection: - DameWare Remote Support.exe - SolarWinds-Dameware-MRC*.exe condition: selection -id: 472346d9-395f-4aa7-8ca6-df009c3026d1 +id: 1d9073a9-6c31-4e3f-9b6d-ea50ad04a5ad status: experimental description: Detects potential processes activity of DameWare RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/datto_network_sigma.yml b/detections/sigma/datto_network_sigma.yml index 0ae027f1..102903d4 100644 --- a/detections/sigma/datto_network_sigma.yml +++ b/detections/sigma/datto_network_sigma.yml @@ -7,11 +7,11 @@ detection: DestinationHostname|endswith: - datto.com condition: selection -id: 1252a5b1-a905-40a0-8b19-3366a5927fcb +id: 899970a6-b2b2-4aa4-bcf9-554a37180f47 status: experimental description: Detects potential network activity of Datto RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/deskday_network_sigma.yml b/detections/sigma/deskday_network_sigma.yml index 4af8c7aa..8110e4c0 100644 --- a/detections/sigma/deskday_network_sigma.yml +++ b/detections/sigma/deskday_network_sigma.yml 
@@ -8,11 +8,11 @@ detection: - deskday.ai - app.deskday.ai condition: selection -id: 1e7352e0-fc3e-4a59-83b9-c957fa53cc19 +id: 38872e2b-956b-40eb-9af0-09f9bc4258ca status: experimental description: Detects potential network activity of DeskDay RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/deskday_processes_sigma.yml b/detections/sigma/deskday_processes_sigma.yml index 62b6e9d7..54d76f44 100644 --- a/detections/sigma/deskday_processes_sigma.yml +++ b/detections/sigma/deskday_processes_sigma.yml @@ -7,11 +7,11 @@ detection: ParentImage|endswith: - ultimate_*.exe condition: selection -id: 66a073b7-15f1-4798-b2b7-8c0a2bc182f6 +id: 0cb80515-5804-40eb-9491-74381eb04a36 status: experimental description: Detects potential processes activity of DeskDay RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/deskshare_network_sigma.yml b/detections/sigma/deskshare_network_sigma.yml index 04022266..11cad315 100644 --- a/detections/sigma/deskshare_network_sigma.yml +++ b/detections/sigma/deskshare_network_sigma.yml @@ -7,11 +7,11 @@ detection: DestinationHostname|endswith: - user_managed condition: selection -id: eeb4ab03-601c-4fbc-9709-7eeda3949734 +id: cc4d6f65-b7c0-419a-97d2-107595b325cf status: experimental description: Detects potential network activity of DeskShare RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/deskshare_processes_sigma.yml b/detections/sigma/deskshare_processes_sigma.yml index 87135d9d..d4bc7c5c 100644 --- a/detections/sigma/deskshare_processes_sigma.yml +++ b/detections/sigma/deskshare_processes_sigma.yml 
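Review bot: deskshare_network_sigma.yml emits `- user_managed` as the only `DestinationHostname|endswith` value; that is the catalogue's placeholder for "customer-hosted, no fixed domain", not an indicator, so the rule can never match real DeskShare traffic and will only ever hit a hostname that literally ends in `user_managed`. The generator should strip placeholder values before rendering and skip emitting a network rule when no concrete domain remains, rather than shipping a dead rule whose `experimental` status makes it look like coverage. The same placeholder surfaces in several other network rules later in this diff.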
@@ -8,11 +8,11 @@ detection: - TeamTaskManager.exe - DSGuest.exe condition: selection -id: 626b8053-8365-4d4a-b767-0e27c37e4ec7 +id: 7bf7edf6-bcbe-4916-b9f0-139d63834ac3 status: experimental description: Detects potential processes activity of DeskShare RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/desktop_central_network_sigma.yml b/detections/sigma/desktop_central_network_sigma.yml index 44d071e2..5f60fd39 100644 --- a/detections/sigma/desktop_central_network_sigma.yml +++ b/detections/sigma/desktop_central_network_sigma.yml @@ -7,11 +7,11 @@ detection: DestinationHostname|endswith: - desktopcentral.manageengine.com condition: selection -id: 49049517-e26f-4e29-87af-fe66bae434b5 +id: 322f6513-eb99-4f59-a5dc-00cf5f3d020b status: experimental description: Detects potential network activity of Desktop Central RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/desktop_central_processes_sigma.yml b/detections/sigma/desktop_central_processes_sigma.yml index fef04a61..20f64798 100644 --- a/detections/sigma/desktop_central_processes_sigma.yml +++ b/detections/sigma/desktop_central_processes_sigma.yml @@ -7,11 +7,11 @@ detection: ParentImage|endswith: - dcagentservice.exe condition: selection -id: 49210cc5-74c5-43d5-9a43-07d193e606f7 +id: 239e8a76-aee7-4840-9428-ecfe26be8103 status: experimental description: Detects potential processes activity of Desktop Central RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/desktopnow_network_sigma.yml b/detections/sigma/desktopnow_network_sigma.yml index eaf61932..3776b7a6 100644 --- a/detections/sigma/desktopnow_network_sigma.yml +++ b/detections/sigma/desktopnow_network_sigma.yml 
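Review bot: desktop_central_network_sigma.yml fires on any connection to a hostname ending in `desktopcentral.manageengine.com`, which in an organisation that runs Desktop Central as its sanctioned endpoint manager is every managed host, continuously. The hunk shows no `level` or `falsepositives` fields; if they live outside the hunk, fine, otherwise the generator should emit `level: low` and `falsepositives: - Legitimate use of Desktop Central by IT administration` so consumers can tune on first import. For a commonly sanctioned tool the detection value lies in unexpected hosts talking to the service, which needs an allow-list of known agents maintained outside Sigma; the `description` should say so.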
@@ -7,11 +7,11 @@ detection: DestinationHostname|endswith: - '*.nchuser.com' condition: selection -id: 8a52c5e1-bc7c-4fb6-b6ae-b6b4ed0a5015 +id: 2541974e-61bc-4869-b902-f828f3db1a2d status: experimental description: Detects potential network activity of DesktopNow RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/desktopnow_processes_sigma.yml b/detections/sigma/desktopnow_processes_sigma.yml index d41c2e62..f1aead68 100644 --- a/detections/sigma/desktopnow_processes_sigma.yml +++ b/detections/sigma/desktopnow_processes_sigma.yml @@ -7,11 +7,11 @@ detection: ParentImage|endswith: - desktopnow.exe condition: selection -id: 41abf633-3de1-4374-9521-8138962a7906 +id: 0e8c58da-b287-414c-86de-42efa6aaac8a status: experimental description: Detects potential processes activity of DesktopNow RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/dev_tunnels__aka_visual_studio_dev_tunnel__network_sigma.yml b/detections/sigma/dev_tunnels__aka_visual_studio_dev_tunnel__network_sigma.yml index 1c720d20..f0ae4718 100644 --- a/detections/sigma/dev_tunnels__aka_visual_studio_dev_tunnel__network_sigma.yml +++ b/detections/sigma/dev_tunnels__aka_visual_studio_dev_tunnel__network_sigma.yml @@ -7,12 +7,12 @@ detection: DestinationHostname|endswith: - learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview condition: selection -id: 9bf57519-3848-4019-9bb9-204cbbccab36 +id: d241c4b6-c437-4e78-9942-ae798e840204 status: experimental description: Detects potential network activity of Dev Tunnels (aka Visual Studio Dev Tunnel) RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/distant_desktop_network_sigma.yml b/detections/sigma/distant_desktop_network_sigma.yml index 51d4e54b..4537ad3d 100644 
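Review bot: dev_tunnels__aka_visual_studio_dev_tunnel__network_sigma.yml places `learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview` under `DestinationHostname|endswith`; that is a documentation URL, a hostname field never contains a path, so the rule cannot match and the nearest thing to a hit is someone browsing Microsoft Learn. The source record evidently has the product's reference URL in its domains field; the generator (or a validator) should reject domain values containing `/`, and the catalogue entry needs the relay hostname suffixes the tunnel client actually connects to, taken from the vendor documentation rather than guessed here.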
--- a/detections/sigma/distant_desktop_network_sigma.yml +++ b/detections/sigma/distant_desktop_network_sigma.yml @@ -8,11 +8,11 @@ detection: - '*.distantdesktop.com' - '*signalserver.xyz' condition: selection -id: e2fbdd76-2bc3-43fa-9090-8a2edda86bc6 +id: 05201a97-1e4e-42d8-9dca-3a2af6c53fce status: experimental description: Detects potential network activity of Distant Desktop RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/distant_desktop_processes_sigma.yml b/detections/sigma/distant_desktop_processes_sigma.yml index 8edc23a9..a595e2fa 100644 --- a/detections/sigma/distant_desktop_processes_sigma.yml +++ b/detections/sigma/distant_desktop_processes_sigma.yml @@ -9,11 +9,11 @@ detection: - dd.exe - distant-desktop.exe condition: selection -id: 960e377e-a5e7-4808-b307-f395dc213574 +id: b836c38b-2b26-4464-a575-7ebf486f040f status: experimental description: Detects potential processes activity of Distant Desktop RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/domotz_network_sigma.yml b/detections/sigma/domotz_network_sigma.yml index 762bc5ec..06a8c390 100644 --- a/detections/sigma/domotz_network_sigma.yml +++ b/detections/sigma/domotz_network_sigma.yml @@ -9,11 +9,11 @@ detection: - domotz.com - '*cell-1.domotz.com' condition: selection -id: fd38488d-6343-44a8-82c8-116377d4a672 +id: 3e2c6509-b097-4847-9162-be651728e793 status: experimental description: Detects potential network activity of Domotz RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/domotz_processes_sigma.yml b/detections/sigma/domotz_processes_sigma.yml index b9d26279..0db8b20a 100644 --- a/detections/sigma/domotz_processes_sigma.yml +++ b/detections/sigma/domotz_processes_sigma.yml 
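Review bot: In distant_desktop_processes_sigma.yml the value `dd.exe` under `ParentImage|endswith` is a bare two-letter suffix: endswith compares the string tail, so it also matches `\add.exe`, `\fdd.exe` and anything else ending in `dd.exe`. Bare names should be rendered with the path separator, `'\dd.exe'`, so the match is on a whole file name. The same applies to `'*signalserver.xyz'` in the network rule above it, where the leading `*` is redundant with endswith and the missing dot means `anysignalserver.xyz` matches too.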
@@ -12,11 +12,11 @@ detection: - Domotz Pro Desktop App Setup*.exe - domotz-windows*.exe condition: selection -id: b706db62-efcb-42f4-ae9c-4183747821a3 +id: 5b2ca434-384d-4c09-b980-ec6d63d23eab status: experimental description: Detects potential processes activity of Domotz RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/dragondisk_processes_sigma.yml b/detections/sigma/dragondisk_processes_sigma.yml index 0c92e212..24f78deb 100644 --- a/detections/sigma/dragondisk_processes_sigma.yml +++ b/detections/sigma/dragondisk_processes_sigma.yml @@ -7,11 +7,11 @@ detection: ParentImage|endswith: - '*\DragonDisk.exe' condition: selection -id: 64bf08b5-3cff-472a-a041-ed5b1f694439 +id: 65c97fea-d785-4b58-99c0-da8135c79f59 status: experimental description: Detects potential processes activity of DragonDisk RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/drivemaker_processes_sigma.yml b/detections/sigma/drivemaker_processes_sigma.yml index e8d48b34..b883c34c 100644 --- a/detections/sigma/drivemaker_processes_sigma.yml +++ b/detections/sigma/drivemaker_processes_sigma.yml @@ -8,11 +8,11 @@ detection: - C:\*\DriveMaker.exe - '*\DriveMaker.exe' condition: selection -id: 7f6b7e43-7312-4c04-9ea0-8e57bef0fb1c +id: 51338b36-de22-4824-9de4-04ef3d67da26 status: experimental description: Detects potential processes activity of DriveMaker RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/dropbox_processes_sigma.yml b/detections/sigma/dropbox_processes_sigma.yml index c73d9339..65d797ce 100644 --- a/detections/sigma/dropbox_processes_sigma.yml +++ b/detections/sigma/dropbox_processes_sigma.yml 
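Review bot: drivemaker_processes_sigma.yml lists `C:\*\DriveMaker.exe` and `'*\DriveMaker.exe'` under the same `ParentImage|endswith`; the second value already covers every path the first can match, so the first is dead weight, and the literal `C:\` suggests the source stored an install path that the generator folded into a suffix pattern unchanged. Normalising to a single `'\DriveMaker.exe'` (endswith adds the leading wildcard itself) keeps the rule readable and spares backends an extra wildcard pattern per value. If the source paths are meant to be exact locations, render them with `ParentImage` exact or `|contains` rather than merging them into an endswith list.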
@@ -7,11 +7,11 @@ detection: ParentImage|endswith: - '*\Dropbox.exe' condition: selection -id: c9a987df-747a-4db6-90fa-9f41a2f8450d +id: 6300b5e7-3e3c-4c2b-8767-c92fb412f065 status: experimental description: Detects potential processes activity of Dropbox RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/duplicati_processes_sigma.yml b/detections/sigma/duplicati_processes_sigma.yml index e449f513..01338133 100644 --- a/detections/sigma/duplicati_processes_sigma.yml +++ b/detections/sigma/duplicati_processes_sigma.yml @@ -8,11 +8,11 @@ detection: - c:\Program Files\*\Duplicati.Server.exe - '*\*\Duplicati.Server.exe' condition: selection -id: 9946b483-9087-469f-83d3-3a9dd4ab8668 +id: 270a1720-2a6c-43ab-8ff9-c694909ea6ae status: experimental description: Detects potential processes activity of Duplicati RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/dw_service_network_sigma.yml b/detections/sigma/dw_service_network_sigma.yml index 818449cd..4133925b 100644 --- a/detections/sigma/dw_service_network_sigma.yml +++ b/detections/sigma/dw_service_network_sigma.yml @@ -7,11 +7,11 @@ detection: DestinationHostname|endswith: - '*.dwservice.net' condition: selection -id: 4b47ce00-b6c1-49fe-a586-55980d3839ca +id: 91d0fd60-1096-40d1-9080-b1793c54e687 status: experimental description: Detects potential network activity of DW Service RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/dw_service_processes_sigma.yml b/detections/sigma/dw_service_processes_sigma.yml index 708f60d7..d3c64186 100644 --- a/detections/sigma/dw_service_processes_sigma.yml +++ b/detections/sigma/dw_service_processes_sigma.yml 
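Review bot: dropbox_processes_sigma.yml describes `Dropbox.exe` as a "Dropbox RMM tool" and tags it `attack.t1219`; Dropbox is a file-sync client, not remote-access software, so the description is wrong and an analyst triaging the alert will discount it. If the catalogue intends to cover data-staging and exfiltration tools, the generator should pull the category from the source record into `description` and tag `attack.exfiltration` / `attack.t1567.002` instead of hard-coding "RMM tool" and T1219 for every entry. The same mislabelling applies to Duplicati in the next hunk and to the other sync/backup clients in this commit.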
@@ -9,11 +9,11 @@ detection: - dwagent.exe - dwagsvc.exe condition: selection -id: 792a090b-1099-4e3a-98d4-f5a89eef51e6 +id: 5652feeb-de11-4703-a3fb-1d43fc633ebc status: experimental description: Detects potential processes activity of DW Service RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/echoware_processes_sigma.yml b/detections/sigma/echoware_processes_sigma.yml index b8c2cc84..18cae3ac 100644 --- a/detections/sigma/echoware_processes_sigma.yml +++ b/detections/sigma/echoware_processes_sigma.yml @@ -7,11 +7,11 @@ detection: ParentImage|endswith: - echoserver*.exe condition: selection -id: a5837ca5-991e-4211-8c52-e7ed4bd72cf7 +id: 6f03854f-166a-472e-a756-fecade3b89b9 status: experimental description: Detects potential processes activity of Echoware RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/ehorus_network_sigma.yml b/detections/sigma/ehorus_network_sigma.yml index 1cb77a67..dab4072e 100644 --- a/detections/sigma/ehorus_network_sigma.yml +++ b/detections/sigma/ehorus_network_sigma.yml @@ -7,11 +7,11 @@ detection: DestinationHostname|endswith: - ehorus.com condition: selection -id: 51b2e049-f994-43e8-929d-0d02cd815224 +id: c9053241-a95f-4408-b7c6-f898c969bbc1 status: experimental description: Detects potential network activity of eHorus RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/ehorus_processes_sigma.yml b/detections/sigma/ehorus_processes_sigma.yml index 032641a5..f32990c5 100644 --- a/detections/sigma/ehorus_processes_sigma.yml +++ b/detections/sigma/ehorus_processes_sigma.yml 
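Review bot: dw_service_processes_sigma.yml keys on `ParentImage`, so what it actually observes is a child process spawned by `dwagsvc.exe`/`dwagent.exe`, i.e. the agent executing something on behalf of a remote operator, which is a more actionable event than "tool is installed" yet the description only says "processes activity of DW Service RMM tool". State the real semantics in `description` ("child process spawned by the DW Service agent") and consider a second, higher-`level` selection that pairs those parents with `Image|endswith` of `\cmd.exe` or `\powershell.exe`, since a remote-spawned shell is the case worth paging on. As written the level and falsepositives fields are not in the hunk, so I cannot tell whether the severity already reflects this.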
@@ -7,11 +7,11 @@ detection: ParentImage|endswith: - ehorus standalone.exe condition: selection -id: 2e53c538-3fff-45ac-b903-f4ab6afaf8dd +id: 006d9c2f-3eaf-4b59-b8c3-b9ee5ad5ba47 status: experimental description: Detects potential processes activity of eHorus RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/electric_network_sigma.yml b/detections/sigma/electric_network_sigma.yml index e8554b1a..07c13a71 100644 --- a/detections/sigma/electric_network_sigma.yml +++ b/detections/sigma/electric_network_sigma.yml @@ -7,11 +7,11 @@ detection: DestinationHostname|endswith: - electric.ai condition: selection -id: 3b56bafd-b0fa-4ee1-9a63-6fc1e5e683f9 +id: 13449186-dca1-4550-9b4b-d5eef84f88a2 status: experimental description: Detects potential network activity of Electric RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/emco_remote_console_network_sigma.yml b/detections/sigma/emco_remote_console_network_sigma.yml index 4b9280c5..9da0df65 100644 --- a/detections/sigma/emco_remote_console_network_sigma.yml +++ b/detections/sigma/emco_remote_console_network_sigma.yml @@ -8,11 +8,11 @@ detection: - user_managed - emcosoftware.com condition: selection -id: c18f4446-bf56-478b-b34a-21649f517412 +id: d76fbf27-bd18-4f77-875f-a80a02b6e8cc status: experimental description: Detects potential network activity of EMCO Remote Console RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/emco_remote_console_processes_sigma.yml b/detections/sigma/emco_remote_console_processes_sigma.yml index d6991d78..64a14c6c 100644 --- a/detections/sigma/emco_remote_console_processes_sigma.yml +++ b/detections/sigma/emco_remote_console_processes_sigma.yml 
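Review bot: emco_remote_console_network_sigma.yml carries both the `user_managed` placeholder and `emcosoftware.com` in the same list; the placeholder is harmless here because the OR has a real value, but it still lands in a production rule as a literal hostname suffix and a reader cannot tell it is a sentinel. Filter it out in the template, `{% for d in domains if d != 'user_managed' %}`, and when the tool is self-hosted say so in `description`, so the consumer knows the listed vendor domain only catches update/licensing traffic and not the remote-control channel. `electric.ai` in the preceding hunk also needs the leading dot to avoid matching unrelated domains ending in those letters.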
@@ -7,11 +7,11 @@ detection: ParentImage|endswith: - remoteconsole.exe condition: selection -id: e93c8c59-c28e-4ad8-9659-8ea19e3658bd +id: 03128fb8-63b7-4c37-bebb-ed7f8fcc82ab status: experimental description: Detects potential processes activity of EMCO Remote Console RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/encapto_network_sigma.yml b/detections/sigma/encapto_network_sigma.yml index 5536be40..23367f9c 100644 --- a/detections/sigma/encapto_network_sigma.yml +++ b/detections/sigma/encapto_network_sigma.yml @@ -7,11 +7,11 @@ detection: DestinationHostname|endswith: - encapto.com condition: selection -id: b704e63b-f10c-4f64-8962-87d477c2586c +id: 78836ae6-3dc5-4271-9643-7d6f02e60b4b status: experimental description: Detects potential network activity of Encapto RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/ericom_accessnow_network_sigma.yml b/detections/sigma/ericom_accessnow_network_sigma.yml index bb86772e..8eb073af 100644 --- a/detections/sigma/ericom_accessnow_network_sigma.yml +++ b/detections/sigma/ericom_accessnow_network_sigma.yml @@ -8,11 +8,11 @@ detection: - user_managed - ericom.com condition: selection -id: ff565ebe-dfde-478d-8d53-70812493cea3 +id: 1251e733-2e04-4e79-a1fa-4c171f5b0e46 status: experimental description: Detects potential network activity of Ericom AccessNow RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/ericom_accessnow_processes_sigma.yml b/detections/sigma/ericom_accessnow_processes_sigma.yml index 702ffd0a..b34b3aac 100644 --- a/detections/sigma/ericom_accessnow_processes_sigma.yml +++ b/detections/sigma/ericom_accessnow_processes_sigma.yml 
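Review bot: ericom_accessnow_network_sigma.yml matches every connection to a hostname ending in `ericom.com`, the vendor's corporate domain, while the remote-control channel of a self-hosted AccessNow deployment (the `user_managed` entry) goes to the customer's own server. The rule will therefore flag browsing to the vendor site and product update checks and miss the actual session traffic. State that limitation in `description` and set `level: low`, or drop the network rule for self-hosted products and keep only the process rule; `encapto.com` in the preceding hunk has the same vendor-site-only characteristic.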
@@ -8,11 +8,11 @@ detection: - accessserver*.exe - accessserver.exe condition: selection -id: 1c2e736f-2300-4d61-b987-8acaf4c7afe8 +id: b1f1b872-2e40-4538-acdb-1999ce3e8b1f status: experimental description: Detects potential processes activity of Ericom AccessNow RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/ericom_connect_network_sigma.yml b/detections/sigma/ericom_connect_network_sigma.yml index 7993e4c5..d4e5b13e 100644 --- a/detections/sigma/ericom_connect_network_sigma.yml +++ b/detections/sigma/ericom_connect_network_sigma.yml @@ -8,11 +8,11 @@ detection: - user_managed - ericom.com condition: selection -id: de61c636-0439-4eca-a924-c529a0062a55 +id: 774e5589-c1ad-4dac-bff8-f20069295f06 status: experimental description: Detects potential network activity of Ericom Connect RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/ericom_connect_processes_sigma.yml b/detections/sigma/ericom_connect_processes_sigma.yml index 4c4606bd..3b4bf3fa 100644 --- a/detections/sigma/ericom_connect_processes_sigma.yml +++ b/detections/sigma/ericom_connect_processes_sigma.yml @@ -8,11 +8,11 @@ detection: - EricomConnectRemoteHost*.exe - ericomconnnectconfigurationtool.exe condition: selection -id: 0ac1f9b1-2298-4ecc-8ebc-69fd696ee875 +id: 9e1e58c9-17fe-4239-9292-9e5466ff5471 status: experimental description: Detects potential processes activity of Ericom Connect RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/eset_remote_administrator_network_sigma.yml b/detections/sigma/eset_remote_administrator_network_sigma.yml index e700f78e..1e3f103f 100644 --- a/detections/sigma/eset_remote_administrator_network_sigma.yml +++ b/detections/sigma/eset_remote_administrator_network_sigma.yml 
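Review bot: `ericomconnnectconfigurationtool.exe` in ericom_connect_processes_sigma.yml has three consecutive `n`s; that looks like a typo in the source record rather than the binary's real name, and because endswith needs an exact tail match a single wrong character makes the value dead. Verify the file name against an actual install (or the PE metadata the catalogue captures for the tool) and fix it in the source so the rule regenerates correctly. In the AccessNow hunk above, `accessserver.exe` is fully covered by `accessserver*.exe`, so the generator's de-duplication step should drop it.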
@@ -8,11 +8,11 @@ detection: - user_managed - eset.com/me/business/remote-management/remote-administrator/ condition: selection -id: 13ff2372-ded1-4577-b120-eb240ea6ab7b +id: d0f8dc3b-f6c4-4293-a6c3-9c5928d5355e status: experimental description: Detects potential network activity of ESET Remote Administrator RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/eset_remote_administrator_processes_sigma.yml b/detections/sigma/eset_remote_administrator_processes_sigma.yml index be3382be..4633187f 100644 --- a/detections/sigma/eset_remote_administrator_processes_sigma.yml +++ b/detections/sigma/eset_remote_administrator_processes_sigma.yml @@ -11,12 +11,12 @@ detection: - ezhelp*.exe - eratool.exe condition: selection -id: 3e59ba25-ec2b-40a4-b2e5-f1f6a340a200 +id: 3963c4a9-9c8f-46c9-999d-cd1859c4312f status: experimental description: Detects potential processes activity of ESET Remote Administrator RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/expandrive_processes_sigma.yml b/detections/sigma/expandrive_processes_sigma.yml index 0a708c1a..bbd10da6 100644 --- a/detections/sigma/expandrive_processes_sigma.yml +++ b/detections/sigma/expandrive_processes_sigma.yml @@ -8,11 +8,11 @@ detection: - C:\Users\*\ExpanDrive.exe - '*\ExpanDrive.exe' condition: selection -id: 93becb5e-c88b-4ef3-8e1b-b51b4661ab18 +id: 063831a9-cbe9-4699-bc06-29cfc716b55f status: experimental description: Detects potential processes activity of ExpanDrive RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/extraputty_processes_sigma.yml b/detections/sigma/extraputty_processes_sigma.yml index 99a679c2..1ac5adce 100644 --- a/detections/sigma/extraputty_processes_sigma.yml +++ b/detections/sigma/extraputty_processes_sigma.yml 
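Review bot: eset_remote_administrator_processes_sigma.yml includes `ezhelp*.exe`, which is the ezHelp product's binary and already appears in ezhelp_processes_sigma.yml further down, and the network rule above it carries a URL path (`eset.com/me/business/remote-management/remote-administrator/`) in `DestinationHostname|endswith`, which can never match a hostname. Both point to the ESET catalogue entry having been merged with a neighbouring record; the generator should validate that a domain value contains no `/`, and the ESET entry needs its own process list. Until the data is fixed this rule will misattribute ezHelp activity to ESET Remote Administrator.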
@@ -9,11 +9,11 @@ detection: - '*Users\*\ExtraPuTTY-0.30-2016-01-28-installer.exe' - '*\ExtraPuTTY-0.30-2016-01-28-installer.exe' condition: selection -id: 531a60b8-7bea-4ba0-b813-1e7f36516ca8 +id: 0389408b-eb81-4de9-8304-76da1d845757 status: experimental description: Detects potential processes activity of ExtraPuTTY RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/ezhelp_network_sigma.yml b/detections/sigma/ezhelp_network_sigma.yml index 6d6c655b..ef712a2e 100644 --- a/detections/sigma/ezhelp_network_sigma.yml +++ b/detections/sigma/ezhelp_network_sigma.yml @@ -8,11 +8,11 @@ detection: - '*.ezhelp.co.kr' - ezhelp.co.kr condition: selection -id: 74527672-ed2f-408d-bb34-d4d83ec5db9e +id: 1c9349b6-941a-4c1f-9ba0-ab78e16f06fa status: experimental description: Detects potential network activity of ezHelp RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/ezhelp_processes_sigma.yml b/detections/sigma/ezhelp_processes_sigma.yml index 7841820d..a978b6a7 100644 --- a/detections/sigma/ezhelp_processes_sigma.yml +++ b/detections/sigma/ezhelp_processes_sigma.yml @@ -9,11 +9,11 @@ detection: - ezHelpManager.exe - ezhelpclient.exe condition: selection -id: 41b78f9d-be97-482c-9e64-736fcef8573c +id: a3d5fca0-c518-4d77-aef3-80aaa4ff00cc status: experimental description: Detects potential processes activity of ezHelp RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/fastviewer_network_sigma.yml b/detections/sigma/fastviewer_network_sigma.yml index 104488df..fdcc1ece 100644 --- a/detections/sigma/fastviewer_network_sigma.yml +++ b/detections/sigma/fastviewer_network_sigma.yml 
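Review bot: extraputty_processes_sigma.yml keys on `ExtraPuTTY-0.30-2016-01-28-installer.exe`, a single version-pinned installer file name: any other release, a renamed download, or the installed executable is missed, and because the field is `ParentImage` it only fires when the installer itself spawns something. The detection should name the installed executable(s) and, if installer detection is wanted, wildcard the version segment, `ExtraPuTTY-*-installer.exe`. `*Users\*\...` and `*\...` also overlap, so the generator is emitting both an absolute-path and a suffix form for the same file and only the suffix form is needed.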
@@ -8,11 +8,11 @@ detection: - '*.fastviewer.com' - fastviewer.com condition: selection -id: 1e62e748-c923-4d2a-a36f-763d6623b526 +id: 2bd1088d-19c5-4d3d-a22b-bf56245c9cc8 status: experimental description: Detects potential network activity of FastViewer RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/fastviewer_processes_sigma.yml b/detections/sigma/fastviewer_processes_sigma.yml index 0fd65601..35f8fbc7 100644 --- a/detections/sigma/fastviewer_processes_sigma.yml +++ b/detections/sigma/fastviewer_processes_sigma.yml @@ -9,11 +9,11 @@ detection: - fastmaster.exe - FastViewer.exe condition: selection -id: 9a23c48e-679a-476c-8540-d5711d3374f0 +id: 820782ac-3ab0-4d83-8ba2-0f5349a56a99 status: experimental description: Detects potential processes activity of FastViewer RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/filezilla_processes_sigma.yml b/detections/sigma/filezilla_processes_sigma.yml index 88ba416e..3cee0376 100644 --- a/detections/sigma/filezilla_processes_sigma.yml +++ b/detections/sigma/filezilla_processes_sigma.yml @@ -7,11 +7,11 @@ detection: ParentImage|endswith: - '*\FileZilla.exe' condition: selection -id: 02e7c49a-32ee-4f8a-8676-e16051290eab +id: 214b6209-b165-4b2a-943e-2bae48ad5664 status: experimental description: Detects potential processes activity of FileZilla RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/fixme.it_network_sigma.yml b/detections/sigma/fixme.it_network_sigma.yml index ba3f7633..e6abe72f 100644 --- a/detections/sigma/fixme.it_network_sigma.yml +++ b/detections/sigma/fixme.it_network_sigma.yml 
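Review bot: fastviewer_network_sigma.yml lists both `'*.fastviewer.com'` and `fastviewer.com` under endswith; the second value subsumes the first and, having no leading dot, also matches `myfastviewer.com`. The precise rendering is `'.fastviewer.com'` for subdomains plus an exact `DestinationHostname: fastviewer.com` selection for the apex, and this template pattern is reproduced across the other network rules in the diff. Passing the domain list through a small normaliser in the generator (strip a leading `*`, prepend `.` to a bare apex, emit the apex as an exact match) would fix them all at once.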
@@ -11,11 +11,11 @@ detection: - '*set.me' - '*setme.net' condition: selection -id: e4887a12-cfa8-42f1-8182-85c92320316c +id: 67ebb693-3b35-44f5-ab91-d8905ff32eb3 status: experimental description: Detects potential network activity of FixMe.it RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/fixme.it_processes_sigma.yml b/detections/sigma/fixme.it_processes_sigma.yml index bf21bf65..f9d0e675 100644 --- a/detections/sigma/fixme.it_processes_sigma.yml +++ b/detections/sigma/fixme.it_processes_sigma.yml @@ -15,11 +15,11 @@ detection: - TiClientCore.exe - TiClientHelper*.exe condition: selection -id: 0fe00003-3625-4c20-991f-2942ba5af8ee +id: f4cfc99a-3e0c-4f7a-afd8-3f999128a477 status: experimental description: Detects potential processes activity of FixMe.it RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/fixme_network_sigma.yml b/detections/sigma/fixme_network_sigma.yml index 46bd47ec..7d0187ba 100644 --- a/detections/sigma/fixme_network_sigma.yml +++ b/detections/sigma/fixme_network_sigma.yml @@ -7,11 +7,11 @@ detection: DestinationHostname|endswith: - fixme.it condition: selection -id: 36321dca-a454-4453-9626-5df0a3272281 +id: 4ae6e481-664f-43dd-9e7f-8dc88b724da3 status: experimental description: Detects potential network activity of FixMe RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/fixme_processes_sigma.yml b/detections/sigma/fixme_processes_sigma.yml index 8009f922..87347ae1 100644 --- a/detections/sigma/fixme_processes_sigma.yml +++ b/detections/sigma/fixme_processes_sigma.yml 
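Review bot: In fixme.it_network_sigma.yml the values `'*set.me'` and `'*setme.net'` under `DestinationHostname|endswith` match any domain whose name ends in those letters (`reset.me`, `asset.me`, `closet.me`), because endswith is a raw suffix test and the leading `*` adds nothing. They need the dot boundary, `'.set.me'` and `'.setme.net'`, with the apex as a separate exact value if the product really uses it. There is also a parallel fixme_network_sigma.yml in the next hunk covering `fixme.it`; two rule sets for one product with unrelated ids will double-alert and should be merged in the catalogue.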
@@ -12,11 +12,11 @@ detection: - FixMeit Unattended Access Setup.exe - FixMeit Expert Setup.exe condition: selection -id: e6db4c2c-6fdb-4dab-94e8-a28e7f2a237d +id: 723d54d9-a8b0-40e4-9b27-a8c97881353f status: experimental description: Detects potential processes activity of FixMe RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/fleetdeck.io_network_sigma.yml b/detections/sigma/fleetdeck.io_network_sigma.yml index efee7f04..7f832b54 100644 --- a/detections/sigma/fleetdeck.io_network_sigma.yml +++ b/detections/sigma/fleetdeck.io_network_sigma.yml @@ -7,11 +7,11 @@ detection: DestinationHostname|endswith: - fleetdeck.io condition: selection -id: 27d3bf44-72ef-4f02-9d7e-3e734abff9a4 +id: 430ac9bb-c9db-4f8f-85c3-b0db33be9d26 status: experimental description: Detects potential network activity of FleetDeck.io RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/fleetdeck.io_processes_sigma.yml b/detections/sigma/fleetdeck.io_processes_sigma.yml index 0ae73f5c..f475400d 100644 --- a/detections/sigma/fleetdeck.io_processes_sigma.yml +++ b/detections/sigma/fleetdeck.io_processes_sigma.yml @@ -11,11 +11,11 @@ detection: - fleetdeck_commander_launcher.exe - fleetdeck_agent.exe condition: selection -id: 45c11c1b-e977-477e-a672-38a362bcb755 +id: 945182ec-fda2-4f02-a77e-aa649bc311b6 status: experimental description: Detects potential processes activity of FleetDeck.io RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/fleetdeck_network_sigma.yml b/detections/sigma/fleetdeck_network_sigma.yml index 69f99659..10527919 100644 --- a/detections/sigma/fleetdeck_network_sigma.yml +++ b/detections/sigma/fleetdeck_network_sigma.yml 
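Review bot: fleetdeck.io_network_sigma.yml, fleetdeck_network_sigma.yml and fleetdesk.io_network_sigma.yml all carry `fleetdeck.io`, and the three process rules overlap on `fleetdeck_agent.exe` / `fleetdeck_commander_launcher.exe`; these are three catalogue entries for one product, so a single connection will raise up to three alerts with three unrelated ids. Collapse them into one entry in the source data and let the generator emit one network and one process rule. `fleetdesk.io` in particular looks like a misspelling of the product name rather than a separate vendor, though I can only infer that from the shared indicators.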
@@ -7,11 +7,11 @@ detection: DestinationHostname|endswith: - fleetdeck.io condition: selection -id: e019217b-33f6-42df-bc70-081d77ee45c9 +id: dfc413ca-4f02-40b5-b4af-c2aa06129b6e status: experimental description: Detects potential network activity of FleetDeck RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/fleetdeck_processes_sigma.yml b/detections/sigma/fleetdeck_processes_sigma.yml index 7eab9bc1..7307ee20 100644 --- a/detections/sigma/fleetdeck_processes_sigma.yml +++ b/detections/sigma/fleetdeck_processes_sigma.yml @@ -7,11 +7,11 @@ detection: ParentImage|endswith: - fleetdeck_agent_svc.exe condition: selection -id: 6321c6cc-b12d-465c-91fe-ded016ffbac3 +id: b8194fd9-f7a9-4c15-97cd-34351971c00b status: experimental description: Detects potential processes activity of FleetDeck RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/fleetdesk.io_network_sigma.yml b/detections/sigma/fleetdesk.io_network_sigma.yml index 30970783..985b1d6f 100644 --- a/detections/sigma/fleetdesk.io_network_sigma.yml +++ b/detections/sigma/fleetdesk.io_network_sigma.yml @@ -9,11 +9,11 @@ detection: - cognito-idp.us-west-2.amazonaws.com - fleetdeck.io condition: selection -id: 11a0d8f2-624d-4b56-914f-31ce904f0ae1 +id: 129d5713-af89-4506-97f2-ee966aaa34b1 status: experimental description: Detects potential network activity of FleetDesk.io RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/fleetdesk.io_processes_sigma.yml b/detections/sigma/fleetdesk.io_processes_sigma.yml index a42bd443..e5785110 100644 --- a/detections/sigma/fleetdesk.io_processes_sigma.yml +++ b/detections/sigma/fleetdesk.io_processes_sigma.yml 
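Review bot: fleetdesk.io_network_sigma.yml includes `cognito-idp.us-west-2.amazonaws.com` in `DestinationHostname|endswith`; that is the shared AWS Cognito identity endpoint for a whole region and is used by countless unrelated SaaS applications, so the rule will fire on ordinary business traffic and attribute it to FleetDeck. Drop generic cloud-provider endpoints from the catalogue and add a deny-list in the generator for shared infrastructure suffixes (`amazonaws.com`, `cloudfront.net` and the like) so this class of indicator cannot be rendered into a rule; keep only product-specific hostnames such as `fleetdeck.io`.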
@@ -11,11 +11,11 @@ detection: - fleetdeck_agent.exe - fleetdeck_commander_launcher.exe condition: selection -id: cdb69ca7-560d-412d-b342-0b7b8c929d58 +id: 6d868e41-b759-4e0e-976d-7e3ce05b7b87 status: experimental description: Detects potential processes activity of FleetDesk.io RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/fortra_network_sigma.yml b/detections/sigma/fortra_network_sigma.yml index 633ead1c..2a57112a 100644 --- a/detections/sigma/fortra_network_sigma.yml +++ b/detections/sigma/fortra_network_sigma.yml @@ -7,11 +7,11 @@ detection: DestinationHostname|endswith: - fortra.com condition: selection -id: 10fc8d64-3bea-4969-a8d2-fa5b0da7117b +id: 995ea532-e7e8-4b53-a4ae-c6846a58cc75 status: experimental description: Detects potential network activity of Fortra RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/freefilesync_processes_sigma.yml b/detections/sigma/freefilesync_processes_sigma.yml index e2de51f1..28955f0f 100644 --- a/detections/sigma/freefilesync_processes_sigma.yml +++ b/detections/sigma/freefilesync_processes_sigma.yml @@ -7,11 +7,11 @@ detection: ParentImage|endswith: - '*\FreeFileSync.exe' condition: selection -id: ae9d7e28-3641-4bbf-84af-de03a781662d +id: 22878dc1-16ee-4206-a5bf-d28eb818b87e status: experimental description: Detects potential processes activity of FreeFileSync RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/freenx_processes_sigma.yml b/detections/sigma/freenx_processes_sigma.yml index 1e9133ad..65442a7a 100644 --- a/detections/sigma/freenx_processes_sigma.yml +++ b/detections/sigma/freenx_processes_sigma.yml 
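Review bot: fortra_network_sigma.yml fires on any hostname ending in `fortra.com`, the umbrella corporate domain of a vendor that ships many unrelated products, and its description does not say which product's remote-management channel it is meant to catch; a hit therefore cannot be triaged, and legitimate traffic from any other Fortra product or a visit to the vendor site will match. The catalogue entry should name the product and its service hostnames, and the generator should treat a bare vendor apex as low confidence (`level: low`, with a `falsepositives` entry for vendor-site and update traffic). FreeFileSync in the following hunk has the same "RMM tool" mislabelling noted for Dropbox.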
@@ -8,11 +8,11 @@ detection: - C:\*\nxplayer.exe - '*\nxplayer.exe' condition: selection -id: c2252758-992e-4760-b22b-754aa5a67bde +id: a8679551-7b77-4937-9b0d-d58e81caf27f status: experimental description: Detects potential processes activity of FreeNX RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/gatherplace-desktop_sharing_network_sigma.yml b/detections/sigma/gatherplace-desktop_sharing_network_sigma.yml index 904cb404..c1ba53fa 100644 --- a/detections/sigma/gatherplace-desktop_sharing_network_sigma.yml +++ b/detections/sigma/gatherplace-desktop_sharing_network_sigma.yml @@ -9,12 +9,12 @@ detection: - '*.gatherplace.net' - gatherplace.com condition: selection -id: fd1ae6a3-eb22-4a41-86a9-e7698d77b0f4 +id: ef086892-3bcd-4b23-91b5-4838a3842152 status: experimental description: Detects potential network activity of GatherPlace-desktop sharing RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/gatherplace-desktop_sharing_processes_sigma.yml b/detections/sigma/gatherplace-desktop_sharing_processes_sigma.yml index 422ff96c..23680495 100644 --- a/detections/sigma/gatherplace-desktop_sharing_processes_sigma.yml +++ b/detections/sigma/gatherplace-desktop_sharing_processes_sigma.yml @@ -9,12 +9,12 @@ detection: - gp4.exe - gp5.exe condition: selection -id: 2dd488b0-acf8-42d5-8b71-c5a770875ac1 +id: 5c52fe62-88f8-4156-b9b6-a53ec478bb98 status: experimental description: Detects potential processes activity of GatherPlace-desktop sharing RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/getscreen_network_sigma.yml b/detections/sigma/getscreen_network_sigma.yml index 1b6d54df..ff411397 100644 --- a/detections/sigma/getscreen_network_sigma.yml +++ b/detections/sigma/getscreen_network_sigma.yml 
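Review bot: gatherplace-desktop_sharing_processes_sigma.yml matches `gp4.exe` and `gp5.exe` as bare suffixes under `ParentImage|endswith`; three-character tails like these also match `\mgp4.exe`, `\xgp5.exe` and similar, because the modifier does not require a path-separator boundary. Render short names with the separator, `'\gp4.exe'` / `'\gp5.exe'`. `'*.gatherplace.net'` plus bare `gatherplace.com` in the network hunk above has the missing-dot issue seen elsewhere in this commit.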
@@ -9,11 +9,11 @@ detection: - GetScreen.me - '*.getscreen.me' condition: selection -id: fefb75cb-269d-4b86-9518-b987aa6c60cb +id: 6d5045f0-ab0c-49ef-aeb8-0fc087eb8bc3 status: experimental description: Detects potential network activity of GetScreen RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/getscreen_processes_sigma.yml b/detections/sigma/getscreen_processes_sigma.yml index 8e12bb21..120409f3 100644 --- a/detections/sigma/getscreen_processes_sigma.yml +++ b/detections/sigma/getscreen_processes_sigma.yml @@ -8,11 +8,11 @@ detection: - GetScreen.exe - getscreen.exe condition: selection -id: 818c0c4e-f1f5-49bc-ac4d-dab7d0e0c549 +id: 0c38030b-b6a5-4df0-8c3e-bbe6c56c1bb7 status: experimental description: Detects potential processes activity of GetScreen RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/goodsync_processes_sigma.yml b/detections/sigma/goodsync_processes_sigma.yml index d9501611..ba64767b 100644 --- a/detections/sigma/goodsync_processes_sigma.yml +++ b/detections/sigma/goodsync_processes_sigma.yml @@ -7,11 +7,11 @@ detection: ParentImage|endswith: - GoodSync-vsub-Setup.exe condition: selection -id: cd376eb4-90a1-46c0-8af5-dfc65f5478bc +id: 1de89b25-4e7d-4020-bf52-f51e1a22e38f status: experimental description: Detects potential processes activity of GoodSync RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/google_drive_processes_sigma.yml b/detections/sigma/google_drive_processes_sigma.yml index 7305a77e..1df07e1b 100644 --- a/detections/sigma/google_drive_processes_sigma.yml +++ b/detections/sigma/google_drive_processes_sigma.yml 
@@ -7,11 +7,11 @@ detection: ParentImage|endswith: - '*\GoogleDriveFS.exe' condition: selection -id: e09b30de-7916-4f8c-a80c-230c8e288f86 +id: b8b3c2a8-ac0d-4384-aaa0-ca4866c1ba1d status: experimental description: Detects potential processes activity of Google Drive RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/gotoassist_network_sigma.yml b/detections/sigma/gotoassist_network_sigma.yml index aa70e832..635c38d7 100644 --- a/detections/sigma/gotoassist_network_sigma.yml +++ b/detections/sigma/gotoassist_network_sigma.yml @@ -14,11 +14,11 @@ detection: - '*.gotoassist.at' - '*.desktopstreaming.com' condition: selection -id: ae06c136-d713-4125-9d83-487ff21d37a1 +id: 35baa228-9b56-416d-9652-d696f35ca87b status: experimental description: Detects potential network activity of GoToAssist RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/gotoassist_processes_sigma.yml b/detections/sigma/gotoassist_processes_sigma.yml index 9b032525..ff7708fa 100644 --- a/detections/sigma/gotoassist_processes_sigma.yml +++ b/detections/sigma/gotoassist_processes_sigma.yml @@ -9,11 +9,11 @@ detection: - g2a*.exe - GoTo Assist Opener.exe condition: selection -id: 8130eb9f-41a4-4780-8f53-0764c797f675 +id: 07ec59df-b06d-40f6-86c0-5b90d94e5b34 status: experimental description: Detects potential processes activity of GoToAssist RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/gotohttp_network_sigma.yml b/detections/sigma/gotohttp_network_sigma.yml index 5fe93275..362a1c29 100644 --- a/detections/sigma/gotohttp_network_sigma.yml +++ b/detections/sigma/gotohttp_network_sigma.yml 
@@ -8,11 +8,11 @@ detection: - '*.gotohttp.com' - gotohttp.com condition: selection -id: 75a00f1e-3eb2-40cd-94fa-85156e47c396 +id: 0ab632b8-05a4-4272-a55d-b53bf94ed676 status: experimental description: Detects potential network activity of GotoHTTP RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/gotohttp_processes_sigma.yml b/detections/sigma/gotohttp_processes_sigma.yml index a563f337..0205c370 100644 --- a/detections/sigma/gotohttp_processes_sigma.yml +++ b/detections/sigma/gotohttp_processes_sigma.yml @@ -9,11 +9,11 @@ detection: - gotohttp.exe - GotoHTTP*.exe condition: selection -id: 73d4e848-f97f-448a-adbf-9251f2fde542 +id: e2dde6a3-0330-48e1-9b80-73ec40a9201c status: experimental description: Detects potential processes activity of GotoHTTP RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/gotomypc_files_sigma.yml b/detections/sigma/gotomypc_files_sigma.yml index dccfb678..8975d3ef 100644 --- a/detections/sigma/gotomypc_files_sigma.yml +++ b/detections/sigma/gotomypc_files_sigma.yml @@ -7,11 +7,11 @@ detection: TargetFilename|endswith: - '%AppData%\GoTo\Logs\goto.log' condition: selection -id: 6c87a776-30c5-48c0-b307-4f28bcf2c711 +id: 987976ac-6971-4332-894a-916a4a631629 status: experimental description: Detects potential files activity of GoToMyPC RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/gotomypc_network_sigma.yml b/detections/sigma/gotomypc_network_sigma.yml index 5053cc92..8fa58732 100644 --- a/detections/sigma/gotomypc_network_sigma.yml +++ b/detections/sigma/gotomypc_network_sigma.yml 
@@ -7,11 +7,11 @@ detection: DestinationHostname|endswith: - '*.GoToMyPC.com' condition: selection -id: 2d6122bc-eea9-4d95-bd13-ba5395138411 +id: a500441d-2754-4a91-8ce1-016086b78b26 status: experimental description: Detects potential network activity of GoToMyPC RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/gotomypc_registry_sigma.yml b/detections/sigma/gotomypc_registry_sigma.yml index 4fdf856b..1f0fc6ee 100644 --- a/detections/sigma/gotomypc_registry_sigma.yml +++ b/detections/sigma/gotomypc_registry_sigma.yml @@ -10,11 +10,11 @@ detection: - HKEY_CURRENT_USER\SOFTWARE\Citrix\GoToMyPc\FileTransfer\history - HKEY_USERS\\SOFTWARE\Citrix\GoToMyPc\FileTransfer\history condition: selection -id: 42e10fa6-4158-4e0d-bf1d-986abbfb44ce +id: 19774fdd-89fd-43eb-9871-30c5930f1af4 status: experimental description: Detects potential registry activity of GoToMyPC RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/goverlan_network_sigma.yml b/detections/sigma/goverlan_network_sigma.yml index 1d542466..335f50c3 100644 --- a/detections/sigma/goverlan_network_sigma.yml +++ b/detections/sigma/goverlan_network_sigma.yml @@ -8,11 +8,11 @@ detection: - user_managed - goverlan.com condition: selection -id: 8c5d4901-1a0e-45e3-b244-d09f95d540c6 +id: 4564a8c4-c547-47dd-85e4-051f56cc080d status: experimental description: Detects potential network activity of Goverlan RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/goverlan_processes_sigma.yml b/detections/sigma/goverlan_processes_sigma.yml index b05f904e..9e66f3af 100644 --- a/detections/sigma/goverlan_processes_sigma.yml +++ b/detections/sigma/goverlan_processes_sigma.yml 
@@ -12,11 +12,11 @@ detection: - GovReachClient.exe - '*\GovSrv.exe' condition: selection -id: 603f2967-5a31-4335-8171-c0eb911cf2a1 +id: 2f46ef52-bdef-4473-b391-9ebbea36d547 status: experimental description: Detects potential processes activity of Goverlan RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/guacamole_network_sigma.yml b/detections/sigma/guacamole_network_sigma.yml index 6ed37f46..f634eea1 100644 --- a/detections/sigma/guacamole_network_sigma.yml +++ b/detections/sigma/guacamole_network_sigma.yml @@ -8,11 +8,11 @@ detection: - user_managed - guacamole.apache.org condition: selection -id: 896eae41-1692-47e2-b54c-be224173b531 +id: 3ab12f88-dd15-4b80-9ecd-cf3ab4cc1faa status: experimental description: Detects potential network activity of Guacamole RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/guacamole_processes_sigma.yml b/detections/sigma/guacamole_processes_sigma.yml index 3b61b3ae..33dbce49 100644 --- a/detections/sigma/guacamole_processes_sigma.yml +++ b/detections/sigma/guacamole_processes_sigma.yml @@ -7,11 +7,11 @@ detection: ParentImage|endswith: - guacd.exe condition: selection -id: 1c1e1d69-a65c-4788-9478-731ef46be597 +id: 12ace335-9d02-4845-bda4-10b1597afc3e status: experimental description: Detects potential processes activity of Guacamole RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/helpbeam_network_sigma.yml b/detections/sigma/helpbeam_network_sigma.yml index 192b7c13..962bef5a 100644 --- a/detections/sigma/helpbeam_network_sigma.yml +++ b/detections/sigma/helpbeam_network_sigma.yml 
@@ -7,11 +7,11 @@ detection: DestinationHostname|endswith: - helpbeam.software.informer.com condition: selection -id: 8dc08d74-0048-4ddb-90da-5f2115cc7ba7 +id: c54ba54d-fc25-4501-89f8-ecebae615d7a status: experimental description: Detects potential network activity of HelpBeam RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/helpbeam_processes_sigma.yml b/detections/sigma/helpbeam_processes_sigma.yml index 8606f105..4b149bdf 100644 --- a/detections/sigma/helpbeam_processes_sigma.yml +++ b/detections/sigma/helpbeam_processes_sigma.yml @@ -7,11 +7,11 @@ detection: ParentImage|endswith: - helpbeam*.exe condition: selection -id: d3d9bc5d-7363-4336-b44c-565cf1426489 +id: a79a8449-d2a8-4d4e-9050-3e1fb530f790 status: experimental description: Detects potential processes activity of HelpBeam RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/helpu_network_sigma.yml b/detections/sigma/helpu_network_sigma.yml index 06c65d18..5cf3c12c 100644 --- a/detections/sigma/helpu_network_sigma.yml +++ b/detections/sigma/helpu_network_sigma.yml @@ -8,11 +8,11 @@ detection: - helpu.co.kr - '*.helpu.co.kr' condition: selection -id: 739baa64-d07d-4b66-998e-4a79161fff6e +id: f7818a0e-2039-4ad5-ae84-891d93dff067 status: experimental description: Detects potential network activity of HelpU RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/helpu_processes_sigma.yml b/detections/sigma/helpu_processes_sigma.yml index 49dae47f..0bb87e9e 100644 --- a/detections/sigma/helpu_processes_sigma.yml +++ b/detections/sigma/helpu_processes_sigma.yml 
@@ -9,11 +9,11 @@ detection: - HelpuUpdater.exe - HelpuManager.exe condition: selection -id: fdff99d2-6d9a-4478-9b96-5eaf6db84f16 +id: 0779ec5e-05d7-4174-ab1c-a66175b3bf92 status: experimental description: Detects potential processes activity of HelpU RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/i'm_intouch_network_sigma.yml b/detections/sigma/i'm_intouch_network_sigma.yml index c6ffb4c8..5c3dfe88 100644 --- a/detections/sigma/i'm_intouch_network_sigma.yml +++ b/detections/sigma/i'm_intouch_network_sigma.yml @@ -8,11 +8,11 @@ detection: - '*.01com.com' - 01com.com/imintouch-remote-pc-desktop condition: selection -id: c19da028-3bbd-402e-b73e-6439ceb561eb +id: e9c4aa64-be23-4708-a1dd-e8c3661d74e6 status: experimental description: Detects potential network activity of I'm InTouch RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/i'm_intouch_processes_sigma.yml b/detections/sigma/i'm_intouch_processes_sigma.yml index 3489e41f..1b44a04c 100644 --- a/detections/sigma/i'm_intouch_processes_sigma.yml +++ b/detections/sigma/i'm_intouch_processes_sigma.yml @@ -9,11 +9,11 @@ detection: - intouch.exe - I'm InTouch Go Installer.exe condition: selection -id: d17b064d-4f3e-49f6-8bbb-79b35d6e25d0 +id: 1f3ab0ec-8988-4e28-964f-53a54c756e4c status: experimental description: Detects potential processes activity of I'm InTouch RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/impero_connect_network_sigma.yml b/detections/sigma/impero_connect_network_sigma.yml index cffa1d87..3976e85b 100644 --- a/detections/sigma/impero_connect_network_sigma.yml +++ b/detections/sigma/impero_connect_network_sigma.yml 
@@ -7,11 +7,11 @@ detection: DestinationHostname|endswith: - imperosoftware.com condition: selection -id: d4fbc9e7-9ef9-45d0-8cb6-f261f0673cea +id: fc474a0d-c3ae-43b7-9547-65ae0417e4fb status: experimental description: Detects potential network activity of Impero Connect RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/impero_connect_processes_sigma.yml b/detections/sigma/impero_connect_processes_sigma.yml index 9e2594c1..6a668b0c 100644 --- a/detections/sigma/impero_connect_processes_sigma.yml +++ b/detections/sigma/impero_connect_processes_sigma.yml @@ -7,11 +7,11 @@ detection: ParentImage|endswith: - ImperoClientSVC.exe condition: selection -id: 3e22900e-4ff6-42cc-bf8c-3813e5194882 +id: 271eea29-f7dc-499a-85a6-4907de4cd34a status: experimental description: Detects potential processes activity of Impero Connect RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/instant_housecall_network_sigma.yml b/detections/sigma/instant_housecall_network_sigma.yml index 9ac26182..bb1d9495 100644 --- a/detections/sigma/instant_housecall_network_sigma.yml +++ b/detections/sigma/instant_housecall_network_sigma.yml @@ -10,11 +10,11 @@ detection: - '*.instanthousecall.net' - instanthousecall.com condition: selection -id: 95c7d7ea-cdea-4d62-bf6d-373003a04727 +id: 8d93e400-46bd-4d83-af61-d70ea2da9750 status: experimental description: Detects potential network activity of Instant Housecall RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/instant_housecall_processes_sigma.yml b/detections/sigma/instant_housecall_processes_sigma.yml index 27d8a39c..bff255c2 100644 --- a/detections/sigma/instant_housecall_processes_sigma.yml +++ b/detections/sigma/instant_housecall_processes_sigma.yml 
@@ -10,11 +10,11 @@ detection: - ihcserver.exe - instanthousecall.exe condition: selection -id: fe519a4c-803f-454a-89f4-63e3a36cb860 +id: ff766798-323b-4075-a0cb-67b617ede5a9 status: experimental description: Detects potential processes activity of Instant Housecall RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/insync_processes_sigma.yml b/detections/sigma/insync_processes_sigma.yml index 198a449b..ce71eb7e 100644 --- a/detections/sigma/insync_processes_sigma.yml +++ b/detections/sigma/insync_processes_sigma.yml @@ -9,11 +9,11 @@ detection: - '*Users\*\AppData\Roaming\Insync\App\Insync.exe' - '*\Insync.exe' condition: selection -id: 42e1d0d4-4bb1-438c-9627-1a2a5eb96feb +id: 1b5f0d04-d37b-4e61-8d20-7dac0f2c3c7c status: experimental description: Detects potential processes activity of Insync RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/intelliadmin_remote_control_network_sigma.yml b/detections/sigma/intelliadmin_remote_control_network_sigma.yml index 62168891..e7dea12a 100644 --- a/detections/sigma/intelliadmin_remote_control_network_sigma.yml +++ b/detections/sigma/intelliadmin_remote_control_network_sigma.yml @@ -9,12 +9,12 @@ detection: - '*.intelliadmin.com' - intelliadmin.com/remote-control condition: selection -id: ef5fac60-6b75-4c50-ba2e-02b0325bcf4b +id: 9bcee176-b4ba-4e1c-87fb-eb7f9dbfffae status: experimental description: Detects potential network activity of IntelliAdmin Remote Control RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/intelliadmin_remote_control_processes_sigma.yml b/detections/sigma/intelliadmin_remote_control_processes_sigma.yml index 65256b6f..36d54756 100644 --- a/detections/sigma/intelliadmin_remote_control_processes_sigma.yml 
+++ b/detections/sigma/intelliadmin_remote_control_processes_sigma.yml @@ -11,12 +11,12 @@ detection: - agent64.exe - agent_setup_5.exe condition: selection -id: 03d4392c-9a36-42ff-8281-e499373a8c82 +id: 92dd3c65-418e-4acf-802e-d1e2bf377863 status: experimental description: Detects potential processes activity of IntelliAdmin Remote Control RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/iperius_remote_network_sigma.yml b/detections/sigma/iperius_remote_network_sigma.yml index a3a5f002..37badbdf 100644 --- a/detections/sigma/iperius_remote_network_sigma.yml +++ b/detections/sigma/iperius_remote_network_sigma.yml @@ -10,11 +10,11 @@ detection: - '*.iperius-rs.com' - iperiusremote.com condition: selection -id: 85596ce8-a4e0-4c61-9e20-ecb5dde9d1f0 +id: a0b1f500-b4b2-40c3-9f7e-6ab5bbacf0e9 status: experimental description: Detects potential network activity of Iperius Remote RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/iperius_remote_processes_sigma.yml b/detections/sigma/iperius_remote_processes_sigma.yml index 4402b39e..85c5ebd5 100644 --- a/detections/sigma/iperius_remote_processes_sigma.yml +++ b/detections/sigma/iperius_remote_processes_sigma.yml @@ -8,11 +8,11 @@ detection: - iperius.exe - iperiusremote.exe condition: selection -id: cb0c4646-c363-4107-8c13-29ab63e220cc +id: 971a62f4-b00c-49ac-95fe-b275ca6ce6e0 status: experimental description: Detects potential processes activity of Iperius Remote RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/isl_light_network_sigma.yml b/detections/sigma/isl_light_network_sigma.yml index 5277abbf..9ab271f0 100644 --- a/detections/sigma/isl_light_network_sigma.yml +++ b/detections/sigma/isl_light_network_sigma.yml 
@@ -7,11 +7,11 @@ detection: DestinationHostname|endswith: - islonline.com condition: selection -id: 51d67156-0fae-402f-b874-5643410197b2 +id: 962c66b5-e5d4-4e59-b31e-d127fbc500bb status: experimental description: Detects potential network activity of ISL Light RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/isl_light_processes_sigma.yml b/detections/sigma/isl_light_processes_sigma.yml index c123a3e6..815081cf 100644 --- a/detections/sigma/isl_light_processes_sigma.yml +++ b/detections/sigma/isl_light_processes_sigma.yml @@ -9,11 +9,11 @@ detection: - isllight.exe - isllightservice.exe condition: selection -id: f5df51e2-0ed0-48f2-8158-f0da9c7f1957 +id: 28dff07b-24d9-454b-a219-d096ed081c61 status: experimental description: Detects potential processes activity of ISL Light RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/isl_online_network_sigma.yml b/detections/sigma/isl_online_network_sigma.yml index ec00dc72..4268972e 100644 --- a/detections/sigma/isl_online_network_sigma.yml +++ b/detections/sigma/isl_online_network_sigma.yml @@ -8,11 +8,11 @@ detection: - '*.islonline.com' - '*.islonline.net' condition: selection -id: 28edea4d-3c36-4c36-849c-dd50f34623ea +id: e4272154-3b2d-4ce4-b736-b22f7000a025 status: experimental description: Detects potential network activity of ISL Online RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/isl_online_processes_sigma.yml b/detections/sigma/isl_online_processes_sigma.yml index b18cf1ce..eec0fc29 100644 --- a/detections/sigma/isl_online_processes_sigma.yml +++ b/detections/sigma/isl_online_processes_sigma.yml 
@@ -11,11 +11,11 @@ detection: - ISLLightClient.exe - '*\ISLLight.exe' condition: selection -id: 859b7b71-b8f1-408e-aa2b-ed76c6ae8f5b +id: 377c9711-2892-4ed8-b90e-ebcb8bc0cfdd status: experimental description: Detects potential processes activity of ISL Online RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/itarian_network_sigma.yml b/detections/sigma/itarian_network_sigma.yml index 977b92a5..9440c8e6 100644 --- a/detections/sigma/itarian_network_sigma.yml +++ b/detections/sigma/itarian_network_sigma.yml @@ -11,11 +11,11 @@ detection: - remoteaccess.itarian.com - servicedesk.itarian.com condition: selection -id: 8ba16778-fb8a-4ed4-a423-88bf449b0a10 +id: e125647e-f920-4f3f-b3de-4bed2a58e51e status: experimental description: Detects potential network activity of Itarian RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/itarian_processes_sigma.yml b/detections/sigma/itarian_processes_sigma.yml index 5d9a57d0..844d0c7e 100644 --- a/detections/sigma/itarian_processes_sigma.yml +++ b/detections/sigma/itarian_processes_sigma.yml @@ -16,11 +16,11 @@ detection: - ITSMService.exe - RHost.exe condition: selection -id: 27a1ec01-6826-4395-9be2-c0a40f8c7580 +id: 57c6e0df-6077-4f29-b48d-2999d628c549 status: experimental description: Detects potential processes activity of Itarian RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/itsupport247__connectwise__network_sigma.yml b/detections/sigma/itsupport247__connectwise__network_sigma.yml index 4c510c0e..63103928 100644 --- a/detections/sigma/itsupport247__connectwise__network_sigma.yml +++ b/detections/sigma/itsupport247__connectwise__network_sigma.yml 
@@ -8,12 +8,12 @@ detection: - '*.itsupport247.net' - itsupport247.net condition: selection -id: 0647c412-8092-4dee-9be4-a736e4ed7b6f +id: 7c677c95-b608-4705-8573-4cf6f0e2432a status: experimental description: Detects potential network activity of ITSupport247 (ConnectWise) RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/itsupport247__connectwise__processes_sigma.yml b/detections/sigma/itsupport247__connectwise__processes_sigma.yml index c2f4d6c4..4a9dc927 100644 --- a/detections/sigma/itsupport247__connectwise__processes_sigma.yml +++ b/detections/sigma/itsupport247__connectwise__processes_sigma.yml @@ -7,12 +7,12 @@ detection: ParentImage|endswith: - saazapsc.exe condition: selection -id: 8550c5e3-5dae-4a6d-bede-29a6fe0d28fe +id: 68ba025f-ec04-406d-98ab-4f6517a09105 status: experimental description: Detects potential processes activity of ITSupport247 (ConnectWise) RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/ivanti_remote_control_network_sigma.yml b/detections/sigma/ivanti_remote_control_network_sigma.yml index acd8c70d..72e8c89d 100644 --- a/detections/sigma/ivanti_remote_control_network_sigma.yml +++ b/detections/sigma/ivanti_remote_control_network_sigma.yml @@ -7,11 +7,11 @@ detection: DestinationHostname|endswith: - '*.ivanticloud.com' condition: selection -id: 7638eeef-f973-4274-8e5e-f57c2523e948 +id: 2f3899f6-7982-43c2-ab5b-cba5ccaf5686 status: experimental description: Detects potential network activity of Ivanti Remote Control RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/ivanti_remote_control_processes_sigma.yml b/detections/sigma/ivanti_remote_control_processes_sigma.yml index 54ee81b9..e7434c53 100644 --- a/detections/sigma/ivanti_remote_control_processes_sigma.yml 
+++ b/detections/sigma/ivanti_remote_control_processes_sigma.yml @@ -9,11 +9,11 @@ detection: - ArcUI.exe - AgentlessRC.exe condition: selection -id: b6b520cb-bd22-4dd5-a657-94faac8d20b6 +id: 3036c733-577f-4cc4-ab1c-2d67cc133328 status: experimental description: Detects potential processes activity of Ivanti Remote Control RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/jump_cloud_network_sigma.yml b/detections/sigma/jump_cloud_network_sigma.yml index 7de00136..a6aa00dd 100644 --- a/detections/sigma/jump_cloud_network_sigma.yml +++ b/detections/sigma/jump_cloud_network_sigma.yml @@ -8,11 +8,11 @@ detection: - '*.api.jumpcloud.com' - '*.assist.jumpcloud.com' condition: selection -id: 3e096c39-5da8-47c5-bc83-74aacaff37e3 +id: c1e37014-daab-4e69-8224-a2d59eecc118 status: experimental description: Detects potential network activity of Jump Cloud RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/jump_desktop_network_sigma.yml b/detections/sigma/jump_desktop_network_sigma.yml index 42a7aa83..db4a48f0 100644 --- a/detections/sigma/jump_desktop_network_sigma.yml +++ b/detections/sigma/jump_desktop_network_sigma.yml @@ -10,11 +10,11 @@ detection: - jumpto.me - '*.jumpto.me' condition: selection -id: 350d2a57-976a-46fc-b5e5-6679ad13a54e +id: 5e78e6b3-b646-460b-8407-7135a837bd9f status: experimental description: Detects potential network activity of Jump Desktop RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/jump_desktop_processes_sigma.yml b/detections/sigma/jump_desktop_processes_sigma.yml index 9b0b4fe0..be347c93 100644 --- a/detections/sigma/jump_desktop_processes_sigma.yml +++ b/detections/sigma/jump_desktop_processes_sigma.yml 
@@ -11,11 +11,11 @@ detection: - jumpconnect.exe - jumpupdater.exe condition: selection -id: 59631d60-60c2-450d-87a0-b3c03d53472a +id: 9bd9e57e-e4b7-4a81-9d61-960cad0f654e status: experimental description: Detects potential processes activity of Jump Desktop RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/kabuto_network_sigma.yml b/detections/sigma/kabuto_network_sigma.yml index 11b9f9f0..fb32c0b7 100644 --- a/detections/sigma/kabuto_network_sigma.yml +++ b/detections/sigma/kabuto_network_sigma.yml @@ -8,11 +8,11 @@ detection: - '*.kabuto.io' - repairtechsolutions.com/kabuto/ condition: selection -id: 7f412ef1-821b-44ea-bfe3-96e54e087e9d +id: 7748836e-1d1a-4c37-8d82-b9ef3f50764c status: experimental description: Detects potential network activity of Kabuto RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/kabuto_processes_sigma.yml b/detections/sigma/kabuto_processes_sigma.yml index da1d2639..0377622d 100644 --- a/detections/sigma/kabuto_processes_sigma.yml +++ b/detections/sigma/kabuto_processes_sigma.yml @@ -7,11 +7,11 @@ detection: ParentImage|endswith: - Kabuto.App.Runner.exe condition: selection -id: e7a4d8f9-bf93-4af8-984d-b861778c3957 +id: 3322a1a5-e221-49f9-a4bc-53a40519d447 status: experimental description: Detects potential processes activity of Kabuto RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/kaseya__vsa__files_sigma.yml b/detections/sigma/kaseya__vsa__files_sigma.yml index 5779cdca..b311bab1 100644 --- a/detections/sigma/kaseya__vsa__files_sigma.yml +++ b/detections/sigma/kaseya__vsa__files_sigma.yml 
@@ -22,11 +22,11 @@ detection: - C:\ProgramData\Kaseya\Log\Endpoint\Instance_*\KaseyaEndpoint* - C:\ProgramData\Kaseya\Log\Endpoint\Instance_*\Session_* condition: selection -id: 8293aac2-fea0-4fa9-84c0-a5bc93eb4a9b +id: 6d887504-0f57-484a-ad7f-9479291eccd1 status: experimental description: Detects potential files activity of Kaseya (VSA) RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/kaseya__vsa__network_sigma.yml b/detections/sigma/kaseya__vsa__network_sigma.yml index 938fec68..d573270a 100644 --- a/detections/sigma/kaseya__vsa__network_sigma.yml +++ b/detections/sigma/kaseya__vsa__network_sigma.yml @@ -10,11 +10,11 @@ detection: - '*.kaseya.net' - kaseya.com condition: selection -id: dffea627-3a34-487c-b597-07241638f177 +id: 92bfd790-5430-4154-b3fd-25aad0220766 status: experimental description: Detects potential network activity of Kaseya (VSA) RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/khelpdesk_network_sigma.yml b/detections/sigma/khelpdesk_network_sigma.yml index 2a27e9f9..9f26560f 100644 --- a/detections/sigma/khelpdesk_network_sigma.yml +++ b/detections/sigma/khelpdesk_network_sigma.yml @@ -7,11 +7,11 @@ detection: DestinationHostname|endswith: - '*.khelpdesk.com.br' condition: selection -id: b59a8a5b-5c0b-4b1f-afcb-f36d935ef624 +id: fb3acb0c-c623-44d5-97fa-3595c4bf8a35 status: experimental description: Detects potential network activity of KHelpDesk RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/khelpdesk_processes_sigma.yml b/detections/sigma/khelpdesk_processes_sigma.yml index d2833023..bf58c5e4 100644 --- a/detections/sigma/khelpdesk_processes_sigma.yml +++ b/detections/sigma/khelpdesk_processes_sigma.yml 
@@ -7,11 +7,11 @@ detection: ParentImage|endswith: - KHelpDesk.exe condition: selection -id: 9204612d-c27f-40b2-aa71-a0977e5e60b6 +id: f202fd9a-3f36-48b5-8902-65e393a61805 status: experimental description: Detects potential processes activity of KHelpDesk RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/kickidler_network_sigma.yml b/detections/sigma/kickidler_network_sigma.yml index c10c10b7..3256f133 100644 --- a/detections/sigma/kickidler_network_sigma.yml +++ b/detections/sigma/kickidler_network_sigma.yml @@ -8,11 +8,11 @@ detection: - kickidler.com - my.kickidler.com condition: selection -id: 12f8c8ca-f36c-40fb-9ee7-dc0d2832fbe1 +id: c20767f9-ddf7-44af-84dc-1c2731c69665 status: experimental description: Detects potential network activity of KickIdler RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/kitty_processes_sigma.yml b/detections/sigma/kitty_processes_sigma.yml index a2383bfa..a40f2f0a 100644 --- a/detections/sigma/kitty_processes_sigma.yml +++ b/detections/sigma/kitty_processes_sigma.yml @@ -8,11 +8,11 @@ detection: - C:\*\kitty.exe - '*\kitty.exe' condition: selection -id: e5a30831-ef55-4914-98bf-0d749db25fe6 +id: 3fad837e-9c84-4098-a411-d0accba8543d status: experimental description: Detects potential processes activity of KiTTY RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/labteach__connectwise_automate__processes_sigma.yml b/detections/sigma/labteach__connectwise_automate__processes_sigma.yml index a6bc1133..bae7182c 100644 --- a/detections/sigma/labteach__connectwise_automate__processes_sigma.yml +++ b/detections/sigma/labteach__connectwise_automate__processes_sigma.yml 
@@ -7,12 +7,12 @@ detection: ParentImage|endswith: - ltsvc.exe condition: selection -id: 8991b756-f264-4426-afa9-2a5216779fec +id: 3696a0f8-c8a0-417a-a408-e9bdf4caf318 status: experimental description: Detects potential processes activity of LabTeach (Connectwise Automate) RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/labtech_rmm__now_connectwise_automate__network_sigma.yml b/detections/sigma/labtech_rmm__now_connectwise_automate__network_sigma.yml index 5deaecc2..662dddc0 100644 --- a/detections/sigma/labtech_rmm__now_connectwise_automate__network_sigma.yml +++ b/detections/sigma/labtech_rmm__now_connectwise_automate__network_sigma.yml @@ -7,12 +7,12 @@ detection: DestinationHostname|endswith: - connectwise.com condition: selection -id: 32d3fd5a-c1f2-4468-8b06-6dff37475b11 +id: 96f37a1b-04e0-47ea-bdb3-238f903e8e0d status: experimental description: Detects potential network activity of LabTech RMM (Now ConnectWise Automate) RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/labtech_rmm__now_connectwise_automate__processes_sigma.yml b/detections/sigma/labtech_rmm__now_connectwise_automate__processes_sigma.yml index bb4a6959..dcf881a7 100644 --- a/detections/sigma/labtech_rmm__now_connectwise_automate__processes_sigma.yml +++ b/detections/sigma/labtech_rmm__now_connectwise_automate__processes_sigma.yml @@ -9,12 +9,12 @@ detection: - ltsvcmon.exe - lttray.exe condition: selection -id: 5a7e5641-29fb-4543-826d-75d967684f8d +id: 618f0058-e014-443d-ac07-18e946dcfc4e status: experimental description: Detects potential processes activity of LabTech RMM (Now ConnectWise Automate) RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 
diff --git a/detections/sigma/landesk_network_sigma.yml b/detections/sigma/landesk_network_sigma.yml
index bb2ef778..1311eb93 100644
--- a/detections/sigma/landesk_network_sigma.yml
+++ b/detections/sigma/landesk_network_sigma.yml
@@ -9,11 +9,11 @@ detection:
 - '*.ivanti.com'
 - ivanti.com
 condition: selection
-id: 36db7bcf-975e-4430-812a-1a8b21e6dc8d
+id: 4733dea8-ac1b-475a-a9f4-cb502e80699e
 status: experimental
 description: Detects potential network activity of LANDesk RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/landesk_processes_sigma.yml b/detections/sigma/landesk_processes_sigma.yml
index 58898d99..cd0fdbb0 100644
--- a/detections/sigma/landesk_processes_sigma.yml
+++ b/detections/sigma/landesk_processes_sigma.yml
@@ -14,11 +14,11 @@ detection:
 - '*\softmon.exe'
 - '*\tmcsvc.exe'
 condition: selection
-id: 6a8e2dd0-88c2-4259-ad74-c1f69fec758c
+id: a2b98f5b-a4f2-4e25-a2f7-60aa5426888c
 status: experimental
 description: Detects potential processes activity of LANDesk RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/laplink_everywhere_network_sigma.yml b/detections/sigma/laplink_everywhere_network_sigma.yml
index 65c2280c..346aa2d7 100644
--- a/detections/sigma/laplink_everywhere_network_sigma.yml
+++ b/detections/sigma/laplink_everywhere_network_sigma.yml
@@ -9,11 +9,11 @@ detection:
 - le.laplink.com
 - atled.syspectr.com
 condition: selection
-id: cf6322ff-5c9b-42e7-bee1-ca4b3b684428
+id: 59176766-d732-472f-9ee1-db3c096ba760
 status: experimental
 description: Detects potential network activity of Laplink Everywhere RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/laplink_everywhere_processes_sigma.yml b/detections/sigma/laplink_everywhere_processes_sigma.yml
index 819c7062..173ca316 100644
--- a/detections/sigma/laplink_everywhere_processes_sigma.yml
+++ b/detections/sigma/laplink_everywhere_processes_sigma.yml
@@ -12,11 +12,11 @@ detection:
 - serverproxyservice.exe
 - OOSysAgent.exe
 condition: selection
-id: 0b740aa2-91ee-4d44-920a-16f7f8bf8df2
+id: 556a0418-03d1-42de-b217-68bf2856e15d
 status: experimental
 description: Detects potential processes activity of Laplink Everywhere RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/laplink_gold_network_sigma.yml b/detections/sigma/laplink_gold_network_sigma.yml
index 76b832af..05361697 100644
--- a/detections/sigma/laplink_gold_network_sigma.yml
+++ b/detections/sigma/laplink_gold_network_sigma.yml
@@ -8,11 +8,11 @@ detection:
 - user_managed
 - wen.laplink.com/product/laplink-gold
 condition: selection
-id: 0b4fb91e-3efc-481f-bf98-fe5ccfc5e3f3
+id: 6e659208-d21e-4981-af48-79bf35b52b87
 status: experimental
 description: Detects potential network activity of Laplink Gold RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/laplink_gold_processes_sigma.yml b/detections/sigma/laplink_gold_processes_sigma.yml
index 651fdb59..650229a7 100644
--- a/detections/sigma/laplink_gold_processes_sigma.yml
+++ b/detections/sigma/laplink_gold_processes_sigma.yml
@@ -8,11 +8,11 @@ detection:
 - tsircusr.exe
 - laplink.exe
 condition: selection
-id: 8e5c65c1-d79a-48b5-b14e-782901e5c195
+id: 2cc6e670-7511-4bf0-b36f-b1079e7f8a24
 status: experimental
 description: Detects potential processes activity of Laplink Gold RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/level.io_network_sigma.yml b/detections/sigma/level.io_network_sigma.yml
index 6236d0d8..5f342125 100644
--- a/detections/sigma/level.io_network_sigma.yml
+++ b/detections/sigma/level.io_network_sigma.yml
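Review bot: Two of the context values under `DestinationHostname|endswith` in the laplink_gold network hunk, `user_managed` and `wen.laplink.com/product/laplink-gold`, are not hostnames, so those entries can never match a DNS or connection event and only pad the selection; the same applies to `manageengine.com/remote-monitoring-management/` in manageengine_rmm_central_network_sigma.yml and `imperosoftware.com/impero-connect/` in netop_remote_control__aka_impero_connect__network_sigma.yml further down this page, and to `user_managed` in the meshcentral, quick assist, mremoteng and naverisk network rules. These lines are pre-existing rather than introduced by the commit, but since the generator re-emits them on every run the fix belongs in the source data: reduce URL paths to the bare host (`- laplink.com`) and drop the `user_managed` placeholder, or render it as a comment, so a self-hosted deployment is documented without a dead match value.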
@@ -8,11 +8,11 @@ detection:
 - level.io
 - '*.level.io'
 condition: selection
-id: 19598e56-c542-4c9f-9635-f255180b017e
+id: 5b3131cc-ad91-4dbf-b429-2b013e7f8a69
 status: experimental
 description: Detects potential network activity of Level.io RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/level.io_processes_sigma.yml b/detections/sigma/level.io_processes_sigma.yml
index 50740c31..3be022c1 100644
--- a/detections/sigma/level.io_processes_sigma.yml
+++ b/detections/sigma/level.io_processes_sigma.yml
@@ -9,11 +9,11 @@ detection:
 - level.exe
 - level-remote-control-ffmpeg.exe
 condition: selection
-id: fd2c2c3d-4957-492f-be6e-0bbb4cbbc309
+id: b7c6d269-7610-4165-801e-5e4473915c75
 status: experimental
 description: Detects potential processes activity of Level.io RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/level_network_sigma.yml b/detections/sigma/level_network_sigma.yml
index cd4b95f0..b3b7db00 100644
--- a/detections/sigma/level_network_sigma.yml
+++ b/detections/sigma/level_network_sigma.yml
@@ -7,11 +7,11 @@ detection:
 DestinationHostname|endswith:
 - level.io
 condition: selection
-id: 10f1eb93-be92-490a-ab2d-8ae1af6f61af
+id: b70ec84f-3abc-4a31-92e4-1731e62496f5
 status: experimental
 description: Detects potential network activity of Level RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/litemanager_network_sigma.yml b/detections/sigma/litemanager_network_sigma.yml
index dd29d7ee..eee42327 100644
--- a/detections/sigma/litemanager_network_sigma.yml
+++ b/detections/sigma/litemanager_network_sigma.yml
@@ -9,11 +9,11 @@ detection:
 - '*.litemanager.com'
 - litemanager.com
 condition: selection
-id: 41ae8d72-857d-41ae-a8bd-8d58649d7c97
+id: 4a4aa609-2d4c-4056-a00d-b884785c4678
 status: experimental
 description: Detects potential network activity of LiteManager RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/litemanager_processes_sigma.yml b/detections/sigma/litemanager_processes_sigma.yml
index 92d044e3..aa6eb30c 100644
--- a/detections/sigma/litemanager_processes_sigma.yml
+++ b/detections/sigma/litemanager_processes_sigma.yml
@@ -12,11 +12,11 @@ detection:
 - romserver.exe
 - ROMServer.exe
 condition: selection
-id: 8a0a8a91-ff6e-4985-9d54-240e30409785
+id: 8dca1aac-5754-4637-b668-04e7689f767b
 status: experimental
 description: Detects potential processes activity of LiteManager RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/logmein_network_sigma.yml b/detections/sigma/logmein_network_sigma.yml
index ca70fb96..20a553f1 100644
--- a/detections/sigma/logmein_network_sigma.yml
+++ b/detections/sigma/logmein_network_sigma.yml
@@ -11,11 +11,11 @@ detection:
 - logmeinrescue.com
 - '*.logmeininc.com'
 condition: selection
-id: 140c52df-e816-47f1-b8f4-d232b2a5f659
+id: 566b2839-f874-48c5-a378-72f82083aa35
 status: experimental
 description: Detects potential network activity of LogMeIn RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/logmein_rescue_network_sigma.yml b/detections/sigma/logmein_rescue_network_sigma.yml
index dfa93127..ab8413c3 100644
--- a/detections/sigma/logmein_rescue_network_sigma.yml
+++ b/detections/sigma/logmein_rescue_network_sigma.yml
@@ -9,11 +9,11 @@ detection: - '*.logmeinrescue.eu' - logmeinrescue.com condition: selection -id: 7faeb6e9-bf43-48e9-a137-f03fe531ea12 +id: eadfb2f5-ad74-4729-ace0-3fc1131880b9 status: experimental description: Detects potential network activity of LogMeIn rescue RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/logmein_rescue_processes_sigma.yml b/detections/sigma/logmein_rescue_processes_sigma.yml index 8bda8b05..b3cbb531 100644 --- a/detections/sigma/logmein_rescue_processes_sigma.yml +++ b/detections/sigma/logmein_rescue_processes_sigma.yml @@ -9,11 +9,11 @@ detection: - support-logmeinrescue.exe - lmi_rescue.exe condition: selection -id: e0e4d26a-917d-4682-8acb-3c02d65841b2 +id: 1d9b0eb0-ad3f-4385-bd87-8a63c8c946d8 status: experimental description: Detects potential processes activity of LogMeIn rescue RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/manage_engine__desktop_central__network_sigma.yml b/detections/sigma/manage_engine__desktop_central__network_sigma.yml index c6d876ce..03fdcc31 100644 --- a/detections/sigma/manage_engine__desktop_central__network_sigma.yml +++ b/detections/sigma/manage_engine__desktop_central__network_sigma.yml @@ -12,12 +12,12 @@ detection: - '*.dms.zoho.com.eu' - '*.-dms.zoho.com.cn' condition: selection -id: ef6a2323-711d-436a-8247-2c9f75ed0587 +id: 0b0a90db-548e-48b6-9c11-97c408b57dc1 status: experimental description: Detects potential network activity of Manage Engine (Desktop Central) RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/manage_engine__desktop_central__processes_sigma.yml b/detections/sigma/manage_engine__desktop_central__processes_sigma.yml index 81264d6c..b93ef4c5 100644 --- a/detections/sigma/manage_engine__desktop_central__processes_sigma.yml 
+++ b/detections/sigma/manage_engine__desktop_central__processes_sigma.yml @@ -8,12 +8,12 @@ detection: - dcagentservice.exe - dcagentregister.exe condition: selection -id: a4b7941c-dee0-419f-9c5a-21d2b193fdef +id: ff26154b-b874-43f2-8497-5fa6b26f382f status: experimental description: Detects potential processes activity of Manage Engine (Desktop Central) RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/manageengine_processes_sigma.yml b/detections/sigma/manageengine_processes_sigma.yml index 7d9c9c05..78259e33 100644 --- a/detections/sigma/manageengine_processes_sigma.yml +++ b/detections/sigma/manageengine_processes_sigma.yml @@ -9,11 +9,11 @@ detection: - ManageEngine_Remote_Access_Plus.exe - '*\dcagentservice.exe' condition: selection -id: 334bb064-254f-43c6-b6fd-860fbbf71878 +id: 829a2556-2fa1-4ddd-bd0c-a3c6318a9596 status: experimental description: Detects potential processes activity of ManageEngine RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/manageengine_rmm_central_network_sigma.yml b/detections/sigma/manageengine_rmm_central_network_sigma.yml index 56c2c875..a5c3e78e 100644 --- a/detections/sigma/manageengine_rmm_central_network_sigma.yml +++ b/detections/sigma/manageengine_rmm_central_network_sigma.yml @@ -7,11 +7,11 @@ detection: DestinationHostname|endswith: - manageengine.com/remote-monitoring-management/ condition: selection -id: 3a6ae97b-b6ca-4e15-a580-bfaf4fe0b138 +id: 3b13b430-0a0e-4422-a0d1-8b5b0f844b69 status: experimental description: Detects potential network activity of ManageEngine RMM Central RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/megasync_processes_sigma.yml b/detections/sigma/megasync_processes_sigma.yml index 0ad7c297..1f1a957c 100644 
--- a/detections/sigma/megasync_processes_sigma.yml
+++ b/detections/sigma/megasync_processes_sigma.yml
@@ -8,11 +8,11 @@ detection:
 - '*\MEGAsyncSetup64.exe'
 - '*\MEGAupdater.exe'
 condition: selection
-id: e6685ca9-f9cf-472d-b73a-77e601e33eb8
+id: a0026069-13de-49ef-be27-1951aecc3581
 status: experimental
 description: Detects potential processes activity of MEGAsync RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/meshcentral_network_sigma.yml b/detections/sigma/meshcentral_network_sigma.yml
index e69c89d8..6beb33ee 100644
--- a/detections/sigma/meshcentral_network_sigma.yml
+++ b/detections/sigma/meshcentral_network_sigma.yml
@@ -8,11 +8,11 @@ detection:
 - user_managed
 - meshcentral.com
 condition: selection
-id: bb08971a-ec87-4b11-b00b-fd143cb919c9
+id: 3003ec5e-21f0-4c8b-8ed6-02a3ee9e3794
 status: experimental
 description: Detects potential network activity of MeshCentral RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/meshcentral_processes_sigma.yml b/detections/sigma/meshcentral_processes_sigma.yml
index ac0241ca..3228ea83 100644
--- a/detections/sigma/meshcentral_processes_sigma.yml
+++ b/detections/sigma/meshcentral_processes_sigma.yml
@@ -8,11 +8,11 @@ detection:
 - meshcentral*.exe
 - mesh*.exe
 condition: selection
-id: be89c905-3142-4422-a6d9-96893eb6a738
+id: 86eb4e28-14e7-4dfa-8d6d-3e35db4f7d2e
 status: experimental
 description: Detects potential processes activity of MeshCentral RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/microsoft_quick_assist_network_sigma.yml b/detections/sigma/microsoft_quick_assist_network_sigma.yml
index a7e82aa2..8933313d 100644
--- a/detections/sigma/microsoft_quick_assist_network_sigma.yml
+++ b/detections/sigma/microsoft_quick_assist_network_sigma.yml
@@ -7,11 +7,11 @@ detection:
 DestinationHostname|endswith:
 - user_managed
 condition: selection
-id: 8e62f1bf-bf32-4906-9dbe-55918e6aa74f
+id: 9a0fc403-4c77-4519-85e8-84c36bd6456b
 status: experimental
 description: Detects potential network activity of Microsoft Quick Assist RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/microsoft_quick_assist_processes_sigma.yml b/detections/sigma/microsoft_quick_assist_processes_sigma.yml
index 8e8a5b19..26e094cd 100644
--- a/detections/sigma/microsoft_quick_assist_processes_sigma.yml
+++ b/detections/sigma/microsoft_quick_assist_processes_sigma.yml
@@ -7,11 +7,11 @@ detection:
 ParentImage|endswith:
 - quickassist.exe
 condition: selection
-id: 8e8b1b16-f337-40eb-a353-c9d63422a102
+id: e9080b05-c0ea-4365-be44-461450421166
 status: experimental
 description: Detects potential processes activity of Microsoft Quick Assist RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/microsoft_rdp_processes_sigma.yml b/detections/sigma/microsoft_rdp_processes_sigma.yml
index 39a07912..986cac20 100644
--- a/detections/sigma/microsoft_rdp_processes_sigma.yml
+++ b/detections/sigma/microsoft_rdp_processes_sigma.yml
@@ -7,11 +7,11 @@ detection:
 ParentImage|endswith:
 - mstsc.exe
 condition: selection
-id: 25e436bf-6c1d-46f0-b1f0-2ac838300fab
+id: 1865354f-ee9f-4e21-a959-490ef6cce164
 status: experimental
 description: Detects potential processes activity of Microsoft RDP RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/microsoft_tsc_processes_sigma.yml b/detections/sigma/microsoft_tsc_processes_sigma.yml
index 91ee6cea..b26a512a 100644
--- a/detections/sigma/microsoft_tsc_processes_sigma.yml
+++ b/detections/sigma/microsoft_tsc_processes_sigma.yml
@@ -8,11 +8,11 @@ detection:
 - termsrv.exe
 - mstsc.exe
 condition: selection
-id: 7fc55366-60d7-41fd-815f-7e84814a7134
+id: 68f5e6b4-717f-4d4f-a633-c99e342469ea
 status: experimental
 description: Detects potential processes activity of Microsoft TSC RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/mikogo_network_sigma.yml b/detections/sigma/mikogo_network_sigma.yml
index 70a1a17a..72cabb9d 100644
--- a/detections/sigma/mikogo_network_sigma.yml
+++ b/detections/sigma/mikogo_network_sigma.yml
@@ -10,11 +10,11 @@ detection:
 - '*.mikogo.com'
 - mikogo.com
 condition: selection
-id: 6c10acd2-41bb-4a88-aadd-62b3fd8cf23d
+id: 5c555745-beff-4d2b-97ec-56d195946030
 status: experimental
 description: Detects potential network activity of Mikogo RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/mikogo_processes_sigma.yml b/detections/sigma/mikogo_processes_sigma.yml
index 550749a0..18a2b249 100644
--- a/detections/sigma/mikogo_processes_sigma.yml
+++ b/detections/sigma/mikogo_processes_sigma.yml
@@ -12,11 +12,11 @@ detection:
 - '*\Mikogo-Service.exe'
 - '*\Mikogo-Screen-Service.exe'
 condition: selection
-id: e313fb7f-7384-4f9a-8eb4-5a0b9e24fc2a
+id: 2d03f8d5-126b-4b10-8e69-c7408a861cc0
 status: experimental
 description: Detects potential processes activity of Mikogo RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/mionet__also_known_as_wd_anywhere_access__processes_sigma.yml b/detections/sigma/mionet__also_known_as_wd_anywhere_access__processes_sigma.yml
index cfe77da2..38dd0905 100644
--- a/detections/sigma/mionet__also_known_as_wd_anywhere_access__processes_sigma.yml
+++ b/detections/sigma/mionet__also_known_as_wd_anywhere_access__processes_sigma.yml
@@ -8,12 +8,12 @@ detection: - mionet.exe - mionetmanager.exe condition: selection -id: 4039e2e4-b395-42d5-8aa5-cdd6ccf0fb2b +id: 88102b66-9f64-425c-86cf-fb29cdd68806 status: experimental description: Detects potential processes activity of MioNet (Also known as WD Anywhere Access) RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/mionet__wd_anywhere_access__processes_sigma.yml b/detections/sigma/mionet__wd_anywhere_access__processes_sigma.yml index 4a06de47..792c6ef4 100644 --- a/detections/sigma/mionet__wd_anywhere_access__processes_sigma.yml +++ b/detections/sigma/mionet__wd_anywhere_access__processes_sigma.yml @@ -8,12 +8,12 @@ detection: - mionet.exe - mionetmanager.exe condition: selection -id: c62a771c-4e88-4773-bcc4-8d8a3c8822bb +id: a7966542-dfb9-4d1d-b984-4444f5a76bf8 status: experimental description: Detects potential processes activity of MioNet (WD Anywhere Access) RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/mremoteng_files_sigma.yml b/detections/sigma/mremoteng_files_sigma.yml index f263961a..62b5f94f 100644 --- a/detections/sigma/mremoteng_files_sigma.yml +++ b/detections/sigma/mremoteng_files_sigma.yml @@ -9,11 +9,11 @@ detection: - C:\Users\*\AppData\Roaming\mRemoteNG\confCons.xml - C:\Users\*\AppData\*\mRemoteNG\**10\user.config condition: selection -id: dbb80e26-c3f2-42de-9dc4-85b750524ecb +id: f05be463-6a61-4a89-ab8b-f17bf9b879e3 status: experimental description: Detects potential files activity of mRemoteNG RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/mremoteng_network_sigma.yml b/detections/sigma/mremoteng_network_sigma.yml index 4e01fff4..3e7ad235 100644 --- a/detections/sigma/mremoteng_network_sigma.yml +++ b/detections/sigma/mremoteng_network_sigma.yml 
@@ -8,11 +8,11 @@ detection:
 - user_managed
 - mremoteng.org
 condition: selection
-id: 98913407-048d-4179-ab3d-23c00ff5f2ac
+id: e3a3f39b-4957-499f-9cf8-98ba863950ac
 status: experimental
 description: Detects potential network activity of mRemoteNG RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/mremoteng_processes_sigma.yml b/detections/sigma/mremoteng_processes_sigma.yml
index 8e85db74..24763d6d 100644
--- a/detections/sigma/mremoteng_processes_sigma.yml
+++ b/detections/sigma/mremoteng_processes_sigma.yml
@@ -9,11 +9,11 @@ detection:
 - '*\mRemoteNG.exe'
 - '*\mRemoteNG.exe'
 condition: selection
-id: f68491b7-3e94-4cf1-a240-1f5cd08998f1
+id: 0e45e59e-8578-4251-b097-15e6f99f5134
 status: experimental
 description: Detects potential processes activity of mRemoteNG RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/msp360_network_sigma.yml b/detections/sigma/msp360_network_sigma.yml
index 3197ca72..20435e64 100644
--- a/detections/sigma/msp360_network_sigma.yml
+++ b/detections/sigma/msp360_network_sigma.yml
@@ -10,11 +10,11 @@ detection:
 - '*.mspbackups.com'
 - msp360.com
 condition: selection
-id: 68081126-d30b-4965-9193-c19af365d575
+id: 5b9b0cf1-ebcc-4ec2-97b9-af7911ce3624
 status: experimental
 description: Detects potential network activity of MSP360 RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/msp360_processes_sigma.yml b/detections/sigma/msp360_processes_sigma.yml
index c4e5567c..dfda43bd 100644
--- a/detections/sigma/msp360_processes_sigma.yml
+++ b/detections/sigma/msp360_processes_sigma.yml
@@ -17,11 +17,11 @@ detection:
 - Remote Desktop.exe
 - Connect.exe
 condition: selection
-id: dbf2f768-4f03-4ad9-93b5-dc880deccf4a
+id: 8bb15580-456b-4f5c-87ba-895a2f5fc91a
 status: experimental
 description: Detects potential processes activity of MSP360 RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/mstsc_processes_sigma.yml b/detections/sigma/mstsc_processes_sigma.yml
index 9bd80fd5..8563d6eb 100644
--- a/detections/sigma/mstsc_processes_sigma.yml
+++ b/detections/sigma/mstsc_processes_sigma.yml
@@ -8,11 +8,11 @@ detection:
 - C:\Windows\System32\mstsc.exe
 - '*Windows\System32\mstsc.exe'
 condition: selection
-id: 3811a06f-cc68-419a-8313-4a31a443632d
+id: 95a522bd-aa12-4d0b-9e44-37381ef561c0
 status: experimental
 description: Detects potential processes activity of mstsc RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/mygreenpc_network_sigma.yml b/detections/sigma/mygreenpc_network_sigma.yml
index 6fb5d8db..6d280051 100644
--- a/detections/sigma/mygreenpc_network_sigma.yml
+++ b/detections/sigma/mygreenpc_network_sigma.yml
@@ -7,11 +7,11 @@ detection:
 DestinationHostname|endswith:
 - '*mygreenpc.com'
 condition: selection
-id: 2cba09e3-4478-4429-9c10-af8ee8a0b6ef
+id: 2aa2b1ef-3d1f-40f0-b530-431ea2bea222
 status: experimental
 description: Detects potential network activity of MyGreenPC RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/mygreenpc_processes_sigma.yml b/detections/sigma/mygreenpc_processes_sigma.yml
index d8436cff..1b4e59a6 100644
--- a/detections/sigma/mygreenpc_processes_sigma.yml
+++ b/detections/sigma/mygreenpc_processes_sigma.yml
@@ -7,11 +7,11 @@ detection:
 ParentImage|endswith:
 - mygreenpc.exe
 condition: selection
-id: 685fb54b-5ba1-4daa-a134-f0c76a6f096e
+id: b31936e6-2ba0-4eaf-9965-ceadb135f6c3
 status: experimental
 description: Detects potential processes activity of MyGreenPC RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/myivo_network_sigma.yml b/detections/sigma/myivo_network_sigma.yml
index 482c1974..3e3d3b95 100644
--- a/detections/sigma/myivo_network_sigma.yml
+++ b/detections/sigma/myivo_network_sigma.yml
@@ -7,11 +7,11 @@ detection:
 DestinationHostname|endswith:
 - myivo-server.software.informer.com
 condition: selection
-id: 83b240da-c6e7-409b-baf4-a2eca396de3e
+id: f1af04ef-8b80-4de2-bc4f-cb0fbe7c5b2a
 status: experimental
 description: Detects potential network activity of MyIVO RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/myivo_processes_sigma.yml b/detections/sigma/myivo_processes_sigma.yml
index d0d7fe13..bf44e423 100644
--- a/detections/sigma/myivo_processes_sigma.yml
+++ b/detections/sigma/myivo_processes_sigma.yml
@@ -8,11 +8,11 @@ detection:
 - myivomgr.exe
 - myivomanager.exe
 condition: selection
-id: 5b8dfe1c-c608-4b24-b2bd-4632239b343b
+id: ebbf3afb-cee4-4024-8da8-48e156b003d1
 status: experimental
 description: Detects potential processes activity of MyIVO RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/n-able_advanced_monitoring_agent_network_sigma.yml b/detections/sigma/n-able_advanced_monitoring_agent_network_sigma.yml
index 55e66172..c4b51663 100644
--- a/detections/sigma/n-able_advanced_monitoring_agent_network_sigma.yml
+++ b/detections/sigma/n-able_advanced_monitoring_agent_network_sigma.yml
@@ -25,12 +25,12 @@ detection: - systemmonitor.eu.com - '*.n-able.com' condition: selection -id: 2055e220-81bd-45f6-87c4-a90b5ac57cf6 +id: ca8791dc-7469-4a02-945f-80b9a131b0c4 status: experimental description: Detects potential network activity of N-Able Advanced Monitoring Agent RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/n-able_advanced_monitoring_agent_processes_sigma.yml b/detections/sigma/n-able_advanced_monitoring_agent_processes_sigma.yml index 3662c7f2..56f11e1b 100644 --- a/detections/sigma/n-able_advanced_monitoring_agent_processes_sigma.yml +++ b/detections/sigma/n-able_advanced_monitoring_agent_processes_sigma.yml @@ -13,12 +13,12 @@ detection: - BASEClient.exe - BASupSrvcCnfg.exe condition: selection -id: 9e551a5d-1d5d-4457-87e8-00eb4d222fc0 +id: e5bd2958-99d7-4d10-99cc-56d3e2ec3d56 status: experimental description: Detects potential processes activity of N-Able Advanced Monitoring Agent RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/n-able_remote_access_software_network_sigma.yml b/detections/sigma/n-able_remote_access_software_network_sigma.yml index 1071fad7..d0ecd115 100644 --- a/detections/sigma/n-able_remote_access_software_network_sigma.yml +++ b/detections/sigma/n-able_remote_access_software_network_sigma.yml @@ -7,12 +7,12 @@ detection: DestinationHostname|endswith: - n-able.com condition: selection -id: 08134126-6619-4434-b01f-c65998bd6d35 +id: 4eba2de3-3df8-41f8-986f-a9d8b649eac0 status: experimental description: Detects potential network activity of N-ABLE Remote Access Software RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/nateon-desktop_sharing_network_sigma.yml b/detections/sigma/nateon-desktop_sharing_network_sigma.yml index 27053aa5..3cd9cdcc 100644 
--- a/detections/sigma/nateon-desktop_sharing_network_sigma.yml
+++ b/detections/sigma/nateon-desktop_sharing_network_sigma.yml
@@ -7,11 +7,11 @@ detection:
 DestinationHostname|endswith:
 - '*.nate.com'
 condition: selection
-id: 4f6a1bdc-dfc2-49b6-a1b6-f1fe13ce0a84
+id: a14b3a24-e9c8-4c9b-9668-65953bf06324
 status: experimental
 description: Detects potential network activity of NateOn-desktop sharing RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/nateon-desktop_sharing_processes_sigma.yml b/detections/sigma/nateon-desktop_sharing_processes_sigma.yml
index 9dbcbcfe..cab2dab6 100644
--- a/detections/sigma/nateon-desktop_sharing_processes_sigma.yml
+++ b/detections/sigma/nateon-desktop_sharing_processes_sigma.yml
@@ -9,11 +9,11 @@ detection:
 - nateon.exe
 - nateonmain.exe
 condition: selection
-id: 6fe97cb7-aae9-4e95-a4a4-21a2473630eb
+id: e2be2ea0-9906-4ce7-80a6-c803d38f04a6
 status: experimental
 description: Detects potential processes activity of NateOn-desktop sharing RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/naverisk_network_sigma.yml b/detections/sigma/naverisk_network_sigma.yml
index d2c36f08..2878dd80 100644
--- a/detections/sigma/naverisk_network_sigma.yml
+++ b/detections/sigma/naverisk_network_sigma.yml
@@ -8,11 +8,11 @@ detection:
 - user_managed
 - naverisk.com
 condition: selection
-id: d2e4453c-a76c-46b4-8066-f71172d1ced1
+id: 5dbbce46-68fb-4d3c-a3e0-6c0d9e23cde9
 status: experimental
 description: Detects potential network activity of Naverisk RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/naverisk_processes_sigma.yml b/detections/sigma/naverisk_processes_sigma.yml
index 314c87d9..8f731cbb 100644
--- a/detections/sigma/naverisk_processes_sigma.yml
+++ b/detections/sigma/naverisk_processes_sigma.yml @@ -7,11 +7,11 @@ detection: ParentImage|endswith: - AgentSetup-*.exe condition: selection -id: cbee1e76-a86f-45a8-9cf8-25b78205d612 +id: 937c6b2e-0b0f-4ebb-a5a5-6dbcf9e7bde2 status: experimental description: Detects potential processes activity of Naverisk RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/netop_remote_control__aka_impero_connect__network_sigma.yml b/detections/sigma/netop_remote_control__aka_impero_connect__network_sigma.yml index 1a711898..0657406d 100644 --- a/detections/sigma/netop_remote_control__aka_impero_connect__network_sigma.yml +++ b/detections/sigma/netop_remote_control__aka_impero_connect__network_sigma.yml @@ -7,12 +7,12 @@ detection: DestinationHostname|endswith: - imperosoftware.com/impero-connect/ condition: selection -id: 7f9b9dcb-7516-4b13-98a9-c642a7bb17c0 +id: a1e072c6-6662-4fed-8c3f-24731315a82a status: experimental description: Detects potential network activity of Netop Remote Control (aka Impero Connect) RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/netop_remote_control__aka_impero_connect__processes_sigma.yml b/detections/sigma/netop_remote_control__aka_impero_connect__processes_sigma.yml index 855ca19e..765d83b4 100644 --- a/detections/sigma/netop_remote_control__aka_impero_connect__processes_sigma.yml +++ b/detections/sigma/netop_remote_control__aka_impero_connect__processes_sigma.yml @@ -10,12 +10,12 @@ detection: - nldrw32.exe - rmserverconsolemediator.exe condition: selection -id: 4b71dd98-1381-4dd2-8be1-804f40f63039 +id: 3a4303d5-7d7f-4ea2-9d7e-f218c5971713 status: experimental description: Detects potential processes activity of Netop Remote Control (aka Impero Connect) RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 
diff --git a/detections/sigma/netop_remote_control__impero_connect__network_sigma.yml b/detections/sigma/netop_remote_control__impero_connect__network_sigma.yml index db3e952a..41943a56 100644 --- a/detections/sigma/netop_remote_control__impero_connect__network_sigma.yml +++ b/detections/sigma/netop_remote_control__impero_connect__network_sigma.yml @@ -8,12 +8,12 @@ detection: - '*.connect.backdrop.cloud' - '*.netop.com' condition: selection -id: 01b1b541-7fe3-46d0-b1a5-90d3f8c0a610 +id: 5501bcd1-7a4f-4dc4-b85f-d7071e5f7f00 status: experimental description: Detects potential network activity of Netop Remote Control (Impero Connect) RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/netop_remote_control__impero_connect__processes_sigma.yml b/detections/sigma/netop_remote_control__impero_connect__processes_sigma.yml index f288ebaa..9fe3134e 100644 --- a/detections/sigma/netop_remote_control__impero_connect__processes_sigma.yml +++ b/detections/sigma/netop_remote_control__impero_connect__processes_sigma.yml @@ -15,12 +15,12 @@ detection: - Connect.Backdrop.cloud*.exe - ImperoClientSVC.exe condition: selection -id: 38819b97-b44e-4f6d-ae56-c078e59959fc +id: 4c7a92e7-bc61-4a3f-aeed-5dfe56fae30a status: experimental description: Detects potential processes activity of Netop Remote Control (Impero Connect) RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/netreo_network_sigma.yml b/detections/sigma/netreo_network_sigma.yml index a905770d..f0e8b0bf 100644 --- a/detections/sigma/netreo_network_sigma.yml +++ b/detections/sigma/netreo_network_sigma.yml 
@@ -10,11 +10,11 @@ detection: - '*.api.netreo.com' - netreo.com condition: selection -id: 00f55b50-efb6-4de8-a936-d92634a081ff +id: bce122a6-0821-4d9a-953a-2b1e9d5b218b status: experimental description: Detects potential network activity of Netreo RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/netsupport_manager_network_sigma.yml b/detections/sigma/netsupport_manager_network_sigma.yml index 826a997e..e87341a4 100644 --- a/detections/sigma/netsupport_manager_network_sigma.yml +++ b/detections/sigma/netsupport_manager_network_sigma.yml @@ -9,11 +9,11 @@ detection: - netsupportmanager.com - '*.netsupportmanager.com' condition: selection -id: 158dd963-b994-44d0-952e-ee35c977eea6 +id: 12c50888-08e9-4d43-b6d5-6d65ea4fcb49 status: experimental description: Detects potential network activity of NetSupport Manager RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/netsupport_manager_processes_sigma.yml b/detections/sigma/netsupport_manager_processes_sigma.yml index a45a7565..a76bf760 100644 --- a/detections/sigma/netsupport_manager_processes_sigma.yml +++ b/detections/sigma/netsupport_manager_processes_sigma.yml @@ -9,11 +9,11 @@ detection: - client32.exe - pcicfgui.exe condition: selection -id: 9dd16421-b86b-47cd-818a-4abf97687a23 +id: 4205c323-1702-4b84-9d11-a705987a1098 status: experimental description: Detects potential processes activity of NetSupport Manager RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/neturo_network_sigma.yml b/detections/sigma/neturo_network_sigma.yml index c1434897..646d138e 100644 --- a/detections/sigma/neturo_network_sigma.yml +++ b/detections/sigma/neturo_network_sigma.yml 
@@ -7,11 +7,11 @@ detection: DestinationHostname|endswith: - neturo.uplus.co.kr condition: selection -id: f57bd79d-f4cf-4df3-bbee-6d82c3022310 +id: 39327f41-3a98-4a53-ac28-6b610b138cba status: experimental description: Detects potential network activity of Neturo RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/neturo_processes_sigma.yml b/detections/sigma/neturo_processes_sigma.yml index a8cdd1b1..597e6081 100644 --- a/detections/sigma/neturo_processes_sigma.yml +++ b/detections/sigma/neturo_processes_sigma.yml @@ -9,11 +9,11 @@ detection: - ntrntservice.exe - neturo.exe condition: selection -id: b3349de8-1401-45aa-b30e-0c9822e6f580 +id: 229b9923-a34d-4c65-b024-2160ed14557e status: experimental description: Detects potential processes activity of Neturo RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/netviewer__gotomeet__processes_sigma.yml b/detections/sigma/netviewer__gotomeet__processes_sigma.yml index 67da56aa..937de51f 100644 --- a/detections/sigma/netviewer__gotomeet__processes_sigma.yml +++ b/detections/sigma/netviewer__gotomeet__processes_sigma.yml @@ -8,11 +8,11 @@ detection: - nvClient.exe - netviewer.exe condition: selection -id: 41193a61-287e-4469-bda1-184d3bdd6ebd +id: dcbbb83f-6aac-41dc-831b-c4a7a9091fa5 status: experimental description: Detects potential processes activity of Netviewer (GoToMeet) RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/netviewer_network_sigma.yml b/detections/sigma/netviewer_network_sigma.yml index ca55bf82..97663826 100644 --- a/detections/sigma/netviewer_network_sigma.yml +++ b/detections/sigma/netviewer_network_sigma.yml 
@@ -7,11 +7,11 @@ detection: DestinationHostname|endswith: - download.cnet.com/Net-Viewer/3000-2370_4-10034828.html condition: selection -id: c4be0001-98f2-42bc-a0cf-0e6eecdc7480 +id: f861142d-58b1-4c98-a407-83e458a59444 status: experimental description: Detects potential network activity of Netviewer RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/netviewer_processes_sigma.yml b/detections/sigma/netviewer_processes_sigma.yml index 878b869b..8f108dea 100644 --- a/detections/sigma/netviewer_processes_sigma.yml +++ b/detections/sigma/netviewer_processes_sigma.yml @@ -8,11 +8,11 @@ detection: - netviewer*.exe - netviewer.exe condition: selection -id: c6955780-c235-47c4-92e9-c8180a25bdea +id: dcf2f0c3-4771-4020-ac33-97b1558997ff status: experimental description: Detects potential processes activity of Netviewer RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/ngrok_network_sigma.yml b/detections/sigma/ngrok_network_sigma.yml index 43b0ed4b..86718404 100644 --- a/detections/sigma/ngrok_network_sigma.yml +++ b/detections/sigma/ngrok_network_sigma.yml @@ -8,11 +8,11 @@ detection: - user_managed - ngrok.com condition: selection -id: 2a22abaa-eed9-4d56-a427-13bd5ac26f2b +id: 2f94f187-ac51-4e50-a6f5-7f6c3bfa5578 status: experimental description: Detects potential network activity of ngrok RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/ngrok_processes_sigma.yml b/detections/sigma/ngrok_processes_sigma.yml index 84f5755f..c18b0ac6 100644 --- a/detections/sigma/ngrok_processes_sigma.yml +++ b/detections/sigma/ngrok_processes_sigma.yml 
@@ -7,11 +7,11 @@ detection: ParentImage|endswith: - ngrok.exe condition: selection -id: cb5e7847-18d5-4f41-a762-c280ae647080 +id: 5c6a492b-4f87-4f2f-8f1d-95b1c7c16ef1 status: experimental description: Detects potential processes activity of ngrok RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/ninjarmm_network_sigma.yml b/detections/sigma/ninjarmm_network_sigma.yml index dd01c6f1..01730dbe 100644 --- a/detections/sigma/ninjarmm_network_sigma.yml +++ b/detections/sigma/ninjarmm_network_sigma.yml @@ -10,11 +10,11 @@ detection: - resources.ninjarmm.com - ninjaone.com condition: selection -id: 943a0877-790f-4440-bed5-182a1977adc5 +id: 36fd47e6-13f9-4eb0-a826-8f34e3e1dc0e status: experimental description: Detects potential network activity of NinjaRMM RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/ninjarmm_processes_sigma.yml b/detections/sigma/ninjarmm_processes_sigma.yml index 2fec6b57..427b8098 100644 --- a/detections/sigma/ninjarmm_processes_sigma.yml +++ b/detections/sigma/ninjarmm_processes_sigma.yml @@ -10,11 +10,11 @@ detection: - NinjaRMMAgenPatcher.exe - ninjarmm-cli.exe condition: selection -id: df993854-40a2-4846-988d-930ceb6376d3 +id: ba65e84e-5ded-409f-9c72-c9704732786d status: experimental description: Detects potential processes activity of NinjaRMM RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/nomachine_network_sigma.yml b/detections/sigma/nomachine_network_sigma.yml index 8fd32f1b..1c786a6f 100644 --- a/detections/sigma/nomachine_network_sigma.yml +++ b/detections/sigma/nomachine_network_sigma.yml 
@@ -8,11 +8,11 @@ detection: - user_managed - nomachine.com condition: selection -id: 2e10dab2-67bf-4e63-9e60-e21b6f136d1b +id: b80bd471-4420-482d-93c4-d2755a4ed4dc status: experimental description: Detects potential network activity of NoMachine RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/nomachine_processes_sigma.yml b/detections/sigma/nomachine_processes_sigma.yml index 92a122be..ccea5460 100644 --- a/detections/sigma/nomachine_processes_sigma.yml +++ b/detections/sigma/nomachine_processes_sigma.yml @@ -8,11 +8,11 @@ detection: - nomachine*.exe - nxd.exe condition: selection -id: 2cf50b1f-c1bb-4ac8-9ddc-05c0ae1eb54b +id: 40a4638d-dc15-40f9-be1f-f5667b56a562 status: experimental description: Detects potential processes activity of NoMachine RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/noteon-desktop_sharing_processes_sigma.yml b/detections/sigma/noteon-desktop_sharing_processes_sigma.yml index 9f90026e..e417446a 100644 --- a/detections/sigma/noteon-desktop_sharing_processes_sigma.yml +++ b/detections/sigma/noteon-desktop_sharing_processes_sigma.yml @@ -9,11 +9,11 @@ detection: - nateon.exe - nateonmain.exe condition: selection -id: bc03649e-a7fe-42d0-8f29-59c5de5f39e1 +id: cee2070b-07ca-4fec-a1e3-1653fdd6da8a status: experimental description: Detects potential processes activity of NoteOn-desktop sharing RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/ntr_remote_network_sigma.yml b/detections/sigma/ntr_remote_network_sigma.yml index 6a387d85..1031d07b 100644 --- a/detections/sigma/ntr_remote_network_sigma.yml +++ b/detections/sigma/ntr_remote_network_sigma.yml 
@@ -7,11 +7,11 @@ detection: DestinationHostname|endswith: - '*.ntrsupport.com' condition: selection -id: 7e360029-f687-48f0-a58d-5010ba4ba70c +id: d34f06a0-1823-45ff-a667-43b140058f47 status: experimental description: Detects potential network activity of NTR Remote RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/ntr_remote_processes_sigma.yml b/detections/sigma/ntr_remote_processes_sigma.yml index 4b98cfd5..e9568509 100644 --- a/detections/sigma/ntr_remote_processes_sigma.yml +++ b/detections/sigma/ntr_remote_processes_sigma.yml @@ -7,11 +7,11 @@ detection: ParentImage|endswith: - NTRsupportPro_EN.exe condition: selection -id: e2c4554b-daaa-4f19-80e3-167c81ae53d2 +id: 47a5d227-0695-472d-b9c6-b0642522e98e status: experimental description: Detects potential processes activity of NTR Remote RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/ocs_inventory_network_sigma.yml b/detections/sigma/ocs_inventory_network_sigma.yml index 1539f870..177c397b 100644 --- a/detections/sigma/ocs_inventory_network_sigma.yml +++ b/detections/sigma/ocs_inventory_network_sigma.yml @@ -8,11 +8,11 @@ detection: - user_managed - ocsinventory-ng.org condition: selection -id: e0006d7f-7915-4519-9aae-fc555774f28b +id: cfe53dff-bb84-4eec-aac7-284628e1ac49 status: experimental description: Detects potential network activity of OCS inventory RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/ocs_inventory_processes_sigma.yml b/detections/sigma/ocs_inventory_processes_sigma.yml index d930355f..a035b81f 100644 --- a/detections/sigma/ocs_inventory_processes_sigma.yml +++ b/detections/sigma/ocs_inventory_processes_sigma.yml 
@@ -8,11 +8,11 @@ detection: - ocsinventory.exe - ocsservice.exe condition: selection -id: bd83466c-be84-49eb-b225-a699ecea1eec +id: 9da56624-e193-40ca-85a3-831343f5b797 status: experimental description: Detects potential processes activity of OCS inventory RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/odrive_processes_sigma.yml b/detections/sigma/odrive_processes_sigma.yml index 68b71ebe..3907e4f9 100644 --- a/detections/sigma/odrive_processes_sigma.yml +++ b/detections/sigma/odrive_processes_sigma.yml @@ -7,11 +7,11 @@ detection: ParentImage|endswith: - '*\Odriveapp.exe' condition: selection -id: 9e015d9d-8c3b-4f4c-b0f9-fc75ee54f50e +id: 3ecd5480-76d3-45f4-9c12-0adb425592a5 status: experimental description: Detects potential processes activity of ODrive RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/onionshare_processes_sigma.yml b/detections/sigma/onionshare_processes_sigma.yml index 71c82889..5b424ee5 100644 --- a/detections/sigma/onionshare_processes_sigma.yml +++ b/detections/sigma/onionshare_processes_sigma.yml @@ -7,11 +7,11 @@ detection: ParentImage|endswith: - '*\onionshare*.exe' condition: selection -id: 84a46952-fbfa-43af-af4b-748f54e2ee6f +id: 47582285-6b9b-4f48-a5ad-f60b1a9da608 status: experimental description: Detects potential processes activity of Onionshare RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/optitune_network_sigma.yml b/detections/sigma/optitune_network_sigma.yml index f447f021..53daffc9 100644 --- a/detections/sigma/optitune_network_sigma.yml +++ b/detections/sigma/optitune_network_sigma.yml 
@@ -8,11 +8,11 @@ detection: - '*.optitune.us' - '*.opti-tune.com' condition: selection -id: 411944b0-da03-4d35-a49e-6fdb83850250 +id: 22949aea-1e6c-4d5a-9caa-069a8561716c status: experimental description: Detects potential network activity of OptiTune RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/optitune_processes_sigma.yml b/detections/sigma/optitune_processes_sigma.yml index 8699e051..426105ac 100644 --- a/detections/sigma/optitune_processes_sigma.yml +++ b/detections/sigma/optitune_processes_sigma.yml @@ -8,11 +8,11 @@ detection: - OTService.exe - OTPowerShell.exe condition: selection -id: 145f5308-f844-4178-b836-bf20f10dbe82 +id: 6f92accd-69ed-4cea-a134-e55bb58f496a status: experimental description: Detects potential processes activity of OptiTune RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/pandora_rc__ehorus__network_sigma.yml b/detections/sigma/pandora_rc__ehorus__network_sigma.yml index 9a095c76..5c38142d 100644 --- a/detections/sigma/pandora_rc__ehorus__network_sigma.yml +++ b/detections/sigma/pandora_rc__ehorus__network_sigma.yml @@ -7,11 +7,11 @@ detection: DestinationHostname|endswith: - portal.ehorus.com condition: selection -id: 36f176db-1352-4a64-beef-8032366df8e4 +id: 9a1e3e4b-16fd-4465-afab-39614fd0132b status: experimental description: Detects potential network activity of Pandora RC (eHorus) RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/pandora_rc__ehorus__processes_sigma.yml b/detections/sigma/pandora_rc__ehorus__processes_sigma.yml index 474279dd..50160fa8 100644 --- a/detections/sigma/pandora_rc__ehorus__processes_sigma.yml +++ b/detections/sigma/pandora_rc__ehorus__processes_sigma.yml 
@@ -8,11 +8,11 @@ detection: - ehorus standalone.exe - ehorus_agent.exe condition: selection -id: abd38a66-2d22-46ce-ae31-6658be5528e1 +id: 0a18fcba-4d6d-4a78-9e5a-81294907bc16 status: experimental description: Detects potential processes activity of Pandora RC (eHorus) RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/panorama9_network_sigma.yml b/detections/sigma/panorama9_network_sigma.yml index 10175885..ba60deee 100644 --- a/detections/sigma/panorama9_network_sigma.yml +++ b/detections/sigma/panorama9_network_sigma.yml @@ -9,11 +9,11 @@ detection: - changes.panorama9.com - panorama9.com condition: selection -id: feb5fde0-63e1-444b-bf94-35f4996e4e35 +id: 637c51b3-5ac9-488a-8cae-f387fa503575 status: experimental description: Detects potential network activity of Panorama9 RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/panorama9_processes_sigma.yml b/detections/sigma/panorama9_processes_sigma.yml index d89fa7d3..11d9eba4 100644 --- a/detections/sigma/panorama9_processes_sigma.yml +++ b/detections/sigma/panorama9_processes_sigma.yml @@ -7,11 +7,11 @@ detection: ParentImage|endswith: - p9agent*.exe condition: selection -id: 6eb8de75-36ac-4243-b7d0-c10883359eaa +id: 9913f423-61c0-41ca-a7e6-4853d5228b45 status: experimental description: Detects potential processes activity of Panorama9 RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/parallels_access_network_sigma.yml b/detections/sigma/parallels_access_network_sigma.yml index e5cc3911..b40bdfd8 100644 --- a/detections/sigma/parallels_access_network_sigma.yml +++ b/detections/sigma/parallels_access_network_sigma.yml 
@@ -8,11 +8,11 @@ detection: - '*.parallels.com' - parallels.com/products/ras/try condition: selection -id: 8bd68c1a-b835-483b-b0f0-3966a38767ea +id: 77e59b05-dafb-45e4-a552-99826ab6f85a status: experimental description: Detects potential network activity of Parallels Access RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/parallels_access_processes_sigma.yml b/detections/sigma/parallels_access_processes_sigma.yml index 016a8d24..d7f27332 100644 --- a/detections/sigma/parallels_access_processes_sigma.yml +++ b/detections/sigma/parallels_access_processes_sigma.yml @@ -11,11 +11,11 @@ detection: - prl_deskctl_wizard.exe - prl_pm_service.exe condition: selection -id: 0730f421-f7b0-42fd-b906-3ffd264aefe4 +id: 4ec659d8-483d-42a2-b935-21c32bf4e37e status: experimental description: Detects potential processes activity of Parallels Access RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/pcanywhere_network_sigma.yml b/detections/sigma/pcanywhere_network_sigma.yml index 930803b3..05a36212 100644 --- a/detections/sigma/pcanywhere_network_sigma.yml +++ b/detections/sigma/pcanywhere_network_sigma.yml @@ -7,11 +7,11 @@ detection: DestinationHostname|endswith: - user_managed condition: selection -id: fca66b1b-fca5-468f-8980-5bd2c2cf1304 +id: 6c56c938-14d3-405c-ab44-c7c806b17ab8 status: experimental description: Detects potential network activity of pcAnywhere RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/pcanywhere_processes_sigma.yml b/detections/sigma/pcanywhere_processes_sigma.yml index 27f8099d..bb2fcd5a 100644 --- a/detections/sigma/pcanywhere_processes_sigma.yml +++ b/detections/sigma/pcanywhere_processes_sigma.yml 
@@ -10,11 +10,11 @@ detection: - pcaquickconnect.exe - winaw32.exe condition: selection -id: 1740d837-2239-4d57-910c-c1e2164e7fd1 +id: b46a081f-220d-44bc-b6d7-56151c414478 status: experimental description: Detects potential processes activity of pcAnywhere RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/pcloud_processes_sigma.yml b/detections/sigma/pcloud_processes_sigma.yml index 02ed5338..fc7d7bb7 100644 --- a/detections/sigma/pcloud_processes_sigma.yml +++ b/detections/sigma/pcloud_processes_sigma.yml @@ -7,11 +7,11 @@ detection: ParentImage|endswith: - '*\pCloud.exe' condition: selection -id: baa552cf-c8c3-4198-96b5-48bd0283f0b4 +id: 3362dfd5-217c-4d6f-afe8-c2a4d25e5e56 status: experimental description: Detects potential processes activity of pCloud RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/pcnow_network_sigma.yml b/detections/sigma/pcnow_network_sigma.yml index 42c15349..42732711 100644 --- a/detections/sigma/pcnow_network_sigma.yml +++ b/detections/sigma/pcnow_network_sigma.yml @@ -7,11 +7,11 @@ detection: DestinationHostname|endswith: - au.pcmag.com/utilities/21470/webex-pcnow condition: selection -id: 9cde03fd-742d-46f7-a066-c7bb6c19ceba +id: f3ce42d7-b932-4009-9d84-6ff8c6385b19 status: experimental description: Detects potential network activity of Pcnow RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/pcnow_processes_sigma.yml b/detections/sigma/pcnow_processes_sigma.yml index 79aec323..ec4b4cbb 100644 --- a/detections/sigma/pcnow_processes_sigma.yml +++ b/detections/sigma/pcnow_processes_sigma.yml 
@@ -9,11 +9,11 @@ detection: - pcnmgr.exe - webexpcnow.exe condition: selection -id: bc89ae60-5c10-4261-bf1b-7742678e0464 +id: 2bc661c4-b05f-4971-bfc8-eef0bcddad00 status: experimental description: Detects potential processes activity of Pcnow RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/pcvisit_network_sigma.yml b/detections/sigma/pcvisit_network_sigma.yml index 8aa204e6..45dac135 100644 --- a/detections/sigma/pcvisit_network_sigma.yml +++ b/detections/sigma/pcvisit_network_sigma.yml @@ -8,11 +8,11 @@ detection: - '*.pcvisit.de' - pcvisit.de condition: selection -id: 2096b807-b8e4-4d13-bf90-5a6f9522a239 +id: 75e41cc0-eaa9-4795-b240-8b679fb9862e status: experimental description: Detects potential network activity of Pcvisit RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/pcvisit_processes_sigma.yml b/detections/sigma/pcvisit_processes_sigma.yml index aaffef20..84ffc2ca 100644 --- a/detections/sigma/pcvisit_processes_sigma.yml +++ b/detections/sigma/pcvisit_processes_sigma.yml @@ -10,11 +10,11 @@ detection: - pcvisit-easysupport.exe - pcvisit_service_client.exe condition: selection -id: d642e75b-db71-4fb0-8439-3704455eb7d0 +id: da7aef8c-62ce-4abf-adf3-9df130d9dd30 status: experimental description: Detects potential processes activity of Pcvisit RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/pdq_connect_network_sigma.yml b/detections/sigma/pdq_connect_network_sigma.yml index 66550143..da9d3ea0 100644 --- a/detections/sigma/pdq_connect_network_sigma.yml +++ b/detections/sigma/pdq_connect_network_sigma.yml 
@@ -8,11 +8,11 @@ detection: - app.pdq.com - cfcdn.pdq.com condition: selection -id: ec16f6cc-8433-4c5a-a4b2-28c44004da30 +id: e27c6d0b-9d16-4eb3-9abd-8ba0a2cc0f6e status: experimental description: Detects potential network activity of PDQ Connect RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/pdq_connect_processes_sigma.yml b/detections/sigma/pdq_connect_processes_sigma.yml index 551e83d1..5b11d122 100644 --- a/detections/sigma/pdq_connect_processes_sigma.yml +++ b/detections/sigma/pdq_connect_processes_sigma.yml @@ -7,11 +7,11 @@ detection: ParentImage|endswith: - pdq-connect*.exe condition: selection -id: aeb1c68a-95a5-45c4-bebf-c8acf2468f9b +id: 53f5bc8e-62d8-409e-9588-7910e706dc5f status: experimental description: Detects potential processes activity of PDQ Connect RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/pilixo_network_sigma.yml b/detections/sigma/pilixo_network_sigma.yml index 118b188e..d4cfaf42 100644 --- a/detections/sigma/pilixo_network_sigma.yml +++ b/detections/sigma/pilixo_network_sigma.yml @@ -9,11 +9,11 @@ detection: - download.pilixo.com - '*.pilixo.com' condition: selection -id: 4c200777-e2b3-47dc-964f-efec934f8ebb +id: 11be93dd-95ec-496f-902b-77c07a26a467 status: experimental description: Detects potential network activity of Pilixo RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/pilixo_processes_sigma.yml b/detections/sigma/pilixo_processes_sigma.yml index 2f47d9bd..c3a6fc50 100644 --- a/detections/sigma/pilixo_processes_sigma.yml +++ b/detections/sigma/pilixo_processes_sigma.yml 
@@ -8,11 +8,11 @@ detection: - rdp.exe - Pilixo_Installer*.exe condition: selection -id: 8761dc56-25aa-4ca1-ad15-b27e8e680a62 +id: c2649604-3b30-47b0-ae8b-aaea69ccdf9b status: experimental description: Detects potential processes activity of Pilixo RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/pocket_cloud__wyse__processes_sigma.yml b/detections/sigma/pocket_cloud__wyse__processes_sigma.yml index d7be69a4..c83be960 100644 --- a/detections/sigma/pocket_cloud__wyse__processes_sigma.yml +++ b/detections/sigma/pocket_cloud__wyse__processes_sigma.yml @@ -8,11 +8,11 @@ detection: - pocketcloud*.exe - pocketcloudservice.exe condition: selection -id: 710ca6b0-4944-4469-9d2e-d2ce5d93eb30 +id: 1a280030-c626-468f-b74a-bffacbc724e3 status: experimental description: Detects potential processes activity of Pocket Cloud (Wyse) RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/pocket_controller__soti_xsight__network_sigma.yml b/detections/sigma/pocket_controller__soti_xsight__network_sigma.yml index ed57cce3..81cbb789 100644 --- a/detections/sigma/pocket_controller__soti_xsight__network_sigma.yml +++ b/detections/sigma/pocket_controller__soti_xsight__network_sigma.yml @@ -7,12 +7,12 @@ detection: DestinationHostname|endswith: - '*soti.net' condition: selection -id: 9d79323f-16ed-4db4-b185-66e14d6babbd +id: e49aea52-4057-4ebf-9c22-3424e1c52632 status: experimental description: Detects potential network activity of Pocket Controller (Soti Xsight) RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/pocket_controller__soti_xsight__processes_sigma.yml b/detections/sigma/pocket_controller__soti_xsight__processes_sigma.yml index e122793c..d48b313d 100644 
--- a/detections/sigma/pocket_controller__soti_xsight__processes_sigma.yml +++ b/detections/sigma/pocket_controller__soti_xsight__processes_sigma.yml @@ -9,12 +9,12 @@ detection: - wysebrowser.exe - XSightService.exe condition: selection -id: b95f9a39-4f5d-4496-ae32-cde30b6d30f5 +id: 7e666c30-2204-4f07-8ba0-8e46e054c24b status: experimental description: Detects potential processes activity of Pocket Controller (Soti Xsight) RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/pocket_controller_network_sigma.yml b/detections/sigma/pocket_controller_network_sigma.yml index aaf69881..7a150479 100644 --- a/detections/sigma/pocket_controller_network_sigma.yml +++ b/detections/sigma/pocket_controller_network_sigma.yml @@ -7,11 +7,11 @@ detection: DestinationHostname|endswith: - soti.net/products/soti-pocket-controller condition: selection -id: 7036f6e6-e4c6-4db1-8a73-81b8e5ce68e3 +id: bb79c471-cfa9-47cc-9325-b65101bbb1f5 status: experimental description: Detects potential network activity of Pocket Controller RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/pocket_controller_processes_sigma.yml b/detections/sigma/pocket_controller_processes_sigma.yml index db94ad96..319c025c 100644 --- a/detections/sigma/pocket_controller_processes_sigma.yml +++ b/detections/sigma/pocket_controller_processes_sigma.yml @@ -9,11 +9,11 @@ detection: - pocketcloudservice.exe - wysebrowser.exe condition: selection -id: 413781b5-5f19-47f6-b8ae-e438d89e8be8 +id: b942a1b1-e907-4817-b13c-56b43f741606 status: experimental description: Detects potential processes activity of Pocket Controller RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 
diff --git a/detections/sigma/psexec__clone__network_sigma.yml b/detections/sigma/psexec__clone__network_sigma.yml index c76df495..799acc71 100644 --- a/detections/sigma/psexec__clone__network_sigma.yml +++ b/detections/sigma/psexec__clone__network_sigma.yml @@ -7,11 +7,11 @@ detection: DestinationHostname|endswith: - user_managed condition: selection -id: 8f7b7ad3-b7e2-4a74-8959-5e8e477fea2b +id: 0e19d5d5-98be-43da-8498-9b25a7794086 status: experimental description: Detects potential network activity of PSEXEC (Clone) RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/psexec__clone__processes_sigma.yml b/detections/sigma/psexec__clone__processes_sigma.yml index 4668ea29..c2fec991 100644 --- a/detections/sigma/psexec__clone__processes_sigma.yml +++ b/detections/sigma/psexec__clone__processes_sigma.yml @@ -12,11 +12,11 @@ detection: - xcmd.exe - xcmdsvc.exe condition: selection -id: 3bf1b4ee-eadc-4ffb-b007-763156991f06 +id: ce875247-1a7a-4679-8fdd-23736f66fbf7 status: experimental description: Detects potential processes activity of PSEXEC (Clone) RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/psexec_network_sigma.yml b/detections/sigma/psexec_network_sigma.yml index 0051c2f6..d263de68 100644 --- a/detections/sigma/psexec_network_sigma.yml +++ b/detections/sigma/psexec_network_sigma.yml @@ -7,11 +7,11 @@ detection: DestinationHostname|endswith: - user_managed condition: selection -id: e4cff708-d52f-4383-8c5e-9353e960c88b +id: 8b96d374-2a49-47cd-b7b6-6065eab92469 status: experimental description: Detects potential network activity of PSEXEC RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/psexec_processes_sigma.yml b/detections/sigma/psexec_processes_sigma.yml index f0eb1a30..22ab30f2 100644 
--- a/detections/sigma/psexec_processes_sigma.yml +++ b/detections/sigma/psexec_processes_sigma.yml @@ -8,11 +8,11 @@ detection: - psexec.exe - psexecsvc.exe condition: selection -id: 6733a308-74b7-45ef-8b4c-378f5310fe48 +id: 11340ea1-ca47-436e-a3ec-658556aa3615 status: experimental description: Detects potential processes activity of PSEXEC RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/pulseway_network_sigma.yml b/detections/sigma/pulseway_network_sigma.yml index 386e8ec8..4d1a3fe7 100644 --- a/detections/sigma/pulseway_network_sigma.yml +++ b/detections/sigma/pulseway_network_sigma.yml @@ -7,11 +7,11 @@ detection: DestinationHostname|endswith: - pulseway.com condition: selection -id: ea1f256c-6716-4f1a-ac14-12d12168aa35 +id: 786ef50c-ef11-4ee2-b3fd-84e55f779ed8 status: experimental description: Detects potential network activity of Pulseway RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/pulseway_processes_sigma.yml b/detections/sigma/pulseway_processes_sigma.yml index 54fe4668..915fed7f 100644 --- a/detections/sigma/pulseway_processes_sigma.yml +++ b/detections/sigma/pulseway_processes_sigma.yml @@ -8,11 +8,11 @@ detection: - PCMonitorManager.exe - pcmonitorsrv.exe condition: selection -id: 9203087c-e11c-46f4-9758-ed336c532c04 +id: 930a0b94-5ff4-4d7d-a8cc-dfd1d4f9c489 status: experimental description: Detects potential processes activity of Pulseway RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/putty_tray_processes_sigma.yml b/detections/sigma/putty_tray_processes_sigma.yml index 6232f3e1..25f3a1b2 100644 --- a/detections/sigma/putty_tray_processes_sigma.yml +++ b/detections/sigma/putty_tray_processes_sigma.yml 
@@ -8,11 +8,11 @@ detection:
 - C:\*\puttytray.exe
 - '*\puttytray.exe'
 condition: selection
-id: f60da527-7653-4689-81fa-0f6ac08e9e72
+id: c66fd994-a408-4c47-aa4f-23cb9355f9c4
 status: experimental
 description: Detects potential processes activity of PuTTY Tray RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/qq_im-remote_assistance_network_sigma.yml b/detections/sigma/qq_im-remote_assistance_network_sigma.yml
index 58f1b638..d8449756 100644
--- a/detections/sigma/qq_im-remote_assistance_network_sigma.yml
+++ b/detections/sigma/qq_im-remote_assistance_network_sigma.yml
@@ -10,11 +10,11 @@ detection:
 - upload_data.qq.com
 - qq-messenger.en.softonic.com
 condition: selection
-id: e9475957-1152-443b-bad4-f288034e78da
+id: a433daa3-deae-474a-9958-36cb9b287bb4
 status: experimental
 description: Detects potential network activity of QQ IM-remote assistance RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/qq_im-remote_assistance_processes_sigma.yml b/detections/sigma/qq_im-remote_assistance_processes_sigma.yml
index ea24fa35..001ef7ab 100644
--- a/detections/sigma/qq_im-remote_assistance_processes_sigma.yml
+++ b/detections/sigma/qq_im-remote_assistance_processes_sigma.yml
@@ -9,11 +9,11 @@ detection:
 - QQProtect.exe
 - qqpcmgr.exe
 condition: selection
-id: 8b7e56d6-f575-4ff6-96dd-6ef58e5c7791
+id: d9d973a5-c10a-425e-8bbd-585dd3c24015
 status: experimental
 description: Detects potential processes activity of QQ IM-remote assistance RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/quest_kace_agent__formerly_dell_kace__network_sigma.yml b/detections/sigma/quest_kace_agent__formerly_dell_kace__network_sigma.yml
index 7093943f..501217f2 100644
--- a/detections/sigma/quest_kace_agent__formerly_dell_kace__network_sigma.yml
+++ b/detections/sigma/quest_kace_agent__formerly_dell_kace__network_sigma.yml
@@ -8,12 +8,12 @@ detection:
 - '*.kace.com'
 - www.quest.com/kace/
 condition: selection
-id: ddf7fe14-66c0-49bc-b6d9-373416946956
+id: 41765104-e0bb-4caf-9d80-f0b76da82722
 status: experimental
 description: Detects potential network activity of Quest KACE Agent (formerly Dell KACE) RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/quest_kace_agent__formerly_dell_kace__processes_sigma.yml b/detections/sigma/quest_kace_agent__formerly_dell_kace__processes_sigma.yml
index e49c0595..dee1b86f 100644
--- a/detections/sigma/quest_kace_agent__formerly_dell_kace__processes_sigma.yml
+++ b/detections/sigma/quest_kace_agent__formerly_dell_kace__processes_sigma.yml
@@ -7,12 +7,12 @@ detection:
 ParentImage|endswith:
 - konea.exe
 condition: selection
-id: 940df660-0a64-4bf8-a995-82c9ed3dc7fa
+id: eda0239d-73f8-4440-98cb-f1fa957e42b4
 status: experimental
 description: Detects potential processes activity of Quest KACE Agent (formerly Dell KACE) RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/quick_assist_network_sigma.yml b/detections/sigma/quick_assist_network_sigma.yml
index 5c1834cb..58758017 100644
--- a/detections/sigma/quick_assist_network_sigma.yml
+++ b/detections/sigma/quick_assist_network_sigma.yml
@@ -7,11 +7,11 @@ detection:
 DestinationHostname|endswith:
 - '*.support.services.microsoft.com'
 condition: selection
-id: ef0bb107-4809-4b37-8f1a-ec10fed183d8
+id: 9608d135-d052-4723-ad00-89a3c9797416
 status: experimental
 description: Detects potential network activity of Quick Assist RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
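Review bot: The process rule keys only on `ParentImage|endswith: - konea.exe`, so it fires when the agent spawns a child process but not when the agent binary itself is started, which is usually the first signal of an RMM install on a host. Consider adding a second selection on `Image|endswith` with the same names and widening the condition, e.g. `condition: selection or selection_image` (name constructed here); the same parent-only pattern is visible in quick_assist_processes, rclone_processes, rdp2tcp_processes, rdpview_processes, remcos_processes, remote_desktop_plus_processes, royal_ts_processes, rport_processes and s3_browser_processes. The `selection:` block opens above this hunk, so for the two-item hunks the field line is not visible and may already differ.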
diff --git a/detections/sigma/quick_assist_processes_sigma.yml b/detections/sigma/quick_assist_processes_sigma.yml
index c451d804..69a37dae 100644
--- a/detections/sigma/quick_assist_processes_sigma.yml
+++ b/detections/sigma/quick_assist_processes_sigma.yml
@@ -7,11 +7,11 @@ detection:
 ParentImage|endswith:
 - quickassist.exe
 condition: selection
-id: 26360916-7bc0-4005-98ab-14595c87b6f2
+id: b263aa13-5bd2-4540-a32d-f33c21ec545c
 status: experimental
 description: Detects potential processes activity of Quick Assist RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/radmin_files_sigma.yml b/detections/sigma/radmin_files_sigma.yml
index 913f80f3..8a1e5d13 100644
--- a/detections/sigma/radmin_files_sigma.yml
+++ b/detections/sigma/radmin_files_sigma.yml
@@ -10,11 +10,11 @@ detection:
 - C:\Windows\System32\rserver30\CHATLOGS\*\*.htm
 - C:\Users\*\Documents\ChatLogs\*\*.htm
 condition: selection
-id: e464c51a-6a46-451c-9e35-22c26cf974c8
+id: a731af2c-02a3-40d0-8c86-e410c4c259cd
 status: experimental
 description: Detects potential files activity of RAdmin RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/radmin_network_sigma.yml b/detections/sigma/radmin_network_sigma.yml
index d7663a73..7c8c1fa2 100644
--- a/detections/sigma/radmin_network_sigma.yml
+++ b/detections/sigma/radmin_network_sigma.yml
@@ -7,11 +7,11 @@ detection:
 DestinationHostname|endswith:
 - radmin.com
 condition: selection
-id: 54af6cd0-c311-40ae-9e4b-9e51dc5d46be
+id: 2f743e87-b02b-4178-b327-c0047197e2cd
 status: experimental
 description: Detects potential network activity of RAdmin RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/radmin_processes_sigma.yml b/detections/sigma/radmin_processes_sigma.yml
index 90e8c4f5..c5c27f53 100644
--- a/detections/sigma/radmin_processes_sigma.yml
+++ b/detections/sigma/radmin_processes_sigma.yml
@@ -8,11 +8,11 @@ detection:
 - C:\Program Files (x86)\Radmin Viewer 3\Radmin.exe
 - C:\Windows\SysWOW64\rserver30\rserver3.exe
 condition: selection
-id: 603006fc-b5b3-41f4-8fbc-5a847ada9660
+id: b47e3faf-70e8-4067-b211-000156df756b
 status: experimental
 description: Detects potential processes activity of RAdmin RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/radmin_registry_sigma.yml b/detections/sigma/radmin_registry_sigma.yml
index 0fa88cb8..930d6970 100644
--- a/detections/sigma/radmin_registry_sigma.yml
+++ b/detections/sigma/radmin_registry_sigma.yml
@@ -8,11 +8,11 @@ detection:
 - HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin Security
 condition: selection
-id: 92949938-da53-4bc2-b6a7-279500b6dc32
+id: 239f1c2a-4f19-4c92-8ef5-5bbd9c367887
 status: experimental
 description: Detects potential registry activity of RAdmin RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/rapid7_network_sigma.yml b/detections/sigma/rapid7_network_sigma.yml
index f5bb3147..fb73a6e7 100644
--- a/detections/sigma/rapid7_network_sigma.yml
+++ b/detections/sigma/rapid7_network_sigma.yml
@@ -8,11 +8,11 @@ detection:
 - '*.analytics.insight.rapid7.com'
 - '*.endpoint.ingress.rapid7.com'
 condition: selection
-id: f8c9b88c-c245-47df-8440-b6ce62fcedfb
+id: 7f04155f-dc7e-4ed7-ad64-716130f1352e
 status: experimental
 description: Detects potential network activity of Rapid7 RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/rapid7_processes_sigma.yml b/detections/sigma/rapid7_processes_sigma.yml
index 7a5aacc1..d1573985 100644
--- a/detections/sigma/rapid7_processes_sigma.yml
+++ b/detections/sigma/rapid7_processes_sigma.yml
@@ -9,11 +9,11 @@ detection:
 - rapid7_agent_core.exe
 - rapid7_endpoint_broker.exe
 condition: selection
-id: f25540c6-ee87-4b05-a54a-92a946ef83dc
+id: 020a798c-246d-45fb-85bf-5df3be0cbf06
 status: experimental
 description: Detects potential processes activity of Rapid7 RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/rclone_processes_sigma.yml b/detections/sigma/rclone_processes_sigma.yml
index 7fad4e73..ef830c65 100644
--- a/detections/sigma/rclone_processes_sigma.yml
+++ b/detections/sigma/rclone_processes_sigma.yml
@@ -7,11 +7,11 @@ detection:
 ParentImage|endswith:
 - '*\rclone.exe'
 condition: selection
-id: a8d3f007-d640-4037-8824-50918c4f7f96
+id: d722606f-8f80-42b8-9ac2-1fb8d5cdb42e
 status: experimental
 description: Detects potential processes activity of rclone RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/rdp2tcp_network_sigma.yml b/detections/sigma/rdp2tcp_network_sigma.yml
index dcc391d8..0043f062 100644
--- a/detections/sigma/rdp2tcp_network_sigma.yml
+++ b/detections/sigma/rdp2tcp_network_sigma.yml
@@ -8,11 +8,11 @@ detection:
 - user_managed
 - github.com/V-E-O/rdp2tcp
 condition: selection
-id: c25f85bd-7b60-4f30-afd9-b46f5e2f73f8
+id: a378c29e-4c16-48a0-bf97-74cd91c1090e
 status: experimental
 description: Detects potential network activity of rdp2tcp RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/rdp2tcp_processes_sigma.yml b/detections/sigma/rdp2tcp_processes_sigma.yml
index 2bb9c8c8..e8f543d7 100644
--- a/detections/sigma/rdp2tcp_processes_sigma.yml
+++ b/detections/sigma/rdp2tcp_processes_sigma.yml
@@ -7,11 +7,11 @@ detection:
 ParentImage|endswith:
 - tdp2tcp.exe
 condition: selection
-id: e6616c93-a7d3-4a1e-8fa3-fd0f91c4a395
+id: a4f71aeb-9561-4483-b35b-267093abd3a0
 status: experimental
 description: Detects potential processes activity of rdp2tcp RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/rdpview_network_sigma.yml b/detections/sigma/rdpview_network_sigma.yml
index 0d086579..7a688a2c 100644
--- a/detections/sigma/rdpview_network_sigma.yml
+++ b/detections/sigma/rdpview_network_sigma.yml
@@ -8,11 +8,11 @@ detection:
 - user_managed
 - systemmanager.ru/dntu.en/rdp_view.htm
 condition: selection
-id: 2edfa714-43d0-4c14-aba4-c2957e159e3c
+id: 68ade31f-2e89-4455-af5a-f7ec0826ad39
 status: experimental
 description: Detects potential network activity of RDPView RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/rdpview_processes_sigma.yml b/detections/sigma/rdpview_processes_sigma.yml
index a9fb51e0..122c3639 100644
--- a/detections/sigma/rdpview_processes_sigma.yml
+++ b/detections/sigma/rdpview_processes_sigma.yml
@@ -7,11 +7,11 @@ detection:
 ParentImage|endswith:
 - dwrcs.exe
 condition: selection
-id: 5fdf254f-cbd3-4608-8566-220cb3cffae8
+id: 251045d0-56ca-4477-a089-7c7ccd0f7017
 status: experimental
 description: Detects potential processes activity of RDPView RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/rdpwrap_network_sigma.yml b/detections/sigma/rdpwrap_network_sigma.yml
index 66c6553c..3e5364c1 100644
--- a/detections/sigma/rdpwrap_network_sigma.yml
+++ b/detections/sigma/rdpwrap_network_sigma.yml
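Review bot: The selector value `tdp2tcp.exe` reads like a typo for `rdp2tcp.exe` (the companion rdp2tcp_network rule references `github.com/V-E-O/rdp2tcp`), so this rule cannot match the tool it is named after; the commit rotates the id and date but leaves the value as is. Suggested line: `- rdp2tcp.exe`. If the binary genuinely ships under the current name, a short comment in the rule source would spare the next reader the same double-take.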
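Review bot: `dwrcs.exe` under RDPView looks misattributed: DWRCS.exe is, as far as I know, the DameWare Mini Remote Control service executable rather than an RDPView component, so this rule would label DameWare activity as RDPView. Please verify the name against the tool's actual install footprint before the rule ships; if DameWare is the intended subject, it deserves its own rule file rather than living under the RDPView title and description.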
@@ -8,11 +8,11 @@ detection:
 - user_managed
 - github.com/stascorp/rdpwrap
 condition: selection
-id: 72469538-033e-4dbf-8bad-d1b9188fb431
+id: 572e0b60-49b2-436f-a35c-4d8124455479
 status: experimental
 description: Detects potential network activity of rdpwrap RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/rdpwrap_processes_sigma.yml b/detections/sigma/rdpwrap_processes_sigma.yml
index 83d16b04..5f8932e5 100644
--- a/detections/sigma/rdpwrap_processes_sigma.yml
+++ b/detections/sigma/rdpwrap_processes_sigma.yml
@@ -9,11 +9,11 @@ detection:
 - RDPCheck.exe
 - RDPConf.exe
 condition: selection
-id: 5897d163-5bd5-4456-b71e-f3ae36fe83ed
+id: fc73ff2a-3bdc-4b57-bec3-8eb9e1c2c833
 status: experimental
 description: Detects potential processes activity of rdpwrap RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/remcos_processes_sigma.yml b/detections/sigma/remcos_processes_sigma.yml
index b2a1813e..7573c41b 100644
--- a/detections/sigma/remcos_processes_sigma.yml
+++ b/detections/sigma/remcos_processes_sigma.yml
@@ -7,11 +7,11 @@ detection:
 ParentImage|endswith:
 - remcos*.exe
 condition: selection
-id: a0b580fc-d021-4a9a-8dfc-73b031abec78
+id: 18b30604-7121-43a5-9015-dcf63d2e6d0b
 status: experimental
 description: Detects potential processes activity of Remcos RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/remobo_network_sigma.yml b/detections/sigma/remobo_network_sigma.yml
index 1e950ae3..2b4d55ef 100644
--- a/detections/sigma/remobo_network_sigma.yml
+++ b/detections/sigma/remobo_network_sigma.yml
@@ -8,11 +8,11 @@ detection:
 - user_managed
 - remobo.en.softonic.com
 condition: selection
-id: ca71a43c-1423-4004-8a96-b789a80b1cc3
+id: 93e3bc0d-2fd2-4803-a4bd-06c3ce99dd6e
 status: experimental
 description: Detects potential network activity of Remobo RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/remobo_processes_sigma.yml b/detections/sigma/remobo_processes_sigma.yml
index 752206eb..90c2f8d6 100644
--- a/detections/sigma/remobo_processes_sigma.yml
+++ b/detections/sigma/remobo_processes_sigma.yml
@@ -9,11 +9,11 @@ detection:
 - remobo_client.exe
 - remobo_tracker.exe
 condition: selection
-id: 71349374-d006-4c54-bdeb-5aa4c797d4e5
+id: aba9003a-5514-4eea-a077-2b17cf760473
 status: experimental
 description: Detects potential processes activity of Remobo RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/remote.it_network_sigma.yml b/detections/sigma/remote.it_network_sigma.yml
index fadbcb2a..3be4d7ca 100644
--- a/detections/sigma/remote.it_network_sigma.yml
+++ b/detections/sigma/remote.it_network_sigma.yml
@@ -9,11 +9,11 @@ detection:
 - api.remote.it
 - remote.it
 condition: selection
-id: cad8e6ef-d128-406d-b0eb-b1f279715289
+id: 99b84fe2-27e5-4fc8-8da7-b11ee8e9dc36
 status: experimental
 description: Detects potential network activity of Remote.it RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/remote.it_processes_sigma.yml b/detections/sigma/remote.it_processes_sigma.yml
index 301cf7b0..89035ef8 100644
--- a/detections/sigma/remote.it_processes_sigma.yml
+++ b/detections/sigma/remote.it_processes_sigma.yml
@@ -9,11 +9,11 @@ detection:
 - remote.it.exe
 - remoteit.exe
 condition: selection
-id: 5bde239f-c0ed-4a62-8a48-0098b2bc135a
+id: 38279ba5-0030-43ca-a724-b631f7080888
 status: experimental
 description: Detects potential processes activity of Remote.it RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/remote_desktop_plus_network_sigma.yml b/detections/sigma/remote_desktop_plus_network_sigma.yml
index 33c18128..c5a67009 100644
--- a/detections/sigma/remote_desktop_plus_network_sigma.yml
+++ b/detections/sigma/remote_desktop_plus_network_sigma.yml
@@ -7,11 +7,11 @@ detection:
 DestinationHostname|endswith:
 - donkz.nl
 condition: selection
-id: 8d6e63bc-0f07-4720-887b-55ca3681d866
+id: 0234d2e6-d57e-49a3-898f-bee1543163c5
 status: experimental
 description: Detects potential network activity of Remote Desktop Plus RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/remote_desktop_plus_processes_sigma.yml b/detections/sigma/remote_desktop_plus_processes_sigma.yml
index 8b0ca98e..d53c680f 100644
--- a/detections/sigma/remote_desktop_plus_processes_sigma.yml
+++ b/detections/sigma/remote_desktop_plus_processes_sigma.yml
@@ -7,11 +7,11 @@ detection:
 ParentImage|endswith:
 - rdp.exe
 condition: selection
-id: 5ebbc977-79f7-416d-a0be-6bde707ea877
+id: 628b038a-8b36-481f-be3d-4ca385aea7be
 status: experimental
 description: Detects potential processes activity of Remote Desktop Plus RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/remote_manipulator_system_network_sigma.yml b/detections/sigma/remote_manipulator_system_network_sigma.yml
index 056afaff..b4a7d1a1 100644
--- a/detections/sigma/remote_manipulator_system_network_sigma.yml
+++ b/detections/sigma/remote_manipulator_system_network_sigma.yml
@@ -8,11 +8,11 @@ detection:
 - '*.internetid.ru'
 - rmansys.ru
 condition: selection
-id: e6ceaa1d-4b94-4e3e-af7f-233af7f4a074
+id: ade1656e-2425-423d-ab31-d97438ed9c8f
 status: experimental
 description: Detects potential network activity of Remote Manipulator System RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/remote_manipulator_system_processes_sigma.yml b/detections/sigma/remote_manipulator_system_processes_sigma.yml
index d391458d..f333a463 100644
--- a/detections/sigma/remote_manipulator_system_processes_sigma.yml
+++ b/detections/sigma/remote_manipulator_system_processes_sigma.yml
@@ -8,12 +8,12 @@ detection:
 - rfusclient.exe
 - rutserv.exe
 condition: selection
-id: 9ef0d1d2-f5cf-46d6-9ff1-21a62c688322
+id: 358291ff-ba8b-4422-858c-7a9e321a527d
 status: experimental
 description: Detects potential processes activity of Remote Manipulator System RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/remote_utilities_network_sigma.yml b/detections/sigma/remote_utilities_network_sigma.yml
index 7b2e214b..4e093c8e 100644
--- a/detections/sigma/remote_utilities_network_sigma.yml
+++ b/detections/sigma/remote_utilities_network_sigma.yml
@@ -7,11 +7,11 @@ detection:
 DestinationHostname|endswith:
 - '*.internetid.ru'
 condition: selection
-id: 739d6520-282b-4da3-a81e-804e0d42969b
+id: 99a2b4e7-a1ee-40ff-8133-088df4428c1b
 status: experimental
 description: Detects potential network activity of Remote Utilities RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/remote_utilities_processes_sigma.yml b/detections/sigma/remote_utilities_processes_sigma.yml
index c452e414..e7b7a472 100644
--- a/detections/sigma/remote_utilities_processes_sigma.yml
+++ b/detections/sigma/remote_utilities_processes_sigma.yml
@@ -8,11 +8,11 @@ detection:
 - rutview.exe
 - rutserv.exe
 condition: selection
-id: 6d3f8b2a-0895-463c-aaa7-ffc50088cf4a
+id: 25341a7d-f001-4a8b-89ae-dec90cbe3817
 status: experimental
 description: Detects potential processes activity of Remote Utilities RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/remotecall_network_sigma.yml b/detections/sigma/remotecall_network_sigma.yml
index 485f4ae1..89c5e3fc 100644
--- a/detections/sigma/remotecall_network_sigma.yml
+++ b/detections/sigma/remotecall_network_sigma.yml
@@ -9,11 +9,11 @@ detection:
 - '*.startsupport.com'
 - remotecall.com
 condition: selection
-id: 1cbbab9a-2f1f-4431-83f0-289879a2617c
+id: 79c87892-d0a9-4a57-836b-d4ee63ec5187
 status: experimental
 description: Detects potential network activity of RemoteCall RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/remotecall_processes_sigma.yml b/detections/sigma/remotecall_processes_sigma.yml
index e524ad20..0d300fbf 100644
--- a/detections/sigma/remotecall_processes_sigma.yml
+++ b/detections/sigma/remotecall_processes_sigma.yml
@@ -13,11 +13,11 @@ detection:
 - agentu.exe
 - remotesupportplayeru.exe
 condition: selection
-id: 5e36e48c-f001-4058-9660-910bdc8c92fb
+id: 31a0b59a-c838-485a-8e60-c8d428f1c812
 status: experimental
 description: Detects potential processes activity of RemoteCall RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/remotepass_network_sigma.yml b/detections/sigma/remotepass_network_sigma.yml
index 73c7e1d0..cc2bf89f 100644
--- a/detections/sigma/remotepass_network_sigma.yml
+++ b/detections/sigma/remotepass_network_sigma.yml
@@ -7,11 +7,11 @@ detection:
 DestinationHostname|endswith:
 - remotepass.com
 condition: selection
-id: bf1cc13b-925a-4546-b827-12e94c167f10
+id: 82fd5bc7-0dad-4558-950d-1833b2325333
 status: experimental
 description: Detects potential network activity of RemotePass RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/remotepass_processes_sigma.yml b/detections/sigma/remotepass_processes_sigma.yml
index ccbc838b..4bc5b328 100644
--- a/detections/sigma/remotepass_processes_sigma.yml
+++ b/detections/sigma/remotepass_processes_sigma.yml
@@ -9,11 +9,11 @@ detection:
 - rpaccess.exe
 - rpwhostscr.exe
 condition: selection
-id: 791c9377-5187-4bd3-b448-f89357e432a2
+id: f525d157-826e-472f-9800-9e5b08d3e430
 status: experimental
 description: Detects potential processes activity of RemotePass RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/remotepc_network_sigma.yml b/detections/sigma/remotepc_network_sigma.yml
index 7335ce36..95ca28aa 100644
--- a/detections/sigma/remotepc_network_sigma.yml
+++ b/detections/sigma/remotepc_network_sigma.yml
@@ -10,11 +10,11 @@ detection:
 - www.remotepc.com
 - remotepc.com
 condition: selection
-id: 340f2c24-b35b-4082-bccc-1193e459ba85
+id: fa8e726b-d853-4ac5-9d88-905be2962b0b
 status: experimental
 description: Detects potential network activity of RemotePC RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/remotepc_processes_sigma.yml b/detections/sigma/remotepc_processes_sigma.yml
index a58fcb9b..7b32276a 100644
--- a/detections/sigma/remotepc_processes_sigma.yml
+++ b/detections/sigma/remotepc_processes_sigma.yml
@@ -12,11 +12,11 @@ detection:
 - '*\RemotePCService.exe'
 - RemotePCService.exe
 condition: selection
-id: 6fd12cf3-4020-4aa8-b200-dfd538f16c0d
+id: 5afe5393-d9b5-47e6-a332-a32ba5f07fea
 status: experimental
 description: Detects potential processes activity of RemotePC RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/remoteutilities_network_sigma.yml b/detections/sigma/remoteutilities_network_sigma.yml
index ae4b56d6..4885598a 100644
--- a/detections/sigma/remoteutilities_network_sigma.yml
+++ b/detections/sigma/remoteutilities_network_sigma.yml
@@ -7,11 +7,11 @@ detection:
 DestinationHostname|endswith:
 - remoteutilities.com
 condition: selection
-id: 344e66ba-237a-429a-9152-2aeb17227bb0
+id: 073bc5bd-92d0-46ee-b021-cc17b9aa9d5a
 status: experimental
 description: Detects potential network activity of RemoteUtilities RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/remoteutilities_processes_sigma.yml b/detections/sigma/remoteutilities_processes_sigma.yml
index a22db474..68bb5a20 100644
--- a/detections/sigma/remoteutilities_processes_sigma.yml
+++ b/detections/sigma/remoteutilities_processes_sigma.yml
@@ -9,11 +9,11 @@ detection:
 - rutserv.exe
 - '*\rutserv.exe'
 condition: selection
-id: f888d1d6-fca9-4907-abda-2b145fb29c40
+id: 2f17d129-5b12-40a4-a603-72f0e378057d
 status: experimental
 description: Detects potential processes activity of RemoteUtilities RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/remoteview_network_sigma.yml b/detections/sigma/remoteview_network_sigma.yml
index dba7900c..d3c6b9d9 100644
--- a/detections/sigma/remoteview_network_sigma.yml
+++ b/detections/sigma/remoteview_network_sigma.yml
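Review bot: remoteutilities_processes and remote_utilities_processes (two hunks earlier) both match `rutserv.exe`, and remote_manipulator_system_processes matches it as well, so a single process start raises three alerts for what appears to be one product family; the same three-way overlap exists between remoteutilities_network, remote_utilities_network and remote_manipulator_system_network on the `internetid.ru` / `remoteutilities.com` hostnames. Consolidating into one rule per tool, or at minimum linking the duplicates through `related: - id: <other rule id> type: similar`, would keep alert volume and the rule count honest. Separately, `'*\rutserv.exe'` is redundant next to `rutserv.exe` under `|endswith`, since the modifier already anchors on the suffix.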
@@ -9,11 +9,11 @@ detection:
 - '*.rview.com'
 - content.rview.com
 condition: selection
-id: 67692309-c9e7-40ce-bdc5-88f5fc9c705f
+id: f9311795-53c6-4b41-8633-2dd5848a5aaf
 status: experimental
 description: Detects potential network activity of RemoteView RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/remoteview_processes_sigma.yml b/detections/sigma/remoteview_processes_sigma.yml
index 64c9624e..b53127e1 100644
--- a/detections/sigma/remoteview_processes_sigma.yml
+++ b/detections/sigma/remoteview_processes_sigma.yml
@@ -10,11 +10,11 @@ detection:
 - rvagent.exe
 - rvagtray.exe
 condition: selection
-id: 653f6d79-85af-4014-8f3b-7a7f155871e3
+id: 6f0bead3-a60a-4f69-934c-72de73a18d10
 status: experimental
 description: Detects potential processes activity of RemoteView RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/res_automation_manager_network_sigma.yml b/detections/sigma/res_automation_manager_network_sigma.yml
index 533b6f9a..8d9e2381 100644
--- a/detections/sigma/res_automation_manager_network_sigma.yml
+++ b/detections/sigma/res_automation_manager_network_sigma.yml
@@ -8,11 +8,11 @@ detection:
 - user_managed
 - ivanti.com/
 condition: selection
-id: eb1d5a1f-77b9-4d5b-ad4e-403595dc0ec8
+id: c04bd4ba-7b7a-46a2-8eb0-0abf217e7122
 status: experimental
 description: Detects potential network activity of RES Automation Manager RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/res_automation_manager_processes_sigma.yml b/detections/sigma/res_automation_manager_processes_sigma.yml
index ae901867..682dba16 100644
--- a/detections/sigma/res_automation_manager_processes_sigma.yml
+++ b/detections/sigma/res_automation_manager_processes_sigma.yml
@@ -10,11 +10,11 @@ detection:
 - wmc_deployer.exe
 - wmcsvc.exe
 condition: selection
-id: 639e971d-ec16-4286-9ba5-c84d41d25669
+id: 556b34bd-f79f-4227-9d8c-bd628620f472
 status: experimental
 description: Detects potential processes activity of RES Automation Manager RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/rocket_remote_desktop_processes_sigma.yml b/detections/sigma/rocket_remote_desktop_processes_sigma.yml
index 48985ca4..e5d45285 100644
--- a/detections/sigma/rocket_remote_desktop_processes_sigma.yml
+++ b/detections/sigma/rocket_remote_desktop_processes_sigma.yml
@@ -8,11 +8,11 @@ detection:
 - RDConsole.exe
 - RocketRemoteDesktop_Setup.exe
 condition: selection
-id: b781922e-bd33-43df-bf08-9333e175f293
+id: ffe2edfb-5ae7-4817-a2c0-644f1e22a5b0
 status: experimental
 description: Detects potential processes activity of Rocket Remote Desktop RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/royal_apps_network_sigma.yml b/detections/sigma/royal_apps_network_sigma.yml
index b5f6032c..93f3b378 100644
--- a/detections/sigma/royal_apps_network_sigma.yml
+++ b/detections/sigma/royal_apps_network_sigma.yml
@@ -7,11 +7,11 @@ detection:
 DestinationHostname|endswith:
 - user_managed
 condition: selection
-id: d50c3772-ac44-4dfe-9a7f-8f15a6a87145
+id: 6c1927ed-a2c9-46de-9ed0-095b1e64ca66
 status: experimental
 description: Detects potential network activity of Royal Apps RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/royal_apps_processes_sigma.yml b/detections/sigma/royal_apps_processes_sigma.yml
index 1248cbbb..0e8d91ab 100644
--- a/detections/sigma/royal_apps_processes_sigma.yml
+++ b/detections/sigma/royal_apps_processes_sigma.yml
@@ -8,11 +8,11 @@ detection:
 - royalserver.exe
 - royalts.exe
 condition: selection
-id: fff6feab-baa5-4edf-8c00-8287d998f22e
+id: ab8415ac-55c4-483d-8843-96742a18aa14
 status: experimental
 description: Detects potential processes activity of Royal Apps RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/royal_server_network_sigma.yml b/detections/sigma/royal_server_network_sigma.yml
index 9cdde587..33f1b99a 100644
--- a/detections/sigma/royal_server_network_sigma.yml
+++ b/detections/sigma/royal_server_network_sigma.yml
@@ -7,11 +7,11 @@ detection:
 DestinationHostname|endswith:
 - royalapps.com
 condition: selection
-id: e4efda53-eb11-4928-9d1e-728e594e95cc
+id: 74218c9f-58b7-44c2-a820-e19e6a7dd939
 status: experimental
 description: Detects potential network activity of Royal Server RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/royal_ts_network_sigma.yml b/detections/sigma/royal_ts_network_sigma.yml
index 97a484e6..ec7a8e01 100644
--- a/detections/sigma/royal_ts_network_sigma.yml
+++ b/detections/sigma/royal_ts_network_sigma.yml
@@ -7,11 +7,11 @@ detection:
 DestinationHostname|endswith:
 - royalapps.com
 condition: selection
-id: 4b728567-ea5c-47d2-98ae-d2376b0b1b8a
+id: 6b0eb373-eb26-4648-84e3-cfd0259bbd8e
 status: experimental
 description: Detects potential network activity of Royal TS RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/royal_ts_processes_sigma.yml b/detections/sigma/royal_ts_processes_sigma.yml
index 21fab54b..206bdd61 100644
--- a/detections/sigma/royal_ts_processes_sigma.yml
+++ b/detections/sigma/royal_ts_processes_sigma.yml
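Review bot: royal_ts_network and royal_server_network are identical apart from title, id and description — both select `DestinationHostname|endswith: - royalapps.com` — so every connection to that domain fires twice with no way to tell the products apart, and royal_apps_network in the same family carries only the `user_managed` placeholder and fires never. Unless the two tools have distinguishable hostnames, fold the three into one Royal Apps network rule and record the retired ids via `related` so downstream consumers can map old alerts to the merged rule.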
@@ -7,11 +7,11 @@ detection:
 ParentImage|endswith:
 - royalts.exe
 condition: selection
-id: f6b58ad2-cafb-40be-93dd-515c43674019
+id: 5a1504da-daca-4287-995f-3b911f517848
 status: experimental
 description: Detects potential processes activity of Royal TS RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/rport_network_sigma.yml b/detections/sigma/rport_network_sigma.yml
index b4b27884..db75f929 100644
--- a/detections/sigma/rport_network_sigma.yml
+++ b/detections/sigma/rport_network_sigma.yml
@@ -8,11 +8,11 @@ detection:
 - user_managed
 - rport.io
 condition: selection
-id: 5327298d-6448-4a92-9882-3ba955c968c0
+id: 61cccc5f-5847-446b-a421-6a0ac02375ee
 status: experimental
 description: Detects potential network activity of RPort RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/rport_processes_sigma.yml b/detections/sigma/rport_processes_sigma.yml
index 10c7c4d2..610d5bae 100644
--- a/detections/sigma/rport_processes_sigma.yml
+++ b/detections/sigma/rport_processes_sigma.yml
@@ -7,11 +7,11 @@ detection:
 ParentImage|endswith:
 - rport.exe
 condition: selection
-id: 148de890-e4b6-4d14-9464-fb1c55c0ed70
+id: 0a914737-0a66-4bfb-98f4-4f6e46c25f86
 status: experimental
 description: Detects potential processes activity of RPort RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/rudesktop_network_sigma.yml b/detections/sigma/rudesktop_network_sigma.yml
index b7747668..d716c593 100644
--- a/detections/sigma/rudesktop_network_sigma.yml
+++ b/detections/sigma/rudesktop_network_sigma.yml
@@ -8,11 +8,11 @@ detection:
 - '*.rudesktop.ru'
 - rudesktop.ru
 condition: selection
-id: 24f7d5ef-b4b9-4c86-b32d-ca0e8a0204f5
+id: 3a37ab9b-197e-4d4d-8cb1-43c8cbe70298
 status: experimental
 description: Detects potential network activity of RuDesktop RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/rudesktop_processes_sigma.yml b/detections/sigma/rudesktop_processes_sigma.yml
index fac8ae1a..6a1c6eae 100644
--- a/detections/sigma/rudesktop_processes_sigma.yml
+++ b/detections/sigma/rudesktop_processes_sigma.yml
@@ -8,11 +8,11 @@ detection:
 - rd.exe
 - rudesktop*.exe
 condition: selection
-id: 490a6bd7-7f44-44d7-a102-7d4efabb03ee
+id: 26af703f-9c35-4356-a7d5-01a61b9e981f
 status: experimental
 description: Detects potential processes activity of RuDesktop RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/runsmart_network_sigma.yml b/detections/sigma/runsmart_network_sigma.yml
index 5aa9ade5..02cd1322 100644
--- a/detections/sigma/runsmart_network_sigma.yml
+++ b/detections/sigma/runsmart_network_sigma.yml
@@ -7,11 +7,11 @@ detection:
 DestinationHostname|endswith:
 - runsmart.io
 condition: selection
-id: ccc25e14-d20c-44f5-8c49-351e584ec3be
+id: c95bdc66-f183-4eed-9c0a-8278185269bf
 status: experimental
 description: Detects potential network activity of RunSmart RMM tool
 author: LOLRMM Project
-date: 2024/08/05
+date: 2024/08/07
 tags:
 - attack.execution
 - attack.t1219
diff --git a/detections/sigma/rustdesk_network_sigma.yml b/detections/sigma/rustdesk_network_sigma.yml
index 4d1fbddd..91fe151d 100644
--- a/detections/sigma/rustdesk_network_sigma.yml
+++ b/detections/sigma/rustdesk_network_sigma.yml
@@ -9,11 +9,11 @@ detection: - user_managed - web.rustdesk.com condition: selection -id: 69fa67ae-7e43-4bf6-a4d8-69923f1c970a +id: 9dfd4863-c198-462d-95d4-44c654d3a6b4 status: experimental description: Detects potential network activity of RustDesk RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/rustdesk_processes_sigma.yml b/detections/sigma/rustdesk_processes_sigma.yml index f8722105..b44b06dd 100644 --- a/detections/sigma/rustdesk_processes_sigma.yml +++ b/detections/sigma/rustdesk_processes_sigma.yml @@ -8,11 +8,11 @@ detection: - rustdesk*.exe - rustdesk.exe condition: selection -id: 05bf5bfd-36f9-446c-9c0c-cfb16684ad23 +id: c586fb90-dabc-4b16-b0b3-f6b0f6024b91 status: experimental description: Detects potential processes activity of RustDesk RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/s3_browser_processes_sigma.yml b/detections/sigma/s3_browser_processes_sigma.yml index a516ee61..406d2f50 100644 --- a/detections/sigma/s3_browser_processes_sigma.yml +++ b/detections/sigma/s3_browser_processes_sigma.yml @@ -7,11 +7,11 @@ detection: ParentImage|endswith: - '*\s3browser*.exe' condition: selection -id: f67a2571-7d02-4f20-8e39-8a94727c17c9 +id: 578521d9-c5ea-4acb-848b-137796c5bd3a status: experimental description: Detects potential processes activity of S3 Browser RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/screenconnect_files_sigma.yml b/detections/sigma/screenconnect_files_sigma.yml index 788f4ac4..b032c27f 100644 --- a/detections/sigma/screenconnect_files_sigma.yml +++ b/detections/sigma/screenconnect_files_sigma.yml 
@@ -9,11 +9,11 @@ detection: - C:\Program Files*\ScreenConnect\App_Data\User.xml - C:\ProgramData\ScreenConnect Client*\user.config condition: selection -id: 7946b8d4-9321-4ee7-916c-d7de92832038 +id: adb2440e-8700-4ab3-9a1a-6b761826955f status: experimental description: Detects potential files activity of ScreenConnect RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/screenconnect_network_sigma.yml b/detections/sigma/screenconnect_network_sigma.yml index 7ec3e404..f6e6e7f0 100644 --- a/detections/sigma/screenconnect_network_sigma.yml +++ b/detections/sigma/screenconnect_network_sigma.yml @@ -9,11 +9,11 @@ detection: - '*.connectwise.com' - '*.screenconnect.com' condition: selection -id: 8369b67f-a422-4ccf-bed5-150032ea38c7 +id: 745f1940-e16c-42f5-87bb-66f342e0dba8 status: experimental description: Detects potential network activity of ScreenConnect RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/screenconnect_processes_sigma.yml b/detections/sigma/screenconnect_processes_sigma.yml index 61d3b0c9..d7d5ff26 100644 --- a/detections/sigma/screenconnect_processes_sigma.yml +++ b/detections/sigma/screenconnect_processes_sigma.yml @@ -18,11 +18,11 @@ detection: - screenconnect.windowsclient.exe - screenconnect.clientservice.exe condition: selection -id: db8b0664-603b-497e-a86e-02b545ace4ca +id: bc9c7d89-4f55-4a5b-beb2-e4f6ad488fec status: experimental description: Detects potential processes activity of ScreenConnect RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/screenmeet_network_sigma.yml b/detections/sigma/screenmeet_network_sigma.yml index 6abd584b..f7c61081 100644 --- a/detections/sigma/screenmeet_network_sigma.yml +++ b/detections/sigma/screenmeet_network_sigma.yml 
@@ -8,11 +8,11 @@ detection: - '*.screenmeet.com' - '*.scrn.mt' condition: selection -id: 7d29b8a4-7a01-4cf8-aead-2f2f415ab219 +id: 8a5e7ba1-65ff-4f55-a524-62411a667b65 status: experimental description: Detects potential network activity of ScreenMeet RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/screenmeet_processes_sigma.yml b/detections/sigma/screenmeet_processes_sigma.yml index 3ddf07b2..60a2546c 100644 --- a/detections/sigma/screenmeet_processes_sigma.yml +++ b/detections/sigma/screenmeet_processes_sigma.yml @@ -8,11 +8,11 @@ detection: - ScreenMeetSupport.exe - ScreenMeet.Support.exe condition: selection -id: fb392741-397f-451c-8cff-3e847fa381dc +id: 613fe1d2-7cb9-4de8-9cf4-99eaf7798277 status: experimental description: Detects potential processes activity of ScreenMeet RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/securecrt_processes_sigma.yml b/detections/sigma/securecrt_processes_sigma.yml index 5258286d..47b06ffa 100644 --- a/detections/sigma/securecrt_processes_sigma.yml +++ b/detections/sigma/securecrt_processes_sigma.yml @@ -8,11 +8,11 @@ detection: - C:\*\SecureCRT.EXE - '*\SecureCRT.EXE' condition: selection -id: 62857972-bb15-4d01-8cc6-b083b3106033 +id: 2061644f-6016-4f64-8c09-111c8e6422fe status: experimental description: Detects potential processes activity of SecureCRT RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/seetrol_network_sigma.yml b/detections/sigma/seetrol_network_sigma.yml index 9e81c616..b3a7f150 100644 --- a/detections/sigma/seetrol_network_sigma.yml +++ b/detections/sigma/seetrol_network_sigma.yml 
@@ -7,11 +7,11 @@ detection: DestinationHostname|endswith: - seetrol.co.kr condition: selection -id: 90dc26d8-355a-4a02-95fd-5614f8b1a9e3 +id: 7c4f13a7-2112-432b-9ba4-bbcf9ed5d985 status: experimental description: Detects potential network activity of Seetrol RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/seetrol_processes_sigma.yml b/detections/sigma/seetrol_processes_sigma.yml index 243771eb..6ecc573b 100644 --- a/detections/sigma/seetrol_processes_sigma.yml +++ b/detections/sigma/seetrol_processes_sigma.yml @@ -11,11 +11,11 @@ detection: - seetrolremote.exe - seetrolsetting.exe condition: selection -id: 13298822-dd6b-4d97-94ce-11c1d01895d0 +id: c958ff14-82e4-43b4-9b64-e150fc85144c status: experimental description: Detects potential processes activity of Seetrol RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/senso.cloud_network_sigma.yml b/detections/sigma/senso.cloud_network_sigma.yml index 0a46347f..8a239c8e 100644 --- a/detections/sigma/senso.cloud_network_sigma.yml +++ b/detections/sigma/senso.cloud_network_sigma.yml @@ -8,11 +8,11 @@ detection: - '*.senso.cloud' - senso.cloud condition: selection -id: 8ca2efd7-9525-45c5-8109-41983d5a5326 +id: 442fed01-60ef-4b36-996a-9dcaca32fe48 status: experimental description: Detects potential network activity of Senso.cloud RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/senso.cloud_processes_sigma.yml b/detections/sigma/senso.cloud_processes_sigma.yml index b0d86548..98eaac7e 100644 --- a/detections/sigma/senso.cloud_processes_sigma.yml +++ b/detections/sigma/senso.cloud_processes_sigma.yml 
@@ -9,11 +9,11 @@ detection: - SensoService.exe - aadg.exe condition: selection -id: 15130ca1-18d6-4064-a888-77a151630aa3 +id: 5d9ac385-c633-4d68-b713-0b4067fc223e status: experimental description: Detects potential processes activity of Senso.cloud RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/servereye_network_sigma.yml b/detections/sigma/servereye_network_sigma.yml index dabd02df..6eac92e2 100644 --- a/detections/sigma/servereye_network_sigma.yml +++ b/detections/sigma/servereye_network_sigma.yml @@ -7,11 +7,11 @@ detection: DestinationHostname|endswith: - '*.server-eye.de' condition: selection -id: b867eeea-bea0-4148-b5d9-24df9e67b700 +id: cb61655a-fb52-45a6-97a7-8de1f1320c2a status: experimental description: Detects potential network activity of ServerEye RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/servereye_processes_sigma.yml b/detections/sigma/servereye_processes_sigma.yml index 7fba2b49..2965f3b2 100644 --- a/detections/sigma/servereye_processes_sigma.yml +++ b/detections/sigma/servereye_processes_sigma.yml @@ -8,11 +8,11 @@ detection: - servereye*.exe - ServiceProxyLocalSys.exe condition: selection -id: abb42680-66bf-4e6f-9f08-ea0290b09953 +id: a50f03f8-3431-42b6-96a0-ce50a88d4ef8 status: experimental description: Detects potential processes activity of ServerEye RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/showmypc_network_sigma.yml b/detections/sigma/showmypc_network_sigma.yml index 23ecbce8..a10716ea 100644 --- a/detections/sigma/showmypc_network_sigma.yml +++ b/detections/sigma/showmypc_network_sigma.yml 
@@ -8,11 +8,11 @@ detection: - '*.showmypc.com' - showmypc.com condition: selection -id: 9a5c062f-4a66-4c04-9670-7495b14acb89 +id: b5e51b9f-67b9-4e77-8dea-93de4f367a8d status: experimental description: Detects potential network activity of ShowMyPC RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/showmypc_processes_sigma.yml b/detections/sigma/showmypc_processes_sigma.yml index 97da116f..71f2ecbf 100644 --- a/detections/sigma/showmypc_processes_sigma.yml +++ b/detections/sigma/showmypc_processes_sigma.yml @@ -10,11 +10,11 @@ detection: - showmypc.exe - smpcsetup.exe condition: selection -id: ba5a0a1e-085c-4a59-94b0-fe6188bc914e +id: d4ccc591-a330-4be4-bbf1-f2168cdfb166 status: experimental description: Detects potential processes activity of ShowMyPC RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/simplehelp_network_sigma.yml b/detections/sigma/simplehelp_network_sigma.yml index ab5e2b51..80d66dd8 100644 --- a/detections/sigma/simplehelp_network_sigma.yml +++ b/detections/sigma/simplehelp_network_sigma.yml @@ -8,11 +8,11 @@ detection: - user_managed - simple-help.com condition: selection -id: e45efa45-c836-42c7-b259-8acf6371d472 +id: 79838aad-36c1-4ca7-b3f4-9f5334d242ae status: experimental description: Detects potential network activity of SimpleHelp RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/simplehelp_processes_sigma.yml b/detections/sigma/simplehelp_processes_sigma.yml index 8ffd7ebd..5135489d 100644 --- a/detections/sigma/simplehelp_processes_sigma.yml +++ b/detections/sigma/simplehelp_processes_sigma.yml 
@@ -11,11 +11,11 @@ detection: - remote access.exe - windowslauncher.exe condition: selection -id: fc385326-9703-4e2c-bd37-cd44115e2ae7 +id: a9f963f8-d1f7-482e-a72d-d61ba2a8cfd5 status: experimental description: Detects potential processes activity of SimpleHelp RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/site24x7_network_sigma.yml b/detections/sigma/site24x7_network_sigma.yml index 66b8f3be..e8da51c9 100644 --- a/detections/sigma/site24x7_network_sigma.yml +++ b/detections/sigma/site24x7_network_sigma.yml @@ -12,11 +12,11 @@ detection: - plus*.site24x7.net.au - site24x7.com/msp condition: selection -id: a050e16b-7d1e-41bc-8fe7-dc185bc8b065 +id: d81c6910-6e18-47ad-84f1-eca46efba94e status: experimental description: Detects potential network activity of Site24x7 RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/site24x7_processes_sigma.yml b/detections/sigma/site24x7_processes_sigma.yml index 250d6c98..66a76baa 100644 --- a/detections/sigma/site24x7_processes_sigma.yml +++ b/detections/sigma/site24x7_processes_sigma.yml @@ -10,11 +10,11 @@ detection: - Site24x7WindowsAgentTrayIcon.exe - Site24x7PluginAgent.exe condition: selection -id: bf19a09d-d750-44ae-b020-6d0eef91aef3 +id: 9d04b875-51f1-4a55-8ce7-56e9a8af5b63 status: experimental description: Detects potential processes activity of Site24x7 RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/skyfex_network_sigma.yml b/detections/sigma/skyfex_network_sigma.yml index 3aaf6711..00abd743 100644 --- a/detections/sigma/skyfex_network_sigma.yml +++ b/detections/sigma/skyfex_network_sigma.yml 
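Review bot: `site24x7.com/msp` in the site24x7_network_sigma.yml selection contains a URL path, but `DestinationHostname|endswith` is compared against a bare hostname, so this entry cannot match on any backend; the sophos-remote_management_system_network hunk (`community.sophos.com/on-premise-endpoint/...`) and the tanium_deploy_network hunk (`tanium.com/products/tanium-deploy`) have the same defect. If the values come from source URLs, the generator should reduce each one to its host component before emitting it, e.g. `value.split('/', 1)[0]`, and reject entries that still contain a `/`.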
@@ -9,11 +9,11 @@ detection: - deskroll.com - '*.deskroll.com' condition: selection -id: 909be690-22c1-4f58-a5cf-48a7bf64af6b +id: 9576d699-5443-4d7b-b464-e2443de129b3 status: experimental description: Detects potential network activity of SkyFex RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/skyfex_processes_sigma.yml b/detections/sigma/skyfex_processes_sigma.yml index 074eff86..b35be243 100644 --- a/detections/sigma/skyfex_processes_sigma.yml +++ b/detections/sigma/skyfex_processes_sigma.yml @@ -8,11 +8,11 @@ detection: - Deskroll.exe - DeskRollUA.exe condition: selection -id: b0e062f7-424f-4bb4-926e-394a6b6583d3 +id: 6a2573e2-7550-4caf-927b-ed8f490a68b7 status: experimental description: Detects potential processes activity of SkyFex RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/smartty_processes_sigma.yml b/detections/sigma/smartty_processes_sigma.yml index f0705077..b86fb841 100644 --- a/detections/sigma/smartty_processes_sigma.yml +++ b/detections/sigma/smartty_processes_sigma.yml @@ -7,11 +7,11 @@ detection: ParentImage|endswith: - '*\SmarTTY.exe' condition: selection -id: b6c62549-30e5-4a85-8bc5-5c89149e82da +id: adb38ae5-f722-4cf0-92ea-881354509552 status: experimental description: Detects potential processes activity of SmarTTY RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/solar-putty_processes_sigma.yml b/detections/sigma/solar-putty_processes_sigma.yml index 5402a8ff..a03d48df 100644 --- a/detections/sigma/solar-putty_processes_sigma.yml +++ b/detections/sigma/solar-putty_processes_sigma.yml 
@@ -7,11 +7,11 @@ detection: ParentImage|endswith: - '*\Solar-PuTTY.exe' condition: selection -id: b1c81fc5-b27c-4c42-8fd0-f9e3e60deed3 +id: f97f2561-15d9-4649-a34c-ca25cb71ad2e status: experimental description: Detects potential processes activity of Solar-PuTTY RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/sophos-remote_management_system_network_sigma.yml b/detections/sigma/sophos-remote_management_system_network_sigma.yml index c2bdcc98..4bf2215a 100644 --- a/detections/sigma/sophos-remote_management_system_network_sigma.yml +++ b/detections/sigma/sophos-remote_management_system_network_sigma.yml @@ -10,12 +10,12 @@ detection: - '*.sophosupd.net' - community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system condition: selection -id: 5c6fccbd-c8ff-44fd-ad83-75635b48b68e +id: 78b4d010-29f8-4fea-b406-c2c335039e41 status: experimental description: Detects potential network activity of Sophos-Remote Management System RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/sophos-remote_management_system_processes_sigma.yml b/detections/sigma/sophos-remote_management_system_processes_sigma.yml index afc99b82..bc373a95 100644 --- a/detections/sigma/sophos-remote_management_system_processes_sigma.yml +++ b/detections/sigma/sophos-remote_management_system_processes_sigma.yml @@ -9,12 +9,12 @@ detection: - mgntsvc.exe - routernt.exe condition: selection -id: a9b5ed5c-d618-4940-8f88-7f4f5560c1c8 +id: e01d827a-4e75-484d-bbc5-c5c5179f56a4 status: experimental description: Detects potential processes activity of Sophos-Remote Management System RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 
diff --git a/detections/sigma/sorillus_network_sigma.yml b/detections/sigma/sorillus_network_sigma.yml index 44916b01..67e11493 100644 --- a/detections/sigma/sorillus_network_sigma.yml +++ b/detections/sigma/sorillus_network_sigma.yml @@ -8,11 +8,11 @@ detection: - '*.sorillus.com' - sorillus.com condition: selection -id: da1481ce-10c2-4282-9275-a6fccdf17fd0 +id: 45386208-afd8-47ad-835f-9d060c4da5db status: experimental description: Detects potential network activity of Sorillus RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/sorillus_processes_sigma.yml b/detections/sigma/sorillus_processes_sigma.yml index 2547e7fc..538ee387 100644 --- a/detections/sigma/sorillus_processes_sigma.yml +++ b/detections/sigma/sorillus_processes_sigma.yml @@ -8,11 +8,11 @@ detection: - Sorillus-Launcher*.exe - Sorillus Launcher.exe condition: selection -id: eb89bcb8-c503-43d5-bf78-a3a2274beafa +id: dd380a97-a692-4e46-90cd-aa151b207089 status: experimental description: Detects potential processes activity of Sorillus RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/splashtop__beta__network_sigma.yml b/detections/sigma/splashtop__beta__network_sigma.yml index 1292116d..d878eb48 100644 --- a/detections/sigma/splashtop__beta__network_sigma.yml +++ b/detections/sigma/splashtop__beta__network_sigma.yml @@ -7,11 +7,11 @@ detection: DestinationHostname|endswith: - splashtop.com condition: selection -id: f533f2f5-ac8a-4823-a6b1-0cda94d1f809 +id: 8a11b1f6-da18-4327-a2fc-235373851669 status: experimental description: Detects potential network activity of Splashtop (Beta) RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 
diff --git a/detections/sigma/splashtop__beta__processes_sigma.yml b/detections/sigma/splashtop__beta__processes_sigma.yml index 9377a8e1..da68c132 100644 --- a/detections/sigma/splashtop__beta__processes_sigma.yml +++ b/detections/sigma/splashtop__beta__processes_sigma.yml @@ -10,11 +10,11 @@ detection: - Splashtop_Streamer_Windows*.exe - SRManager.exe condition: selection -id: a59f4049-70d8-4d80-885d-d451e119e565 +id: e6c17068-b536-42b3-836e-23bb280bc9ed status: experimental description: Detects potential processes activity of Splashtop (Beta) RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/splashtop_files_sigma.yml b/detections/sigma/splashtop_files_sigma.yml index c79f7cca..3c82db42 100644 --- a/detections/sigma/splashtop_files_sigma.yml +++ b/detections/sigma/splashtop_files_sigma.yml @@ -19,11 +19,11 @@ detection: - C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exe - C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\db\SRAgent.sqlite3 condition: selection -id: cafe8dee-b8bc-4b1b-a092-4826b9010f83 +id: 4281fc0d-d007-4455-93a4-c74479a91204 status: experimental description: Detects potential files activity of Splashtop RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/splashtop_network_sigma.yml b/detections/sigma/splashtop_network_sigma.yml index 3937d49b..89eee9e8 100644 --- a/detections/sigma/splashtop_network_sigma.yml +++ b/detections/sigma/splashtop_network_sigma.yml @@ -7,11 +7,11 @@ detection: DestinationHostname|endswith: - '*.splashtop.com' condition: selection -id: 1a007436-4cef-43e0-a05a-ddcd2b860d92 +id: 435cfa08-9ab6-4ddf-b68c-580819dbe116 status: experimental description: Detects potential network activity of Splashtop RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 
diff --git a/detections/sigma/splashtop_processes_sigma.yml b/detections/sigma/splashtop_processes_sigma.yml index 4004d213..cdb911c5 100644 --- a/detections/sigma/splashtop_processes_sigma.yml +++ b/detections/sigma/splashtop_processes_sigma.yml @@ -7,11 +7,11 @@ detection: ParentImage|endswith: - strwinclt.exe condition: selection -id: 929cdf7d-ead5-42a2-a9e0-a09b5c9b6ab7 +id: 7fb2bbef-d140-461d-aca3-9c0cfe6d3d4b status: experimental description: Detects potential processes activity of Splashtop RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/splashtop_registry_sigma.yml b/detections/sigma/splashtop_registry_sigma.yml index f9a66341..a62b4f65 100644 --- a/detections/sigma/splashtop_registry_sigma.yml +++ b/detections/sigma/splashtop_registry_sigma.yml @@ -22,11 +22,11 @@ detection: Remote Printer - HKLM\SOFTWARE\WOW6432Node\Splashtop Inc.\Splashtop Remote Server\ClientInfo\* condition: selection -id: 46ec9250-2779-4df2-8835-34920087ddda +id: 04c91c15-0a2e-4092-8417-e011178ae756 status: experimental description: Detects potential registry activity of Splashtop RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/splashtop_remote_network_sigma.yml b/detections/sigma/splashtop_remote_network_sigma.yml index 0532c507..6eb9ac37 100644 --- a/detections/sigma/splashtop_remote_network_sigma.yml +++ b/detections/sigma/splashtop_remote_network_sigma.yml @@ -10,11 +10,11 @@ detection: - '*.relay.splashtop.com' - '*.api.splashtop.eu' condition: selection -id: ec94d3db-ebb4-4b27-a5ca-a1f1e1c21f60 +id: 18041451-00ec-4664-8583-db22469e1d84 status: experimental description: Detects potential network activity of Splashtop Remote RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 
diff --git a/detections/sigma/splashtop_remote_processes_sigma.yml b/detections/sigma/splashtop_remote_processes_sigma.yml index 812c61cd..9cbc0982 100644 --- a/detections/sigma/splashtop_remote_processes_sigma.yml +++ b/detections/sigma/splashtop_remote_processes_sigma.yml @@ -13,11 +13,11 @@ detection: - srserver.exe - srservice.exe condition: selection -id: 0796bee9-1457-4def-b2f3-d5fe05207563 +id: eeafd28d-ed54-4904-b5e0-81c88109d0ac status: experimental description: Detects potential processes activity of Splashtop Remote RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/spyanywhere_network_sigma.yml b/detections/sigma/spyanywhere_network_sigma.yml index 3addfc5d..8f1abe9c 100644 --- a/detections/sigma/spyanywhere_network_sigma.yml +++ b/detections/sigma/spyanywhere_network_sigma.yml @@ -8,11 +8,11 @@ detection: - '*.spytech-web.com' - spyanywhere.com condition: selection -id: 9bb15227-d20a-492f-823a-bb7060c832f2 +id: 1e8c6d41-cfc1-4912-92eb-5eb4a55f8b85 status: experimental description: Detects potential network activity of SpyAnywhere RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/spyanywhere_processes_sigma.yml b/detections/sigma/spyanywhere_processes_sigma.yml index e6f0f55a..6fe04607 100644 --- a/detections/sigma/spyanywhere_processes_sigma.yml +++ b/detections/sigma/spyanywhere_processes_sigma.yml @@ -7,11 +7,11 @@ detection: ParentImage|endswith: - sysdiag.exe condition: selection -id: 42514a85-c189-46f8-a293-8f7f48f55012 +id: cd302294-1c3e-479a-a464-aff706a761af status: experimental description: Detects potential processes activity of SpyAnywhere RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 
diff --git a/detections/sigma/sunlogin_network_sigma.yml b/detections/sigma/sunlogin_network_sigma.yml index 16fb409c..36fa900f 100644 --- a/detections/sigma/sunlogin_network_sigma.yml +++ b/detections/sigma/sunlogin_network_sigma.yml @@ -8,11 +8,11 @@ detection: - sunlogin.oray.com - client.oray.net condition: selection -id: 3bf0c03d-effa-4265-b158-a01fc3ed7895 +id: 31635987-f2ef-41e0-b788-a1c0bfd9f096 status: experimental description: Detects potential network activity of SunLogin RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/sunlogin_processes_sigma.yml b/detections/sigma/sunlogin_processes_sigma.yml index 5cf3b914..3fd71c71 100644 --- a/detections/sigma/sunlogin_processes_sigma.yml +++ b/detections/sigma/sunlogin_processes_sigma.yml @@ -9,11 +9,11 @@ detection: - OrayRemoteService.exe - sunlogin*.exe condition: selection -id: b63646f8-1a94-4cad-b965-a372ceec3b91 +id: 820431ec-1186-4462-b809-17dbc4603614 status: experimental description: Detects potential processes activity of SunLogin RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/superops_network_sigma.yml b/detections/sigma/superops_network_sigma.yml index 8075dda5..c3ef52e0 100644 --- a/detections/sigma/superops_network_sigma.yml +++ b/detections/sigma/superops_network_sigma.yml @@ -11,11 +11,11 @@ detection: - '*.superops.ai' - '*.superopsalpha.com' condition: selection -id: dfc1f885-91cc-4e9a-a055-6e1075c08ee4 +id: a4febe28-4847-4951-aef1-001d0ee0b927 status: experimental description: Detects potential network activity of SuperOps RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/superops_processes_sigma.yml b/detections/sigma/superops_processes_sigma.yml index d960f192..2ef8c08d 100644 --- a/detections/sigma/superops_processes_sigma.yml 
+++ b/detections/sigma/superops_processes_sigma.yml @@ -8,11 +8,11 @@ detection: - superopsticket.exe - superops.exe condition: selection -id: c4ebaabb-84f6-4b31-bf6f-fecdfcfca8a2 +id: b40a28b6-6003-4142-a64e-e084556270b7 status: experimental description: Detects potential processes activity of SuperOps RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/superputty_processes_sigma.yml b/detections/sigma/superputty_processes_sigma.yml index e2a3a08c..8538a3de 100644 --- a/detections/sigma/superputty_processes_sigma.yml +++ b/detections/sigma/superputty_processes_sigma.yml @@ -7,11 +7,11 @@ detection: ParentImage|endswith: - '*\superputty.exe' condition: selection -id: b3c4138d-4ba4-4f7e-9514-393815e4e9c4 +id: 41eff1f5-a23d-4545-bfd4-97cc71fb51fa status: experimental description: Detects potential processes activity of SuperPuTTY RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/supremo_network_sigma.yml b/detections/sigma/supremo_network_sigma.yml index 15548ede..96c8bd4c 100644 --- a/detections/sigma/supremo_network_sigma.yml +++ b/detections/sigma/supremo_network_sigma.yml @@ -9,11 +9,11 @@ detection: - '*.supremocontrol.com' - '* .nanosystems.it' condition: selection -id: 01908e55-ca2f-4a2f-b8d2-459c5096054e +id: f6e480a2-9d9e-48ba-abb3-86799bbc999d status: experimental description: Detects potential network activity of Supremo RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/supremo_processes_sigma.yml b/detections/sigma/supremo_processes_sigma.yml index c1224ebf..42b66cc6 100644 --- a/detections/sigma/supremo_processes_sigma.yml +++ b/detections/sigma/supremo_processes_sigma.yml 
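Review bot: The `'* .nanosystems.it'` entry in supremo_network_sigma.yml has a space between the wildcard and the domain, so the `endswith` match looks for hostnames ending in ` .nanosystems.it` and never fires; it should read `'*.nanosystems.it'`. The underlying data entry presumably carries the stray space, so a whitespace-stripping step in the generator would prevent this class of typo from reaching the emitted rules.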
@@ -10,11 +10,11 @@ detection: - supremosystem.exe - supremohelper.exe condition: selection -id: 1bfb1878-e57c-43cb-80a6-2cfdd7d6da65 +id: d00d2571-88c6-459e-a2e1-6c928b6be5e5 status: experimental description: Detects potential processes activity of Supremo RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/syncro_network_sigma.yml b/detections/sigma/syncro_network_sigma.yml index be2b001e..c143ecb9 100644 --- a/detections/sigma/syncro_network_sigma.yml +++ b/detections/sigma/syncro_network_sigma.yml @@ -17,11 +17,11 @@ detection: - kabutoservices.com - attachments.servably.com condition: selection -id: 69005fdf-9381-48cc-ae6c-99e454d6e355 +id: a6178ede-3a67-4e98-8285-c0e5a99c7777 status: experimental description: Detects potential network activity of Syncro RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/syncro_processes_sigma.yml b/detections/sigma/syncro_processes_sigma.yml index a4964a5c..0da927bf 100644 --- a/detections/sigma/syncro_processes_sigma.yml +++ b/detections/sigma/syncro_processes_sigma.yml @@ -16,11 +16,11 @@ detection: - SyncroLive.Service.exe - SyncroLive.Agent.exe condition: selection -id: 9443925c-0d3c-4454-86e0-9b01674eea71 +id: 1dae4fcd-efac-4f3a-8a66-9faa8db0f808 status: experimental description: Detects potential processes activity of Syncro RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/syncthing_processes_sigma.yml b/detections/sigma/syncthing_processes_sigma.yml index 2e71d8c0..f3b13e31 100644 --- a/detections/sigma/syncthing_processes_sigma.yml +++ b/detections/sigma/syncthing_processes_sigma.yml 
@@ -7,11 +7,11 @@ detection: ParentImage|endswith: - '*\Syncthing.exe' condition: selection -id: 0ad13468-0ded-455c-bbd5-5b71fda91c5c +id: 44dd04d8-4691-4d7f-9fb0-c4eb4a654465 status: experimental description: Detects potential processes activity of Syncthing RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/synergy_network_sigma.yml b/detections/sigma/synergy_network_sigma.yml index 138e8fbf..58e6bf62 100644 --- a/detections/sigma/synergy_network_sigma.yml +++ b/detections/sigma/synergy_network_sigma.yml @@ -7,11 +7,11 @@ detection: DestinationHostname|endswith: - user_managed condition: selection -id: ae203b38-67bf-479b-8bb2-03b897de2302 +id: 8a14773a-b4b5-4d4a-962b-b080c95b7812 status: experimental description: Detects potential network activity of Synergy RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/sysaid_processes_sigma.yml b/detections/sigma/sysaid_processes_sigma.yml index 28cd19ff..1048b376 100644 --- a/detections/sigma/sysaid_processes_sigma.yml +++ b/detections/sigma/sysaid_processes_sigma.yml @@ -7,11 +7,11 @@ detection: ParentImage|endswith: - '*\IliAS.exe' condition: selection -id: 837586eb-5625-4b4f-b144-efbd74d38b0d +id: 8ff7285f-da3e-4a2f-b941-e23f63c29013 status: experimental description: Detects potential processes activity of SysAid RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/syspectr_network_sigma.yml b/detections/sigma/syspectr_network_sigma.yml index e1531afe..de4cbe37 100644 --- a/detections/sigma/syspectr_network_sigma.yml +++ b/detections/sigma/syspectr_network_sigma.yml 
@@ -8,11 +8,11 @@ detection: - atled.syspectr.com - app.syspectr.com condition: selection -id: c6c62120-4908-4241-b42d-ae278d611414 +id: 1c369a6a-d658-458d-8b8c-8afc2c192e6e status: experimental description: Detects potential network activity of Syspectr RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/syspectr_processes_sigma.yml b/detections/sigma/syspectr_processes_sigma.yml index 5e7f4769..56783f28 100644 --- a/detections/sigma/syspectr_processes_sigma.yml +++ b/detections/sigma/syspectr_processes_sigma.yml @@ -8,11 +8,11 @@ detection: - oo-syspectr*.exe - OOSysAgent.exe condition: selection -id: 47aaf8ca-0a83-45e1-a38c-4aee9e2bbda2 +id: cee48c18-78d7-4b7b-ab00-7def87fb17c5 status: experimental description: Detects potential processes activity of Syspectr RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/tactical_rmm_network_sigma.yml b/detections/sigma/tactical_rmm_network_sigma.yml index f85ea495..c592a301 100644 --- a/detections/sigma/tactical_rmm_network_sigma.yml +++ b/detections/sigma/tactical_rmm_network_sigma.yml @@ -9,11 +9,11 @@ detection: - login.tailscale.com - docs.tacticalrmm.com condition: selection -id: 3b2877e6-a54a-4e1a-b57e-3526ce5d0c71 +id: 607074fd-7a44-49eb-948a-8bf893afc142 status: experimental description: Detects potential network activity of Tactical RMM RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/tactical_rmm_processes_sigma.yml b/detections/sigma/tactical_rmm_processes_sigma.yml index 010c399b..b2cd0e90 100644 --- a/detections/sigma/tactical_rmm_processes_sigma.yml +++ b/detections/sigma/tactical_rmm_processes_sigma.yml 
@@ -8,11 +8,11 @@ detection: - tacticalrmm.exe - tacticalrmm.exe condition: selection -id: cf319572-0845-41a2-9cbb-e5c54e5d1c02 +id: 58f7ad72-6d1a-46b6-b998-4a984395f7d5 status: experimental description: Detects potential processes activity of Tactical RMM RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/tailscale_network_sigma.yml b/detections/sigma/tailscale_network_sigma.yml index 97fda509..916657c6 100644 --- a/detections/sigma/tailscale_network_sigma.yml +++ b/detections/sigma/tailscale_network_sigma.yml @@ -9,11 +9,11 @@ detection: - '*.tailscale.io' - tailscale.com condition: selection -id: 028528fd-5e98-4eb8-96fd-41594073a25d +id: a4f61da1-8b97-46ff-8814-00d492e00b18 status: experimental description: Detects potential network activity of Tailscale RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/tailscale_processes_sigma.yml b/detections/sigma/tailscale_processes_sigma.yml index cd0bf8cb..11c8c289 100644 --- a/detections/sigma/tailscale_processes_sigma.yml +++ b/detections/sigma/tailscale_processes_sigma.yml @@ -9,11 +9,11 @@ detection: - tailscaled.exe - tailscale-ipn.exe condition: selection -id: c52d608d-e2d8-4f4c-9039-674d19dfd3cc +id: 0b2d2c36-e382-49d8-982a-9805d7c50f67 status: experimental description: Detects potential processes activity of Tailscale RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/tanium_deploy_network_sigma.yml b/detections/sigma/tanium_deploy_network_sigma.yml index 35f12bf3..d254b4a9 100644 --- a/detections/sigma/tanium_deploy_network_sigma.yml +++ b/detections/sigma/tanium_deploy_network_sigma.yml 
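Review bot: The Tactical RMM process selection lists the same executable twice (`- tacticalrmm.exe - tacticalrmm.exe`), which indicates the generator is not de-duplicating the binary list it reads from the tool metadata; a duplicate is harmless for matching, but the same lack of normalisation can let a typo'd second binary go unnoticed. Dedupe before rendering (for example `sorted(set(names))` in the generator) and drop one of the two lines. The field the list belongs to is above the hunk, so I cannot tell whether it is `Image` or `ParentImage`.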
@@ -7,11 +7,11 @@ detection: DestinationHostname|endswith: - tanium.com/products/tanium-deploy condition: selection -id: fa03eb29-961a-40fa-bf6e-e85b5502224a +id: 3b543ca9-031b-4480-aeb3-a99b2314770d status: experimental description: Detects potential network activity of Tanium Deploy RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/tanium_network_sigma.yml b/detections/sigma/tanium_network_sigma.yml index 58083032..7845e459 100644 --- a/detections/sigma/tanium_network_sigma.yml +++ b/detections/sigma/tanium_network_sigma.yml @@ -8,11 +8,11 @@ detection: - cloud.tanium.com - '*.cloud.tanium.com' condition: selection -id: c67acdcb-aa09-4fe8-8821-eeefd1d7c743 +id: baa01bb8-f609-4d18-9831-dce77aa66a16 status: experimental description: Detects potential network activity of Tanium RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/tanium_processes_sigma.yml b/detections/sigma/tanium_processes_sigma.yml index 7ce64362..cf3a0061 100644 --- a/detections/sigma/tanium_processes_sigma.yml +++ b/detections/sigma/tanium_processes_sigma.yml @@ -11,11 +11,11 @@ detection: - TaniumFileInfo.exe - TPowerShell.exe condition: selection -id: 5eaa48c4-0a97-4746-b5ad-dc3b84a3e65a +id: aeb6d6fa-ca62-4f34-91c6-5a5dbf4d2448 status: experimental description: Detects potential processes activity of Tanium RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/teamviewer_files_sigma.yml b/detections/sigma/teamviewer_files_sigma.yml index 2b7d0212..c6b8947a 100644 --- a/detections/sigma/teamviewer_files_sigma.yml +++ b/detections/sigma/teamviewer_files_sigma.yml 
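Review bot: `DestinationHostname|endswith: - tanium.com/products/tanium-deploy` puts a URL path into a hostname field; a hostname never contains `/`, so this selection cannot match and the Tanium Deploy network rule is dead. The same mistake is visible later in the TurboMeeting (`acceo.com/turbomeeting/`), VNC (`realvnc.com/en/connect/download/vnc`) and WebRDP (`github.com/Mikej81/WebRDP`) hunks, so the generator should strip everything from the first `/` onward, or reject such entries, before emitting a hostname selection. Note that reducing this one to `- tanium.com` would duplicate the broader Tanium network rule on the same line, so the entry may be better dropped. The selection head and `logsource` lie above the hunk.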
@@ -23,11 +23,11 @@ detection: - C:\Program Files*\TeamViewer\connections*.txt - C:\Users\*\AppData\Roaming\TeamViewer\MRU\RemoteSupport\*tvc condition: selection -id: 8d164608-dc8a-4dc6-a8fc-508183765b7c +id: a690575f-3b07-494b-8783-2ab290a28275 status: experimental description: Detects potential files activity of TeamViewer RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/teamviewer_network_sigma.yml b/detections/sigma/teamviewer_network_sigma.yml index a64721b2..a80c0972 100644 --- a/detections/sigma/teamviewer_network_sigma.yml +++ b/detections/sigma/teamviewer_network_sigma.yml @@ -10,11 +10,11 @@ detection: - client.teamviewer.com - taf.teamviewer.com condition: selection -id: 8bb232d7-382c-440a-a3b7-7da96f4beaa6 +id: 298163bf-7c5d-4d8d-b9b7-6f0df2820afc status: experimental description: Detects potential network activity of TeamViewer RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/teamviewer_processes_sigma.yml b/detections/sigma/teamviewer_processes_sigma.yml index 79baad47..0b999f0f 100644 --- a/detections/sigma/teamviewer_processes_sigma.yml +++ b/detections/sigma/teamviewer_processes_sigma.yml @@ -8,11 +8,11 @@ detection: - teamviewer_desktop.exe - teamviewer_service.exe condition: selection -id: 60a63015-fb67-4303-8691-d8a3661b0543 +id: 6da6259d-68f3-4da4-aa39-7d1b75496e67 status: experimental description: Detects potential processes activity of TeamViewer RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/teamviewer_registry_sigma.yml b/detections/sigma/teamviewer_registry_sigma.yml index c77740ea..75728805 100644 --- a/detections/sigma/teamviewer_registry_sigma.yml +++ b/detections/sigma/teamviewer_registry_sigma.yml 
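Review bot: The tag pair `- attack.execution` / `- attack.t1219` in the TeamViewer network hunk mis-maps the technique: T1219 (Remote Access Software) belongs to the Command and Control tactic in ATT&CK, and a network-connection rule in particular has nothing to do with execution. Every rule on this page carries the same pair, so the fix belongs in the generator's tag template rather than in this file: `- attack.command_and_control` / `- attack.t1219`. Any `level` or `falsepositives` fields, if present, sit below the hunk.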
@@ -22,11 +22,11 @@ detection: - HKU\SID\SOFTWARE\TeamViewer\ClientWindow_Mode - HKU\SID\SOFTWARE\TeamViewer\ClientWindowPositions condition: selection -id: a8763337-5097-4018-a8f0-2d17a1d39571 +id: 8bc53048-ffad-4f92-9b66-a75d19e9dde9 status: experimental description: Detects potential registry activity of TeamViewer RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/teledesktop_network_sigma.yml b/detections/sigma/teledesktop_network_sigma.yml index f64b6956..57b02e96 100644 --- a/detections/sigma/teledesktop_network_sigma.yml +++ b/detections/sigma/teledesktop_network_sigma.yml @@ -8,11 +8,11 @@ detection: - user_managed - tele-desk.com condition: selection -id: 1af396e2-b88e-49a9-8301-403363033e62 +id: 81a1ee71-af2f-4190-8402-8f48876a11fa status: experimental description: Detects potential network activity of TeleDesktop RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/teledesktop_processes_sigma.yml b/detections/sigma/teledesktop_processes_sigma.yml index 48fed0b9..59dcd3ca 100644 --- a/detections/sigma/teledesktop_processes_sigma.yml +++ b/detections/sigma/teledesktop_processes_sigma.yml @@ -9,11 +9,11 @@ detection: - ptdskclient.exe - ptdskhost.exe condition: selection -id: fe9d74df-35a6-4a20-8f07-171f046552f6 +id: 43f2f2b7-a006-4ed3-814a-e16eceb94cf6 status: experimental description: Detects potential processes activity of TeleDesktop RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/teracloud_processes_sigma.yml b/detections/sigma/teracloud_processes_sigma.yml index 21993ec1..cd78c059 100644 --- a/detections/sigma/teracloud_processes_sigma.yml +++ b/detections/sigma/teracloud_processes_sigma.yml 
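Review bot: The registry values `HKU\SID\SOFTWARE\TeamViewer\ClientWindow_Mode` and `HKU\SID\SOFTWARE\TeamViewer\ClientWindowPositions` carry a literal `SID` segment where a real key path holds the user's SID (`S-1-5-21-...`), so unless the modifier above the hunk is a `contains` on a sub-path these entries cannot match a real `TargetObject`. Use a wildcard for that segment, `HKU\*\SOFTWARE\TeamViewer\ClientWindow_Mode`, or switch the selection to `TargetObject|contains: \SOFTWARE\TeamViewer\`. The field name and modifier are above the hunk, so this is inferred from the values alone.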
@@ -7,11 +7,11 @@ detection: ParentImage|endswith: - '*\Livedrive-Setup.exe' condition: selection -id: cf555ad9-f528-4601-a4d2-995986111993 +id: 77ad4b3c-dc22-42b6-931d-8bbc1a648ead status: experimental description: Detects potential processes activity of TeraCLOUD RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/tigervnc_network_sigma.yml b/detections/sigma/tigervnc_network_sigma.yml index efaa9a33..5a7902c8 100644 --- a/detections/sigma/tigervnc_network_sigma.yml +++ b/detections/sigma/tigervnc_network_sigma.yml @@ -7,11 +7,11 @@ detection: DestinationHostname|endswith: - user_managed condition: selection -id: b1046ed6-e6cc-4579-9fd5-cd743b111f66 +id: d40e408b-1732-48a3-8d81-88409cd9ebfe status: experimental description: Detects potential network activity of TigerVNC RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/tigervnc_processes_sigma.yml b/detections/sigma/tigervnc_processes_sigma.yml index 50cd35d4..0c372da9 100644 --- a/detections/sigma/tigervnc_processes_sigma.yml +++ b/detections/sigma/tigervnc_processes_sigma.yml @@ -9,11 +9,11 @@ detection: - winvnc4.exe - '*\tvnserver.exe' condition: selection -id: 34a15942-348e-4511-9c28-9a801c2cbc98 +id: af9eb98b-be96-42a9-b890-4149290c19ff status: experimental description: Detects potential processes activity of TigerVNC RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/tightvnc_network_sigma.yml b/detections/sigma/tightvnc_network_sigma.yml index be4d31f0..2d6c02cb 100644 --- a/detections/sigma/tightvnc_network_sigma.yml +++ b/detections/sigma/tightvnc_network_sigma.yml 
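Review bot: The TeraCLOUD process rule keys on `ParentImage|endswith: - '*\Livedrive-Setup.exe'`, so it only fires when the installer spawns a child process and never on the binary itself being started; a process-creation rule for an RMM tool should match `Image|endswith` (optionally `ParentImage` as well for child activity). The same `ParentImage`-only selection is visible in the Syncthing, SysAid, UltraVNC, WebRDP, WinSCP, Yandex.Disk, Zabbix Agent and ZOC hunks on this page, which points at the generator template rather than this one file; suggested line: `Image|endswith: - '\Livedrive-Setup.exe'` (the leading `*` is redundant with `endswith`). `Livedrive-Setup.exe` also reads like a Livedrive rather than a TeraCLOUD binary, which is worth confirming against the tool metadata.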
@@ -8,11 +8,11 @@ detection: - user_managed - tightvnc.com condition: selection -id: d0e7dc0a-688b-4489-9d6e-39dbc233091a +id: d46f2e01-18f7-4d3f-8d6e-1aa0a920897c status: experimental description: Detects potential network activity of TightVNC RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/tightvnc_processes_sigma.yml b/detections/sigma/tightvnc_processes_sigma.yml index b3d5d1a7..9369ff30 100644 --- a/detections/sigma/tightvnc_processes_sigma.yml +++ b/detections/sigma/tightvnc_processes_sigma.yml @@ -9,11 +9,11 @@ detection: - TightVNCViewerPortable*.exe - tvnserver.exe condition: selection -id: 37177860-9c8c-4b90-acc2-140f14c27ab9 +id: 0ec0cc81-6194-47b2-82bc-ae497dec7baa status: experimental description: Detects potential processes activity of TightVNC RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/todesk_network_sigma.yml b/detections/sigma/todesk_network_sigma.yml index 91f3cdde..5bda2ba6 100644 --- a/detections/sigma/todesk_network_sigma.yml +++ b/detections/sigma/todesk_network_sigma.yml @@ -10,11 +10,11 @@ detection: - '*.todesk.com' - todesktop.com condition: selection -id: f60eb5d0-bedf-4fb9-8d7b-fb999f625ddf +id: c50ae6aa-3864-4654-bce8-4b9a24a962a6 status: experimental description: Detects potential network activity of ToDesk RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/todesk_processes_sigma.yml b/detections/sigma/todesk_processes_sigma.yml index 67b22ce9..f1820544 100644 --- a/detections/sigma/todesk_processes_sigma.yml +++ b/detections/sigma/todesk_processes_sigma.yml 
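Review bot: `- todesktop.com` in the ToDesk network selection appears to belong to ToDesktop, an unrelated Electron app-packaging service, rather than the ToDesk remote-desktop product that `'*.todesk.com'` covers; if so, any application built with that service will raise a T1219 alert. Please confirm the domain against the vendor documentation and drop the `- todesktop.com` line if it is a mix-up. The rest of the domain list is above the hunk.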
@@ -9,11 +9,11 @@ detection: - ToDesk_Service.exe - ToDesk_Setup.exe condition: selection -id: 97dc9b3b-1f96-468f-8794-f7430ff65aa5 +id: a7014b31-abf1-41ae-aeff-0bed5bf0062e status: experimental description: Detects potential processes activity of ToDesk RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/total_software_deployment_processes_sigma.yml b/detections/sigma/total_software_deployment_processes_sigma.yml index 27cbd193..c81ed643 100644 --- a/detections/sigma/total_software_deployment_processes_sigma.yml +++ b/detections/sigma/total_software_deployment_processes_sigma.yml @@ -8,12 +8,12 @@ detection: - '*\tniwinagent.exe' - '*\Tsdservice.exe' condition: selection -id: 53c79c8c-a3fa-42ee-9617-b62fb23d540c +id: 3d985eb7-b4be-432b-be5c-7fe376d06b40 status: experimental description: Detects potential processes activity of Total Software Deployment RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/turbomeeting_network_sigma.yml b/detections/sigma/turbomeeting_network_sigma.yml index dbcf61e3..68198dfc 100644 --- a/detections/sigma/turbomeeting_network_sigma.yml +++ b/detections/sigma/turbomeeting_network_sigma.yml @@ -8,11 +8,11 @@ detection: - user_managed - acceo.com/turbomeeting/ condition: selection -id: 808eab4f-4a46-4b56-99e2-0f7ce46afb06 +id: f1d46c89-a357-4a9c-9dee-e5d35dcb683a status: experimental description: Detects potential network activity of TurboMeeting RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/turbomeeting_processes_sigma.yml b/detections/sigma/turbomeeting_processes_sigma.yml index 04b3b8be..aa44c5f3 100644 --- a/detections/sigma/turbomeeting_processes_sigma.yml +++ b/detections/sigma/turbomeeting_processes_sigma.yml 
@@ -9,11 +9,11 @@ detection: - turbomeeting.exe - turbomeetingstarter.exe condition: selection -id: 087dc368-3c7f-41cd-808f-91f092ce09e6 +id: 65fa645d-2346-4959-b096-ce2c0c8910c2 status: experimental description: Detects potential processes activity of TurboMeeting RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/ultra_vnc_processes_sigma.yml b/detections/sigma/ultra_vnc_processes_sigma.yml index 1f652050..07ddb52b 100644 --- a/detections/sigma/ultra_vnc_processes_sigma.yml +++ b/detections/sigma/ultra_vnc_processes_sigma.yml @@ -9,11 +9,11 @@ detection: - '*\winvnc.exe' - '*\vncviewer.exe' condition: selection -id: 85e32981-9dba-4bd7-b18f-51b73a84431e +id: dd1b2f4a-644e-4794-b261-917ac7e3046b status: experimental description: Detects potential processes activity of Ultra VNC RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/ultraviewer_network_sigma.yml b/detections/sigma/ultraviewer_network_sigma.yml index c422f487..26b03171 100644 --- a/detections/sigma/ultraviewer_network_sigma.yml +++ b/detections/sigma/ultraviewer_network_sigma.yml @@ -8,11 +8,11 @@ detection: - '* .ultraviewer.net' - ultraviewer.net condition: selection -id: 485257d5-92ab-4899-9c0e-9c06cdfc9c01 +id: c0e39e37-f563-46a1-90a7-2a1736c1165c status: experimental description: Detects potential network activity of UltraViewer RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/ultraviewer_processes_sigma.yml b/detections/sigma/ultraviewer_processes_sigma.yml index e105786b..0c356ffd 100644 --- a/detections/sigma/ultraviewer_processes_sigma.yml +++ b/detections/sigma/ultraviewer_processes_sigma.yml 
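Review bot: The pattern `'* .ultraviewer.net'` in the UltraViewer network selection has a stray space before the dot, so it will never match a hostname; the intended value is `'*.ultraviewer.net'`. If the field is `DestinationHostname|endswith` as in the other network rules on this page, the sibling entry `ultraviewer.net` already covers every subdomain and the wildcard line can simply be deleted. The selection's field line is above the hunk.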
@@ -15,11 +15,11 @@ detection: - UltraViewer_Desktop.exe - UltraViewer_Service.exe condition: selection -id: e128c500-3bdc-4d74-be0b-6ea0ae06c266 +id: 71b5a484-76c9-4341-9267-f4b7eb8fd8a3 status: experimental description: Detects potential processes activity of UltraViewer RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/ultravnc_network_sigma.yml b/detections/sigma/ultravnc_network_sigma.yml index fa602590..a5ec06e5 100644 --- a/detections/sigma/ultravnc_network_sigma.yml +++ b/detections/sigma/ultravnc_network_sigma.yml @@ -8,11 +8,11 @@ detection: - ultravnc.com - user_managed condition: selection -id: 610d606a-9b3b-43c2-a4cd-933edd355eae +id: 45678de7-dcbb-42b5-80d7-f21b399a1250 status: experimental description: Detects potential network activity of UltraVNC RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/ultravnc_processes_sigma.yml b/detections/sigma/ultravnc_processes_sigma.yml index d29a7082..9c98a49c 100644 --- a/detections/sigma/ultravnc_processes_sigma.yml +++ b/detections/sigma/ultravnc_processes_sigma.yml @@ -7,11 +7,11 @@ detection: ParentImage|endswith: - UltraVNC*.exe condition: selection -id: fcb92823-5e3c-4acb-a02f-7af32793a651 +id: c956baf8-4414-4b19-97cc-edfe477cec0f status: experimental description: Detects potential processes activity of UltraVNC RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/visual_studio_dev_tunnel_network_sigma.yml b/detections/sigma/visual_studio_dev_tunnel_network_sigma.yml index e4d81cd0..e097aecd 100644 --- a/detections/sigma/visual_studio_dev_tunnel_network_sigma.yml +++ b/detections/sigma/visual_studio_dev_tunnel_network_sigma.yml 
@@ -9,11 +9,11 @@ detection: - '*.rel.tunnels.api.visualstudio.com' - '*.devtunnels.ms' condition: selection -id: 2a41349a-a161-4752-a7df-6668d6c0a6d1 +id: 96ab593b-1829-4d12-b5e3-ec7b8d36ce31 status: experimental description: Detects potential network activity of Visual Studio Dev Tunnel RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/vnc_network_sigma.yml b/detections/sigma/vnc_network_sigma.yml index b6821996..bb079fcf 100644 --- a/detections/sigma/vnc_network_sigma.yml +++ b/detections/sigma/vnc_network_sigma.yml @@ -8,11 +8,11 @@ detection: - user_managed - realvnc.com/en/connect/download/vnc condition: selection -id: ceffb2e4-253d-412e-9c5a-d35e00e92cbd +id: 9cad51cf-fb13-479a-a44f-3a847a04e882 status: experimental description: Detects potential network activity of VNC RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/vnc_processes_sigma.yml b/detections/sigma/vnc_processes_sigma.yml index 077c4f3a..ff6b1246 100644 --- a/detections/sigma/vnc_processes_sigma.yml +++ b/detections/sigma/vnc_processes_sigma.yml @@ -13,11 +13,11 @@ detection: - vncviewer.exe - winvnc.exe condition: selection -id: 4bbe598e-7148-4fa6-beb1-d03512c9b72d +id: 3a2aba3d-58ca-43c5-b15c-9b7bc17d3257 status: experimental description: Detects potential processes activity of VNC RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/webrdp_network_sigma.yml b/detections/sigma/webrdp_network_sigma.yml index 313a618e..9689f085 100644 --- a/detections/sigma/webrdp_network_sigma.yml +++ b/detections/sigma/webrdp_network_sigma.yml 
@@ -8,11 +8,11 @@ detection: - user_managed - github.com/Mikej81/WebRDP condition: selection -id: 6f3e2cf2-c423-494f-8a59-a45b7322c56b +id: f7766337-77b5-417b-be10-f051c4b65acd status: experimental description: Detects potential network activity of WebRDP RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/webrdp_processes_sigma.yml b/detections/sigma/webrdp_processes_sigma.yml index 77a4795d..9a37767d 100644 --- a/detections/sigma/webrdp_processes_sigma.yml +++ b/detections/sigma/webrdp_processes_sigma.yml @@ -7,11 +7,11 @@ detection: ParentImage|endswith: - webrdp.exe condition: selection -id: c3410ec9-8599-4c23-b7de-39fa8b1fc225 +id: a873659f-031a-47ee-80ea-972bbcd23e36 status: experimental description: Detects potential processes activity of WebRDP RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/weezo_network_sigma.yml b/detections/sigma/weezo_network_sigma.yml index 9c5185ac..0a32e758 100644 --- a/detections/sigma/weezo_network_sigma.yml +++ b/detections/sigma/weezo_network_sigma.yml @@ -10,11 +10,11 @@ detection: - '*.weezo.net' - weezo.en.softonic.com condition: selection -id: deded87f-0eff-49e7-b538-962ce9af125f +id: 4ccf2652-03ea-4740-aa03-8f7c57f904e1 status: experimental description: Detects potential network activity of Weezo RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/weezo_processes_sigma.yml b/detections/sigma/weezo_processes_sigma.yml index 3651f1b1..44c5f618 100644 --- a/detections/sigma/weezo_processes_sigma.yml +++ b/detections/sigma/weezo_processes_sigma.yml 
@@ -9,11 +9,11 @@ detection: - weezo.exe - weezo setup*.exe condition: selection -id: 935c2e8f-86e0-4cf8-9336-72211826dde5 +id: cbcbaca5-c8f9-425e-a44e-f2ab24b474bb status: experimental description: Detects potential processes activity of Weezo RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/winscp_processes_sigma.yml b/detections/sigma/winscp_processes_sigma.yml index c6ddbf7b..f2dfec90 100644 --- a/detections/sigma/winscp_processes_sigma.yml +++ b/detections/sigma/winscp_processes_sigma.yml @@ -7,11 +7,11 @@ detection: ParentImage|endswith: - '*\WinSCP.exe' condition: selection -id: 109a85ac-382a-4e07-932b-08a9a3049f8d +id: efbd211f-a10d-499c-b395-cc60cc49ba3e status: experimental description: Detects potential processes activity of WinSCP RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/xeox_network_sigma.yml b/detections/sigma/xeox_network_sigma.yml index 0cd218d4..2888780f 100644 --- a/detections/sigma/xeox_network_sigma.yml +++ b/detections/sigma/xeox_network_sigma.yml @@ -8,11 +8,11 @@ detection: - '*.xeox.com' - xeox.com condition: selection -id: effa0e01-efd4-4d5b-91a9-4061c5e17ffc +id: 1ff42714-efb3-4550-81af-748ae2d1c526 status: experimental description: Detects potential network activity of Xeox RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/xeox_processes_sigma.yml b/detections/sigma/xeox_processes_sigma.yml index 6a4dddf9..c692e3df 100644 --- a/detections/sigma/xeox_processes_sigma.yml +++ b/detections/sigma/xeox_processes_sigma.yml 
@@ -10,11 +10,11 @@ detection: - xeox-agent_*.exe - xeox-agent_x86.exe condition: selection -id: 6ed8da66-0176-4a33-8d71-7d589aced3b7 +id: 9063ed28-7fb7-4ea6-af24-e51e6d0cbb09 status: experimental description: Detects potential processes activity of Xeox RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/xpra_processes_sigma.yml b/detections/sigma/xpra_processes_sigma.yml index 70f4815d..a540f28c 100644 --- a/detections/sigma/xpra_processes_sigma.yml +++ b/detections/sigma/xpra_processes_sigma.yml @@ -8,11 +8,11 @@ detection: - '*\Xpra-Launcher.exe' - '*\Xpra-x86_64_Setup.exe' condition: selection -id: e06551f8-da37-404b-b67b-f107e0ad030a +id: 01788429-3310-48f4-852e-6bc26f0747c0 status: experimental description: Detects potential processes activity of Xpra RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/xshell_processes_sigma.yml b/detections/sigma/xshell_processes_sigma.yml index 627b172a..859ae142 100644 --- a/detections/sigma/xshell_processes_sigma.yml +++ b/detections/sigma/xshell_processes_sigma.yml @@ -7,11 +7,11 @@ detection: ParentImage|endswith: - '*\xShell.exe' condition: selection -id: b4abcd70-dc12-437c-bac0-82ce21684bb8 +id: 95fe2bf1-0c97-4c3c-b42b-c88eb93c1ead status: experimental description: Detects potential processes activity of Xshell RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/yandex.disk_processes_sigma.yml b/detections/sigma/yandex.disk_processes_sigma.yml index 2ec8bbd2..7a68f193 100644 --- a/detections/sigma/yandex.disk_processes_sigma.yml +++ b/detections/sigma/yandex.disk_processes_sigma.yml 
@@ -7,11 +7,11 @@ detection: ParentImage|endswith: - '*\YandexDisk2.exe' condition: selection -id: 4ca61292-0477-43bf-b614-e1701a8ebe03 +id: 198f38c5-5460-4c14-9675-f4af8672be6e status: experimental description: Detects potential processes activity of Yandex.Disk RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/zabbix_agent_network_sigma.yml b/detections/sigma/zabbix_agent_network_sigma.yml index fec9428e..e18049ee 100644 --- a/detections/sigma/zabbix_agent_network_sigma.yml +++ b/detections/sigma/zabbix_agent_network_sigma.yml @@ -8,11 +8,11 @@ detection: - user_managed - zabbix.com condition: selection -id: 94caa352-9ffe-4a70-8a7d-be85e19986ab +id: dbb6ae92-593f-475a-a64e-8f100154096c status: experimental description: Detects potential network activity of Zabbix Agent RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/zabbix_agent_processes_sigma.yml b/detections/sigma/zabbix_agent_processes_sigma.yml index fb3291b1..c0e46f57 100644 --- a/detections/sigma/zabbix_agent_processes_sigma.yml +++ b/detections/sigma/zabbix_agent_processes_sigma.yml @@ -7,11 +7,11 @@ detection: ParentImage|endswith: - zabbix_agent*.exe condition: selection -id: c43a960d-1b4c-4e24-87d8-449464ba1b27 +id: 415d6e06-ca39-4cbf-9a23-c14d720f92e4 status: experimental description: Detects potential processes activity of Zabbix Agent RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/zerotier_network_sigma.yml b/detections/sigma/zerotier_network_sigma.yml index c3dfbef0..e7f3267a 100644 --- a/detections/sigma/zerotier_network_sigma.yml +++ b/detections/sigma/zerotier_network_sigma.yml 
@@ -8,11 +8,11 @@ detection: - zerotier.com - '*.zerotier.com' condition: selection -id: c026b849-24e1-46cd-aa06-b625928ab78d +id: cfc057e5-e86c-46c8-b261-d459149305f7 status: experimental description: Detects potential network activity of ZeroTier RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/zerotier_processes_sigma.yml b/detections/sigma/zerotier_processes_sigma.yml index c109e05d..9146eb26 100644 --- a/detections/sigma/zerotier_processes_sigma.yml +++ b/detections/sigma/zerotier_processes_sigma.yml @@ -8,11 +8,11 @@ detection: - zerotier*.exe - zero-powershell.exe condition: selection -id: 028f4c15-5379-489b-9621-f9cf16f7829a +id: 3bb23fe4-d277-4cb0-ad3c-3ca22b56ba46 status: experimental description: Detects potential processes activity of ZeroTier RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/zoc_processes_sigma.yml b/detections/sigma/zoc_processes_sigma.yml index e84f87f0..3fe69251 100644 --- a/detections/sigma/zoc_processes_sigma.yml +++ b/detections/sigma/zoc_processes_sigma.yml @@ -7,11 +7,11 @@ detection: ParentImage|endswith: - '*\zoc.exe' condition: selection -id: 60ebad9d-046d-4342-b1fb-0477e52ad052 +id: 6ecbaa7a-6684-4262-9870-058cc85ca350 status: experimental description: Detects potential processes activity of ZOC RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/zoho_assist_network_sigma.yml b/detections/sigma/zoho_assist_network_sigma.yml index f61f595c..fc32a31b 100644 --- a/detections/sigma/zoho_assist_network_sigma.yml +++ b/detections/sigma/zoho_assist_network_sigma.yml 
@@ -19,11 +19,11 @@ detection: - '*.zoho.com' - '*.zoho.eu' condition: selection -id: ca90a415-2385-4c50-a295-5e58e4ab3117 +id: f0241638-0572-451d-be6a-ae0a0ab84b72 status: experimental description: Detects potential network activity of Zoho Assist RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/detections/sigma/zoho_assist_processes_sigma.yml b/detections/sigma/zoho_assist_processes_sigma.yml index d111b68b..eebcc422 100644 --- a/detections/sigma/zoho_assist_processes_sigma.yml +++ b/detections/sigma/zoho_assist_processes_sigma.yml @@ -16,11 +16,11 @@ detection: - Zaservice.exe - za_connect.exe condition: selection -id: 8154c1ac-a2e2-44bc-9464-600b51ea369a +id: 4d4a089c-d901-4d5d-8252-869a87d8a4d7 status: experimental description: Detects potential processes activity of Zoho Assist RMM tool author: LOLRMM Project -date: 2024/08/05 +date: 2024/08/07 tags: - attack.execution - attack.t1219 diff --git a/lolrmm.com/content/api/rmm_tools.csv b/lolrmm.com/content/api/rmm_tools.csv index fa4afccb..1414cd7a 100644 --- a/lolrmm.com/content/api/rmm_tools.csv +++ b/lolrmm.com/content/api/rmm_tools.csv 
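Review bot: `'*.zoho.com'` and `'*.zoho.eu'` in the Zoho Assist network selection match the entire Zoho SaaS estate (mail, CRM, desk and so on), so in any organisation that uses Zoho this rule will fire on routine business traffic rather than on the Assist agent. Narrow the list to Assist-specific hosts (the more specific entries appear to be above the hunk) and drop the two apex wildcards, or at least document the expected noise in `falsepositives`. The start of the selection lies outside the hunk.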
@@ -1,340 +1,340 @@ Name,Category,Description,Author,Created,LastModified,Website,Filename,OriginalFileName,PEDescription,Product,Privileges,Free,Verification,SupportedOS,Capabilities,Vulnerabilities,InstallationPaths,Artifacts,Detections,References,Acknowledgement -Rapid7,,Rapid7 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"ir_agent.exe, rapid7_agent_core.exe, rapid7_endpoint_broker.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.analytics.insight.rapid7.com"", ""*.endpoint.ingress.rapid7.com""], ""Ports"": []}]}",[],https://docs.rapid7.com/insightvm/configure-communications-with-the-insight-platform/,[] -SunLogin,,SunLogin is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"OrayRemoteShell.exe, OrayRemoteService.exe, sunlogin*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""sunlogin.oray.com"", ""client.oray.net""], ""Ports"": []}]}",[],https://sunlogin.oray.com/en/embed/software.html,[] +Rapid7,,Rapid7 is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"ir_agent.exe, rapid7_agent_core.exe, rapid7_endpoint_broker.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.analytics.insight.rapid7.com"", ""*.endpoint.ingress.rapid7.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rapid7_network_sigma.yml"", ""Description"": ""Detects potential network activity of Rapid7 RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rapid7_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Rapid7 RMM tool""}]",https://docs.rapid7.com/insightvm/configure-communications-with-the-insight-platform/,[] +SunLogin,,SunLogin is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"OrayRemoteShell.exe, OrayRemoteService.exe, sunlogin*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""sunlogin.oray.com"", ""client.oray.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sunlogin_network_sigma.yml"", ""Description"": ""Detects potential network activity of SunLogin RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sunlogin_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SunLogin RMM tool""}]",https://sunlogin.oray.com/en/embed/software.html,[] CloudFuze,,CloudFuze is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Box,,Box is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\Box\Box\*, *\Box\Box\*, *\Box.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Box,,Box is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\Box\Box\*, *\Box\Box\*, *\Box.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/box_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Box RMM tool""}]",,[] GoToAssist Agent Desktop Console,,GoToAssist Agent Desktop Console is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\G2RDesktopConsole-x64.msi, *\G2RDesktopConsole-x64.msi","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] Kaseya (VSA),,"Kaseya (VSA) aka Unigma is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. 
-",Nasreddine Bencherchali,2024-08-05,2024-08-05,,agentmon.exe,,,,,,,,,,"C:\Program Files (x86)\Kaseya\, C:\ProgramData\Kaseya\","{""Disk"": [{""File"": ""%localappdata%\\Kaseya\\Log\\KaseyaLiveConnect\\*"", ""Description"": ""Kaseya Live Connect logs"", ""OS"": ""Windows""}, {""File"": ""~/Library/Logs/com.kaseya/KaseyaLiveConnect/*"", ""Description"": ""Kaseya Live Connect logs"", ""OS"": ""MacOS""}, {""File"": ""C:\\ProgramData\\Kaseya\\Log\\Endpoint\\*"", ""Description"": ""Kaseya Endpoint logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files*\\Kaseya\\*\\agentmon.log"", ""Description"": ""Kaseya Agent Monitor log""}, {""File"": ""/var/log/system.log"", ""Description"": ""Kaseya Agent Monitor log"", ""OS"": ""MacOS 32bit""}, {""File"": "" ~/opt/kaseya/*/logs*"", ""Description"": ""Kaseya Agent Monitor log"", ""OS"": ""MacOS 64bit""}, {""File"": ""C:\\Users\\*\\AppData\\Local\\Temp\\KASetup.log"", ""Description"": ""Kaseya Setup log in user temp directory"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\Temp\\KASetup.log"", ""Description"": ""Kaseya Setup log in Windows temp directory"", ""OS"": ""Windows""}, {""File"": ""C:\\ProgramData\\Kaseya\\Log\\KaseyaEdgeServices\\*"", ""Description"": ""Kaseya Edge Services logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Kaseya\\api\\v1.0\\logs\\"", ""Description"": ""Kaseya API logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Kaseya\\api\\v1.5\\endpoint\\logs"", ""Description"": ""Kaseya API logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Kaseya\\api\\v1.5\\endpoints\\logs"", ""Description"": ""Kaseya API logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Kaseya\\Log\\MakeSelfSignedCert.exe\\"", ""Description"": ""Certificate creation"", ""OS"": ""Windows""}, {""File"": ""C:\\Kaseya\\WebPages\\install\\makecert.txt"", ""Description"": ""Certificate creation"", ""OS"": ""Windows""}, {""File"": 
""C:\\ProgramData\\Kaseya\\Log\\Endpoint\\Instance_*\\KaseyaEndpoint*"", ""Description"": ""Endpoint service logs"", ""OS"": ""Windows""}, {""File"": ""C:\\ProgramData\\Kaseya\\Log\\Endpoint\\Instance_*\\Session_*"", ""Description"": ""Session logs"", ""OS"": ""Windows""}], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""deploy01.kaseya.com"", ""*managedsupport.kaseya.net"", ""*.kaseya.net"", ""kaseya.com""], ""Ports"": []}]}",[],"https://helpdesk.kaseya.com/hc/en-gb/articles/229012608-Software-Deployment-URL-Port-Requirements, https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations, https://ruler-project.github.io/ruler-project/RULER/remote/Kaseya/, https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations",[] -PuTTY Tray,,PuTTY Tray is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\puttytray.exe, *\puttytray.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Azure Storage Explorer,,Azure Storage Explorer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Microsoft Azure Storage Explorer\*, *\Microsoft Azure Storage Explorer\*, *\StorageExplorer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -SysAid,,SysAid is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\SysAidServer\*, *\SysAidServer\*, *\SysAid\*, *\IliAS.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Domotz,,Domotz is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"domotz.exe, Domotz Pro Desktop App.exe, domotz_bash.exe, domotz*.exe, Domotz Pro Desktop App Setup*.exe, domotz-windows*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.domotz.co"", ""domotz.com"", ""*cell-1.domotz.com""], ""Ports"": []}]}",[],https://help.domotz.com/tips-tricks/unblock-outgoing-connections-on-firewall/,[] +",Nasreddine Bencherchali,2024-08-05,2024-08-05,,agentmon.exe,,,,,,,,,,"C:\Program Files (x86)\Kaseya\, C:\ProgramData\Kaseya\","{""Disk"": [{""File"": ""%localappdata%\\Kaseya\\Log\\KaseyaLiveConnect\\*"", ""Description"": ""Kaseya Live Connect logs"", ""OS"": ""Windows""}, {""File"": ""~/Library/Logs/com.kaseya/KaseyaLiveConnect/*"", ""Description"": ""Kaseya Live Connect logs"", ""OS"": ""MacOS""}, {""File"": ""C:\\ProgramData\\Kaseya\\Log\\Endpoint\\*"", ""Description"": ""Kaseya Endpoint logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files*\\Kaseya\\*\\agentmon.log"", ""Description"": ""Kaseya Agent Monitor log""}, {""File"": ""/var/log/system.log"", ""Description"": ""Kaseya Agent Monitor log"", ""OS"": ""MacOS 32bit""}, {""File"": "" ~/opt/kaseya/*/logs*"", ""Description"": ""Kaseya Agent Monitor log"", ""OS"": ""MacOS 64bit""}, {""File"": ""C:\\Users\\*\\AppData\\Local\\Temp\\KASetup.log"", ""Description"": ""Kaseya Setup log in user temp directory"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\Temp\\KASetup.log"", ""Description"": ""Kaseya Setup log in Windows temp directory"", ""OS"": ""Windows""}, {""File"": ""C:\\ProgramData\\Kaseya\\Log\\KaseyaEdgeServices\\*"", ""Description"": ""Kaseya Edge Services logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Kaseya\\api\\v1.0\\logs\\"", ""Description"": ""Kaseya API logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Kaseya\\api\\v1.5\\endpoint\\logs"", ""Description"": ""Kaseya API logs"", ""OS"": ""Windows""}, {""File"": 
""C:\\Kaseya\\api\\v1.5\\endpoints\\logs"", ""Description"": ""Kaseya API logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Kaseya\\Log\\MakeSelfSignedCert.exe\\"", ""Description"": ""Certificate creation"", ""OS"": ""Windows""}, {""File"": ""C:\\Kaseya\\WebPages\\install\\makecert.txt"", ""Description"": ""Certificate creation"", ""OS"": ""Windows""}, {""File"": ""C:\\ProgramData\\Kaseya\\Log\\Endpoint\\Instance_*\\KaseyaEndpoint*"", ""Description"": ""Endpoint service logs"", ""OS"": ""Windows""}, {""File"": ""C:\\ProgramData\\Kaseya\\Log\\Endpoint\\Instance_*\\Session_*"", ""Description"": ""Session logs"", ""OS"": ""Windows""}], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""deploy01.kaseya.com"", ""*managedsupport.kaseya.net"", ""*.kaseya.net"", ""kaseya.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kaseya__vsa__network_sigma.yml"", ""Description"": ""Detects potential network activity of Kaseya (VSA) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kaseya__vsa__files_sigma.yml"", ""Description"": ""Detects potential files activity of Kaseya (VSA) RMM tool""}]","https://helpdesk.kaseya.com/hc/en-gb/articles/229012608-Software-Deployment-URL-Port-Requirements, https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations, https://ruler-project.github.io/ruler-project/RULER/remote/Kaseya/, https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations",[] +PuTTY Tray,,PuTTY Tray is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\puttytray.exe, *\puttytray.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/putty_tray_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of PuTTY Tray RMM tool""}]",,[] +Azure Storage Explorer,,Azure Storage Explorer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Microsoft Azure Storage Explorer\*, *\Microsoft Azure Storage Explorer\*, *\StorageExplorer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/azure_storage_explorer_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Azure Storage Explorer RMM tool""}]",,[] +SysAid,,SysAid is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\SysAidServer\*, *\SysAidServer\*, *\SysAid\*, *\IliAS.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sysaid_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SysAid RMM tool""}]",,[] +Domotz,,Domotz is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"domotz.exe, Domotz Pro Desktop App.exe, domotz_bash.exe, domotz*.exe, Domotz Pro Desktop App Setup*.exe, domotz-windows*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.domotz.co"", ""domotz.com"", ""*cell-1.domotz.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/domotz_network_sigma.yml"", ""Description"": ""Detects potential network activity of Domotz RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/domotz_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Domotz RMM tool""}]",https://help.domotz.com/tips-tricks/unblock-outgoing-connections-on-firewall/,[] BeyondTrust,,BeyondTrust is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Netop Remote Control (aka Impero Connect),,Netop Remote Control (aka Impero Connect) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"nhostsvc.exe, nhstw32.exe, nldrw32.exe, rmserverconsolemediator.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""imperosoftware.com/impero-connect/""], ""Ports"": []}]}",[],,[] +Netop Remote Control (aka Impero Connect),,Netop Remote Control (aka Impero Connect) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"nhostsvc.exe, nhstw32.exe, nldrw32.exe, rmserverconsolemediator.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""imperosoftware.com/impero-connect/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__aka_impero_connect__network_sigma.yml"", ""Description"": ""Detects potential network activity of Netop Remote Control (aka Impero Connect) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__aka_impero_connect__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Netop Remote Control (aka Impero Connect) RMM tool""}]",,[] Bomgar - Now BeyondTrust,,Bomgar - Now BeyondTrust is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Microsoft TSC,,Microsoft TSC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,termsrv.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/terminal-server-startup-connection-application,[] -Jump Desktop,,Jump Desktop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"jumpclient.exe, jumpdesktop.exe, jumpservice.exe, jumpconnect.exe, jumpupdater.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.jumpdesktop.com"", ""jumpdesktop.com"", ""jumpto.me"", ""*.jumpto.me""], ""Ports"": []}]}",[],https://support.jumpdesktop.com/hc/en-us/articles/360042490351-Administrators-Guide-For-Jump-Desktop-Connect,[] -IntelliAdmin Remote Control,,IntelliAdmin Remote Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"iadmin.exe, intelliadmin.exe, agent32.exe, agent64.exe, agent_setup_5.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""*.intelliadmin.com"", ""intelliadmin.com/remote-control""], ""Ports"": []}]}",[],intelliadmin.com/remote-control,[] +Microsoft TSC,,Microsoft TSC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,termsrv.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_tsc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Microsoft TSC RMM tool""}]",https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/terminal-server-startup-connection-application,[] +Jump Desktop,,Jump Desktop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"jumpclient.exe, jumpdesktop.exe, jumpservice.exe, jumpconnect.exe, jumpupdater.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.jumpdesktop.com"", ""jumpdesktop.com"", ""jumpto.me"", ""*.jumpto.me""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_desktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of Jump Desktop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_desktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Jump Desktop RMM tool""}]",https://support.jumpdesktop.com/hc/en-us/articles/360042490351-Administrators-Guide-For-Jump-Desktop-Connect,[] +IntelliAdmin Remote Control,,IntelliAdmin Remote Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"iadmin.exe, intelliadmin.exe, agent32.exe, agent64.exe, agent_setup_5.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""*.intelliadmin.com"", ""intelliadmin.com/remote-control""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/intelliadmin_remote_control_network_sigma.yml"", ""Description"": ""Detects potential network activity of IntelliAdmin Remote Control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/intelliadmin_remote_control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of IntelliAdmin Remote Control RMM tool""}]",intelliadmin.com/remote-control,[] Chrome SSH Extension,,Chrome SSH Extension is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\Extensions\iodihamcpbpeioajjeobimgagajmlibd*, *Users\*\AppData\Local\Google\Chrome\User Data\Default\Extensions\iodihamcpbpeioajjeobimgagajmlibd*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -ZeroTier,,ZeroTier is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"zerotier*.msi, zerotier*.exe, zero-powershell.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""zerotier.com"", ""*.zerotier.com""], ""Ports"": []}]}",[],https://my.zerotier.com/,[] -Ericom AccessNow,,Ericom AccessNow is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"accessserver*.exe, accessserver.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""ericom.com""], ""Ports"": []}]}",[],https://www.ericom.com/connect-accessnow/,[] +ZeroTier,,ZeroTier is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"zerotier*.msi, zerotier*.exe, zero-powershell.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""zerotier.com"", ""*.zerotier.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zerotier_network_sigma.yml"", ""Description"": ""Detects potential network activity of ZeroTier RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zerotier_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ZeroTier RMM tool""}]",https://my.zerotier.com/,[] +Ericom AccessNow,,Ericom AccessNow is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"accessserver*.exe, accessserver.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""ericom.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_accessnow_network_sigma.yml"", ""Description"": ""Detects potential network activity of Ericom AccessNow RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_accessnow_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Ericom AccessNow RMM tool""}]",https://www.ericom.com/connect-accessnow/,[] RealVNC,,RealVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Pcnow,,Pcnow is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"mwcliun.exe, pcnmgr.exe, webexpcnow.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""au.pcmag.com/utilities/21470/webex-pcnow""], ""Ports"": []}]}",[],http://pcnow.webex.com/ - DOA as of 2024,[] -DesktopNow,,DesktopNow is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,desktopnow.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.nchuser.com""], ""Ports"": []}]}",[],https://forums.ivanti.com/s/article/Network-Ports-used-by-Environment-Manager?language=en_US,[] -Pocket Controller (Soti Xsight),,Pocket Controller (Soti Xsight) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"pocketcontroller.exe, wysebrowser.exe, XSightService.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*soti.net""], ""Ports"": []}]}",[],https://pulse.soti.net/support/soti-xsight/help/,[] -Instant Housecall,,Instant Housecall is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"hsloader.exe, ihcserver.exe, instanthousecall.exe, instanthousecall.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.instanthousecall.com"", ""*.instanthousecall.net"", ""instanthousecall.com"", ""secure.instanthousecall.com""], ""Ports"": []}]}",[],https://instanthousecall.com/features/,[] -CentraStage (Now Datto),,CentraStage (Now Datto) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"CagService.exe, AEMAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.rmm.datto.com"", ""*cc.centrastage.net"", ""datto.com/au/products/rmm/""], ""Ports"": []}]}",[],https://rmm.datto.com/help/de/Content/1INTRODUCTION/Requirements/AllowListRequirements.htm,[] -Core FTP,,Core FTP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\coreftplite.exe, *\coreftplite.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Insync,,Insync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\USERNAME\AppData\Roaming\Insync\App\Insync.exe, *Users\*\AppData\Roaming\Insync\App\Insync.exe, *\Insync.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Microsoft TSC,,Microsoft TSC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"termsrv.exe, mstsc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/terminal-server-startup-connection-application,[] -LogMeIn rescue,,LogMeIn rescue is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"support-logmeinrescue*.exe, support-logmeinrescue.exe, lmi_rescue.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.logmeinrescue.com"", ""*.logmeinrescue.eu"", ""logmeinrescue.com""], ""Ports"": []}]}",[],https://support.logmeinrescue.com/rescue/help/allowlisting-and-rescue,[] +Pcnow,,Pcnow is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"mwcliun.exe, pcnmgr.exe, webexpcnow.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""au.pcmag.com/utilities/21470/webex-pcnow""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcnow_network_sigma.yml"", ""Description"": ""Detects potential network activity of Pcnow RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcnow_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pcnow RMM tool""}]",http://pcnow.webex.com/ - DOA as of 2024,[] +DesktopNow,,DesktopNow is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,desktopnow.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.nchuser.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktopnow_network_sigma.yml"", ""Description"": ""Detects potential network activity of DesktopNow RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktopnow_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DesktopNow RMM tool""}]",https://forums.ivanti.com/s/article/Network-Ports-used-by-Environment-Manager?language=en_US,[] +Pocket Controller (Soti Xsight),,Pocket Controller (Soti Xsight) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"pocketcontroller.exe, wysebrowser.exe, XSightService.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*soti.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller__soti_xsight__network_sigma.yml"", ""Description"": ""Detects potential network activity of Pocket Controller (Soti Xsight) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller__soti_xsight__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pocket Controller (Soti Xsight) RMM tool""}]",https://pulse.soti.net/support/soti-xsight/help/,[] +Instant Housecall,,Instant Housecall is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"hsloader.exe, ihcserver.exe, instanthousecall.exe, instanthousecall.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.instanthousecall.com"", ""*.instanthousecall.net"", ""instanthousecall.com"", ""secure.instanthousecall.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_network_sigma.yml"", ""Description"": ""Detects potential network activity of Instant Housecall RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Instant Housecall RMM tool""}]",https://instanthousecall.com/features/,[] +CentraStage (Now Datto),,CentraStage (Now Datto) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"CagService.exe, AEMAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.rmm.datto.com"", ""*cc.centrastage.net"", ""datto.com/au/products/rmm/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centrastage__now_datto__network_sigma.yml"", ""Description"": ""Detects potential network activity of CentraStage (Now Datto) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centrastage__now_datto__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of CentraStage (Now Datto) RMM tool""}]",https://rmm.datto.com/help/de/Content/1INTRODUCTION/Requirements/AllowListRequirements.htm,[] +Core FTP,,Core FTP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\coreftplite.exe, *\coreftplite.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/core_ftp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Core FTP RMM tool""}]",,[] +Insync,,Insync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\USERNAME\AppData\Roaming\Insync\App\Insync.exe, *Users\*\AppData\Roaming\Insync\App\Insync.exe, *\Insync.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/insync_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Insync RMM tool""}]",,[] +Microsoft TSC,,Microsoft TSC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"termsrv.exe, mstsc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_tsc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Microsoft TSC RMM tool""}]",https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/terminal-server-startup-connection-application,[] +LogMeIn rescue,,LogMeIn rescue is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"support-logmeinrescue*.exe, support-logmeinrescue.exe, lmi_rescue.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.logmeinrescue.com"", ""*.logmeinrescue.eu"", ""logmeinrescue.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_rescue_network_sigma.yml"", ""Description"": ""Detects potential network activity of LogMeIn rescue RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_rescue_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of LogMeIn rescue RMM tool""}]",https://support.logmeinrescue.com/rescue/help/allowlisting-and-rescue,[] Electric AI (Kaseya),,Electric AI (Kaseya) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],https://www.electric.ai/product/device-management-solutions - Usess Kaseya/jamf,[] -Adobe Connect,,Adobe Connect is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/27/2024,,,,,,,,,,,,"ConnectAppSetup*.exe, ConnectShellSetup*.exe, Connect.exe, ConnectDetector.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.adobeconnect.com""], ""Ports"": []}]}",[],https://helpx.adobe.com/adobe-connect/firewall-proxy-server-configuration-adobe-connect.html,[] -CloudFlare Tunnel,,CloudFlare Tunnel is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,cloudflared.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""cloudflare.com/products/tunnel/""], ""Ports"": []}]}",[],cloudflare.com/products/tunnel/,[] -DriveMaker,,DriveMaker is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\DriveMaker.exe, *\DriveMaker.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -mstsc,,mstsc is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Windows\System32\mstsc.exe, *Windows\System32\mstsc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Parallels Access,,Parallels Access is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"parallelsaccess-*.exe, TSClient.exe, prl_deskctl_agent.exe, prl_deskctl_wizard.exe, prl_pm_service.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.parallels.com"", ""parallels.com/products/ras/try""], ""Ports"": []}]}",[],https://kb.parallels.com/en/129097,[] -ConnectWise Control,,ConnectWise Control is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"connectwisechat-customer.exe, connectwisecontrol.client.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""control.connectwise.com""], ""Ports"": []}]}",[],,[] +Adobe Connect,,Adobe Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/27/2024,,,,,,,,,,,,"ConnectAppSetup*.exe, ConnectShellSetup*.exe, Connect.exe, ConnectDetector.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.adobeconnect.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/adobe_connect_network_sigma.yml"", ""Description"": ""Detects potential network activity of Adobe Connect RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/adobe_connect_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Adobe Connect RMM tool""}]",https://helpx.adobe.com/adobe-connect/firewall-proxy-server-configuration-adobe-connect.html,[] +CloudFlare Tunnel,,CloudFlare Tunnel is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,cloudflared.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""cloudflare.com/products/tunnel/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudflare_tunnel_network_sigma.yml"", ""Description"": ""Detects potential network activity of CloudFlare Tunnel RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudflare_tunnel_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of CloudFlare Tunnel RMM tool""}]",cloudflare.com/products/tunnel/,[] +DriveMaker,,DriveMaker is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\DriveMaker.exe, *\DriveMaker.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/drivemaker_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DriveMaker RMM tool""}]",,[] +mstsc,,mstsc is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Windows\System32\mstsc.exe, *Windows\System32\mstsc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mstsc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of mstsc RMM tool""}]",,[] +Parallels Access,,Parallels Access is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"parallelsaccess-*.exe, TSClient.exe, prl_deskctl_agent.exe, prl_deskctl_wizard.exe, prl_pm_service.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.parallels.com"", ""parallels.com/products/ras/try""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/parallels_access_network_sigma.yml"", ""Description"": ""Detects potential network activity of Parallels Access RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/parallels_access_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Parallels Access RMM tool""}]",https://kb.parallels.com/en/129097,[] +ConnectWise Control,,ConnectWise Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"connectwisechat-customer.exe, connectwisecontrol.client.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""control.connectwise.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_network_sigma.yml"", ""Description"": ""Detects potential network activity of ConnectWise Control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ConnectWise Control RMM tool""}]",,[] Devolutions Remote Desktop Manager,,Devolutions Remote Desktop Manager is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -TigerVNC,,TigerVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"tigervnc*.exe, winvnc4.exe, C:\Program Files\TightVNC\*, *\TightVNC\*, *\tvnserver.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}",[],https://github.com/TigerVNC/tigervnc/releases,[] -Rocket Remote Desktop,,Rocket Remote Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"RDConsole.exe, RocketRemoteDesktop_Setup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -NoteOn-desktop sharing,,NoteOn-desktop sharing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"nateon*.exe, nateon.exe, nateonmain.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Bomgar,,Bomgar is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,bomgar-scc.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""beyondtrust.com/brand/bomgar""], ""Ports"": []}]}",[],,[] -pCloud,,pCloud is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\pCloud Drive\, *\pCloud Drive\, *\pCloud.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -HelpU,,HelpU is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"helpu_install.exe, HelpuUpdater.exe, HelpuManager.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""helpu.co.kr"", ""*.helpu.co.kr""], ""Ports"": []}]}",[],https://helpu.co.kr/,[] -Splashtop Remote,,Splashtop Remote is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"strwinclt.exe, Splashtop_Streamer_Windows*.exe, SplashtopSOS.exe, sragent.exe, srmanager.exe, srserver.exe, srservice.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""splashtop.com"", ""*.api.splashtop.com"", ""*.relay.splashtop.com"", ""*.api.splashtop.eu""], ""Ports"": []}]}",[],https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services,[] +TigerVNC,,TigerVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"tigervnc*.exe, winvnc4.exe, C:\Program Files\TightVNC\*, *\TightVNC\*, *\tvnserver.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tigervnc_network_sigma.yml"", ""Description"": ""Detects potential network activity of TigerVNC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tigervnc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of TigerVNC RMM tool""}]",https://github.com/TigerVNC/tigervnc/releases,[] +Rocket Remote Desktop,,Rocket Remote Desktop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"RDConsole.exe, RocketRemoteDesktop_Setup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rocket_remote_desktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Rocket Remote Desktop RMM tool""}]",,[] +NoteOn-desktop sharing,,NoteOn-desktop sharing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"nateon*.exe, nateon.exe, nateonmain.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/noteon-desktop_sharing_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NoteOn-desktop sharing RMM tool""}]",,[] +Bomgar,,Bomgar is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,bomgar-scc.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""beyondtrust.com/brand/bomgar""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bomgar_network_sigma.yml"", ""Description"": ""Detects potential network activity of Bomgar RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bomgar_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Bomgar RMM tool""}]",,[] +pCloud,,pCloud is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\pCloud Drive\, *\pCloud Drive\, *\pCloud.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcloud_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of pCloud RMM tool""}]",,[] +HelpU,,HelpU is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"helpu_install.exe, HelpuUpdater.exe, HelpuManager.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""helpu.co.kr"", ""*.helpu.co.kr""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpu_network_sigma.yml"", ""Description"": ""Detects potential network activity of HelpU RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpu_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of HelpU RMM tool""}]",https://helpu.co.kr/,[] +Splashtop Remote,,Splashtop Remote is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"strwinclt.exe, Splashtop_Streamer_Windows*.exe, SplashtopSOS.exe, sragent.exe, srmanager.exe, srserver.exe, srservice.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""splashtop.com"", ""*.api.splashtop.com"", ""*.relay.splashtop.com"", ""*.api.splashtop.eu""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_remote_network_sigma.yml"", ""Description"": ""Detects potential network activity of Splashtop Remote RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_remote_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Splashtop Remote RMM tool""}]",https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services,[] X2Go,,X2Go is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Pocket Controller,,Pocket Controller is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"pocketcontroller.exe, pocketcloudservice.exe, wysebrowser.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""soti.net/products/soti-pocket-controller""], ""Ports"": []}]}",[],,[] -Xshell,,Xshell is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\NetSarang\xShell\*, *\NetSarang\xShell\*, *\xShell.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Bitvise SSH Client,,Bitvise SSH Client is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Bitvise SSH Client\*, *\Bitvise SSH Client\*, *\BvSshClient-Inst.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Royal Server,,Royal Server is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""royalapps.com""], ""Ports"": []}]}",[],,[] -Remote Manipulator System,,Remote Manipulator System is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rfusclient.exe, rutserv.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.internetid.ru"", ""rmansys.ru""], ""Ports"": []}]}",[],https://rmansys.ru/files/,[] -Manage Engine (Desktop Central),,Manage Engine (Desktop Central) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"dcagentservice.exe, dcagentregister.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""desktopcentral.manageengine.com"", ""desktopcentral.manageengine.com.eu"", ""desktopcentral.manageengine.cn"", ""*.dms.zoho.com"", ""*.dms.zoho.com.eu"", ""*.-dms.zoho.com.cn""], ""Ports"": []}]}",[],https://www.manageengine.com/products/desktop-central/help/domains-required-for-agent-communication.html,[] -Auvik,,Auvik is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"auvik.engine.exe, auvik.agent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.my.auvik.com"", ""*.auvik.com"", ""auvik.com""], ""Ports"": []}]}",[],https://support.auvik.com/hc/en-us/articles/204315700-What-protocols-and-ports-does-the-Auvik-collector-use,[] -Basecamp,,Basecamp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""basecamp.com""], ""Ports"": []}]}",[],basecamp.com - No specific RMM tool listed,[] +Pocket Controller,,Pocket Controller is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"pocketcontroller.exe, pocketcloudservice.exe, wysebrowser.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""soti.net/products/soti-pocket-controller""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller_network_sigma.yml"", ""Description"": ""Detects potential network activity of Pocket Controller RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pocket Controller RMM tool""}]",,[] +Xshell,,Xshell is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\NetSarang\xShell\*, *\NetSarang\xShell\*, *\xShell.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xshell_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Xshell RMM tool""}]",,[] +Bitvise SSH Client,,Bitvise SSH Client is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Bitvise SSH Client\*, *\Bitvise SSH Client\*, *\BvSshClient-Inst.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bitvise_ssh_client_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Bitvise SSH Client RMM tool""}]",,[] +Royal Server,,Royal Server is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""royalapps.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_server_network_sigma.yml"", ""Description"": ""Detects potential network activity of Royal Server RMM tool""}]",,[] +Remote Manipulator System,,Remote Manipulator System is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rfusclient.exe, rutserv.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.internetid.ru"", ""rmansys.ru""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_manipulator_system_network_sigma.yml"", ""Description"": ""Detects potential network activity of Remote Manipulator System RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_manipulator_system_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remote Manipulator System RMM tool""}]",https://rmansys.ru/files/,[] +Manage Engine (Desktop Central),,Manage Engine (Desktop Central) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"dcagentservice.exe, dcagentregister.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""desktopcentral.manageengine.com"", ""desktopcentral.manageengine.com.eu"", ""desktopcentral.manageengine.cn"", ""*.dms.zoho.com"", ""*.dms.zoho.com.eu"", ""*.-dms.zoho.com.cn""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manage_engine__desktop_central__network_sigma.yml"", ""Description"": ""Detects potential network activity of Manage Engine (Desktop Central) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manage_engine__desktop_central__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Manage Engine (Desktop Central) RMM tool""}]",https://www.manageengine.com/products/desktop-central/help/domains-required-for-agent-communication.html,[] +Auvik,,Auvik is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"auvik.engine.exe, auvik.agent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.my.auvik.com"", ""*.auvik.com"", ""auvik.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/auvik_network_sigma.yml"", ""Description"": ""Detects potential network activity of Auvik RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/auvik_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Auvik RMM tool""}]",https://support.auvik.com/hc/en-us/articles/204315700-What-protocols-and-ports-does-the-Auvik-collector-use,[] +Basecamp,,Basecamp is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""basecamp.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/basecamp_network_sigma.yml"", ""Description"": ""Detects potential network activity of Basecamp RMM tool""}]",basecamp.com - No specific RMM tool listed,[] Free Tools Launcher,,Free Tools Launcher is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\ManageEngine\ManageEngine Free Tools\Launcher\*, *\ManageEngine\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -aws-cli,,aws-cli is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\Amazon\AWSCLI\*, *\Amazon\AWSCLI\*, *\AWSCLIV*.msi, *\AWSCLISetup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +aws-cli,,aws-cli is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\Amazon\AWSCLI\*, *\Amazon\AWSCLI\*, *\AWSCLIV*.msi, *\AWSCLISetup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aws-cli_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of aws-cli RMM tool""}]",,[] AnyDesk,RMM,"AnyDesk is a popular remote desktop software that enables users to access and control a computer or device from a remote location. It was developed with the primary goal of facilitating remote work, technical support, and collaboration between individuals and teams. 
-","Ali Alwashali, Nasreddine Bencherchali",2023-09-29,2024-08-02,https://anydesk.com/en,anydesk.exe,AnyDesk.exe,AnyDesk,AnyDesk,User,True,False,"Android, ChromeOS, IOS, Linux, Mac, Windows","File Transfer, File System Access, Remote Control, GUI Support, Command line Support",https://www.cvedetails.com/vulnerability-list/vendor_id-16953/product_id-40173/Anydesk-Anydesk.html,"C:\Program Files (x86)\AnyDesk\*, C:\Program Files\AnyDesk\*","{""Disk"": [{""File"": ""%programdata%\\AnyDesk\\ad_svc.trace"", ""Description"": ""AnyDesk service log file. As well as ad.trace, we can determine the IP address of the other participant and its AnyDesk ID when a connection is established."", ""OS"": ""Windows"", ""Example"": [""info 2022-08-23 10:20:11.969 gsvc 4628 3528 3 anynet.relay_conn - External address: 34.xx.xx.123:46798""]}, {""File"": ""%programdata%\\AnyDesk\\connection_trace.txt"", ""Description"": ""Incoming connection logs, contains IP Address of the remote machine and file transfer activity. Only generated on target side. The content indicates how the connection was approved (e.g. the local user authorized it, or a password was used)"", ""OS"": ""Windows"", ""Example"": [""Incoming 2022-08-23, 10:23 Passwd 547911884 547911884"", ""Incoming 2022-09-28, 12:39 User 442226597 442226597""]}, {""File"": ""%APPDATA%\\AnyDesk\\connection_trace.txt"", ""Description"": ""Incoming connection logs, contains IP Address of the remote machine and file transfer activity. Only generated on target side. The content indicates how the connection was approved (e.g. the local user authorized it, or a password was used)"", ""OS"": ""Windows"", ""Example"": [""Incoming 2022-08-23, 10:23 Passwd 547911884 547911884"", ""Incoming 2022-09-28, 12:39 User 442226597 442226597""]}, {""File"": ""%APPDATA%\\AnyDesk\\ad.trace"", ""Description"": ""AnyDesk user interface log file. In this log file, we can determine the IP address of the other participant and its AnyDesk ID. 
It is also possible to track events of file transfer. Below is the Client ID and external IP address of the remote participant."", ""OS"": ""Windows"", ""Example"": [""info 2022-09-28 12:39:26.845 lsvc 9952 9944 21 anynet.any_socket - Client-ID: 442226597 (FPR: 8e28a2a25b30)."", ""info 2022-09-28 12:39:26.845 lsvc 9952 9944 21 anynet.any_socket - Logged in from 12.xx.xx.21:59562 on relay 80e496c0.""]}, {""File"": ""%APPDATA%\\AnyDesk\\chat\\*.txt"", ""Description"": ""If the chat functionality is used, its entries will be printed in a text file in this folder."", ""OS"": ""Windows""}, {""File"": ""%APPDATA%\\AnyDesk\\user.conf"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%PROGRAMDATA%\\AnyDesk\\service.conf"", ""Description"": ""Password can be set to auto-validate the session. The password will be saved in a salted hash format."", ""OS"": ""Windows""}, {""File"": ""%APPDATA%\\AnyDesk\\service.conf"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%APPDATA%\\AnyDesk\\system.conf"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%PROGRAMDATA%\\AnyDesk\\system.conf"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\AnyDesk.lnk"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\AnyDesk\\Uninstall AnyDesk.lnk"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Users\\*\\Videos\\AnyDesk\\*.anydesk"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\SysWOW64\\config\\systemprofile\\AppData\\Roaming\\AnyDesk\\*"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""~/Library/Application Support/AnyDesk/Logs/"", ""Description"": ""N/A"", ""OS"": ""Mac""}, {""File"": ""~/.config/AnyDesk/Logs/"", ""Description"": ""N/A"", ""OS"": ""Linux""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", 
""LogFile"": ""System.evtx"", ""ServiceName"": ""AnyDesk Service"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\AnyDesk\\\\AnyDesk.exe\"" --service"", ""Description"": ""Service installation event as result of AnyDesk installation.""}], ""Registry"": [{""Path"": ""HKLM\\SOFTWARE\\Clients\\Media\\AnyDesk"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Services\\AnyDesk"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\Classes\\.anydesk\\shell\\open\\command"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\Classes\\AnyDesk\\shell\\open\\command"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\AnyDesk Printer\\*"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\DRIVERS\\DriverDatabase\\DeviceIds\\USBPRINT\\AnyDesk"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\DRIVERS\\DriverDatabase\\DeviceIds\\WSDPRINT\\AnyDesk"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\AnyDesk"", ""Description"": ""N/A""}], ""Network"": [{""Description"": ""During setup the boot.net.anydesk.com domain is request over port 443"", ""Domains"": [""boot.net.anydesk.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""relay-[a-f0-9]{8}.net.anydesk.com:443""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.anydesk.com""], ""Ports"": [443]}], ""Other"": [{""Type"": ""User-Agent"", ""Value"": ""AnyDesk/*""}, {""Type"": ""NamedPipe"", ""Value"": ""adprinterpipe""}]}","[{""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/builtin/system/service_control_manager/win_system_service_install_anydesk.yml"", ""Description"": ""Anydesk Remote Access Software Service Installation""}, {""Sigma"": 
""https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml"", ""Description"": ""N/A""}, {""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk.yml"", ""Description"": ""N/A""}, {""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml"", ""Description"": ""Remote Access Tool - AnyDesk Silent Installation""}]","https://support.anydesk.com/knowledge/firewall, https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html, https://github.com/mthcht/awesome-lists/tree/79ced75eebe53bcabf1235b3c17eb11788875482/Lists/RMM/anydesk, https://ruler-project.github.io/ruler-project/RULER/remote/AnyDesk/","[{""Person"": ""Th\u00e9o Letailleur"", ""Handle"": ""in/theosyn""}, {""Person"": ""Ali Alwashali"", ""Handle"": ""@ali_alwashali""}, {""Person"": ""Nasreddine Bencherchali"", ""Handle"": ""@nas_bench""}]" +","Ali Alwashali, Nasreddine Bencherchali",2023-09-29,2024-08-02,https://anydesk.com/en,anydesk.exe,AnyDesk.exe,AnyDesk,AnyDesk,User,True,False,"Android, ChromeOS, IOS, Linux, Mac, Windows","File Transfer, File System Access, Remote Control, GUI Support, Command line Support",https://www.cvedetails.com/vulnerability-list/vendor_id-16953/product_id-40173/Anydesk-Anydesk.html,"C:\Program Files (x86)\AnyDesk\*, C:\Program Files\AnyDesk\*","{""Disk"": [{""File"": ""%programdata%\\AnyDesk\\ad_svc.trace"", ""Description"": ""AnyDesk service log file. 
As well as ad.trace, we can determine the IP address of the other participant and its AnyDesk ID when a connection is established."", ""OS"": ""Windows"", ""Example"": [""info 2022-08-23 10:20:11.969 gsvc 4628 3528 3 anynet.relay_conn - External address: 34.xx.xx.123:46798""]}, {""File"": ""%programdata%\\AnyDesk\\connection_trace.txt"", ""Description"": ""Incoming connection logs, contains IP Address of the remote machine and file transfer activity. Only generated on target side. The content indicates how the connection was approved (e.g. the local user authorized it, or a password was used)"", ""OS"": ""Windows"", ""Example"": [""Incoming 2022-08-23, 10:23 Passwd 547911884 547911884"", ""Incoming 2022-09-28, 12:39 User 442226597 442226597""]}, {""File"": ""%APPDATA%\\AnyDesk\\connection_trace.txt"", ""Description"": ""Incoming connection logs, contains IP Address of the remote machine and file transfer activity. Only generated on target side. The content indicates how the connection was approved (e.g. the local user authorized it, or a password was used)"", ""OS"": ""Windows"", ""Example"": [""Incoming 2022-08-23, 10:23 Passwd 547911884 547911884"", ""Incoming 2022-09-28, 12:39 User 442226597 442226597""]}, {""File"": ""%APPDATA%\\AnyDesk\\ad.trace"", ""Description"": ""AnyDesk user interface log file. In this log file, we can determine the IP address of the other participant and its AnyDesk ID. It is also possible to track events of file transfer. 
Below is the Client ID and external IP address of the remote participant."", ""OS"": ""Windows"", ""Example"": [""info 2022-09-28 12:39:26.845 lsvc 9952 9944 21 anynet.any_socket - Client-ID: 442226597 (FPR: 8e28a2a25b30)."", ""info 2022-09-28 12:39:26.845 lsvc 9952 9944 21 anynet.any_socket - Logged in from 12.xx.xx.21:59562 on relay 80e496c0.""]}, {""File"": ""%APPDATA%\\AnyDesk\\chat\\*.txt"", ""Description"": ""If the chat functionality is used, its entries will be printed in a text file in this folder."", ""OS"": ""Windows""}, {""File"": ""%APPDATA%\\AnyDesk\\user.conf"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%PROGRAMDATA%\\AnyDesk\\service.conf"", ""Description"": ""Password can be set to auto-validate the session. The password will be saved in a salted hash format."", ""OS"": ""Windows""}, {""File"": ""%APPDATA%\\AnyDesk\\service.conf"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%APPDATA%\\AnyDesk\\system.conf"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%PROGRAMDATA%\\AnyDesk\\system.conf"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\AnyDesk.lnk"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\AnyDesk\\Uninstall AnyDesk.lnk"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Users\\*\\Videos\\AnyDesk\\*.anydesk"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\SysWOW64\\config\\systemprofile\\AppData\\Roaming\\AnyDesk\\*"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""~/Library/Application Support/AnyDesk/Logs/"", ""Description"": ""N/A"", ""OS"": ""Mac""}, {""File"": ""~/.config/AnyDesk/Logs/"", ""Description"": ""N/A"", ""OS"": ""Linux""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""AnyDesk 
Service"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\AnyDesk\\\\AnyDesk.exe\"" --service"", ""Description"": ""Service installation event as result of AnyDesk installation.""}], ""Registry"": [{""Path"": ""HKLM\\SOFTWARE\\Clients\\Media\\AnyDesk"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Services\\AnyDesk"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\Classes\\.anydesk\\shell\\open\\command"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\Classes\\AnyDesk\\shell\\open\\command"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\AnyDesk Printer\\*"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\DRIVERS\\DriverDatabase\\DeviceIds\\USBPRINT\\AnyDesk"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\DRIVERS\\DriverDatabase\\DeviceIds\\WSDPRINT\\AnyDesk"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\AnyDesk"", ""Description"": ""N/A""}], ""Network"": [{""Description"": ""During setup the boot.net.anydesk.com domain is request over port 443"", ""Domains"": [""boot.net.anydesk.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""relay-[a-f0-9]{8}.net.anydesk.com:443""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.anydesk.com""], ""Ports"": [443]}], ""Other"": [{""Type"": ""User-Agent"", ""Value"": ""AnyDesk/*""}, {""Type"": ""NamedPipe"", ""Value"": ""adprinterpipe""}]}","[{""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/builtin/system/service_control_manager/win_system_service_install_anydesk.yml"", ""Description"": ""Anydesk Remote Access Software Service Installation""}, {""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml"", ""Description"": ""N/A""}, {""Sigma"": 
""https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk.yml"", ""Description"": ""N/A""}, {""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml"", ""Description"": ""Remote Access Tool - AnyDesk Silent Installation""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of AnyDesk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_network_sigma.yml"", ""Description"": ""Detects potential network activity of AnyDesk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_files_sigma.yml"", ""Description"": ""Detects potential files activity of AnyDesk RMM tool""}]","https://support.anydesk.com/knowledge/firewall, https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html, https://github.com/mthcht/awesome-lists/tree/79ced75eebe53bcabf1235b3c17eb11788875482/Lists/RMM/anydesk, https://ruler-project.github.io/ruler-project/RULER/remote/AnyDesk/","[{""Person"": ""Th\u00e9o Letailleur"", ""Handle"": ""in/theosyn""}, {""Person"": ""Ali Alwashali"", ""Handle"": ""@ali_alwashali""}, {""Person"": ""Nasreddine Bencherchali"", ""Handle"": ""@nas_bench""}]" AnyViewer,,"AnyViewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. 
-",@kostastsale,2024-08-03,2024-08-03,https://www.anyviewer.com/,AnyViewer.exe,AnyViewer,Splash Window,,System,up to 10 devices,None,Windows,"Remote desktop, Remote file transfer, Remote monitoring and management, Remote shell open",,C:\Program Files (x86)\AnyViewer\*,"{""Disk"": [], ""EventLog"": [{""EventID"": 4688, ""ProviderName"": ""Microsoft-Security-Auditing"", ""LogFile"": ""Security.evtx"", ""CommandLine"": ""\""C:\\\\Program Files (x86)\\\\AnyViewer\\\\AVCore.exe\"" -d"", ""Description"": ""Taking actions on the remote machine such as opening a command prompt.""}, {""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""RCService"", ""ImagePath"": ""C:\\\\Program Files (x86)\\\\AnyViewer\\\\RCService.exe"", ""Description"": ""AnyViewer service installation service.""}], ""Registry"": [], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""*.anyviewer.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.aomeisoftware.com""], ""Ports"": [443]}]}","[{""Name"": ""Arbitrary code execution and remote sessions via Action1 RMM"", ""Description"": ""Threat hunting rule for detecting the execution of arbitrary code and remote sessions via Action1 RMM"", ""author"": ""@kostastsale"", ""Link"": ""https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/Anyviewer.yml""}]","https://www.anyviewer.com/how-to/how-to-open-firewall-ports-for-remote-desktop-0427-gc.html, https://www.anyviewer.com/help/remote-technical-support.html","[{""Person"": ""Kostas"", ""Handle"": ""@kostastsale""}]" -DW Service,,DW Service is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"dwagent.exe, dwagsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.dwservice.net""], ""Ports"": []}]}",[],https://news.dwservice.net/dwservice-security-infrastructure/,[] -Level,,Level is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""level.io""], ""Ports"": []}]}",[],,[] -Site24x7,,Site24x7 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/13/2024,,,,,,,,,,,,"MEAgentHelper.exe, MonitoringAgent.exe, Site24x7WindowsAgentTrayIcon.exe, Site24x7PluginAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""plus*.site24x7.com"", ""plus*.site24x7.eu"", ""plus*.site24x7.in"", ""plus*.site24x7.cn"", ""plus*.site24x7.net.au"", ""site24x7.com/msp""], ""Ports"": []}]}",[],https://support.site24x7.com/portal/en/kb/articles/which-ports-do-i-need-to-allow-access-in-my-firewall-to-use-site24x7-agent,[] +",@kostastsale,2024-08-03,2024-08-03,https://www.anyviewer.com/,AnyViewer.exe,AnyViewer,Splash Window,,System,up to 10 devices,None,Windows,"Remote desktop, Remote file transfer, Remote monitoring and management, Remote shell open",,C:\Program Files (x86)\AnyViewer\*,"{""Disk"": [], ""EventLog"": [{""EventID"": 4688, ""ProviderName"": ""Microsoft-Security-Auditing"", ""LogFile"": ""Security.evtx"", ""CommandLine"": ""\""C:\\\\Program Files (x86)\\\\AnyViewer\\\\AVCore.exe\"" -d"", ""Description"": ""Taking actions on the remote machine such as opening a command prompt.""}, {""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": 
""RCService"", ""ImagePath"": ""C:\\\\Program Files (x86)\\\\AnyViewer\\\\RCService.exe"", ""Description"": ""AnyViewer service installation service.""}], ""Registry"": [], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""*.anyviewer.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.aomeisoftware.com""], ""Ports"": [443]}]}","[{""Name"": ""Arbitrary code execution and remote sessions via Action1 RMM"", ""Description"": ""Threat hunting rule for detecting the execution of arbitrary code and remote sessions via Action1 RMM"", ""author"": ""@kostastsale"", ""Link"": ""https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/Anyviewer.yml""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyviewer_network_sigma.yml"", ""Description"": ""Detects potential network activity of AnyViewer RMM tool""}]","https://www.anyviewer.com/how-to/how-to-open-firewall-ports-for-remote-desktop-0427-gc.html, https://www.anyviewer.com/help/remote-technical-support.html","[{""Person"": ""Kostas"", ""Handle"": ""@kostastsale""}]" +DW Service,,DW Service is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"dwagent.exe, dwagsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.dwservice.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_network_sigma.yml"", ""Description"": ""Detects potential network activity of DW Service RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DW Service RMM tool""}]",https://news.dwservice.net/dwservice-security-infrastructure/,[] +Level,,Level is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""level.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level_network_sigma.yml"", ""Description"": ""Detects potential network activity of Level RMM tool""}]",,[] +Site24x7,,Site24x7 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/13/2024,,,,,,,,,,,,"MEAgentHelper.exe, MonitoringAgent.exe, Site24x7WindowsAgentTrayIcon.exe, Site24x7PluginAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""plus*.site24x7.com"", ""plus*.site24x7.eu"", ""plus*.site24x7.in"", ""plus*.site24x7.cn"", ""plus*.site24x7.net.au"", ""site24x7.com/msp""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/site24x7_network_sigma.yml"", ""Description"": ""Detects potential network activity of Site24x7 RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/site24x7_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Site24x7 RMM tool""}]",https://support.site24x7.com/portal/en/kb/articles/which-ports-do-i-need-to-allow-access-in-my-firewall-to-use-site24x7-agent,[] Cloudsfer,,Cloudsfer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -ScreenConnect,,ScreenConnect is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,"Ali Alwashali, Nasreddine Bencherchali",2023-10-01,2024-08-03,https://www.connectwise.com,,,,,,14-Days Free Trial,,"Android, IOS, Linux, Mac, Windows","Command Line Support, File Transfer, Install Windows updates, Receive notification when user performs a predefined event, Remote Command Line, Remote Control, Sound Capture, Start / Stop services, View event logs",,"C:\Program Files (x86)\ScreenConnect Client (Random)\ScreenConnect.ClientService.exe, Remote Workforce Client.exe, *\*\ScreenConnect.ClientService.exe, C:\Program Files (x86)\ScreenConnect Client ()\*, *\ScreenConnect Client*\*, *\*\ScreenConnect.WindowsClient.exe, screenconnect*.exe, screenconnect.windowsclient.exe, Remote Workforce Client.exe, screenconnect*.exe, ConnectWiseControl*.exe, connectwise*.exe, screenconnect.windowsclient.exe, screenconnect.clientservice.exe","{""Disk"": [{""File"": ""C:\\Program Files*\\ScreenConnect\\App_Data\\Session.db"", ""Description"": ""ScreenConnect session database"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files*\\ScreenConnect\\App_Data\\User.xml"", ""Description"": ""ScreenConnect user configuration"", ""OS"": ""Windows""}, {""File"": ""C:\\ProgramData\\ScreenConnect Client*\\user.config"", ""Description"": ""ScreenConnect client user configuration"", ""OS"": ""Windows""}], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""control.connectwise.com"", ""*.connectwise.com"", ""*.screenconnect.com""], ""Ports"": []}]}",[],https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours/,[] +ScreenConnect,,ScreenConnect is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,"Ali Alwashali, Nasreddine Bencherchali",2023-10-01,2024-08-03,https://www.connectwise.com,,,,,,14-Days Free Trial,,"Android, IOS, Linux, Mac, Windows","Command Line Support, File Transfer, Install Windows updates, Receive notification when user performs a predefined event, Remote Command Line, Remote Control, Sound Capture, Start / Stop services, View event logs",,"C:\Program Files (x86)\ScreenConnect Client (Random)\ScreenConnect.ClientService.exe, Remote Workforce Client.exe, *\*\ScreenConnect.ClientService.exe, C:\Program Files (x86)\ScreenConnect Client ()\*, *\ScreenConnect Client*\*, *\*\ScreenConnect.WindowsClient.exe, screenconnect*.exe, screenconnect.windowsclient.exe, Remote Workforce Client.exe, screenconnect*.exe, ConnectWiseControl*.exe, connectwise*.exe, screenconnect.windowsclient.exe, screenconnect.clientservice.exe","{""Disk"": [{""File"": ""C:\\Program Files*\\ScreenConnect\\App_Data\\Session.db"", ""Description"": ""ScreenConnect session database"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files*\\ScreenConnect\\App_Data\\User.xml"", ""Description"": ""ScreenConnect user configuration"", ""OS"": ""Windows""}, {""File"": ""C:\\ProgramData\\ScreenConnect Client*\\user.config"", ""Description"": ""ScreenConnect client user configuration"", ""OS"": ""Windows""}], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""control.connectwise.com"", ""*.connectwise.com"", ""*.screenconnect.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_network_sigma.yml"", ""Description"": ""Detects potential network activity of ScreenConnect RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_files_sigma.yml"", ""Description"": ""Detects potential files activity of ScreenConnect RMM tool""}, {""Sigma"": 
""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ScreenConnect RMM tool""}]",https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours/,[] SmartFTP,,SmartFTP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\SmartFTP Client\en-US\, *\SmartFTP Client\*, *\SfShellTools.dll.mui","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -SpyAnywhere,,SpyAnywhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,sysdiag.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.spytech-web.com"", ""spyanywhere.com""], ""Ports"": []}]}",[],https://www.spyanywhere.com/support.shtml,[] -NinjaRMM,,NinjaRMM is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"ninjarmmagent.exe, NinjaRMMAgent.exe, NinjaRMMAgenPatcher.exe, ninjarmm-cli.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.ninjarmm.com"", ""*.ninjaone.com"", ""resources.ninjarmm.com"", ""ninjaone.com""], ""Ports"": []}]}",[],https://www.ninjaone.com/faq/,[] -CloudXplorer,,CloudXplorer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\ClumsyLeaf Software\CloudXplorer\*, *\ClumsyLeaf Software\CloudXplorer\*, *\clumsyleaf.cloudxplorer*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +SpyAnywhere,,SpyAnywhere is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,sysdiag.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.spytech-web.com"", ""spyanywhere.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/spyanywhere_network_sigma.yml"", ""Description"": ""Detects potential network activity of SpyAnywhere RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/spyanywhere_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SpyAnywhere RMM tool""}]",https://www.spyanywhere.com/support.shtml,[] +NinjaRMM,,NinjaRMM is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"ninjarmmagent.exe, NinjaRMMAgent.exe, NinjaRMMAgenPatcher.exe, ninjarmm-cli.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.ninjarmm.com"", ""*.ninjaone.com"", ""resources.ninjarmm.com"", ""ninjaone.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ninjarmm_network_sigma.yml"", ""Description"": ""Detects potential network activity of NinjaRMM RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ninjarmm_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NinjaRMM RMM tool""}]",https://www.ninjaone.com/faq/,[] +CloudXplorer,,CloudXplorer is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\ClumsyLeaf Software\CloudXplorer\*, *\ClumsyLeaf Software\CloudXplorer\*, *\clumsyleaf.cloudxplorer*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudxplorer_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of CloudXplorer RMM tool""}]",,[] CruzControl,,CruzControl is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],https://resources.doradosoftware.com/cruz-rmm,[] -SimpleHelp,,SimpleHelp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"simplehelpcustomer.exe, simpleservice.exe, simplegatewayservice.exe, remote access.exe, windowslauncher.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""simple-help.com""], ""Ports"": []}]}",[],https://simple-help.com/remote-support,[] -EMCO Remote Console,,EMCO Remote Console is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,remoteconsole.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""emcosoftware.com""], ""Ports"": []}]}",[],,[] -ngrok,,ngrok is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"ngrok.exe, C:\*\ngrok.zip, *\ngrok*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""ngrok.com""], ""Ports"": []}]}",[],https://ngrok.com/docs/guides/running-behind-firewalls/,[] -Apple Remote Desktop,,Apple Remote Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/24/2024,,,,,,,,,,,,ARDAgent.app,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}",[],https://support.apple.com/guide/remote-desktop/install-and-set-up-remote-desktop-apdf49e03a4/mac,[] -Netviewer (GoToMeet),,Netviewer (GoToMeet) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"nvClient.exe, netviewer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],Obsolute - found copy here: https://www.enviolet.com/en/service/online-consultant.html,[] -NoMachine,,NoMachine is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"nomachine*.exe, nxservice*.ese, nxd.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""nomachine.com""], ""Ports"": []}]}",[],https://kb.nomachine.com/AR04S01122,[] -MioNet (WD Anywhere Access),,MioNet (WD Anywhere Access) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"mionet.exe, mionetmanager.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],https://en.wikipedia.org/wiki/WD_Anywhere_Access - DOA as of 2016,[] -Splashtop,,Splashtop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,Nasreddine Bencherchali,,,,,,,,,,,,,,"C:\Program Files (x86)\Splashtop\*, *\Splashtop\Splashtop Remote\Client for RMM\*, strwinclt.exe","{""Disk"": [{""File"": ""C:\\windows\\System32\\winevt\\Logs\\Splashtop-Splashtop Streamer-Status%4Operational.evtx"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\windows\\System32\\winevt\\Logs\\Splashtop-Splashtop Streamer-Remote Session%4Operational.evtx"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%PROGRAMDATA%\\Splashtop\\Temp\\log\\FTCLog.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\agent_log.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\SPLog.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\svcinfo.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\sysinfo.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRService.exe"", ""Description"": ""Splashtop Remote Service"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRAgent.exe"", ""Description"": ""SplashTop Remote Agent"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Software Updater\\SSUAgent.exe"", ""Description"": ""Splashtop Updater"", ""OS"": 
""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRUtility.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRFeature.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\db\\SRAgent.sqlite3"", ""Description"": ""N/A"", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""Splashtop Software Updater Service"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Software Updater\\\\SSUService.exe\"""", ""Description"": ""Service installation event as result of Splashtop Software Updater Service installation.""}, {""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""Splashtop\u00ae Remote Service"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Remote\\\\Server\\\\SRService.exe\"""", ""Description"": ""Service installation event as result of Splashtop Remote Service installation.""}, {""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""SplashtopRemoteService"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Remote\\\\Server\\\\SRService.exe\"""", ""Description"": ""Service installation event as result of Splashtop Remote Service installation.""}], ""Registry"": [{""Path"": ""KLM\\SOFTWARE\\WOW6432Node\\Splashtop Inc.\\*"", ""Description"": ""Splashtop Inc. 
registry key""}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Splashtop Software Updater"", ""Description"": ""Splashtop Software Updater uninstall key""}, {""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Services\\SplashtopRemoteService"", ""Description"": ""Splashtop Remote Service registry key""}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Splashtop-Splashtop Streamer-Remote Session/Operational"", ""Description"": ""Splashtop Streamer Remote Session event log channel""}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Splashtop-Splashtop Streamer-Status/Operational"", ""Description"": ""Splashtop Streamer Status event log channel""}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Splashtop Software Updater\\InstallRefCount"", ""Description"": ""Splashtop Software Updater install reference count""}, {""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\SplashtopRemoteService"", ""Description"": ""Splashtop Remote Service safe boot configuration""}, {""Path"": ""HKU\\.DEFAULT\\Software\\Splashtop Inc.\\*"", ""Description"": ""Default user Splashtop Inc. registry key""}, {""Path"": ""HKU\\SID\\Software\\Splashtop Inc.\\*"", ""Description"": ""User-specific Splashtop Inc. 
registry key""}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\Splashtop PDF Remote Printer"", ""Description"": ""Splashtop PDF Remote Printer configuration""}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Splashtop Inc.\\Splashtop Remote Server\\ClientInfo\\*"", ""Description"": ""Splashtop Remote Server client information""}], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""*.splashtop.com""], ""Ports"": [""N/A""]}]}",[],https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html,"[{""Person"": ""Th\u00e9o Letailleur"", ""Handle"": ""in/theosyn""}]" +SimpleHelp,,SimpleHelp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"simplehelpcustomer.exe, simpleservice.exe, simplegatewayservice.exe, remote access.exe, windowslauncher.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""simple-help.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/simplehelp_network_sigma.yml"", ""Description"": ""Detects potential network activity of SimpleHelp RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/simplehelp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SimpleHelp RMM tool""}]",https://simple-help.com/remote-support,[] +EMCO Remote Console,,EMCO Remote Console is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,remoteconsole.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""emcosoftware.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/emco_remote_console_network_sigma.yml"", ""Description"": ""Detects potential network activity of EMCO Remote Console RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/emco_remote_console_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of EMCO Remote Console RMM tool""}]",,[] +ngrok,,ngrok is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"ngrok.exe, C:\*\ngrok.zip, *\ngrok*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""ngrok.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ngrok_network_sigma.yml"", ""Description"": ""Detects potential network activity of ngrok RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ngrok_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ngrok RMM tool""}]",https://ngrok.com/docs/guides/running-behind-firewalls/,[] +Apple Remote Desktop,,Apple Remote Desktop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/24/2024,,,,,,,,,,,,ARDAgent.app,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/apple_remote_desktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of Apple Remote Desktop RMM tool""}]",https://support.apple.com/guide/remote-desktop/install-and-set-up-remote-desktop-apdf49e03a4/mac,[] +Netviewer (GoToMeet),,Netviewer (GoToMeet) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"nvClient.exe, netviewer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer__gotomeet__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Netviewer (GoToMeet) RMM tool""}]",Obsolute - found copy here: https://www.enviolet.com/en/service/online-consultant.html,[] +NoMachine,,NoMachine is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"nomachine*.exe, nxservice*.ese, nxd.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""nomachine.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nomachine_network_sigma.yml"", ""Description"": ""Detects potential network activity of NoMachine RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nomachine_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NoMachine RMM tool""}]",https://kb.nomachine.com/AR04S01122,[] +MioNet (WD Anywhere Access),,MioNet (WD Anywhere Access) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"mionet.exe, mionetmanager.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mionet__wd_anywhere_access__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MioNet (WD Anywhere Access) RMM tool""}]",https://en.wikipedia.org/wiki/WD_Anywhere_Access - DOA as of 2016,[] +Splashtop,,Splashtop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,Nasreddine Bencherchali,,,,,,,,,,,,,,"C:\Program Files (x86)\Splashtop\*, *\Splashtop\Splashtop Remote\Client for RMM\*, strwinclt.exe","{""Disk"": [{""File"": ""C:\\windows\\System32\\winevt\\Logs\\Splashtop-Splashtop Streamer-Status%4Operational.evtx"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\windows\\System32\\winevt\\Logs\\Splashtop-Splashtop Streamer-Remote Session%4Operational.evtx"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%PROGRAMDATA%\\Splashtop\\Temp\\log\\FTCLog.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\agent_log.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\SPLog.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\svcinfo.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\sysinfo.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRService.exe"", ""Description"": ""Splashtop Remote Service"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRAgent.exe"", ""Description"": ""SplashTop Remote Agent"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Software Updater\\SSUAgent.exe"", ""Description"": ""Splashtop Updater"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRUtility.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRFeature.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files 
(x86)\\Splashtop\\Splashtop Remote\\Server\\db\\SRAgent.sqlite3"", ""Description"": ""N/A"", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""Splashtop Software Updater Service"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Software Updater\\\\SSUService.exe\"""", ""Description"": ""Service installation event as result of Splashtop Software Updater Service installation.""}, {""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""Splashtop\u00ae Remote Service"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Remote\\\\Server\\\\SRService.exe\"""", ""Description"": ""Service installation event as result of Splashtop Remote Service installation.""}, {""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""SplashtopRemoteService"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Remote\\\\Server\\\\SRService.exe\"""", ""Description"": ""Service installation event as result of Splashtop Remote Service installation.""}], ""Registry"": [{""Path"": ""KLM\\SOFTWARE\\WOW6432Node\\Splashtop Inc.\\*"", ""Description"": ""Splashtop Inc. 
registry key""}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Splashtop Software Updater"", ""Description"": ""Splashtop Software Updater uninstall key""}, {""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Services\\SplashtopRemoteService"", ""Description"": ""Splashtop Remote Service registry key""}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Splashtop-Splashtop Streamer-Remote Session/Operational"", ""Description"": ""Splashtop Streamer Remote Session event log channel""}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Splashtop-Splashtop Streamer-Status/Operational"", ""Description"": ""Splashtop Streamer Status event log channel""}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Splashtop Software Updater\\InstallRefCount"", ""Description"": ""Splashtop Software Updater install reference count""}, {""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\SplashtopRemoteService"", ""Description"": ""Splashtop Remote Service safe boot configuration""}, {""Path"": ""HKU\\.DEFAULT\\Software\\Splashtop Inc.\\*"", ""Description"": ""Default user Splashtop Inc. registry key""}, {""Path"": ""HKU\\SID\\Software\\Splashtop Inc.\\*"", ""Description"": ""User-specific Splashtop Inc. 
registry key""}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\Splashtop PDF Remote Printer"", ""Description"": ""Splashtop PDF Remote Printer configuration""}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Splashtop Inc.\\Splashtop Remote Server\\ClientInfo\\*"", ""Description"": ""Splashtop Remote Server client information""}], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""*.splashtop.com""], ""Ports"": [""N/A""]}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of Splashtop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_network_sigma.yml"", ""Description"": ""Detects potential network activity of Splashtop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_files_sigma.yml"", ""Description"": ""Detects potential files activity of Splashtop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Splashtop RMM tool""}]",https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html,"[{""Person"": ""Th\u00e9o Letailleur"", ""Handle"": ""in/theosyn""}]" RAdmin,,"RAdmin is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. 
-",Nasreddine Bencherchali,2024-08-05,2024-08-05,https://www.radmin.com/,RServer3.exe,RServer3.exe,Radmin Server,Radmin Server,,,,Windows,,,"C:\Program Files (x86)\Radmin Viewer 3\Radmin.exe, C:\Windows\SysWOW64\rserver30\rserver3.exe, C:\Windows\SysWOW64\rserver30\FamItrfc, C:\Windows\SysWOW64\rserver30\FamItrf2","{""Disk"": [{""File"": ""C:\\Windows\\SysWOW64\\rserver30\\Radm_log.htm"", ""Description"": ""RAdmin log file (32-bit)"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\System32\\rserver30\\Radm_log.htm"", ""Description"": ""RAdmin log file (64-bit)"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\System32\\rserver30\\CHATLOGS\\*\\*.htm"", ""Description"": ""RAdmin chat logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Users\\*\\Documents\\ChatLogs\\*\\*.htm"", ""Description"": ""RAdmin user chat logs"", ""OS"": ""Windows""}], ""EventLog"": [], ""Registry"": [{""Path"": ""HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Radmin\\v3.0\\Server\\Parameters\\Radmin Security"", ""Description"": ""N/A""}], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""radmin.com""], ""Ports"": [443]}]}","[{""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_pua_radmin.yml"", ""Description"": ""PUA - Radmin Viewer Utility Execution""}, {""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml"", ""Description"": ""Enumeration for 3rd Party Creds From CLI""}]","https://radmin-club.com/radmin/how-to-establish-a-connection-outside-of-lan/, https://helpdesk.radmin.com/radmin3help/, https://helpdesk.radmin.com/radmin3help/files/viewercmd.htm, https://helpdesk.radmin.com/radmin3help/files/cmd.htm","[{""Person"": ""Nasreddine Bencherchali"", ""Handle"": ""@nas_bench""}]" -LANDesk,,LANDesk is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"issuser.exe, landeskagentbootstrap.exe, LANDeskPortalManager.exe, ldinv32.exe, ldsensors.exe, C:\Program Files (x86)\LANDesk\*, *\LANDesk\*, *\issuser.exe, *\softmon.exe, *\tmcsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.ivanticloud.com"", ""*.ivanti.com"", ""ivanti.com""], ""Ports"": []}]}",[],https://forums.ivanti.com/s/article/URL-exception-list-for-Ivanti-Security-Controls?language=en_US,[] -SuperOps,,SuperOps is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"superopsticket.exe, superops.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.superopsbeta.com"", ""superops.ai"", ""serv.superopsalpha.com"", ""*.superops.ai"", ""*.superopsalpha.com""], ""Ports"": []}]}",[],https://support.superops.com/en/articles/6632028-how-to-download-and-deploy-the-agent,[] +",Nasreddine Bencherchali,2024-08-05,2024-08-05,https://www.radmin.com/,RServer3.exe,RServer3.exe,Radmin Server,Radmin Server,,,,Windows,,,"C:\Program Files (x86)\Radmin Viewer 3\Radmin.exe, C:\Windows\SysWOW64\rserver30\rserver3.exe, C:\Windows\SysWOW64\rserver30\FamItrfc, C:\Windows\SysWOW64\rserver30\FamItrf2","{""Disk"": [{""File"": ""C:\\Windows\\SysWOW64\\rserver30\\Radm_log.htm"", ""Description"": ""RAdmin log file (32-bit)"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\System32\\rserver30\\Radm_log.htm"", ""Description"": ""RAdmin log file (64-bit)"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\System32\\rserver30\\CHATLOGS\\*\\*.htm"", ""Description"": ""RAdmin chat logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Users\\*\\Documents\\ChatLogs\\*\\*.htm"", ""Description"": ""RAdmin user chat logs"", ""OS"": ""Windows""}], ""EventLog"": [], ""Registry"": [{""Path"": 
""HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Radmin\\v3.0\\Server\\Parameters\\Radmin Security"", ""Description"": ""N/A""}], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""radmin.com""], ""Ports"": [443]}]}","[{""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_pua_radmin.yml"", ""Description"": ""PUA - Radmin Viewer Utility Execution""}, {""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml"", ""Description"": ""Enumeration for 3rd Party Creds From CLI""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of RAdmin RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_network_sigma.yml"", ""Description"": ""Detects potential network activity of RAdmin RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_files_sigma.yml"", ""Description"": ""Detects potential files activity of RAdmin RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RAdmin RMM tool""}]","https://radmin-club.com/radmin/how-to-establish-a-connection-outside-of-lan/, https://helpdesk.radmin.com/radmin3help/, https://helpdesk.radmin.com/radmin3help/files/viewercmd.htm, https://helpdesk.radmin.com/radmin3help/files/cmd.htm","[{""Person"": ""Nasreddine Bencherchali"", ""Handle"": ""@nas_bench""}]" +LANDesk,,LANDesk is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"issuser.exe, landeskagentbootstrap.exe, LANDeskPortalManager.exe, ldinv32.exe, ldsensors.exe, C:\Program Files (x86)\LANDesk\*, *\LANDesk\*, *\issuser.exe, *\softmon.exe, *\tmcsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.ivanticloud.com"", ""*.ivanti.com"", ""ivanti.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/landesk_network_sigma.yml"", ""Description"": ""Detects potential network activity of LANDesk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/landesk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of LANDesk RMM tool""}]",https://forums.ivanti.com/s/article/URL-exception-list-for-Ivanti-Security-Controls?language=en_US,[] +SuperOps,,SuperOps is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"superopsticket.exe, superops.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.superopsbeta.com"", ""superops.ai"", ""serv.superopsalpha.com"", ""*.superops.ai"", ""*.superopsalpha.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superops_network_sigma.yml"", ""Description"": ""Detects potential network activity of SuperOps RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superops_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SuperOps RMM tool""}]",https://support.superops.com/en/articles/6632028-how-to-download-and-deploy-the-agent,[] Lite Manager,,Lite Manager is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\LiteManager Pro – Viewer\*, *\LiteManager Pro – Viewer\*, *\LMNoIpServer.exe.","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] Raidrive,,Raidrive is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\OpenBoxLab\RaiDrive\*, *\OpenBoxLab\RaiDrive\*, service = raidrive_*, Computer\HKEY_LOCAL_MACHINE\SOFTWARE\OpenBoxLab\RaiDrive\Drives","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Datto,,Datto is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""datto.com""], ""Ports"": []}]}",[],,[] -Supremo,,Supremo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/13/2024,,,,,,,,,,,,"supremo.exe, supremoservice.exe, supremosystem.exe, supremohelper.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""supremocontrol.com"", ""*.supremocontrol.com"", ""* .nanosystems.it""], ""Ports"": []}]}",[],https://www.supremocontrol.com/frequently-asked-questions/,[] +Datto,,Datto is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""datto.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/datto_network_sigma.yml"", ""Description"": ""Detects potential network activity of Datto RMM tool""}]",,[] +Supremo,,Supremo is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/13/2024,,,,,,,,,,,,"supremo.exe, supremoservice.exe, supremosystem.exe, supremohelper.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""supremocontrol.com"", ""*.supremocontrol.com"", ""* .nanosystems.it""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/supremo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Supremo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/supremo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Supremo RMM tool""}]",https://www.supremocontrol.com/frequently-asked-questions/,[] Chicken (of the VNC),,Chicken (of the VNC) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Quick Assist,,Quick Assist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,quickassist.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -KHelpDesk,,KHelpDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,KHelpDesk.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.khelpdesk.com.br""], ""Ports"": []}]}",[],https://www.khelpdesk.com.br/en-us,[] -TurboMeeting,,TurboMeeting is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"pcstarter.exe, turbomeeting.exe, turbomeetingstarter.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""acceo.com/turbomeeting/""], ""Ports"": []}]}",[],http://sourcing.rhubcom.com/v5/faqs.html#collapsetwentysix2-topdiv,[] -RPort,,RPort is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,rport.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""rport.io""], ""Ports"": []}]}",[],https://kb.rport.io/using-the-remote-access,[] +Quick Assist,,Quick Assist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,quickassist.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quick_assist_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Quick Assist RMM tool""}]",,[] +KHelpDesk,,KHelpDesk is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,KHelpDesk.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.khelpdesk.com.br""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/khelpdesk_network_sigma.yml"", ""Description"": ""Detects potential network activity of KHelpDesk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/khelpdesk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of KHelpDesk RMM tool""}]",https://www.khelpdesk.com.br/en-us,[] +TurboMeeting,,TurboMeeting is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"pcstarter.exe, turbomeeting.exe, turbomeetingstarter.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""acceo.com/turbomeeting/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/turbomeeting_network_sigma.yml"", ""Description"": ""Detects potential network activity of TurboMeeting RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/turbomeeting_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of TurboMeeting RMM tool""}]",http://sourcing.rhubcom.com/v5/faqs.html#collapsetwentysix2-topdiv,[] +RPort,,RPort is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,rport.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""rport.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rport_network_sigma.yml"", ""Description"": ""Detects potential network activity of RPort RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rport_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RPort RMM tool""}]",https://kb.rport.io/using-the-remote-access,[] CloudBerry Explorer,,CloudBerry Explorer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\CloudBerryLab\CloudBerry Drive\*, *\CloudBerryLab\CloudBerry Drive\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -ExpanDrive,,ExpanDrive is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\*\ExpanDrive.exe, *\ExpanDrive.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -MioNet (Also known as WD Anywhere Access),,MioNet (Also known as WD Anywhere Access) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"mionet.exe, mionetmanager.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -OCS inventory,,OCS inventory is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"ocsinventory.exe, ocsservice.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""ocsinventory-ng.org""], ""Ports"": []}]}",[],https://ocsinventory-ng.org/?page_id=878&lang=en,[] -RemotePass,,RemotePass is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"remotepass-access.exe, rpaccess.exe, rpwhostscr.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""remotepass.com""], ""Ports"": []}]}",[],https://www.remotepass.com/rpaccess.html - DOA as of 2024,[] -Air Explorer,,Air Explorer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\airexplorer\*, *\airexplorer\*, *\airexplorer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +ExpanDrive,,ExpanDrive is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\*\ExpanDrive.exe, *\ExpanDrive.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/expandrive_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ExpanDrive RMM tool""}]",,[] +MioNet (Also known as WD Anywhere Access),,MioNet (Also known as WD Anywhere Access) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"mionet.exe, mionetmanager.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mionet__also_known_as_wd_anywhere_access__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MioNet (Also known as WD Anywhere Access) RMM tool""}]",,[] +OCS inventory,,OCS inventory is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"ocsinventory.exe, ocsservice.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""ocsinventory-ng.org""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ocs_inventory_network_sigma.yml"", ""Description"": ""Detects potential network activity of OCS inventory RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ocs_inventory_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of OCS inventory RMM tool""}]",https://ocsinventory-ng.org/?page_id=878&lang=en,[] +RemotePass,,RemotePass is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"remotepass-access.exe, rpaccess.exe, rpwhostscr.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""remotepass.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepass_network_sigma.yml"", ""Description"": ""Detects potential network activity of RemotePass RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepass_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RemotePass RMM tool""}]",https://www.remotepass.com/rpaccess.html - DOA as of 2024,[] +Air Explorer,,Air Explorer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\airexplorer\*, *\airexplorer\*, *\airexplorer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/air_explorer_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Air Explorer RMM tool""}]",,[] GoToAssist (GoTo Resolve),,GoToAssist (GoTo Resolve) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\ProgramFiles*\GoTo Machine Installer\*, *\GoTo Machine Installer\*, *\GoTo\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Comodo RMM,,Comodo RMM is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"itsmagent.exe, rviewer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.itsm-us1.comodo.com"", ""*mdmsupport.comodo.com"", ""one.comodo.com""], ""Ports"": []}]}",[],"https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html",[] -ShowMyPC,,ShowMyPC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"SMPCSetup.exe, showmypc*.exe, showmypc.exe, smpcsetup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.showmypc.com"", ""showmypc.com""], ""Ports"": []}]}",[],https://showmypc.com/service/faq/ShowMyPCSecurityOverview1.pdf,[] -ToDesk,,ToDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"todesk.exe, ToDesk_Service.exe, ToDesk_Setup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""todesk.com"", ""*.todesk.com"", ""*.todesk.com"", ""todesktop.com""], ""Ports"": []}]}",[],https://www.todesk.com/,[] -RunSmart,,RunSmart is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""runsmart.io""], ""Ports"": []}]}",[],,[] +Comodo RMM,,Comodo RMM is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"itsmagent.exe, rviewer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.itsm-us1.comodo.com"", ""*mdmsupport.comodo.com"", ""one.comodo.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/comodo_rmm_network_sigma.yml"", ""Description"": ""Detects potential network activity of Comodo RMM RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/comodo_rmm_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Comodo RMM RMM tool""}]","https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html",[] +ShowMyPC,,ShowMyPC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"SMPCSetup.exe, showmypc*.exe, showmypc.exe, smpcsetup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.showmypc.com"", ""showmypc.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/showmypc_network_sigma.yml"", ""Description"": ""Detects potential network activity of ShowMyPC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/showmypc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ShowMyPC RMM tool""}]",https://showmypc.com/service/faq/ShowMyPCSecurityOverview1.pdf,[] +ToDesk,,ToDesk is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"todesk.exe, ToDesk_Service.exe, ToDesk_Setup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""todesk.com"", ""*.todesk.com"", ""*.todesk.com"", ""todesktop.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/todesk_network_sigma.yml"", ""Description"": ""Detects potential network activity of ToDesk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/todesk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ToDesk RMM tool""}]",https://www.todesk.com/,[] +RunSmart,,RunSmart is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""runsmart.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/runsmart_network_sigma.yml"", ""Description"": ""Detects potential network activity of RunSmart RMM tool""}]",,[] VNC Connect,,VNC Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\RealVNC\VNC Server\*, *\RealVNC\VNC Server\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Echoware,,Echoware is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"echoserver*.exe, echoware.dll","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Echoware,,Echoware is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"echoserver*.exe, echoware.dll","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/echoware_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Echoware RMM tool""}]",,[] Alpemix,,"Alpemix is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. -",Nasreddine Bencherchali,2024-08-05,2024-08-05,https://www.alpemix.com/en/Home,Alpemix.exe,Alpemix,Alpemix,Alpemix,,,,"Windows, Linux, Android, Mac, IOS","5 Different Solutions for Remote Support, Access to Unattended Computers, Access to User Account Control (UAC) Screens, Add Your Own Logo, Auto Sizing, Automatic Update, Clipboard Transfer, Computer Independent Licensing, Contact List and Groups, Encrypted Communication, External Communication Barrier, File Transfer, Instant Messaging, Multi-Platform Support, Multiple Chat, Multiple Connections, No Port Forwarding Required, Peer to Peer Connection (p2p), Receiving Offline Message, Remote Restart, ReportingRestricting The Authority, Screen Sharing, Sending Announcement Message, Sharing a certain part of the screen, Video Recording, Voice Communication, Who is currently supporting?, Working in Black Screen Mode",,"C:\AlpemixService.exe, C:\AlpemixSrvc\","{""Disk"": [{""File"": ""%localappdata%\\Alpemix\\Alpemix.ini"", ""Description"": ""N/A"", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""AlpemixSrvc"", ""ImagePath"": ""*\\Alpemix.exe servicestartxxx"", ""Description"": ""Service installation event as result of Alpemix installation.""}], ""Registry"": [{""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Services\\AlpemixSrvcx"", ""Description"": ""N/A""}], ""Network"": [{""Description"": ""N/A"", ""Domains"": 
[""*.alpemix.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.teknopars.com""], ""Ports"": [80]}]}",[],https://www.alpemix.com/en/remote-access,"[{""Person"": ""Nasreddine Bencherchali"", ""Handle"": ""@nas_bench""}]" -Royal TS,,Royal TS is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,royalts.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""royalapps.com""], ""Ports"": []}]}",[],,[] -DragonDisk,,DragonDisk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Almageste\DragonDisk\*, *\Almageste\DragonDisk\*, *\DragonDisk.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Pcvisit,,Pcvisit is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"pcvisit.exe, pcvisit_client.exe, pcvisit-easysupport.exe, pcvisit_service_client.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.pcvisit.de"", ""pcvisit.de""], ""Ports"": []}]}",[],https://www.pcvisit.de/,[] -Connectwise Automate (LabTech),,Connectwise Automate (LabTech) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"ltsvc.exe, ltsvcmon.exe, lttray.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.hostedrmm.com""], ""Ports"": []}]}",[],https://www.connectwise.com/company/announcements/labtech-now-connectwise-automate,[] +",Nasreddine Bencherchali,2024-08-05,2024-08-05,https://www.alpemix.com/en/Home,Alpemix.exe,Alpemix,Alpemix,Alpemix,,,,"Windows, Linux, Android, Mac, IOS","5 Different Solutions for Remote Support, Access to Unattended Computers, Access to User Account Control (UAC) Screens, Add Your Own Logo, Auto Sizing, Automatic Update, Clipboard Transfer, Computer Independent Licensing, Contact List and Groups, Encrypted Communication, External Communication Barrier, File Transfer, Instant Messaging, Multi-Platform Support, Multiple Chat, Multiple Connections, No Port Forwarding Required, Peer to Peer Connection (p2p), Receiving Offline Message, Remote Restart, ReportingRestricting The Authority, Screen Sharing, Sending Announcement Message, Sharing a certain part of the screen, Video Recording, Voice Communication, Who is currently supporting?, Working in Black Screen Mode",,"C:\AlpemixService.exe, C:\AlpemixSrvc\","{""Disk"": [{""File"": ""%localappdata%\\Alpemix\\Alpemix.ini"", ""Description"": ""N/A"", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""AlpemixSrvc"", ""ImagePath"": ""*\\Alpemix.exe servicestartxxx"", ""Description"": ""Service installation event as result of Alpemix installation.""}], ""Registry"": [{""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Services\\AlpemixSrvcx"", ""Description"": ""N/A""}], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""*.alpemix.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.teknopars.com""], ""Ports"": [80]}]}","[{""Sigma"": 
""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of Alpemix RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_network_sigma.yml"", ""Description"": ""Detects potential network activity of Alpemix RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_files_sigma.yml"", ""Description"": ""Detects potential files activity of Alpemix RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Alpemix RMM tool""}]",https://www.alpemix.com/en/remote-access,"[{""Person"": ""Nasreddine Bencherchali"", ""Handle"": ""@nas_bench""}]" +Royal TS,,Royal TS is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,royalts.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""royalapps.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_ts_network_sigma.yml"", ""Description"": ""Detects potential network activity of Royal TS RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_ts_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Royal TS RMM tool""}]",,[] +DragonDisk,,DragonDisk is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Almageste\DragonDisk\*, *\Almageste\DragonDisk\*, *\DragonDisk.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dragondisk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DragonDisk RMM tool""}]",,[] +Pcvisit,,Pcvisit is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"pcvisit.exe, pcvisit_client.exe, pcvisit-easysupport.exe, pcvisit_service_client.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.pcvisit.de"", ""pcvisit.de""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcvisit_network_sigma.yml"", ""Description"": ""Detects potential network activity of Pcvisit RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcvisit_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pcvisit RMM tool""}]",https://www.pcvisit.de/,[] +Connectwise Automate (LabTech),,Connectwise Automate (LabTech) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"ltsvc.exe, ltsvcmon.exe, lttray.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.hostedrmm.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_automate__labtech__network_sigma.yml"", ""Description"": ""Detects potential network activity of Connectwise Automate (LabTech) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_automate__labtech__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Connectwise Automate (LabTech) RMM tool""}]",https://www.connectwise.com/company/announcements/labtech-now-connectwise-automate,[] DameWare,,DameWare is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"SolarWinds-Dameware-DRS*.exe, DameWare Mini Remote Control*.exe, C:\Windows\dwrcs\* - c:\Program File\SolarWinds\Dameware Mini Remote Control\*, dwrcs.exe, *\dwrcs\*, *\dwrcst.exe, DameWare Remote Support.exe, SolarWinds-Dameware-MRC*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],https://documentation.solarwinds.com/en/success_center/dameware/content/install-standalone-port-requirements.htm,[] -Onionshare,,Onionshare is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\OnionShare\*, *\OnionShare\*, *\onionshare*.exe, OnionShare-win*.msi","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Tailscale,,Tailscale is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"tailscale-*.exe, tailscaled.exe, tailscale-ipn.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.tailscale.com"", ""*.tailscale.io"", ""tailscale.com""], ""Ports"": []}]}",[],https://tailscale.com/kb/1023/troubleshooting,[] -Senso.cloud,,Senso.cloud is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"SensoClient.exe, SensoService.exe, aadg.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.senso.cloud"", ""senso.cloud""], ""Ports"": []}]}",[],https://support.senso.cloud/support/solutions/articles/79000116305-firewall-and-content-filter-configuration,[] + c:\Program File\SolarWinds\Dameware Mini Remote Control\*, dwrcs.exe, *\dwrcs\*, *\dwrcst.exe, DameWare Remote Support.exe, SolarWinds-Dameware-MRC*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DameWare RMM tool""}]",https://documentation.solarwinds.com/en/success_center/dameware/content/install-standalone-port-requirements.htm,[] +Onionshare,,Onionshare is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\OnionShare\*, *\OnionShare\*, *\onionshare*.exe, OnionShare-win*.msi","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/onionshare_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Onionshare RMM tool""}]",,[] +Tailscale,,Tailscale is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"tailscale-*.exe, tailscaled.exe, tailscale-ipn.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.tailscale.com"", ""*.tailscale.io"", ""tailscale.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tailscale_network_sigma.yml"", ""Description"": ""Detects potential network activity of Tailscale RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tailscale_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Tailscale RMM tool""}]",https://tailscale.com/kb/1023/troubleshooting,[] +Senso.cloud,,Senso.cloud is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"SensoClient.exe, SensoService.exe, aadg.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.senso.cloud"", ""senso.cloud""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/senso.cloud_network_sigma.yml"", ""Description"": ""Detects potential network activity of Senso.cloud RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/senso.cloud_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Senso.cloud RMM tool""}]",https://support.senso.cloud/support/solutions/articles/79000116305-firewall-and-content-filter-configuration,[] Proton Drive,,Proton Drive is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -UltraViewer,,UltraViewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"UltraViewer_Service.exe, UltraViewer_setup*, UltraViewer_Desktop.exe, ultraviewer.exe, C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe, *\UltraViewer\, *\UltraViewer_Desktop.exe, ultraviewer_desktop.exe, ultraviewer_service.exe, UltraViewer_Desktop.exe, UltraViewer_setup*, UltraViewer_Service.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""* .ultraviewer.net"", ""ultraviewer.net""], ""Ports"": []}]}",[],https://www.ultraviewer.net/en/200000026-summary-of-ultraviewer-s-security-information.html,[] -KickIdler,,KickIdler is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"grabberEM.*msi, grabberTT*.msi","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""kickidler.com"", ""my.kickidler.com""], ""Ports"": []}]}",[],https://www.kickidler.com/for-it/faq/,[] +UltraViewer,,UltraViewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"UltraViewer_Service.exe, UltraViewer_setup*, UltraViewer_Desktop.exe, ultraviewer.exe, C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe, *\UltraViewer\, *\UltraViewer_Desktop.exe, ultraviewer_desktop.exe, ultraviewer_service.exe, UltraViewer_Desktop.exe, UltraViewer_setup*, UltraViewer_Service.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""* .ultraviewer.net"", ""ultraviewer.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultraviewer_network_sigma.yml"", ""Description"": ""Detects potential network activity of UltraViewer RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultraviewer_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of UltraViewer RMM tool""}]",https://www.ultraviewer.net/en/200000026-summary-of-ultraviewer-s-security-information.html,[] +KickIdler,,KickIdler is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"grabberEM.*msi, grabberTT*.msi","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""kickidler.com"", ""my.kickidler.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kickidler_network_sigma.yml"", ""Description"": ""Detects potential network activity of KickIdler RMM tool""}]",https://www.kickidler.com/for-it/faq/,[] Remmina,,Remmina is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -eHorus,,eHorus is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,ehorus standalone.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""ehorus.com""], ""Ports"": []}]}",[],,[] -Quick Assist,,Quick Assist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,quickassist.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.support.services.microsoft.com""], ""Ports"": []}]}",[],,[] -N-Able Advanced Monitoring Agent,,N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"Agent_*_RW.exe, BASEClient.exe, BASupApp.exe, BASupSrvc.exe, BASupSrvcCnfg.exe, BASupTSHelper.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*remote.management"", ""*.logicnow.com"", ""*systemmonitor.us"", ""*systemmonitor.eu.com"", ""*system-monitor.com"", ""systemmonitor.us.cdn.cloudflare.net"", ""*cloudbackup.management"", ""*systemmonitor.co.uk"", ""*.n-able.com"", ""*.beanywhere.com "", ""*.swi-tc.com""], ""Ports"": []}]}",[],https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm,[] -KiTTY,,KiTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\kitty.exe, *\kitty.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -AweRay (AweSun),,AweRay (AweSun) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"aweray_remote*.exe, AweSun.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""asapi-us.aweray.net"", ""asapi.aweray.net""], ""Ports"": []}]}",[],,[] -FleetDeck,,FleetDeck is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,fleetdeck_agent_svc.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""fleetdeck.io""], ""Ports"": []}]}",[],,[] -TeleDesktop,,TeleDesktop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"pstlaunch.exe, ptdskclient.exe, ptdskhost.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""tele-desk.com""], ""Ports"": []}]}",[],http://potomacsoft.com/ - DOA as of 2024,[] -Remote Utilities,,Remote Utilities is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rutview.exe, rutserv.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.internetid.ru""], ""Ports"": []}]}",[],https://www.remoteutilities.com/download/,[] +eHorus,,eHorus is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,ehorus standalone.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""ehorus.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ehorus_network_sigma.yml"", ""Description"": ""Detects potential network activity of eHorus RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ehorus_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of eHorus RMM tool""}]",,[] +Quick Assist,,Quick Assist is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,quickassist.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.support.services.microsoft.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quick_assist_network_sigma.yml"", ""Description"": ""Detects potential network activity of Quick Assist RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quick_assist_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Quick Assist RMM tool""}]",,[] +N-Able Advanced Monitoring Agent,,N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"Agent_*_RW.exe, BASEClient.exe, BASupApp.exe, BASupSrvc.exe, BASupSrvcCnfg.exe, BASupTSHelper.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*remote.management"", ""*.logicnow.com"", ""*systemmonitor.us"", ""*systemmonitor.eu.com"", ""*system-monitor.com"", ""systemmonitor.us.cdn.cloudflare.net"", ""*cloudbackup.management"", ""*systemmonitor.co.uk"", ""*.n-able.com"", ""*.beanywhere.com "", ""*.swi-tc.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_network_sigma.yml"", ""Description"": ""Detects potential network activity of N-Able Advanced Monitoring Agent RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of N-Able Advanced Monitoring Agent RMM 
tool""}]",https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm,[] +KiTTY,,KiTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\kitty.exe, *\kitty.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kitty_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of KiTTY RMM tool""}]",,[] +AweRay (AweSun),,AweRay (AweSun) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"aweray_remote*.exe, AweSun.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""asapi-us.aweray.net"", ""asapi.aweray.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray__awesun__network_sigma.yml"", ""Description"": ""Detects potential network activity of AweRay (AweSun) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray__awesun__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of AweRay (AweSun) RMM tool""}]",,[] +FleetDeck,,FleetDeck is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,fleetdeck_agent_svc.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""fleetdeck.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdeck_network_sigma.yml"", ""Description"": ""Detects potential network activity of FleetDeck RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdeck_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of FleetDeck RMM tool""}]",,[] +TeleDesktop,,TeleDesktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"pstlaunch.exe, ptdskclient.exe, ptdskhost.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""tele-desk.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teledesktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of TeleDesktop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teledesktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of TeleDesktop RMM tool""}]",http://potomacsoft.com/ - DOA as of 2024,[] +Remote Utilities,,Remote Utilities is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rutview.exe, rutserv.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.internetid.ru""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_utilities_network_sigma.yml"", ""Description"": ""Detects potential network activity of Remote Utilities RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_utilities_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remote Utilities RMM tool""}]",https://www.remoteutilities.com/download/,[] Cloud Explorer,,Cloud Explorer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -NetSupport Manager,,NetSupport Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"pcictlui.exe, pcicfgui.exe, client32.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.netsupportmanager.com"", ""netsupportmanager.com""], ""Ports"": []}]}",[],https://www.netsupportmanager.com/resources/,[] -GotoHTTP,,GotoHTTP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"GotoHTTP_x64.exe, gotohttp.exe, GotoHTTP*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.gotohttp.com"", ""gotohttp.com""], ""Ports"": []}]}",[],https://gotohttp.com/goto/help.12x,[] -RemoteUtilities,,RemoteUtilities is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"rutview.exe, *\Remote Manipulator System - Server\*, C:\Program Files\Remote Utilities\*, *\Remote Utilities\*, rutserv.exe, *\rutserv.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""remoteutilities.com""], ""Ports"": []}]}",[],,[] +NetSupport Manager,,NetSupport Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"pcictlui.exe, pcicfgui.exe, client32.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.netsupportmanager.com"", ""netsupportmanager.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_network_sigma.yml"", ""Description"": ""Detects potential network activity of NetSupport Manager RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NetSupport Manager RMM tool""}]",https://www.netsupportmanager.com/resources/,[] +GotoHTTP,,GotoHTTP is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"GotoHTTP_x64.exe, gotohttp.exe, GotoHTTP*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.gotohttp.com"", ""gotohttp.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotohttp_network_sigma.yml"", ""Description"": ""Detects potential network activity of GotoHTTP RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotohttp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of GotoHTTP RMM tool""}]",https://gotohttp.com/goto/help.12x,[] +RemoteUtilities,,RemoteUtilities is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"rutview.exe, *\Remote Manipulator System - Server\*, C:\Program Files\Remote Utilities\*, *\Remote Utilities\*, rutserv.exe, *\rutserv.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""remoteutilities.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteutilities_network_sigma.yml"", ""Description"": ""Detects potential network activity of RemoteUtilities RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteutilities_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RemoteUtilities RMM tool""}]",,[] GoToMyPC,,"GoToMyPC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. 
-",Nasreddine Bencherchali,2024-08-05,2024-08-05,,AppCore.exe,,,,,,,,,,C:\Program Files (x86)\GoToMyPC\*,"{""Disk"": [{""File"": ""%AppData%\\GoTo\\Logs\\goto.log"", ""Description"": ""N/A"", ""OS"": ""Windows""}], ""EventLog"": [], ""Registry"": [{""Path"": ""HKEY_LOCAL_MACHINE\\WOW6432Node\\Citrix\\GoToMyPc"", ""Description"": ""Configuration settings including registration email""}, {""Path"": ""HKEY_LOCAL_MACHINE\\WOW6432Node\\Citrix\\GoToMyPc\\GuestInvite"", ""Description"": ""Guest invites send to connect""}, {""Path"": ""HKEY_CURRENT_USER\\SOFTWARE\\Citrix\\GoToMyPc\\FileTransfer\\history"", ""Description"": ""hostname of the computer making connections and location of transferred files""}, {""Path"": ""HKEY_USERS\\\\SOFTWARE\\Citrix\\GoToMyPc\\FileTransfer\\history"", ""Description"": ""hostname of the computer making connections and location of transferred files""}], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""*.GoToMyPC.com""], ""Ports"": [""N/A""]}]}",[],"https://support.logmeininc.com/gotomypc/help/what-are-the-optimal-firewall-configurations#, https://support.goto.com/training/help/how-do-i-configure-gototraining-to-work-with-firewalls, https://ruler-project.github.io/ruler-project/RULER/remote/Citrix%20GoToMyPC/","[{""Person"": ""Phill Moore"", ""Handle"": ""@phillmoore""}]" +",Nasreddine Bencherchali,2024-08-05,2024-08-05,,AppCore.exe,,,,,,,,,,C:\Program Files (x86)\GoToMyPC\*,"{""Disk"": [{""File"": ""%AppData%\\GoTo\\Logs\\goto.log"", ""Description"": ""N/A"", ""OS"": ""Windows""}], ""EventLog"": [], ""Registry"": [{""Path"": ""HKEY_LOCAL_MACHINE\\WOW6432Node\\Citrix\\GoToMyPc"", ""Description"": ""Configuration settings including registration email""}, {""Path"": ""HKEY_LOCAL_MACHINE\\WOW6432Node\\Citrix\\GoToMyPc\\GuestInvite"", ""Description"": ""Guest invites send to connect""}, {""Path"": ""HKEY_CURRENT_USER\\SOFTWARE\\Citrix\\GoToMyPc\\FileTransfer\\history"", ""Description"": ""hostname of the computer making connections and 
location of transferred files""}, {""Path"": ""HKEY_USERS\\\\SOFTWARE\\Citrix\\GoToMyPc\\FileTransfer\\history"", ""Description"": ""hostname of the computer making connections and location of transferred files""}], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""*.GoToMyPC.com""], ""Ports"": [""N/A""]}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of GoToMyPC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_network_sigma.yml"", ""Description"": ""Detects potential network activity of GoToMyPC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_files_sigma.yml"", ""Description"": ""Detects potential files activity of GoToMyPC RMM tool""}]","https://support.logmeininc.com/gotomypc/help/what-are-the-optimal-firewall-configurations#, https://support.goto.com/training/help/how-do-i-configure-gototraining-to-work-with-firewalls, https://ruler-project.github.io/ruler-project/RULER/remote/Citrix%20GoToMyPC/","[{""Person"": ""Phill Moore"", ""Handle"": ""@phillmoore""}]" SmartCode Web VNC,,SmartCode Web VNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\TightVNC\*, *\TightVNC\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Seetrol,,Seetrol is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"seetrolcenter.exe, seetrolclient.exe, seetrolmyservice.exe, seetrolremote.exe, seetrolsetting.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""seetrol.co.kr""], ""Ports"": []}]}",[],http://www.seetrol.com/en/features/features3.php,[] -RDPView,,RDPView is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,dwrcs.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""systemmanager.ru/dntu.en/rdp_view.htm""], ""Ports"": []}]}",[],systemmanager.ru/dntu.en/rdp_view.htm - Same as Damware,[] -Zoho Assist,,Zoho Assist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"zaservice.exe, ZMAgent.exe, C:\*\ZA_Access.exe, ZohoMeeting.exe, Zohours.exe, zohotray.exe, ZohoURSService.exe, *\ZA_Access.exe, Zaservice.exe, za_connect.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.zoho.com.au"", ""*.zohoassist.jp"", ""assist.zoho.com"", ""zoho.com/assist/"", ""*.zoho.in"", ""downloads.zohodl.com.cn"", ""*.zohoassist.com"", ""downloads.zohocdn.com"", ""gateway.zohoassist.com"", ""*.zohoassist.com.cn"", ""*.zoho.com.cn"", ""*.zoho.com"", ""*.zoho.eu""], ""Ports"": []}]}",[],https://www.zoho.com/assist/kb/firewall-configuration.html,[] -Xpra,,Xpra is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Xpra\*, *\Xpra\*, *\Xpra-Launcher.exe, *\Xpra-x86_64_Setup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -CloudBuckIt,,CloudBuckIt is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\CloudBuckIt\*, *\CloudBuckIt\*, *\CloudBuckIt*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Seetrol,,Seetrol is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"seetrolcenter.exe, seetrolclient.exe, seetrolmyservice.exe, seetrolremote.exe, seetrolsetting.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""seetrol.co.kr""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/seetrol_network_sigma.yml"", ""Description"": ""Detects potential network activity of Seetrol RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/seetrol_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Seetrol RMM tool""}]",http://www.seetrol.com/en/features/features3.php,[] +RDPView,,RDPView is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,dwrcs.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""systemmanager.ru/dntu.en/rdp_view.htm""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpview_network_sigma.yml"", ""Description"": ""Detects potential network activity of RDPView RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpview_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RDPView RMM tool""}]",systemmanager.ru/dntu.en/rdp_view.htm - Same as Damware,[] +Zoho Assist,,Zoho Assist is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"zaservice.exe, ZMAgent.exe, C:\*\ZA_Access.exe, ZohoMeeting.exe, Zohours.exe, zohotray.exe, ZohoURSService.exe, *\ZA_Access.exe, Zaservice.exe, za_connect.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.zoho.com.au"", ""*.zohoassist.jp"", ""assist.zoho.com"", ""zoho.com/assist/"", ""*.zoho.in"", ""downloads.zohodl.com.cn"", ""*.zohoassist.com"", ""downloads.zohocdn.com"", ""gateway.zohoassist.com"", ""*.zohoassist.com.cn"", ""*.zoho.com.cn"", ""*.zoho.com"", ""*.zoho.eu""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoho_assist_network_sigma.yml"", ""Description"": ""Detects potential network activity of Zoho Assist RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoho_assist_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Zoho Assist RMM tool""}]",https://www.zoho.com/assist/kb/firewall-configuration.html,[] +Xpra,,Xpra is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Xpra\*, *\Xpra\*, *\Xpra-Launcher.exe, *\Xpra-x86_64_Setup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xpra_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Xpra RMM tool""}]",,[] +CloudBuckIt,,CloudBuckIt is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\CloudBuckIt\*, *\CloudBuckIt\*, *\CloudBuckIt*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudbuckit_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of CloudBuckIt RMM tool""}]",,[] DeskNets,,DeskNets is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],https://www.desknets.com/en/download.html,[] -ODrive,,ODrive is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\*\current\, *Users\*\.odrive, *\Odriveapp.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +ODrive,,ODrive is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\*\current\, *Users\*\.odrive, *\Odriveapp.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/odrive_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ODrive RMM tool""}]",,[] XRDP,,XRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -ManageEngine,,ManageEngine is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"InstallShield Setup.exe, ManageEngine_Remote_Access_Plus.exe, *\dcagentservice.exe, C:\Program Files (x86)\DesktopCentral_Agent\bin\*, *\DesktopCentral_Agent\bin\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Impero Connect,,Impero Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,ImperoClientSVC.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""imperosoftware.com""], ""Ports"": []}]}",[],,[] -Remcos,,Remcos is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,remcos*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -PDQ Connect,,PDQ Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,pdq-connect*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""app.pdq.com"", ""cfcdn.pdq.com""], ""Ports"": []}]}",[],https://connect.pdq.com/hc/en-us/articles/9518992071707-Network-Requirements,[] +ManageEngine,,ManageEngine is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"InstallShield Setup.exe, ManageEngine_Remote_Access_Plus.exe, *\dcagentservice.exe, C:\Program Files (x86)\DesktopCentral_Agent\bin\*, *\DesktopCentral_Agent\bin\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manageengine_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ManageEngine RMM tool""}]",,[] +Impero Connect,,Impero Connect is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,ImperoClientSVC.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""imperosoftware.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/impero_connect_network_sigma.yml"", ""Description"": ""Detects potential network activity of Impero Connect RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/impero_connect_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Impero Connect RMM tool""}]",,[] +Remcos,,Remcos is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,remcos*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remcos_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remcos RMM tool""}]",,[] +PDQ Connect,,PDQ Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,pdq-connect*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""app.pdq.com"", ""cfcdn.pdq.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pdq_connect_network_sigma.yml"", ""Description"": ""Detects potential network activity of PDQ Connect RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pdq_connect_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of PDQ Connect RMM tool""}]",https://connect.pdq.com/hc/en-us/articles/9518992071707-Network-Requirements,[] Terminals,,Terminals is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Air Live Drive,,Air Live Drive is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\AirLiveDrive\*, *\AirLiveDrive\*, *\AirLiveDrive.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Syncro,,Syncro is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/13/2024,,,,,,,,,,,,"Syncro.Installer.exe, Kabuto.App.Runner.exe, Syncro.Overmind.Service.exe, Kabuto.Installer.exe, KabutoSetup.exe, Syncro.Service.exe, Kabuto.Service.Runner.exe, Syncro.App.Runner.exe, SyncroLive.Service.exe, SyncroLive.Agent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""kabuto.io"", ""*.syncromsp.com"", ""*.syncroapi.com"", ""syncromsp.com"", ""servably.com"", ""ld.aurelius.host"", ""app.kabuto.io "", ""*.kabutoservices.com"", ""repairshopr.com"", ""kabutoservices.com"", ""attachments.servably.com""], ""Ports"": []}]}",[],https://community.syncromsp.com/t/syncro-exceptions-and-allowlists/2004,[] -247ithelp.com (ConnectWise),,247ithelp.com (ConnectWise) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,Remote Workforce Client.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.247ithelp.com""], ""Ports"": []}]}",[],Similar / replaced by ScreenConnect,[] -Netviewer,,Netviewer is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"netviewer*.exe, netviewer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""download.cnet.com/Net-Viewer/3000-2370_4-10034828.html""], ""Ports"": []}]}",[],,[] -Syspectr,,Syspectr is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"oo-syspectr*.exe, OOSysAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""atled.syspectr.com"", ""app.syspectr.com""], ""Ports"": []}]}",[],https://www.syspectr.com/en/installation-in-a-network,[] -I'm InTouch,,I'm InTouch is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"iit.exe, intouch.exe, I'm InTouch Go Installer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.01com.com"", ""01com.com/imintouch-remote-pc-desktop""], ""Ports"": []}]}",[],https://www.01com.com/mobile/imintouch-remote-pc-desktop/faqs/remote-access/,[] -aria2,,aria2 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\ProgramData\CentraStage\AEMAgent\*, *ProgramData\CentraStage\AEMAgent\*, *\Steinberg\Download Assistant\3rd Party\optional\aria2\*, *\aria2c.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -ISL Light,,ISL Light is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"islalwaysonmonitor.exe, isllight.exe, isllightservice.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""islonline.com""], ""Ports"": []}]}",[],,[] +Air Live Drive,,Air Live Drive is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\AirLiveDrive\*, *\AirLiveDrive\*, *\AirLiveDrive.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/air_live_drive_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Air Live Drive RMM tool""}]",,[] +Syncro,,Syncro is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/13/2024,,,,,,,,,,,,"Syncro.Installer.exe, Kabuto.App.Runner.exe, Syncro.Overmind.Service.exe, Kabuto.Installer.exe, KabutoSetup.exe, Syncro.Service.exe, Kabuto.Service.Runner.exe, Syncro.App.Runner.exe, SyncroLive.Service.exe, SyncroLive.Agent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""kabuto.io"", ""*.syncromsp.com"", ""*.syncroapi.com"", ""syncromsp.com"", ""servably.com"", ""ld.aurelius.host"", ""app.kabuto.io "", ""*.kabutoservices.com"", ""repairshopr.com"", ""kabutoservices.com"", ""attachments.servably.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncro_network_sigma.yml"", ""Description"": ""Detects potential network activity of Syncro RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncro_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Syncro RMM 
tool""}]",https://community.syncromsp.com/t/syncro-exceptions-and-allowlists/2004,[] +247ithelp.com (ConnectWise),,247ithelp.com (ConnectWise) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,Remote Workforce Client.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.247ithelp.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/247ithelp.com__connectwise__network_sigma.yml"", ""Description"": ""Detects potential network activity of 247ithelp.com (ConnectWise) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/247ithelp.com__connectwise__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of 247ithelp.com (ConnectWise) RMM tool""}]",Similar / replaced by ScreenConnect,[] +Netviewer,,Netviewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"netviewer*.exe, netviewer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""download.cnet.com/Net-Viewer/3000-2370_4-10034828.html""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer_network_sigma.yml"", ""Description"": ""Detects potential network activity of Netviewer RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Netviewer RMM tool""}]",,[] +Syspectr,,Syspectr is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"oo-syspectr*.exe, OOSysAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""atled.syspectr.com"", ""app.syspectr.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syspectr_network_sigma.yml"", ""Description"": ""Detects potential network activity of Syspectr RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syspectr_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Syspectr RMM tool""}]",https://www.syspectr.com/en/installation-in-a-network,[] +I'm InTouch,,I'm InTouch is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"iit.exe, intouch.exe, I'm InTouch Go Installer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.01com.com"", ""01com.com/imintouch-remote-pc-desktop""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/i'm_intouch_network_sigma.yml"", ""Description"": ""Detects potential network activity of I'm InTouch RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/i'm_intouch_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of I'm InTouch RMM tool""}]",https://www.01com.com/mobile/imintouch-remote-pc-desktop/faqs/remote-access/,[] +aria2,,aria2 is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\ProgramData\CentraStage\AEMAgent\*, *ProgramData\CentraStage\AEMAgent\*, *\Steinberg\Download Assistant\3rd Party\optional\aria2\*, *\aria2c.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aria2_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of aria2 RMM tool""}]",,[] +ISL Light,,ISL Light is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"islalwaysonmonitor.exe, isllight.exe, isllightservice.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""islonline.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_light_network_sigma.yml"", ""Description"": ""Detects potential network activity of ISL Light RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_light_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ISL Light RMM tool""}]",,[] Mocha VNC Lite,,Mocha VNC Lite is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"This installs a modified VNC and cannot be blocked by path separate from VNC, This installs a modified VNC and cannot be blocked by path separate from VNC, *\RealVNC\VNC4\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Ericom Connect,,Ericom Connect is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"EricomConnectRemoteHost*.exe, ericomconnnectconfigurationtool.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""ericom.com""], ""Ports"": []}]}",[],https://www.ericom.com/connect-accessnow/,[] -Yandex.Disk,,Yandex.Disk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Yandex\*, *\Yandex\*, *\YandexDisk2.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -LiteManager,,LiteManager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"lmnoipserver.exe, ROMFUSClient.exe, romfusclient.exe, romviewer.exe, romserver.exe, ROMServer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.litemanager.ru"", ""*.litemanager.com"", ""litemanager.com""], ""Ports"": []}]}",[],https://www.litemanager.com/articles/LiteManager_remote_access_to_a_desktop_via_the_Internet_or_LAN/,[] -BeAnyWhere,,BeAnyWhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"basuptshelper.exe, basupsrvcupdate.exe, BASupApp.exe, BASupSysInf.exe, BASupAppSrvc.exe, TakeControl.exe, BASupAppElev.exe, basupsrvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""beanywhere.en.uptodown.com/windows"", ""beanywhere.com""], ""Ports"": []}]}",[],https://www.shouldiremoveit.com/beanywhere-support-service-40908-program.aspx,[] -Jump Cloud,,Jump Cloud is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,JumpCloud*.exe ,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.api.jumpcloud.com"", ""*.assist.jumpcloud.com""], ""Ports"": []}]}",[],https://jumpcloud.com/support/understand-remote-assist-agent,[] +Ericom Connect,,Ericom Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"EricomConnectRemoteHost*.exe, ericomconnnectconfigurationtool.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""ericom.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_connect_network_sigma.yml"", ""Description"": ""Detects potential network activity of Ericom Connect RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_connect_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Ericom Connect RMM tool""}]",https://www.ericom.com/connect-accessnow/,[] +Yandex.Disk,,Yandex.Disk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Yandex\*, *\Yandex\*, *\YandexDisk2.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/yandex.disk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Yandex.Disk RMM tool""}]",,[] +LiteManager,,LiteManager is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"lmnoipserver.exe, ROMFUSClient.exe, romfusclient.exe, romviewer.exe, romserver.exe, ROMServer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.litemanager.ru"", ""*.litemanager.com"", ""litemanager.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/litemanager_network_sigma.yml"", ""Description"": ""Detects potential network activity of LiteManager RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/litemanager_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of LiteManager RMM tool""}]",https://www.litemanager.com/articles/LiteManager_remote_access_to_a_desktop_via_the_Internet_or_LAN/,[]
+BeAnyWhere,,BeAnyWhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"basuptshelper.exe, basupsrvcupdate.exe, BASupApp.exe, BASupSysInf.exe, BASupAppSrvc.exe, TakeControl.exe, BASupAppElev.exe, basupsrvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""beanywhere.en.uptodown.com/windows"", ""beanywhere.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beanywhere_network_sigma.yml"", ""Description"": ""Detects potential network activity of BeAnyWhere RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beanywhere_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of BeAnyWhere RMM tool""}]",https://www.shouldiremoveit.com/beanywhere-support-service-40908-program.aspx,[]
+Jump Cloud,,Jump Cloud is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,JumpCloud*.exe ,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.api.jumpcloud.com"", ""*.assist.jumpcloud.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_cloud_network_sigma.yml"", ""Description"": ""Detects potential network activity of Jump Cloud RMM tool""}]",https://jumpcloud.com/support/understand-remote-assist-agent,[] Remote Desktop Manager (Devolutions),,Remote Desktop Manager (Devolutions) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[]
-AweRay,,AweRay is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"aweray_remote*.exe, AweSun.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""asapi*.aweray.net"", ""client-api.aweray.com""], ""Ports"": []}]}",[],https://sun.aweray.com/help,[]
-Remobo,,Remobo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"remobo.exe, remobo_client.exe, remobo_tracker.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""remobo.en.softonic.com""], ""Ports"": []}]}",[],https://www.remobo.com - DOA as of 2024,[]
-ESET Remote Administrator,,ESET Remote Administrator is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"era.exe, einstaller.exe, ezhelp*.exe, eratool.exe, ERAAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""eset.com/me/business/remote-management/remote-administrator/""], ""Ports"": []}]}",[],eset.com/me/business/remote-management/remote-administrator/,[]
-BeyondTrust (Bomgar),,BeyondTrust (Bomgar) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"bomgar-scc.exe, bomgar-rdp.exe, bomgar-scc-*.exe, bomgar-pac-*.exe, bomgar-pac.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""bomgarcloud.com"", ""*.bomgarcloud.com"", ""*.beyondtrustcloud.com""], ""Ports"": []}]}",[],https://www.beyondtrust.com/docs/remote-support/getting-started/deployment/cloud/network.htm,[]
-Ultra VNC,,Ultra VNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\uvnc bvba\UltraVNC\*, *\uvnc bvba\UltraVNC\*, *\UVNC_Launch.exe, *\winvnc.exe, *\vncviewer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[]
-pcAnywhere,,pcAnywhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"awhost32.exe, awrem32.exe, pcaquickconnect.exe, winaw32.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}",[],https://en.wikipedia.org/wiki/PcAnywhere,[]
-Remote.it,,Remote.it is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"remote-it-installer.exe, remote.it.exe, remoteit.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""auth.api.remote.it"", ""api.remote.it"", ""remote.it""], ""Ports"": []}]}",[],https://docs.remote.it/introduction/get-started,[]
-Cruz,,Cruz is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""resources.doradosoftware.com/cruz-rmm""], ""Ports"": []}]}",[],,[]
-Guacamole,,Guacamole is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,guacd.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""guacamole.apache.org""], ""Ports"": []}]}",[],guacamole.apache.org,[]
-Addigy,,Addigy is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/27/2024,,,,,,,,,,,,addigy-*.pkg,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""prod.addigy.com"", ""grtmprod.addigy.com"", ""agents.addigy.com""], ""Ports"": []}]}",[],https://addigy.com/,[]
-AeroAdmin,,AeroAdmin is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"aeroadmin.exe, AeroAdmin.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""auth*.aeroadmin.com"", ""aeroadmin.com""], ""Ports"": []}]}",[],https://support.aeroadmin.com/kb/faq.php?id=58,[]
-FleetDesk.io,,FleetDesk.io is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"fleetdeck_agent_svc.exe, fleetdeck_commander_svc.exe, fleetdeck_installer.exe, fleetdeck_agent.exe, fleetdeck_commander_launcher.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.fleetdeck.io"", ""cognito-idp.us-west-2.amazonaws.com"", ""fleetdeck.io""], ""Ports"": []}]}",[],https://fleetdeck.io/faq/,[]
-Dameware-mini remote control Protocol,,Dameware-mini remote control Protocol is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"dntus*.exe, dwrcs.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""dameware.com""], ""Ports"": []}]}",[],,[]
-Access Remote PC,,Access Remote PC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"rpcgrab.exe, rpcsetup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[]
-Acronic Cyber Protect (Remotix),,Acronic Cyber Protect (Remotix) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"AcronisCyberProtectConnectQuickAssist*.exe, AcronisCyberProtectConnectAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""cloud.acronis.com"", ""agents*-cloud.acronis.com"", ""gw.remotix.com"", ""connect.acronis.com""], ""Ports"": []}]}",[],https://kb.acronis.com/content/47189,[]
-Instant Housecall,,Instant Housecall is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"hsloader.exe, InstantHousecall.exe, ihcserver.exe, instanthousecall.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.instanthousecall.com"", ""secure.instanthousecall.com"", ""*.instanthousecall.net"", ""instanthousecall.com""], ""Ports"": []}]}",[],https://instanthousecall.com/features/,[]
-SkyFex,,SkyFex is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"Deskroll.exe, DeskRollUA.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""skyfex.com"", ""deskroll.com"", ""*.deskroll.com""], ""Ports"": []}]}",[],https://skyfex.com/,[]
-PSEXEC,,PSEXEC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"psexec.exe, psexecsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}",[],https://learn.microsoft.com/en-us/sysinternals/downloads/psexec,[]
-MSP360,,MSP360 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"Online Backup.exe, CBBackupPlan.exe, Cloud.Backup.Scheduler.exe, Cloud.Backup.RM.Service.exe, cbb.exe, CloudRaService.exe, CloudRaSd.exe, CloudRaCmd.exe, CloudRaUtilities.exe, Remote Desktop.exe, Connect.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.cloudberrylab.com"", ""*.msp360.com"", ""*.mspbackups.com"", ""msp360.com""], ""Ports"": []}]}",[],https://kb.msp360.com/managed-backup-service/mbs-tcp-ports-configuration#,[]
-SecureCRT,,SecureCRT is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\SecureCRT.EXE, *\SecureCRT.EXE, *\VanDyke Software\ClientPack\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[]
-VNC,,VNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"winvnc*.exe, vncserver.exe, winwvc.exe, winvncsc.exe, vncserverui.exe, vncviewer.exe, winvnc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""realvnc.com/en/connect/download/vnc""], ""Ports"": []}]}",[],https://realvnc.com/en/connect/download/vnc,[]
-Panorama9,,Panorama9 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,p9agent*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""trusted.panorama9.com"", ""changes.panorama9.com"", ""panorama9.com""], ""Ports"": []}]}",[],https://support.panorama9.com/en/articles/1859605-what-ports-and-hosts-does-the-p9-agent-communicate-with,[]
-FixMe,,FixMe is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"FixMeit Client.exe, TiExpertStandalone.exe, FixMeitClient*.exe, TiExpertCore.exe, FixMeit Unattended Access Setup.exe, FixMeit Expert Setup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""fixme.it""], ""Ports"": []}]}",[],,[]
-ISL Online,,ISL Online is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"*\ISLLight.exe, isllight.exe, ISLLightClient.exe, C:\Program Files (x86)\ISL Online\ISL Light*, *\ISL Online\ISL Light*, ISLLight.exe, isllightservice.exe, islalwaysonmonitor.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.islonline.com"", ""*.islonline.net""], ""Ports"": []}]}",[],https://help.islonline.com/19818/165940,[]
-RES Automation Manager,,RES Automation Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"wisshell*.exe, wmc.exe, wmc_deployer.exe, wmcsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""ivanti.com/""], ""Ports"": []}]}",[],https://forums.ivanti.com/s/article/INFO-Which-ports-does-Ivanti-Automation-use?language=en_US&ui-force-components-controllers-recordGlobalValueProvider.RecordGvp.getRecord=1,[]
-rclone,,rclone is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"portable tool. No install path, portable tool. No install path, rclone*.zip, *\rclone.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[]
+AweRay,,AweRay is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"aweray_remote*.exe, AweSun.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""asapi*.aweray.net"", ""client-api.aweray.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray_network_sigma.yml"", ""Description"": ""Detects potential network activity of AweRay RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of AweRay RMM tool""}]",https://sun.aweray.com/help,[]
+Remobo,,Remobo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"remobo.exe, remobo_client.exe, remobo_tracker.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""remobo.en.softonic.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remobo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Remobo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remobo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remobo RMM tool""}]",https://www.remobo.com - DOA as of 2024,[]
+ESET Remote Administrator,,ESET Remote Administrator is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"era.exe, einstaller.exe, ezhelp*.exe, eratool.exe, ERAAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""eset.com/me/business/remote-management/remote-administrator/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_network_sigma.yml"", ""Description"": ""Detects potential network activity of ESET Remote Administrator RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ESET Remote Administrator RMM tool""}]",eset.com/me/business/remote-management/remote-administrator/,[]
+BeyondTrust (Bomgar),,BeyondTrust (Bomgar) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"bomgar-scc.exe, bomgar-rdp.exe, bomgar-scc-*.exe, bomgar-pac-*.exe, bomgar-pac.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""bomgarcloud.com"", ""*.bomgarcloud.com"", ""*.beyondtrustcloud.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__network_sigma.yml"", ""Description"": ""Detects potential network activity of BeyondTrust (Bomgar) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of BeyondTrust (Bomgar) RMM tool""}]",https://www.beyondtrust.com/docs/remote-support/getting-started/deployment/cloud/network.htm,[]
+Ultra VNC,,Ultra VNC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\uvnc bvba\UltraVNC\*, *\uvnc bvba\UltraVNC\*, *\UVNC_Launch.exe, *\winvnc.exe, *\vncviewer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultra_vnc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Ultra VNC RMM tool""}]",,[]
+pcAnywhere,,pcAnywhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"awhost32.exe, awrem32.exe, pcaquickconnect.exe, winaw32.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcanywhere_network_sigma.yml"", ""Description"": ""Detects potential network activity of pcAnywhere RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcanywhere_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of pcAnywhere RMM tool""}]",https://en.wikipedia.org/wiki/PcAnywhere,[]
+Remote.it,,Remote.it is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"remote-it-installer.exe, remote.it.exe, remoteit.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""auth.api.remote.it"", ""api.remote.it"", ""remote.it""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote.it_network_sigma.yml"", ""Description"": ""Detects potential network activity of Remote.it RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote.it_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remote.it RMM tool""}]",https://docs.remote.it/introduction/get-started,[]
+Cruz,,Cruz is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""resources.doradosoftware.com/cruz-rmm""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cruz_network_sigma.yml"", ""Description"": ""Detects potential network activity of Cruz RMM tool""}]",,[]
+Guacamole,,Guacamole is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,guacd.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""guacamole.apache.org""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/guacamole_network_sigma.yml"", ""Description"": ""Detects potential network activity of Guacamole RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/guacamole_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Guacamole RMM tool""}]",guacamole.apache.org,[]
+Addigy,,Addigy is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/27/2024,,,,,,,,,,,,addigy-*.pkg,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""prod.addigy.com"", ""grtmprod.addigy.com"", ""agents.addigy.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/addigy_network_sigma.yml"", ""Description"": ""Detects potential network activity of Addigy RMM tool""}]",https://addigy.com/,[]
+AeroAdmin,,AeroAdmin is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"aeroadmin.exe, AeroAdmin.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""auth*.aeroadmin.com"", ""aeroadmin.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aeroadmin_network_sigma.yml"", ""Description"": ""Detects potential network activity of AeroAdmin RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aeroadmin_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of AeroAdmin RMM tool""}]",https://support.aeroadmin.com/kb/faq.php?id=58,[]
+FleetDesk.io,,FleetDesk.io is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"fleetdeck_agent_svc.exe, fleetdeck_commander_svc.exe, fleetdeck_installer.exe, fleetdeck_agent.exe, fleetdeck_commander_launcher.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.fleetdeck.io"", ""cognito-idp.us-west-2.amazonaws.com"", ""fleetdeck.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdesk.io_network_sigma.yml"", ""Description"": ""Detects potential network activity of FleetDesk.io RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdesk.io_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of FleetDesk.io RMM tool""}]",https://fleetdeck.io/faq/,[]
+Dameware-mini remote control Protocol,,Dameware-mini remote control Protocol is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"dntus*.exe, dwrcs.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""dameware.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware-mini_remote_control_protocol_network_sigma.yml"", ""Description"": ""Detects potential network activity of Dameware-mini remote control Protocol RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware-mini_remote_control_protocol_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Dameware-mini remote control Protocol RMM tool""}]",,[]
+Access Remote PC,,Access Remote PC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"rpcgrab.exe, rpcsetup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/access_remote_pc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Access Remote PC RMM tool""}]",,[]
+Acronic Cyber Protect (Remotix),,Acronic Cyber Protect (Remotix) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"AcronisCyberProtectConnectQuickAssist*.exe, AcronisCyberProtectConnectAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""cloud.acronis.com"", ""agents*-cloud.acronis.com"", ""gw.remotix.com"", ""connect.acronis.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/acronic_cyber_protect__remotix__network_sigma.yml"", ""Description"": ""Detects potential network activity of Acronic Cyber Protect (Remotix) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/acronic_cyber_protect__remotix__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Acronic Cyber Protect (Remotix) RMM tool""}]",https://kb.acronis.com/content/47189,[]
+Instant Housecall,,Instant Housecall is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"hsloader.exe, InstantHousecall.exe, ihcserver.exe, instanthousecall.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.instanthousecall.com"", ""secure.instanthousecall.com"", ""*.instanthousecall.net"", ""instanthousecall.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_network_sigma.yml"", ""Description"": ""Detects potential network activity of Instant Housecall RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Instant Housecall RMM tool""}]",https://instanthousecall.com/features/,[]
+SkyFex,,SkyFex is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"Deskroll.exe, DeskRollUA.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""skyfex.com"", ""deskroll.com"", ""*.deskroll.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/skyfex_network_sigma.yml"", ""Description"": ""Detects potential network activity of SkyFex RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/skyfex_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SkyFex RMM tool""}]",https://skyfex.com/,[]
+PSEXEC,,PSEXEC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"psexec.exe, psexecsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec_network_sigma.yml"", ""Description"": ""Detects potential network activity of PSEXEC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of PSEXEC RMM tool""}]",https://learn.microsoft.com/en-us/sysinternals/downloads/psexec,[]
+MSP360,,MSP360 is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"Online Backup.exe, CBBackupPlan.exe, Cloud.Backup.Scheduler.exe, Cloud.Backup.RM.Service.exe, cbb.exe, CloudRaService.exe, CloudRaSd.exe, CloudRaCmd.exe, CloudRaUtilities.exe, Remote Desktop.exe, Connect.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.cloudberrylab.com"", ""*.msp360.com"", ""*.mspbackups.com"", ""msp360.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/msp360_network_sigma.yml"", ""Description"": ""Detects potential network activity of MSP360 RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/msp360_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MSP360 RMM tool""}]",https://kb.msp360.com/managed-backup-service/mbs-tcp-ports-configuration#,[]
+SecureCRT,,SecureCRT is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\SecureCRT.EXE, *\SecureCRT.EXE, *\VanDyke Software\ClientPack\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/securecrt_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SecureCRT RMM tool""}]",,[]
+VNC,,VNC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"winvnc*.exe, vncserver.exe, winwvc.exe, winvncsc.exe, vncserverui.exe, vncviewer.exe, winvnc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""realvnc.com/en/connect/download/vnc""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/vnc_network_sigma.yml"", ""Description"": ""Detects potential network activity of VNC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/vnc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of VNC RMM tool""}]",https://realvnc.com/en/connect/download/vnc,[]
+Panorama9,,Panorama9 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,p9agent*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""trusted.panorama9.com"", ""changes.panorama9.com"", ""panorama9.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/panorama9_network_sigma.yml"", ""Description"": ""Detects potential network activity of Panorama9 RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/panorama9_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Panorama9 RMM tool""}]",https://support.panorama9.com/en/articles/1859605-what-ports-and-hosts-does-the-p9-agent-communicate-with,[]
+FixMe,,FixMe is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"FixMeit Client.exe, TiExpertStandalone.exe, FixMeitClient*.exe, TiExpertCore.exe, FixMeit Unattended Access Setup.exe, FixMeit Expert Setup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""fixme.it""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme_network_sigma.yml"", ""Description"": ""Detects potential network activity of FixMe RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of FixMe RMM tool""}]",,[]
+ISL Online,,ISL Online is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"*\ISLLight.exe, isllight.exe, ISLLightClient.exe, C:\Program Files (x86)\ISL Online\ISL Light*, *\ISL Online\ISL Light*, ISLLight.exe, isllightservice.exe, islalwaysonmonitor.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.islonline.com"", ""*.islonline.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_network_sigma.yml"", ""Description"": ""Detects potential network activity of ISL Online RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ISL Online RMM tool""}]",https://help.islonline.com/19818/165940,[]
+RES Automation Manager,,RES Automation Manager is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"wisshell*.exe, wmc.exe, wmc_deployer.exe, wmcsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""ivanti.com/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/res_automation_manager_network_sigma.yml"", ""Description"": ""Detects potential network activity of RES Automation Manager RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/res_automation_manager_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RES Automation Manager RMM tool""}]",https://forums.ivanti.com/s/article/INFO-Which-ports-does-Ivanti-Automation-use?language=en_US&ui-force-components-controllers-recordGlobalValueProvider.RecordGvp.getRecord=1,[]
+rclone,,rclone is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"portable tool. No install path, portable tool. No install path, rclone*.zip, *\rclone.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rclone_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of rclone RMM tool""}]",,[]
 Atera,,"Atera is a remote monitoring and management (RMM) tool. It is used by threat actors to deploy ransomware or facilitate command execution and lateral movement. 
-",,2024/08/03,,https://www.atera.com/,AteraAgent.exe,AteraAgent.exe,AteraAgent,,SYSTEM,30 day trial,None,"Windows, MacOS, Linux","Integrated remote access with Splashtop and AnyDesk, Remote monitoring and management, Patch management, Network discovery, Backup and disaster recovery, Helpdesk and ticketing, Reporting and analytics, Billing and invoicing, Customer portal, Mobile app","CVE-2023-26078, CVE-2023-26077","*\AgentPackageNetworkDiscovery.exe, *\AgentPackageTaskScheduler.exe, *\ATERA Networks\AteraAgent\*, *\AteraAgent.exe, atera_agent.exe, atera_agent.exe, ateraagent.exe, C:\Program Files\ATERA Networks\AteraAgent\*, C:\Program Files\Atera Networks, C:\Program Files (x86)\Atera Networks, syncrosetup.exe","{""Disk"": [{""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageRunCommandInteractive\\log.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\*"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe"", ""Description"": ""Atera service binary"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\Atera Networks\\AlphaAgent.exe"", ""Description"": ""Atera service binary"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageSTRemote\\AgentPackageSTRemote.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageMonitoring\\AgentPackageMonitoring.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageHeartbeat\\AgentPackageHeartbeat.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageFileExplorer\\AgentPackageFileExplorer.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": 
""C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageRunCommandInteractive\\AgentPackageRunCommandInteractive.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""AteraAgent"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\ATERA Networks\\\\AteraAgent\\\\AteraAgent.exe\"""", ""Description"": ""Service installation event as result of AteraAgent installation.""}, {""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""WinRing0_1_2_0"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\ATERA Networks\\\\AteraAgent\\\\Packages\\\\AgentPackageMonitoring\\\\OpenHardwareMonitorLib.sys\"""", ""Description"": ""Service installation event as result of Atera pakcage manager installation.""}, {""EventID"": 11707, ""ProviderName"": ""MsiInstaller"", ""LogFile"": ""Application.evtx"", ""Data"": ""Product: AteraAgent -- Installation completed successfully."", ""Description"": ""Service installation event as result of AteraAgent installation.""}, {""EventID"": 4688, ""ProviderName"": ""Microsoft-Security-Auditing"", ""LogFile"": ""Security.evtx"", ""CommandLine"": ""C:\\\\Program Files\\\\ATERA Networks\\\\AteraAgent\\\\Packages\\\\AgentPackageFileExplorer\\\\AgentPackageFileExplorer.exe XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX agent-api.atera.com/Production 443 [BASE64BLOB]"", ""Description"": ""Service installation event as result of AteraAgent installation.""}], ""Registry"": [{""Path"": ""HKLM\\SOFTWARE\\ATERA Networks\\AlphaAgent"", ""Description"": null}, {""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Services\\AteraAgent"", ""Description"": null}, {""Path"": ""KLM\\SOFTWARE\\WOW6432Node\\Splashtop Inc."", ""Description"": null}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Splashtop Software 
Updater"", ""Description"": null}, {""Path"": ""HKLM\\SYSTEM\\ControlSet\\Services\\EventLog\\Application\\AlphaAgent"", ""Description"": null}, {""Path"": ""HKLM\\SYSTEM\\ControlSet\\Services\\EventLog\\Application\\AteraAgent"", ""Description"": null}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Tracing\\AteraAgent_RASAPI32"", ""Description"": null}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Tracing\\AteraAgent_RASMANCS"", ""Description"": null}, {""Path"": ""HKLM\\SOFTWARE\\ATERA Networks\\*"", ""Description"": null}], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""pubsub.atera.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""pubsub.pubnub.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""agentreporting.atera.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""getalphacontrol.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""app.atera.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""agenthb.atera.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""packagesstore.blob.core.windows.net""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""ps.pndsn.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""agent-api.atera.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""cacerts.thawte.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""agentreportingstore.blob.core.windows.net""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""atera-agent-heartbeat.servicebus.windows.net""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""ps.atera.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""atera.pubnubapi.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""appcdn.atera.com""], ""Ports"": [""N/A""]}]}","[{""Sigma"": 
""https://github.com/The-DFIR-Report/Sigma-Rules/blob/d67407d357ad32b247e2a303abc5a38bb30fd576/rules/windows/process_creation/proc_creation_win_ateraagent_malicious_installations.yml"", ""Name"": ""AteraAgent malicious installations"", ""Description"": ""Detects AteraAgent installations with suspicious command line arguments.""}, {""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yml"", ""Name"": ""Atera Agent Installation"", ""Description"": ""Detects Atera Agent installation.""}]","https://support.atera.com/hc/en-us/articles/360015461139-Firewall-Settings-for-Atera-s-Integrations, https://support.atera.com/hc/en-us/articles/215955967-Troubleshoot-Atera-s-Windows-agent, https://support.atera.com/hc/en-us/articles/115015619747-Release-Notes-February-2018, https://thedfirreport.com/?s=ateraagent","[{""Person"": ""Th\u00e9o Letailleur"", ""Handle"": ""in/theosyn""}, {""Person"": ""Nasreddine Bencherchali"", ""Handle"": ""@nas_bench""}, {""Person"": ""Kostas"", ""Handle"": ""@kostastsale""}]"
-CrossLoop,,CrossLoop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"crossloopservice.exe, CrossLoopConnect.exe, WinVNCStub.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.crossloop.com"", ""crossloop.en.softonic.com""], ""Ports"": []}]}",[],www.CrossLoop.com -> redirects to avast.com,[]
-Level.io,,Level.io is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"level-windows-amd64.exe, level.exe, level-remote-control-ffmpeg.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""level.io"", ""*.level.io""], ""Ports"": []}]}",[],https://docs.level.io/1.0/admin-guides/troubleshooting-agent-issues,[]
-Tactical RMM,,Tactical RMM is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"tacticalrmm.exe, tacticalrmm.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""login.tailscale.com"", ""login.tailscale.com"", ""docs.tacticalrmm.com""], ""Ports"": []}]}",[],docs.tacticalrmm.com,[]
-Fortra,,Fortra is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""fortra.com""], ""Ports"": []}]}",[],https://www.fortra.com - No free/cloud RMM softwars listed,[]
-Sorillus,,Sorillus is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"Sorillus-Launcher*.exe, Sorillus Launcher.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.sorillus.com"", ""sorillus.com""], ""Ports"": []}]}",[],https://sorillus.com/,[]
-RemoteCall,,RemoteCall is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rcengmgru.exe, rcmgrsvc.exe, rxstartsupport.exe, rcstartsupport.exe, raautoup.exe, agentu.exe, remotesupportplayeru.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.remotecall.com"", ""*.startsupport.com"", ""remotecall.com""], ""Ports"": []}]}",[],https://help.remotecall.com/hc/en-us/articles/360005128814--RemoteCall-Server-List-For-Firewall,[]
-Laplink Everywhere,,Laplink Everywhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"laplink.exe, laplink-everywhere-setup*.exe, laplinkeverywhere.exe, llrcservice.exe, serverproxyservice.exe, OOSysAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""everywhere.laplink.com"", ""le.laplink.com"", ""atled.syspectr.com""], ""Ports"": []}]}",[],https://everywhere.laplink.com/docs,[]
-MEGAsync,,MEGAsync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\*\AppData\Local\MEGAsync\*, *Users\*\AppData\Local\MEGAsync\*, *Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*, *ProgramData\MEGAsync\*, *\MEGAsyncSetup64.exe, *\MEGAupdater.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[]
-Neturo,,Neturo is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"neturo*.exe, ntrntservice.exe, neturo.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""neturo.uplus.co.kr""], ""Ports"": []}]}",[],"Obscure, located an older copy here: http://www.iconpos.com/pos/home/iconpos/bbs.php?id=file&q=view&uid=2",[]
-Distant Desktop,,Distant Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"distant-desktop.exe, dd.exe, ddsystem.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.distantdesktop.com"", ""*signalserver.xyz""], ""Ports"": []}]}",[],https://www.distantdesktop.com/manual/first-start.htm,[]
+",,2024/08/03,,https://www.atera.com/,AteraAgent.exe,AteraAgent.exe,AteraAgent,,SYSTEM,30 day trial,None,"Windows, MacOS, Linux","Integrated remote access with Splashtop and AnyDesk, Remote monitoring and management, Patch management, Network discovery, Backup and disaster recovery, Helpdesk and ticketing, Reporting and analytics, Billing and invoicing, Customer portal, Mobile app","CVE-2023-26078, CVE-2023-26077","*\AgentPackageNetworkDiscovery.exe, *\AgentPackageTaskScheduler.exe, *\ATERA Networks\AteraAgent\*, *\AteraAgent.exe, atera_agent.exe, atera_agent.exe, ateraagent.exe, C:\Program Files\ATERA Networks\AteraAgent\*, C:\Program Files\Atera Networks, C:\Program Files (x86)\Atera Networks, syncrosetup.exe","{""Disk"": [{""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageRunCommandInteractive\\log.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\*"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe"", ""Description"": ""Atera service 
binary"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\Atera Networks\\AlphaAgent.exe"", ""Description"": ""Atera service binary"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageSTRemote\\AgentPackageSTRemote.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageMonitoring\\AgentPackageMonitoring.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageHeartbeat\\AgentPackageHeartbeat.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageFileExplorer\\AgentPackageFileExplorer.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageRunCommandInteractive\\AgentPackageRunCommandInteractive.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""AteraAgent"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\ATERA Networks\\\\AteraAgent\\\\AteraAgent.exe\"""", ""Description"": ""Service installation event as result of AteraAgent installation.""}, {""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""WinRing0_1_2_0"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\ATERA Networks\\\\AteraAgent\\\\Packages\\\\AgentPackageMonitoring\\\\OpenHardwareMonitorLib.sys\"""", ""Description"": ""Service installation event as result of Atera pakcage manager installation.""}, {""EventID"": 11707, ""ProviderName"": ""MsiInstaller"", ""LogFile"": ""Application.evtx"", ""Data"": ""Product: AteraAgent -- Installation completed successfully."", ""Description"": ""Service installation event as result of 
AteraAgent installation.""}, {""EventID"": 4688, ""ProviderName"": ""Microsoft-Security-Auditing"", ""LogFile"": ""Security.evtx"", ""CommandLine"": ""C:\\\\Program Files\\\\ATERA Networks\\\\AteraAgent\\\\Packages\\\\AgentPackageFileExplorer\\\\AgentPackageFileExplorer.exe XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX agent-api.atera.com/Production 443 [BASE64BLOB]"", ""Description"": ""Service installation event as result of AteraAgent installation.""}], ""Registry"": [{""Path"": ""HKLM\\SOFTWARE\\ATERA Networks\\AlphaAgent"", ""Description"": null}, {""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Services\\AteraAgent"", ""Description"": null}, {""Path"": ""KLM\\SOFTWARE\\WOW6432Node\\Splashtop Inc."", ""Description"": null}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Splashtop Software Updater"", ""Description"": null}, {""Path"": ""HKLM\\SYSTEM\\ControlSet\\Services\\EventLog\\Application\\AlphaAgent"", ""Description"": null}, {""Path"": ""HKLM\\SYSTEM\\ControlSet\\Services\\EventLog\\Application\\AteraAgent"", ""Description"": null}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Tracing\\AteraAgent_RASAPI32"", ""Description"": null}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Tracing\\AteraAgent_RASMANCS"", ""Description"": null}, {""Path"": ""HKLM\\SOFTWARE\\ATERA Networks\\*"", ""Description"": null}], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""pubsub.atera.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""pubsub.pubnub.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""agentreporting.atera.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""getalphacontrol.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""app.atera.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""agenthb.atera.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": 
[""packagesstore.blob.core.windows.net""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""ps.pndsn.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""agent-api.atera.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""cacerts.thawte.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""agentreportingstore.blob.core.windows.net""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""atera-agent-heartbeat.servicebus.windows.net""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""ps.atera.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""atera.pubnubapi.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""appcdn.atera.com""], ""Ports"": [""N/A""]}]}","[{""Sigma"": ""https://github.com/The-DFIR-Report/Sigma-Rules/blob/d67407d357ad32b247e2a303abc5a38bb30fd576/rules/windows/process_creation/proc_creation_win_ateraagent_malicious_installations.yml"", ""Name"": ""AteraAgent malicious installations"", ""Description"": ""Detects AteraAgent installations with suspicious command line arguments.""}, {""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yml"", ""Name"": ""Atera Agent Installation"", ""Description"": ""Detects Atera Agent installation.""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of Atera RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_network_sigma.yml"", ""Description"": ""Detects potential network activity of Atera RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_files_sigma.yml"", ""Description"": ""Detects potential files activity of Atera RMM tool""}, 
{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Atera RMM tool""}]","https://support.atera.com/hc/en-us/articles/360015461139-Firewall-Settings-for-Atera-s-Integrations, https://support.atera.com/hc/en-us/articles/215955967-Troubleshoot-Atera-s-Windows-agent, https://support.atera.com/hc/en-us/articles/115015619747-Release-Notes-February-2018, https://thedfirreport.com/?s=ateraagent","[{""Person"": ""Th\u00e9o Letailleur"", ""Handle"": ""in/theosyn""}, {""Person"": ""Nasreddine Bencherchali"", ""Handle"": ""@nas_bench""}, {""Person"": ""Kostas"", ""Handle"": ""@kostastsale""}]"
+CrossLoop,,CrossLoop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"crossloopservice.exe, CrossLoopConnect.exe, WinVNCStub.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.crossloop.com"", ""crossloop.en.softonic.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crossloop_network_sigma.yml"", ""Description"": ""Detects potential network activity of CrossLoop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crossloop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of CrossLoop RMM tool""}]",www.CrossLoop.com -> redirects to avast.com,[]
+Level.io,,Level.io is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"level-windows-amd64.exe, level.exe, level-remote-control-ffmpeg.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""level.io"", ""*.level.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_network_sigma.yml"", ""Description"": ""Detects potential network activity of Level.io RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Level.io RMM tool""}]",https://docs.level.io/1.0/admin-guides/troubleshooting-agent-issues,[]
+Tactical RMM,,Tactical RMM is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"tacticalrmm.exe, tacticalrmm.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""login.tailscale.com"", ""login.tailscale.com"", ""docs.tacticalrmm.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tactical_rmm_network_sigma.yml"", ""Description"": ""Detects potential network activity of Tactical RMM RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tactical_rmm_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Tactical RMM RMM tool""}]",docs.tacticalrmm.com,[]
+Fortra,,Fortra is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""fortra.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fortra_network_sigma.yml"", ""Description"": ""Detects potential network activity of Fortra RMM tool""}]",https://www.fortra.com - No free/cloud RMM softwars listed,[]
+Sorillus,,Sorillus is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"Sorillus-Launcher*.exe, Sorillus Launcher.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.sorillus.com"", ""sorillus.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sorillus_network_sigma.yml"", ""Description"": ""Detects potential network activity of Sorillus RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sorillus_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Sorillus RMM tool""}]",https://sorillus.com/,[]
+RemoteCall,,RemoteCall is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rcengmgru.exe, rcmgrsvc.exe, rxstartsupport.exe, rcstartsupport.exe, raautoup.exe, agentu.exe, remotesupportplayeru.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.remotecall.com"", ""*.startsupport.com"", ""remotecall.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotecall_network_sigma.yml"", ""Description"": ""Detects potential network activity of RemoteCall RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotecall_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RemoteCall RMM tool""}]",https://help.remotecall.com/hc/en-us/articles/360005128814--RemoteCall-Server-List-For-Firewall,[]
+Laplink Everywhere,,Laplink Everywhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"laplink.exe, laplink-everywhere-setup*.exe, laplinkeverywhere.exe, llrcservice.exe, serverproxyservice.exe, OOSysAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""everywhere.laplink.com"", ""le.laplink.com"", ""atled.syspectr.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_everywhere_network_sigma.yml"", ""Description"": ""Detects potential network activity of Laplink Everywhere RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_everywhere_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Laplink Everywhere RMM tool""}]",https://everywhere.laplink.com/docs,[]
+MEGAsync,,MEGAsync is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\*\AppData\Local\MEGAsync\*, *Users\*\AppData\Local\MEGAsync\*, *Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*, *ProgramData\MEGAsync\*, *\MEGAsyncSetup64.exe, *\MEGAupdater.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/megasync_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MEGAsync RMM tool""}]",,[]
+Neturo,,Neturo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"neturo*.exe, ntrntservice.exe, neturo.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""neturo.uplus.co.kr""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/neturo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Neturo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/neturo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Neturo RMM tool""}]","Obscure, located an older copy here: http://www.iconpos.com/pos/home/iconpos/bbs.php?id=file&q=view&uid=2",[]
+Distant Desktop,,Distant Desktop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"distant-desktop.exe, dd.exe, ddsystem.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.distantdesktop.com"", ""*signalserver.xyz""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of Distant Desktop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Distant Desktop RMM tool""}]",https://www.distantdesktop.com/manual/first-start.htm,[]
 rsync,,rsync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[]
-Anyplace Control,,Anyplace Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,apc_host.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""anyplace-control.com""], ""Ports"": []}]}",[],http://www.anyplace-control.com/anyplace-control/help/faq.htm,[]
+Anyplace Control,,Anyplace Control is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,apc_host.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""anyplace-control.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyplace_control_network_sigma.yml"", ""Description"": ""Detects potential network activity of Anyplace Control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyplace_control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Anyplace Control RMM tool""}]",http://www.anyplace-control.com/anyplace-control/help/faq.htm,[]
 JollysFastVNC,,JollysFastVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[]
-ExtraPuTTY,,ExtraPuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\*\ExtraPuTTY-0.30-2016-01-28-installer.exe, *Users\*\ExtraPuTTY-0.30-2016-01-28-installer.exe, *\ExtraPuTTY-0.30-2016-01-28-installer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[]
-rdpwrap,,rdpwrap is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"RDPWInst.exe, RDPCheck.exe, RDPConf.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""github.com/stascorp/rdpwrap""], ""Ports"": []}]}",[],github.com/stascorp/rdpwrap,[]
-N-ABLE Remote Access Software,,N-ABLE Remote Access Software is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""n-able.com""], ""Ports"": []}]}",[],,[] -Google Drive,,Google Drive is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\Google\Drive File Stream\*, *\Google\Drive File Stream\*, *Users\*\AppData\*\Google\DriveFS*, G:\My Drive*, *\GoogleDriveFS.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Solar-PuTTY,,Solar-PuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\Solar-Putty-v4\*, *\Solar-Putty-v4\*, *\Solar-PuTTY.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +ExtraPuTTY,,ExtraPuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\*\ExtraPuTTY-0.30-2016-01-28-installer.exe, *Users\*\ExtraPuTTY-0.30-2016-01-28-installer.exe, *\ExtraPuTTY-0.30-2016-01-28-installer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/extraputty_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ExtraPuTTY RMM tool""}]",,[] +rdpwrap,,rdpwrap is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"RDPWInst.exe, RDPCheck.exe, RDPConf.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""github.com/stascorp/rdpwrap""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpwrap_network_sigma.yml"", ""Description"": ""Detects potential network activity of rdpwrap RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpwrap_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of rdpwrap RMM tool""}]",github.com/stascorp/rdpwrap,[] +N-ABLE Remote Access Software,,N-ABLE Remote Access Software is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""n-able.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_remote_access_software_network_sigma.yml"", ""Description"": ""Detects potential network activity of N-ABLE Remote Access Software RMM tool""}]",,[] +Google Drive,,Google Drive is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\Google\Drive File Stream\*, *\Google\Drive File Stream\*, *Users\*\AppData\*\Google\DriveFS*, G:\My Drive*, *\GoogleDriveFS.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/google_drive_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Google Drive RMM tool""}]",,[] +Solar-PuTTY,,Solar-PuTTY is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\Solar-Putty-v4\*, *\Solar-Putty-v4\*, *\Solar-PuTTY.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/solar-putty_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Solar-PuTTY RMM tool""}]",,[] TeamViewer,,"TeamViewer is a remote monitoring and management (RMM) tool. -","Nasreddine Bencherchali, Michael Haag",2024-08-02,2024-08-02,https://www.teamviewer.com/en,TeamViewer.exe,,,TeamViewer,user,True,False,"Android, ChromeOS, IOS, Linux, Mac, Windows",,https://www.cvedetails.com/vulnerability-list/vendor_id-11100/product_id-19942/Teamviewer-Teamviewer.html,"C:\Program Files\TeamViewer\, teamviewer_desktop.exe, teamviewer_service.exe, teamviewerhost","{""Disk"": [{""File"": ""C:\\Users\\\\AppData\\Local\\Temp\\TeamViewer\\TV15Install.log"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""TeamViewer\\d\\d_Logfile\\.log"", ""Description"": ""N/A"", ""OS"": ""Windows"", ""Type"": ""Regex""}, {""File"": ""C:\\Program Files\\TeamViewer\\Connections_incoming.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\TeamViewer\\TVNetwork.log"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%LOCALAPPDATA%\\Temp\\TeamViewer\\TV15Install.log"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%APPDATA%\\\\TeamViewer\\\\TeamViewer\\d\\d_Logfile\\.log"", ""Description"": ""N/A"", ""OS"": ""Windows"", ""Type"": ""Regex""}, {""File"": ""teamviewerqs.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""tv_w32.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""tv_w64.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""tv_x64.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""teamviewer.exe"", ""Description"": ""N/A"", ""OS"": 
""Windows""}, {""File"": ""teamviewer_service.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%LOCALAPPDATA%\\TeamViewer\\Database\\tvchatfilecache.db"", ""Description"": ""SQlite 3 database storing cache about TeamViewer chat"", ""OS"": ""Windows""}, {""File"": ""%LOCALAPPDATA%\\TeamViewer\\RemotePrinting\\tvprint.db"", ""Description"": ""SQlite 3 database storing TeamViewer print jobs"", ""OS"": ""Windows""}, {""File"": ""%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\TeamViewer.lnk"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files*\\TeamViewer\\connections*.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Users\\*\\AppData\\Roaming\\TeamViewer\\MRU\\RemoteSupport\\*tvc"", ""Description"": ""N/A"", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""TeamViewer"", ""ImagePath"": ""\""C:\\\\Program Files\\\\TeamViewer\\\\TeamViewer_Service.exe\"""", ""Description"": ""Service installation event as result of TeamViewer installation.""}], ""Registry"": [{""Path"": ""HKLM\\SOFTWARE\\TeamViewer\\*"", ""Description"": ""N/A""}, {""Path"": ""HKU\\\\SOFTWARE\\TeamViewer\\*"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Services\\TeamViewer\\*"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\TeamViewer\\ConnectionHistory"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\TeamViewer\\*"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\MainWindowHandle"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImage"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImagePath"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImagePosition"", 
""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\MinimizeToTray"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioUserSelectedCapturingEndpoint"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioSendingVolumeV2"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioUserSelectedRenderingEndpoint"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\TeamViewer\\ConnectionHistory"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\ClientWindow_Mode"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\ClientWindowPositions"", ""Description"": ""N/A""}], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.teamviewer.com""], ""Ports"": []}, {""Description"": ""N/A"", ""Domains"": [""router15.teamviewer.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""client.teamviewer.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""taf.teamviewer.com""], ""Ports"": [443]}], ""Other"": [{""Type"": ""Mutex"", ""Value"": ""TeamViewer_LogMutex""}, {""Type"": ""Mutex"", ""Value"": ""TeamViewerHooks_DynamicMemMutex""}, {""Type"": ""Mutex"", ""Value"": ""TeamViewer3_Win32_Instance_Mutex""}]}",[],"https://community.teamviewer.com/English/kb/articles/4139-ports-used-by-teamviewer, https://arista.my.site.com/AristaCommunity/s/article/Security-Analysis-TeamViewer#, https://www.teamviewer.com/en/global/support/knowledge-base/teamviewer-classic/troubleshooting/log-file-reading-incoming-connection/, https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html, https://github.com/Purp1eW0lf/Blue-Team-Notes","[{""Person"": ""Th\u00e9o Letailleur"", ""Handle"": ""in/theosyn""}]" -Itarian,,Itarian is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"ITSMAgent.exe, RViewer.exe, ItsmRsp.exe, RAccess.exe, RmmService.exe, ITarianRemoteAccessSetup.exe, RDesktop.exe, ComodoRemoteControl.exe, ITSMService.exe, RHost.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""mdmsupport.comodo.com"", ""*.itsm-us1.comodo.com"", ""*.cmdm.comodo.com"", ""remoteaccess.itarian.com"", ""servicedesk.itarian.com""], ""Ports"": []}]}",[],"https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html",[] -Visual Studio Dev Tunnel,,Visual Studio Dev Tunnel is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""global.rel.tunnels.api.visualstudio.com"", ""*.rel.tunnels.api.visualstudio.com"", ""*.devtunnels.ms""], ""Ports"": []}]}",[],https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security,[] -ITSupport247 (ConnectWise),,ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,saazapsc.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.itsupport247.net""], ""Ports"": []}]}",[],https://control.itsupport247.net/,[] +","Nasreddine Bencherchali, Michael Haag",2024-08-02,2024-08-02,https://www.teamviewer.com/en,TeamViewer.exe,,,TeamViewer,user,True,False,"Android, ChromeOS, IOS, Linux, Mac, Windows",,https://www.cvedetails.com/vulnerability-list/vendor_id-11100/product_id-19942/Teamviewer-Teamviewer.html,"C:\Program Files\TeamViewer\, teamviewer_desktop.exe, teamviewer_service.exe, teamviewerhost","{""Disk"": [{""File"": ""C:\\Users\\\\AppData\\Local\\Temp\\TeamViewer\\TV15Install.log"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""TeamViewer\\d\\d_Logfile\\.log"", ""Description"": ""N/A"", ""OS"": ""Windows"", ""Type"": ""Regex""}, {""File"": ""C:\\Program Files\\TeamViewer\\Connections_incoming.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\TeamViewer\\TVNetwork.log"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%LOCALAPPDATA%\\Temp\\TeamViewer\\TV15Install.log"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%APPDATA%\\\\TeamViewer\\\\TeamViewer\\d\\d_Logfile\\.log"", ""Description"": ""N/A"", ""OS"": ""Windows"", ""Type"": ""Regex""}, {""File"": ""teamviewerqs.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""tv_w32.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""tv_w64.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""tv_x64.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""teamviewer.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""teamviewer_service.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%LOCALAPPDATA%\\TeamViewer\\Database\\tvchatfilecache.db"", ""Description"": ""SQlite 3 
database storing cache about TeamViewer chat"", ""OS"": ""Windows""}, {""File"": ""%LOCALAPPDATA%\\TeamViewer\\RemotePrinting\\tvprint.db"", ""Description"": ""SQlite 3 database storing TeamViewer print jobs"", ""OS"": ""Windows""}, {""File"": ""%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\TeamViewer.lnk"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files*\\TeamViewer\\connections*.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Users\\*\\AppData\\Roaming\\TeamViewer\\MRU\\RemoteSupport\\*tvc"", ""Description"": ""N/A"", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""TeamViewer"", ""ImagePath"": ""\""C:\\\\Program Files\\\\TeamViewer\\\\TeamViewer_Service.exe\"""", ""Description"": ""Service installation event as result of TeamViewer installation.""}], ""Registry"": [{""Path"": ""HKLM\\SOFTWARE\\TeamViewer\\*"", ""Description"": ""N/A""}, {""Path"": ""HKU\\\\SOFTWARE\\TeamViewer\\*"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Services\\TeamViewer\\*"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\TeamViewer\\ConnectionHistory"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\TeamViewer\\*"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\MainWindowHandle"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImage"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImagePath"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImagePosition"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\MinimizeToTray"", ""Description"": ""N/A""}, {""Path"": 
""HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioUserSelectedCapturingEndpoint"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioSendingVolumeV2"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioUserSelectedRenderingEndpoint"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\TeamViewer\\ConnectionHistory"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\ClientWindow_Mode"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\ClientWindowPositions"", ""Description"": ""N/A""}], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.teamviewer.com""], ""Ports"": []}, {""Description"": ""N/A"", ""Domains"": [""router15.teamviewer.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""client.teamviewer.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""taf.teamviewer.com""], ""Ports"": [443]}], ""Other"": [{""Type"": ""Mutex"", ""Value"": ""TeamViewer_LogMutex""}, {""Type"": ""Mutex"", ""Value"": ""TeamViewerHooks_DynamicMemMutex""}, {""Type"": ""Mutex"", ""Value"": ""TeamViewer3_Win32_Instance_Mutex""}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of TeamViewer RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_network_sigma.yml"", ""Description"": ""Detects potential network activity of TeamViewer RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_files_sigma.yml"", ""Description"": ""Detects potential files activity of TeamViewer RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of TeamViewer RMM 
tool""}]","https://community.teamviewer.com/English/kb/articles/4139-ports-used-by-teamviewer, https://arista.my.site.com/AristaCommunity/s/article/Security-Analysis-TeamViewer#, https://www.teamviewer.com/en/global/support/knowledge-base/teamviewer-classic/troubleshooting/log-file-reading-incoming-connection/, https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html, https://github.com/Purp1eW0lf/Blue-Team-Notes","[{""Person"": ""Th\u00e9o Letailleur"", ""Handle"": ""in/theosyn""}]" +Itarian,,Itarian is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"ITSMAgent.exe, RViewer.exe, ItsmRsp.exe, RAccess.exe, RmmService.exe, ITarianRemoteAccessSetup.exe, RDesktop.exe, ComodoRemoteControl.exe, ITSMService.exe, RHost.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""mdmsupport.comodo.com"", ""*.itsm-us1.comodo.com"", ""*.cmdm.comodo.com"", ""remoteaccess.itarian.com"", ""servicedesk.itarian.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itarian_network_sigma.yml"", ""Description"": ""Detects potential network activity of Itarian RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itarian_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Itarian RMM tool""}]","https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html",[] +Visual Studio Dev Tunnel,,Visual Studio Dev Tunnel is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""global.rel.tunnels.api.visualstudio.com"", ""*.rel.tunnels.api.visualstudio.com"", ""*.devtunnels.ms""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/visual_studio_dev_tunnel_network_sigma.yml"", ""Description"": ""Detects potential network activity of Visual Studio Dev Tunnel RMM tool""}]",https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security,[] +ITSupport247 (ConnectWise),,ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,saazapsc.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.itsupport247.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__network_sigma.yml"", ""Description"": ""Detects potential network activity of ITSupport247 (ConnectWise) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ITSupport247 (ConnectWise) RMM tool""}]",https://control.itsupport247.net/,[] LogMeIn,,"LogMeIn is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. 
-",Nasreddine Bencherchali,2024-08-05,2024-08-05,https://www.logmein.com/,lmiguardiansvc.exe,,,,,,,,,,None,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""logmein-gateway.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.logmein.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.logmein.eu""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""logmeinrescue.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.logmeininc.com""], ""Ports"": [443]}]}","[{""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml"", ""Description"": ""DNS Query To Remote Access Software Domain From Non-Browser App""}, {""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_remote_access_tools_logmein.yml"", ""Description"": ""Remote Access Tool - LogMeIn Execution""}]",https://support.logmeininc.com/central/help/allowlisting-and-firewall-configuration,"[{""Person"": ""Nasreddine Bencherchali"", ""Handle"": ""@nas_bench""}]" -Cyberduck,,Cyberduck is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\Cyberduck\*, *\Cyberduck\*, *\Cyberduck.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Electric,,Electric is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""electric.ai""], ""Ports"": []}]}",[],,[] +",Nasreddine Bencherchali,2024-08-05,2024-08-05,https://www.logmein.com/,lmiguardiansvc.exe,,,,,,,,,,None,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""logmein-gateway.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.logmein.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.logmein.eu""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""logmeinrescue.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.logmeininc.com""], ""Ports"": [443]}]}","[{""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml"", ""Description"": ""DNS Query To Remote Access Software Domain From Non-Browser App""}, {""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_remote_access_tools_logmein.yml"", ""Description"": ""Remote Access Tool - LogMeIn Execution""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_network_sigma.yml"", ""Description"": ""Detects potential network activity of LogMeIn RMM tool""}]",https://support.logmeininc.com/central/help/allowlisting-and-firewall-configuration,"[{""Person"": ""Nasreddine Bencherchali"", ""Handle"": ""@nas_bench""}]" +Cyberduck,,Cyberduck is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\Cyberduck\*, *\Cyberduck\*, *\Cyberduck.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cyberduck_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Cyberduck RMM tool""}]",,[] +Electric,,Electric is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""electric.ai""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/electric_network_sigma.yml"", ""Description"": ""Detects potential network activity of Electric RMM tool""}]",,[] PuTTY,,PuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -TeraCLOUD,,TeraCLOUD is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"c:\*\TeraCloud.Client*, *\TeraCloud.Client*, *\Livedrive-Setup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Netreo,,Netreo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""charon.netreo.net"", ""activation.netreo.net"", ""*.api.netreo.com"", ""netreo.com""], ""Ports"": []}]}",[],https://solutions.netreo.com/docs/firewall-requirements,[] -Netop Remote Control (Impero Connect),,Netop Remote Control (Impero Connect) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"nhostsvc.exe, nhstw32.exe, ngstw32.exe, Netop Ondemand.exe, nldrw32.exe, rmserverconsolemediator.exe, ImperoInit.exe, Connect.Backdrop.cloud*.exe, ImperoClientSVC.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.connect.backdrop.cloud"", ""*.netop.com""], ""Ports"": []}]}",[],https://kb.netop.com/article/firewall-and-proxy-server-considerations-when-using-netop-portal-communication-373.html,[] -Splashtop (Beta),,Splashtop (Beta) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"SRServer.exe, SplashtopSOS.exe, Splashtop_Streamer_Windows*.exe, SRManager.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""splashtop.com""], ""Ports"": []}]}",[],,[] -FastViewer,,FastViewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"fastclient.exe, fastmaster.exe, FastViewer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.fastviewer.com"", ""fastviewer.com""], ""Ports"": []}]}",[],https://fastviewer.com/demo/EN_FastViewer_Server%20Installation%20Configuration.pdf,[] -RustDesk,,RustDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rustdesk*.exe, rustdesk.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""rustdesk.com"", ""user_managed"", ""web.rustdesk.com""], ""Ports"": []}]}",[],https://rustdesk.com/docs/en/,[] +TeraCLOUD,,TeraCLOUD is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"c:\*\TeraCloud.Client*, *\TeraCloud.Client*, *\Livedrive-Setup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teracloud_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of TeraCLOUD RMM tool""}]",,[] +Netreo,,Netreo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""charon.netreo.net"", ""activation.netreo.net"", ""*.api.netreo.com"", ""netreo.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netreo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Netreo RMM tool""}]",https://solutions.netreo.com/docs/firewall-requirements,[] +Netop Remote Control (Impero Connect),,Netop Remote Control (Impero Connect) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"nhostsvc.exe, nhstw32.exe, ngstw32.exe, Netop Ondemand.exe, nldrw32.exe, rmserverconsolemediator.exe, ImperoInit.exe, Connect.Backdrop.cloud*.exe, ImperoClientSVC.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.connect.backdrop.cloud"", ""*.netop.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__impero_connect__network_sigma.yml"", ""Description"": ""Detects potential network activity of Netop Remote Control (Impero Connect) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__impero_connect__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Netop Remote Control (Impero Connect) RMM tool""}]",https://kb.netop.com/article/firewall-and-proxy-server-considerations-when-using-netop-portal-communication-373.html,[] +Splashtop (Beta),,Splashtop (Beta) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"SRServer.exe, SplashtopSOS.exe, Splashtop_Streamer_Windows*.exe, SRManager.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""splashtop.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop__beta__network_sigma.yml"", ""Description"": ""Detects potential network activity of Splashtop (Beta) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop__beta__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Splashtop (Beta) RMM tool""}]",,[] +FastViewer,,FastViewer is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"fastclient.exe, fastmaster.exe, FastViewer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.fastviewer.com"", ""fastviewer.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fastviewer_network_sigma.yml"", ""Description"": ""Detects potential network activity of FastViewer RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fastviewer_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of FastViewer RMM tool""}]",https://fastviewer.com/demo/EN_FastViewer_Server%20Installation%20Configuration.pdf,[] +RustDesk,,RustDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rustdesk*.exe, rustdesk.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""rustdesk.com"", ""user_managed"", ""web.rustdesk.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rustdesk_network_sigma.yml"", ""Description"": ""Detects potential network activity of RustDesk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rustdesk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RustDesk RMM tool""}]",https://rustdesk.com/docs/en/,[] MobaXterm,,MobaXterm is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\MobaXterm_installer_12.1.msi, *\MobaXterm_installer_*.msi, *\Mobatek\MobaXterm\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -GoToAssist,,GoToAssist is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"gotoassist.exe, g2a*.exe, GoTo Assist Opener.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""goto.com"", ""*.getgo.com"", ""*.fastsupport.com"", ""*.gotoassist.com"", ""helpme.net"", ""*.gotoassist.me"", ""*.gotoassist.at"", ""*.desktopstreaming.com""], ""Ports"": []}]}",[],https://help.gotoassist.com/remote-support/help/what-should-i-allow-on-my-firewall-for-gotoassist-remote-support-v5,[] +GoToAssist,,GoToAssist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"gotoassist.exe, g2a*.exe, GoTo Assist Opener.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""goto.com"", ""*.getgo.com"", ""*.fastsupport.com"", ""*.gotoassist.com"", ""helpme.net"", ""*.gotoassist.me"", ""*.gotoassist.at"", ""*.desktopstreaming.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotoassist_network_sigma.yml"", ""Description"": ""Detects potential network activity of GoToAssist RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotoassist_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of GoToAssist RMM tool""}]",https://help.gotoassist.com/remote-support/help/what-should-i-allow-on-my-firewall-for-gotoassist-remote-support-v5,[] Free Ping Tool,,Free Ping Tool is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"can't find this one, can't find this one","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -HelpBeam,,HelpBeam is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,helpbeam*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""helpbeam.software.informer.com""], ""Ports"": []}]}",[],https://www.helpbeam.com domain for sale in 2024,[] -NTR Remote,,NTR Remote is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,NTRsupportPro_EN.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.ntrsupport.com""], ""Ports"": []}]}",[],DOA as of 2024,[] -ServerEye,,ServerEye is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"servereye*.exe, ServiceProxyLocalSys.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.server-eye.de""], ""Ports"": []}]}",[],https://www.servereye.de/wp-content/uploads/Anleitung-zur-Erstinstallation_aktuell.pdf,[] -WebRDP,,WebRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,webrdp.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""github.com/Mikej81/WebRDP""], ""Ports"": []}]}",[],github.com/Mikej81/WebRDP,[] +HelpBeam,,HelpBeam is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,helpbeam*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""helpbeam.software.informer.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpbeam_network_sigma.yml"", ""Description"": ""Detects potential network activity of HelpBeam RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpbeam_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of HelpBeam RMM tool""}]",https://www.helpbeam.com domain for sale in 2024,[] +NTR Remote,,NTR Remote is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,NTRsupportPro_EN.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.ntrsupport.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ntr_remote_network_sigma.yml"", ""Description"": ""Detects potential network activity of NTR Remote RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ntr_remote_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NTR Remote RMM tool""}]",DOA as of 2024,[] +ServerEye,,ServerEye is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"servereye*.exe, ServiceProxyLocalSys.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.server-eye.de""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/servereye_network_sigma.yml"", ""Description"": ""Detects potential network activity of ServerEye RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/servereye_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ServerEye RMM tool""}]",https://www.servereye.de/wp-content/uploads/Anleitung-zur-Erstinstallation_aktuell.pdf,[] +WebRDP,,WebRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,webrdp.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""github.com/Mikej81/WebRDP""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/webrdp_network_sigma.yml"", ""Description"": ""Detects potential network activity of WebRDP RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/webrdp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of WebRDP RMM tool""}]",github.com/Mikej81/WebRDP,[] GoTo Opener,,GoTo Opener is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\GoTo Opener, *\GoTo Opener","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -S3 Browser,,S3 Browser is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\S3 Browser\*, *\S3 Browser\*, *\s3browser*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Any Support,,Any Support is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/27/2024,,,,,,,,,,,,ManualLauncher.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.anysupport.net""], ""Ports"": []}]}",[],https://www.anysupport.net/introduce_howto.php,[] -BeamYourScreen,,BeamYourScreen is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"beamyourscreen.exe, beamyourscreen-host.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""beamyourscreen.com"", ""*.beamyourscreen.com""], ""Ports"": []}]}",[],beamyourscreen redirects to https://www.mikogo.com/,[] -Sophos-Remote Management System,,Sophos-Remote Management System is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"clientmrinit.exe, mgntsvc.exe, routernt.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.sophos.com"", ""*.sophosupd.com"", ""*.sophosupd.net"", ""community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system""], ""Ports"": []}]}",[],community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system,[] -Amazon (Cloud) Drive,,Amazon (Cloud) Drive is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\*\AppData\Local\Amazon\Cloud Drive\*, *\AppData\Local\Amazon\Cloud Drive\*, *\AmazonCloudDrive.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Desktop Central,,Desktop Central is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,dcagentservice.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""desktopcentral.manageengine.com""], ""Ports"": []}]}",[],,[] -PSEXEC (Clone),,PSEXEC (Clone) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"paexec.exe, PAExec-*.exe, csexec.exe , remcom.exe, remcomsvc.exe, xcmd.exe, xcmdsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}",[],https://www.poweradmin.com/paexec/,[] -GetScreen,,GetScreen is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"GetScreen.exe, getscreen.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""getscreen.me"", ""GetScreen.me"", ""*.getscreen.me""], ""Ports"": []}]}",[],https://docs.getscreen.me/self-hosted/system-requirements/,[] -RemotePC,,RemotePC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"C:\Program Files (x86)\RemotePC\*, Idrive.File-Transfer, *\RemotePC\*, remotepcservice.exe, RemotePC.exe, remotepchost.exe, idrive.RemotePCAgent, rpcsuite.exe, *\RemotePCService.exe, RemotePCService.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.remotedesktop.com"", ""*.remotepc.com"", ""www.remotepc.com"", ""remotepc.com""], ""Ports"": []}]}",[],https://www.remotedesktop.com/helpdesk/faq-firewall,[] -Tanium,,Tanium is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"TaniumClient.exe, TaniumCX.exe, TaniumExecWrapper.exe, TaniumFileInfo.exe, TPowerShell.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""cloud.tanium.com"", ""*.cloud.tanium.com""], ""Ports"": []}]}",[],https://help.tanium.com/bundle/ug_client_cloud/page/client/platform_connections.html,[] -GoodSync,,GoodSync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"installation requires paid version of GoodSync Server, installation requires paid version of GoodSync Server, GoodSync-vsub-Setup.exe, A40B81B36CDC2D24910FC58816E50DCDE21BD1A9","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -LabTeach (Connectwise Automate),,LabTeach (Connectwise Automate) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,ltsvc.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -RemoteView,,RemoteView is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"remoteview.exe, rv.exe, rvagent.exe, rvagtray.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*content.rview.com"", ""*.rview.com"", ""content.rview.com""], ""Ports"": []}]}",[],https://help.rview.com/hc/en-us/articles/360005175994--RemoteView-Server-list-for-firewall,[] -UltraVNC,,UltraVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,UltraVNC*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""ultravnc.com"", ""user_managed""], ""Ports"": []}]}",[],https://uvnc.com/docs/uvnc-server/49-UltraVNC-server-configuration.html,[] -SmarTTY,,SmarTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"c:\Program Files (x86)\Sysprogs\SmarTTY\*, *\Sysprogs\SmarTTY\*, *\SmarTTY.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Absolute (Computrace),,Absolute (Computrace) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,6/18/2024,,,,,,,,,,,,"rpcnet.exe, ctes.exe, ctespersitence.exe, cteshostsvc.exe, rpcld.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*search.namequery.com"", ""*server.absolute.com""], ""Ports"": []}]}",[],https://community.absolute.com/s/article/Understanding-Absolutes-Endpoint-Agents-Rpcnet-CTES-and-search-namequery-com,[] -Quest KACE Agent (formerly Dell KACE),,Quest KACE Agent (formerly Dell KACE) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,konea.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.kace.com"", ""www.quest.com/kace/""], ""Ports"": []}]}",[],https://support.quest.com/kb/4211365/which-network-ports-and-urls-are-required-for-the-kace-sma-appliance-to-function,[] -DeskShare,,DeskShare is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"TeamTaskManager.exe, DSGuest.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}",[],https://www.deskshare.com/help/fml/Active-and-Passive-connection-mode.aspx,[] -Pocket Cloud (Wyse),,Pocket Cloud (Wyse) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"pocketcloud*.exe, pocketcloudservice.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],https://wyse-pocketcloud.informer.com/2.1/,[] -ESET Remote Administrator,,ESET Remote Administrator is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"einstaller.exe, era.exe, ERAAgent.exe, ezhelp*.exe, eratool.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""eset.com/me/business/remote-management/remote-administrator/""], ""Ports"": []}]}",[],eset.com/me/business/remote-management/remote-administrator/,[] -Pilixo,,Pilixo is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rdp.exe, Pilixo_Installer*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""pilixo.com"", ""download.pilixo.com"", ""*.pilixo.com""], ""Ports"": []}]}",[],https://pilixo.freshdesk.com/support/solutions/articles/9000141879-device-connectivity-and-firewalls,[] -CloudMounter,,CloudMounter is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\CloudMounter\*, *\CloudMounter\*, *\CloudMounter\*, *\cloudmounter.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Mikogo,,Mikogo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"mikogo.exe, mikogo-starter.exe, mikogo-service.exe, mikogolauncher.exe, C:\Users\*\AppData\Roaming\Mikogo\*, *Users\*\AppData\Roaming\Mikogo\*, *\Mikogo-Service.exe, *\Mikogo-Screen-Service.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.real-time-collaboration.com"", ""*.mikogo4.com"", ""*.mikogo.com"", ""mikogo.com""], ""Ports"": []}]}",[],https://mikogo.zendesk.com/hc/en-us/articles/214072478-Which-IP-addresses-do-we-use-for-our-services,[] +S3 Browser,,S3 Browser is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\S3 Browser\*, *\S3 Browser\*, *\s3browser*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/s3_browser_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of S3 Browser RMM tool""}]",,[] +Any Support,,Any Support is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/27/2024,,,,,,,,,,,,ManualLauncher.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.anysupport.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/any_support_network_sigma.yml"", ""Description"": ""Detects potential network activity of Any Support RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/any_support_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Any Support RMM tool""}]",https://www.anysupport.net/introduce_howto.php,[] +BeamYourScreen,,BeamYourScreen is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"beamyourscreen.exe, beamyourscreen-host.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""beamyourscreen.com"", ""*.beamyourscreen.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beamyourscreen_network_sigma.yml"", ""Description"": ""Detects potential network activity of BeamYourScreen RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beamyourscreen_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of BeamYourScreen RMM tool""}]",beamyourscreen redirects to https://www.mikogo.com/,[] +Sophos-Remote Management System,,Sophos-Remote Management System is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"clientmrinit.exe, mgntsvc.exe, routernt.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.sophos.com"", ""*.sophosupd.com"", ""*.sophosupd.net"", ""community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sophos-remote_management_system_network_sigma.yml"", ""Description"": ""Detects potential network activity of Sophos-Remote Management System RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sophos-remote_management_system_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Sophos-Remote Management System RMM tool""}]",community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system,[] +Amazon (Cloud) Drive,,Amazon (Cloud) Drive is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\*\AppData\Local\Amazon\Cloud Drive\*, *\AppData\Local\Amazon\Cloud Drive\*, *\AmazonCloudDrive.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/amazon__cloud__drive_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Amazon (Cloud) Drive RMM tool""}]",,[] +Desktop Central,,Desktop Central is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,dcagentservice.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""desktopcentral.manageengine.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktop_central_network_sigma.yml"", ""Description"": ""Detects potential network activity of Desktop Central RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktop_central_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Desktop Central RMM tool""}]",,[] +PSEXEC (Clone),,PSEXEC (Clone) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"paexec.exe, PAExec-*.exe, csexec.exe , remcom.exe, remcomsvc.exe, xcmd.exe, xcmdsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec__clone__network_sigma.yml"", ""Description"": ""Detects potential network activity of PSEXEC (Clone) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec__clone__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of PSEXEC (Clone) RMM tool""}]",https://www.poweradmin.com/paexec/,[] +GetScreen,,GetScreen is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"GetScreen.exe, getscreen.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""getscreen.me"", ""GetScreen.me"", ""*.getscreen.me""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/getscreen_network_sigma.yml"", ""Description"": ""Detects potential network activity of GetScreen RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/getscreen_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of GetScreen RMM tool""}]",https://docs.getscreen.me/self-hosted/system-requirements/,[] +RemotePC,,RemotePC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"C:\Program Files (x86)\RemotePC\*, Idrive.File-Transfer, *\RemotePC\*, remotepcservice.exe, RemotePC.exe, remotepchost.exe, idrive.RemotePCAgent, rpcsuite.exe, *\RemotePCService.exe, RemotePCService.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.remotedesktop.com"", ""*.remotepc.com"", ""www.remotepc.com"", ""remotepc.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepc_network_sigma.yml"", ""Description"": ""Detects potential network activity of RemotePC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RemotePC RMM tool""}]",https://www.remotedesktop.com/helpdesk/faq-firewall,[] +Tanium,,Tanium is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"TaniumClient.exe, TaniumCX.exe, TaniumExecWrapper.exe, TaniumFileInfo.exe, TPowerShell.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""cloud.tanium.com"", ""*.cloud.tanium.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_network_sigma.yml"", ""Description"": ""Detects potential network activity of Tanium RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Tanium RMM tool""}]",https://help.tanium.com/bundle/ug_client_cloud/page/client/platform_connections.html,[] +GoodSync,,GoodSync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"installation requires paid version of GoodSync Server, installation requires paid version of GoodSync Server, GoodSync-vsub-Setup.exe, A40B81B36CDC2D24910FC58816E50DCDE21BD1A9","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/goodsync_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of GoodSync RMM tool""}]",,[] +LabTeach (Connectwise Automate),,LabTeach (Connectwise Automate) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,ltsvc.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labteach__connectwise_automate__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of LabTeach (Connectwise Automate) RMM tool""}]",,[] +RemoteView,,RemoteView is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"remoteview.exe, rv.exe, rvagent.exe, rvagtray.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*content.rview.com"", ""*.rview.com"", ""content.rview.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteview_network_sigma.yml"", ""Description"": ""Detects potential network activity of RemoteView RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteview_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RemoteView RMM tool""}]",https://help.rview.com/hc/en-us/articles/360005175994--RemoteView-Server-list-for-firewall,[] +UltraVNC,,UltraVNC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,UltraVNC*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""ultravnc.com"", ""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultravnc_network_sigma.yml"", ""Description"": ""Detects potential network activity of UltraVNC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultravnc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of UltraVNC RMM tool""}]",https://uvnc.com/docs/uvnc-server/49-UltraVNC-server-configuration.html,[] +SmarTTY,,SmarTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"c:\Program Files (x86)\Sysprogs\SmarTTY\*, *\Sysprogs\SmarTTY\*, *\SmarTTY.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/smartty_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SmarTTY RMM tool""}]",,[] +Absolute (Computrace),,Absolute (Computrace) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,6/18/2024,,,,,,,,,,,,"rpcnet.exe, ctes.exe, ctespersitence.exe, cteshostsvc.exe, rpcld.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*search.namequery.com"", ""*server.absolute.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/absolute__computrace__network_sigma.yml"", ""Description"": ""Detects potential network activity of Absolute (Computrace) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/absolute__computrace__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Absolute (Computrace) RMM tool""}]",https://community.absolute.com/s/article/Understanding-Absolutes-Endpoint-Agents-Rpcnet-CTES-and-search-namequery-com,[] +Quest KACE Agent (formerly Dell KACE),,Quest KACE Agent (formerly Dell KACE) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,konea.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.kace.com"", ""www.quest.com/kace/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quest_kace_agent__formerly_dell_kace__network_sigma.yml"", ""Description"": ""Detects potential network activity of Quest KACE Agent (formerly Dell KACE) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quest_kace_agent__formerly_dell_kace__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Quest KACE Agent (formerly Dell KACE) RMM tool""}]",https://support.quest.com/kb/4211365/which-network-ports-and-urls-are-required-for-the-kace-sma-appliance-to-function,[] +DeskShare,,DeskShare is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"TeamTaskManager.exe, DSGuest.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskshare_network_sigma.yml"", ""Description"": ""Detects potential network activity of DeskShare RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskshare_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DeskShare RMM tool""}]",https://www.deskshare.com/help/fml/Active-and-Passive-connection-mode.aspx,[] +Pocket Cloud (Wyse),,Pocket Cloud (Wyse) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"pocketcloud*.exe, pocketcloudservice.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_cloud__wyse__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pocket Cloud (Wyse) RMM tool""}]",https://wyse-pocketcloud.informer.com/2.1/,[] +ESET Remote Administrator,,ESET Remote Administrator is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"einstaller.exe, era.exe, ERAAgent.exe, ezhelp*.exe, eratool.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""eset.com/me/business/remote-management/remote-administrator/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_network_sigma.yml"", ""Description"": ""Detects potential network activity of ESET Remote Administrator RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ESET Remote Administrator RMM tool""}]",eset.com/me/business/remote-management/remote-administrator/,[] +Pilixo,,Pilixo is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rdp.exe, Pilixo_Installer*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""pilixo.com"", ""download.pilixo.com"", ""*.pilixo.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pilixo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Pilixo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pilixo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pilixo RMM tool""}]",https://pilixo.freshdesk.com/support/solutions/articles/9000141879-device-connectivity-and-firewalls,[] +CloudMounter,,CloudMounter is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\CloudMounter\*, *\CloudMounter\*, *\CloudMounter\*, *\cloudmounter.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudmounter_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of CloudMounter RMM tool""}]",,[] +Mikogo,,Mikogo is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"mikogo.exe, mikogo-starter.exe, mikogo-service.exe, mikogolauncher.exe, C:\Users\*\AppData\Roaming\Mikogo\*, *Users\*\AppData\Roaming\Mikogo\*, *\Mikogo-Service.exe, *\Mikogo-Screen-Service.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.real-time-collaboration.com"", ""*.mikogo4.com"", ""*.mikogo.com"", ""mikogo.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mikogo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Mikogo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mikogo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Mikogo RMM tool""}]",https://mikogo.zendesk.com/hc/en-us/articles/214072478-Which-IP-addresses-do-we-use-for-our-services,[] WebEx (Remote Access),,WebEx (Remote Access) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],https://help.webex.com/en-us/article/nyc3q0b/Set-Up-a-Computer-for-Remote-Access,[] Koofr,,Koofr is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Duplicati,,Duplicati is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"c:\Program Files\*\Duplicati.Server.exe, *\*\Duplicati.Server.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -ManageEngine RMM Central,,ManageEngine RMM Central is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""manageengine.com/remote-monitoring-management/""], ""Ports"": []}]}",[],,[] -WinSCP,,WinSCP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\IEUser\Downloads\WinSCP-5.21.6-Portable\*, *\WinSCP*Portable\*, *\WinSCP.exe, *\WinSCP\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -GatherPlace-desktop sharing,,GatherPlace-desktop sharing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"gp3.exe, gp4.exe, gp5.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.gatherplace.com"", ""*.gatherplace.net"", ""gatherplace.com""], ""Ports"": []}]}",[],https://www.gatherplace.com/kb?id=136377,[] -Laplink Gold,,Laplink Gold is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"tsircusr.exe, laplink.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""wen.laplink.com/product/laplink-gold""], ""Ports"": []}]}",[],wen.laplink.com/product/laplink-gold,[] -Centurion,,Centurion is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,ctiserv.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""centuriontech.com""], ""Ports"": []}]}",[],https://data443.atlassian.net/servicedesk/customer/portal/20,[] -Ivanti Remote Control,,Ivanti Remote Control is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"IvantiRemoteControl.exe, ArcUI.exe, AgentlessRC.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.ivanticloud.com""], ""Ports"": []}]}",[],https://rc1.ivanticloud.com/,[] +Duplicati,,Duplicati is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"c:\Program Files\*\Duplicati.Server.exe, *\*\Duplicati.Server.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/duplicati_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Duplicati RMM tool""}]",,[] +ManageEngine RMM Central,,ManageEngine RMM Central is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""manageengine.com/remote-monitoring-management/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manageengine_rmm_central_network_sigma.yml"", ""Description"": ""Detects potential network activity of ManageEngine RMM Central RMM tool""}]",,[] +WinSCP,,WinSCP is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\IEUser\Downloads\WinSCP-5.21.6-Portable\*, *\WinSCP*Portable\*, *\WinSCP.exe, *\WinSCP\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/winscp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of WinSCP RMM tool""}]",,[] +GatherPlace-desktop sharing,,GatherPlace-desktop sharing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"gp3.exe, gp4.exe, gp5.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.gatherplace.com"", ""*.gatherplace.net"", ""gatherplace.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gatherplace-desktop_sharing_network_sigma.yml"", ""Description"": ""Detects potential network activity of GatherPlace-desktop sharing RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gatherplace-desktop_sharing_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of GatherPlace-desktop sharing RMM tool""}]",https://www.gatherplace.com/kb?id=136377,[] +Laplink Gold,,Laplink Gold is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"tsircusr.exe, laplink.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""wen.laplink.com/product/laplink-gold""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_gold_network_sigma.yml"", ""Description"": ""Detects potential network activity of Laplink Gold RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_gold_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Laplink Gold RMM tool""}]",wen.laplink.com/product/laplink-gold,[] +Centurion,,Centurion is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,ctiserv.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""centuriontech.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centurion_network_sigma.yml"", ""Description"": ""Detects potential network activity of Centurion RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centurion_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Centurion RMM tool""}]",https://data443.atlassian.net/servicedesk/customer/portal/20,[] +Ivanti Remote Control,,Ivanti Remote Control is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"IvantiRemoteControl.exe, ArcUI.exe, AgentlessRC.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.ivanticloud.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ivanti_remote_control_network_sigma.yml"", ""Description"": ""Detects potential network activity of Ivanti Remote Control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ivanti_remote_control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Ivanti Remote Control RMM tool""}]",https://rc1.ivanticloud.com/,[] NordLocker,,NordLocker is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] Cloud Turtle,,Cloud Turtle is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Genie9\*, *\Genie9\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] CloudExplorer,,CloudExplorer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] CloudHQ,,CloudHQ is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Xeox,,Xeox is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"xeox-agent_x64.exe, xeox_service_windows.exe, xeox-agent_*.exe, xeox-agent_x86.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.xeox.com"", ""xeox.com""], ""Ports"": []}]}",[],https://help.xeox.com/knowledge-base/gSuyNfDH6u79M82utnswf2/firewall-settings-xeox-agent-and-integrations/47T7S9tZJ2L1Z2W5gwuXoW,[] -ezHelp,,ezHelp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"ezhelpclientmanager.exe, ezHelpManager.exe, ezhelpclient.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.ezhelp.co.kr"", ""ezhelp.co.kr""], ""Ports"": []}]}",[],https://www.exhelp.co.kr,[] -Level.io,,Level.io is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"level-windows-amd64.exe, level.exe, level-remote-control-ffmpeg.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""level.io"", ""*.level.io""], ""Ports"": []}]}",[],https://docs.level.io/1.0/admin-guides/troubleshooting-agent-issues,[] +Xeox,,Xeox is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"xeox-agent_x64.exe, xeox_service_windows.exe, xeox-agent_*.exe, xeox-agent_x86.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.xeox.com"", ""xeox.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xeox_network_sigma.yml"", ""Description"": ""Detects potential network activity of Xeox RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xeox_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Xeox RMM tool""}]",https://help.xeox.com/knowledge-base/gSuyNfDH6u79M82utnswf2/firewall-settings-xeox-agent-and-integrations/47T7S9tZJ2L1Z2W5gwuXoW,[] +ezHelp,,ezHelp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"ezhelpclientmanager.exe, ezHelpManager.exe, ezhelpclient.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.ezhelp.co.kr"", ""ezhelp.co.kr""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ezhelp_network_sigma.yml"", ""Description"": ""Detects potential network activity of ezHelp RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ezhelp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ezHelp RMM tool""}]",https://www.exhelp.co.kr,[] +Level.io,,Level.io is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"level-windows-amd64.exe, level.exe, level-remote-control-ffmpeg.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""level.io"", ""*.level.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_network_sigma.yml"", ""Description"": ""Detects potential network activity of Level.io RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Level.io RMM tool""}]",https://docs.level.io/1.0/admin-guides/troubleshooting-agent-issues,[] MultCloud,,MultCloud is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"requires sign up, requires sign up","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] CloudGopher,,CloudGopher is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Synergy,,Synergy is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}",[],https://symless.com/synergy,[] -ConnectWise Control,,ConnectWise Control is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"screenconnect.clientservice.exe, connectwisecontrol.client.exe, screenconnect.windowsclient.exe, connectwisechat-customer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""live.screenconnect.com"", ""control.connectwise.com""], ""Ports"": []}]}",[],,[] -OptiTune,,OptiTune is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"OTService.exe, OTPowerShell.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.optitune.us"", ""*.opti-tune.com""], ""Ports"": []}]}",[],https://www.bravurasoftware.com/optitune/support/faq.aspx,[] +Synergy,,Synergy is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/synergy_network_sigma.yml"", ""Description"": ""Detects potential network activity of Synergy RMM tool""}]",https://symless.com/synergy,[] +ConnectWise Control,,ConnectWise Control is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"screenconnect.clientservice.exe, connectwisecontrol.client.exe, screenconnect.windowsclient.exe, connectwisechat-customer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""live.screenconnect.com"", ""control.connectwise.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_network_sigma.yml"", ""Description"": ""Detects potential network activity of ConnectWise Control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ConnectWise Control RMM tool""}]",,[] +OptiTune,,OptiTune is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"OTService.exe, OTPowerShell.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.optitune.us"", ""*.opti-tune.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/optitune_network_sigma.yml"", ""Description"": ""Detects potential network activity of OptiTune RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/optitune_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of OptiTune RMM tool""}]",https://www.bravurasoftware.com/optitune/support/faq.aspx,[] Netop,,Netop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\Danware Data\NetOp Packn Deploy\*, *\Danware Data\NetOp Packn Deploy\*, *\Netop Remote Control\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] ConnectWise,,ConnectWise is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\ScreenConnect Client ()\*, *\ScreenConnect*Client*\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Encapto,,Encapto is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""encapto.com""], ""Ports"": []}]}",[],https://www.encapto.com - used to manage Cisco services,[] +Encapto,,Encapto is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""encapto.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/encapto_network_sigma.yml"", ""Description"": ""Detects potential network activity of Encapto RMM tool""}]",https://www.encapto.com - used to manage Cisco services,[] Action1,,"Action1 is a powerful Remote Monitoring and Management(RMM) tool that enables users to execute commands, scripts, and binaries. Through the web interface of action1, the administrator must create a new policy or an app to establish remote execution and then points that the agent is installed. 
-",@kostastsale,2024-08-03,2024-08-03,https://www.action1.com/,action1_connector.exe,,,,SYSTEM,Yes,Corporate email required although temporary email services are accepted,Windows,"Backup and disaster recovery, Billing and invoicing, Customer portal, HelpDesk and ticketing, Mobile app, Network discovery, Patch management, Remote monitoring and management, Reporting and analytics",,C:\Windows\Action1\*,"{""Disk"": [{""File"": ""C:\\Windows\\Action1\\action1_agent.exe"", ""Description"": ""Action1 service binary"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\Action1\\*"", ""Description"": ""Multiple files and binaries related to Action1 installation"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\Action1\\scripts\\*"", ""Description"": ""Multiple scripts related to Action1 installation"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\Action1\\rule_data\\*"", ""Description"": ""Files related to Action1 rules"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\Action1\\action1_log_*.log"", ""Description"": ""Contains history, errors, system notifications. 
Incoming and outgoing connections."", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""Action1 Agent"", ""ImagePath"": ""\""C:\\\\Windows\\\\Action1\\\\action1_agent.exe\"""", ""Description"": ""Service installation event as result of Action1 installation.""}, {""EventID"": 4688, ""ProviderName"": ""Microsoft-Security-Auditing"", ""LogFile"": ""Security.evtx"", ""CommandLine"": ""C:\\Windows\\Action1\\action1_agent.exe service"", ""Description"": ""Service installation event as result of Action1 installation.""}, {""EventID"": 4688, ""ProviderName"": ""Microsoft-Security-Auditing"", ""LogFile"": ""Security.evtx"", ""CommandLine"": ""C:\\Windows\\Action1\\action1_agent.exe loggedonuser"", ""Description"": ""Executing command to get logged on user.""}], ""Registry"": [{""Path"": ""HKLM\\System\\CurrentControlSet\\Services\\A1Agent"", ""Description"": ""Service installation event as result of Action1 installation.""}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\action1_agent.exe"", ""Description"": ""Ensures that detailed crash information is available for analysis, which aids in maintaining the stability and reliability of the software.""}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Action1"", ""Description"": ""Storing its configuration settings and other relevant information""}], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""*.action1.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""a1-backend-packages.s3.amazonaws.com""], ""Ports"": [443]}]}","[{""Name"": ""Arbitrary code execution and remote sessions via Action1 RMM"", ""Description"": ""Threat hunting rule for detecting the execution of arbitrary code and remote sessions via Action1 RMM"", ""author"": ""@kostastsale"", ""Link"": 
""https://github.com/tsale/Sigma_rules/blob/ea87e4fc851207ca0f002ec043624f2b3bf1b2da/Threat%20Hunting%20Queries/Action1_RMM.yml""}]","https://www.action1.com/documentation/firewall-configuration/, https://www.action1.com/documentation/, https://twitter.com/Kostastsale/status/1646256901506605063?s=20, https://ruler-project.github.io/ruler-project/RULER/remote/Action1/","[{""Person"": ""Kostas"", ""Handle"": ""@kostastsale""}]" -FleetDeck.io,,FleetDeck.io is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"fleetdeck_agent_svc.exe, fleetdeck_commander_svc.exe, fleetdeck_installer.exe, fleetdeck_commander_launcher.exe, fleetdeck_agent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""fleetdeck.io""], ""Ports"": []}]}",[],,[] -SuperPuTTY,,SuperPuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Downloads\SuperPuTTY\*, *Downloads\SuperPuTTY\*, *\superputty.exe, *\SuperPuTTY\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Royal Apps,,Royal Apps is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"royalserver.exe, royalts.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}",[],https://www.royalapps.com/ts/win/download,[] -Tanium Deploy,,Tanium Deploy is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""tanium.com/products/tanium-deploy""], ""Ports"": []}]}",[],,[] -Zabbix Agent,,Zabbix Agent is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,zabbix_agent*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""zabbix.com""], ""Ports"": []}]}",[],https://www.zabbix.com/documentation/current/en/manual/appendix/install/windows_agent,[] -Weezo,,Weezo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"weezohttpd.exe, weezo.exe, weezo setup*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.weezo.me"", ""weezo.net"", ""*.weezo.net"", ""weezo.en.softonic.com""], ""Ports"": []}]}",[],weezo.en.softonic.com,[] -BeInSync,,BeInSync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,Beinsync*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.beinsync.net"", ""*.beinsync.com""], ""Ports"": []}]}",[],https://en.wikipedia.org/wiki/Phoenix_Technologies,[] -ScreenMeet,,ScreenMeet is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"ScreenMeetSupport.exe, ScreenMeet.Support.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.screenmeet.com"", ""*.scrn.mt""], ""Ports"": []}]}",[],https://docs.screenmeet.com/docs/firewall-white-list,[] -MyIVO,,MyIVO is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"myivomgr.exe, myivomanager.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""myivo-server.software.informer.com""], ""Ports"": []}]}",[],myivo.com - DOA as of 2024,[] -LabTech RMM (Now ConnectWise Automate),,LabTech RMM (Now ConnectWise Automate) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"ltsvc.exe, ltsvcmon.exe, lttray.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""connectwise.com""], ""Ports"": []}]}",[],,[] -Kabuto,,Kabuto is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,Kabuto.App.Runner.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.kabuto.io"", ""repairtechsolutions.com/kabuto/""], ""Ports"": []}]}",[],https://www.repairtechsolutions.com/documentation/kabuto/,[] +",@kostastsale,2024-08-03,2024-08-03,https://www.action1.com/,action1_connector.exe,,,,SYSTEM,Yes,Corporate email required although temporary email services are accepted,Windows,"Backup and disaster recovery, Billing and invoicing, Customer portal, HelpDesk and ticketing, Mobile app, Network discovery, Patch management, Remote monitoring and management, Reporting and analytics",,C:\Windows\Action1\*,"{""Disk"": [{""File"": ""C:\\Windows\\Action1\\action1_agent.exe"", ""Description"": ""Action1 service binary"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\Action1\\*"", ""Description"": ""Multiple files and binaries related to Action1 installation"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\Action1\\scripts\\*"", ""Description"": ""Multiple scripts related to Action1 installation"", ""OS"": ""Windows""}, {""File"": 
""C:\\Windows\\Action1\\rule_data\\*"", ""Description"": ""Files related to Action1 rules"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\Action1\\action1_log_*.log"", ""Description"": ""Contains history, errors, system notifications. Incoming and outgoing connections."", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""Action1 Agent"", ""ImagePath"": ""\""C:\\\\Windows\\\\Action1\\\\action1_agent.exe\"""", ""Description"": ""Service installation event as result of Action1 installation.""}, {""EventID"": 4688, ""ProviderName"": ""Microsoft-Security-Auditing"", ""LogFile"": ""Security.evtx"", ""CommandLine"": ""C:\\Windows\\Action1\\action1_agent.exe service"", ""Description"": ""Service installation event as result of Action1 installation.""}, {""EventID"": 4688, ""ProviderName"": ""Microsoft-Security-Auditing"", ""LogFile"": ""Security.evtx"", ""CommandLine"": ""C:\\Windows\\Action1\\action1_agent.exe loggedonuser"", ""Description"": ""Executing command to get logged on user.""}], ""Registry"": [{""Path"": ""HKLM\\System\\CurrentControlSet\\Services\\A1Agent"", ""Description"": ""Service installation event as result of Action1 installation.""}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\action1_agent.exe"", ""Description"": ""Ensures that detailed crash information is available for analysis, which aids in maintaining the stability and reliability of the software.""}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Action1"", ""Description"": ""Storing its configuration settings and other relevant information""}], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""*.action1.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""a1-backend-packages.s3.amazonaws.com""], ""Ports"": [443]}]}","[{""Name"": ""Arbitrary code execution and remote sessions via Action1 RMM"", ""Description"": 
""Threat hunting rule for detecting the execution of arbitrary code and remote sessions via Action1 RMM"", ""author"": ""@kostastsale"", ""Link"": ""https://github.com/tsale/Sigma_rules/blob/ea87e4fc851207ca0f002ec043624f2b3bf1b2da/Threat%20Hunting%20Queries/Action1_RMM.yml""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of Action1 RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_network_sigma.yml"", ""Description"": ""Detects potential network activity of Action1 RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_files_sigma.yml"", ""Description"": ""Detects potential files activity of Action1 RMM tool""}]","https://www.action1.com/documentation/firewall-configuration/, https://www.action1.com/documentation/, https://twitter.com/Kostastsale/status/1646256901506605063?s=20, https://ruler-project.github.io/ruler-project/RULER/remote/Action1/","[{""Person"": ""Kostas"", ""Handle"": ""@kostastsale""}]" +FleetDeck.io,,FleetDeck.io is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"fleetdeck_agent_svc.exe, fleetdeck_commander_svc.exe, fleetdeck_installer.exe, fleetdeck_commander_launcher.exe, fleetdeck_agent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""fleetdeck.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdeck.io_network_sigma.yml"", ""Description"": ""Detects potential network activity of FleetDeck.io RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdeck.io_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of FleetDeck.io RMM tool""}]",,[] +SuperPuTTY,,SuperPuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Downloads\SuperPuTTY\*, *Downloads\SuperPuTTY\*, *\superputty.exe, *\SuperPuTTY\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superputty_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SuperPuTTY RMM tool""}]",,[] +Royal Apps,,Royal Apps is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"royalserver.exe, royalts.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_apps_network_sigma.yml"", ""Description"": ""Detects potential network activity of Royal Apps RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_apps_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Royal Apps RMM tool""}]",https://www.royalapps.com/ts/win/download,[] +Tanium Deploy,,Tanium Deploy is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""tanium.com/products/tanium-deploy""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_deploy_network_sigma.yml"", ""Description"": ""Detects potential network activity of Tanium Deploy RMM tool""}]",,[] +Zabbix Agent,,Zabbix Agent is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,zabbix_agent*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""zabbix.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zabbix_agent_network_sigma.yml"", ""Description"": ""Detects potential network activity of Zabbix Agent RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zabbix_agent_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Zabbix Agent RMM tool""}]",https://www.zabbix.com/documentation/current/en/manual/appendix/install/windows_agent,[] +Weezo,,Weezo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"weezohttpd.exe, weezo.exe, weezo setup*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.weezo.me"", ""weezo.net"", ""*.weezo.net"", ""weezo.en.softonic.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/weezo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Weezo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/weezo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Weezo RMM tool""}]",weezo.en.softonic.com,[] +BeInSync,,BeInSync is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,Beinsync*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.beinsync.net"", ""*.beinsync.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beinsync_network_sigma.yml"", ""Description"": ""Detects potential network activity of BeInSync RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beinsync_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of BeInSync RMM tool""}]",https://en.wikipedia.org/wiki/Phoenix_Technologies,[] +ScreenMeet,,ScreenMeet is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"ScreenMeetSupport.exe, ScreenMeet.Support.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.screenmeet.com"", ""*.scrn.mt""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenmeet_network_sigma.yml"", ""Description"": ""Detects potential network activity of ScreenMeet RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenmeet_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ScreenMeet RMM tool""}]",https://docs.screenmeet.com/docs/firewall-white-list,[] +MyIVO,,MyIVO is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"myivomgr.exe, myivomanager.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""myivo-server.software.informer.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/myivo_network_sigma.yml"", ""Description"": ""Detects potential network activity of MyIVO RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/myivo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MyIVO RMM tool""}]",myivo.com - DOA as of 2024,[] +LabTech RMM (Now ConnectWise Automate),,LabTech RMM (Now ConnectWise Automate) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"ltsvc.exe, ltsvcmon.exe, lttray.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""connectwise.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labtech_rmm__now_connectwise_automate__network_sigma.yml"", ""Description"": ""Detects potential network activity of LabTech RMM (Now ConnectWise Automate) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labtech_rmm__now_connectwise_automate__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of LabTech RMM (Now ConnectWise Automate) RMM tool""}]",,[] +Kabuto,,Kabuto is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,Kabuto.App.Runner.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.kabuto.io"", ""repairtechsolutions.com/kabuto/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kabuto_network_sigma.yml"", ""Description"": ""Detects potential network activity of Kabuto RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kabuto_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Kabuto RMM tool""}]",https://www.repairtechsolutions.com/documentation/kabuto/,[] FreeRDP,,FreeRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -ZOC,,ZOC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\ZOC8\*, *\ZOC?\*, *\zoc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -AliWangWang-remote-control,,AliWangWang-remote-control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,alitask.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""wangwang.taobao.com""], ""Ports"": []}]}",[],https://github.com/KKomarov/AliWangWangEng/blob/master/chs.locale,[] -Goverlan,,Goverlan is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"goverrmc.exe, govsrv*.exe, GovAgentInstallHelper.exe, GovAgentx64.exe, GovReachClient.exe, C:\Program Files (x86)\PJ Technologies\GOVsrv\*, *\PJ Technologies\GOVsrv\*, *\GovSrv.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""goverlan.com""], ""Ports"": []}]}",[],https://www.goverlan.com/pdf/Goverlan-Remote-Control-Software.pdf,[] -Microsoft Quick Assist,,Microsoft Quick Assist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,quickassist.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}",[],https://support.microsoft.com/en-us/windows/install-quick-assist-c17479b7-a49d-4d12-938c-dbfb97c88bca,[] -N-Able Advanced Monitoring Agent,,N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"BASupSrvc.exe, winagent.exe, BASupApp.exe, BASupTSHelper.exe, Agent_*_RW.exe, BASEClient.exe, BASupSrvcCnfg.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.beanywhere.com "", ""systemmonitor.co.uk"", ""*system-monitor.com"", ""cloudbackup.management"", ""*systemmonitor.co.uk"", ""n-able.com"", ""systemmonitor.us"", ""*systemmonitor.eu.com"", ""*.logicnow.com"", ""*.swi-tc.com"", ""*remote.management"", ""systemmonitor.us.cdn.cloudflare.net"", ""*cloudbackup.management"", ""remote.management"", ""logicnow.com"", ""system-monitor.com"", ""*systemmonitor.us"", ""systemmonitor.eu.com"", ""*.n-able.com""], ""Ports"": []}]}",[],https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm,[] +ZOC,,ZOC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\ZOC8\*, *\ZOC?\*, *\zoc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ZOC RMM tool""}]",,[] +AliWangWang-remote-control,,AliWangWang-remote-control is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,alitask.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""wangwang.taobao.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aliwangwang-remote-control_network_sigma.yml"", ""Description"": ""Detects potential network activity of AliWangWang-remote-control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aliwangwang-remote-control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of AliWangWang-remote-control RMM tool""}]",https://github.com/KKomarov/AliWangWangEng/blob/master/chs.locale,[] +Goverlan,,Goverlan is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"goverrmc.exe, govsrv*.exe, GovAgentInstallHelper.exe, GovAgentx64.exe, GovReachClient.exe, C:\Program Files (x86)\PJ Technologies\GOVsrv\*, *\PJ Technologies\GOVsrv\*, *\GovSrv.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""goverlan.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/goverlan_network_sigma.yml"", ""Description"": ""Detects potential network activity of Goverlan RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/goverlan_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Goverlan RMM tool""}]",https://www.goverlan.com/pdf/Goverlan-Remote-Control-Software.pdf,[] +Microsoft Quick Assist,,Microsoft Quick Assist is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,quickassist.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_quick_assist_network_sigma.yml"", ""Description"": ""Detects potential network activity of Microsoft Quick Assist RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_quick_assist_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Microsoft Quick Assist RMM tool""}]",https://support.microsoft.com/en-us/windows/install-quick-assist-c17479b7-a49d-4d12-938c-dbfb97c88bca,[] +N-Able Advanced Monitoring Agent,,N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"BASupSrvc.exe, winagent.exe, BASupApp.exe, BASupTSHelper.exe, Agent_*_RW.exe, BASEClient.exe, BASupSrvcCnfg.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.beanywhere.com "", ""systemmonitor.co.uk"", ""*system-monitor.com"", ""cloudbackup.management"", ""*systemmonitor.co.uk"", ""n-able.com"", ""systemmonitor.us"", ""*systemmonitor.eu.com"", ""*.logicnow.com"", ""*.swi-tc.com"", ""*remote.management"", ""systemmonitor.us.cdn.cloudflare.net"", ""*cloudbackup.management"", ""remote.management"", ""logicnow.com"", ""system-monitor.com"", ""*systemmonitor.us"", ""systemmonitor.eu.com"", ""*.n-able.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_network_sigma.yml"", ""Description"": ""Detects potential network activity of N-Able Advanced Monitoring Agent RMM tool""}, {""Sigma"": 
""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of N-Able Advanced Monitoring Agent RMM tool""}]",https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm,[] Ocamlfuse,,Ocamlfuse is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -MyGreenPC,,MyGreenPC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,mygreenpc.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*mygreenpc.com""], ""Ports"": []}]}",[],http://www.mygreenpc.com/,[] -Syncthing,,Syncthing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\*\AppData\Roaming\SyncTrayzor\*, *Users\*\AppData\Roaming\SyncTrayzor\*, *\Syncthing.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Chrome Remote Desktop,,Chrome Remote Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"remote_host.exe, remoting_host.exe, C:\Program Files (x86)\Google\Chrome Remote Desktop\*, *\Google\Chrome Remote Desktop\*, *\remoting_host.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*remotedesktop.google.com"", ""*remotedesktop-pa.googleapis.com"", ""remotedesktop.google.com""], ""Ports"": []}]}",[],https://support.google.com/chrome/a/answer/2799701?hl=en,[] -Microsoft RDP,,Microsoft RDP is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"termsrv.exe, mstsc.exe, Microsoft Remote Desktop","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/windows,[] -Chrome Remote Desktop,,Chrome Remote Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"remote_host.exe, remoting_host.exe, C:\Program Files (x86)\Google\Chrome Remote Desktop\*, *\Google\Chrome Remote Desktop\*, *\remoting_host.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*remotedesktop-pa.googleapis.com"", ""*remotedesktop.google.com"", ""remotedesktop.google.com""], ""Ports"": []}]}",[],https://support.google.com/chrome/a/answer/2799701?hl=en,[] -Remote Desktop Plus,,Remote Desktop Plus is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,rdp.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""donkz.nl""], ""Ports"": []}]}",[],https://www.donkz.nl/,[] -NateOn-desktop sharing,,NateOn-desktop sharing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"nateon*.exe, nateon.exe, nateonmain.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.nate.com""], ""Ports"": []}]}",[],http://rsupport.nate.com/rview/r8/main/index.aspx,[] -Barracuda,,Barracuda is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.islonline.net"", ""rmm.barracudamsp.com"", ""barracudamsp.com""], ""Ports"": []}]}",[],https://help.islonline.com/19799/166125,[] -Dropbox,,Dropbox is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Dropbox\Client\*, *\Dropbox\Client\*, *\Dropbox.exe, *Users\*\Dropbox\bin\","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -CrossTec Remote Control,,CrossTec Remote Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"PCIVIDEO.EXE, supporttool.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""crosstecsoftware.com/remotecontrol""], ""Ports"": []}]}",[],www.crosstecsoftware.com/supporthome.html - domain DOA 2/1/2024,[] -DeskDay,,DeskDay is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,ultimate_*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""deskday.ai"", ""app.deskday.ai""], ""Ports"": []}]}",[],https://support.deskday.ai/en/articles/8235973-installing-the-end-user-application-ultimate,[] -mRemoteNG,,mRemoteNG is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"mRemoteNG.exe, C:\Program Files (x86)\mRemoteNG\*, *\mRemoteNG\*, *\mRemoteNG.exe, c:\Program Files (x86)%\mRemoteNG, *%\mRemoteNG, mRemoteNG-Installer-*.msi, *\mRemoteNG.exe","{""Disk"": [{""File"": ""C:\\Users\\*\\AppData\\Roaming\\mRemoteNG\\mRemoteNG.log"", ""Description"": ""mRemoteNG log file"", ""OS"": ""Windows""}, {""File"": ""C:\\Users\\*\\AppData\\Roaming\\mRemoteNG\\confCons.xml"", ""Description"": ""mRemoteNG configuration file"", ""OS"": ""Windows""}, {""File"": ""C:\\Users\\*\\AppData\\*\\mRemoteNG\\**10\\user.config"", ""Description"": ""mRemoteNG user configuration file"", ""OS"": ""Windows""}], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""mremoteng.org""], ""Ports"": []}]}",[],https://github.com/mRemoteNG/mRemoteNG,[] -FreeNX,,FreeNX is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\nxplayer.exe, *\nxplayer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -NetSupport Manager,,NetSupport Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"pcictlui.exe, client32.exe, pcicfgui.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""geo.netsupportsoftware.com"", ""netsupportmanager.com"", ""*.netsupportmanager.com""], ""Ports"": []}]}",[],https://www.netsupportmanager.com/resources/,[] -rdp2tcp,,rdp2tcp is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"tdp2tcp.exe, rdp2tcp.py","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""github.com/V-E-O/rdp2tcp""], ""Ports"": []}]}",[],github.com/V-E-O/rdp2tcp,[] -ITSupport247 (ConnectWise),,ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,saazapsc.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.itsupport247.net"", ""itsupport247.net""], ""Ports"": []}]}",[],https://control.itsupport247.net/,[] -Pulseway,,Pulseway is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"PCMonitorManager.exe, pcmonitorsrv.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""pulseway.com""], ""Ports"": []}]}",[],https://intercom.help/pulseway/en/,[] -Naverisk,,Naverisk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,AgentSetup-*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""naverisk.com""], ""Ports"": []}]}",[],http://kb.naverisk.com/en/articles/2811223-deploying-naverisk-agents,[] -Total Software Deployment,,Total Software Deployment is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\ProgramData\Total Software Deployment\*, *\Total Software Deployment\*, *\tniwinagent.exe, *\Tsdservice.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -ISL Online,,ISL Online is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"islalwaysonmonitor.exe, isllight.exe, isllightservice.exe, ISLLightClient.exe, C:\Program Files (x86)\ISL Online\ISL Light*, *\ISL Online\ISL Light*, *\ISLLight.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.islonline.com"", ""*.islonline.net""], ""Ports"": []}]}",[],https://help.islonline.com/19818/165940,[] +MyGreenPC,,MyGreenPC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,mygreenpc.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*mygreenpc.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mygreenpc_network_sigma.yml"", ""Description"": ""Detects potential network activity of MyGreenPC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mygreenpc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MyGreenPC RMM tool""}]",http://www.mygreenpc.com/,[] +Syncthing,,Syncthing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\*\AppData\Roaming\SyncTrayzor\*, *Users\*\AppData\Roaming\SyncTrayzor\*, *\Syncthing.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncthing_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Syncthing RMM tool""}]",,[] +Chrome Remote Desktop,,Chrome Remote Desktop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"remote_host.exe, remoting_host.exe, C:\Program Files (x86)\Google\Chrome Remote Desktop\*, *\Google\Chrome Remote Desktop\*, *\remoting_host.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*remotedesktop.google.com"", ""*remotedesktop-pa.googleapis.com"", ""remotedesktop.google.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of Chrome Remote Desktop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Chrome Remote Desktop RMM tool""}]",https://support.google.com/chrome/a/answer/2799701?hl=en,[] +Microsoft RDP,,Microsoft RDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"termsrv.exe, mstsc.exe, Microsoft Remote Desktop","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_rdp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Microsoft RDP RMM tool""}]",https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/windows,[] +Chrome Remote Desktop,,Chrome Remote Desktop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"remote_host.exe, remoting_host.exe, C:\Program Files (x86)\Google\Chrome Remote Desktop\*, *\Google\Chrome Remote Desktop\*, *\remoting_host.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*remotedesktop-pa.googleapis.com"", ""*remotedesktop.google.com"", ""remotedesktop.google.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of Chrome Remote Desktop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Chrome Remote Desktop RMM tool""}]",https://support.google.com/chrome/a/answer/2799701?hl=en,[] +Remote Desktop Plus,,Remote Desktop Plus is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,rdp.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""donkz.nl""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_desktop_plus_network_sigma.yml"", ""Description"": ""Detects potential network activity of Remote Desktop Plus RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_desktop_plus_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remote Desktop Plus RMM tool""}]",https://www.donkz.nl/,[] +NateOn-desktop sharing,,NateOn-desktop sharing is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"nateon*.exe, nateon.exe, nateonmain.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.nate.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nateon-desktop_sharing_network_sigma.yml"", ""Description"": ""Detects potential network activity of NateOn-desktop sharing RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nateon-desktop_sharing_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NateOn-desktop sharing RMM tool""}]",http://rsupport.nate.com/rview/r8/main/index.aspx,[] +Barracuda,,Barracuda is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.islonline.net"", ""rmm.barracudamsp.com"", ""barracudamsp.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/barracuda_network_sigma.yml"", ""Description"": ""Detects potential network activity of Barracuda RMM tool""}]",https://help.islonline.com/19799/166125,[] +Dropbox,,Dropbox is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Dropbox\Client\*, *\Dropbox\Client\*, *\Dropbox.exe, *Users\*\Dropbox\bin\","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dropbox_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Dropbox RMM tool""}]",,[] +CrossTec Remote Control,,CrossTec Remote Control is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"PCIVIDEO.EXE, supporttool.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""crosstecsoftware.com/remotecontrol""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crosstec_remote_control_network_sigma.yml"", ""Description"": ""Detects potential network activity of CrossTec Remote Control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crosstec_remote_control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of CrossTec Remote Control RMM tool""}]",www.crosstecsoftware.com/supporthome.html - domain DOA 2/1/2024,[] +DeskDay,,DeskDay is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,ultimate_*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""deskday.ai"", ""app.deskday.ai""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskday_network_sigma.yml"", ""Description"": ""Detects potential network activity of DeskDay RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskday_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DeskDay RMM tool""}]",https://support.deskday.ai/en/articles/8235973-installing-the-end-user-application-ultimate,[] +mRemoteNG,,mRemoteNG is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"mRemoteNG.exe, C:\Program Files (x86)\mRemoteNG\*, *\mRemoteNG\*, *\mRemoteNG.exe, c:\Program Files (x86)%\mRemoteNG, *%\mRemoteNG, mRemoteNG-Installer-*.msi, *\mRemoteNG.exe","{""Disk"": [{""File"": ""C:\\Users\\*\\AppData\\Roaming\\mRemoteNG\\mRemoteNG.log"", ""Description"": ""mRemoteNG log file"", ""OS"": ""Windows""}, {""File"": ""C:\\Users\\*\\AppData\\Roaming\\mRemoteNG\\confCons.xml"", ""Description"": ""mRemoteNG configuration file"", ""OS"": ""Windows""}, {""File"": ""C:\\Users\\*\\AppData\\*\\mRemoteNG\\**10\\user.config"", ""Description"": ""mRemoteNG user configuration file"", ""OS"": ""Windows""}], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""mremoteng.org""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_network_sigma.yml"", ""Description"": ""Detects potential network activity of mRemoteNG RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_files_sigma.yml"", ""Description"": ""Detects potential files activity of mRemoteNG RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of mRemoteNG RMM tool""}]",https://github.com/mRemoteNG/mRemoteNG,[] +FreeNX,,FreeNX is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\nxplayer.exe, *\nxplayer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/freenx_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of FreeNX RMM tool""}]",,[] +NetSupport Manager,,NetSupport Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"pcictlui.exe, client32.exe, pcicfgui.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""geo.netsupportsoftware.com"", ""netsupportmanager.com"", ""*.netsupportmanager.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_network_sigma.yml"", ""Description"": ""Detects potential network activity of NetSupport Manager RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NetSupport Manager RMM tool""}]",https://www.netsupportmanager.com/resources/,[] +rdp2tcp,,rdp2tcp is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"tdp2tcp.exe, rdp2tcp.py","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""github.com/V-E-O/rdp2tcp""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdp2tcp_network_sigma.yml"", ""Description"": ""Detects potential network activity of rdp2tcp RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdp2tcp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of rdp2tcp RMM tool""}]",github.com/V-E-O/rdp2tcp,[] +ITSupport247 (ConnectWise),,ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,saazapsc.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.itsupport247.net"", ""itsupport247.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__network_sigma.yml"", ""Description"": ""Detects potential network activity of ITSupport247 (ConnectWise) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ITSupport247 (ConnectWise) RMM tool""}]",https://control.itsupport247.net/,[] +Pulseway,,Pulseway is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"PCMonitorManager.exe, pcmonitorsrv.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""pulseway.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pulseway_network_sigma.yml"", ""Description"": ""Detects potential network activity of Pulseway RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pulseway_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pulseway RMM tool""}]",https://intercom.help/pulseway/en/,[] +Naverisk,,Naverisk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,AgentSetup-*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""naverisk.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/naverisk_network_sigma.yml"", ""Description"": ""Detects potential network activity of Naverisk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/naverisk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Naverisk RMM tool""}]",http://kb.naverisk.com/en/articles/2811223-deploying-naverisk-agents,[] +Total Software Deployment,,Total Software Deployment is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\ProgramData\Total Software Deployment\*, *\Total Software Deployment\*, *\tniwinagent.exe, *\Tsdservice.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/total_software_deployment_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Total Software Deployment RMM tool""}]",,[] +ISL Online,,ISL Online is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"islalwaysonmonitor.exe, isllight.exe, isllightservice.exe, ISLLightClient.exe, C:\Program Files (x86)\ISL Online\ISL Light*, *\ISL Online\ISL Light*, *\ISLLight.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.islonline.com"", ""*.islonline.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_network_sigma.yml"", ""Description"": ""Detects potential network activity of ISL Online RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ISL Online RMM tool""}]",https://help.islonline.com/19818/165940,[] NinjaOne (formerly NinjaRMM),,NinjaOne (formerly NinjaRMM) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,*ProgramData\NinjaRMMAgent\*,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] Microsoft OneDrive,,Microsoft OneDrive is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -QQ IM-remote assistance,,QQ IM-remote assistance is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"qq.exe, QQProtect.exe, qqpcmgr.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.mdt.qq.com"", ""*.desktop.qq.com"", ""upload_data.qq.com"", ""qq-messenger.en.softonic.com""], ""Ports"": []}]}",[],https://en.wikipedia.org/wiki/Tencent_QQ,[] -Distant Desktop,,Distant Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"ddsystem.exe, dd.exe, distant-desktop.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.distantdesktop.com"", ""*signalserver.xyz""], ""Ports"": []}]}",[],https://www.distantdesktop.com/manual/first-start.htm,[] -FixMe.it,,FixMe.it is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"FixMeit Unattended Access Setup.exe, TiExpertStandalone.exe, FixMeitClient*.exe, FixMeit Client.exe, FixMeit Expert Setup.exe, TiExpertCore.exe, fixmeitclient.exe, TiClientCore.exe, TiClientHelper*.exe, no installation required | recommend blocking fixme[.]it SaaS portal, no installation required | recommend blocking fixme[.]it SaaS portal, 9380CC75B872221A7425D7503565B67580407F60","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.fixme.it"", ""*.techinline.net"", ""fixme.it"", ""*set.me"", ""*setme.net""], ""Ports"": []}]}",[],https://docs.fixme.it/general-questions/which-ports-and-servers-does-fixme-it-use,[] -FileZilla,,FileZilla is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\FileZilla FTP Client\*, *\FileZilla FTP Client\*, *\FileZilla.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Microsoft RDP,,Microsoft RDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,mstsc.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/windows,[] -RuDesktop,,RuDesktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rd.exe, rudesktop*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.rudesktop.ru"", ""rudesktop.ru""], ""Ports"": []}]}",[],https://rudesktop.ru,[] -BeyondTrust (Bomgar),,BeyondTrust (Bomgar) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"bomgar-scc-*.exe, bomgar-scc.exe, bomgar-pac-*.exe, bomgar-pac.exe, bomgar-rdp.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.beyondtrustcloud.com"", ""*.bomgarcloud.com"", ""bomgarcloud.com""], ""Ports"": []}]}",[],https://www.beyondtrust.com/docs/remote-support/getting-started/deployment/cloud/network.htm,[] -FreeFileSync,,FreeFileSync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\FreeFileSync\*, *\FreeFileSync\*, *\FreeFileSync.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -TightVNC,,TightVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"tvnviewer.exe, TightVNCViewerPortable*.exe, tvnserver.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""tightvnc.com""], ""Ports"": []}]}",[],https://www.tightvnc.com/doc/win/TightVNC_for_Windows-Installation_and_Getting_Started.pdf,[] -MeshCentral,,MeshCentral is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"meshcentral*.exe, mesh*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""meshcentral.com""], ""Ports"": []}]}",[],https://ylianst.github.io/MeshCentral/meshcentral/,[] -CuteFTP,,CuteFTP is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Globalscape\CuteFTP\*, *\Globalscape\CuteFTP\*, *\cuteftppro.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Dev Tunnels (aka Visual Studio Dev Tunnel),,Dev Tunnels (aka Visual Studio Dev Tunnel) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview""], ""Ports"": []}]}",[],,[] -CarotDAV,,CarotDAV is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Rei Software\CarotDAV\*, *\Rei Software\CarotDAV\*, *\CarotDAV.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Bitvise SSH Server,,Bitvise SSH Server is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\Bitvise SSH Server\*, *\Bitvise SSH Server\*, *\BvSshServer-Inst.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Pandora RC (eHorus),,Pandora RC (eHorus) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"ehorus standalone.exe, ehorus_agent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""portal.ehorus.com""], ""Ports"": []}]}",[],https://pandorafms.com/manual/!current/en/documentation/09_pandora_rc/01_pandora_rc_introduction,[] -DW Service,,DW Service is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"dwagsvc.exe, dwagent.exe, dwagsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.dwservice.net""], ""Ports"": []}]}",[],https://news.dwservice.net/dwservice-security-infrastructure/,[] -Iperius Remote,,Iperius Remote is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"iperius.exe, iperiusremote.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.iperiusremote.com"", ""*.iperius.com"", ""*.iperius-rs.com"", ""iperiusremote.com""], ""Ports"": []}]}",[],https://www.iperiusremote.com/download-iperius-remote-desktop-windows.aspx,[] +QQ IM-remote assistance,,QQ IM-remote assistance is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"qq.exe, QQProtect.exe, qqpcmgr.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.mdt.qq.com"", ""*.desktop.qq.com"", ""upload_data.qq.com"", ""qq-messenger.en.softonic.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/qq_im-remote_assistance_network_sigma.yml"", ""Description"": ""Detects potential network activity of QQ IM-remote assistance RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/qq_im-remote_assistance_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of QQ IM-remote assistance RMM tool""}]",https://en.wikipedia.org/wiki/Tencent_QQ,[] +Distant Desktop,,Distant Desktop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"ddsystem.exe, dd.exe, distant-desktop.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.distantdesktop.com"", ""*signalserver.xyz""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of Distant Desktop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Distant Desktop RMM tool""}]",https://www.distantdesktop.com/manual/first-start.htm,[] +FixMe.it,,FixMe.it is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"FixMeit Unattended Access Setup.exe, TiExpertStandalone.exe, FixMeitClient*.exe, FixMeit Client.exe, FixMeit Expert Setup.exe, TiExpertCore.exe, fixmeitclient.exe, TiClientCore.exe, TiClientHelper*.exe, no installation required | recommend blocking fixme[.]it SaaS portal, no installation required | recommend blocking fixme[.]it SaaS portal, 9380CC75B872221A7425D7503565B67580407F60","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.fixme.it"", ""*.techinline.net"", ""fixme.it"", ""*set.me"", ""*setme.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme.it_network_sigma.yml"", ""Description"": ""Detects potential network activity of FixMe.it RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme.it_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of FixMe.it RMM 
tool""}]",https://docs.fixme.it/general-questions/which-ports-and-servers-does-fixme-it-use,[] +FileZilla,,FileZilla is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\FileZilla FTP Client\*, *\FileZilla FTP Client\*, *\FileZilla.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/filezilla_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of FileZilla RMM tool""}]",,[] +Microsoft RDP,,Microsoft RDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,mstsc.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_rdp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Microsoft RDP RMM tool""}]",https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/windows,[] +RuDesktop,,RuDesktop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rd.exe, rudesktop*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.rudesktop.ru"", ""rudesktop.ru""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rudesktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of RuDesktop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rudesktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RuDesktop RMM tool""}]",https://rudesktop.ru,[] +BeyondTrust (Bomgar),,BeyondTrust (Bomgar) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"bomgar-scc-*.exe, bomgar-scc.exe, bomgar-pac-*.exe, bomgar-pac.exe, bomgar-rdp.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.beyondtrustcloud.com"", ""*.bomgarcloud.com"", ""bomgarcloud.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__network_sigma.yml"", ""Description"": ""Detects potential network activity of BeyondTrust (Bomgar) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of BeyondTrust (Bomgar) RMM tool""}]",https://www.beyondtrust.com/docs/remote-support/getting-started/deployment/cloud/network.htm,[] +FreeFileSync,,FreeFileSync is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\FreeFileSync\*, *\FreeFileSync\*, *\FreeFileSync.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/freefilesync_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of FreeFileSync RMM tool""}]",,[] +TightVNC,,TightVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"tvnviewer.exe, TightVNCViewerPortable*.exe, tvnserver.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""tightvnc.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tightvnc_network_sigma.yml"", ""Description"": ""Detects potential network activity of TightVNC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tightvnc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of TightVNC RMM tool""}]",https://www.tightvnc.com/doc/win/TightVNC_for_Windows-Installation_and_Getting_Started.pdf,[] +MeshCentral,,MeshCentral is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"meshcentral*.exe, mesh*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""meshcentral.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_network_sigma.yml"", ""Description"": ""Detects potential network activity of MeshCentral RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MeshCentral RMM tool""}]",https://ylianst.github.io/MeshCentral/meshcentral/,[] +CuteFTP,,CuteFTP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Globalscape\CuteFTP\*, *\Globalscape\CuteFTP\*, *\cuteftppro.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cuteftp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of CuteFTP RMM tool""}]",,[] +Dev Tunnels (aka Visual Studio Dev Tunnel),,Dev Tunnels (aka Visual Studio Dev Tunnel) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dev_tunnels__aka_visual_studio_dev_tunnel__network_sigma.yml"", ""Description"": ""Detects potential network activity of Dev Tunnels (aka Visual Studio Dev Tunnel) RMM tool""}]",,[] +CarotDAV,,CarotDAV is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Rei Software\CarotDAV\*, *\Rei Software\CarotDAV\*, *\CarotDAV.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/carotdav_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of CarotDAV RMM tool""}]",,[] +Bitvise SSH Server,,Bitvise SSH Server is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\Bitvise SSH Server\*, *\Bitvise SSH Server\*, *\BvSshServer-Inst.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bitvise_ssh_server_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Bitvise SSH Server RMM tool""}]",,[] +Pandora RC (eHorus),,Pandora RC (eHorus) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"ehorus standalone.exe, ehorus_agent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""portal.ehorus.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pandora_rc__ehorus__network_sigma.yml"", ""Description"": ""Detects potential network activity of Pandora RC (eHorus) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pandora_rc__ehorus__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pandora RC (eHorus) RMM tool""}]",https://pandorafms.com/manual/!current/en/documentation/09_pandora_rc/01_pandora_rc_introduction,[] +DW Service,,DW Service is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"dwagsvc.exe, dwagent.exe, dwagsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.dwservice.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_network_sigma.yml"", ""Description"": ""Detects potential network activity of DW Service RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DW Service RMM tool""}]",https://news.dwservice.net/dwservice-security-infrastructure/,[]
+Iperius Remote,,Iperius Remote is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"iperius.exe, iperiusremote.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.iperiusremote.com"", ""*.iperius.com"", ""*.iperius-rs.com"", ""iperiusremote.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/iperius_remote_network_sigma.yml"", ""Description"": ""Detects potential network activity of Iperius Remote RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/iperius_remote_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Iperius Remote RMM tool""}]",https://www.iperiusremote.com/download-iperius-remote-desktop-windows.aspx,[]
diff --git a/lolrmm.com/content/api/rmm_tools.json b/lolrmm.com/content/api/rmm_tools.json
index ce2392c2..6f14e0f3 100644
--- a/lolrmm.com/content/api/rmm_tools.json
+++ b/lolrmm.com/content/api/rmm_tools.json
@@ -39,7 +39,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rapid7_network_sigma.yml",
+ "Description": "Detects potential network activity of Rapid7 RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rapid7_processes_sigma.yml",
+ "Description": "Detects potential processes activity of Rapid7 RMM tool"
+ }
+ ],
 "References": [
 "https://docs.rapid7.com/insightvm/configure-communications-with-the-insight-platform/"
 ],
@@ -85,7 +94,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sunlogin_network_sigma.yml",
+ "Description": "Detects potential network activity of SunLogin RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sunlogin_processes_sigma.yml",
+ "Description": "Detects potential processes activity of SunLogin RMM tool"
+ }
+ ],
 "References": [
 "https://sunlogin.oray.com/en/embed/software.html"
 ],
@@ -153,7 +171,12 @@
 "Registry": [],
 "Network": []
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/box_processes_sigma.yml",
+ "Description": "Detects potential processes activity of Box RMM tool"
+ }
+ ],
 "References": [],
 "Acknowledgement": []
 },
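Review bot: Each new Detections entry here, and in every other hunk of rmm_tools.json on this page, identifies the rule only by a `Sigma` link into `blob/main/` plus a boilerplate description, so an API consumer cannot tell which rule is referenced without fetching a branch that can change under them; if the generator emitting this file can read the rule's `id` and `title`, adding them beside the link (e.g. `"Id": "<rule-id placeholder>"`) would give downstream tooling a stable key. The descriptions also read `processes activity` and `files activity` where `process activity` and `file activity` is meant; since this file sits under content/api and looks generated from the per-tool data, that wording fix belongs in the generator, not in this file. The `Detections` array is the only part of each tool record visible in the hunk; the enclosing object starts and ends outside it.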
@@ -320,7 +343,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kaseya__vsa__network_sigma.yml",
+ "Description": "Detects potential network activity of Kaseya (VSA) RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kaseya__vsa__files_sigma.yml",
+ "Description": "Detects potential files activity of Kaseya (VSA) RMM tool"
+ }
+ ],
 "References": [
 "https://helpdesk.kaseya.com/hc/en-gb/articles/229012608-Software-Deployment-URL-Port-Requirements",
 "https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations",
@@ -359,7 +391,12 @@
 "Registry": [],
 "Network": []
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/putty_tray_processes_sigma.yml",
+ "Description": "Detects potential processes activity of PuTTY Tray RMM tool"
+ }
+ ],
 "References": [],
 "Acknowledgement": []
 },
@@ -394,7 +431,12 @@
 "Registry": [],
 "Network": []
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/azure_storage_explorer_processes_sigma.yml",
+ "Description": "Detects potential processes activity of Azure Storage Explorer RMM tool"
+ }
+ ],
 "References": [],
 "Acknowledgement": []
 },
@@ -430,7 +472,12 @@
 "Registry": [],
 "Network": []
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sysaid_processes_sigma.yml",
+ "Description": "Detects potential processes activity of SysAid RMM tool"
+ }
+ ],
 "References": [],
 "Acknowledgement": []
 },
@@ -478,7 +525,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/domotz_network_sigma.yml", + "Description": "Detects potential network activity of Domotz RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/domotz_processes_sigma.yml", + "Description": "Detects potential processes activity of Domotz RMM tool" + } + ], "References": [ "https://help.domotz.com/tips-tricks/unblock-outgoing-connections-on-firewall/" ], @@ -555,7 +611,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__aka_impero_connect__network_sigma.yml", + "Description": "Detects potential network activity of Netop Remote Control (aka Impero Connect) RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__aka_impero_connect__processes_sigma.yml", + "Description": "Detects potential processes activity of Netop Remote Control (aka Impero Connect) RMM tool" + } + ], "References": [], "Acknowledgement": [] }, @@ -619,7 +684,12 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_tsc_processes_sigma.yml", + "Description": "Detects potential processes activity of Microsoft TSC RMM tool" + } + ], "References": [ "https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/terminal-server-startup-connection-application" ], 
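Review bot: The `-619` hunk here and the `-1207` hunk on the next physical line add the identical `microsoft_tsc_processes_sigma.yml` entry with the same Description and the same learn.microsoft.com reference, which suggests the underlying dataset holds two records for one tool and the generated detections now duplicate it. The same pattern appears for MioNet (`mionet__wd_anywhere_access__processes_sigma.yml` versus `mionet__also_known_as_wd_anywhere_access__processes_sigma.yml`) and for `pocket_controller_*` versus `pocket_controller__soti_xsight__*`; Splashtop / Splashtop Remote and Datto / CentraStage (Now Datto) may be the same case, though that is less certain from the names alone. Deduplicating the source records before generation would avoid shipping two rule files that presumably key on the same artifacts.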
@@ -669,7 +739,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_desktop_network_sigma.yml", + "Description": "Detects potential network activity of Jump Desktop RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_desktop_processes_sigma.yml", + "Description": "Detects potential processes activity of Jump Desktop RMM tool" + } + ], "References": [ "https://support.jumpdesktop.com/hc/en-us/articles/360042490351-Administrators-Guide-For-Jump-Desktop-Connect" ], @@ -718,7 +797,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/intelliadmin_remote_control_network_sigma.yml", + "Description": "Detects potential network activity of IntelliAdmin Remote Control RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/intelliadmin_remote_control_processes_sigma.yml", + "Description": "Detects potential processes activity of IntelliAdmin Remote Control RMM tool" + } + ], "References": [ "intelliadmin.com/remote-control" ], @@ -798,7 +886,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zerotier_network_sigma.yml", + "Description": "Detects potential network activity of ZeroTier RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zerotier_processes_sigma.yml", + "Description": "Detects potential processes activity of ZeroTier RMM tool" + } + ], "References": [ "https://my.zerotier.com/" ], 
@@ -843,7 +940,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_accessnow_network_sigma.yml", + "Description": "Detects potential network activity of Ericom AccessNow RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_accessnow_processes_sigma.yml", + "Description": "Detects potential processes activity of Ericom AccessNow RMM tool" + } + ], "References": [ "https://www.ericom.com/connect-accessnow/" ], @@ -919,7 +1025,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcnow_network_sigma.yml", + "Description": "Detects potential network activity of Pcnow RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcnow_processes_sigma.yml", + "Description": "Detects potential processes activity of Pcnow RMM tool" + } + ], "References": [ "http://pcnow.webex.com/ - DOA as of 2024" ], @@ -962,7 +1077,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktopnow_network_sigma.yml", + "Description": "Detects potential network activity of DesktopNow RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktopnow_processes_sigma.yml", + "Description": "Detects potential processes activity of DesktopNow RMM tool" + } + ], "References": [ "https://forums.ivanti.com/s/article/Network-Ports-used-by-Environment-Manager?language=en_US" ], 
@@ -1007,7 +1131,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller__soti_xsight__network_sigma.yml", + "Description": "Detects potential network activity of Pocket Controller (Soti Xsight) RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller__soti_xsight__processes_sigma.yml", + "Description": "Detects potential processes activity of Pocket Controller (Soti Xsight) RMM tool" + } + ], "References": [ "https://pulse.soti.net/support/soti-xsight/help/" ], @@ -1056,7 +1189,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_network_sigma.yml", + "Description": "Detects potential network activity of Instant Housecall RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_processes_sigma.yml", + "Description": "Detects potential processes activity of Instant Housecall RMM tool" + } + ], "References": [ "https://instanthousecall.com/features/" ], @@ -1102,7 +1244,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centrastage__now_datto__network_sigma.yml", + "Description": "Detects potential network activity of CentraStage (Now Datto) RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centrastage__now_datto__processes_sigma.yml", + "Description": "Detects potential processes activity of CentraStage (Now Datto) RMM tool" + } + ], "References": [ "https://rmm.datto.com/help/de/Content/1INTRODUCTION/Requirements/AllowListRequirements.htm" ], 
@@ -1138,7 +1289,12 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/core_ftp_processes_sigma.yml", + "Description": "Detects potential processes activity of Core FTP RMM tool" + } + ], "References": [], "Acknowledgement": [] }, @@ -1173,7 +1329,12 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/insync_processes_sigma.yml", + "Description": "Detects potential processes activity of Insync RMM tool" + } + ], "References": [], "Acknowledgement": [] }, @@ -1207,7 +1368,12 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_tsc_processes_sigma.yml", + "Description": "Detects potential processes activity of Microsoft TSC RMM tool" + } + ], "References": [ "https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/terminal-server-startup-connection-application" ], @@ -1254,7 +1420,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_rescue_network_sigma.yml", + "Description": "Detects potential network activity of LogMeIn rescue RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_rescue_processes_sigma.yml", + "Description": "Detects potential processes activity of LogMeIn rescue RMM tool" + } + ], "References": [ "https://support.logmeinrescue.com/rescue/help/allowlisting-and-rescue" ], 
@@ -1333,7 +1508,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/adobe_connect_network_sigma.yml", + "Description": "Detects potential network activity of Adobe Connect RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/adobe_connect_processes_sigma.yml", + "Description": "Detects potential processes activity of Adobe Connect RMM tool" + } + ], "References": [ "https://helpx.adobe.com/adobe-connect/firewall-proxy-server-configuration-adobe-connect.html" ], @@ -1376,7 +1560,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudflare_tunnel_network_sigma.yml", + "Description": "Detects potential network activity of CloudFlare Tunnel RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudflare_tunnel_processes_sigma.yml", + "Description": "Detects potential processes activity of CloudFlare Tunnel RMM tool" + } + ], "References": [ "cloudflare.com/products/tunnel/" ], @@ -1412,7 +1605,12 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/drivemaker_processes_sigma.yml", + "Description": "Detects potential processes activity of DriveMaker RMM tool" + } + ], "References": [], "Acknowledgement": [] }, @@ -1446,7 +1644,12 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mstsc_processes_sigma.yml", + "Description": "Detects potential processes activity of mstsc RMM tool" + } + ], "References": [], "Acknowledgement": [] }, 
@@ -1492,7 +1695,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/parallels_access_network_sigma.yml", + "Description": "Detects potential network activity of Parallels Access RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/parallels_access_processes_sigma.yml", + "Description": "Detects potential processes activity of Parallels Access RMM tool" + } + ], "References": [ "https://kb.parallels.com/en/129097" ], @@ -1536,7 +1748,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_network_sigma.yml", + "Description": "Detects potential network activity of ConnectWise Control RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_processes_sigma.yml", + "Description": "Detects potential processes activity of ConnectWise Control RMM tool" + } + ], "References": [], "Acknowledgement": [] }, @@ -1612,7 +1833,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tigervnc_network_sigma.yml", + "Description": "Detects potential network activity of TigerVNC RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tigervnc_processes_sigma.yml", + "Description": "Detects potential processes activity of TigerVNC RMM tool" + } + ], "References": [ "https://github.com/TigerVNC/tigervnc/releases" ], @@ -1648,7 +1878,12 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rocket_remote_desktop_processes_sigma.yml", + "Description": "Detects potential processes activity of Rocket Remote Desktop RMM tool" + } + ], "References": [], "Acknowledgement": [] }, 
@@ -1683,7 +1918,12 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/noteon-desktop_sharing_processes_sigma.yml", + "Description": "Detects potential processes activity of NoteOn-desktop sharing RMM tool" + } + ], "References": [], "Acknowledgement": [] }, @@ -1724,7 +1964,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bomgar_network_sigma.yml", + "Description": "Detects potential network activity of Bomgar RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bomgar_processes_sigma.yml", + "Description": "Detects potential processes activity of Bomgar RMM tool" + } + ], "References": [], "Acknowledgement": [] }, @@ -1759,7 +2008,12 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcloud_processes_sigma.yml", + "Description": "Detects potential processes activity of pCloud RMM tool" + } + ], "References": [], "Acknowledgement": [] }, @@ -1803,7 +2057,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpu_network_sigma.yml", + "Description": "Detects potential network activity of HelpU RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpu_processes_sigma.yml", + "Description": "Detects potential processes activity of HelpU RMM tool" + } + ], "References": [ "https://helpu.co.kr/" ], 
@@ -1855,7 +2118,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_remote_network_sigma.yml", + "Description": "Detects potential network activity of Splashtop Remote RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_remote_processes_sigma.yml", + "Description": "Detects potential processes activity of Splashtop Remote RMM tool" + } + ], "References": [ "https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services" ], @@ -1931,7 +2203,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller_network_sigma.yml", + "Description": "Detects potential network activity of Pocket Controller RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller_processes_sigma.yml", + "Description": "Detects potential processes activity of Pocket Controller RMM tool" + } + ], "References": [], "Acknowledgement": [] }, @@ -1966,7 +2247,12 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xshell_processes_sigma.yml", + "Description": "Detects potential processes activity of Xshell RMM tool" + } + ], "References": [], "Acknowledgement": [] }, @@ -2001,7 +2287,12 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bitvise_ssh_client_processes_sigma.yml", + "Description": "Detects potential processes activity of Bitvise SSH Client RMM tool" + } + ], "References": [], "Acknowledgement": [] }, 
@@ -2040,7 +2331,12 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_server_network_sigma.yml", + "Description": "Detects potential network activity of Royal Server RMM tool" + } + ], "References": [], "Acknowledgement": [] }, @@ -2083,7 +2379,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_manipulator_system_network_sigma.yml", + "Description": "Detects potential network activity of Remote Manipulator System RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_manipulator_system_processes_sigma.yml", + "Description": "Detects potential processes activity of Remote Manipulator System RMM tool" + } + ], "References": [ "https://rmansys.ru/files/" ], @@ -2132,7 +2437,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manage_engine__desktop_central__network_sigma.yml", + "Description": "Detects potential network activity of Manage Engine (Desktop Central) RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manage_engine__desktop_central__processes_sigma.yml", + "Description": "Detects potential processes activity of Manage Engine (Desktop Central) RMM tool" + } + ], "References": [ "https://www.manageengine.com/products/desktop-central/help/domains-required-for-agent-communication.html" ], 
@@ -2178,7 +2492,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/auvik_network_sigma.yml", + "Description": "Detects potential network activity of Auvik RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/auvik_processes_sigma.yml", + "Description": "Detects potential processes activity of Auvik RMM tool" + } + ], "References": [ "https://support.auvik.com/hc/en-us/articles/204315700-What-protocols-and-ports-does-the-Auvik-collector-use" ], @@ -2219,7 +2542,12 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/basecamp_network_sigma.yml", + "Description": "Detects potential network activity of Basecamp RMM tool" + } + ], "References": [ "basecamp.com - No specific RMM tool listed" ], @@ -2291,7 +2619,12 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aws-cli_processes_sigma.yml", + "Description": "Detects potential processes activity of aws-cli RMM tool" + } + ], "References": [], "Acknowledgement": [] }, 
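Review bot: The Basecamp entry in the `-2219` hunk gains a rule described as `Detects potential network activity of Basecamp RMM tool` while its own References line says `basecamp.com - No specific RMM tool listed`, so a detection was generated for a record the dataset itself marks as not an RMM tool. The templated `… RMM tool` suffix likewise labels entries such as `aws-cli`, `Core FTP`, `pCloud` and `Box` as RMM tools, which will mislead analysts triaging alerts from these rules; consider deriving the wording from the entry's category, or skipping generation for records whose References mark them as not applicable. Whether the generated Basecamp rule contains a usable selection cannot be judged from this file.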
@@ -2536,6 +2869,18 @@ { "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml", "Description": "Remote Access Tool - AnyDesk Silent Installation" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_registry_sigma.yml", + "Description": "Detects potential registry activity of AnyDesk RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_network_sigma.yml", + "Description": "Detects potential network activity of AnyDesk RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_files_sigma.yml", + "Description": "Detects potential files activity of AnyDesk RMM tool" } ], "References": [ @@ -2653,6 +2998,10 @@ "Description": "Threat hunting rule for detecting the execution of arbitrary code and remote sessions via Action1 RMM", "author": "@kostastsale", "Link": "https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/Anyviewer.yml" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyviewer_network_sigma.yml", + "Description": "Detects potential network activity of AnyViewer RMM tool" } ], "References": [ @@ -2704,7 +3053,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_network_sigma.yml", + "Description": "Detects potential network activity of DW Service RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_processes_sigma.yml", + "Description": "Detects potential processes activity of DW Service RMM tool" + } + ], "References": [ "https://news.dwservice.net/dwservice-security-infrastructure/" ], 
@@ -2745,7 +3103,12 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level_network_sigma.yml", + "Description": "Detects potential network activity of Level RMM tool" + } + ], "References": [], "Acknowledgement": [] }, @@ -2794,7 +3157,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/site24x7_network_sigma.yml", + "Description": "Detects potential network activity of Site24x7 RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/site24x7_processes_sigma.yml", + "Description": "Detects potential processes activity of Site24x7 RMM tool" + } + ], "References": [ "https://support.site24x7.com/portal/en/kb/articles/which-ports-do-i-need-to-allow-access-in-my-firewall-to-use-site24x7-agent" ], @@ -2917,7 +3289,20 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_network_sigma.yml", + "Description": "Detects potential network activity of ScreenConnect RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_files_sigma.yml", + "Description": "Detects potential files activity of ScreenConnect RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_processes_sigma.yml", + "Description": "Detects potential processes activity of ScreenConnect RMM tool" + } + ], "References": [ "https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours/" ], 
@@ -2996,7 +3381,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/spyanywhere_network_sigma.yml", + "Description": "Detects potential network activity of SpyAnywhere RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/spyanywhere_processes_sigma.yml", + "Description": "Detects potential processes activity of SpyAnywhere RMM tool" + } + ], "References": [ "https://www.spyanywhere.com/support.shtml" ], @@ -3045,7 +3439,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ninjarmm_network_sigma.yml", + "Description": "Detects potential network activity of NinjaRMM RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ninjarmm_processes_sigma.yml", + "Description": "Detects potential processes activity of NinjaRMM RMM tool" + } + ], "References": [ "https://www.ninjaone.com/faq/" ], @@ -3082,7 +3485,12 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudxplorer_processes_sigma.yml", + "Description": "Detects potential processes activity of CloudXplorer RMM tool" + } + ], "References": [], "Acknowledgement": [] }, @@ -3161,7 +3569,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/simplehelp_network_sigma.yml", + "Description": "Detects potential network activity of SimpleHelp RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/simplehelp_processes_sigma.yml", + "Description": "Detects potential processes activity of SimpleHelp RMM tool" + } + ], "References": [ "https://simple-help.com/remote-support" ], 
@@ -3205,7 +3622,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/emco_remote_console_network_sigma.yml", + "Description": "Detects potential network activity of EMCO Remote Console RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/emco_remote_console_processes_sigma.yml", + "Description": "Detects potential processes activity of EMCO Remote Console RMM tool" + } + ], "References": [], "Acknowledgement": [] }, @@ -3249,7 +3675,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ngrok_network_sigma.yml", + "Description": "Detects potential network activity of ngrok RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ngrok_processes_sigma.yml", + "Description": "Detects potential processes activity of ngrok RMM tool" + } + ], "References": [ "https://ngrok.com/docs/guides/running-behind-firewalls/" ], @@ -3292,7 +3727,12 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/apple_remote_desktop_network_sigma.yml", + "Description": "Detects potential network activity of Apple Remote Desktop RMM tool" + } + ], "References": [ "https://support.apple.com/guide/remote-desktop/install-and-set-up-remote-desktop-apdf49e03a4/mac" ], @@ -3328,7 +3768,12 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer__gotomeet__processes_sigma.yml", + "Description": "Detects potential processes activity of Netviewer (GoToMeet) RMM tool" + } + ], "References": [ "Obsolute - found copy here: https://www.enviolet.com/en/service/online-consultant.html" ], 
@@ -3374,7 +3819,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nomachine_network_sigma.yml", + "Description": "Detects potential network activity of NoMachine RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nomachine_processes_sigma.yml", + "Description": "Detects potential processes activity of NoMachine RMM tool" + } + ], "References": [ "https://kb.nomachine.com/AR04S01122" ], @@ -3410,7 +3864,12 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mionet__wd_anywhere_access__processes_sigma.yml", + "Description": "Detects potential processes activity of MioNet (WD Anywhere Access) RMM tool" + } + ], "References": [ "https://en.wikipedia.org/wiki/WD_Anywhere_Access - DOA as of 2016" ], @@ -3593,7 +4052,24 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_registry_sigma.yml", + "Description": "Detects potential registry activity of Splashtop RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_network_sigma.yml", + "Description": "Detects potential network activity of Splashtop RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_files_sigma.yml", + "Description": "Detects potential files activity of Splashtop RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_processes_sigma.yml", + "Description": "Detects potential processes activity of Splashtop RMM tool" + } + ], "References": [ "https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html" ], 
@@ -3695,6 +4171,22 @@ { "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml", "Description": "Enumeration for 3rd Party Creds From CLI" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_registry_sigma.yml", + "Description": "Detects potential registry activity of RAdmin RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_network_sigma.yml", + "Description": "Detects potential network activity of RAdmin RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_files_sigma.yml", + "Description": "Detects potential files activity of RAdmin RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_processes_sigma.yml", + "Description": "Detects potential processes activity of RAdmin RMM tool" } ], "References": [ @@ -3758,7 +4250,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/landesk_network_sigma.yml", + "Description": "Detects potential network activity of LANDesk RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/landesk_processes_sigma.yml", + "Description": "Detects potential processes activity of LANDesk RMM tool" + } + ], "References": [ "https://forums.ivanti.com/s/article/URL-exception-list-for-Ivanti-Security-Controls?language=en_US" ], 
@@ -3806,7 +4307,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superops_network_sigma.yml", + "Description": "Detects potential network activity of SuperOps RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superops_processes_sigma.yml", + "Description": "Detects potential processes activity of SuperOps RMM tool" + } + ], "References": [ "https://support.superops.com/en/articles/6632028-how-to-download-and-deploy-the-agent" ], @@ -3918,7 +4428,12 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/datto_network_sigma.yml", + "Description": "Detects potential network activity of Datto RMM tool" + } + ], "References": [], "Acknowledgement": [] }, @@ -3964,7 +4479,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/supremo_network_sigma.yml", + "Description": "Detects potential network activity of Supremo RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/supremo_processes_sigma.yml", + "Description": "Detects potential processes activity of Supremo RMM tool" + } + ], "References": [ "https://www.supremocontrol.com/frequently-asked-questions/" ], @@ -4030,7 +4554,12 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quick_assist_processes_sigma.yml", + "Description": "Detects potential processes activity of Quick Assist RMM tool" + } + ], "References": [], "Acknowledgement": [] }, 
@@ -4071,7 +4600,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/khelpdesk_network_sigma.yml", + "Description": "Detects potential network activity of KHelpDesk RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/khelpdesk_processes_sigma.yml", + "Description": "Detects potential processes activity of KHelpDesk RMM tool" + } + ], "References": [ "https://www.khelpdesk.com.br/en-us" ], @@ -4117,7 +4655,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/turbomeeting_network_sigma.yml", + "Description": "Detects potential network activity of TurboMeeting RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/turbomeeting_processes_sigma.yml", + "Description": "Detects potential processes activity of TurboMeeting RMM tool" + } + ], "References": [ "http://sourcing.rhubcom.com/v5/faqs.html#collapsetwentysix2-topdiv" ], @@ -4161,7 +4708,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rport_network_sigma.yml", + "Description": "Detects potential network activity of RPort RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rport_processes_sigma.yml", + "Description": "Detects potential processes activity of RPort RMM tool" + } + ], "References": [ "https://kb.rport.io/using-the-remote-access" ], @@ -4231,7 +4787,12 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/expandrive_processes_sigma.yml", + "Description": "Detects potential processes activity of ExpanDrive RMM tool" + } + ], "References": [], "Acknowledgement": [] }, 
@@ -4265,7 +4826,12 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mionet__also_known_as_wd_anywhere_access__processes_sigma.yml", + "Description": "Detects potential processes activity of MioNet (Also known as WD Anywhere Access) RMM tool" + } + ], "References": [], "Acknowledgement": [] }, @@ -4308,7 +4874,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ocs_inventory_network_sigma.yml", + "Description": "Detects potential network activity of OCS inventory RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ocs_inventory_processes_sigma.yml", + "Description": "Detects potential processes activity of OCS inventory RMM tool" + } + ], "References": [ "https://ocsinventory-ng.org/?page_id=878&lang=en" ], @@ -4353,7 +4928,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepass_network_sigma.yml", + "Description": "Detects potential network activity of RemotePass RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepass_processes_sigma.yml", + "Description": "Detects potential processes activity of RemotePass RMM tool" + } + ], "References": [ "https://www.remotepass.com/rpaccess.html - DOA as of 2024" ], @@ -4390,7 +4974,12 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/air_explorer_processes_sigma.yml", + "Description": "Detects potential processes activity of Air Explorer RMM tool" + } + ], "References": [], "Acknowledgement": [] }, 
@@ -4469,7 +5058,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/comodo_rmm_network_sigma.yml", + "Description": "Detects potential network activity of Comodo RMM RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/comodo_rmm_processes_sigma.yml", + "Description": "Detects potential processes activity of Comodo RMM RMM tool" + } + ], "References": [ "https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html" ], @@ -4516,7 +5114,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/showmypc_network_sigma.yml", + "Description": "Detects potential network activity of ShowMyPC RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/showmypc_processes_sigma.yml", + "Description": "Detects potential processes activity of ShowMyPC RMM tool" + } + ], "References": [ "https://showmypc.com/service/faq/ShowMyPCSecurityOverview1.pdf" ], @@ -4564,7 +5171,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/todesk_network_sigma.yml", + "Description": "Detects potential network activity of ToDesk RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/todesk_processes_sigma.yml", + "Description": "Detects potential processes activity of ToDesk RMM tool" + } + ], "References": [ "https://www.todesk.com/" ], @@ -4605,7 +5221,12 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/runsmart_network_sigma.yml", + "Description": "Detects potential network activity of RunSmart RMM tool" + } + ], "References": [], "Acknowledgement": [] }, 
@@ -4673,7 +5294,12 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/echoware_processes_sigma.yml", + "Description": "Detects potential processes activity of Echoware RMM tool" + } + ], "References": [], "Acknowledgement": [] }, @@ -4785,10 +5411,27 @@ } ] }, - "Detections": [], - "References": [ - "https://www.alpemix.com/en/remote-access" - ], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_registry_sigma.yml", + "Description": "Detects potential registry activity of Alpemix RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_network_sigma.yml", + "Description": "Detects potential network activity of Alpemix RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_files_sigma.yml", + "Description": "Detects potential files activity of Alpemix RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_processes_sigma.yml", + "Description": "Detects potential processes activity of Alpemix RMM tool" + } + ], + "References": [ + "https://www.alpemix.com/en/remote-access" + ], "Acknowledgement": [ { "Person": "Nasreddine Bencherchali", @@ -4833,7 +5476,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_ts_network_sigma.yml", + "Description": "Detects potential network activity of Royal TS RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_ts_processes_sigma.yml", + "Description": "Detects potential processes activity of Royal TS RMM tool" + } + ], "References": [], "Acknowledgement": [] }, 
@@ -4868,7 +5520,12 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dragondisk_processes_sigma.yml", + "Description": "Detects potential processes activity of DragonDisk RMM tool" + } + ], "References": [], "Acknowledgement": [] }, @@ -4913,7 +5570,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcvisit_network_sigma.yml", + "Description": "Detects potential network activity of Pcvisit RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcvisit_processes_sigma.yml", + "Description": "Detects potential processes activity of Pcvisit RMM tool" + } + ], "References": [ "https://www.pcvisit.de/" ], @@ -4958,7 +5624,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_automate__labtech__network_sigma.yml", + "Description": "Detects potential network activity of Connectwise Automate (LabTech) RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_automate__labtech__processes_sigma.yml", + "Description": "Detects potential processes activity of Connectwise Automate (LabTech) RMM tool" + } + ], "References": [ "https://www.connectwise.com/company/announcements/labtech-now-connectwise-automate" ], @@ -5000,7 +5675,12 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware_processes_sigma.yml", + "Description": "Detects potential processes activity of DameWare RMM tool" + } + ], "References": [ "https://documentation.solarwinds.com/en/success_center/dameware/content/install-standalone-port-requirements.htm" ], 
@@ -5038,7 +5718,12 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/onionshare_processes_sigma.yml", + "Description": "Detects potential processes activity of Onionshare RMM tool" + } + ], "References": [], "Acknowledgement": [] }, @@ -5083,7 +5768,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tailscale_network_sigma.yml", + "Description": "Detects potential network activity of Tailscale RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tailscale_processes_sigma.yml", + "Description": "Detects potential processes activity of Tailscale RMM tool" + } + ], "References": [ "https://tailscale.com/kb/1023/troubleshooting" ], @@ -5129,7 +5823,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/senso.cloud_network_sigma.yml", + "Description": "Detects potential network activity of Senso.cloud RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/senso.cloud_processes_sigma.yml", + "Description": "Detects potential processes activity of Senso.cloud RMM tool" + } + ], "References": [ "https://support.senso.cloud/support/solutions/articles/79000116305-firewall-and-content-filter-configuration" ], 
@@ -5215,7 +5918,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultraviewer_network_sigma.yml", + "Description": "Detects potential network activity of UltraViewer RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultraviewer_processes_sigma.yml", + "Description": "Detects potential processes activity of UltraViewer RMM tool" + } + ], "References": [ "https://www.ultraviewer.net/en/200000026-summary-of-ultraviewer-s-security-information.html" ], @@ -5260,7 +5972,12 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kickidler_network_sigma.yml", + "Description": "Detects potential network activity of KickIdler RMM tool" + } + ], "References": [ "https://www.kickidler.com/for-it/faq/" ], @@ -5334,7 +6051,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ehorus_network_sigma.yml", + "Description": "Detects potential network activity of eHorus RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ehorus_processes_sigma.yml", + "Description": "Detects potential processes activity of eHorus RMM tool" + } + ], "References": [], "Acknowledgement": [] }, @@ -5375,7 +6101,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quick_assist_network_sigma.yml", + "Description": "Detects potential network activity of Quick Assist RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quick_assist_processes_sigma.yml", + "Description": "Detects potential processes activity of Quick Assist RMM tool" + } + ], "References": [], "Acknowledgement": [] }, 
@@ -5431,7 +6166,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_network_sigma.yml", + "Description": "Detects potential network activity of N-Able Advanced Monitoring Agent RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_processes_sigma.yml", + "Description": "Detects potential processes activity of N-Able Advanced Monitoring Agent RMM tool" + } + ], "References": [ "https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm" ], @@ -5467,7 +6211,12 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kitty_processes_sigma.yml", + "Description": "Detects potential processes activity of KiTTY RMM tool" + } + ], "References": [], "Acknowledgement": [] }, @@ -5510,7 +6259,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray__awesun__network_sigma.yml", + "Description": "Detects potential network activity of AweRay (AweSun) RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray__awesun__processes_sigma.yml", + "Description": "Detects potential processes activity of AweRay (AweSun) RMM tool" + } + ], "References": [], "Acknowledgement": [] }, 
@@ -5551,7 +6309,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdeck_network_sigma.yml", + "Description": "Detects potential network activity of FleetDeck RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdeck_processes_sigma.yml", + "Description": "Detects potential processes activity of FleetDeck RMM tool" + } + ], "References": [], "Acknowledgement": [] }, @@ -5595,7 +6362,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teledesktop_network_sigma.yml", + "Description": "Detects potential network activity of TeleDesktop RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teledesktop_processes_sigma.yml", + "Description": "Detects potential processes activity of TeleDesktop RMM tool" + } + ], "References": [ "http://potomacsoft.com/ - DOA as of 2024" ], @@ -5639,7 +6415,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_utilities_network_sigma.yml", + "Description": "Detects potential network activity of Remote Utilities RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_utilities_processes_sigma.yml", + "Description": "Detects potential processes activity of Remote Utilities RMM tool" + } + ], "References": [ "https://www.remoteutilities.com/download/" ], 
@@ -5716,7 +6501,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_network_sigma.yml", + "Description": "Detects potential network activity of NetSupport Manager RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_processes_sigma.yml", + "Description": "Detects potential processes activity of NetSupport Manager RMM tool" + } + ], "References": [ "https://www.netsupportmanager.com/resources/" ], @@ -5762,7 +6556,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotohttp_network_sigma.yml", + "Description": "Detects potential network activity of GotoHTTP RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotohttp_processes_sigma.yml", + "Description": "Detects potential processes activity of GotoHTTP RMM tool" + } + ], "References": [ "https://gotohttp.com/goto/help.12x" ], @@ -5810,7 +6613,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteutilities_network_sigma.yml", + "Description": "Detects potential network activity of RemoteUtilities RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteutilities_processes_sigma.yml", + "Description": "Detects potential processes activity of RemoteUtilities RMM tool" + } + ], "References": [], "Acknowledgement": [] }, 
@@ -5992,7 +6804,20 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_registry_sigma.yml", + "Description": "Detects potential registry activity of GoToMyPC RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_network_sigma.yml", + "Description": "Detects potential network activity of GoToMyPC RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_files_sigma.yml", + "Description": "Detects potential files activity of GoToMyPC RMM tool" + } + ], "References": [ "https://support.logmeininc.com/gotomypc/help/what-are-the-optimal-firewall-configurations#", "https://support.goto.com/training/help/how-do-i-configure-gototraining-to-work-with-firewalls", @@ -6080,7 +6905,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/seetrol_network_sigma.yml", + "Description": "Detects potential network activity of Seetrol RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/seetrol_processes_sigma.yml", + "Description": "Detects potential processes activity of Seetrol RMM tool" + } + ], "References": [ "http://www.seetrol.com/en/features/features3.php" ], @@ -6124,7 +6958,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpview_network_sigma.yml", + "Description": "Detects potential network activity of RDPView RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpview_processes_sigma.yml", + "Description": "Detects potential processes activity of RDPView RMM tool" + } + ], "References": [ "systemmanager.ru/dntu.en/rdp_view.htm - Same as Damware" ], 
@@ -6188,7 +7031,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoho_assist_network_sigma.yml", + "Description": "Detects potential network activity of Zoho Assist RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoho_assist_processes_sigma.yml", + "Description": "Detects potential processes activity of Zoho Assist RMM tool" + } + ], "References": [ "https://www.zoho.com/assist/kb/firewall-configuration.html" ], @@ -6226,7 +7078,12 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xpra_processes_sigma.yml", + "Description": "Detects potential processes activity of Xpra RMM tool" + } + ], "References": [], "Acknowledgement": [] }, @@ -6261,7 +7118,12 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudbuckit_processes_sigma.yml", + "Description": "Detects potential processes activity of CloudBuckIt RMM tool" + } + ], "References": [], "Acknowledgement": [] }, @@ -6329,7 +7191,12 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/odrive_processes_sigma.yml", + "Description": "Detects potential processes activity of ODrive RMM tool" + } + ], "References": [], "Acknowledgement": [] }, @@ -6397,7 +7264,12 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manageengine_processes_sigma.yml", + "Description": "Detects potential processes activity of ManageEngine RMM tool" + } + ], "References": [], "Acknowledgement": [] }, 
@@ -6438,7 +7310,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/impero_connect_network_sigma.yml", + "Description": "Detects potential network activity of Impero Connect RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/impero_connect_processes_sigma.yml", + "Description": "Detects potential processes activity of Impero Connect RMM tool" + } + ], "References": [], "Acknowledgement": [] }, @@ -6471,7 +7352,12 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remcos_processes_sigma.yml", + "Description": "Detects potential processes activity of Remcos RMM tool" + } + ], "References": [], "Acknowledgement": [] }, @@ -6513,7 +7399,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pdq_connect_network_sigma.yml", + "Description": "Detects potential network activity of PDQ Connect RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pdq_connect_processes_sigma.yml", + "Description": "Detects potential processes activity of PDQ Connect RMM tool" + } + ], "References": [ "https://connect.pdq.com/hc/en-us/articles/9518992071707-Network-Requirements" ], @@ -6581,7 +7476,12 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/air_live_drive_processes_sigma.yml", + "Description": "Detects potential processes activity of Air Live Drive RMM tool" + } + ], "References": [], "Acknowledgement": [] }, 
@@ -6641,7 +7541,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncro_network_sigma.yml", + "Description": "Detects potential network activity of Syncro RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncro_processes_sigma.yml", + "Description": "Detects potential processes activity of Syncro RMM tool" + } + ], "References": [ "https://community.syncromsp.com/t/syncro-exceptions-and-allowlists/2004" ], @@ -6684,7 +7593,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/247ithelp.com__connectwise__network_sigma.yml", + "Description": "Detects potential network activity of 247ithelp.com (ConnectWise) RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/247ithelp.com__connectwise__processes_sigma.yml", + "Description": "Detects potential processes activity of 247ithelp.com (ConnectWise) RMM tool" + } + ], "References": [ "Similar / replaced by ScreenConnect" ], @@ -6728,7 +7646,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer_network_sigma.yml", + "Description": "Detects potential network activity of Netviewer RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer_processes_sigma.yml", + "Description": "Detects potential processes activity of Netviewer RMM tool" + } + ], "References": [], "Acknowledgement": [] }, 
@@ -6771,7 +7698,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syspectr_network_sigma.yml", + "Description": "Detects potential network activity of Syspectr RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syspectr_processes_sigma.yml", + "Description": "Detects potential processes activity of Syspectr RMM tool" + } + ], "References": [ "https://www.syspectr.com/en/installation-in-a-network" ], @@ -6817,10 +7753,19 @@ } ] }, - "Detections": [], - "References": [ - "https://www.01com.com/mobile/imintouch-remote-pc-desktop/faqs/remote-access/" - ], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/i'm_intouch_network_sigma.yml", + "Description": "Detects potential network activity of I'm InTouch RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/i'm_intouch_processes_sigma.yml", + "Description": "Detects potential processes activity of I'm InTouch RMM tool" + } + ], + "References": [ + "https://www.01com.com/mobile/imintouch-remote-pc-desktop/faqs/remote-access/" + ], "Acknowledgement": [] }, { @@ -6855,7 +7800,12 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aria2_processes_sigma.yml", + "Description": "Detects potential processes activity of aria2 RMM tool" + } + ], "References": [], "Acknowledgement": [] }, 
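Review bot: The new Sigma paths `i'm_intouch_network_sigma.yml` and `i'm_intouch_processes_sigma.yml` carry an apostrophe from the tool name into a filename and a GitHub URL. The character is legal in both, but it breaks naive single-quoted shell handling of the path, is inconsistent with every other name here, and the URL is not percent-encoded as some fetchers expect. Other entries show the same slugifier passing `.` and `-` through and leaving doubled underscores where parentheses were removed (`247ithelp.com__connectwise__`, `mionet__also_known_as_wd_anywhere_access__`). If these names are produced from the tool name, restrict the slug to `[a-z0-9_]` and collapse runs before writing the file and the link, e.g. `re.sub(r'[^a-z0-9]+', '_', name.lower()).strip('_')`.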
@@ -6898,7 +7848,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_light_network_sigma.yml", + "Description": "Detects potential network activity of ISL Light RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_light_processes_sigma.yml", + "Description": "Detects potential processes activity of ISL Light RMM tool" + } + ], "References": [], "Acknowledgement": [] }, @@ -6976,7 +7935,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_connect_network_sigma.yml", + "Description": "Detects potential network activity of Ericom Connect RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_connect_processes_sigma.yml", + "Description": "Detects potential processes activity of Ericom Connect RMM tool" + } + ], "References": [ "https://www.ericom.com/connect-accessnow/" ], @@ -7013,7 +7981,12 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/yandex.disk_processes_sigma.yml", + "Description": "Detects potential processes activity of Yandex.Disk RMM tool" + } + ], "References": [], "Acknowledgement": [] }, @@ -7061,7 +8034,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/litemanager_network_sigma.yml", + "Description": "Detects potential network activity of LiteManager RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/litemanager_processes_sigma.yml", + "Description": "Detects potential processes activity of LiteManager RMM tool" + } + ], "References": [ "https://www.litemanager.com/articles/LiteManager_remote_access_to_a_desktop_via_the_Internet_or_LAN/" ], 
@@ -7112,7 +8094,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beanywhere_network_sigma.yml", + "Description": "Detects potential network activity of BeAnyWhere RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beanywhere_processes_sigma.yml", + "Description": "Detects potential processes activity of BeAnyWhere RMM tool" + } + ], "References": [ "https://www.shouldiremoveit.com/beanywhere-support-service-40908-program.aspx" ], @@ -7156,7 +8147,12 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_cloud_network_sigma.yml", + "Description": "Detects potential network activity of Jump Cloud RMM tool" + } + ], "References": [ "https://jumpcloud.com/support/understand-remote-assist-agent" ], @@ -7232,7 +8228,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray_network_sigma.yml", + "Description": "Detects potential network activity of AweRay RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray_processes_sigma.yml", + "Description": "Detects potential processes activity of AweRay RMM tool" + } + ], "References": [ "https://sun.aweray.com/help" ], @@ -7278,7 +8283,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remobo_network_sigma.yml", + "Description": "Detects potential network activity of Remobo RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remobo_processes_sigma.yml", + "Description": "Detects potential processes activity of Remobo RMM tool" + } + ], "References": [ "https://www.remobo.com - DOA as of 2024" ], 
@@ -7326,7 +8340,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_network_sigma.yml", + "Description": "Detects potential network activity of ESET Remote Administrator RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_processes_sigma.yml", + "Description": "Detects potential processes activity of ESET Remote Administrator RMM tool" + } + ], "References": [ "eset.com/me/business/remote-management/remote-administrator/" ], @@ -7375,7 +8398,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__network_sigma.yml", + "Description": "Detects potential network activity of BeyondTrust (Bomgar) RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__processes_sigma.yml", + "Description": "Detects potential processes activity of BeyondTrust (Bomgar) RMM tool" + } + ], "References": [ "https://www.beyondtrust.com/docs/remote-support/getting-started/deployment/cloud/network.htm" ], @@ -7414,7 +8446,12 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultra_vnc_processes_sigma.yml", + "Description": "Detects potential processes activity of Ultra VNC RMM tool" + } + ], "References": [], "Acknowledgement": [] }, 
@@ -7458,7 +8495,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcanywhere_network_sigma.yml", + "Description": "Detects potential network activity of pcAnywhere RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcanywhere_processes_sigma.yml", + "Description": "Detects potential processes activity of pcAnywhere RMM tool" + } + ], "References": [ "https://en.wikipedia.org/wiki/PcAnywhere" ], @@ -7505,7 +8551,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote.it_network_sigma.yml", + "Description": "Detects potential network activity of Remote.it RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote.it_processes_sigma.yml", + "Description": "Detects potential processes activity of Remote.it RMM tool" + } + ], "References": [ "https://docs.remote.it/introduction/get-started" ], @@ -7546,7 +8601,12 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cruz_network_sigma.yml", + "Description": "Detects potential network activity of Cruz RMM tool" + } + ], "References": [], "Acknowledgement": [] }, @@ -7588,7 +8648,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/guacamole_network_sigma.yml", + "Description": "Detects potential network activity of Guacamole RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/guacamole_processes_sigma.yml", + "Description": "Detects potential processes activity of Guacamole RMM tool" + } + ], "References": [ "guacamole.apache.org" ], 
@@ -7633,7 +8702,12 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/addigy_network_sigma.yml", + "Description": "Detects potential network activity of Addigy RMM tool" + } + ], "References": [ "https://addigy.com/" ], @@ -7678,7 +8752,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aeroadmin_network_sigma.yml", + "Description": "Detects potential network activity of AeroAdmin RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aeroadmin_processes_sigma.yml", + "Description": "Detects potential processes activity of AeroAdmin RMM tool" + } + ], "References": [ "https://support.aeroadmin.com/kb/faq.php?id=58" ], @@ -7727,7 +8810,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdesk.io_network_sigma.yml", + "Description": "Detects potential network activity of FleetDesk.io RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdesk.io_processes_sigma.yml", + "Description": "Detects potential processes activity of FleetDesk.io RMM tool" + } + ], "References": [ "https://fleetdeck.io/faq/" ], @@ -7771,7 +8863,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware-mini_remote_control_protocol_network_sigma.yml", + "Description": "Detects potential network activity of Dameware-mini remote control Protocol RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware-mini_remote_control_protocol_processes_sigma.yml", + "Description": "Detects potential processes activity of Dameware-mini remote control Protocol RMM tool" + } + ], "References": [], "Acknowledgement": [] }, 
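Review bot: The name used to build the rule filename and description in the FleetDesk.io record, `fleetdesk.io_network_sigma.yml`, disagrees with the reference in the same record (`https://fleetdeck.io/faq/`); one of the two spellings is wrong, and if the rule file was named from the same string the link will break as soon as the entry is corrected. Whatever emits these records should verify that each `Sigma` path exists under `detections/sigma/` before the URL is written, so a typo in a tool name fails the build instead of publishing a dead detection link.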
@@ -7805,7 +8906,12 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/access_remote_pc_processes_sigma.yml", + "Description": "Detects potential processes activity of Access Remote PC RMM tool" + } + ], "References": [], "Acknowledgement": [] }, @@ -7850,7 +8956,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/acronic_cyber_protect__remotix__network_sigma.yml", + "Description": "Detects potential network activity of Acronic Cyber Protect (Remotix) RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/acronic_cyber_protect__remotix__processes_sigma.yml", + "Description": "Detects potential processes activity of Acronic Cyber Protect (Remotix) RMM tool" + } + ], "References": [ "https://kb.acronis.com/content/47189" ], @@ -7899,7 +9014,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_network_sigma.yml", + "Description": "Detects potential network activity of Instant Housecall RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_processes_sigma.yml", + "Description": "Detects potential processes activity of Instant Housecall RMM tool" + } + ], "References": [ "https://instanthousecall.com/features/" ], 
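Review bot: `acronic_cyber_protect__remotix__network_sigma.yml` and the description "Acronic Cyber Protect" misspell the vendor named in the record's own reference (`https://kb.acronis.com/content/47189`), and that spelling is now baked into the rule URL. Fix the source entry (and rename the rule files) before this link is published; correcting it later breaks the link, and an analyst searching the corpus for "Acronis" will otherwise miss the entry entirely.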
@@ -7945,7 +9069,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/skyfex_network_sigma.yml", + "Description": "Detects potential network activity of SkyFex RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/skyfex_processes_sigma.yml", + "Description": "Detects potential processes activity of SkyFex RMM tool" + } + ], "References": [ "https://skyfex.com/" ], @@ -7989,7 +9122,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec_network_sigma.yml", + "Description": "Detects potential network activity of PSEXEC RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec_processes_sigma.yml", + "Description": "Detects potential processes activity of PSEXEC RMM tool" + } + ], "References": [ "https://learn.microsoft.com/en-us/sysinternals/downloads/psexec" ], @@ -8045,7 +9187,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/msp360_network_sigma.yml", + "Description": "Detects potential network activity of MSP360 RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/msp360_processes_sigma.yml", + "Description": "Detects potential processes activity of MSP360 RMM tool" + } + ], "References": [ "https://kb.msp360.com/managed-backup-service/mbs-tcp-ports-configuration#" ], @@ -8082,7 +9233,12 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/securecrt_processes_sigma.yml", + "Description": "Detects potential processes activity of SecureCRT RMM tool" + } + ], "References": [], "Acknowledgement": [] }, 
@@ -8130,7 +9286,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/vnc_network_sigma.yml", + "Description": "Detects potential network activity of VNC RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/vnc_processes_sigma.yml", + "Description": "Detects potential processes activity of VNC RMM tool" + } + ], "References": [ "https://realvnc.com/en/connect/download/vnc" ], @@ -8175,7 +9340,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/panorama9_network_sigma.yml", + "Description": "Detects potential network activity of Panorama9 RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/panorama9_processes_sigma.yml", + "Description": "Detects potential processes activity of Panorama9 RMM tool" + } + ], "References": [ "https://support.panorama9.com/en/articles/1859605-what-ports-and-hosts-does-the-p9-agent-communicate-with" ], @@ -8223,7 +9397,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme_network_sigma.yml", + "Description": "Detects potential network activity of FixMe RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme_processes_sigma.yml", + "Description": "Detects potential processes activity of FixMe RMM tool" + } + ], "References": [], "Acknowledgement": [] }, 
@@ -8272,7 +9455,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_network_sigma.yml", + "Description": "Detects potential network activity of ISL Online RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_processes_sigma.yml", + "Description": "Detects potential processes activity of ISL Online RMM tool" + } + ], "References": [ "https://help.islonline.com/19818/165940" ], @@ -8319,7 +9511,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/res_automation_manager_network_sigma.yml", + "Description": "Detects potential network activity of RES Automation Manager RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/res_automation_manager_processes_sigma.yml", + "Description": "Detects potential processes activity of RES Automation Manager RMM tool" + } + ], "References": [ "https://forums.ivanti.com/s/article/INFO-Which-ports-does-Ivanti-Automation-use?language=en_US&ui-force-components-controllers-recordGlobalValueProvider.RecordGvp.getRecord=1" ], @@ -8357,7 +9558,12 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rclone_processes_sigma.yml", + "Description": "Detects potential processes activity of rclone RMM tool" + } + ], "References": [], "Acknowledgement": [] }, 
@@ -8679,6 +9885,22 @@ "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yml", "Name": "Atera Agent Installation", "Description": "Detects Atera Agent installation." + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_registry_sigma.yml", + "Description": "Detects potential registry activity of Atera RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_network_sigma.yml", + "Description": "Detects potential network activity of Atera RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_files_sigma.yml", + "Description": "Detects potential files activity of Atera RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_processes_sigma.yml", + "Description": "Detects potential processes activity of Atera RMM tool" } ], "References": [ @@ -8742,7 +9964,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crossloop_network_sigma.yml", + "Description": "Detects potential network activity of CrossLoop RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crossloop_processes_sigma.yml", + "Description": "Detects potential processes activity of CrossLoop RMM tool" + } + ], "References": [ "www.CrossLoop.com -> redirects to avast.com" ], 
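Review bot: The four new Atera entries carry only `Sigma` and `Description`, while the existing entry directly above them also has `"Name": "Atera Agent Installation"`, so consumers that render or index detections by `Name` will show the LOLRMM rules blank or fall back to the URL. Either populate `Name` for generated entries (the rule's `title` field is the natural source) or document that `Name` is optional so downstream validators do not reject these records. The same shape is used by every new entry in this diff, so the decision should be made once in the emitter rather than patched per tool.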
@@ -8788,7 +10019,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_network_sigma.yml", + "Description": "Detects potential network activity of Level.io RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_processes_sigma.yml", + "Description": "Detects potential processes activity of Level.io RMM tool" + } + ], "References": [ "https://docs.level.io/1.0/admin-guides/troubleshooting-agent-issues" ], @@ -8834,7 +10074,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tactical_rmm_network_sigma.yml", + "Description": "Detects potential network activity of Tactical RMM RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tactical_rmm_processes_sigma.yml", + "Description": "Detects potential processes activity of Tactical RMM RMM tool" + } + ], "References": [ "docs.tacticalrmm.com" ], @@ -8875,7 +10124,12 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fortra_network_sigma.yml", + "Description": "Detects potential network activity of Fortra RMM tool" + } + ], "References": [ "https://www.fortra.com - No free/cloud RMM softwars listed" ], @@ -8920,7 +10174,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sorillus_network_sigma.yml", + "Description": "Detects potential network activity of Sorillus RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sorillus_processes_sigma.yml", + "Description": "Detects potential processes activity of Sorillus RMM tool" + } + ], "References": [ "https://sorillus.com/" ], 
@@ -8971,7 +10234,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotecall_network_sigma.yml", + "Description": "Detects potential network activity of RemoteCall RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotecall_processes_sigma.yml", + "Description": "Detects potential processes activity of RemoteCall RMM tool" + } + ], "References": [ "https://help.remotecall.com/hc/en-us/articles/360005128814--RemoteCall-Server-List-For-Firewall" ], @@ -9021,7 +10293,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_everywhere_network_sigma.yml", + "Description": "Detects potential network activity of Laplink Everywhere RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_everywhere_processes_sigma.yml", + "Description": "Detects potential processes activity of Laplink Everywhere RMM tool" + } + ], "References": [ "https://everywhere.laplink.com/docs" ], @@ -9061,7 +10342,12 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/megasync_processes_sigma.yml", + "Description": "Detects potential processes activity of MEGAsync RMM tool" + } + ], "References": [], "Acknowledgement": [] }, 
@@ -9104,7 +10390,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/neturo_network_sigma.yml", + "Description": "Detects potential network activity of Neturo RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/neturo_processes_sigma.yml", + "Description": "Detects potential processes activity of Neturo RMM tool" + } + ], "References": [ "Obscure, located an older copy here: http://www.iconpos.com/pos/home/iconpos/bbs.php?id=file&q=view&uid=2" ], @@ -9150,7 +10445,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_network_sigma.yml", + "Description": "Detects potential network activity of Distant Desktop RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_processes_sigma.yml", + "Description": "Detects potential processes activity of Distant Desktop RMM tool" + } + ], "References": [ "https://www.distantdesktop.com/manual/first-start.htm" ], @@ -9224,7 +10528,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyplace_control_network_sigma.yml", + "Description": "Detects potential network activity of Anyplace Control RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyplace_control_processes_sigma.yml", + "Description": "Detects potential processes activity of Anyplace Control RMM tool" + } + ], "References": [ "http://www.anyplace-control.com/anyplace-control/help/faq.htm" ], 
@@ -9292,7 +10605,12 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/extraputty_processes_sigma.yml", + "Description": "Detects potential processes activity of ExtraPuTTY RMM tool" + } + ], "References": [], "Acknowledgement": [] }, @@ -9336,7 +10654,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpwrap_network_sigma.yml", + "Description": "Detects potential network activity of rdpwrap RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpwrap_processes_sigma.yml", + "Description": "Detects potential processes activity of rdpwrap RMM tool" + } + ], "References": [ "github.com/stascorp/rdpwrap" ], @@ -9377,7 +10704,12 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_remote_access_software_network_sigma.yml", + "Description": "Detects potential network activity of N-ABLE Remote Access Software RMM tool" + } + ], "References": [], "Acknowledgement": [] }, @@ -9414,7 +10746,12 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/google_drive_processes_sigma.yml", + "Description": "Detects potential processes activity of Google Drive RMM tool" + } + ], "References": [], "Acknowledgement": [] }, @@ -9449,7 +10786,12 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/solar-putty_processes_sigma.yml", + "Description": "Detects potential processes activity of Solar-PuTTY RMM tool" + } + ], "References": [], "Acknowledgement": [] }, 
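Review bot: `Detects potential processes activity of Google Drive RMM tool` (likewise the ExtraPuTTY and Solar-PuTTY entries in this hunk, and rclone and MEGAsync elsewhere in the diff) labels file-sync and SSH clients as RMM tools, which misleads an analyst who only sees the rule description in a SIEM alert. The template should take the entry's category instead of hard-coding "RMM tool", e.g. `Detects potential process activity of Google Drive (file sync / exfiltration tool)`, and "processes activity" should read "process activity" throughout.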
@@ -9708,7 +11050,24 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_registry_sigma.yml", + "Description": "Detects potential registry activity of TeamViewer RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_network_sigma.yml", + "Description": "Detects potential network activity of TeamViewer RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_files_sigma.yml", + "Description": "Detects potential files activity of TeamViewer RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_processes_sigma.yml", + "Description": "Detects potential processes activity of TeamViewer RMM tool" + } + ], "References": [ "https://community.teamviewer.com/English/kb/articles/4139-ports-used-by-teamviewer", "https://arista.my.site.com/AristaCommunity/s/article/Security-Analysis-TeamViewer#", @@ -9773,7 +11132,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itarian_network_sigma.yml", + "Description": "Detects potential network activity of Itarian RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itarian_processes_sigma.yml", + "Description": "Detects potential processes activity of Itarian RMM tool" + } + ], "References": [ "https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html" ], 
@@ -9816,7 +11184,12 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/visual_studio_dev_tunnel_network_sigma.yml", + "Description": "Detects potential network activity of Visual Studio Dev Tunnel RMM tool" + } + ], "References": [ "https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security" ], @@ -9859,7 +11232,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__network_sigma.yml", + "Description": "Detects potential network activity of ITSupport247 (ConnectWise) RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__processes_sigma.yml", + "Description": "Detects potential processes activity of ITSupport247 (ConnectWise) RMM tool" + } + ], "References": [ "https://control.itsupport247.net/" ], @@ -9959,6 +11341,10 @@ { "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_remote_access_tools_logmein.yml", "Description": "Remote Access Tool - LogMeIn Execution" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_network_sigma.yml", + "Description": "Detects potential network activity of LogMeIn RMM tool" } ], "References": [ @@ -10002,7 +11388,12 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cyberduck_processes_sigma.yml", + "Description": "Detects potential processes activity of Cyberduck RMM tool" + } + ], "References": [], "Acknowledgement": [] }, 
@@ -10041,7 +11432,12 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/electric_network_sigma.yml", + "Description": "Detects potential network activity of Electric RMM tool" + } + ], "References": [], "Acknowledgement": [] }, @@ -10107,7 +11503,12 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teracloud_processes_sigma.yml", + "Description": "Detects potential processes activity of TeraCLOUD RMM tool" + } + ], "References": [], "Acknowledgement": [] }, @@ -10149,7 +11550,12 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netreo_network_sigma.yml", + "Description": "Detects potential network activity of Netreo RMM tool" + } + ], "References": [ "https://solutions.netreo.com/docs/firewall-requirements" ], @@ -10201,7 +11607,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__impero_connect__network_sigma.yml", + "Description": "Detects potential network activity of Netop Remote Control (Impero Connect) RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__impero_connect__processes_sigma.yml", + "Description": "Detects potential processes activity of Netop Remote Control (Impero Connect) RMM tool" + } + ], "References": [ "https://kb.netop.com/article/firewall-and-proxy-server-considerations-when-using-netop-portal-communication-373.html" ], 
@@ -10247,7 +11662,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop__beta__network_sigma.yml", + "Description": "Detects potential network activity of Splashtop (Beta) RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop__beta__processes_sigma.yml", + "Description": "Detects potential processes activity of Splashtop (Beta) RMM tool" + } + ], "References": [], "Acknowledgement": [] }, @@ -10291,7 +11715,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fastviewer_network_sigma.yml", + "Description": "Detects potential network activity of FastViewer RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fastviewer_processes_sigma.yml", + "Description": "Detects potential processes activity of FastViewer RMM tool" + } + ], "References": [ "https://fastviewer.com/demo/EN_FastViewer_Server%20Installation%20Configuration.pdf" ], @@ -10337,7 +11770,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rustdesk_network_sigma.yml", + "Description": "Detects potential network activity of RustDesk RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rustdesk_processes_sigma.yml", + "Description": "Detects potential processes activity of RustDesk RMM tool" + } + ], "References": [ "https://rustdesk.com/docs/en/" ], 
@@ -10424,7 +11866,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotoassist_network_sigma.yml", + "Description": "Detects potential network activity of GoToAssist RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotoassist_processes_sigma.yml", + "Description": "Detects potential processes activity of GoToAssist RMM tool" + } + ], "References": [ "https://help.gotoassist.com/remote-support/help/what-should-i-allow-on-my-firewall-for-gotoassist-remote-support-v5" ], @@ -10501,7 +11952,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpbeam_network_sigma.yml", + "Description": "Detects potential network activity of HelpBeam RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpbeam_processes_sigma.yml", + "Description": "Detects potential processes activity of HelpBeam RMM tool" + } + ], "References": [ "https://www.helpbeam.com domain for sale in 2024" ], @@ -10544,7 +12004,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ntr_remote_network_sigma.yml", + "Description": "Detects potential network activity of NTR Remote RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ntr_remote_processes_sigma.yml", + "Description": "Detects potential processes activity of NTR Remote RMM tool" + } + ], "References": [ "DOA as of 2024" ], 
@@ -10588,7 +12057,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/servereye_network_sigma.yml", + "Description": "Detects potential network activity of ServerEye RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/servereye_processes_sigma.yml", + "Description": "Detects potential processes activity of ServerEye RMM tool" + } + ], "References": [ "https://www.servereye.de/wp-content/uploads/Anleitung-zur-Erstinstallation_aktuell.pdf" ], @@ -10632,7 +12110,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/webrdp_network_sigma.yml", + "Description": "Detects potential network activity of WebRDP RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/webrdp_processes_sigma.yml", + "Description": "Detects potential processes activity of WebRDP RMM tool" + } + ], "References": [ "github.com/Mikej81/WebRDP" ], @@ -10703,7 +12190,12 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/s3_browser_processes_sigma.yml", + "Description": "Detects potential processes activity of S3 Browser RMM tool" + } + ], "References": [], "Acknowledgement": [] }, @@ -10744,7 +12236,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/any_support_network_sigma.yml", + "Description": "Detects potential network activity of Any Support RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/any_support_processes_sigma.yml", + "Description": "Detects potential processes activity of Any Support RMM tool" + } + ], "References": [ "https://www.anysupport.net/introduce_howto.php" ], 
@@ -10789,7 +12290,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beamyourscreen_network_sigma.yml", + "Description": "Detects potential network activity of BeamYourScreen RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beamyourscreen_processes_sigma.yml", + "Description": "Detects potential processes activity of BeamYourScreen RMM tool" + } + ], "References": [ "beamyourscreen redirects to https://www.mikogo.com/" ], @@ -10837,7 +12347,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sophos-remote_management_system_network_sigma.yml", + "Description": "Detects potential network activity of Sophos-Remote Management System RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sophos-remote_management_system_processes_sigma.yml", + "Description": "Detects potential processes activity of Sophos-Remote Management System RMM tool" + } + ], "References": [ "community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system" ], @@ -10874,7 +12393,12 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/amazon__cloud__drive_processes_sigma.yml", + "Description": "Detects potential processes activity of Amazon (Cloud) Drive RMM tool" + } + ], "References": [], "Acknowledgement": [] }, 
@@ -10915,7 +12439,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktop_central_network_sigma.yml", + "Description": "Detects potential network activity of Desktop Central RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktop_central_processes_sigma.yml", + "Description": "Detects potential processes activity of Desktop Central RMM tool" + } + ], "References": [], "Acknowledgement": [] }, @@ -10962,7 +12495,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec__clone__network_sigma.yml", + "Description": "Detects potential network activity of PSEXEC (Clone) RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec__clone__processes_sigma.yml", + "Description": "Detects potential processes activity of PSEXEC (Clone) RMM tool" + } + ], "References": [ "https://www.poweradmin.com/paexec/" ], @@ -11008,7 +12550,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/getscreen_network_sigma.yml", + "Description": "Detects potential network activity of GetScreen RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/getscreen_processes_sigma.yml", + "Description": "Detects potential processes activity of GetScreen RMM tool" + } + ], "References": [ "https://docs.getscreen.me/self-hosted/system-requirements/" ], 
@@ -11063,7 +12614,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepc_network_sigma.yml", + "Description": "Detects potential network activity of RemotePC RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepc_processes_sigma.yml", + "Description": "Detects potential processes activity of RemotePC RMM tool" + } + ], "References": [ "https://www.remotedesktop.com/helpdesk/faq-firewall" ], @@ -11111,7 +12671,16 @@ } ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_network_sigma.yml", + "Description": "Detects potential network activity of Tanium RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_processes_sigma.yml", + "Description": "Detects potential processes activity of Tanium RMM tool" + } + ], "References": [ "https://help.tanium.com/bundle/ug_client_cloud/page/client/platform_connections.html" ], @@ -11149,7 +12718,12 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/goodsync_processes_sigma.yml", + "Description": "Detects potential processes activity of GoodSync RMM tool" + } + ], "References": [], "Acknowledgement": [] }, @@ -11182,7 +12756,12 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labteach__connectwise_automate__processes_sigma.yml", + "Description": "Detects potential processes activity of LabTeach (Connectwise Automate) RMM tool" + } + ], "References": [], "Acknowledgement": [] }, 
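Review bot: `labteach__connectwise_automate__processes_sigma.yml` / "LabTeach (Connectwise Automate)" looks like a misspelling of the ConnectWise product LabTech; the diff does not show the rule file itself, so this may be a typo that already exists in the source entry, but if so it propagates into both the rule filename and the description analysts will see. Correct the source name and rename the rule file before this link is published, since fixing either one alone leaves a dead URL.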
@@ -11228,7 +12807,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteview_network_sigma.yml",
+ "Description": "Detects potential network activity of RemoteView RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteview_processes_sigma.yml",
+ "Description": "Detects potential processes activity of RemoteView RMM tool"
+ }
+ ],
 "References": [
 "https://help.rview.com/hc/en-us/articles/360005175994--RemoteView-Server-list-for-firewall"
 ],
@@ -11272,7 +12860,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultravnc_network_sigma.yml",
+ "Description": "Detects potential network activity of UltraVNC RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultravnc_processes_sigma.yml",
+ "Description": "Detects potential processes activity of UltraVNC RMM tool"
+ }
+ ],
 "References": [
 "https://uvnc.com/docs/uvnc-server/49-UltraVNC-server-configuration.html"
 ],
@@ -11309,7 +12906,12 @@
 "Registry": [],
 "Network": []
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/smartty_processes_sigma.yml",
+ "Description": "Detects potential processes activity of SmarTTY RMM tool"
+ }
+ ],
 "References": [],
 "Acknowledgement": []
 },
@@ -11355,7 +12957,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/absolute__computrace__network_sigma.yml",
+ "Description": "Detects potential network activity of Absolute (Computrace) RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/absolute__computrace__processes_sigma.yml",
+ "Description": "Detects potential processes activity of Absolute (Computrace) RMM tool"
+ }
+ ],
 "References": [
 "https://community.absolute.com/s/article/Understanding-Absolutes-Endpoint-Agents-Rpcnet-CTES-and-search-namequery-com"
 ],
@@ -11399,7 +13010,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quest_kace_agent__formerly_dell_kace__network_sigma.yml",
+ "Description": "Detects potential network activity of Quest KACE Agent (formerly Dell KACE) RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quest_kace_agent__formerly_dell_kace__processes_sigma.yml",
+ "Description": "Detects potential processes activity of Quest KACE Agent (formerly Dell KACE) RMM tool"
+ }
+ ],
 "References": [
 "https://support.quest.com/kb/4211365/which-network-ports-and-urls-are-required-for-the-kace-sma-appliance-to-function"
 ],
@@ -11443,7 +13063,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskshare_network_sigma.yml",
+ "Description": "Detects potential network activity of DeskShare RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskshare_processes_sigma.yml",
+ "Description": "Detects potential processes activity of DeskShare RMM tool"
+ }
+ ],
 "References": [
 "https://www.deskshare.com/help/fml/Active-and-Passive-connection-mode.aspx"
 ],
@@ -11479,7 +13108,12 @@
 "Registry": [],
 "Network": []
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_cloud__wyse__processes_sigma.yml",
+ "Description": "Detects potential processes activity of Pocket Cloud (Wyse) RMM tool"
+ }
+ ],
 "References": [
 "https://wyse-pocketcloud.informer.com/2.1/"
 ],
@@ -11527,7 +13161,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_network_sigma.yml",
+ "Description": "Detects potential network activity of ESET Remote Administrator RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_processes_sigma.yml",
+ "Description": "Detects potential processes activity of ESET Remote Administrator RMM tool"
+ }
+ ],
 "References": [
 "eset.com/me/business/remote-management/remote-administrator/"
 ],
@@ -11573,7 +13216,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pilixo_network_sigma.yml",
+ "Description": "Detects potential network activity of Pilixo RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pilixo_processes_sigma.yml",
+ "Description": "Detects potential processes activity of Pilixo RMM tool"
+ }
+ ],
 "References": [
 "https://pilixo.freshdesk.com/support/solutions/articles/9000141879-device-connectivity-and-firewalls"
 ],
@@ -11611,7 +13263,12 @@
 "Registry": [],
 "Network": []
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudmounter_processes_sigma.yml",
+ "Description": "Detects potential processes activity of CloudMounter RMM tool"
+ }
+ ],
 "References": [],
 "Acknowledgement": []
 },
@@ -11662,7 +13319,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mikogo_network_sigma.yml",
+ "Description": "Detects potential network activity of Mikogo RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mikogo_processes_sigma.yml",
+ "Description": "Detects potential processes activity of Mikogo RMM tool"
+ }
+ ],
 "References": [
 "https://mikogo.zendesk.com/hc/en-us/articles/214072478-Which-IP-addresses-do-we-use-for-our-services"
 ],
@@ -11762,7 +13428,12 @@
 "Registry": [],
 "Network": []
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/duplicati_processes_sigma.yml",
+ "Description": "Detects potential processes activity of Duplicati RMM tool"
+ }
+ ],
 "References": [],
 "Acknowledgement": []
 },
@@ -11801,7 +13472,12 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manageengine_rmm_central_network_sigma.yml",
+ "Description": "Detects potential network activity of ManageEngine RMM Central RMM tool"
+ }
+ ],
 "References": [],
 "Acknowledgement": []
 },
@@ -11837,7 +13513,12 @@
 "Registry": [],
 "Network": []
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/winscp_processes_sigma.yml",
+ "Description": "Detects potential processes activity of WinSCP RMM tool"
+ }
+ ],
 "References": [],
 "Acknowledgement": []
 },
@@ -11882,7 +13563,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gatherplace-desktop_sharing_network_sigma.yml",
+ "Description": "Detects potential network activity of GatherPlace-desktop sharing RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gatherplace-desktop_sharing_processes_sigma.yml",
+ "Description": "Detects potential processes activity of GatherPlace-desktop sharing RMM tool"
+ }
+ ],
 "References": [
 "https://www.gatherplace.com/kb?id=136377"
 ],
@@ -11927,7 +13617,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_gold_network_sigma.yml",
+ "Description": "Detects potential network activity of Laplink Gold RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_gold_processes_sigma.yml",
+ "Description": "Detects potential processes activity of Laplink Gold RMM tool"
+ }
+ ],
 "References": [
 "wen.laplink.com/product/laplink-gold"
 ],
@@ -11970,7 +13669,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centurion_network_sigma.yml",
+ "Description": "Detects potential network activity of Centurion RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centurion_processes_sigma.yml",
+ "Description": "Detects potential processes activity of Centurion RMM tool"
+ }
+ ],
 "References": [
 "https://data443.atlassian.net/servicedesk/customer/portal/20"
 ],
@@ -12015,7 +13723,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ivanti_remote_control_network_sigma.yml",
+ "Description": "Detects potential network activity of Ivanti Remote Control RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ivanti_remote_control_processes_sigma.yml",
+ "Description": "Detects potential processes activity of Ivanti Remote Control RMM tool"
+ }
+ ],
 "References": [
 "https://rc1.ivanticloud.com/"
 ],
@@ -12189,7 +13906,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xeox_network_sigma.yml",
+ "Description": "Detects potential network activity of Xeox RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xeox_processes_sigma.yml",
+ "Description": "Detects potential processes activity of Xeox RMM tool"
+ }
+ ],
 "References": [
 "https://help.xeox.com/knowledge-base/gSuyNfDH6u79M82utnswf2/firewall-settings-xeox-agent-and-integrations/47T7S9tZJ2L1Z2W5gwuXoW"
 ],
@@ -12235,7 +13961,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ezhelp_network_sigma.yml",
+ "Description": "Detects potential network activity of ezHelp RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ezhelp_processes_sigma.yml",
+ "Description": "Detects potential processes activity of ezHelp RMM tool"
+ }
+ ],
 "References": [
 "https://www.exhelp.co.kr"
 ],
@@ -12281,7 +14016,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_network_sigma.yml",
+ "Description": "Detects potential network activity of Level.io RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_processes_sigma.yml",
+ "Description": "Detects potential processes activity of Level.io RMM tool"
+ }
+ ],
 "References": [
 "https://docs.level.io/1.0/admin-guides/troubleshooting-agent-issues"
 ],
@@ -12387,7 +14131,12 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/synergy_network_sigma.yml",
+ "Description": "Detects potential network activity of Synergy RMM tool"
+ }
+ ],
 "References": [
 "https://symless.com/synergy"
 ],
@@ -12434,7 +14183,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_network_sigma.yml",
+ "Description": "Detects potential network activity of ConnectWise Control RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_processes_sigma.yml",
+ "Description": "Detects potential processes activity of ConnectWise Control RMM tool"
+ }
+ ],
 "References": [],
 "Acknowledgement": []
 },
@@ -12477,7 +14235,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/optitune_network_sigma.yml",
+ "Description": "Detects potential network activity of OptiTune RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/optitune_processes_sigma.yml",
+ "Description": "Detects potential processes activity of OptiTune RMM tool"
+ }
+ ],
 "References": [
 "https://www.bravurasoftware.com/optitune/support/faq.aspx"
 ],
@@ -12587,7 +14354,12 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/encapto_network_sigma.yml",
+ "Description": "Detects potential network activity of Encapto RMM tool"
+ }
+ ],
 "References": [
 "https://www.encapto.com - used to manage Cisco services"
 ],
@@ -12732,6 +14504,18 @@
 "Description": "Threat hunting rule for detecting the execution of arbitrary code and remote sessions via Action1 RMM",
 "author": "@kostastsale",
 "Link": "https://github.com/tsale/Sigma_rules/blob/ea87e4fc851207ca0f002ec043624f2b3bf1b2da/Threat%20Hunting%20Queries/Action1_RMM.yml"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_registry_sigma.yml",
+ "Description": "Detects potential registry activity of Action1 RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_network_sigma.yml",
+ "Description": "Detects potential network activity of Action1 RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_files_sigma.yml",
+ "Description": "Detects potential files activity of Action1 RMM tool"
 }
 ],
 "References": [
@@ -12788,7 +14572,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdeck.io_network_sigma.yml",
+ "Description": "Detects potential network activity of FleetDeck.io RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdeck.io_processes_sigma.yml",
+ "Description": "Detects potential processes activity of FleetDeck.io RMM tool"
+ }
+ ],
 "References": [],
 "Acknowledgement": []
 },
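Review bot: In the Action1 hunk the appended detections use a `Sigma` key and unpinned `blob/main` URLs, while the existing record they are appended after uses `author` and `Link` with a commit-pinned URL (`.../blob/ea87e4fc…/Action1_RMM.yml`), so the array now mixes two record shapes and any consumer of this file (the templates in this repo, or tooling that fetches the referenced rules) has to handle both. For a detection catalogue the unpinned branch reference is the weaker choice: the rule behind `main` can change or be deleted without the catalogue noticing, and nothing here records a hash or version of what was referenced. Consider pinning to a commit or adding a `Commit`/`Version` field next to `Sigma`, and normalising the older record to the same keys so renderers need only one code path.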
@@ -12824,7 +14617,12 @@
 "Registry": [],
 "Network": []
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superputty_processes_sigma.yml",
+ "Description": "Detects potential processes activity of SuperPuTTY RMM tool"
+ }
+ ],
 "References": [],
 "Acknowledgement": []
 },
@@ -12866,7 +14664,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_apps_network_sigma.yml",
+ "Description": "Detects potential network activity of Royal Apps RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_apps_processes_sigma.yml",
+ "Description": "Detects potential processes activity of Royal Apps RMM tool"
+ }
+ ],
 "References": [
 "https://www.royalapps.com/ts/win/download"
 ],
@@ -12907,7 +14714,12 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_deploy_network_sigma.yml",
+ "Description": "Detects potential network activity of Tanium Deploy RMM tool"
+ }
+ ],
 "References": [],
 "Acknowledgement": []
 },
@@ -12949,7 +14761,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zabbix_agent_network_sigma.yml",
+ "Description": "Detects potential network activity of Zabbix Agent RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zabbix_agent_processes_sigma.yml",
+ "Description": "Detects potential processes activity of Zabbix Agent RMM tool"
+ }
+ ],
 "References": [
 "https://www.zabbix.com/documentation/current/en/manual/appendix/install/windows_agent"
 ],
@@ -12997,7 +14818,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/weezo_network_sigma.yml",
+ "Description": "Detects potential network activity of Weezo RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/weezo_processes_sigma.yml",
+ "Description": "Detects potential processes activity of Weezo RMM tool"
+ }
+ ],
 "References": [
 "weezo.en.softonic.com"
 ],
@@ -13041,7 +14871,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beinsync_network_sigma.yml",
+ "Description": "Detects potential network activity of BeInSync RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beinsync_processes_sigma.yml",
+ "Description": "Detects potential processes activity of BeInSync RMM tool"
+ }
+ ],
 "References": [
 "https://en.wikipedia.org/wiki/Phoenix_Technologies"
 ],
@@ -13086,7 +14925,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenmeet_network_sigma.yml",
+ "Description": "Detects potential network activity of ScreenMeet RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenmeet_processes_sigma.yml",
+ "Description": "Detects potential processes activity of ScreenMeet RMM tool"
+ }
+ ],
 "References": [
 "https://docs.screenmeet.com/docs/firewall-white-list"
 ],
@@ -13130,7 +14978,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/myivo_network_sigma.yml",
+ "Description": "Detects potential network activity of MyIVO RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/myivo_processes_sigma.yml",
+ "Description": "Detects potential processes activity of MyIVO RMM tool"
+ }
+ ],
 "References": [
 "myivo.com - DOA as of 2024"
 ],
@@ -13175,7 +15032,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labtech_rmm__now_connectwise_automate__network_sigma.yml",
+ "Description": "Detects potential network activity of LabTech RMM (Now ConnectWise Automate) RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labtech_rmm__now_connectwise_automate__processes_sigma.yml",
+ "Description": "Detects potential processes activity of LabTech RMM (Now ConnectWise Automate) RMM tool"
+ }
+ ],
 "References": [],
 "Acknowledgement": []
 },
@@ -13217,7 +15083,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kabuto_network_sigma.yml",
+ "Description": "Detects potential network activity of Kabuto RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kabuto_processes_sigma.yml",
+ "Description": "Detects potential processes activity of Kabuto RMM tool"
+ }
+ ],
 "References": [
 "https://www.repairtechsolutions.com/documentation/kabuto/"
 ],
@@ -13285,7 +15160,12 @@
 "Registry": [],
 "Network": []
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoc_processes_sigma.yml",
+ "Description": "Detects potential processes activity of ZOC RMM tool"
+ }
+ ],
 "References": [],
 "Acknowledgement": []
 },
@@ -13326,10 +15206,19 @@
 }
 ]
 },
- "Detections": [],
- "References": [
- "https://github.com/KKomarov/AliWangWangEng/blob/master/chs.locale"
- ],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aliwangwang-remote-control_network_sigma.yml",
+ "Description": "Detects potential network activity of AliWangWang-remote-control RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aliwangwang-remote-control_processes_sigma.yml",
+ "Description": "Detects potential processes activity of AliWangWang-remote-control RMM tool"
+ }
+ ],
+ "References": [
+ "https://github.com/KKomarov/AliWangWangEng/blob/master/chs.locale"
+ ],
 "Acknowledgement": []
 },
 {
@@ -13377,7 +15266,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/goverlan_network_sigma.yml",
+ "Description": "Detects potential network activity of Goverlan RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/goverlan_processes_sigma.yml",
+ "Description": "Detects potential processes activity of Goverlan RMM tool"
+ }
+ ],
 "References": [
 "https://www.goverlan.com/pdf/Goverlan-Remote-Control-Software.pdf"
 ],
@@ -13420,7 +15318,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_quick_assist_network_sigma.yml",
+ "Description": "Detects potential network activity of Microsoft Quick Assist RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_quick_assist_processes_sigma.yml",
+ "Description": "Detects potential processes activity of Microsoft Quick Assist RMM tool"
+ }
+ ],
 "References": [
 "https://support.microsoft.com/en-us/windows/install-quick-assist-c17479b7-a49d-4d12-938c-dbfb97c88bca"
 ],
@@ -13487,7 +15394,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_network_sigma.yml",
+ "Description": "Detects potential network activity of N-Able Advanced Monitoring Agent RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_processes_sigma.yml",
+ "Description": "Detects potential processes activity of N-Able Advanced Monitoring Agent RMM tool"
+ }
+ ],
 "References": [
 "https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm"
 ],
@@ -13561,7 +15477,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mygreenpc_network_sigma.yml",
+ "Description": "Detects potential network activity of MyGreenPC RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mygreenpc_processes_sigma.yml",
+ "Description": "Detects potential processes activity of MyGreenPC RMM tool"
+ }
+ ],
 "References": [
 "http://www.mygreenpc.com/"
 ],
@@ -13598,7 +15523,12 @@
 "Registry": [],
 "Network": []
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncthing_processes_sigma.yml",
+ "Description": "Detects potential processes activity of Syncthing RMM tool"
+ }
+ ],
 "References": [],
 "Acknowledgement": []
 },
@@ -13645,7 +15575,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_network_sigma.yml",
+ "Description": "Detects potential network activity of Chrome Remote Desktop RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_processes_sigma.yml",
+ "Description": "Detects potential processes activity of Chrome Remote Desktop RMM tool"
+ }
+ ],
 "References": [
 "https://support.google.com/chrome/a/answer/2799701?hl=en"
 ],
@@ -13682,7 +15621,12 @@
 "Registry": [],
 "Network": []
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_rdp_processes_sigma.yml",
+ "Description": "Detects potential processes activity of Microsoft RDP RMM tool"
+ }
+ ],
 "References": [
 "https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/windows"
 ],
@@ -13731,7 +15675,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_network_sigma.yml",
+ "Description": "Detects potential network activity of Chrome Remote Desktop RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_processes_sigma.yml",
+ "Description": "Detects potential processes activity of Chrome Remote Desktop RMM tool"
+ }
+ ],
 "References": [
 "https://support.google.com/chrome/a/answer/2799701?hl=en"
 ],
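Review bot: The third hunk here (old line 13731) attaches exactly the same `chrome_remote_desktop_network_sigma.yml` / `chrome_remote_desktop_processes_sigma.yml` links and the same Google reference URL that the first hunk (old line 13645) attaches to a different record, which strongly suggests the catalogue holds two Chrome Remote Desktop records and the generator is emitting identical rules for both. Duplicate records double up in whatever renders this file and leave it ambiguous which record's artifacts a rule was derived from, so the duplication should be resolved in the source data rather than carried into the generated JSON. The `microsoft_rdp_processes_sigma.yml` link in the second hunk shows the same pattern — it is attached again to another record later in this diff. I cannot see the source records from here, so this is inferred from the identical generated content.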
@@ -13774,7 +15727,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_desktop_plus_network_sigma.yml",
+ "Description": "Detects potential network activity of Remote Desktop Plus RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_desktop_plus_processes_sigma.yml",
+ "Description": "Detects potential processes activity of Remote Desktop Plus RMM tool"
+ }
+ ],
 "References": [
 "https://www.donkz.nl/"
 ],
@@ -13819,7 +15781,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nateon-desktop_sharing_network_sigma.yml",
+ "Description": "Detects potential network activity of NateOn-desktop sharing RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nateon-desktop_sharing_processes_sigma.yml",
+ "Description": "Detects potential processes activity of NateOn-desktop sharing RMM tool"
+ }
+ ],
 "References": [
 "http://rsupport.nate.com/rview/r8/main/index.aspx"
 ],
@@ -13862,7 +15833,12 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/barracuda_network_sigma.yml",
+ "Description": "Detects potential network activity of Barracuda RMM tool"
+ }
+ ],
 "References": [
 "https://help.islonline.com/19799/166125"
 ],
@@ -13900,7 +15876,12 @@
 "Registry": [],
 "Network": []
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dropbox_processes_sigma.yml",
+ "Description": "Detects potential processes activity of Dropbox RMM tool"
+ }
+ ],
 "References": [],
 "Acknowledgement": []
 },
@@ -13943,7 +15924,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crosstec_remote_control_network_sigma.yml",
+ "Description": "Detects potential network activity of CrossTec Remote Control RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crosstec_remote_control_processes_sigma.yml",
+ "Description": "Detects potential processes activity of CrossTec Remote Control RMM tool"
+ }
+ ],
 "References": [
 "www.crosstecsoftware.com/supporthome.html - domain DOA 2/1/2024"
 ],
@@ -13987,7 +15977,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskday_network_sigma.yml",
+ "Description": "Detects potential network activity of DeskDay RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskday_processes_sigma.yml",
+ "Description": "Detects potential processes activity of DeskDay RMM tool"
+ }
+ ],
 "References": [
 "https://support.deskday.ai/en/articles/8235973-installing-the-end-user-application-ultimate"
 ],
@@ -14054,7 +16053,20 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_network_sigma.yml",
+ "Description": "Detects potential network activity of mRemoteNG RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_files_sigma.yml",
+ "Description": "Detects potential files activity of mRemoteNG RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_processes_sigma.yml",
+ "Description": "Detects potential processes activity of mRemoteNG RMM tool"
+ }
+ ],
 "References": [
 "https://github.com/mRemoteNG/mRemoteNG"
 ],
@@ -14090,7 +16102,12 @@
 "Registry": [],
 "Network": []
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/freenx_processes_sigma.yml",
+ "Description": "Detects potential processes activity of FreeNX RMM tool"
+ }
+ ],
 "References": [],
 "Acknowledgement": []
 },
@@ -14135,7 +16152,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_network_sigma.yml",
+ "Description": "Detects potential network activity of NetSupport Manager RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_processes_sigma.yml",
+ "Description": "Detects potential processes activity of NetSupport Manager RMM tool"
+ }
+ ],
 "References": [
 "https://www.netsupportmanager.com/resources/"
 ],
@@ -14180,7 +16206,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdp2tcp_network_sigma.yml",
+ "Description": "Detects potential network activity of rdp2tcp RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdp2tcp_processes_sigma.yml",
+ "Description": "Detects potential processes activity of rdp2tcp RMM tool"
+ }
+ ],
 "References": [
 "github.com/V-E-O/rdp2tcp"
 ],
@@ -14224,7 +16259,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__network_sigma.yml",
+ "Description": "Detects potential network activity of ITSupport247 (ConnectWise) RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__processes_sigma.yml",
+ "Description": "Detects potential processes activity of ITSupport247 (ConnectWise) RMM tool"
+ }
+ ],
 "References": [
 "https://control.itsupport247.net/"
 ],
@@ -14268,7 +16312,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pulseway_network_sigma.yml",
+ "Description": "Detects potential network activity of Pulseway RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pulseway_processes_sigma.yml",
+ "Description": "Detects potential processes activity of Pulseway RMM tool"
+ }
+ ],
 "References": [
 "https://intercom.help/pulseway/en/"
 ],
@@ -14312,7 +16365,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/naverisk_network_sigma.yml",
+ "Description": "Detects potential network activity of Naverisk RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/naverisk_processes_sigma.yml",
+ "Description": "Detects potential processes activity of Naverisk RMM tool"
+ }
+ ],
 "References": [
 "http://kb.naverisk.com/en/articles/2811223-deploying-naverisk-agents"
 ],
@@ -14350,7 +16412,12 @@
 "Registry": [],
 "Network": []
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/total_software_deployment_processes_sigma.yml",
+ "Description": "Detects potential processes activity of Total Software Deployment RMM tool"
+ }
+ ],
 "References": [],
 "Acknowledgement": []
 },
@@ -14398,7 +16465,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_network_sigma.yml",
+ "Description": "Detects potential network activity of ISL Online RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_processes_sigma.yml",
+ "Description": "Detects potential processes activity of ISL Online RMM tool"
+ }
+ ],
 "References": [
 "https://help.islonline.com/19818/165940"
 ],
@@ -14510,7 +16586,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/qq_im-remote_assistance_network_sigma.yml",
+ "Description": "Detects potential network activity of QQ IM-remote assistance RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/qq_im-remote_assistance_processes_sigma.yml",
+ "Description": "Detects potential processes activity of QQ IM-remote assistance RMM tool"
+ }
+ ],
 "References": [
 "https://en.wikipedia.org/wiki/Tencent_QQ"
 ],
@@ -14556,7 +16641,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_network_sigma.yml",
+ "Description": "Detects potential network activity of Distant Desktop RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_processes_sigma.yml",
+ "Description": "Detects potential processes activity of Distant Desktop RMM tool"
+ }
+ ],
 "References": [
 "https://www.distantdesktop.com/manual/first-start.htm"
 ],
@@ -14614,7 +16708,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme.it_network_sigma.yml",
+ "Description": "Detects potential network activity of FixMe.it RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme.it_processes_sigma.yml",
+ "Description": "Detects potential processes activity of FixMe.it RMM tool"
+ }
+ ],
 "References": [
 "https://docs.fixme.it/general-questions/which-ports-and-servers-does-fixme-it-use"
 ],
@@ -14651,7 +16754,12 @@
 "Registry": [],
 "Network": []
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/filezilla_processes_sigma.yml",
+ "Description": "Detects potential processes activity of FileZilla RMM tool"
+ }
+ ],
 "References": [],
 "Acknowledgement": []
 },
@@ -14684,7 +16792,12 @@
 "Registry": [],
 "Network": []
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_rdp_processes_sigma.yml",
+ "Description": "Detects potential processes activity of Microsoft RDP RMM tool"
+ }
+ ],
 "References": [
 "https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/windows"
 ],
@@ -14729,7 +16842,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rudesktop_network_sigma.yml",
+ "Description": "Detects potential network activity of RuDesktop RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rudesktop_processes_sigma.yml",
+ "Description": "Detects potential processes activity of RuDesktop RMM tool"
+ }
+ ],
 "References": [
 "https://rudesktop.ru"
 ],
@@ -14778,7 +16900,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__network_sigma.yml",
+ "Description": "Detects potential network activity of BeyondTrust (Bomgar) RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__processes_sigma.yml",
+ "Description": "Detects potential processes activity of BeyondTrust (Bomgar) RMM tool"
+ }
+ ],
 "References": [
 "https://www.beyondtrust.com/docs/remote-support/getting-started/deployment/cloud/network.htm"
 ],
@@ -14815,7 +16946,12 @@
 "Registry": [],
 "Network": []
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/freefilesync_processes_sigma.yml",
+ "Description": "Detects potential processes activity of FreeFileSync RMM tool"
+ }
+ ],
 "References": [],
 "Acknowledgement": []
 },
@@ -14859,7 +16995,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tightvnc_network_sigma.yml",
+ "Description": "Detects potential network activity of TightVNC RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tightvnc_processes_sigma.yml",
+ "Description": "Detects potential processes activity of TightVNC RMM tool"
+ }
+ ],
 "References": [
 "https://www.tightvnc.com/doc/win/TightVNC_for_Windows-Installation_and_Getting_Started.pdf"
 ],
@@ -14904,7 +17049,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_network_sigma.yml",
+ "Description": "Detects potential network activity of MeshCentral RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_processes_sigma.yml",
+ "Description": "Detects potential processes activity of MeshCentral RMM tool"
+ }
+ ],
 "References": [
 "https://ylianst.github.io/MeshCentral/meshcentral/"
 ],
@@ -14941,7 +17095,12 @@
 "Registry": [],
 "Network": []
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cuteftp_processes_sigma.yml",
+ "Description": "Detects potential processes activity of CuteFTP RMM tool"
+ }
+ ],
 "References": [],
 "Acknowledgement": []
 },
@@ -14980,7 +17139,12 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dev_tunnels__aka_visual_studio_dev_tunnel__network_sigma.yml",
+ "Description": "Detects potential network activity of Dev Tunnels (aka Visual Studio Dev Tunnel) RMM tool"
+ }
+ ],
 "References": [],
 "Acknowledgement": []
 },
@@ -15015,7 +17179,12 @@
 "Registry": [],
 "Network": []
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/carotdav_processes_sigma.yml",
+ "Description": "Detects potential processes activity of CarotDAV RMM tool"
+ }
+ ],
 "References": [],
 "Acknowledgement": []
 },
@@ -15050,7 +17219,12 @@
 "Registry": [],
 "Network": []
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bitvise_ssh_server_processes_sigma.yml",
+ "Description": "Detects potential processes activity of Bitvise SSH Server RMM tool"
+ }
+ ],
 "References": [],
 "Acknowledgement": []
 },
@@ -15092,7 +17266,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pandora_rc__ehorus__network_sigma.yml",
+ "Description": "Detects potential network activity of Pandora RC (eHorus) RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pandora_rc__ehorus__processes_sigma.yml",
+ "Description": "Detects potential processes activity of Pandora RC (eHorus) RMM tool"
+ }
+ ],
 "References": [
 "https://pandorafms.com/manual/!current/en/documentation/09_pandora_rc/01_pandora_rc_introduction"
 ],
@@ -15137,7 +17320,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_network_sigma.yml",
+ "Description": "Detects potential network activity of DW Service RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_processes_sigma.yml",
+ "Description": "Detects potential processes activity of DW Service RMM tool"
+ }
+ ],
 "References": [
 "https://news.dwservice.net/dwservice-security-infrastructure/"
 ],
@@ -15184,7 +17376,16 @@
 }
 ]
 },
- "Detections": [],
+ "Detections": [
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/iperius_remote_network_sigma.yml",
+ "Description": "Detects potential network activity of Iperius Remote RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/iperius_remote_processes_sigma.yml",
+ "Description": "Detects potential processes activity of Iperius Remote RMM tool"
+ }
+ ],
 "References": [
 "https://www.iperiusremote.com/download-iperius-remote-desktop-windows.aspx"
 ],
diff --git a/lolrmm.com/content/rmm_tools/247ithelp.com__connectwise_.md b/lolrmm.com/content/rmm_tools/247ithelp.com__connectwise_.md
index 5a2ebeeb..3675b196 100644
--- a/lolrmm.com/content/rmm_tools/247ithelp.com__connectwise_.md
+++ b/lolrmm.com/content/rmm_tools/247ithelp.com__connectwise_.md
@@ -24,6 +24,9 @@ displayTitle = "247ithelp.com (ConnectWise)" #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No
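Review bot: The three bullets added under PE Metadata, `- **Filename**:`, `- **OriginalFileName**:` and `- **Description**:`, carry no value, so the rendered page now shows blank fields that the previous output omitted entirely; the same empty bullets appear in every other PE Metadata hunk on this page (Absolute, Access Remote PC, Acronic Cyber Protect, Addigy, Adobe Connect, AeroAdmin, Air Explorer, Air Live Drive, AliWangWang, Amazon Drive, Any Support). These pages look generated, so the fix belongs in the template loop that now walks every metadata key rather than in the markdown: skip empty values with an `if value` filter on the `{% for key, value in ... %}` loop, or keep per-key guards. A blank `Filename` reads to an analyst as "known but empty" rather than "not recorded", which is the wrong signal for a page meant to seed detections. A related effect of emitting raw keys is that labels such as `Original File Name` become `OriginalFileName` in the Action1, Alpemix and AnyDesk hunks; a small key-to-label map in the template would restore readable field names.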
@@ -42,15 +45,15 @@ displayTitle = "247ithelp.com (ConnectWise)" #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*.247ithelp.com` - - +### Detections +- Detects potential network activity of 247ithelp.com (ConnectWise) RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/247ithelp.com__connectwise__network_sigma.yml) +- Detects potential processes activity of 247ithelp.com (ConnectWise) RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/247ithelp.com__connectwise__processes_sigma.yml) ### References - [Similar / replaced by ScreenConnect](Similar / replaced by ScreenConnect) diff --git a/lolrmm.com/content/rmm_tools/absolute__computrace_.md b/lolrmm.com/content/rmm_tools/absolute__computrace_.md index e3f31a97..e4b8b414 100644 --- a/lolrmm.com/content/rmm_tools/absolute__computrace_.md +++ b/lolrmm.com/content/rmm_tools/absolute__computrace_.md @@ -24,6 +24,9 @@ Absolute (Computrace) is a remote monitoring and management (RMM) tool. More inf #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -46,16 +49,16 @@ Absolute (Computrace) is a remote monitoring and management (RMM) tool. More inf #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*search.namequery.com` - `*server.absolute.com` - - +### Detections +- Detects potential network activity of Absolute (Computrace) RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/absolute__computrace__network_sigma.yml) +- Detects potential processes activity of Absolute (Computrace) RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/absolute__computrace__processes_sigma.yml) ### References - [https://community.absolute.com/s/article/Understanding-Absolutes-Endpoint-Agents-Rpcnet-CTES-and-search-namequery-com](https://community.absolute.com/s/article/Understanding-Absolutes-Endpoint-Agents-Rpcnet-CTES-and-search-namequery-com) diff --git a/lolrmm.com/content/rmm_tools/access_remote_pc.md b/lolrmm.com/content/rmm_tools/access_remote_pc.md index 72870943..bdb81a73 100644 --- a/lolrmm.com/content/rmm_tools/access_remote_pc.md +++ b/lolrmm.com/content/rmm_tools/access_remote_pc.md @@ -24,6 +24,9 @@ Access Remote PC is a remote monitoring and management (RMM) tool. More informat #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -44,6 +47,9 @@ Access Remote PC is a remote monitoring and management (RMM) tool. More informat +### Detections +- Detects potential processes activity of Access Remote PC RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/access_remote_pc_processes_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/acronic_cyber_protect__remotix_.md b/lolrmm.com/content/rmm_tools/acronic_cyber_protect__remotix_.md index fd9acae1..15c02cd1 100644 --- a/lolrmm.com/content/rmm_tools/acronic_cyber_protect__remotix_.md 
+++ b/lolrmm.com/content/rmm_tools/acronic_cyber_protect__remotix_.md @@ -24,6 +24,9 @@ Acronic Cyber Protect (Remotix) is a remote monitoring and management (RMM) tool #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -43,18 +46,18 @@ Acronic Cyber Protect (Remotix) is a remote monitoring and management (RMM) tool #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `cloud.acronis.com` - `agents*-cloud.acronis.com` - `gw.remotix.com` - `connect.acronis.com` - - +### Detections +- Detects potential network activity of Acronic Cyber Protect (Remotix) RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/acronic_cyber_protect__remotix__network_sigma.yml) +- Detects potential processes activity of Acronic Cyber Protect (Remotix) RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/acronic_cyber_protect__remotix__processes_sigma.yml) ### References - [https://kb.acronis.com/content/47189](https://kb.acronis.com/content/47189) diff --git a/lolrmm.com/content/rmm_tools/action1.md b/lolrmm.com/content/rmm_tools/action1.md index b2040148..a4e24657 100644 --- a/lolrmm.com/content/rmm_tools/action1.md +++ b/lolrmm.com/content/rmm_tools/action1.md @@ -33,7 +33,7 @@ Through the web interface of action1, the administrator must create a new policy - **Filename**: action1_remote.exe - **Filename**: action1_update.exe - **Filename**: action1_agent.exe -- **Original File Name**: action1_agent.exe +- **OriginalFileName**: action1_agent.exe - **Description**: Endpoint Agent - **Privileges**: SYSTEM 
@@ -63,104 +63,73 @@ Through the web interface of action1, the administrator must create a new policy ### Forensic Artifacts #### Disk Artifacts - - **File**: `C:\Windows\Action1\action1_agent.exe` - **Description**: Action1 service binary - - **OS**: Windows - - **File**: `C:\Windows\Action1\*` - **Description**: Multiple files and binaries related to Action1 installation - - **OS**: Windows - - **File**: `C:\Windows\Action1\scripts\*` - **Description**: Multiple scripts related to Action1 installation - - **OS**: Windows - - **File**: `C:\Windows\Action1\rule_data\*` - **Description**: Files related to Action1 rules - - **OS**: Windows - - **File**: `C:\Windows\Action1\action1_log_*.log` - **Description**: Contains history, errors, system notifications. Incoming and outgoing connections. - - **OS**: Windows - #### Event Log Artifacts - Event Details: - - **Event ID**: 7045 - - **Provider Name**: Service Control Manager - - **Log File**: System.evtx - - **Service Name**: Action1 Agent - - **Image Path**: "C:\\Windows\\Action1\\action1_agent.exe" + - **EventID**: 7045 + - **ProviderName**: Service Control Manager + - **LogFile**: System.evtx + - **ServiceName**: Action1 Agent + - **ImagePath**: "C:\\Windows\\Action1\\action1_agent.exe" - **Description**: Service installation event as result of Action1 installation. - Event Details: - - **Event ID**: 4688 - - **Provider Name**: Microsoft-Security-Auditing - - **Log File**: Security.evtx + - **EventID**: 4688 + - **ProviderName**: Microsoft-Security-Auditing + - **LogFile**: Security.evtx + - **CommandLine**: C:\Windows\Action1\action1_agent.exe service - **Description**: Service installation event as result of Action1 installation. 
- - **Command Line**: C:\Windows\Action1\action1_agent.exe service - Event Details: - - **Event ID**: 4688 - - **Provider Name**: Microsoft-Security-Auditing - - **Log File**: Security.evtx + - **EventID**: 4688 + - **ProviderName**: Microsoft-Security-Auditing + - **LogFile**: Security.evtx + - **CommandLine**: C:\Windows\Action1\action1_agent.exe loggedonuser - **Description**: Executing command to get logged on user. - - **Command Line**: C:\Windows\Action1\action1_agent.exe loggedonuser #### Registry Artifacts - **Path**: `HKLM\System\CurrentControlSet\Services\A1Agent` **Description**: Service installation event as result of Action1 installation. - - **Path**: `HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\Windows Error Reporting\LocalDumps\action1_agent.exe` **Description**: Ensures that detailed crash information is available for analysis, which aids in maintaining the stability and reliability of the software. - - **Path**: `HKLM\SOFTWARE\WOW6432Node\Action1` **Description**: Storing its configuration settings and other relevant information - #### Network Artifacts - -- **Description**: N/A - - **Domains**: +- **Description**: N/A **Domains**: - `*.action1.com` - **Ports**: - `443` - -- **Description**: N/A - - **Domains**: +- **Description**: N/A **Domains**: - `a1-backend-packages.s3.amazonaws.com` - **Ports**: - `443` - ### Detections -- **Arbitrary code execution and remote sessions via Action1 RMM** - - Threat hunting rule for detecting the execution of arbitrary code and remote sessions via Action1 RMM - - (Author: @kostastsale) - - [Link](https://github.com/tsale/Sigma_rules/blob/ea87e4fc851207ca0f002ec043624f2b3bf1b2da/Threat%20Hunting%20Queries/Action1_RMM.yml) - +- Threat hunting rule for detecting the execution of arbitrary code and remote sessions via Action1 RMM + - **Arbitrary code execution and remote sessions via Action1 RMM** + - Author: @kostastsale + - [Additional 
Information](https://github.com/tsale/Sigma_rules/blob/ea87e4fc851207ca0f002ec043624f2b3bf1b2da/Threat%20Hunting%20Queries/Action1_RMM.yml) +- Detects potential registry activity of Action1 RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_registry_sigma.yml) +- Detects potential network activity of Action1 RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_network_sigma.yml) +- Detects potential files activity of Action1 RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_files_sigma.yml) ### References - [https://www.action1.com/documentation/firewall-configuration/](https://www.action1.com/documentation/firewall-configuration/) diff --git a/lolrmm.com/content/rmm_tools/addigy.md b/lolrmm.com/content/rmm_tools/addigy.md index ea0f58a5..186e8fdd 100644 --- a/lolrmm.com/content/rmm_tools/addigy.md +++ b/lolrmm.com/content/rmm_tools/addigy.md @@ -24,6 +24,9 @@ Addigy is a remote monitoring and management (RMM) tool. More information will b #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -42,17 +45,15 @@ Addigy is a remote monitoring and management (RMM) tool. More information will b #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `prod.addigy.com` - `grtmprod.addigy.com` - `agents.addigy.com` - - +### Detections +- Detects potential network activity of Addigy RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/addigy_network_sigma.yml) ### References - [https://addigy.com/](https://addigy.com/) diff --git a/lolrmm.com/content/rmm_tools/adobe_connect.md b/lolrmm.com/content/rmm_tools/adobe_connect.md index 97ccbc22..f269a6ce 100644 --- a/lolrmm.com/content/rmm_tools/adobe_connect.md +++ b/lolrmm.com/content/rmm_tools/adobe_connect.md 
@@ -24,6 +24,9 @@ Adobe Connect is a remote monitoring and management (RMM) tool. More information #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -45,15 +48,15 @@ Adobe Connect is a remote monitoring and management (RMM) tool. More information #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*.adobeconnect.com` - - +### Detections +- Detects potential network activity of Adobe Connect RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/adobe_connect_network_sigma.yml) +- Detects potential processes activity of Adobe Connect RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/adobe_connect_processes_sigma.yml) ### References - [https://helpx.adobe.com/adobe-connect/firewall-proxy-server-configuration-adobe-connect.html](https://helpx.adobe.com/adobe-connect/firewall-proxy-server-configuration-adobe-connect.html) diff --git a/lolrmm.com/content/rmm_tools/aeroadmin.md b/lolrmm.com/content/rmm_tools/aeroadmin.md index 481b6909..9524cdf1 100644 --- a/lolrmm.com/content/rmm_tools/aeroadmin.md +++ b/lolrmm.com/content/rmm_tools/aeroadmin.md @@ -24,6 +24,9 @@ AeroAdmin is a remote monitoring and management (RMM) tool. More information wil #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -43,16 +46,16 @@ AeroAdmin is a remote monitoring and management (RMM) tool. More information wil #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `auth*.aeroadmin.com` - `aeroadmin.com` - - +### Detections +- Detects potential network activity of AeroAdmin RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aeroadmin_network_sigma.yml) +- Detects potential processes activity of AeroAdmin RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aeroadmin_processes_sigma.yml) ### References - [https://support.aeroadmin.com/kb/faq.php?id=58](https://support.aeroadmin.com/kb/faq.php?id=58) diff --git a/lolrmm.com/content/rmm_tools/air_explorer.md b/lolrmm.com/content/rmm_tools/air_explorer.md index 8e543253..01d197ae 100644 --- a/lolrmm.com/content/rmm_tools/air_explorer.md +++ b/lolrmm.com/content/rmm_tools/air_explorer.md @@ -23,6 +23,9 @@ Air Explorer is a remote monitoring and management (RMM) tool. More information #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -44,6 +47,9 @@ Air Explorer is a remote monitoring and management (RMM) tool. More information +### Detections +- Detects potential processes activity of Air Explorer RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/air_explorer_processes_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/air_live_drive.md b/lolrmm.com/content/rmm_tools/air_live_drive.md index b40e8f6e..c87b7e1c 100644 --- a/lolrmm.com/content/rmm_tools/air_live_drive.md +++ b/lolrmm.com/content/rmm_tools/air_live_drive.md @@ -23,6 +23,9 @@ Air Live Drive is a remote monitoring and management (RMM) tool. More informatio #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -44,6 +47,9 @@ Air Live Drive is a remote monitoring and management (RMM) tool. More informatio +### Detections +- Detects potential processes activity of Air Live Drive RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/air_live_drive_processes_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/aliwangwang-remote-control.md b/lolrmm.com/content/rmm_tools/aliwangwang-remote-control.md index b5589d9f..5189cecb 100644 --- a/lolrmm.com/content/rmm_tools/aliwangwang-remote-control.md +++ b/lolrmm.com/content/rmm_tools/aliwangwang-remote-control.md @@ -24,6 +24,9 @@ AliWangWang-remote-control is a remote monitoring and management (RMM) tool. Mor #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -42,15 +45,15 @@ AliWangWang-remote-control is a remote monitoring and management (RMM) tool. Mor #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `wangwang.taobao.com` - - +### Detections +- Detects potential network activity of AliWangWang-remote-control RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aliwangwang-remote-control_network_sigma.yml) +- Detects potential processes activity of AliWangWang-remote-control RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aliwangwang-remote-control_processes_sigma.yml) ### References - [https://github.com/KKomarov/AliWangWangEng/blob/master/chs.locale](https://github.com/KKomarov/AliWangWangEng/blob/master/chs.locale) diff --git a/lolrmm.com/content/rmm_tools/alpemix.md b/lolrmm.com/content/rmm_tools/alpemix.md index 3aa26c7b..95c18c57 100644 --- a/lolrmm.com/content/rmm_tools/alpemix.md +++ b/lolrmm.com/content/rmm_tools/alpemix.md 
@@ -29,9 +29,10 @@ Alpemix is a remote monitoring and management (RMM) tool. More information will #### PE Metadata - **Filename**: Alpemix.exe -- **Original File Name**: Alpemix +- **OriginalFileName**: Alpemix - **Description**: Alpemix - **Product**: Alpemix +- **InternalName**: Alpemix - **Free**: No 
@@ -83,49 +84,43 @@ Alpemix is a remote monitoring and management (RMM) tool. More information will ### Forensic Artifacts #### Disk Artifacts - - **File**: `%localappdata%\Alpemix\Alpemix.ini` - **Description**: N/A - - **OS**: Windows - #### Event Log Artifacts - Event Details: - - **Event ID**: 7045 - - **Provider Name**: Service Control Manager - - **Log File**: System.evtx - - **Service Name**: AlpemixSrvc - - **Image Path**: *\Alpemix.exe servicestartxxx + - **EventID**: 7045 + - **ProviderName**: Service Control Manager + - **LogFile**: System.evtx + - **ServiceName**: AlpemixSrvc + - **ImagePath**: *\Alpemix.exe servicestartxxx - **Description**: Service installation event as result of Alpemix installation. #### Registry Artifacts - **Path**: `HKLM\SYSTEM\CurrentControlSet\Services\AlpemixSrvcx` **Description**: N/A - #### Network Artifacts - -- **Description**: N/A - - **Domains**: +- **Description**: N/A **Domains**: - `*.alpemix.com` - **Ports**: - `443` - -- **Description**: N/A - - **Domains**: +- **Description**: N/A **Domains**: - `*.teknopars.com` - **Ports**: - `80` - +### Detections +- Detects potential registry activity of Alpemix RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_registry_sigma.yml) +- Detects potential network activity of Alpemix RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_network_sigma.yml) +- Detects potential files activity of Alpemix RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_files_sigma.yml) +- Detects potential processes activity of Alpemix RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_processes_sigma.yml) ### References - [https://www.alpemix.com/en/remote-access](https://www.alpemix.com/en/remote-access) 
diff --git a/lolrmm.com/content/rmm_tools/amazon__cloud__drive.md b/lolrmm.com/content/rmm_tools/amazon__cloud__drive.md index f9731eb5..50a55074 100644 --- a/lolrmm.com/content/rmm_tools/amazon__cloud__drive.md +++ b/lolrmm.com/content/rmm_tools/amazon__cloud__drive.md @@ -23,6 +23,9 @@ Amazon (Cloud) Drive is a remote monitoring and management (RMM) tool. More info #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -44,6 +47,9 @@ Amazon (Cloud) Drive is a remote monitoring and management (RMM) tool. More info +### Detections +- Detects potential processes activity of Amazon (Cloud) Drive RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/amazon__cloud__drive_processes_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/any_support.md b/lolrmm.com/content/rmm_tools/any_support.md index c60729c2..e84f357d 100644 --- a/lolrmm.com/content/rmm_tools/any_support.md +++ b/lolrmm.com/content/rmm_tools/any_support.md @@ -24,6 +24,9 @@ Any Support is a remote monitoring and management (RMM) tool. More information w #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -42,15 +45,15 @@ Any Support is a remote monitoring and management (RMM) tool. More information w #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*.anysupport.net` - - +### Detections +- Detects potential network activity of Any Support RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/any_support_network_sigma.yml) +- Detects potential processes activity of Any Support RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/any_support_processes_sigma.yml) ### References - [https://www.anysupport.net/introduce_howto.php](https://www.anysupport.net/introduce_howto.php) 
diff --git a/lolrmm.com/content/rmm_tools/anydesk.md b/lolrmm.com/content/rmm_tools/anydesk.md index 89b320e1..8e605952 100644 --- a/lolrmm.com/content/rmm_tools/anydesk.md +++ b/lolrmm.com/content/rmm_tools/anydesk.md @@ -30,7 +30,7 @@ AnyDesk is a popular remote desktop software that enables users to access and co #### PE Metadata - **Filename**: anydesk.exe -- **Original File Name**: AnyDesk.exe +- **OriginalFileName**: AnyDesk.exe - **Description**: AnyDesk - **Product**: AnyDesk 
@@ -65,231 +65,131 @@ AnyDesk is a popular remote desktop software that enables users to access and co ### Forensic Artifacts #### Disk Artifacts - - **File**: `%programdata%\AnyDesk\ad_svc.trace` - **Description**: AnyDesk service log file. As well as ad.trace, we can determine the IP address of the other participant and its AnyDesk ID when a connection is established. - **Example**: ``` ['info 2022-08-23 10:20:11.969 gsvc 4628 3528 3 anynet.relay_conn - External address: 34.xx.xx.123:46798'] ``` - **OS**: Windows - - **File**: `%programdata%\AnyDesk\connection_trace.txt` - **Description**: Incoming connection logs, contains IP Address of the remote machine and file transfer activity. Only generated on target side. The content indicates how the connection was approved (e.g. the local user authorized it, or a password was used) - **Example**: ``` ['Incoming 2022-08-23, 10:23 Passwd 547911884 547911884', 'Incoming 2022-09-28, 12:39 User 442226597 442226597'] ``` - **OS**: Windows - - **File**: `%APPDATA%\AnyDesk\connection_trace.txt` - **Description**: Incoming connection logs, contains IP Address of the remote machine and file transfer activity. Only generated on target side. The content indicates how the connection was approved (e.g. the local user authorized it, or a password was used) - **Example**: ``` ['Incoming 2022-08-23, 10:23 Passwd 547911884 547911884', 'Incoming 2022-09-28, 12:39 User 442226597 442226597'] ``` - **OS**: Windows - - **File**: `%APPDATA%\AnyDesk\ad.trace` - **Description**: AnyDesk user interface log file. In this log file, we can determine the IP address of the other participant and its AnyDesk ID. It is also possible to track events of file transfer. Below is the Client ID and external IP address of the remote participant. 
- **Example**: ``` ['info 2022-09-28 12:39:26.845 lsvc 9952 9944 21 anynet.any_socket - Client-ID: 442226597 (FPR: 8e28a2a25b30).', 'info 2022-09-28 12:39:26.845 lsvc 9952 9944 21 anynet.any_socket - Logged in from 12.xx.xx.21:59562 on relay 80e496c0.'] ``` - **OS**: Windows - - **File**: `%APPDATA%\AnyDesk\chat\*.txt` - **Description**: If the chat functionality is used, its entries will be printed in a text file in this folder. - - **OS**: Windows - - **File**: `%APPDATA%\AnyDesk\user.conf` - **Description**: N/A - - **OS**: Windows - - **File**: `%PROGRAMDATA%\AnyDesk\service.conf` - **Description**: Password can be set to auto-validate the session. The password will be saved in a salted hash format. - - **OS**: Windows - - **File**: `%APPDATA%\AnyDesk\service.conf` - **Description**: N/A - - **OS**: Windows - - **File**: `%APPDATA%\AnyDesk\system.conf` - **Description**: N/A - - **OS**: Windows - - **File**: `%PROGRAMDATA%\AnyDesk\system.conf` - **Description**: N/A - - **OS**: Windows - - **File**: `%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\AnyDesk.lnk` - **Description**: N/A - - **OS**: Windows - - **File**: `%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\AnyDesk\Uninstall AnyDesk.lnk` - **Description**: N/A - - **OS**: Windows - - **File**: `C:\Users\*\Videos\AnyDesk\*.anydesk` - **Description**: N/A - - **OS**: Windows - - **File**: `C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\AnyDesk\*` - **Description**: N/A - - **OS**: Windows - - **File**: `~/Library/Application Support/AnyDesk/Logs/` - **Description**: N/A - - **OS**: Mac - - **File**: `~/.config/AnyDesk/Logs/` - **Description**: N/A - - **OS**: Linux - #### Event Log Artifacts - Event Details: - - **Event ID**: 7045 - - **Provider Name**: Service Control Manager - - **Log File**: System.evtx - - **Service Name**: AnyDesk Service - - **Image Path**: "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe" --service + - **EventID**: 7045 + - **ProviderName**: Service Control 
Manager + - **LogFile**: System.evtx + - **ServiceName**: AnyDesk Service + - **ImagePath**: "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe" --service - **Description**: Service installation event as result of AnyDesk installation. #### Registry Artifacts - **Path**: `HKLM\SOFTWARE\Clients\Media\AnyDesk` **Description**: N/A - - **Path**: `HKLM\SYSTEM\CurrentControlSet\Services\AnyDesk` **Description**: N/A - - **Path**: `HKLM\SOFTWARE\Classes\.anydesk\shell\open\command` **Description**: N/A - - **Path**: `HKLM\SOFTWARE\Classes\AnyDesk\shell\open\command` **Description**: N/A - - **Path**: `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\AnyDesk Printer\*` **Description**: N/A - - **Path**: `HKLM\DRIVERS\DriverDatabase\DeviceIds\USBPRINT\AnyDesk` **Description**: N/A - - **Path**: `HKLM\DRIVERS\DriverDatabase\DeviceIds\WSDPRINT\AnyDesk` **Description**: N/A - - **Path**: `HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AnyDesk` **Description**: N/A - #### Network Artifacts - -- **Description**: During setup the boot.net.anydesk.com domain is request over port 443 - - **Domains**: +- **Description**: During setup the boot.net.anydesk.com domain is request over port 443 **Domains**: - `boot.net.anydesk.com` - **Ports**: - `443` - -- **Description**: N/A - - **Domains**: +- **Description**: N/A **Domains**: - `relay-[a-f0-9]{8}.net.anydesk.com:443` - **Ports**: - `443` - -- **Description**: N/A - - **Domains**: +- **Description**: N/A **Domains**: - `*.anydesk.com` - **Ports**: - `443` - #### Other Artifacts -- **Type**: User-Agent - - **Value**: AnyDesk/* -- **Type**: NamedPipe - - **Value**: adprinterpipe +- **Type**: User-Agent **Value**: AnyDesk/* +- **Type**: NamedPipe **Value**: adprinterpipe ### Detections -- [Sigma rule](https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/builtin/system/service_control_manager/win_system_service_install_anydesk.yml) - - Anydesk Remote Access 
Software Service Installation - - - -- [Sigma rule](https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml) - - N/A - - - -- [Sigma rule](https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk.yml) - - N/A - - - -- [Sigma rule](https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml) - - Remote Access Tool - AnyDesk Silent Installation - - - +- Anydesk Remote Access Software Service Installation + - [Sigma Rule](https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/builtin/system/service_control_manager/win_system_service_install_anydesk.yml) +- N/A + - [Sigma Rule](https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml) +- N/A + - [Sigma Rule](https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk.yml) +- Remote Access Tool - AnyDesk Silent Installation + - [Sigma Rule](https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml) +- Detects potential registry activity of AnyDesk RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_registry_sigma.yml) +- Detects potential network activity of AnyDesk RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_network_sigma.yml) +- Detects potential files activity of AnyDesk RMM tool + - [Sigma 
Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_files_sigma.yml) ### References - [https://support.anydesk.com/knowledge/firewall](https://support.anydesk.com/knowledge/firewall) diff --git a/lolrmm.com/content/rmm_tools/anyplace_control.md b/lolrmm.com/content/rmm_tools/anyplace_control.md index 39aa383e..aa835d9b 100644 --- a/lolrmm.com/content/rmm_tools/anyplace_control.md +++ b/lolrmm.com/content/rmm_tools/anyplace_control.md @@ -24,6 +24,9 @@ Anyplace Control is a remote monitoring and management (RMM) tool. More informat #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -42,15 +45,15 @@ Anyplace Control is a remote monitoring and management (RMM) tool. More informat #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `anyplace-control.com` - - +### Detections +- Detects potential network activity of Anyplace Control RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyplace_control_network_sigma.yml) +- Detects potential processes activity of Anyplace Control RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyplace_control_processes_sigma.yml) ### References - [http://www.anyplace-control.com/anyplace-control/help/faq.htm](http://www.anyplace-control.com/anyplace-control/help/faq.htm) diff --git a/lolrmm.com/content/rmm_tools/anyviewer.md b/lolrmm.com/content/rmm_tools/anyviewer.md index 856cbdbb..535ad80e 100644 --- a/lolrmm.com/content/rmm_tools/anyviewer.md +++ b/lolrmm.com/content/rmm_tools/anyviewer.md 
@@ -29,10 +29,10 @@ AnyViewer is a remote monitoring and management (RMM) tool. More information wil #### PE Metadata - **Filename**: AnyViewer.exe -- **Original File Name**: AnyViewer +- **OriginalFileName**: AnyViewer - **Description**: Splash Window - **Filename**: RCClient.exe -- **Original File Name**: RCClient.exe +- **OriginalFileName**: RCClient.exe - **Description**: AnyViewer Core - **Filename**: ScreanCap.exe - **Description**: Screan capture 
@@ -63,49 +63,38 @@ AnyViewer is a remote monitoring and management (RMM) tool. More information wil #### Event Log Artifacts - Event Details: - - **Event ID**: 4688 - - **Provider Name**: Microsoft-Security-Auditing - - **Log File**: Security.evtx + - **EventID**: 4688 + - **ProviderName**: Microsoft-Security-Auditing + - **LogFile**: Security.evtx + - **CommandLine**: "C:\\Program Files (x86)\\AnyViewer\\AVCore.exe" -d - **Description**: Taking actions on the remote machine such as opening a command prompt. - - **Command Line**: "C:\\Program Files (x86)\\AnyViewer\\AVCore.exe" -d - Event Details: - - **Event ID**: 7045 - - **Provider Name**: Service Control Manager - - **Log File**: System.evtx - - **Service Name**: RCService - - **Image Path**: C:\\Program Files (x86)\\AnyViewer\\RCService.exe + - **EventID**: 7045 + - **ProviderName**: Service Control Manager + - **LogFile**: System.evtx + - **ServiceName**: RCService + - **ImagePath**: C:\\Program Files (x86)\\AnyViewer\\RCService.exe - **Description**: AnyViewer service installation service. 
#### Network Artifacts - -- **Description**: N/A - - **Domains**: +- **Description**: N/A **Domains**: - `*.anyviewer.com` - **Ports**: - `443` - -- **Description**: N/A - - **Domains**: +- **Description**: N/A **Domains**: - `*.aomeisoftware.com` - **Ports**: - `443` - ### Detections -- **Arbitrary code execution and remote sessions via Action1 RMM** - - Threat hunting rule for detecting the execution of arbitrary code and remote sessions via Action1 RMM - - (Author: @kostastsale) - - [Link](https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/Anyviewer.yml) - +- Threat hunting rule for detecting the execution of arbitrary code and remote sessions via Action1 RMM + - **Arbitrary code execution and remote sessions via Action1 RMM** + - Author: @kostastsale + - [Additional Information](https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/Anyviewer.yml) +- Detects potential network activity of AnyViewer RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyviewer_network_sigma.yml) ### References - [https://www.anyviewer.com/how-to/how-to-open-firewall-ports-for-remote-desktop-0427-gc.html](https://www.anyviewer.com/how-to/how-to-open-firewall-ports-for-remote-desktop-0427-gc.html) diff --git a/lolrmm.com/content/rmm_tools/apple_remote_desktop.md b/lolrmm.com/content/rmm_tools/apple_remote_desktop.md index 0ecedfd8..c36a1f30 100644 --- a/lolrmm.com/content/rmm_tools/apple_remote_desktop.md +++ b/lolrmm.com/content/rmm_tools/apple_remote_desktop.md @@ -24,6 +24,9 @@ Apple Remote Desktop is a remote monitoring and management (RMM) tool. More info #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -42,15 +45,13 @@ Apple Remote Desktop is a remote monitoring and management (RMM) tool. More info #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `user_managed` - - +### Detections +- Detects potential network activity of Apple Remote Desktop RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/apple_remote_desktop_network_sigma.yml) ### References - [https://support.apple.com/guide/remote-desktop/install-and-set-up-remote-desktop-apdf49e03a4/mac](https://support.apple.com/guide/remote-desktop/install-and-set-up-remote-desktop-apdf49e03a4/mac) diff --git a/lolrmm.com/content/rmm_tools/aria2.md b/lolrmm.com/content/rmm_tools/aria2.md index 591d2311..e92c8a8a 100644 --- a/lolrmm.com/content/rmm_tools/aria2.md +++ b/lolrmm.com/content/rmm_tools/aria2.md @@ -23,6 +23,9 @@ aria2 is a remote monitoring and management (RMM) tool. More information will be #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -45,6 +48,9 @@ aria2 is a remote monitoring and management (RMM) tool. More information will be +### Detections +- Detects potential processes activity of aria2 RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aria2_processes_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/atera.md b/lolrmm.com/content/rmm_tools/atera.md index e8790fda..158d13b3 100644 --- a/lolrmm.com/content/rmm_tools/atera.md +++ b/lolrmm.com/content/rmm_tools/atera.md @@ -27,7 +27,7 @@ Atera is a remote monitoring and management (RMM) tool. It is used by threat act #### PE Metadata - **Filename**: AteraAgent.exe -- **Original File Name**: AteraAgent.exe +- **OriginalFileName**: AteraAgent.exe - **Description**: AteraAgent - **Privileges**: SYSTEM 
@@ -73,255 +73,151 @@ Atera is a remote monitoring and management (RMM) tool. It is used by threat act ### Forensic Artifacts #### Disk Artifacts - - **File**: `C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageRunCommandInteractive\log.txt` - **Description**: N/A - - **OS**: Windows - - **File**: `C:\Program Files\ATERA Networks\AteraAgent\Packages\*` - **Description**: N/A - - **OS**: Windows - - **File**: `C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe` - **Description**: Atera service binary - - **OS**: Windows - - **File**: `C:\Program Files\Atera Networks\AlphaAgent.exe` - **Description**: Atera service binary - - **OS**: Windows - - **File**: `C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe` - **Description**: N/A - - **OS**: Windows - - **File**: `C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe` - **Description**: N/A - - **OS**: Windows - - **File**: `C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe` - **Description**: N/A - - **OS**: Windows - - **File**: `C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageFileExplorer\AgentPackageFileExplorer.exe` - **Description**: N/A - - **OS**: Windows - - **File**: `C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageRunCommandInteractive\AgentPackageRunCommandInteractive.exe` - **Description**: N/A - - **OS**: Windows - #### Event Log Artifacts - Event Details: - - **Event ID**: 7045 - - **Provider Name**: Service Control Manager - - **Log File**: System.evtx - - **Service Name**: AteraAgent - - **Image Path**: "C:\\Program Files (x86)\\ATERA Networks\\AteraAgent\\AteraAgent.exe" + - **EventID**: 7045 + - **ProviderName**: Service Control Manager + - **LogFile**: System.evtx + - **ServiceName**: AteraAgent + - **ImagePath**: "C:\\Program Files (x86)\\ATERA Networks\\AteraAgent\\AteraAgent.exe" - **Description**: 
Service installation event as result of AteraAgent installation. - Event Details: - - **Event ID**: 7045 - - **Provider Name**: Service Control Manager - - **Log File**: System.evtx - - **Service Name**: WinRing0_1_2_0 - - **Image Path**: "C:\\Program Files (x86)\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageMonitoring\\OpenHardwareMonitorLib.sys" + - **EventID**: 7045 + - **ProviderName**: Service Control Manager + - **LogFile**: System.evtx + - **ServiceName**: WinRing0_1_2_0 + - **ImagePath**: "C:\\Program Files (x86)\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageMonitoring\\OpenHardwareMonitorLib.sys" - **Description**: Service installation event as result of Atera pakcage manager installation. - Event Details: - - **Event ID**: 11707 - - **Provider Name**: MsiInstaller - - **Log File**: Application.evtx + - **EventID**: 11707 + - **ProviderName**: MsiInstaller + - **LogFile**: Application.evtx + - **Data**: Product: AteraAgent -- Installation completed successfully. - **Description**: Service installation event as result of AteraAgent installation. - Event Details: - - **Event ID**: 4688 - - **Provider Name**: Microsoft-Security-Auditing - - **Log File**: Security.evtx + - **EventID**: 4688 + - **ProviderName**: Microsoft-Security-Auditing + - **LogFile**: Security.evtx + - **CommandLine**: C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageFileExplorer\\AgentPackageFileExplorer.exe XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX agent-api.atera.com/Production 443 [BASE64BLOB] - **Description**: Service installation event as result of AteraAgent installation. 
- - **Command Line**: C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageFileExplorer\\AgentPackageFileExplorer.exe XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX agent-api.atera.com/Production 443 [BASE64BLOB] #### Registry Artifacts - **Path**: `HKLM\SOFTWARE\ATERA Networks\AlphaAgent` - - **Path**: `HKLM\SYSTEM\CurrentControlSet\Services\AteraAgent` - - **Path**: `KLM\SOFTWARE\WOW6432Node\Splashtop Inc.` - - **Path**: `HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Splashtop Software Updater` - - **Path**: `HKLM\SYSTEM\ControlSet\Services\EventLog\Application\AlphaAgent` - - **Path**: `HKLM\SYSTEM\ControlSet\Services\EventLog\Application\AteraAgent` - - **Path**: `HKLM\SOFTWARE\Microsoft\Tracing\AteraAgent_RASAPI32` - - **Path**: `HKLM\SOFTWARE\Microsoft\Tracing\AteraAgent_RASMANCS` - - **Path**: `HKLM\SOFTWARE\ATERA Networks\*` - #### Network Artifacts - -- **Description**: N/A - - **Domains**: +- **Description**: N/A **Domains**: - `pubsub.atera.com` - **Ports**: - `N/A` - -- **Description**: N/A - - **Domains**: +- **Description**: N/A **Domains**: - `pubsub.pubnub.com` - **Ports**: - `N/A` - -- **Description**: N/A - - **Domains**: +- **Description**: N/A **Domains**: - `agentreporting.atera.com` - **Ports**: - `N/A` - -- **Description**: N/A - - **Domains**: +- **Description**: N/A **Domains**: - `getalphacontrol.com` - **Ports**: - `N/A` - -- **Description**: N/A - - **Domains**: +- **Description**: N/A **Domains**: - `app.atera.com` - **Ports**: - `N/A` - -- **Description**: N/A - - **Domains**: +- **Description**: N/A **Domains**: - `agenthb.atera.com` - **Ports**: - `N/A` - -- **Description**: N/A - - **Domains**: +- **Description**: N/A **Domains**: - `packagesstore.blob.core.windows.net` - **Ports**: - `N/A` - -- **Description**: N/A - - **Domains**: +- **Description**: N/A **Domains**: - `ps.pndsn.com` - **Ports**: - `N/A` - -- **Description**: N/A - - **Domains**: +- **Description**: 
N/A **Domains**: - `agent-api.atera.com` - **Ports**: - `N/A` - -- **Description**: N/A - - **Domains**: +- **Description**: N/A **Domains**: - `cacerts.thawte.com` - **Ports**: - `N/A` - -- **Description**: N/A - - **Domains**: +- **Description**: N/A **Domains**: - `agentreportingstore.blob.core.windows.net` - **Ports**: - `N/A` - -- **Description**: N/A - - **Domains**: +- **Description**: N/A **Domains**: - `atera-agent-heartbeat.servicebus.windows.net` - **Ports**: - `N/A` - -- **Description**: N/A - - **Domains**: +- **Description**: N/A **Domains**: - `ps.atera.com` - **Ports**: - `N/A` - -- **Description**: N/A - - **Domains**: +- **Description**: N/A **Domains**: - `atera.pubnubapi.com` - **Ports**: - `N/A` - -- **Description**: N/A - - **Domains**: +- **Description**: N/A **Domains**: - `appcdn.atera.com` - **Ports**: - `N/A` - ### Detections -- [Sigma rule](https://github.com/The-DFIR-Report/Sigma-Rules/blob/d67407d357ad32b247e2a303abc5a38bb30fd576/rules/windows/process_creation/proc_creation_win_ateraagent_malicious_installations.yml) - - Detects AteraAgent installations with suspicious command line arguments. - - - -- [Sigma rule](https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yml) - - Detects Atera Agent installation. - - - +- Detects AteraAgent installations with suspicious command line arguments. + - [Sigma Rule](https://github.com/The-DFIR-Report/Sigma-Rules/blob/d67407d357ad32b247e2a303abc5a38bb30fd576/rules/windows/process_creation/proc_creation_win_ateraagent_malicious_installations.yml) + - **AteraAgent malicious installations** +- Detects Atera Agent installation. 
+ - [Sigma Rule](https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yml) + - **Atera Agent Installation** +- Detects potential registry activity of Atera RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_registry_sigma.yml) +- Detects potential network activity of Atera RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_network_sigma.yml) +- Detects potential files activity of Atera RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_files_sigma.yml) +- Detects potential processes activity of Atera RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_processes_sigma.yml) ### References - [https://support.atera.com/hc/en-us/articles/360015461139-Firewall-Settings-for-Atera-s-Integrations](https://support.atera.com/hc/en-us/articles/360015461139-Firewall-Settings-for-Atera-s-Integrations) diff --git a/lolrmm.com/content/rmm_tools/auvik.md b/lolrmm.com/content/rmm_tools/auvik.md index fc70ebcb..d291d7f7 100644 --- a/lolrmm.com/content/rmm_tools/auvik.md +++ b/lolrmm.com/content/rmm_tools/auvik.md @@ -24,6 +24,9 @@ Auvik is a remote monitoring and management (RMM) tool. More information will be #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -43,17 +46,17 @@ Auvik is a remote monitoring and management (RMM) tool. More information will be #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*.my.auvik.com` - `*.auvik.com` - `auvik.com` - - +### Detections +- Detects potential network activity of Auvik RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/auvik_network_sigma.yml) +- Detects potential processes activity of Auvik RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/auvik_processes_sigma.yml) ### References - [https://support.auvik.com/hc/en-us/articles/204315700-What-protocols-and-ports-does-the-Auvik-collector-use](https://support.auvik.com/hc/en-us/articles/204315700-What-protocols-and-ports-does-the-Auvik-collector-use) diff --git a/lolrmm.com/content/rmm_tools/aweray.md b/lolrmm.com/content/rmm_tools/aweray.md index 69dfb441..7761555c 100644 --- a/lolrmm.com/content/rmm_tools/aweray.md +++ b/lolrmm.com/content/rmm_tools/aweray.md @@ -24,6 +24,9 @@ AweRay is a remote monitoring and management (RMM) tool. More information will b #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -43,16 +46,16 @@ AweRay is a remote monitoring and management (RMM) tool. More information will b #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `asapi*.aweray.net` - `client-api.aweray.com` - - +### Detections +- Detects potential network activity of AweRay RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray_network_sigma.yml) +- Detects potential processes activity of AweRay RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray_processes_sigma.yml) ### References - [https://sun.aweray.com/help](https://sun.aweray.com/help) diff --git a/lolrmm.com/content/rmm_tools/aweray__awesun_.md b/lolrmm.com/content/rmm_tools/aweray__awesun_.md index 9c1f8f3f..d4644966 100644 --- a/lolrmm.com/content/rmm_tools/aweray__awesun_.md +++ b/lolrmm.com/content/rmm_tools/aweray__awesun_.md @@ -23,6 +23,9 @@ AweRay (AweSun) is a remote monitoring and management (RMM) tool. More informati #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -42,16 +45,16 @@ AweRay (AweSun) is a remote monitoring and management (RMM) tool. More informati #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `asapi-us.aweray.net` - `asapi.aweray.net` - - +### Detections +- Detects potential network activity of AweRay (AweSun) RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray__awesun__network_sigma.yml) +- Detects potential processes activity of AweRay (AweSun) RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray__awesun__processes_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/aws-cli.md b/lolrmm.com/content/rmm_tools/aws-cli.md index a237c640..b6cd5e32 100644 
--- a/lolrmm.com/content/rmm_tools/aws-cli.md +++ b/lolrmm.com/content/rmm_tools/aws-cli.md @@ -23,6 +23,9 @@ aws-cli is a remote monitoring and management (RMM) tool. More information will #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -45,6 +48,9 @@ aws-cli is a remote monitoring and management (RMM) tool. More information will +### Detections +- Detects potential processes activity of aws-cli RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aws-cli_processes_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/azure_storage_explorer.md b/lolrmm.com/content/rmm_tools/azure_storage_explorer.md index 02c939df..0f129b42 100644 --- a/lolrmm.com/content/rmm_tools/azure_storage_explorer.md +++ b/lolrmm.com/content/rmm_tools/azure_storage_explorer.md @@ -23,6 +23,9 @@ Azure Storage Explorer is a remote monitoring and management (RMM) tool. More in #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -44,6 +47,9 @@ Azure Storage Explorer is a remote monitoring and management (RMM) tool. More in +### Detections +- Detects potential processes activity of Azure Storage Explorer RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/azure_storage_explorer_processes_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/barracuda.md b/lolrmm.com/content/rmm_tools/barracuda.md index b9a1252e..80f076a0 100644 --- a/lolrmm.com/content/rmm_tools/barracuda.md +++ b/lolrmm.com/content/rmm_tools/barracuda.md @@ -24,6 +24,9 @@ Barracuda is a remote monitoring and management (RMM) tool. More information wil #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -40,17 +43,15 @@ Barracuda is a remote monitoring and management (RMM) tool. More information wil #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*.islonline.net` - `rmm.barracudamsp.com` - `barracudamsp.com` - - +### Detections +- Detects potential network activity of Barracuda RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/barracuda_network_sigma.yml) ### References - [https://help.islonline.com/19799/166125](https://help.islonline.com/19799/166125) diff --git a/lolrmm.com/content/rmm_tools/basecamp.md b/lolrmm.com/content/rmm_tools/basecamp.md index 8028f159..e85c74d5 100644 --- a/lolrmm.com/content/rmm_tools/basecamp.md +++ b/lolrmm.com/content/rmm_tools/basecamp.md @@ -24,6 +24,9 @@ Basecamp is a remote monitoring and management (RMM) tool. More information will #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -40,15 +43,13 @@ Basecamp is a remote monitoring and management (RMM) tool. More information will #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `basecamp.com` - - +### Detections +- Detects potential network activity of Basecamp RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/basecamp_network_sigma.yml) ### References - [basecamp.com - No specific RMM tool listed](basecamp.com - No specific RMM tool listed) diff --git a/lolrmm.com/content/rmm_tools/beamyourscreen.md b/lolrmm.com/content/rmm_tools/beamyourscreen.md index cf8d005c..fb9e537d 100644 --- a/lolrmm.com/content/rmm_tools/beamyourscreen.md +++ b/lolrmm.com/content/rmm_tools/beamyourscreen.md 
@@ -24,6 +24,9 @@ BeamYourScreen is a remote monitoring and management (RMM) tool. More informatio #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -43,16 +46,16 @@ BeamYourScreen is a remote monitoring and management (RMM) tool. More informatio #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `beamyourscreen.com` - `*.beamyourscreen.com` - - +### Detections +- Detects potential network activity of BeamYourScreen RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beamyourscreen_network_sigma.yml) +- Detects potential processes activity of BeamYourScreen RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beamyourscreen_processes_sigma.yml) ### References - [beamyourscreen redirects to https://www.mikogo.com/](beamyourscreen redirects to https://www.mikogo.com/) diff --git a/lolrmm.com/content/rmm_tools/beanywhere.md b/lolrmm.com/content/rmm_tools/beanywhere.md index 04db5393..8816da25 100644 --- a/lolrmm.com/content/rmm_tools/beanywhere.md +++ b/lolrmm.com/content/rmm_tools/beanywhere.md @@ -24,6 +24,9 @@ BeAnyWhere is a remote monitoring and management (RMM) tool. More information wi #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -49,16 +52,16 @@ BeAnyWhere is a remote monitoring and management (RMM) tool. More information wi #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `beanywhere.en.uptodown.com/windows` - `beanywhere.com` - - +### Detections +- Detects potential network activity of BeAnyWhere RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beanywhere_network_sigma.yml) +- Detects potential processes activity of BeAnyWhere RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beanywhere_processes_sigma.yml) ### References - [https://www.shouldiremoveit.com/beanywhere-support-service-40908-program.aspx](https://www.shouldiremoveit.com/beanywhere-support-service-40908-program.aspx) diff --git a/lolrmm.com/content/rmm_tools/beinsync.md b/lolrmm.com/content/rmm_tools/beinsync.md index 09ad700e..6ecfa0f7 100644 --- a/lolrmm.com/content/rmm_tools/beinsync.md +++ b/lolrmm.com/content/rmm_tools/beinsync.md @@ -24,6 +24,9 @@ BeInSync is a remote monitoring and management (RMM) tool. More information will #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -42,16 +45,16 @@ BeInSync is a remote monitoring and management (RMM) tool. More information will
#### Network Artifacts
- -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*.beinsync.net` - `*.beinsync.com` - -
+### Detections
+- Detects potential network activity of BeInSync RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beinsync_network_sigma.yml)
+- Detects potential processes activity of BeInSync RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beinsync_processes_sigma.yml)
### References
- [https://en.wikipedia.org/wiki/Phoenix_Technologies](https://en.wikipedia.org/wiki/Phoenix_Technologies)
diff --git a/lolrmm.com/content/rmm_tools/beyondtrust.md b/lolrmm.com/content/rmm_tools/beyondtrust.md
index 5e33c18c..49bd8e0d 100644
--- a/lolrmm.com/content/rmm_tools/beyondtrust.md
+++ b/lolrmm.com/content/rmm_tools/beyondtrust.md
@@ -23,6 +23,9 @@ BeyondTrust is a remote monitoring and management (RMM) tool. More information w
#### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
- **Free**: No
diff --git a/lolrmm.com/content/rmm_tools/beyondtrust__bomgar_.md b/lolrmm.com/content/rmm_tools/beyondtrust__bomgar_.md
index a4403154..54c36839 100644
--- a/lolrmm.com/content/rmm_tools/beyondtrust__bomgar_.md
+++ b/lolrmm.com/content/rmm_tools/beyondtrust__bomgar_.md
@@ -24,6 +24,9 @@ BeyondTrust (Bomgar) is a remote monitoring and management (RMM) tool. More info
#### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
- **Free**: No
@@ -46,17 +49,17 @@ BeyondTrust (Bomgar) is a remote monitoring and management (RMM) tool. More info
#### Network Artifacts
- -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*.beyondtrustcloud.com` - `*.bomgarcloud.com` - `bomgarcloud.com` - -
+### Detections
+- Detects potential network activity of BeyondTrust (Bomgar) RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__network_sigma.yml)
+- Detects potential processes activity of BeyondTrust (Bomgar) RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__processes_sigma.yml)
### References
- [https://www.beyondtrust.com/docs/remote-support/getting-started/deployment/cloud/network.htm](https://www.beyondtrust.com/docs/remote-support/getting-started/deployment/cloud/network.htm)
diff --git a/lolrmm.com/content/rmm_tools/bitvise_ssh_client.md b/lolrmm.com/content/rmm_tools/bitvise_ssh_client.md
index 10a722bc..c46a5402 100644
--- a/lolrmm.com/content/rmm_tools/bitvise_ssh_client.md
+++ b/lolrmm.com/content/rmm_tools/bitvise_ssh_client.md
@@ -23,6 +23,9 @@ Bitvise SSH Client is a remote monitoring and management (RMM) tool. More inform
#### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
- **Free**: No
@@ -44,6 +47,9 @@ Bitvise SSH Client is a remote monitoring and management (RMM) tool. More inform
+### Detections
+- Detects potential processes activity of Bitvise SSH Client RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bitvise_ssh_client_processes_sigma.yml)
diff --git a/lolrmm.com/content/rmm_tools/bitvise_ssh_server.md b/lolrmm.com/content/rmm_tools/bitvise_ssh_server.md
index 8daedd82..9941d351 100644
--- a/lolrmm.com/content/rmm_tools/bitvise_ssh_server.md
+++ b/lolrmm.com/content/rmm_tools/bitvise_ssh_server.md
@@ -23,6 +23,9 @@ Bitvise SSH Server is a remote monitoring and management (RMM) tool. More inform
#### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
- **Free**: No
@@ -44,6 +47,9 @@ Bitvise SSH Server is a remote monitoring and management (RMM) tool. More inform
+### Detections
+- Detects potential processes activity of Bitvise SSH Server RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bitvise_ssh_server_processes_sigma.yml)
diff --git a/lolrmm.com/content/rmm_tools/bomgar.md b/lolrmm.com/content/rmm_tools/bomgar.md
index 124a9bc9..3ed3fd22 100644
--- a/lolrmm.com/content/rmm_tools/bomgar.md
+++ b/lolrmm.com/content/rmm_tools/bomgar.md
@@ -23,6 +23,9 @@ Bomgar is a remote monitoring and management (RMM) tool. More information will b
#### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
- **Free**: No
@@ -41,15 +44,15 @@ Bomgar is a remote monitoring and management (RMM) tool. More information will b
#### Network Artifacts
- -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `beyondtrust.com/brand/bomgar` - -
+### Detections
+- Detects potential network activity of Bomgar RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bomgar_network_sigma.yml)
+- Detects potential processes activity of Bomgar RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bomgar_processes_sigma.yml)
diff --git a/lolrmm.com/content/rmm_tools/bomgar_-_now_beyondtrust.md b/lolrmm.com/content/rmm_tools/bomgar_-_now_beyondtrust.md
index 1aa08c87..b1ab164c 100644
--- a/lolrmm.com/content/rmm_tools/bomgar_-_now_beyondtrust.md
+++ b/lolrmm.com/content/rmm_tools/bomgar_-_now_beyondtrust.md
@@ -23,6 +23,9 @@ Bomgar - Now BeyondTrust is a remote monitoring and management (RMM) tool. More
#### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
- **Free**: No
diff --git a/lolrmm.com/content/rmm_tools/box.md b/lolrmm.com/content/rmm_tools/box.md
index 9d6ec8d9..b32b6963 100644
--- a/lolrmm.com/content/rmm_tools/box.md
+++ b/lolrmm.com/content/rmm_tools/box.md
@@ -23,6 +23,9 @@ Box is a remote monitoring and management (RMM) tool. More information will be a
#### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
- **Free**: No
@@ -44,6 +47,9 @@ Box is a remote monitoring and management (RMM) tool. More information will be a
+### Detections
+- Detects potential processes activity of Box RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/box_processes_sigma.yml)
diff --git a/lolrmm.com/content/rmm_tools/carotdav.md b/lolrmm.com/content/rmm_tools/carotdav.md
index 9d530a3d..5ac659eb 100644
--- a/lolrmm.com/content/rmm_tools/carotdav.md
+++ b/lolrmm.com/content/rmm_tools/carotdav.md
@@ -23,6 +23,9 @@ CarotDAV is a remote monitoring and management (RMM) tool. More information will
#### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
- **Free**: No
@@ -44,6 +47,9 @@ CarotDAV is a remote monitoring and management (RMM) tool. More information will
+### Detections
+- Detects potential processes activity of CarotDAV RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/carotdav_processes_sigma.yml)
diff --git a/lolrmm.com/content/rmm_tools/centrastage__now_datto_.md b/lolrmm.com/content/rmm_tools/centrastage__now_datto_.md
index 798c29a4..45a0886c 100644
--- a/lolrmm.com/content/rmm_tools/centrastage__now_datto_.md
+++ b/lolrmm.com/content/rmm_tools/centrastage__now_datto_.md
@@ -24,6 +24,9 @@ CentraStage (Now Datto) is a remote monitoring and management (RMM) tool. More i
#### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
- **Free**: No
@@ -43,17 +46,17 @@ CentraStage (Now Datto) is a remote monitoring and management (RMM) tool. More i
#### Network Artifacts
- -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*.rmm.datto.com` - `*cc.centrastage.net` - `datto.com/au/products/rmm/` - -
+### Detections
+- Detects potential network activity of CentraStage (Now Datto) RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centrastage__now_datto__network_sigma.yml)
+- Detects potential processes activity of CentraStage (Now Datto) RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centrastage__now_datto__processes_sigma.yml)
### References
- [https://rmm.datto.com/help/de/Content/1INTRODUCTION/Requirements/AllowListRequirements.htm](https://rmm.datto.com/help/de/Content/1INTRODUCTION/Requirements/AllowListRequirements.htm)
diff --git a/lolrmm.com/content/rmm_tools/centurion.md b/lolrmm.com/content/rmm_tools/centurion.md
index 87da7eca..99137a3d 100644
--- a/lolrmm.com/content/rmm_tools/centurion.md
+++ b/lolrmm.com/content/rmm_tools/centurion.md
@@ -24,6 +24,9 @@ Centurion is a remote monitoring and management (RMM) tool. More information wil
#### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
- **Free**: No
@@ -42,15 +45,15 @@ Centurion is a remote monitoring and management (RMM) tool. More information wil
#### Network Artifacts
- -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `centuriontech.com` - -
+### Detections
+- Detects potential network activity of Centurion RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centurion_network_sigma.yml)
+- Detects potential processes activity of Centurion RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centurion_processes_sigma.yml)
### References
- [https://data443.atlassian.net/servicedesk/customer/portal/20](https://data443.atlassian.net/servicedesk/customer/portal/20)
diff --git a/lolrmm.com/content/rmm_tools/chicken__of_the_vnc_.md b/lolrmm.com/content/rmm_tools/chicken__of_the_vnc_.md
index 326cd08d..05c98203 100644
--- a/lolrmm.com/content/rmm_tools/chicken__of_the_vnc_.md
+++ b/lolrmm.com/content/rmm_tools/chicken__of_the_vnc_.md
@@ -23,6 +23,9 @@ Chicken (of the VNC) is a remote monitoring and management (RMM) tool. More info
#### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
- **Free**: No
diff --git a/lolrmm.com/content/rmm_tools/chrome_remote_desktop.md b/lolrmm.com/content/rmm_tools/chrome_remote_desktop.md
index 3ad1ab16..e80e8ea7 100644
--- a/lolrmm.com/content/rmm_tools/chrome_remote_desktop.md
+++ b/lolrmm.com/content/rmm_tools/chrome_remote_desktop.md
@@ -24,6 +24,9 @@ Chrome Remote Desktop is a remote monitoring and management (RMM) tool. More inf
#### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
- **Free**: No
@@ -46,17 +49,17 @@ Chrome Remote Desktop is a remote monitoring and management (RMM) tool. More inf
#### Network Artifacts
- -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*remotedesktop-pa.googleapis.com` - `*remotedesktop.google.com` - `remotedesktop.google.com` - -
+### Detections
+- Detects potential network activity of Chrome Remote Desktop RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_network_sigma.yml)
+- Detects potential processes activity of Chrome Remote Desktop RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_processes_sigma.yml)
### References
- [https://support.google.com/chrome/a/answer/2799701?hl=en](https://support.google.com/chrome/a/answer/2799701?hl=en)
diff --git a/lolrmm.com/content/rmm_tools/chrome_ssh_extension.md b/lolrmm.com/content/rmm_tools/chrome_ssh_extension.md
index 0740bf32..0d278e0d 100644
--- a/lolrmm.com/content/rmm_tools/chrome_ssh_extension.md
+++ b/lolrmm.com/content/rmm_tools/chrome_ssh_extension.md
@@ -23,6 +23,9 @@ Chrome SSH Extension is a remote monitoring and management (RMM) tool. More info
#### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
- **Free**: No
diff --git a/lolrmm.com/content/rmm_tools/cloud_explorer.md b/lolrmm.com/content/rmm_tools/cloud_explorer.md
index 9c91982a..2d6f7a6c 100644
--- a/lolrmm.com/content/rmm_tools/cloud_explorer.md
+++ b/lolrmm.com/content/rmm_tools/cloud_explorer.md
@@ -23,6 +23,9 @@ Cloud Explorer is a remote monitoring and management (RMM) tool. More informatio
#### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
- **Free**: No
diff --git a/lolrmm.com/content/rmm_tools/cloud_turtle.md b/lolrmm.com/content/rmm_tools/cloud_turtle.md
index cd4f2eb3..97e2579b 100644
--- a/lolrmm.com/content/rmm_tools/cloud_turtle.md
+++ b/lolrmm.com/content/rmm_tools/cloud_turtle.md
@@ -23,6 +23,9 @@ Cloud Turtle is a remote monitoring and management (RMM) tool. More information
#### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
- **Free**: No
diff --git a/lolrmm.com/content/rmm_tools/cloudberry_explorer.md b/lolrmm.com/content/rmm_tools/cloudberry_explorer.md
index c7352ee2..efb63af2 100644
--- a/lolrmm.com/content/rmm_tools/cloudberry_explorer.md
+++ b/lolrmm.com/content/rmm_tools/cloudberry_explorer.md
@@ -23,6 +23,9 @@ CloudBerry Explorer is a remote monitoring and management (RMM) tool. More infor
#### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
- **Free**: No
diff --git a/lolrmm.com/content/rmm_tools/cloudbuckit.md b/lolrmm.com/content/rmm_tools/cloudbuckit.md
index 7407b9d6..943e2c7f 100644
--- a/lolrmm.com/content/rmm_tools/cloudbuckit.md
+++ b/lolrmm.com/content/rmm_tools/cloudbuckit.md
@@ -23,6 +23,9 @@ CloudBuckIt is a remote monitoring and management (RMM) tool. More information w
#### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
- **Free**: No
@@ -44,6 +47,9 @@ CloudBuckIt is a remote monitoring and management (RMM) tool. More information w
+### Detections
+- Detects potential processes activity of CloudBuckIt RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudbuckit_processes_sigma.yml)
diff --git a/lolrmm.com/content/rmm_tools/cloudexplorer.md b/lolrmm.com/content/rmm_tools/cloudexplorer.md
index 320e70da..a5d54675 100644
--- a/lolrmm.com/content/rmm_tools/cloudexplorer.md
+++ b/lolrmm.com/content/rmm_tools/cloudexplorer.md
@@ -23,6 +23,9 @@ CloudExplorer is a remote monitoring and management (RMM) tool. More information
#### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
- **Free**: No
diff --git a/lolrmm.com/content/rmm_tools/cloudflare_tunnel.md b/lolrmm.com/content/rmm_tools/cloudflare_tunnel.md
index 7fa16132..de0e99a6 100644
--- a/lolrmm.com/content/rmm_tools/cloudflare_tunnel.md
+++ b/lolrmm.com/content/rmm_tools/cloudflare_tunnel.md
@@ -24,6 +24,9 @@ CloudFlare Tunnel is a remote monitoring and management (RMM) tool. More informa
#### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
- **Free**: No
@@ -42,15 +45,15 @@ CloudFlare Tunnel is a remote monitoring and management (RMM) tool. More informa
#### Network Artifacts
- -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `cloudflare.com/products/tunnel/` - -
+### Detections
+- Detects potential network activity of CloudFlare Tunnel RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudflare_tunnel_network_sigma.yml)
+- Detects potential processes activity of CloudFlare Tunnel RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudflare_tunnel_processes_sigma.yml)
### References
- [cloudflare.com/products/tunnel/](cloudflare.com/products/tunnel/)
diff --git a/lolrmm.com/content/rmm_tools/cloudfuze.md b/lolrmm.com/content/rmm_tools/cloudfuze.md
index fed183c0..2af8862e 100644
--- a/lolrmm.com/content/rmm_tools/cloudfuze.md
+++ b/lolrmm.com/content/rmm_tools/cloudfuze.md
@@ -23,6 +23,9 @@ CloudFuze is a remote monitoring and management (RMM) tool. More information wil
#### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
- **Free**: No
diff --git a/lolrmm.com/content/rmm_tools/cloudgopher.md b/lolrmm.com/content/rmm_tools/cloudgopher.md
index 16ddcf8a..05ed7172 100644
--- a/lolrmm.com/content/rmm_tools/cloudgopher.md
+++ b/lolrmm.com/content/rmm_tools/cloudgopher.md
@@ -23,6 +23,9 @@ CloudGopher is a remote monitoring and management (RMM) tool. More information w
#### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
- **Free**: No
diff --git a/lolrmm.com/content/rmm_tools/cloudhq.md b/lolrmm.com/content/rmm_tools/cloudhq.md
index e6e25dbd..a315fce2 100644
--- a/lolrmm.com/content/rmm_tools/cloudhq.md
+++ b/lolrmm.com/content/rmm_tools/cloudhq.md
@@ -23,6 +23,9 @@ CloudHQ is a remote monitoring and management (RMM) tool. More information will
#### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
- **Free**: No
diff --git a/lolrmm.com/content/rmm_tools/cloudmounter.md b/lolrmm.com/content/rmm_tools/cloudmounter.md
index 70bd05e1..2c7e6e85 100644
--- a/lolrmm.com/content/rmm_tools/cloudmounter.md
+++ b/lolrmm.com/content/rmm_tools/cloudmounter.md
@@ -23,6 +23,9 @@ CloudMounter is a remote monitoring and management (RMM) tool. More information
#### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
- **Free**: No
@@ -45,6 +48,9 @@ CloudMounter is a remote monitoring and management (RMM) tool. More information
+### Detections
+- Detects potential processes activity of CloudMounter RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudmounter_processes_sigma.yml)
diff --git a/lolrmm.com/content/rmm_tools/cloudsfer.md b/lolrmm.com/content/rmm_tools/cloudsfer.md
index 141037a1..cd135fd9 100644
--- a/lolrmm.com/content/rmm_tools/cloudsfer.md
+++ b/lolrmm.com/content/rmm_tools/cloudsfer.md
@@ -23,6 +23,9 @@ Cloudsfer is a remote monitoring and management (RMM) tool. More information wil
#### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
- **Free**: No
diff --git a/lolrmm.com/content/rmm_tools/cloudxplorer.md b/lolrmm.com/content/rmm_tools/cloudxplorer.md
index 103d796a..0f3445d2 100644
--- a/lolrmm.com/content/rmm_tools/cloudxplorer.md
+++ b/lolrmm.com/content/rmm_tools/cloudxplorer.md
@@ -23,6 +23,9 @@ CloudXplorer is a remote monitoring and management (RMM) tool. More information
#### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
- **Free**: No
@@ -44,6 +47,9 @@ CloudXplorer is a remote monitoring and management (RMM) tool. More information
+### Detections
+- Detects potential processes activity of CloudXplorer RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudxplorer_processes_sigma.yml)
diff --git a/lolrmm.com/content/rmm_tools/comodo_rmm.md b/lolrmm.com/content/rmm_tools/comodo_rmm.md
index ec167998..5bdfd99f 100644
--- a/lolrmm.com/content/rmm_tools/comodo_rmm.md
+++ b/lolrmm.com/content/rmm_tools/comodo_rmm.md
@@ -24,6 +24,9 @@ Comodo RMM is a remote monitoring and management (RMM) tool. More information wi
#### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
- **Free**: No
@@ -43,17 +46,17 @@ Comodo RMM is a remote monitoring and management (RMM) tool. More information wi
#### Network Artifacts
- -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*.itsm-us1.comodo.com` - `*mdmsupport.comodo.com` - `one.comodo.com` - -
+### Detections
+- Detects potential network activity of Comodo RMM RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/comodo_rmm_network_sigma.yml)
+- Detects potential processes activity of Comodo RMM RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/comodo_rmm_processes_sigma.yml)
### References
- [https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html](https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html)
diff --git a/lolrmm.com/content/rmm_tools/connectwise.md b/lolrmm.com/content/rmm_tools/connectwise.md
index 315ad519..1078b5db 100644
--- a/lolrmm.com/content/rmm_tools/connectwise.md
+++ b/lolrmm.com/content/rmm_tools/connectwise.md
@@ -23,6 +23,9 @@ ConnectWise is a remote monitoring and management (RMM) tool. More information w
#### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
- **Free**: No
diff --git a/lolrmm.com/content/rmm_tools/connectwise_automate__labtech_.md b/lolrmm.com/content/rmm_tools/connectwise_automate__labtech_.md
index dfaec755..57a114ad 100644
--- a/lolrmm.com/content/rmm_tools/connectwise_automate__labtech_.md
+++ b/lolrmm.com/content/rmm_tools/connectwise_automate__labtech_.md
@@ -24,6 +24,9 @@ Connectwise Automate (LabTech) is a remote monitoring and management (RMM) tool.
#### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
- **Free**: No
@@ -44,15 +47,15 @@ Connectwise Automate (LabTech) is a remote monitoring and management (RMM) tool.
#### Network Artifacts
- -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*.hostedrmm.com` - -
+### Detections
+- Detects potential network activity of Connectwise Automate (LabTech) RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_automate__labtech__network_sigma.yml)
+- Detects potential processes activity of Connectwise Automate (LabTech) RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_automate__labtech__processes_sigma.yml)
### References
- [https://www.connectwise.com/company/announcements/labtech-now-connectwise-automate](https://www.connectwise.com/company/announcements/labtech-now-connectwise-automate)
diff --git a/lolrmm.com/content/rmm_tools/connectwise_control.md b/lolrmm.com/content/rmm_tools/connectwise_control.md
index bf4f0889..c99a4cf3 100644
--- a/lolrmm.com/content/rmm_tools/connectwise_control.md
+++ b/lolrmm.com/content/rmm_tools/connectwise_control.md
@@ -23,6 +23,9 @@ ConnectWise Control is a remote monitoring and management (RMM) tool. More infor
#### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
- **Free**: No
@@ -44,16 +47,16 @@ ConnectWise Control is a remote monitoring and management (RMM) tool. More infor
#### Network Artifacts
- -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `live.screenconnect.com` - `control.connectwise.com` - -
+### Detections
+- Detects potential network activity of ConnectWise Control RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_network_sigma.yml)
+- Detects potential processes activity of ConnectWise Control RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_processes_sigma.yml)
diff --git a/lolrmm.com/content/rmm_tools/core_ftp.md b/lolrmm.com/content/rmm_tools/core_ftp.md
index 6bde62d3..2c18d783 100644
--- a/lolrmm.com/content/rmm_tools/core_ftp.md
+++ b/lolrmm.com/content/rmm_tools/core_ftp.md
@@ -23,6 +23,9 @@ Core FTP is a remote monitoring and management (RMM) tool. More information will
#### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
- **Free**: No
@@ -43,6 +46,9 @@ Core FTP is a remote monitoring and management (RMM) tool. More information will
+### Detections
+- Detects potential processes activity of Core FTP RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/core_ftp_processes_sigma.yml)
diff --git a/lolrmm.com/content/rmm_tools/crossloop.md b/lolrmm.com/content/rmm_tools/crossloop.md
index d0131ebd..afd3466b 100644
--- a/lolrmm.com/content/rmm_tools/crossloop.md
+++ b/lolrmm.com/content/rmm_tools/crossloop.md
@@ -24,6 +24,9 @@ CrossLoop is a remote monitoring and management (RMM) tool. More information wil
#### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
- **Free**: No
@@ -44,16 +47,16 @@ CrossLoop is a remote monitoring and management (RMM) tool. More information wil
#### Network Artifacts
- -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*.crossloop.com` - `crossloop.en.softonic.com` - -
+### Detections
+- Detects potential network activity of CrossLoop RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crossloop_network_sigma.yml)
+- Detects potential processes activity of CrossLoop RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crossloop_processes_sigma.yml)
### References
- [www.CrossLoop.com -> redirects to avast.com](www.CrossLoop.com -> redirects to avast.com)
diff --git a/lolrmm.com/content/rmm_tools/crosstec_remote_control.md b/lolrmm.com/content/rmm_tools/crosstec_remote_control.md
index 2cde1ef9..942be649 100644
--- a/lolrmm.com/content/rmm_tools/crosstec_remote_control.md
+++ b/lolrmm.com/content/rmm_tools/crosstec_remote_control.md
@@ -24,6 +24,9 @@ CrossTec Remote Control is a remote monitoring and management (RMM) tool. More i
#### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
- **Free**: No
@@ -43,16 +46,16 @@ CrossTec Remote Control is a remote monitoring and management (RMM) tool. More i
#### Network Artifacts
- -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `user_managed` - `crosstecsoftware.com/remotecontrol` - -
+### Detections
+- Detects potential network activity of CrossTec Remote Control RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crosstec_remote_control_network_sigma.yml)
+- Detects potential processes activity of CrossTec Remote Control RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crosstec_remote_control_processes_sigma.yml)
### References
- [www.crosstecsoftware.com/supporthome.html - domain DOA 2/1/2024](www.crosstecsoftware.com/supporthome.html - domain DOA 2/1/2024)
diff --git a/lolrmm.com/content/rmm_tools/cruz.md b/lolrmm.com/content/rmm_tools/cruz.md
index bf3f1230..41abc480 100644
--- a/lolrmm.com/content/rmm_tools/cruz.md
+++ b/lolrmm.com/content/rmm_tools/cruz.md
@@ -23,6 +23,9 @@ Cruz is a remote monitoring and management (RMM) tool. More information will be
#### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
- **Free**: No
@@ -39,15 +42,13 @@ Cruz is a remote monitoring and management (RMM) tool. More information will be
#### Network Artifacts
- -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `resources.doradosoftware.com/cruz-rmm` - -
+### Detections
+- Detects potential network activity of Cruz RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cruz_network_sigma.yml)
diff --git a/lolrmm.com/content/rmm_tools/cruzcontrol.md b/lolrmm.com/content/rmm_tools/cruzcontrol.md
index eacbb82c..7530e773 100644
--- a/lolrmm.com/content/rmm_tools/cruzcontrol.md
+++ b/lolrmm.com/content/rmm_tools/cruzcontrol.md
@@ -24,6 +24,9 @@ CruzControl is a remote monitoring and management (RMM) tool. More information w
#### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
- **Free**: No
diff --git a/lolrmm.com/content/rmm_tools/cuteftp.md b/lolrmm.com/content/rmm_tools/cuteftp.md
index 5bf15400..45eafd43 100644
--- a/lolrmm.com/content/rmm_tools/cuteftp.md
+++ b/lolrmm.com/content/rmm_tools/cuteftp.md
@@ -23,6 +23,9 @@ CuteFTP is a remote monitoring and management (RMM) tool. More information will
#### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
- **Free**: No
@@ -44,6 +47,9 @@ CuteFTP is a remote monitoring and management (RMM) tool. More information will
+### Detections
+- Detects potential processes activity of CuteFTP RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cuteftp_processes_sigma.yml)
diff --git a/lolrmm.com/content/rmm_tools/cyberduck.md b/lolrmm.com/content/rmm_tools/cyberduck.md
index 381cd0c1..89c94c01 100644
--- a/lolrmm.com/content/rmm_tools/cyberduck.md
+++ b/lolrmm.com/content/rmm_tools/cyberduck.md
@@ -23,6 +23,9 @@ Cyberduck is a remote monitoring and management (RMM) tool. More information wil
#### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
- **Free**: No
@@ -44,6 +47,9 @@ Cyberduck is a remote monitoring and management (RMM) tool. More information wil
+### Detections
+- Detects potential processes activity of Cyberduck RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cyberduck_processes_sigma.yml)
diff --git a/lolrmm.com/content/rmm_tools/dameware-mini_remote_control_protocol.md b/lolrmm.com/content/rmm_tools/dameware-mini_remote_control_protocol.md
index 820fd2c0..94e52e95 100644
--- a/lolrmm.com/content/rmm_tools/dameware-mini_remote_control_protocol.md
+++ b/lolrmm.com/content/rmm_tools/dameware-mini_remote_control_protocol.md
@@ -23,6 +23,9 @@ Dameware-mini remote control Protocol is a remote monitoring and management (RMM
#### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
- **Free**: No
@@ -42,15 +45,15 @@ Dameware-mini remote control Protocol is a remote monitoring and management (RMM
#### Network Artifacts
- -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `dameware.com` - -
+### Detections
+- Detects potential network activity of Dameware-mini remote control Protocol RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware-mini_remote_control_protocol_network_sigma.yml)
+- Detects potential processes activity of Dameware-mini remote control Protocol RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware-mini_remote_control_protocol_processes_sigma.yml)
diff --git a/lolrmm.com/content/rmm_tools/dameware.md b/lolrmm.com/content/rmm_tools/dameware.md
index adccc191..1aba648d 100644
--- a/lolrmm.com/content/rmm_tools/dameware.md
+++ b/lolrmm.com/content/rmm_tools/dameware.md
@@ -24,6 +24,9 @@ DameWare is a remote monitoring and management (RMM) tool. More information will
#### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
- **Free**: No
@@ -51,6 +54,9 @@ DameWare is a remote monitoring and management (RMM) tool. More information will
+### Detections
+- Detects potential processes activity of DameWare RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware_processes_sigma.yml)
### References
- [https://documentation.solarwinds.com/en/success_center/dameware/content/install-standalone-port-requirements.htm](https://documentation.solarwinds.com/en/success_center/dameware/content/install-standalone-port-requirements.htm)
diff --git a/lolrmm.com/content/rmm_tools/datto.md b/lolrmm.com/content/rmm_tools/datto.md
index 339c0431..efca087f 100644
--- a/lolrmm.com/content/rmm_tools/datto.md
+++ b/lolrmm.com/content/rmm_tools/datto.md
@@ -23,6 +23,9 @@ Datto is a remote monitoring and management (RMM) tool. More information will be
#### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
- **Free**: No
@@ -39,15 +42,13 @@ Datto is a remote monitoring and management (RMM) tool. More information will be
#### Network Artifacts
- -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `datto.com` - -
+### Detections
+- Detects potential network activity of Datto RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/datto_network_sigma.yml)
diff --git a/lolrmm.com/content/rmm_tools/deskday.md b/lolrmm.com/content/rmm_tools/deskday.md
index 7a530f71..8ea887b7 100644
--- a/lolrmm.com/content/rmm_tools/deskday.md
+++ b/lolrmm.com/content/rmm_tools/deskday.md
@@ -24,6 +24,9 @@ DeskDay is a remote monitoring and management (RMM) tool. More information will
#### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
- **Free**: No
@@ -42,16 +45,16 @@ DeskDay is a remote monitoring and management (RMM) tool. More information will #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `deskday.ai` - `app.deskday.ai` - - +### Detections +- Detects potential network activity of DeskDay RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskday_network_sigma.yml) +- Detects potential processes activity of DeskDay RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskday_processes_sigma.yml) ### References - [https://support.deskday.ai/en/articles/8235973-installing-the-end-user-application-ultimate](https://support.deskday.ai/en/articles/8235973-installing-the-end-user-application-ultimate) diff --git a/lolrmm.com/content/rmm_tools/desknets.md b/lolrmm.com/content/rmm_tools/desknets.md index 4e1d2f9c..99c5ddbf 100644 --- a/lolrmm.com/content/rmm_tools/desknets.md +++ b/lolrmm.com/content/rmm_tools/desknets.md @@ -24,6 +24,9 @@ DeskNets is a remote monitoring and management (RMM) tool. More information will #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No diff --git a/lolrmm.com/content/rmm_tools/deskshare.md b/lolrmm.com/content/rmm_tools/deskshare.md index a44b28f6..efe130fd 100644 --- a/lolrmm.com/content/rmm_tools/deskshare.md +++ b/lolrmm.com/content/rmm_tools/deskshare.md @@ -24,6 +24,9 @@ DeskShare is a remote monitoring and management (RMM) tool. More information wil #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -43,15 +46,15 @@ DeskShare is a remote monitoring and management (RMM) tool. More information wil #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `user_managed` - - +### Detections +- Detects potential network activity of DeskShare RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskshare_network_sigma.yml) +- Detects potential processes activity of DeskShare RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskshare_processes_sigma.yml) ### References - [https://www.deskshare.com/help/fml/Active-and-Passive-connection-mode.aspx](https://www.deskshare.com/help/fml/Active-and-Passive-connection-mode.aspx) diff --git a/lolrmm.com/content/rmm_tools/desktop_central.md b/lolrmm.com/content/rmm_tools/desktop_central.md index dd0cf35a..1a067af9 100644 --- a/lolrmm.com/content/rmm_tools/desktop_central.md +++ b/lolrmm.com/content/rmm_tools/desktop_central.md @@ -23,6 +23,9 @@ Desktop Central is a remote monitoring and management (RMM) tool. More informati #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -41,15 +44,15 @@ Desktop Central is a remote monitoring and management (RMM) tool. More informati #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `desktopcentral.manageengine.com` - - +### Detections +- Detects potential network activity of Desktop Central RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktop_central_network_sigma.yml) +- Detects potential processes activity of Desktop Central RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktop_central_processes_sigma.yml) 
diff --git a/lolrmm.com/content/rmm_tools/desktopnow.md b/lolrmm.com/content/rmm_tools/desktopnow.md index 18a0b58d..f623cd1c 100644 --- a/lolrmm.com/content/rmm_tools/desktopnow.md +++ b/lolrmm.com/content/rmm_tools/desktopnow.md @@ -24,6 +24,9 @@ DesktopNow is a remote monitoring and management (RMM) tool. More information wi #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -42,15 +45,15 @@ DesktopNow is a remote monitoring and management (RMM) tool. More information wi #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*.nchuser.com` - - +### Detections +- Detects potential network activity of DesktopNow RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktopnow_network_sigma.yml) +- Detects potential processes activity of DesktopNow RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktopnow_processes_sigma.yml) ### References - [https://forums.ivanti.com/s/article/Network-Ports-used-by-Environment-Manager?language=en_US](https://forums.ivanti.com/s/article/Network-Ports-used-by-Environment-Manager?language=en_US) diff --git a/lolrmm.com/content/rmm_tools/dev_tunnels__aka_visual_studio_dev_tunnel_.md b/lolrmm.com/content/rmm_tools/dev_tunnels__aka_visual_studio_dev_tunnel_.md index c50ad8f7..835e35cb 100644 --- a/lolrmm.com/content/rmm_tools/dev_tunnels__aka_visual_studio_dev_tunnel_.md +++ b/lolrmm.com/content/rmm_tools/dev_tunnels__aka_visual_studio_dev_tunnel_.md @@ -23,6 +23,9 @@ Dev Tunnels (aka Visual Studio Dev Tunnel) is a remote monitoring and management #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -39,15 +42,13 @@ Dev Tunnels (aka Visual Studio Dev Tunnel) is a remote monitoring and management #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview` - - +### Detections +- Detects potential network activity of Dev Tunnels (aka Visual Studio Dev Tunnel) RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dev_tunnels__aka_visual_studio_dev_tunnel__network_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/devolutions_remote_desktop_manager.md b/lolrmm.com/content/rmm_tools/devolutions_remote_desktop_manager.md index afa131b7..4988d7bb 100644 --- a/lolrmm.com/content/rmm_tools/devolutions_remote_desktop_manager.md +++ b/lolrmm.com/content/rmm_tools/devolutions_remote_desktop_manager.md @@ -23,6 +23,9 @@ Devolutions Remote Desktop Manager is a remote monitoring and management (RMM) t #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No diff --git a/lolrmm.com/content/rmm_tools/distant_desktop.md b/lolrmm.com/content/rmm_tools/distant_desktop.md index 0cabbca1..381ef2e1 100644 --- a/lolrmm.com/content/rmm_tools/distant_desktop.md +++ b/lolrmm.com/content/rmm_tools/distant_desktop.md @@ -24,6 +24,9 @@ Distant Desktop is a remote monitoring and management (RMM) tool. More informati #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -44,16 +47,16 @@ Distant Desktop is a remote monitoring and management (RMM) tool. More informati #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*.distantdesktop.com` - `*signalserver.xyz` - - +### Detections +- Detects potential network activity of Distant Desktop RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_network_sigma.yml) +- Detects potential processes activity of Distant Desktop RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_processes_sigma.yml) ### References - [https://www.distantdesktop.com/manual/first-start.htm](https://www.distantdesktop.com/manual/first-start.htm) diff --git a/lolrmm.com/content/rmm_tools/domotz.md b/lolrmm.com/content/rmm_tools/domotz.md index 97e8b522..30fc70cc 100644 --- a/lolrmm.com/content/rmm_tools/domotz.md +++ b/lolrmm.com/content/rmm_tools/domotz.md @@ -24,6 +24,9 @@ Domotz is a remote monitoring and management (RMM) tool. More information will b #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -47,17 +50,17 @@ Domotz is a remote monitoring and management (RMM) tool. More information will b #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*.domotz.co` - `domotz.com` - `*cell-1.domotz.com` - - +### Detections +- Detects potential network activity of Domotz RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/domotz_network_sigma.yml) +- Detects potential processes activity of Domotz RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/domotz_processes_sigma.yml) ### References - [https://help.domotz.com/tips-tricks/unblock-outgoing-connections-on-firewall/](https://help.domotz.com/tips-tricks/unblock-outgoing-connections-on-firewall/) diff --git a/lolrmm.com/content/rmm_tools/dragondisk.md b/lolrmm.com/content/rmm_tools/dragondisk.md index 6123c4d6..f03ada6d 100644 --- a/lolrmm.com/content/rmm_tools/dragondisk.md +++ b/lolrmm.com/content/rmm_tools/dragondisk.md @@ -23,6 +23,9 @@ DragonDisk is a remote monitoring and management (RMM) tool. More information wi #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -44,6 +47,9 @@ DragonDisk is a remote monitoring and management (RMM) tool. More information wi +### Detections +- Detects potential processes activity of DragonDisk RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dragondisk_processes_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/drivemaker.md b/lolrmm.com/content/rmm_tools/drivemaker.md index 720088b8..22b09f26 100644 --- a/lolrmm.com/content/rmm_tools/drivemaker.md +++ b/lolrmm.com/content/rmm_tools/drivemaker.md @@ -23,6 +23,9 @@ DriveMaker is a remote monitoring and management (RMM) tool. More information wi #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -43,6 +46,9 @@ DriveMaker is a remote monitoring and management (RMM) tool. More information wi +### Detections +- Detects potential processes activity of DriveMaker RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/drivemaker_processes_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/dropbox.md b/lolrmm.com/content/rmm_tools/dropbox.md index 3ff00da1..0e91a1ad 100644 --- a/lolrmm.com/content/rmm_tools/dropbox.md +++ b/lolrmm.com/content/rmm_tools/dropbox.md @@ -23,6 +23,9 @@ Dropbox is a remote monitoring and management (RMM) tool. More information will #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -45,6 +48,9 @@ Dropbox is a remote monitoring and management (RMM) tool. More information will +### Detections +- Detects potential processes activity of Dropbox RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dropbox_processes_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/duplicati.md b/lolrmm.com/content/rmm_tools/duplicati.md index d040ffb6..aedc52bf 100644 --- a/lolrmm.com/content/rmm_tools/duplicati.md +++ b/lolrmm.com/content/rmm_tools/duplicati.md @@ -23,6 +23,9 @@ Duplicati is a remote monitoring and management (RMM) tool. More information wil #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -43,6 +46,9 @@ Duplicati is a remote monitoring and management (RMM) tool. More information wil +### Detections +- Detects potential processes activity of Duplicati RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/duplicati_processes_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/dw_service.md b/lolrmm.com/content/rmm_tools/dw_service.md index f1945aae..9fe66748 100644 --- a/lolrmm.com/content/rmm_tools/dw_service.md +++ b/lolrmm.com/content/rmm_tools/dw_service.md 
@@ -24,6 +24,9 @@ DW Service is a remote monitoring and management (RMM) tool. More information wi #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -44,15 +47,15 @@ DW Service is a remote monitoring and management (RMM) tool. More information wi #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*.dwservice.net` - - +### Detections +- Detects potential network activity of DW Service RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_network_sigma.yml) +- Detects potential processes activity of DW Service RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_processes_sigma.yml) ### References - [https://news.dwservice.net/dwservice-security-infrastructure/](https://news.dwservice.net/dwservice-security-infrastructure/) diff --git a/lolrmm.com/content/rmm_tools/echoware.md b/lolrmm.com/content/rmm_tools/echoware.md index 1c137a93..77d8ea10 100644 --- a/lolrmm.com/content/rmm_tools/echoware.md +++ b/lolrmm.com/content/rmm_tools/echoware.md @@ -24,6 +24,9 @@ Echoware is a remote monitoring and management (RMM) tool. More information will #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -44,6 +47,9 @@ Echoware is a remote monitoring and management (RMM) tool. More information will +### Detections +- Detects potential processes activity of Echoware RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/echoware_processes_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/ehorus.md b/lolrmm.com/content/rmm_tools/ehorus.md index 2ef9ffb3..5f8779ea 100644 --- a/lolrmm.com/content/rmm_tools/ehorus.md +++ b/lolrmm.com/content/rmm_tools/ehorus.md 
@@ -23,6 +23,9 @@ eHorus is a remote monitoring and management (RMM) tool. More information will b #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -41,15 +44,15 @@ eHorus is a remote monitoring and management (RMM) tool. More information will b #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `ehorus.com` - - +### Detections +- Detects potential network activity of eHorus RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ehorus_network_sigma.yml) +- Detects potential processes activity of eHorus RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ehorus_processes_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/electric.md b/lolrmm.com/content/rmm_tools/electric.md index ba791a3c..3ae90588 100644 --- a/lolrmm.com/content/rmm_tools/electric.md +++ b/lolrmm.com/content/rmm_tools/electric.md @@ -23,6 +23,9 @@ Electric is a remote monitoring and management (RMM) tool. More information will #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -39,15 +42,13 @@ Electric is a remote monitoring and management (RMM) tool. More information will #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `electric.ai` - - +### Detections +- Detects potential network activity of Electric RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/electric_network_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/electric_ai__kaseya_.md b/lolrmm.com/content/rmm_tools/electric_ai__kaseya_.md index acd4198a..dafd4f58 100644 --- a/lolrmm.com/content/rmm_tools/electric_ai__kaseya_.md +++ b/lolrmm.com/content/rmm_tools/electric_ai__kaseya_.md 
@@ -24,6 +24,9 @@ Electric AI (Kaseya) is a remote monitoring and management (RMM) tool. More info #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No diff --git a/lolrmm.com/content/rmm_tools/emco_remote_console.md b/lolrmm.com/content/rmm_tools/emco_remote_console.md index 3ef126c4..ded7f314 100644 --- a/lolrmm.com/content/rmm_tools/emco_remote_console.md +++ b/lolrmm.com/content/rmm_tools/emco_remote_console.md @@ -24,6 +24,9 @@ EMCO Remote Console is a remote monitoring and management (RMM) tool. More infor #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -42,16 +45,16 @@ EMCO Remote Console is a remote monitoring and management (RMM) tool. More infor #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `user_managed` - `emcosoftware.com` - - +### Detections +- Detects potential network activity of EMCO Remote Console RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/emco_remote_console_network_sigma.yml) +- Detects potential processes activity of EMCO Remote Console RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/emco_remote_console_processes_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/encapto.md b/lolrmm.com/content/rmm_tools/encapto.md index ec1e2873..8a9a3011 100644 --- a/lolrmm.com/content/rmm_tools/encapto.md +++ b/lolrmm.com/content/rmm_tools/encapto.md @@ -24,6 +24,9 @@ Encapto is a remote monitoring and management (RMM) tool. More information will #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -40,15 +43,13 @@ Encapto is a remote monitoring and management (RMM) tool. More information will #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `encapto.com` - - +### Detections +- Detects potential network activity of Encapto RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/encapto_network_sigma.yml) ### References - [https://www.encapto.com - used to manage Cisco services](https://www.encapto.com - used to manage Cisco services) diff --git a/lolrmm.com/content/rmm_tools/ericom_accessnow.md b/lolrmm.com/content/rmm_tools/ericom_accessnow.md index 27a9d8f5..dd94d3c0 100644 --- a/lolrmm.com/content/rmm_tools/ericom_accessnow.md +++ b/lolrmm.com/content/rmm_tools/ericom_accessnow.md @@ -24,6 +24,9 @@ Ericom AccessNow is a remote monitoring and management (RMM) tool. More informat #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -43,16 +46,16 @@ Ericom AccessNow is a remote monitoring and management (RMM) tool. More informat #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `user_managed` - `ericom.com` - - +### Detections +- Detects potential network activity of Ericom AccessNow RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_accessnow_network_sigma.yml) +- Detects potential processes activity of Ericom AccessNow RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_accessnow_processes_sigma.yml) ### References - [https://www.ericom.com/connect-accessnow/](https://www.ericom.com/connect-accessnow/) diff --git a/lolrmm.com/content/rmm_tools/ericom_connect.md b/lolrmm.com/content/rmm_tools/ericom_connect.md index 2cb73174..9584fb04 100644 --- a/lolrmm.com/content/rmm_tools/ericom_connect.md 
+++ b/lolrmm.com/content/rmm_tools/ericom_connect.md @@ -24,6 +24,9 @@ Ericom Connect is a remote monitoring and management (RMM) tool. More informatio #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -43,16 +46,16 @@ Ericom Connect is a remote monitoring and management (RMM) tool. More informatio #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `user_managed` - `ericom.com` - - +### Detections +- Detects potential network activity of Ericom Connect RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_connect_network_sigma.yml) +- Detects potential processes activity of Ericom Connect RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_connect_processes_sigma.yml) ### References - [https://www.ericom.com/connect-accessnow/](https://www.ericom.com/connect-accessnow/) diff --git a/lolrmm.com/content/rmm_tools/eset_remote_administrator.md b/lolrmm.com/content/rmm_tools/eset_remote_administrator.md index a1ec8156..d8c5ce04 100644 --- a/lolrmm.com/content/rmm_tools/eset_remote_administrator.md +++ b/lolrmm.com/content/rmm_tools/eset_remote_administrator.md @@ -24,6 +24,9 @@ ESET Remote Administrator is a remote monitoring and management (RMM) tool. More #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -46,16 +49,16 @@ ESET Remote Administrator is a remote monitoring and management (RMM) tool. More #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `user_managed` - `eset.com/me/business/remote-management/remote-administrator/` - - +### Detections +- Detects potential network activity of ESET Remote Administrator RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_network_sigma.yml) +- Detects potential processes activity of ESET Remote Administrator RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_processes_sigma.yml) ### References - [eset.com/me/business/remote-management/remote-administrator/](eset.com/me/business/remote-management/remote-administrator/) diff --git a/lolrmm.com/content/rmm_tools/expandrive.md b/lolrmm.com/content/rmm_tools/expandrive.md index 3309191e..b821c3b2 100644 --- a/lolrmm.com/content/rmm_tools/expandrive.md +++ b/lolrmm.com/content/rmm_tools/expandrive.md @@ -23,6 +23,9 @@ ExpanDrive is a remote monitoring and management (RMM) tool. More information wi #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -43,6 +46,9 @@ ExpanDrive is a remote monitoring and management (RMM) tool. More information wi +### Detections +- Detects potential processes activity of ExpanDrive RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/expandrive_processes_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/extraputty.md b/lolrmm.com/content/rmm_tools/extraputty.md index 76b70eaf..ae77ba91 100644 --- a/lolrmm.com/content/rmm_tools/extraputty.md +++ b/lolrmm.com/content/rmm_tools/extraputty.md 
@@ -23,6 +23,9 @@ ExtraPuTTY is a remote monitoring and management (RMM) tool. More information wi #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -44,6 +47,9 @@ ExtraPuTTY is a remote monitoring and management (RMM) tool. More information wi +### Detections +- Detects potential processes activity of ExtraPuTTY RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/extraputty_processes_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/ezhelp.md b/lolrmm.com/content/rmm_tools/ezhelp.md index db6ec1b5..b72e435b 100644 --- a/lolrmm.com/content/rmm_tools/ezhelp.md +++ b/lolrmm.com/content/rmm_tools/ezhelp.md @@ -24,6 +24,9 @@ ezHelp is a remote monitoring and management (RMM) tool. More information will b #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -44,16 +47,16 @@ ezHelp is a remote monitoring and management (RMM) tool. More information will b #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*.ezhelp.co.kr` - `ezhelp.co.kr` - - +### Detections +- Detects potential network activity of ezHelp RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ezhelp_network_sigma.yml) +- Detects potential processes activity of ezHelp RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ezhelp_processes_sigma.yml) ### References - [https://www.exhelp.co.kr](https://www.exhelp.co.kr) diff --git a/lolrmm.com/content/rmm_tools/fastviewer.md b/lolrmm.com/content/rmm_tools/fastviewer.md index 70f8d492..649d0598 100644 --- a/lolrmm.com/content/rmm_tools/fastviewer.md +++ b/lolrmm.com/content/rmm_tools/fastviewer.md 
@@ -24,6 +24,9 @@ FastViewer is a remote monitoring and management (RMM) tool. More information wi #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -44,16 +47,16 @@ FastViewer is a remote monitoring and management (RMM) tool. More information wi #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*.fastviewer.com` - `fastviewer.com` - - +### Detections +- Detects potential network activity of FastViewer RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fastviewer_network_sigma.yml) +- Detects potential processes activity of FastViewer RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fastviewer_processes_sigma.yml) ### References - [https://fastviewer.com/demo/EN_FastViewer_Server%20Installation%20Configuration.pdf](https://fastviewer.com/demo/EN_FastViewer_Server%20Installation%20Configuration.pdf) diff --git a/lolrmm.com/content/rmm_tools/filezilla.md b/lolrmm.com/content/rmm_tools/filezilla.md index efba9e97..17a2f3e5 100644 --- a/lolrmm.com/content/rmm_tools/filezilla.md +++ b/lolrmm.com/content/rmm_tools/filezilla.md @@ -23,6 +23,9 @@ FileZilla is a remote monitoring and management (RMM) tool. More information wil #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -44,6 +47,9 @@ FileZilla is a remote monitoring and management (RMM) tool. More information wil +### Detections +- Detects potential processes activity of FileZilla RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/filezilla_processes_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/fixme.it.md b/lolrmm.com/content/rmm_tools/fixme.it.md index 85074ec2..4532883e 100644 --- a/lolrmm.com/content/rmm_tools/fixme.it.md +++ b/lolrmm.com/content/rmm_tools/fixme.it.md 
@@ -24,6 +24,9 @@ FixMe.it is a remote monitoring and management (RMM) tool. More information will #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -53,10 +56,7 @@ FixMe.it is a remote monitoring and management (RMM) tool. More information will #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*.fixme.it` - `*.techinline.net` - `fixme.it` @@ -64,8 +64,11 @@ FixMe.it is a remote monitoring and management (RMM) tool. More information will - `*setme.net` - - +### Detections +- Detects potential network activity of FixMe.it RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme.it_network_sigma.yml) +- Detects potential processes activity of FixMe.it RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme.it_processes_sigma.yml) ### References - [https://docs.fixme.it/general-questions/which-ports-and-servers-does-fixme-it-use](https://docs.fixme.it/general-questions/which-ports-and-servers-does-fixme-it-use) diff --git a/lolrmm.com/content/rmm_tools/fixme.md b/lolrmm.com/content/rmm_tools/fixme.md index 88eecfaf..154a188f 100644 --- a/lolrmm.com/content/rmm_tools/fixme.md +++ b/lolrmm.com/content/rmm_tools/fixme.md @@ -23,6 +23,9 @@ FixMe is a remote monitoring and management (RMM) tool. More information will be #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -46,15 +49,15 @@ FixMe is a remote monitoring and management (RMM) tool. More information will be #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `fixme.it` - - +### Detections +- Detects potential network activity of FixMe RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme_network_sigma.yml) +- Detects potential processes activity of FixMe RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme_processes_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/fleetdeck.io.md b/lolrmm.com/content/rmm_tools/fleetdeck.io.md index d5ec6cf0..72526d46 100644 --- a/lolrmm.com/content/rmm_tools/fleetdeck.io.md +++ b/lolrmm.com/content/rmm_tools/fleetdeck.io.md @@ -23,6 +23,9 @@ FleetDeck.io is a remote monitoring and management (RMM) tool. More information #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -45,15 +48,15 @@ FleetDeck.io is a remote monitoring and management (RMM) tool. More information #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `fleetdeck.io` - - +### Detections +- Detects potential network activity of FleetDeck.io RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdeck.io_network_sigma.yml) +- Detects potential processes activity of FleetDeck.io RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdeck.io_processes_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/fleetdeck.md b/lolrmm.com/content/rmm_tools/fleetdeck.md index 015a5236..261f2e78 100644 --- a/lolrmm.com/content/rmm_tools/fleetdeck.md +++ b/lolrmm.com/content/rmm_tools/fleetdeck.md 
@@ -23,6 +23,9 @@ FleetDeck is a remote monitoring and management (RMM) tool. More information wil #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -41,15 +44,15 @@ FleetDeck is a remote monitoring and management (RMM) tool. More information wil #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `fleetdeck.io` - - +### Detections +- Detects potential network activity of FleetDeck RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdeck_network_sigma.yml) +- Detects potential processes activity of FleetDeck RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdeck_processes_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/fleetdesk.io.md b/lolrmm.com/content/rmm_tools/fleetdesk.io.md index 49fea2d1..9c355ef9 100644 --- a/lolrmm.com/content/rmm_tools/fleetdesk.io.md +++ b/lolrmm.com/content/rmm_tools/fleetdesk.io.md @@ -24,6 +24,9 @@ FleetDesk.io is a remote monitoring and management (RMM) tool. More information #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -46,17 +49,17 @@ FleetDesk.io is a remote monitoring and management (RMM) tool. More information #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*.fleetdeck.io` - `cognito-idp.us-west-2.amazonaws.com` - `fleetdeck.io` - - +### Detections +- Detects potential network activity of FleetDesk.io RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdesk.io_network_sigma.yml) +- Detects potential processes activity of FleetDesk.io RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdesk.io_processes_sigma.yml) ### References - [https://fleetdeck.io/faq/](https://fleetdeck.io/faq/) diff --git a/lolrmm.com/content/rmm_tools/fortra.md b/lolrmm.com/content/rmm_tools/fortra.md index 72e91828..96797f79 100644 --- a/lolrmm.com/content/rmm_tools/fortra.md +++ b/lolrmm.com/content/rmm_tools/fortra.md @@ -24,6 +24,9 @@ Fortra is a remote monitoring and management (RMM) tool. More information will b #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -40,15 +43,13 @@ Fortra is a remote monitoring and management (RMM) tool. More information will b #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `fortra.com` - - +### Detections +- Detects potential network activity of Fortra RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fortra_network_sigma.yml) ### References - [https://www.fortra.com - No free/cloud RMM softwars listed](https://www.fortra.com - No free/cloud RMM softwars listed) diff --git a/lolrmm.com/content/rmm_tools/free_ping_tool.md b/lolrmm.com/content/rmm_tools/free_ping_tool.md index 49c02174..6a7899a4 100644 --- a/lolrmm.com/content/rmm_tools/free_ping_tool.md +++ b/lolrmm.com/content/rmm_tools/free_ping_tool.md 
@@ -23,6 +23,9 @@ Free Ping Tool is a remote monitoring and management (RMM) tool. More informatio #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No diff --git a/lolrmm.com/content/rmm_tools/free_tools_launcher.md b/lolrmm.com/content/rmm_tools/free_tools_launcher.md index b251c60d..2c222117 100644 --- a/lolrmm.com/content/rmm_tools/free_tools_launcher.md +++ b/lolrmm.com/content/rmm_tools/free_tools_launcher.md @@ -23,6 +23,9 @@ Free Tools Launcher is a remote monitoring and management (RMM) tool. More infor #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No diff --git a/lolrmm.com/content/rmm_tools/freefilesync.md b/lolrmm.com/content/rmm_tools/freefilesync.md index 2b017ecd..a734ff0d 100644 --- a/lolrmm.com/content/rmm_tools/freefilesync.md +++ b/lolrmm.com/content/rmm_tools/freefilesync.md @@ -23,6 +23,9 @@ FreeFileSync is a remote monitoring and management (RMM) tool. More information #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -44,6 +47,9 @@ FreeFileSync is a remote monitoring and management (RMM) tool. More information +### Detections +- Detects potential processes activity of FreeFileSync RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/freefilesync_processes_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/freenx.md b/lolrmm.com/content/rmm_tools/freenx.md index 5e00f7e8..39336be2 100644 --- a/lolrmm.com/content/rmm_tools/freenx.md +++ b/lolrmm.com/content/rmm_tools/freenx.md @@ -23,6 +23,9 @@ FreeNX is a remote monitoring and management (RMM) tool. More information will b #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -43,6 +46,9 @@ FreeNX is a remote monitoring and management (RMM) tool. More information will b +### Detections +- Detects potential processes activity of FreeNX RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/freenx_processes_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/freerdp.md b/lolrmm.com/content/rmm_tools/freerdp.md index 6107e433..b30612cf 100644 --- a/lolrmm.com/content/rmm_tools/freerdp.md +++ b/lolrmm.com/content/rmm_tools/freerdp.md @@ -23,6 +23,9 @@ FreeRDP is a remote monitoring and management (RMM) tool. More information will #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No diff --git a/lolrmm.com/content/rmm_tools/gatherplace-desktop_sharing.md b/lolrmm.com/content/rmm_tools/gatherplace-desktop_sharing.md index b905f2bc..e22f90d2 100644 --- a/lolrmm.com/content/rmm_tools/gatherplace-desktop_sharing.md +++ b/lolrmm.com/content/rmm_tools/gatherplace-desktop_sharing.md @@ -24,6 +24,9 @@ GatherPlace-desktop sharing is a remote monitoring and management (RMM) tool. Mo #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -44,17 +47,17 @@ GatherPlace-desktop sharing is a remote monitoring and management (RMM) tool. Mo #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*.gatherplace.com` - `*.gatherplace.net` - `gatherplace.com` - - +### Detections +- Detects potential network activity of GatherPlace-desktop sharing RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gatherplace-desktop_sharing_network_sigma.yml) +- Detects potential processes activity of GatherPlace-desktop sharing RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gatherplace-desktop_sharing_processes_sigma.yml) ### References - [https://www.gatherplace.com/kb?id=136377](https://www.gatherplace.com/kb?id=136377) diff --git a/lolrmm.com/content/rmm_tools/getscreen.md b/lolrmm.com/content/rmm_tools/getscreen.md index de44575e..b6f59d25 100644 --- a/lolrmm.com/content/rmm_tools/getscreen.md +++ b/lolrmm.com/content/rmm_tools/getscreen.md @@ -24,6 +24,9 @@ GetScreen is a remote monitoring and management (RMM) tool. More information wil #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -43,17 +46,17 @@ GetScreen is a remote monitoring and management (RMM) tool. More information wil #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `getscreen.me` - `GetScreen.me` - `*.getscreen.me` - - +### Detections +- Detects potential network activity of GetScreen RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/getscreen_network_sigma.yml) +- Detects potential processes activity of GetScreen RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/getscreen_processes_sigma.yml) ### References - [https://docs.getscreen.me/self-hosted/system-requirements/](https://docs.getscreen.me/self-hosted/system-requirements/) diff --git a/lolrmm.com/content/rmm_tools/goodsync.md b/lolrmm.com/content/rmm_tools/goodsync.md index c891f697..c31231d3 100644 --- a/lolrmm.com/content/rmm_tools/goodsync.md +++ b/lolrmm.com/content/rmm_tools/goodsync.md @@ -23,6 +23,9 @@ GoodSync is a remote monitoring and management (RMM) tool. More information will #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -45,6 +48,9 @@ GoodSync is a remote monitoring and management (RMM) tool. More information will +### Detections +- Detects potential processes activity of GoodSync RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/goodsync_processes_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/google_drive.md b/lolrmm.com/content/rmm_tools/google_drive.md index 09aee015..b0531d91 100644 --- a/lolrmm.com/content/rmm_tools/google_drive.md +++ b/lolrmm.com/content/rmm_tools/google_drive.md @@ -23,6 +23,9 @@ Google Drive is a remote monitoring and management (RMM) tool. More information #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -46,6 +49,9 @@ Google Drive is a remote monitoring and management (RMM) tool. More information +### Detections +- Detects potential processes activity of Google Drive RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/google_drive_processes_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/goto_opener.md b/lolrmm.com/content/rmm_tools/goto_opener.md index fdd57917..0e8051b6 100644 --- a/lolrmm.com/content/rmm_tools/goto_opener.md +++ b/lolrmm.com/content/rmm_tools/goto_opener.md @@ -23,6 +23,9 @@ GoTo Opener is a remote monitoring and management (RMM) tool. More information w #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No diff --git a/lolrmm.com/content/rmm_tools/gotoassist.md b/lolrmm.com/content/rmm_tools/gotoassist.md index 0bb31d9a..7a3f76cb 100644 --- a/lolrmm.com/content/rmm_tools/gotoassist.md +++ b/lolrmm.com/content/rmm_tools/gotoassist.md @@ -24,6 +24,9 @@ GoToAssist is a remote monitoring and management (RMM) tool. More information wi #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -44,10 +47,7 @@ GoToAssist is a remote monitoring and management (RMM) tool. More information wi #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `goto.com` - `*.getgo.com` - `*.fastsupport.com` 
@@ -58,8 +58,11 @@ GoToAssist is a remote monitoring and management (RMM) tool. More information wi - `*.desktopstreaming.com` - - +### Detections +- Detects potential network activity of GoToAssist RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotoassist_network_sigma.yml) +- Detects potential processes activity of GoToAssist RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotoassist_processes_sigma.yml) ### References - [https://help.gotoassist.com/remote-support/help/what-should-i-allow-on-my-firewall-for-gotoassist-remote-support-v5](https://help.gotoassist.com/remote-support/help/what-should-i-allow-on-my-firewall-for-gotoassist-remote-support-v5) diff --git a/lolrmm.com/content/rmm_tools/gotoassist__goto_resolve_.md b/lolrmm.com/content/rmm_tools/gotoassist__goto_resolve_.md index 8aeda2f7..cb2efa61 100644 --- a/lolrmm.com/content/rmm_tools/gotoassist__goto_resolve_.md +++ b/lolrmm.com/content/rmm_tools/gotoassist__goto_resolve_.md @@ -23,6 +23,9 @@ GoToAssist (GoTo Resolve) is a remote monitoring and management (RMM) tool. More #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No diff --git a/lolrmm.com/content/rmm_tools/gotoassist_agent_desktop_console.md b/lolrmm.com/content/rmm_tools/gotoassist_agent_desktop_console.md index 71d2dcad..e28aecde 100644 --- a/lolrmm.com/content/rmm_tools/gotoassist_agent_desktop_console.md +++ b/lolrmm.com/content/rmm_tools/gotoassist_agent_desktop_console.md @@ -23,6 +23,9 @@ GoToAssist Agent Desktop Console is a remote monitoring and management (RMM) too #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No diff --git a/lolrmm.com/content/rmm_tools/gotohttp.md b/lolrmm.com/content/rmm_tools/gotohttp.md index 8c2608cb..354ed70d 100644 --- a/lolrmm.com/content/rmm_tools/gotohttp.md +++ b/lolrmm.com/content/rmm_tools/gotohttp.md 
@@ -24,6 +24,9 @@ GotoHTTP is a remote monitoring and management (RMM) tool. More information will #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -44,16 +47,16 @@ GotoHTTP is a remote monitoring and management (RMM) tool. More information will #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*.gotohttp.com` - `gotohttp.com` - - +### Detections +- Detects potential network activity of GotoHTTP RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotohttp_network_sigma.yml) +- Detects potential processes activity of GotoHTTP RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotohttp_processes_sigma.yml) ### References - [https://gotohttp.com/goto/help.12x](https://gotohttp.com/goto/help.12x) diff --git a/lolrmm.com/content/rmm_tools/gotomypc.md b/lolrmm.com/content/rmm_tools/gotomypc.md index cb296286..83845973 100644 --- a/lolrmm.com/content/rmm_tools/gotomypc.md +++ b/lolrmm.com/content/rmm_tools/gotomypc.md @@ -66,6 +66,8 @@ GoToMyPC is a remote monitoring and management (RMM) tool. More information will - **Filename**: gopcsrv.exe - **Filename**: GoToScrUtils.exe - **Filename**: GoTo.exe +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -81,42 +83,35 @@ GoToMyPC is a remote monitoring and management (RMM) tool. More information will ### Forensic Artifacts #### Disk Artifacts - - **File**: `%AppData%\GoTo\Logs\goto.log` - **Description**: N/A - - **OS**: Windows - #### Registry Artifacts - **Path**: `HKEY_LOCAL_MACHINE\WOW6432Node\Citrix\GoToMyPc` **Description**: Configuration settings including registration email - - **Path**: `HKEY_LOCAL_MACHINE\WOW6432Node\Citrix\GoToMyPc\GuestInvite` **Description**: Guest invites send to connect - - **Path**: `HKEY_CURRENT_USER\SOFTWARE\Citrix\GoToMyPc\FileTransfer\history` **Description**: hostname of the computer making connections and location of transferred files - - **Path**: `HKEY_USERS\\SOFTWARE\Citrix\GoToMyPc\FileTransfer\history` **Description**: hostname of the computer making connections and location of transferred files - #### Network Artifacts - -- **Description**: N/A - - **Domains**: +- **Description**: N/A **Domains**: - `*.GoToMyPC.com` - **Ports**: - `N/A` - +### Detections +- Detects potential registry activity of GoToMyPC RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_registry_sigma.yml) +- Detects potential network activity of GoToMyPC RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_network_sigma.yml) +- Detects potential files activity of GoToMyPC RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_files_sigma.yml) ### References - [https://support.logmeininc.com/gotomypc/help/what-are-the-optimal-firewall-configurations#](https://support.logmeininc.com/gotomypc/help/what-are-the-optimal-firewall-configurations#) diff --git a/lolrmm.com/content/rmm_tools/goverlan.md b/lolrmm.com/content/rmm_tools/goverlan.md index 983e4372..c11ca4b0 100644 --- a/lolrmm.com/content/rmm_tools/goverlan.md +++ b/lolrmm.com/content/rmm_tools/goverlan.md 
@@ -24,6 +24,9 @@ Goverlan is a remote monitoring and management (RMM) tool. More information will #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -49,16 +52,16 @@ Goverlan is a remote monitoring and management (RMM) tool. More information will #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `user_managed` - `goverlan.com` - - +### Detections +- Detects potential network activity of Goverlan RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/goverlan_network_sigma.yml) +- Detects potential processes activity of Goverlan RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/goverlan_processes_sigma.yml) ### References - [https://www.goverlan.com/pdf/Goverlan-Remote-Control-Software.pdf](https://www.goverlan.com/pdf/Goverlan-Remote-Control-Software.pdf) diff --git a/lolrmm.com/content/rmm_tools/guacamole.md b/lolrmm.com/content/rmm_tools/guacamole.md index 83a2873b..3534c8be 100644 --- a/lolrmm.com/content/rmm_tools/guacamole.md +++ b/lolrmm.com/content/rmm_tools/guacamole.md @@ -24,6 +24,9 @@ Guacamole is a remote monitoring and management (RMM) tool. More information wil #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -42,16 +45,16 @@ Guacamole is a remote monitoring and management (RMM) tool. More information wil #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `user_managed` - `guacamole.apache.org` - - +### Detections +- Detects potential network activity of Guacamole RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/guacamole_network_sigma.yml) +- Detects potential processes activity of Guacamole RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/guacamole_processes_sigma.yml) ### References - [guacamole.apache.org](guacamole.apache.org) diff --git a/lolrmm.com/content/rmm_tools/helpbeam.md b/lolrmm.com/content/rmm_tools/helpbeam.md index 6bf596cf..00b36acc 100644 --- a/lolrmm.com/content/rmm_tools/helpbeam.md +++ b/lolrmm.com/content/rmm_tools/helpbeam.md @@ -24,6 +24,9 @@ HelpBeam is a remote monitoring and management (RMM) tool. More information will #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -42,15 +45,15 @@ HelpBeam is a remote monitoring and management (RMM) tool. More information will #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `helpbeam.software.informer.com` - - +### Detections +- Detects potential network activity of HelpBeam RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpbeam_network_sigma.yml) +- Detects potential processes activity of HelpBeam RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpbeam_processes_sigma.yml) ### References - [https://www.helpbeam.com domain for sale in 2024](https://www.helpbeam.com domain for sale in 2024) 
diff --git a/lolrmm.com/content/rmm_tools/helpu.md b/lolrmm.com/content/rmm_tools/helpu.md index c4700979..51fe6cfb 100644 --- a/lolrmm.com/content/rmm_tools/helpu.md +++ b/lolrmm.com/content/rmm_tools/helpu.md @@ -24,6 +24,9 @@ HelpU is a remote monitoring and management (RMM) tool. More information will be #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -44,16 +47,16 @@ HelpU is a remote monitoring and management (RMM) tool. More information will be #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `helpu.co.kr` - `*.helpu.co.kr` - - +### Detections +- Detects potential network activity of HelpU RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpu_network_sigma.yml) +- Detects potential processes activity of HelpU RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpu_processes_sigma.yml) ### References - [https://helpu.co.kr/](https://helpu.co.kr/) diff --git a/lolrmm.com/content/rmm_tools/i'm_intouch.md b/lolrmm.com/content/rmm_tools/i'm_intouch.md index 3989a4f6..639314ab 100644 --- a/lolrmm.com/content/rmm_tools/i'm_intouch.md +++ b/lolrmm.com/content/rmm_tools/i'm_intouch.md @@ -24,6 +24,9 @@ I'm InTouch is a remote monitoring and management (RMM) tool. More information w #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -44,16 +47,16 @@ I'm InTouch is a remote monitoring and management (RMM) tool. More information w #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*.01com.com` - `01com.com/imintouch-remote-pc-desktop` - - +### Detections +- Detects potential network activity of I'm InTouch RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/i'm_intouch_network_sigma.yml) +- Detects potential processes activity of I'm InTouch RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/i'm_intouch_processes_sigma.yml) ### References - [https://www.01com.com/mobile/imintouch-remote-pc-desktop/faqs/remote-access/](https://www.01com.com/mobile/imintouch-remote-pc-desktop/faqs/remote-access/) diff --git a/lolrmm.com/content/rmm_tools/impero_connect.md b/lolrmm.com/content/rmm_tools/impero_connect.md index c844652d..fd80173e 100644 --- a/lolrmm.com/content/rmm_tools/impero_connect.md +++ b/lolrmm.com/content/rmm_tools/impero_connect.md @@ -23,6 +23,9 @@ Impero Connect is a remote monitoring and management (RMM) tool. More informatio #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -41,15 +44,15 @@ Impero Connect is a remote monitoring and management (RMM) tool. More informatio #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `imperosoftware.com` - - +### Detections +- Detects potential network activity of Impero Connect RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/impero_connect_network_sigma.yml) +- Detects potential processes activity of Impero Connect RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/impero_connect_processes_sigma.yml) 
diff --git a/lolrmm.com/content/rmm_tools/instant_housecall.md b/lolrmm.com/content/rmm_tools/instant_housecall.md index b1786242..20576fae 100644 --- a/lolrmm.com/content/rmm_tools/instant_housecall.md +++ b/lolrmm.com/content/rmm_tools/instant_housecall.md @@ -24,6 +24,9 @@ Instant Housecall is a remote monitoring and management (RMM) tool. More informa #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -45,18 +48,18 @@ Instant Housecall is a remote monitoring and management (RMM) tool. More informa #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*.instanthousecall.com` - `secure.instanthousecall.com` - `*.instanthousecall.net` - `instanthousecall.com` - - +### Detections +- Detects potential network activity of Instant Housecall RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_network_sigma.yml) +- Detects potential processes activity of Instant Housecall RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_processes_sigma.yml) ### References - [https://instanthousecall.com/features/](https://instanthousecall.com/features/) diff --git a/lolrmm.com/content/rmm_tools/insync.md b/lolrmm.com/content/rmm_tools/insync.md index e74ac45f..652318f9 100644 --- a/lolrmm.com/content/rmm_tools/insync.md +++ b/lolrmm.com/content/rmm_tools/insync.md @@ -23,6 +23,9 @@ Insync is a remote monitoring and management (RMM) tool. More information will b #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -44,6 +47,9 @@ Insync is a remote monitoring and management (RMM) tool. More information will b +### Detections +- Detects potential processes activity of Insync RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/insync_processes_sigma.yml) 
diff --git a/lolrmm.com/content/rmm_tools/intelliadmin_remote_control.md b/lolrmm.com/content/rmm_tools/intelliadmin_remote_control.md index f2fc4a93..6214db48 100644 --- a/lolrmm.com/content/rmm_tools/intelliadmin_remote_control.md +++ b/lolrmm.com/content/rmm_tools/intelliadmin_remote_control.md @@ -24,6 +24,9 @@ IntelliAdmin Remote Control is a remote monitoring and management (RMM) tool. Mo #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -46,17 +49,17 @@ IntelliAdmin Remote Control is a remote monitoring and management (RMM) tool. Mo #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `user_managed` - `*.intelliadmin.com` - `intelliadmin.com/remote-control` - - +### Detections +- Detects potential network activity of IntelliAdmin Remote Control RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/intelliadmin_remote_control_network_sigma.yml) +- Detects potential processes activity of IntelliAdmin Remote Control RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/intelliadmin_remote_control_processes_sigma.yml) ### References - [intelliadmin.com/remote-control](intelliadmin.com/remote-control) diff --git a/lolrmm.com/content/rmm_tools/iperius_remote.md b/lolrmm.com/content/rmm_tools/iperius_remote.md index 09b4a359..1e5bddd7 100644 --- a/lolrmm.com/content/rmm_tools/iperius_remote.md +++ b/lolrmm.com/content/rmm_tools/iperius_remote.md @@ -24,6 +24,9 @@ Iperius Remote is a remote monitoring and management (RMM) tool. More informatio #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -43,18 +46,18 @@ Iperius Remote is a remote monitoring and management (RMM) tool. More informatio #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*.iperiusremote.com` - `*.iperius.com` - `*.iperius-rs.com` - `iperiusremote.com` - - +### Detections +- Detects potential network activity of Iperius Remote RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/iperius_remote_network_sigma.yml) +- Detects potential processes activity of Iperius Remote RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/iperius_remote_processes_sigma.yml) ### References - [https://www.iperiusremote.com/download-iperius-remote-desktop-windows.aspx](https://www.iperiusremote.com/download-iperius-remote-desktop-windows.aspx) diff --git a/lolrmm.com/content/rmm_tools/isl_light.md b/lolrmm.com/content/rmm_tools/isl_light.md index c660aa3a..c9e86dad 100644 --- a/lolrmm.com/content/rmm_tools/isl_light.md +++ b/lolrmm.com/content/rmm_tools/isl_light.md @@ -23,6 +23,9 @@ ISL Light is a remote monitoring and management (RMM) tool. More information wil #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -43,15 +46,15 @@ ISL Light is a remote monitoring and management (RMM) tool. More information wil #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `islonline.com` - - +### Detections +- Detects potential network activity of ISL Light RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_light_network_sigma.yml) +- Detects potential processes activity of ISL Light RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_light_processes_sigma.yml) 
diff --git a/lolrmm.com/content/rmm_tools/isl_online.md b/lolrmm.com/content/rmm_tools/isl_online.md index db72f357..60bd8910 100644 --- a/lolrmm.com/content/rmm_tools/isl_online.md +++ b/lolrmm.com/content/rmm_tools/isl_online.md @@ -24,6 +24,9 @@ ISL Online is a remote monitoring and management (RMM) tool. More information wi #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -48,16 +51,16 @@ ISL Online is a remote monitoring and management (RMM) tool. More information wi #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*.islonline.com` - `*.islonline.net` - - +### Detections +- Detects potential network activity of ISL Online RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_network_sigma.yml) +- Detects potential processes activity of ISL Online RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_processes_sigma.yml) ### References - [https://help.islonline.com/19818/165940](https://help.islonline.com/19818/165940) diff --git a/lolrmm.com/content/rmm_tools/itarian.md b/lolrmm.com/content/rmm_tools/itarian.md index a635a6b8..4b4cb7db 100644 --- a/lolrmm.com/content/rmm_tools/itarian.md +++ b/lolrmm.com/content/rmm_tools/itarian.md @@ -24,6 +24,9 @@ Itarian is a remote monitoring and management (RMM) tool. More information will #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -51,10 +54,7 @@ Itarian is a remote monitoring and management (RMM) tool. More information will #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `mdmsupport.comodo.com` - `*.itsm-us1.comodo.com` - `*.cmdm.comodo.com` 
@@ -62,8 +62,11 @@ Itarian is a remote monitoring and management (RMM) tool. More information will - `servicedesk.itarian.com` - - +### Detections +- Detects potential network activity of Itarian RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itarian_network_sigma.yml) +- Detects potential processes activity of Itarian RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itarian_processes_sigma.yml) ### References - [https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html](https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html) diff --git a/lolrmm.com/content/rmm_tools/itsupport247__connectwise_.md b/lolrmm.com/content/rmm_tools/itsupport247__connectwise_.md index c1515597..7a863e08 100644 --- a/lolrmm.com/content/rmm_tools/itsupport247__connectwise_.md +++ b/lolrmm.com/content/rmm_tools/itsupport247__connectwise_.md @@ -24,6 +24,9 @@ ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. Mor #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -42,16 +45,16 @@ ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. Mor #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*.itsupport247.net` - `itsupport247.net` - - +### Detections +- Detects potential network activity of ITSupport247 (ConnectWise) RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__network_sigma.yml) +- Detects potential processes activity of ITSupport247 (ConnectWise) RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__processes_sigma.yml) ### References - [https://control.itsupport247.net/](https://control.itsupport247.net/) diff --git a/lolrmm.com/content/rmm_tools/ivanti_remote_control.md b/lolrmm.com/content/rmm_tools/ivanti_remote_control.md index 2fcbf762..9c66661b 100644 --- a/lolrmm.com/content/rmm_tools/ivanti_remote_control.md +++ b/lolrmm.com/content/rmm_tools/ivanti_remote_control.md @@ -24,6 +24,9 @@ Ivanti Remote Control is a remote monitoring and management (RMM) tool. More inf #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -44,15 +47,15 @@ Ivanti Remote Control is a remote monitoring and management (RMM) tool. More inf #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*.ivanticloud.com` - - +### Detections +- Detects potential network activity of Ivanti Remote Control RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ivanti_remote_control_network_sigma.yml) +- Detects potential processes activity of Ivanti Remote Control RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ivanti_remote_control_processes_sigma.yml) ### References - [https://rc1.ivanticloud.com/](https://rc1.ivanticloud.com/) diff --git a/lolrmm.com/content/rmm_tools/jollysfastvnc.md b/lolrmm.com/content/rmm_tools/jollysfastvnc.md index c29b7c6c..cb4861b7 100644 --- a/lolrmm.com/content/rmm_tools/jollysfastvnc.md +++ b/lolrmm.com/content/rmm_tools/jollysfastvnc.md @@ -23,6 +23,9 @@ JollysFastVNC is a remote monitoring and management (RMM) tool. More information #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No diff --git a/lolrmm.com/content/rmm_tools/jump_cloud.md b/lolrmm.com/content/rmm_tools/jump_cloud.md index 84faf39b..7c31cfce 100644 --- a/lolrmm.com/content/rmm_tools/jump_cloud.md +++ b/lolrmm.com/content/rmm_tools/jump_cloud.md @@ -24,6 +24,9 @@ Jump Cloud is a remote monitoring and management (RMM) tool. More information wi #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -42,16 +45,14 @@ Jump Cloud is a remote monitoring and management (RMM) tool. More information wi #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*.api.jumpcloud.com` - `*.assist.jumpcloud.com` - - +### Detections +- Detects potential network activity of Jump Cloud RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_cloud_network_sigma.yml) ### References - [https://jumpcloud.com/support/understand-remote-assist-agent](https://jumpcloud.com/support/understand-remote-assist-agent) diff --git a/lolrmm.com/content/rmm_tools/jump_desktop.md b/lolrmm.com/content/rmm_tools/jump_desktop.md index 3c5709bf..26476fba 100644 --- a/lolrmm.com/content/rmm_tools/jump_desktop.md +++ b/lolrmm.com/content/rmm_tools/jump_desktop.md @@ -24,6 +24,9 @@ Jump Desktop is a remote monitoring and management (RMM) tool. More information #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -46,18 +49,18 @@ Jump Desktop is a remote monitoring and management (RMM) tool. More information #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*.jumpdesktop.com` - `jumpdesktop.com` - `jumpto.me` - `*.jumpto.me` - - +### Detections +- Detects potential network activity of Jump Desktop RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_desktop_network_sigma.yml) +- Detects potential processes activity of Jump Desktop RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_desktop_processes_sigma.yml) ### References - [https://support.jumpdesktop.com/hc/en-us/articles/360042490351-Administrators-Guide-For-Jump-Desktop-Connect](https://support.jumpdesktop.com/hc/en-us/articles/360042490351-Administrators-Guide-For-Jump-Desktop-Connect) 
diff --git a/lolrmm.com/content/rmm_tools/kabuto.md b/lolrmm.com/content/rmm_tools/kabuto.md index 1ed8df74..bb78deee 100644 --- a/lolrmm.com/content/rmm_tools/kabuto.md +++ b/lolrmm.com/content/rmm_tools/kabuto.md @@ -24,6 +24,9 @@ Kabuto is a remote monitoring and management (RMM) tool. More information will b #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -42,16 +45,16 @@ Kabuto is a remote monitoring and management (RMM) tool. More information will b #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*.kabuto.io` - `repairtechsolutions.com/kabuto/` - - +### Detections +- Detects potential network activity of Kabuto RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kabuto_network_sigma.yml) +- Detects potential processes activity of Kabuto RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kabuto_processes_sigma.yml) ### References - [https://www.repairtechsolutions.com/documentation/kabuto/](https://www.repairtechsolutions.com/documentation/kabuto/) diff --git a/lolrmm.com/content/rmm_tools/kaseya__vsa_.md b/lolrmm.com/content/rmm_tools/kaseya__vsa_.md index 3edebd73..0c9a6548 100644 --- a/lolrmm.com/content/rmm_tools/kaseya__vsa_.md +++ b/lolrmm.com/content/rmm_tools/kaseya__vsa_.md @@ -30,6 +30,8 @@ Kaseya (VSA) aka Unigma is a remote monitoring and management (RMM) tool. More i - **Filename**: agentmon.exe - **Filename**: KaUpdHlp.exe - **Filename**: KaUsrTsk.exe +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -46,134 +48,69 @@ Kaseya (VSA) aka Unigma is a remote monitoring and management (RMM) tool. More i ### Forensic Artifacts #### Disk Artifacts - - **File**: `%localappdata%\Kaseya\Log\KaseyaLiveConnect\*` - **Description**: Kaseya Live Connect logs - - **OS**: Windows - - **File**: `~/Library/Logs/com.kaseya/KaseyaLiveConnect/*` - **Description**: Kaseya Live Connect logs - - **OS**: MacOS - - **File**: `C:\ProgramData\Kaseya\Log\Endpoint\*` - **Description**: Kaseya Endpoint logs - - **OS**: Windows - - **File**: `C:\Program Files*\Kaseya\*\agentmon.log` - **Description**: Kaseya Agent Monitor log - - - - **File**: `/var/log/system.log` - **Description**: Kaseya Agent Monitor log - - **OS**: MacOS 32bit - - **File**: ` ~/opt/kaseya/*/logs*` - **Description**: Kaseya Agent Monitor log - - **OS**: MacOS 64bit - - **File**: `C:\Users\*\AppData\Local\Temp\KASetup.log` - **Description**: Kaseya Setup log in user temp directory - - **OS**: Windows - - **File**: `C:\Windows\Temp\KASetup.log` - **Description**: Kaseya Setup log in Windows temp directory - - **OS**: Windows - - **File**: `C:\ProgramData\Kaseya\Log\KaseyaEdgeServices\*` - **Description**: Kaseya Edge Services logs - - **OS**: Windows - - **File**: `C:\Kaseya\api\v1.0\logs\` - **Description**: Kaseya API logs - - **OS**: Windows - - **File**: `C:\Kaseya\api\v1.5\endpoint\logs` - **Description**: Kaseya API logs - - **OS**: Windows - - **File**: `C:\Kaseya\api\v1.5\endpoints\logs` - **Description**: Kaseya API logs - - **OS**: Windows - - **File**: `C:\Windows\System32\config\systemprofile\AppData\Local\Kaseya\Log\MakeSelfSignedCert.exe\` - **Description**: Certificate creation - - **OS**: Windows - - **File**: `C:\Kaseya\WebPages\install\makecert.txt` - **Description**: Certificate creation - - **OS**: Windows - - **File**: `C:\ProgramData\Kaseya\Log\Endpoint\Instance_*\KaseyaEndpoint*` - **Description**: Endpoint service logs - - **OS**: Windows - - **File**: 
`C:\ProgramData\Kaseya\Log\Endpoint\Instance_*\Session_*` - **Description**: Session logs - - **OS**: Windows - #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `deploy01.kaseya.com` - `*managedsupport.kaseya.net` - `*.kaseya.net` - `kaseya.com` - - +### Detections +- Detects potential network activity of Kaseya (VSA) RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kaseya__vsa__network_sigma.yml) +- Detects potential files activity of Kaseya (VSA) RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kaseya__vsa__files_sigma.yml) ### References - [https://helpdesk.kaseya.com/hc/en-gb/articles/229012608-Software-Deployment-URL-Port-Requirements](https://helpdesk.kaseya.com/hc/en-gb/articles/229012608-Software-Deployment-URL-Port-Requirements) diff --git a/lolrmm.com/content/rmm_tools/khelpdesk.md b/lolrmm.com/content/rmm_tools/khelpdesk.md index f0b2165b..d2bc918f 100644 --- a/lolrmm.com/content/rmm_tools/khelpdesk.md +++ b/lolrmm.com/content/rmm_tools/khelpdesk.md @@ -24,6 +24,9 @@ KHelpDesk is a remote monitoring and management (RMM) tool. More information wil #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -42,15 +45,15 @@ KHelpDesk is a remote monitoring and management (RMM) tool. More information wil #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*.khelpdesk.com.br` - - +### Detections +- Detects potential network activity of KHelpDesk RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/khelpdesk_network_sigma.yml) +- Detects potential processes activity of KHelpDesk RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/khelpdesk_processes_sigma.yml) ### References - [https://www.khelpdesk.com.br/en-us](https://www.khelpdesk.com.br/en-us) diff --git a/lolrmm.com/content/rmm_tools/kickidler.md b/lolrmm.com/content/rmm_tools/kickidler.md index 63671b13..e111a22b 100644 --- a/lolrmm.com/content/rmm_tools/kickidler.md +++ b/lolrmm.com/content/rmm_tools/kickidler.md @@ -24,6 +24,9 @@ KickIdler is a remote monitoring and management (RMM) tool. More information wil #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -43,16 +46,14 @@ KickIdler is a remote monitoring and management (RMM) tool. More information wil #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `kickidler.com` - `my.kickidler.com` - - +### Detections +- Detects potential network activity of KickIdler RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kickidler_network_sigma.yml) ### References - [https://www.kickidler.com/for-it/faq/](https://www.kickidler.com/for-it/faq/) diff --git a/lolrmm.com/content/rmm_tools/kitty.md b/lolrmm.com/content/rmm_tools/kitty.md index 587ddb5d..2ac8c3c2 100644 --- a/lolrmm.com/content/rmm_tools/kitty.md +++ b/lolrmm.com/content/rmm_tools/kitty.md 
@@ -23,6 +23,9 @@ KiTTY is a remote monitoring and management (RMM) tool. More information will be #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -43,6 +46,9 @@ KiTTY is a remote monitoring and management (RMM) tool. More information will be +### Detections +- Detects potential processes activity of KiTTY RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kitty_processes_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/koofr.md b/lolrmm.com/content/rmm_tools/koofr.md index c899d3f9..966e3a70 100644 --- a/lolrmm.com/content/rmm_tools/koofr.md +++ b/lolrmm.com/content/rmm_tools/koofr.md @@ -23,6 +23,9 @@ Koofr is a remote monitoring and management (RMM) tool. More information will be #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No diff --git a/lolrmm.com/content/rmm_tools/labteach__connectwise_automate_.md b/lolrmm.com/content/rmm_tools/labteach__connectwise_automate_.md index efce90da..bf326955 100644 --- a/lolrmm.com/content/rmm_tools/labteach__connectwise_automate_.md +++ b/lolrmm.com/content/rmm_tools/labteach__connectwise_automate_.md @@ -23,6 +23,9 @@ LabTeach (Connectwise Automate) is a remote monitoring and management (RMM) tool #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -42,6 +45,9 @@ LabTeach (Connectwise Automate) is a remote monitoring and management (RMM) tool +### Detections +- Detects potential processes activity of LabTeach (Connectwise Automate) RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labteach__connectwise_automate__processes_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/labtech_rmm__now_connectwise_automate_.md b/lolrmm.com/content/rmm_tools/labtech_rmm__now_connectwise_automate_.md index 7dc1d70f..c1bacd5a 100644 --- a/lolrmm.com/content/rmm_tools/labtech_rmm__now_connectwise_automate_.md 
+++ b/lolrmm.com/content/rmm_tools/labtech_rmm__now_connectwise_automate_.md @@ -23,6 +23,9 @@ LabTech RMM (Now ConnectWise Automate) is a remote monitoring and management (RM #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -43,15 +46,15 @@ LabTech RMM (Now ConnectWise Automate) is a remote monitoring and management (RM #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `connectwise.com` - - +### Detections +- Detects potential network activity of LabTech RMM (Now ConnectWise Automate) RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labtech_rmm__now_connectwise_automate__network_sigma.yml) +- Detects potential processes activity of LabTech RMM (Now ConnectWise Automate) RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labtech_rmm__now_connectwise_automate__processes_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/landesk.md b/lolrmm.com/content/rmm_tools/landesk.md index b90de9d9..08a65e30 100644 --- a/lolrmm.com/content/rmm_tools/landesk.md +++ b/lolrmm.com/content/rmm_tools/landesk.md @@ -24,6 +24,9 @@ LANDesk is a remote monitoring and management (RMM) tool. More information will #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -51,17 +54,17 @@ LANDesk is a remote monitoring and management (RMM) tool. More information will #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*.ivanticloud.com` - `*.ivanti.com` - `ivanti.com` - - +### Detections +- Detects potential network activity of LANDesk RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/landesk_network_sigma.yml) +- Detects potential processes activity of LANDesk RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/landesk_processes_sigma.yml) ### References - [https://forums.ivanti.com/s/article/URL-exception-list-for-Ivanti-Security-Controls?language=en_US](https://forums.ivanti.com/s/article/URL-exception-list-for-Ivanti-Security-Controls?language=en_US) diff --git a/lolrmm.com/content/rmm_tools/laplink_everywhere.md b/lolrmm.com/content/rmm_tools/laplink_everywhere.md index 5f2bf909..06ff8f84 100644 --- a/lolrmm.com/content/rmm_tools/laplink_everywhere.md +++ b/lolrmm.com/content/rmm_tools/laplink_everywhere.md @@ -24,6 +24,9 @@ Laplink Everywhere is a remote monitoring and management (RMM) tool. More inform #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -47,17 +50,17 @@ Laplink Everywhere is a remote monitoring and management (RMM) tool. More inform #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `everywhere.laplink.com` - `le.laplink.com` - `atled.syspectr.com` - - +### Detections +- Detects potential network activity of Laplink Everywhere RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_everywhere_network_sigma.yml) +- Detects potential processes activity of Laplink Everywhere RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_everywhere_processes_sigma.yml) ### References - [https://everywhere.laplink.com/docs](https://everywhere.laplink.com/docs) diff --git a/lolrmm.com/content/rmm_tools/laplink_gold.md b/lolrmm.com/content/rmm_tools/laplink_gold.md index a058d551..375bde8e 100644 --- a/lolrmm.com/content/rmm_tools/laplink_gold.md +++ b/lolrmm.com/content/rmm_tools/laplink_gold.md @@ -24,6 +24,9 @@ Laplink Gold is a remote monitoring and management (RMM) tool. More information #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -43,16 +46,16 @@ Laplink Gold is a remote monitoring and management (RMM) tool. More information #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `user_managed` - `wen.laplink.com/product/laplink-gold` - - +### Detections +- Detects potential network activity of Laplink Gold RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_gold_network_sigma.yml) +- Detects potential processes activity of Laplink Gold RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_gold_processes_sigma.yml) ### References - [wen.laplink.com/product/laplink-gold](wen.laplink.com/product/laplink-gold) diff --git a/lolrmm.com/content/rmm_tools/level.io.md b/lolrmm.com/content/rmm_tools/level.io.md index 67570cfc..71a68f4c 100644 --- a/lolrmm.com/content/rmm_tools/level.io.md +++ b/lolrmm.com/content/rmm_tools/level.io.md @@ -24,6 +24,9 @@ Level.io is a remote monitoring and management (RMM) tool. More information will #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -44,16 +47,16 @@ Level.io is a remote monitoring and management (RMM) tool. More information will #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `level.io` - `*.level.io` - - +### Detections +- Detects potential network activity of Level.io RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_network_sigma.yml) +- Detects potential processes activity of Level.io RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_processes_sigma.yml) ### References - [https://docs.level.io/1.0/admin-guides/troubleshooting-agent-issues](https://docs.level.io/1.0/admin-guides/troubleshooting-agent-issues) 
diff --git a/lolrmm.com/content/rmm_tools/level.md b/lolrmm.com/content/rmm_tools/level.md index 17147fa3..92383707 100644 --- a/lolrmm.com/content/rmm_tools/level.md +++ b/lolrmm.com/content/rmm_tools/level.md @@ -23,6 +23,9 @@ Level is a remote monitoring and management (RMM) tool. More information will be #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -39,15 +42,13 @@ Level is a remote monitoring and management (RMM) tool. More information will be #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `level.io` - - +### Detections +- Detects potential network activity of Level RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level_network_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/lite_manager.md b/lolrmm.com/content/rmm_tools/lite_manager.md index bc5cb0cf..2378145a 100644 --- a/lolrmm.com/content/rmm_tools/lite_manager.md +++ b/lolrmm.com/content/rmm_tools/lite_manager.md @@ -23,6 +23,9 @@ Lite Manager is a remote monitoring and management (RMM) tool. More information #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No diff --git a/lolrmm.com/content/rmm_tools/litemanager.md b/lolrmm.com/content/rmm_tools/litemanager.md index d07c7f77..3272afb7 100644 --- a/lolrmm.com/content/rmm_tools/litemanager.md +++ b/lolrmm.com/content/rmm_tools/litemanager.md @@ -24,6 +24,9 @@ LiteManager is a remote monitoring and management (RMM) tool. More information w #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -47,17 +50,17 @@ LiteManager is a remote monitoring and management (RMM) tool. More information w #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*.litemanager.ru` - `*.litemanager.com` - `litemanager.com` - - +### Detections +- Detects potential network activity of LiteManager RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/litemanager_network_sigma.yml) +- Detects potential processes activity of LiteManager RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/litemanager_processes_sigma.yml) ### References - [https://www.litemanager.com/articles/LiteManager_remote_access_to_a_desktop_via_the_Internet_or_LAN/](https://www.litemanager.com/articles/LiteManager_remote_access_to_a_desktop_via_the_Internet_or_LAN/) diff --git a/lolrmm.com/content/rmm_tools/logmein.md b/lolrmm.com/content/rmm_tools/logmein.md index 986da9b0..5936efe6 100644 --- a/lolrmm.com/content/rmm_tools/logmein.md +++ b/lolrmm.com/content/rmm_tools/logmein.md @@ -32,6 +32,8 @@ LogMeIn is a remote monitoring and management (RMM) tool. More information will - **Filename**: lmiignition.exe - **Filename**: logmeinsystray.exe - **Filename**: logmein.exe +- **OriginalFileName**: +- **Company**: LogMeIn, Inc. - **Description**: LMIGuardianSvc - **Product**: LMIGuardianSvc 
@@ -50,62 +52,35 @@ LogMeIn is a remote monitoring and management (RMM) tool. More information will #### Network Artifacts - -- **Description**: N/A - - **Domains**: +- **Description**: N/A **Domains**: - `logmein-gateway.com` - **Ports**: - `443` - -- **Description**: N/A - - **Domains**: +- **Description**: N/A **Domains**: - `*.logmein.com` - **Ports**: - `443` - -- **Description**: N/A - - **Domains**: +- **Description**: N/A **Domains**: - `*.logmein.eu` - **Ports**: - `443` - -- **Description**: N/A - - **Domains**: +- **Description**: N/A **Domains**: - `logmeinrescue.com` - **Ports**: - `443` - -- **Description**: N/A - - **Domains**: +- **Description**: N/A **Domains**: - `*.logmeininc.com` - **Ports**: - `443` - ### Detections -- [Sigma rule](https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml) - - DNS Query To Remote Access Software Domain From Non-Browser App - - - -- [Sigma rule](https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_remote_access_tools_logmein.yml) - - Remote Access Tool - LogMeIn Execution - - - +- DNS Query To Remote Access Software Domain From Non-Browser App + - [Sigma Rule](https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml) +- Remote Access Tool - LogMeIn Execution + - [Sigma Rule](https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_remote_access_tools_logmein.yml) +- Detects potential network activity of LogMeIn RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_network_sigma.yml) ### References - 
[https://support.logmeininc.com/central/help/allowlisting-and-firewall-configuration](https://support.logmeininc.com/central/help/allowlisting-and-firewall-configuration) diff --git a/lolrmm.com/content/rmm_tools/logmein_rescue.md b/lolrmm.com/content/rmm_tools/logmein_rescue.md index d4b17dcb..62f409eb 100644 --- a/lolrmm.com/content/rmm_tools/logmein_rescue.md +++ b/lolrmm.com/content/rmm_tools/logmein_rescue.md @@ -24,6 +24,9 @@ LogMeIn rescue is a remote monitoring and management (RMM) tool. More informatio #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -44,17 +47,17 @@ LogMeIn rescue is a remote monitoring and management (RMM) tool. More informatio #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*.logmeinrescue.com` - `*.logmeinrescue.eu` - `logmeinrescue.com` - - +### Detections +- Detects potential network activity of LogMeIn rescue RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_rescue_network_sigma.yml) +- Detects potential processes activity of LogMeIn rescue RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_rescue_processes_sigma.yml) ### References - [https://support.logmeinrescue.com/rescue/help/allowlisting-and-rescue](https://support.logmeinrescue.com/rescue/help/allowlisting-and-rescue) diff --git a/lolrmm.com/content/rmm_tools/manage_engine__desktop_central_.md b/lolrmm.com/content/rmm_tools/manage_engine__desktop_central_.md index 3cc78a4b..10558978 100644 --- a/lolrmm.com/content/rmm_tools/manage_engine__desktop_central_.md +++ b/lolrmm.com/content/rmm_tools/manage_engine__desktop_central_.md @@ -24,6 +24,9 @@ Manage Engine (Desktop Central) is a remote monitoring and management (RMM) tool #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -43,10 +46,7 @@ Manage Engine (Desktop Central) is a remote monitoring and management (RMM) tool #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `desktopcentral.manageengine.com` - `desktopcentral.manageengine.com.eu` - `desktopcentral.manageengine.cn` @@ -55,8 +55,11 @@ Manage Engine (Desktop Central) is a remote monitoring and management (RMM) tool - `*.-dms.zoho.com.cn` - - +### Detections +- Detects potential network activity of Manage Engine (Desktop Central) RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manage_engine__desktop_central__network_sigma.yml) +- Detects potential processes activity of Manage Engine (Desktop Central) RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manage_engine__desktop_central__processes_sigma.yml) ### References - [https://www.manageengine.com/products/desktop-central/help/domains-required-for-agent-communication.html](https://www.manageengine.com/products/desktop-central/help/domains-required-for-agent-communication.html) diff --git a/lolrmm.com/content/rmm_tools/manageengine.md b/lolrmm.com/content/rmm_tools/manageengine.md index dd1f248f..1e0cb0ba 100644 --- a/lolrmm.com/content/rmm_tools/manageengine.md +++ b/lolrmm.com/content/rmm_tools/manageengine.md @@ -23,6 +23,9 @@ ManageEngine is a remote monitoring and management (RMM) tool. More information #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -46,6 +49,9 @@ ManageEngine is a remote monitoring and management (RMM) tool. More information +### Detections +- Detects potential processes activity of ManageEngine RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manageengine_processes_sigma.yml) 
diff --git a/lolrmm.com/content/rmm_tools/manageengine_rmm_central.md b/lolrmm.com/content/rmm_tools/manageengine_rmm_central.md index e559ba03..dd612e18 100644 --- a/lolrmm.com/content/rmm_tools/manageengine_rmm_central.md +++ b/lolrmm.com/content/rmm_tools/manageengine_rmm_central.md @@ -23,6 +23,9 @@ ManageEngine RMM Central is a remote monitoring and management (RMM) tool. More #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -39,15 +42,13 @@ ManageEngine RMM Central is a remote monitoring and management (RMM) tool. More #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `manageengine.com/remote-monitoring-management/` - - +### Detections +- Detects potential network activity of ManageEngine RMM Central RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manageengine_rmm_central_network_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/megasync.md b/lolrmm.com/content/rmm_tools/megasync.md index 46af31ac..c3ab0bfd 100644 --- a/lolrmm.com/content/rmm_tools/megasync.md +++ b/lolrmm.com/content/rmm_tools/megasync.md @@ -23,6 +23,9 @@ MEGAsync is a remote monitoring and management (RMM) tool. More information will #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -47,6 +50,9 @@ MEGAsync is a remote monitoring and management (RMM) tool. More information will +### Detections +- Detects potential processes activity of MEGAsync RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/megasync_processes_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/meshcentral.md b/lolrmm.com/content/rmm_tools/meshcentral.md index c5dd9b54..1b0b03eb 100644 --- a/lolrmm.com/content/rmm_tools/meshcentral.md +++ b/lolrmm.com/content/rmm_tools/meshcentral.md 
@@ -24,6 +24,9 @@ MeshCentral is a remote monitoring and management (RMM) tool. More information w #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -43,16 +46,16 @@ MeshCentral is a remote monitoring and management (RMM) tool. More information w #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `user_managed` - `meshcentral.com` - - +### Detections +- Detects potential network activity of MeshCentral RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_network_sigma.yml) +- Detects potential processes activity of MeshCentral RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_processes_sigma.yml) ### References - [https://ylianst.github.io/MeshCentral/meshcentral/](https://ylianst.github.io/MeshCentral/meshcentral/) diff --git a/lolrmm.com/content/rmm_tools/microsoft_onedrive.md b/lolrmm.com/content/rmm_tools/microsoft_onedrive.md index 78255dc9..302b7d0b 100644 --- a/lolrmm.com/content/rmm_tools/microsoft_onedrive.md +++ b/lolrmm.com/content/rmm_tools/microsoft_onedrive.md @@ -23,6 +23,9 @@ Microsoft OneDrive is a remote monitoring and management (RMM) tool. More inform #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No diff --git a/lolrmm.com/content/rmm_tools/microsoft_quick_assist.md b/lolrmm.com/content/rmm_tools/microsoft_quick_assist.md index 26f932dd..9c2c151f 100644 --- a/lolrmm.com/content/rmm_tools/microsoft_quick_assist.md +++ b/lolrmm.com/content/rmm_tools/microsoft_quick_assist.md @@ -24,6 +24,9 @@ Microsoft Quick Assist is a remote monitoring and management (RMM) tool. More in #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -42,15 +45,15 @@ Microsoft Quick Assist is a remote monitoring and management (RMM) tool. More in #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `user_managed` - - +### Detections +- Detects potential network activity of Microsoft Quick Assist RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_quick_assist_network_sigma.yml) +- Detects potential processes activity of Microsoft Quick Assist RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_quick_assist_processes_sigma.yml) ### References - [https://support.microsoft.com/en-us/windows/install-quick-assist-c17479b7-a49d-4d12-938c-dbfb97c88bca](https://support.microsoft.com/en-us/windows/install-quick-assist-c17479b7-a49d-4d12-938c-dbfb97c88bca) diff --git a/lolrmm.com/content/rmm_tools/microsoft_rdp.md b/lolrmm.com/content/rmm_tools/microsoft_rdp.md index 37041c8f..75fb12e2 100644 --- a/lolrmm.com/content/rmm_tools/microsoft_rdp.md +++ b/lolrmm.com/content/rmm_tools/microsoft_rdp.md @@ -24,6 +24,9 @@ Microsoft RDP is a remote monitoring and management (RMM) tool. More information #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -43,6 +46,9 @@ Microsoft RDP is a remote monitoring and management (RMM) tool. More information +### Detections +- Detects potential processes activity of Microsoft RDP RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_rdp_processes_sigma.yml) ### References - [https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/windows](https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/windows) diff --git a/lolrmm.com/content/rmm_tools/microsoft_tsc.md b/lolrmm.com/content/rmm_tools/microsoft_tsc.md index 5ec6d425..14d24ee4 100644 
--- a/lolrmm.com/content/rmm_tools/microsoft_tsc.md +++ b/lolrmm.com/content/rmm_tools/microsoft_tsc.md @@ -24,6 +24,9 @@ Microsoft TSC is a remote monitoring and management (RMM) tool. More information #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -44,6 +47,9 @@ Microsoft TSC is a remote monitoring and management (RMM) tool. More information +### Detections +- Detects potential processes activity of Microsoft TSC RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_tsc_processes_sigma.yml) ### References - [https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/terminal-server-startup-connection-application](https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/terminal-server-startup-connection-application) diff --git a/lolrmm.com/content/rmm_tools/mikogo.md b/lolrmm.com/content/rmm_tools/mikogo.md index fe6685a5..697696e3 100644 --- a/lolrmm.com/content/rmm_tools/mikogo.md +++ b/lolrmm.com/content/rmm_tools/mikogo.md @@ -24,6 +24,9 @@ Mikogo is a remote monitoring and management (RMM) tool. More information will b #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -49,18 +52,18 @@ Mikogo is a remote monitoring and management (RMM) tool. More information will b
 #### Network Artifacts
-
-- **Description**: Known remote domains
-
- **Domains**:
+- **Description**: Known remote domains
 **Domains**:
 - `*.real-time-collaboration.com`
 - `*.mikogo4.com`
 - `*.mikogo.com`
 - `mikogo.com`
-
-
+### Detections
+- Detects potential network activity of Mikogo RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mikogo_network_sigma.yml)
+- Detects potential processes activity of Mikogo RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mikogo_processes_sigma.yml)
 ### References
 - [https://mikogo.zendesk.com/hc/en-us/articles/214072478-Which-IP-addresses-do-we-use-for-our-services](https://mikogo.zendesk.com/hc/en-us/articles/214072478-Which-IP-addresses-do-we-use-for-our-services)
diff --git a/lolrmm.com/content/rmm_tools/mionet__also_known_as_wd_anywhere_access_.md b/lolrmm.com/content/rmm_tools/mionet__also_known_as_wd_anywhere_access_.md
index 4aa0693c..6f905352 100644
--- a/lolrmm.com/content/rmm_tools/mionet__also_known_as_wd_anywhere_access_.md
+++ b/lolrmm.com/content/rmm_tools/mionet__also_known_as_wd_anywhere_access_.md
@@ -23,6 +23,9 @@ MioNet (Also known as WD Anywhere Access) is a remote monitoring and management
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
@@ -43,6 +46,9 @@ MioNet (Also known as WD Anywhere Access) is a remote monitoring and management
+### Detections
+- Detects potential processes activity of MioNet (Also known as WD Anywhere Access) RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mionet__also_known_as_wd_anywhere_access__processes_sigma.yml)
diff --git a/lolrmm.com/content/rmm_tools/mionet__wd_anywhere_access_.md b/lolrmm.com/content/rmm_tools/mionet__wd_anywhere_access_.md
index 991ba454..3836740e 100644
--- a/lolrmm.com/content/rmm_tools/mionet__wd_anywhere_access_.md
+++ b/lolrmm.com/content/rmm_tools/mionet__wd_anywhere_access_.md
@@ -24,6 +24,9 @@ MioNet (WD Anywhere Access) is a remote monitoring and management (RMM) tool. Mo
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
@@ -44,6 +47,9 @@ MioNet (WD Anywhere Access) is a remote monitoring and management (RMM) tool. Mo
+### Detections
+- Detects potential processes activity of MioNet (WD Anywhere Access) RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mionet__wd_anywhere_access__processes_sigma.yml)
 ### References
 - [https://en.wikipedia.org/wiki/WD_Anywhere_Access - DOA as of 2016](https://en.wikipedia.org/wiki/WD_Anywhere_Access - DOA as of 2016)
diff --git a/lolrmm.com/content/rmm_tools/mobaxterm.md b/lolrmm.com/content/rmm_tools/mobaxterm.md
index d487e918..96cc3ca5 100644
--- a/lolrmm.com/content/rmm_tools/mobaxterm.md
+++ b/lolrmm.com/content/rmm_tools/mobaxterm.md
@@ -23,6 +23,9 @@ MobaXterm is a remote monitoring and management (RMM) tool. More information wil
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
diff --git a/lolrmm.com/content/rmm_tools/mocha_vnc_lite.md b/lolrmm.com/content/rmm_tools/mocha_vnc_lite.md
index 05a68488..d82eddba 100644
--- a/lolrmm.com/content/rmm_tools/mocha_vnc_lite.md
+++ b/lolrmm.com/content/rmm_tools/mocha_vnc_lite.md
@@ -23,6 +23,9 @@ Mocha VNC Lite is a remote monitoring and management (RMM) tool. More informatio
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
diff --git a/lolrmm.com/content/rmm_tools/mremoteng.md b/lolrmm.com/content/rmm_tools/mremoteng.md
index 27b4f84c..e9aad0b1 100644
--- a/lolrmm.com/content/rmm_tools/mremoteng.md
+++ b/lolrmm.com/content/rmm_tools/mremoteng.md
@@ -24,6 +24,9 @@ mRemoteNG is a remote monitoring and management (RMM) tool. More information wil
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
@@ -46,42 +49,31 @@ mRemoteNG is a remote monitoring and management (RMM) tool. More information wil
 ### Forensic Artifacts
 #### Disk Artifacts
-
 - **File**: `C:\Users\*\AppData\Roaming\mRemoteNG\mRemoteNG.log`
-
 **Description**: mRemoteNG log file
-
-
 **OS**: Windows
-
 - **File**: `C:\Users\*\AppData\Roaming\mRemoteNG\confCons.xml`
-
 **Description**: mRemoteNG configuration file
-
-
 **OS**: Windows
-
 - **File**: `C:\Users\*\AppData\*\mRemoteNG\**10\user.config`
-
 **Description**: mRemoteNG user configuration file
-
-
 **OS**: Windows
-
 #### Network Artifacts
-
-- **Description**: Known remote domains
-
- **Domains**:
+- **Description**: Known remote domains
 **Domains**:
 - `user_managed`
 - `mremoteng.org`
-
-
+### Detections
+- Detects potential network activity of mRemoteNG RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_network_sigma.yml)
+- Detects potential files activity of mRemoteNG RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_files_sigma.yml)
+- Detects potential processes activity of mRemoteNG RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_processes_sigma.yml)
 ### References
 - [https://github.com/mRemoteNG/mRemoteNG](https://github.com/mRemoteNG/mRemoteNG)
diff --git a/lolrmm.com/content/rmm_tools/msp360.md b/lolrmm.com/content/rmm_tools/msp360.md
index 602c6f3e..cbcb9e4a 100644
--- a/lolrmm.com/content/rmm_tools/msp360.md
+++ b/lolrmm.com/content/rmm_tools/msp360.md
@@ -24,6 +24,9 @@ MSP360 is a remote monitoring and management (RMM) tool. More information will b
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
@@ -52,18 +55,18 @@ MSP360 is a remote monitoring and management (RMM) tool. More information will b
 #### Network Artifacts
-
-- **Description**: Known remote domains
-
- **Domains**:
+- **Description**: Known remote domains
 **Domains**:
 - `*.cloudberrylab.com`
 - `*.msp360.com`
 - `*.mspbackups.com`
 - `msp360.com`
-
-
+### Detections
+- Detects potential network activity of MSP360 RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/msp360_network_sigma.yml)
+- Detects potential processes activity of MSP360 RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/msp360_processes_sigma.yml)
 ### References
 - [https://kb.msp360.com/managed-backup-service/mbs-tcp-ports-configuration#](https://kb.msp360.com/managed-backup-service/mbs-tcp-ports-configuration#)
diff --git a/lolrmm.com/content/rmm_tools/mstsc.md b/lolrmm.com/content/rmm_tools/mstsc.md
index 620b6167..853af9fd 100644
--- a/lolrmm.com/content/rmm_tools/mstsc.md
+++ b/lolrmm.com/content/rmm_tools/mstsc.md
@@ -23,6 +23,9 @@ mstsc is a remote monitoring and management (RMM) tool. More information will be
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
@@ -43,6 +46,9 @@ mstsc is a remote monitoring and management (RMM) tool. More information will be
+### Detections
+- Detects potential processes activity of mstsc RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mstsc_processes_sigma.yml)
diff --git a/lolrmm.com/content/rmm_tools/multcloud.md b/lolrmm.com/content/rmm_tools/multcloud.md
index e5d1d2d5..d218e2a9 100644
--- a/lolrmm.com/content/rmm_tools/multcloud.md
+++ b/lolrmm.com/content/rmm_tools/multcloud.md
@@ -23,6 +23,9 @@ MultCloud is a remote monitoring and management (RMM) tool. More information wil
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
diff --git a/lolrmm.com/content/rmm_tools/mygreenpc.md b/lolrmm.com/content/rmm_tools/mygreenpc.md
index e1a0cf59..cbf5a006 100644
--- a/lolrmm.com/content/rmm_tools/mygreenpc.md
+++ b/lolrmm.com/content/rmm_tools/mygreenpc.md
@@ -24,6 +24,9 @@ MyGreenPC is a remote monitoring and management (RMM) tool. More information wil
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
@@ -42,15 +45,15 @@ MyGreenPC is a remote monitoring and management (RMM) tool. More information wil
 #### Network Artifacts
-
-- **Description**: Known remote domains
-
- **Domains**:
+- **Description**: Known remote domains
 **Domains**:
 - `*mygreenpc.com`
-
-
+### Detections
+- Detects potential network activity of MyGreenPC RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mygreenpc_network_sigma.yml)
+- Detects potential processes activity of MyGreenPC RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mygreenpc_processes_sigma.yml)
 ### References
 - [http://www.mygreenpc.com/](http://www.mygreenpc.com/)
diff --git a/lolrmm.com/content/rmm_tools/myivo.md b/lolrmm.com/content/rmm_tools/myivo.md
index c524051d..1b3fabf2 100644
--- a/lolrmm.com/content/rmm_tools/myivo.md
+++ b/lolrmm.com/content/rmm_tools/myivo.md
@@ -24,6 +24,9 @@ MyIVO is a remote monitoring and management (RMM) tool. More information will be
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
@@ -43,15 +46,15 @@ MyIVO is a remote monitoring and management (RMM) tool. More information will be
 #### Network Artifacts
-
-- **Description**: Known remote domains
-
- **Domains**:
+- **Description**: Known remote domains
 **Domains**:
 - `myivo-server.software.informer.com`
-
-
+### Detections
+- Detects potential network activity of MyIVO RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/myivo_network_sigma.yml)
+- Detects potential processes activity of MyIVO RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/myivo_processes_sigma.yml)
 ### References
 - [myivo.com - DOA as of 2024](myivo.com - DOA as of 2024)
diff --git a/lolrmm.com/content/rmm_tools/n-able_advanced_monitoring_agent.md b/lolrmm.com/content/rmm_tools/n-able_advanced_monitoring_agent.md
index 799ef51c..2736b40c 100644
--- a/lolrmm.com/content/rmm_tools/n-able_advanced_monitoring_agent.md
+++ b/lolrmm.com/content/rmm_tools/n-able_advanced_monitoring_agent.md
@@ -24,6 +24,9 @@ N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) too
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
@@ -48,10 +51,7 @@ N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) too
 #### Network Artifacts
-
-- **Description**: Known remote domains
-
- **Domains**:
+- **Description**: Known remote domains
 **Domains**:
 - `*.beanywhere.com `
 - `systemmonitor.co.uk`
 - `*system-monitor.com`
@@ -73,8 +73,11 @@ N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) too
 - `*.n-able.com`
-
-
+### Detections
+- Detects potential network activity of N-Able Advanced Monitoring Agent RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_network_sigma.yml)
+- Detects potential processes activity of N-Able Advanced Monitoring Agent RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_processes_sigma.yml)
 ### References
 - [https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm](https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm)
diff --git a/lolrmm.com/content/rmm_tools/n-able_remote_access_software.md b/lolrmm.com/content/rmm_tools/n-able_remote_access_software.md
index 85057e12..c268e1b4 100644
--- a/lolrmm.com/content/rmm_tools/n-able_remote_access_software.md
+++ b/lolrmm.com/content/rmm_tools/n-able_remote_access_software.md
@@ -23,6 +23,9 @@ N-ABLE Remote Access Software is a remote monitoring and management (RMM) tool.
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
@@ -39,15 +42,13 @@ N-ABLE Remote Access Software is a remote monitoring and management (RMM) tool.
 #### Network Artifacts
-
-- **Description**: Known remote domains
-
- **Domains**:
+- **Description**: Known remote domains
 **Domains**:
 - `n-able.com`
-
-
+### Detections
+- Detects potential network activity of N-ABLE Remote Access Software RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_remote_access_software_network_sigma.yml)
diff --git a/lolrmm.com/content/rmm_tools/nateon-desktop_sharing.md b/lolrmm.com/content/rmm_tools/nateon-desktop_sharing.md
index 631f4d06..31d5d997 100644
--- a/lolrmm.com/content/rmm_tools/nateon-desktop_sharing.md
+++ b/lolrmm.com/content/rmm_tools/nateon-desktop_sharing.md
@@ -24,6 +24,9 @@ NateOn-desktop sharing is a remote monitoring and management (RMM) tool. More in
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
@@ -44,15 +47,15 @@ NateOn-desktop sharing is a remote monitoring and management (RMM) tool. More in
 #### Network Artifacts
-
-- **Description**: Known remote domains
-
- **Domains**:
+- **Description**: Known remote domains
 **Domains**:
 - `*.nate.com`
-
-
+### Detections
+- Detects potential network activity of NateOn-desktop sharing RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nateon-desktop_sharing_network_sigma.yml)
+- Detects potential processes activity of NateOn-desktop sharing RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nateon-desktop_sharing_processes_sigma.yml)
 ### References
 - [http://rsupport.nate.com/rview/r8/main/index.aspx](http://rsupport.nate.com/rview/r8/main/index.aspx)
diff --git a/lolrmm.com/content/rmm_tools/naverisk.md b/lolrmm.com/content/rmm_tools/naverisk.md
index bb7e4b4e..223fc593 100644
--- a/lolrmm.com/content/rmm_tools/naverisk.md
+++ b/lolrmm.com/content/rmm_tools/naverisk.md
@@ -24,6 +24,9 @@ Naverisk is a remote monitoring and management (RMM) tool. More information will
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
@@ -42,16 +45,16 @@ Naverisk is a remote monitoring and management (RMM) tool. More information will
 #### Network Artifacts
-
-- **Description**: Known remote domains
-
- **Domains**:
+- **Description**: Known remote domains
 **Domains**:
 - `user_managed`
 - `naverisk.com`
-
-
+### Detections
+- Detects potential network activity of Naverisk RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/naverisk_network_sigma.yml)
+- Detects potential processes activity of Naverisk RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/naverisk_processes_sigma.yml)
 ### References
 - [http://kb.naverisk.com/en/articles/2811223-deploying-naverisk-agents](http://kb.naverisk.com/en/articles/2811223-deploying-naverisk-agents)
diff --git a/lolrmm.com/content/rmm_tools/netop.md b/lolrmm.com/content/rmm_tools/netop.md
index 81b8ec14..8d143fe2 100644
--- a/lolrmm.com/content/rmm_tools/netop.md
+++ b/lolrmm.com/content/rmm_tools/netop.md
@@ -23,6 +23,9 @@ Netop is a remote monitoring and management (RMM) tool. More information will be
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
diff --git a/lolrmm.com/content/rmm_tools/netop_remote_control__aka_impero_connect_.md b/lolrmm.com/content/rmm_tools/netop_remote_control__aka_impero_connect_.md
index 71f31fd5..14c73e50 100644
--- a/lolrmm.com/content/rmm_tools/netop_remote_control__aka_impero_connect_.md
+++ b/lolrmm.com/content/rmm_tools/netop_remote_control__aka_impero_connect_.md
@@ -23,6 +23,9 @@ Netop Remote Control (aka Impero Connect) is a remote monitoring and management
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
@@ -44,15 +47,15 @@ Netop Remote Control (aka Impero Connect) is a remote monitoring and management
 #### Network Artifacts
-
-- **Description**: Known remote domains
-
- **Domains**:
+- **Description**: Known remote domains
 **Domains**:
 - `imperosoftware.com/impero-connect/`
-
-
+### Detections
+- Detects potential network activity of Netop Remote Control (aka Impero Connect) RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__aka_impero_connect__network_sigma.yml)
+- Detects potential processes activity of Netop Remote Control (aka Impero Connect) RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__aka_impero_connect__processes_sigma.yml)
diff --git a/lolrmm.com/content/rmm_tools/netop_remote_control__impero_connect_.md b/lolrmm.com/content/rmm_tools/netop_remote_control__impero_connect_.md
index 9658dd0a..a54c38c6 100644
--- a/lolrmm.com/content/rmm_tools/netop_remote_control__impero_connect_.md
+++ b/lolrmm.com/content/rmm_tools/netop_remote_control__impero_connect_.md
@@ -24,6 +24,9 @@ Netop Remote Control (Impero Connect) is a remote monitoring and management (RMM
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
@@ -50,16 +53,16 @@ Netop Remote Control (Impero Connect) is a remote monitoring and management (RMM
 #### Network Artifacts
-
-- **Description**: Known remote domains
-
- **Domains**:
+- **Description**: Known remote domains
 **Domains**:
 - `*.connect.backdrop.cloud`
 - `*.netop.com`
-
-
+### Detections
+- Detects potential network activity of Netop Remote Control (Impero Connect) RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__impero_connect__network_sigma.yml)
+- Detects potential processes activity of Netop Remote Control (Impero Connect) RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__impero_connect__processes_sigma.yml)
 ### References
 - [https://kb.netop.com/article/firewall-and-proxy-server-considerations-when-using-netop-portal-communication-373.html](https://kb.netop.com/article/firewall-and-proxy-server-considerations-when-using-netop-portal-communication-373.html)
diff --git a/lolrmm.com/content/rmm_tools/netreo.md b/lolrmm.com/content/rmm_tools/netreo.md
index 08d4dcf4..53ab69fd 100644
--- a/lolrmm.com/content/rmm_tools/netreo.md
+++ b/lolrmm.com/content/rmm_tools/netreo.md
@@ -24,6 +24,9 @@ Netreo is a remote monitoring and management (RMM) tool. More information will b
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
@@ -40,18 +43,16 @@ Netreo is a remote monitoring and management (RMM) tool. More information will b
 #### Network Artifacts
-
-- **Description**: Known remote domains
-
- **Domains**:
+- **Description**: Known remote domains
 **Domains**:
 - `charon.netreo.net`
 - `activation.netreo.net`
 - `*.api.netreo.com`
 - `netreo.com`
-
-
+### Detections
+- Detects potential network activity of Netreo RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netreo_network_sigma.yml)
 ### References
 - [https://solutions.netreo.com/docs/firewall-requirements](https://solutions.netreo.com/docs/firewall-requirements)
diff --git a/lolrmm.com/content/rmm_tools/netsupport_manager.md b/lolrmm.com/content/rmm_tools/netsupport_manager.md
index 45913bd8..5ba717db 100644
--- a/lolrmm.com/content/rmm_tools/netsupport_manager.md
+++ b/lolrmm.com/content/rmm_tools/netsupport_manager.md
@@ -24,6 +24,9 @@ NetSupport Manager is a remote monitoring and management (RMM) tool. More inform
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
@@ -44,17 +47,17 @@ NetSupport Manager is a remote monitoring and management (RMM) tool. More inform
 #### Network Artifacts
-
-- **Description**: Known remote domains
-
- **Domains**:
+- **Description**: Known remote domains
 **Domains**:
 - `geo.netsupportsoftware.com`
 - `netsupportmanager.com`
 - `*.netsupportmanager.com`
-
-
+### Detections
+- Detects potential network activity of NetSupport Manager RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_network_sigma.yml)
+- Detects potential processes activity of NetSupport Manager RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_processes_sigma.yml)
 ### References
 - [https://www.netsupportmanager.com/resources/](https://www.netsupportmanager.com/resources/)
diff --git a/lolrmm.com/content/rmm_tools/neturo.md b/lolrmm.com/content/rmm_tools/neturo.md
index 77e374d3..6abcdafd 100644
--- a/lolrmm.com/content/rmm_tools/neturo.md
+++ b/lolrmm.com/content/rmm_tools/neturo.md
@@ -24,6 +24,9 @@ Neturo is a remote monitoring and management (RMM) tool. More information will b
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
@@ -44,15 +47,15 @@ Neturo is a remote monitoring and management (RMM) tool. More information will b
 #### Network Artifacts
-
-- **Description**: Known remote domains
-
- **Domains**:
+- **Description**: Known remote domains
 **Domains**:
 - `neturo.uplus.co.kr`
-
-
+### Detections
+- Detects potential network activity of Neturo RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/neturo_network_sigma.yml)
+- Detects potential processes activity of Neturo RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/neturo_processes_sigma.yml)
 ### References
 - [Obscure, located an older copy here: http://www.iconpos.com/pos/home/iconpos/bbs.php?id=file&q=view&uid=2](Obscure, located an older copy here: http://www.iconpos.com/pos/home/iconpos/bbs.php?id=file&q=view&uid=2)
diff --git a/lolrmm.com/content/rmm_tools/netviewer.md b/lolrmm.com/content/rmm_tools/netviewer.md
index 92b8abb6..23367f61 100644
--- a/lolrmm.com/content/rmm_tools/netviewer.md
+++ b/lolrmm.com/content/rmm_tools/netviewer.md
@@ -23,6 +23,9 @@ Netviewer is a remote monitoring and management (RMM) tool. More information wil
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
@@ -42,15 +45,15 @@ Netviewer is a remote monitoring and management (RMM) tool. More information wil
 #### Network Artifacts
-
-- **Description**: Known remote domains
-
- **Domains**:
+- **Description**: Known remote domains
 **Domains**:
 - `download.cnet.com/Net-Viewer/3000-2370_4-10034828.html`
-
-
+### Detections
+- Detects potential network activity of Netviewer RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer_network_sigma.yml)
+- Detects potential processes activity of Netviewer RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer_processes_sigma.yml)
diff --git a/lolrmm.com/content/rmm_tools/netviewer__gotomeet_.md b/lolrmm.com/content/rmm_tools/netviewer__gotomeet_.md
index 9872ac09..9bfa83ac 100644
--- a/lolrmm.com/content/rmm_tools/netviewer__gotomeet_.md
+++ b/lolrmm.com/content/rmm_tools/netviewer__gotomeet_.md
@@ -24,6 +24,9 @@ Netviewer (GoToMeet) is a remote monitoring and management (RMM) tool. More info
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
@@ -44,6 +47,9 @@ Netviewer (GoToMeet) is a remote monitoring and management (RMM) tool. More info
+### Detections
+- Detects potential processes activity of Netviewer (GoToMeet) RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer__gotomeet__processes_sigma.yml)
 ### References
 - [Obsolute - found copy here: https://www.enviolet.com/en/service/online-consultant.html](Obsolute - found copy here: https://www.enviolet.com/en/service/online-consultant.html)
diff --git a/lolrmm.com/content/rmm_tools/ngrok.md b/lolrmm.com/content/rmm_tools/ngrok.md
index c41c3099..a90e151a 100644
--- a/lolrmm.com/content/rmm_tools/ngrok.md
+++ b/lolrmm.com/content/rmm_tools/ngrok.md
@@ -24,6 +24,9 @@ ngrok is a remote monitoring and management (RMM) tool. More information will be
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
@@ -44,16 +47,16 @@ ngrok is a remote monitoring and management (RMM) tool. More information will be
 #### Network Artifacts
-
-- **Description**: Known remote domains
-
- **Domains**:
+- **Description**: Known remote domains
 **Domains**:
 - `user_managed`
 - `ngrok.com`
-
-
+### Detections
+- Detects potential network activity of ngrok RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ngrok_network_sigma.yml)
+- Detects potential processes activity of ngrok RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ngrok_processes_sigma.yml)
 ### References
 - [https://ngrok.com/docs/guides/running-behind-firewalls/](https://ngrok.com/docs/guides/running-behind-firewalls/)
diff --git a/lolrmm.com/content/rmm_tools/ninjaone__formerly_ninjarmm_.md b/lolrmm.com/content/rmm_tools/ninjaone__formerly_ninjarmm_.md
index 08304a9e..b19f9c96 100644
--- a/lolrmm.com/content/rmm_tools/ninjaone__formerly_ninjarmm_.md
+++ b/lolrmm.com/content/rmm_tools/ninjaone__formerly_ninjarmm_.md
@@ -23,6 +23,9 @@ NinjaOne (formerly NinjaRMM) is a remote monitoring and management (RMM) tool. M
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
diff --git a/lolrmm.com/content/rmm_tools/ninjarmm.md b/lolrmm.com/content/rmm_tools/ninjarmm.md
index 159edcd4..ba18a88b 100644
--- a/lolrmm.com/content/rmm_tools/ninjarmm.md
+++ b/lolrmm.com/content/rmm_tools/ninjarmm.md
@@ -24,6 +24,9 @@ NinjaRMM is a remote monitoring and management (RMM) tool. More information will
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
@@ -45,18 +48,18 @@ NinjaRMM is a remote monitoring and management (RMM) tool. More information will
 #### Network Artifacts
-
-- **Description**: Known remote domains
-
- **Domains**:
+- **Description**: Known remote domains
 **Domains**:
 - `*.ninjarmm.com`
 - `*.ninjaone.com`
 - `resources.ninjarmm.com`
 - `ninjaone.com`
-
-
+### Detections
+- Detects potential network activity of NinjaRMM RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ninjarmm_network_sigma.yml)
+- Detects potential processes activity of NinjaRMM RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ninjarmm_processes_sigma.yml)
 ### References
 - [https://www.ninjaone.com/faq/](https://www.ninjaone.com/faq/)
diff --git a/lolrmm.com/content/rmm_tools/nomachine.md b/lolrmm.com/content/rmm_tools/nomachine.md
index 0cdb5c3c..e458c6f8 100644
--- a/lolrmm.com/content/rmm_tools/nomachine.md
+++ b/lolrmm.com/content/rmm_tools/nomachine.md
@@ -24,6 +24,9 @@ NoMachine is a remote monitoring and management (RMM) tool. More information wil
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
@@ -44,16 +47,16 @@ NoMachine is a remote monitoring and management (RMM) tool. More information wil
 #### Network Artifacts
-
-- **Description**: Known remote domains
-
- **Domains**:
+- **Description**: Known remote domains
 **Domains**:
 - `user_managed`
 - `nomachine.com`
-
-
+### Detections
+- Detects potential network activity of NoMachine RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nomachine_network_sigma.yml)
+- Detects potential processes activity of NoMachine RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nomachine_processes_sigma.yml)
 ### References
 - [https://kb.nomachine.com/AR04S01122](https://kb.nomachine.com/AR04S01122)
diff --git a/lolrmm.com/content/rmm_tools/nordlocker.md b/lolrmm.com/content/rmm_tools/nordlocker.md
index 392d1cef..b8242200 100644
--- a/lolrmm.com/content/rmm_tools/nordlocker.md
+++ b/lolrmm.com/content/rmm_tools/nordlocker.md
@@ -23,6 +23,9 @@ NordLocker is a remote monitoring and management (RMM) tool. More information wi
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
diff --git a/lolrmm.com/content/rmm_tools/noteon-desktop_sharing.md b/lolrmm.com/content/rmm_tools/noteon-desktop_sharing.md
index 5258489a..0efdaa7d 100644
--- a/lolrmm.com/content/rmm_tools/noteon-desktop_sharing.md
+++ b/lolrmm.com/content/rmm_tools/noteon-desktop_sharing.md
@@ -23,6 +23,9 @@ NoteOn-desktop sharing is a remote monitoring and management (RMM) tool. More in
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
@@ -44,6 +47,9 @@ NoteOn-desktop sharing is a remote monitoring and management (RMM) tool. More in
+### Detections
+- Detects potential processes activity of NoteOn-desktop sharing RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/noteon-desktop_sharing_processes_sigma.yml)
diff --git a/lolrmm.com/content/rmm_tools/ntr_remote.md b/lolrmm.com/content/rmm_tools/ntr_remote.md
index 71422012..ddeaeda6 100644
--- a/lolrmm.com/content/rmm_tools/ntr_remote.md
+++ b/lolrmm.com/content/rmm_tools/ntr_remote.md
@@ -24,6 +24,9 @@ NTR Remote is a remote monitoring and management (RMM) tool. More information wi
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
@@ -42,15 +45,15 @@ NTR Remote is a remote monitoring and management (RMM) tool. More information wi
 #### Network Artifacts
-
-- **Description**: Known remote domains
-
- **Domains**:
+- **Description**: Known remote domains
 **Domains**:
 - `*.ntrsupport.com`
-
-
+### Detections
+- Detects potential network activity of NTR Remote RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ntr_remote_network_sigma.yml)
+- Detects potential processes activity of NTR Remote RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ntr_remote_processes_sigma.yml)
 ### References
 - [DOA as of 2024](DOA as of 2024)
diff --git a/lolrmm.com/content/rmm_tools/ocamlfuse.md b/lolrmm.com/content/rmm_tools/ocamlfuse.md
index b024ffeb..f1fe85ef 100644
--- a/lolrmm.com/content/rmm_tools/ocamlfuse.md
+++ b/lolrmm.com/content/rmm_tools/ocamlfuse.md
@@ -23,6 +23,9 @@ Ocamlfuse is a remote monitoring and management (RMM) tool. More information wil
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
diff --git a/lolrmm.com/content/rmm_tools/ocs_inventory.md b/lolrmm.com/content/rmm_tools/ocs_inventory.md
index 2d8ff890..c481ed7f 100644
--- a/lolrmm.com/content/rmm_tools/ocs_inventory.md
+++ b/lolrmm.com/content/rmm_tools/ocs_inventory.md
@@ -24,6 +24,9 @@ OCS inventory is a remote monitoring and management (RMM) tool. More information
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
@@ -43,16 +46,16 @@ OCS inventory is a remote monitoring and management (RMM) tool. More information
 #### Network Artifacts
-
-- **Description**: Known remote domains
-
- **Domains**:
+- **Description**: Known remote domains
 **Domains**:
 - `user_managed`
 - `ocsinventory-ng.org`
-
-
+### Detections
+- Detects potential network activity of OCS inventory RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ocs_inventory_network_sigma.yml)
+- Detects potential processes activity of OCS inventory RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ocs_inventory_processes_sigma.yml)
 ### References
 - [https://ocsinventory-ng.org/?page_id=878&lang=en](https://ocsinventory-ng.org/?page_id=878&lang=en)
diff --git a/lolrmm.com/content/rmm_tools/odrive.md b/lolrmm.com/content/rmm_tools/odrive.md
index 0504fbf9..e9806754 100644
--- a/lolrmm.com/content/rmm_tools/odrive.md
+++ b/lolrmm.com/content/rmm_tools/odrive.md
@@ -23,6 +23,9 @@ ODrive is a remote monitoring and management (RMM) tool. More information will b
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
@@ -44,6 +47,9 @@ ODrive is a remote monitoring and management (RMM) tool. More information will b
+### Detections
+- Detects potential processes activity of ODrive RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/odrive_processes_sigma.yml)
diff --git a/lolrmm.com/content/rmm_tools/onionshare.md b/lolrmm.com/content/rmm_tools/onionshare.md
index 6af47f21..118084da 100644
--- a/lolrmm.com/content/rmm_tools/onionshare.md
+++ b/lolrmm.com/content/rmm_tools/onionshare.md
@@ -23,6 +23,9 @@ Onionshare is a remote monitoring and management (RMM) tool. More information wi
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
@@ -45,6 +48,9 @@ Onionshare is a remote monitoring and management (RMM) tool. More information wi
+### Detections
+- Detects potential processes activity of Onionshare RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/onionshare_processes_sigma.yml)
diff --git a/lolrmm.com/content/rmm_tools/optitune.md b/lolrmm.com/content/rmm_tools/optitune.md
index 54c34453..7d2dad1b 100644
--- a/lolrmm.com/content/rmm_tools/optitune.md
+++ b/lolrmm.com/content/rmm_tools/optitune.md
@@ -24,6 +24,9 @@ OptiTune is a remote monitoring and management (RMM) tool. More information will
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
@@ -43,16 +46,16 @@ OptiTune is a remote monitoring and management (RMM) tool. More information will
 #### Network Artifacts
-
-- **Description**: Known remote domains
-
- **Domains**:
+- **Description**: Known remote domains **Domains**:
 - `*.optitune.us`
 - `*.opti-tune.com`
-
-
+### Detections
+- Detects potential network activity of OptiTune RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/optitune_network_sigma.yml)
+- Detects potential processes activity of OptiTune RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/optitune_processes_sigma.yml)
 ### References
 - [https://www.bravurasoftware.com/optitune/support/faq.aspx](https://www.bravurasoftware.com/optitune/support/faq.aspx)
diff --git a/lolrmm.com/content/rmm_tools/pandora_rc__ehorus_.md b/lolrmm.com/content/rmm_tools/pandora_rc__ehorus_.md
index a3533eb1..e6b2efb6 100644
--- a/lolrmm.com/content/rmm_tools/pandora_rc__ehorus_.md
+++ b/lolrmm.com/content/rmm_tools/pandora_rc__ehorus_.md
@@ -24,6 +24,9 @@ Pandora RC (eHorus) is a remote monitoring and management (RMM) tool. More infor
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
@@ -43,15 +46,15 @@ Pandora RC (eHorus) is a remote monitoring and management (RMM) tool. More infor
 #### Network Artifacts
-
-- **Description**: Known remote domains
-
- **Domains**:
+- **Description**: Known remote domains **Domains**:
 - `portal.ehorus.com`
-
-
+### Detections
+- Detects potential network activity of Pandora RC (eHorus) RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pandora_rc__ehorus__network_sigma.yml)
+- Detects potential processes activity of Pandora RC (eHorus) RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pandora_rc__ehorus__processes_sigma.yml)
 ### References
 - [https://pandorafms.com/manual/!current/en/documentation/09_pandora_rc/01_pandora_rc_introduction](https://pandorafms.com/manual/!current/en/documentation/09_pandora_rc/01_pandora_rc_introduction)
diff --git a/lolrmm.com/content/rmm_tools/panorama9.md b/lolrmm.com/content/rmm_tools/panorama9.md
index 8106d170..f053ddf1 100644
--- a/lolrmm.com/content/rmm_tools/panorama9.md
+++ b/lolrmm.com/content/rmm_tools/panorama9.md
@@ -24,6 +24,9 @@ Panorama9 is a remote monitoring and management (RMM) tool. More information wil
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
@@ -42,17 +45,17 @@ Panorama9 is a remote monitoring and management (RMM) tool. More information wil
 #### Network Artifacts
-
-- **Description**: Known remote domains
-
- **Domains**:
+- **Description**: Known remote domains **Domains**:
 - `trusted.panorama9.com`
 - `changes.panorama9.com`
 - `panorama9.com`
-
-
+### Detections
+- Detects potential network activity of Panorama9 RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/panorama9_network_sigma.yml)
+- Detects potential processes activity of Panorama9 RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/panorama9_processes_sigma.yml)
 ### References
 - [https://support.panorama9.com/en/articles/1859605-what-ports-and-hosts-does-the-p9-agent-communicate-with](https://support.panorama9.com/en/articles/1859605-what-ports-and-hosts-does-the-p9-agent-communicate-with)
diff --git a/lolrmm.com/content/rmm_tools/parallels_access.md b/lolrmm.com/content/rmm_tools/parallels_access.md
index 2ec34c90..211453a4 100644
--- a/lolrmm.com/content/rmm_tools/parallels_access.md
+++ b/lolrmm.com/content/rmm_tools/parallels_access.md
@@ -24,6 +24,9 @@ Parallels Access is a remote monitoring and management (RMM) tool. More informat
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
@@ -46,16 +49,16 @@ Parallels Access is a remote monitoring and management (RMM) tool. More informat
 #### Network Artifacts
-
-- **Description**: Known remote domains
-
- **Domains**:
+- **Description**: Known remote domains **Domains**:
 - `*.parallels.com`
 - `parallels.com/products/ras/try`
-
-
+### Detections
+- Detects potential network activity of Parallels Access RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/parallels_access_network_sigma.yml)
+- Detects potential processes activity of Parallels Access RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/parallels_access_processes_sigma.yml)
 ### References
 - [https://kb.parallels.com/en/129097](https://kb.parallels.com/en/129097)
diff --git a/lolrmm.com/content/rmm_tools/pcanywhere.md b/lolrmm.com/content/rmm_tools/pcanywhere.md
index 8b262b00..4278efd1 100644
--- a/lolrmm.com/content/rmm_tools/pcanywhere.md
+++ b/lolrmm.com/content/rmm_tools/pcanywhere.md
@@ -24,6 +24,9 @@ pcAnywhere is a remote monitoring and management (RMM) tool. More information wi
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
@@ -45,15 +48,15 @@ pcAnywhere is a remote monitoring and management (RMM) tool. More information wi
 #### Network Artifacts
-
-- **Description**: Known remote domains
-
- **Domains**:
+- **Description**: Known remote domains **Domains**:
 - `user_managed`
-
-
+### Detections
+- Detects potential network activity of pcAnywhere RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcanywhere_network_sigma.yml)
+- Detects potential processes activity of pcAnywhere RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcanywhere_processes_sigma.yml)
 ### References
 - [https://en.wikipedia.org/wiki/PcAnywhere](https://en.wikipedia.org/wiki/PcAnywhere)
di­ff --git a/lolrmm.com/content/rmm_tools/pcloud.md b/lolrmm.com/content/rmm_tools/pcloud.md
index 93cbcb1c..8e5befed 100644
--- a/lolrmm.com/content/rmm_tools/pcloud.md
+++ b/lolrmm.com/content/rmm_tools/pcloud.md
@@ -23,6 +23,9 @@ pCloud is a remote monitoring and management (RMM) tool. More information will b
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
@@ -44,6 +47,9 @@ pCloud is a remote monitoring and management (RMM) tool. More information will b
+### Detections
+- Detects potential processes activity of pCloud RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcloud_processes_sigma.yml)
diff --git a/lolrmm.com/content/rmm_tools/pcnow.md b/lolrmm.com/content/rmm_tools/pcnow.md
index 4502f92c..6462d2fc 100644
--- a/lolrmm.com/content/rmm_tools/pcnow.md
+++ b/lolrmm.com/content/rmm_tools/pcnow.md
@@ -24,6 +24,9 @@ Pcnow is a remote monitoring and management (RMM) tool. More information will be
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
@@ -44,15 +47,15 @@ Pcnow is a remote monitoring and management (RMM) tool. More information will be
 #### Network Artifacts
-
-- **Description**: Known remote domains
-
- **Domains**:
+- **Description**: Known remote domains **Domains**:
 - `au.pcmag.com/utilities/21470/webex-pcnow`
-
-
+### Detections
+- Detects potential network activity of Pcnow RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcnow_network_sigma.yml)
+- Detects potential processes activity of Pcnow RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcnow_processes_sigma.yml)
 ### References
 - [http://pcnow.webex.com/ - DOA as of 2024](http://pcnow.webex.com/ - DOA as of 2024)
diff --git a/lolrmm.com/content/rmm_tools/pcvisit.md b/lolrmm.com/content/rmm_tools/pcvisit.md
index 89f1a695..b72b120f 100644
--- a/lolrmm.com/content/rmm_tools/pcvisit.md
+++ b/lolrmm.com/content/rmm_tools/pcvisit.md
@@ -24,6 +24,9 @@ Pcvisit is a remote monitoring and management (RMM) tool. More information will
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
@@ -45,16 +48,16 @@ Pcvisit is a remote monitoring and management (RMM) tool. More information will
 #### Network Artifacts
-
-- **Description**: Known remote domains
-
- **Domains**:
+- **Description**: Known remote domains **Domains**:
 - `*.pcvisit.de`
 - `pcvisit.de`
-
-
+### Detections
+- Detects potential network activity of Pcvisit RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcvisit_network_sigma.yml)
+- Detects potential processes activity of Pcvisit RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcvisit_processes_sigma.yml)
 ### References
 - [https://www.pcvisit.de/](https://www.pcvisit.de/)
diff --git a/lolrmm.com/content/rmm_tools/pdq_connect.md b/lolrmm.com/content/rmm_tools/pdq_connect.md
index 2b63fa1c..e9400bdb 100644
--- a/lolrmm.com/content/rmm_tools/pdq_connect.md
+++ b/lolrmm.com/content/rmm_tools/pdq_connect.md
@@ -24,6 +24,9 @@ PDQ Connect is a remote monitoring and management (RMM) tool. More information w
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
@@ -42,16 +45,16 @@ PDQ Connect is a remote monitoring and management (RMM) tool. More information w
 #### Network Artifacts
-
-- **Description**: Known remote domains
-
- **Domains**:
+- **Description**: Known remote domains **Domains**:
 - `app.pdq.com`
 - `cfcdn.pdq.com`
-
-
+### Detections
+- Detects potential network activity of PDQ Connect RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pdq_connect_network_sigma.yml)
+- Detects potential processes activity of PDQ Connect RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pdq_connect_processes_sigma.yml)
 ### References
 - [https://connect.pdq.com/hc/en-us/articles/9518992071707-Network-Requirements](https://connect.pdq.com/hc/en-us/articles/9518992071707-Network-Requirements)
diff --git a/lolrmm.com/content/rmm_tools/pilixo.md b/lolrmm.com/content/rmm_tools/pilixo.md
index e705859b..c7051f38 100644
--- a/lolrmm.com/content/rmm_tools/pilixo.md
+++ b/lolrmm.com/content/rmm_tools/pilixo.md
@@ -24,6 +24,9 @@ Pilixo is a remote monitoring and management (RMM) tool. More information will b
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
@@ -43,17 +46,17 @@ Pilixo is a remote monitoring and management (RMM) tool. More information will b
 #### Network Artifacts
-
-- **Description**: Known remote domains
-
- **Domains**:
+- **Description**: Known remote domains **Domains**:
 - `pilixo.com`
 - `download.pilixo.com`
 - `*.pilixo.com`
-
-
+### Detections
+- Detects potential network activity of Pilixo RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pilixo_network_sigma.yml)
+- Detects potential processes activity of Pilixo RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pilixo_processes_sigma.yml)
 ### References
 - [https://pilixo.freshdesk.com/support/solutions/articles/9000141879-device-connectivity-and-firewalls](https://pilixo.freshdesk.com/support/solutions/articles/9000141879-device-connectivity-and-firewalls)
diff --git a/lolrmm.com/content/rmm_tools/pocket_cloud__wyse_.md b/lolrmm.com/content/rmm_tools/pocket_cloud__wyse_.md
index c1ce9b42..57f12870 100644
--- a/lolrmm.com/content/rmm_tools/pocket_cloud__wyse_.md
+++ b/lolrmm.com/content/rmm_tools/pocket_cloud__wyse_.md
@@ -24,6 +24,9 @@ Pocket Cloud (Wyse) is a remote monitoring and management (RMM) tool. More infor
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
@@ -44,6 +47,9 @@ Pocket Cloud (Wyse) is a remote monitoring and management (RMM) tool. More infor
+### Detections
+- Detects potential processes activity of Pocket Cloud (Wyse) RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_cloud__wyse__processes_sigma.yml)
 ### References
 - [https://wyse-pocketcloud.informer.com/2.1/](https://wyse-pocketcloud.informer.com/2.1/)
diff --git a/lolrmm.com/content/rmm_tools/pocket_controller.md b/lolrmm.com/content/rmm_tools/pocket_controller.md
index ecee37da..7f5c84a2 100644
--- a/lolrmm.com/content/rmm_tools/pocket_controller.md
+++ b/lolrmm.com/content/rmm_tools/pocket_controller.md
@@ -23,6 +23,9 @@ Pocket Controller is a remote monitoring and management (RMM) tool. More informa
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
@@ -43,15 +46,15 @@ Pocket Controller is a remote monitoring and management (RMM) tool. More informa
 #### Network Artifacts
-
-- **Description**: Known remote domains
-
- **Domains**:
+- **Description**: Known remote domains **Domains**:
 - `soti.net/products/soti-pocket-controller`
-
-
+### Detections
+- Detects potential network activity of Pocket Controller RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller_network_sigma.yml)
+- Detects potential processes activity of Pocket Controller RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller_processes_sigma.yml)
diff --git a/lolrmm.com/content/rmm_tools/pocket_controller__soti_xsight_.md b/lolrmm.com/content/rmm_tools/pocket_controller__soti_xsight_.md
index a9a03525..092d1b99 100644
--- a/lolrmm.com/content/rmm_tools/pocket_controller__soti_xsight_.md
+++ b/lolrmm.com/content/rmm_tools/pocket_controller__soti_xsight_.md
@@ -24,6 +24,9 @@ Pocket Controller (Soti Xsight) is a remote monitoring and management (RMM) tool
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
@@ -44,15 +47,15 @@ Pocket Controller (Soti Xsight) is a remote monitoring and management (RMM) tool
 #### Network Artifacts
-
-- **Description**: Known remote domains
-
- **Domains**:
+- **Description**: Known remote domains **Domains**:
 - `*soti.net`
-
-
+### Detections
+- Detects potential network activity of Pocket Controller (Soti Xsight) RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller__soti_xsight__network_sigma.yml)
+- Detects potential processes activity of Pocket Controller (Soti Xsight) RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller__soti_xsight__processes_sigma.yml)
 ### References
 - [https://pulse.soti.net/support/soti-xsight/help/](https://pulse.soti.net/support/soti-xsight/help/)
diff --git a/lolrmm.com/content/rmm_tools/proton_drive.md b/lolrmm.com/content/rmm_tools/proton_drive.md
index ec9b46c5..8ecd9ac6 100644
--- a/lolrmm.com/content/rmm_tools/proton_drive.md
+++ b/lolrmm.com/content/rmm_tools/proton_drive.md
@@ -23,6 +23,9 @@ Proton Drive is a remote monitoring and management (RMM) tool. More information
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
diff --git a/lolrmm.com/content/rmm_tools/psexec.md b/lolrmm.com/content/rmm_tools/psexec.md
index 9b787aa3..77a260d8 100644
--- a/lolrmm.com/content/rmm_tools/psexec.md
+++ b/lolrmm.com/content/rmm_tools/psexec.md
@@ -24,6 +24,9 @@ PSEXEC is a remote monitoring and management (RMM) tool. More information will b
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
@@ -43,15 +46,15 @@ PSEXEC is a remote monitoring and management (RMM) tool. More information will b
 #### Network Artifacts
-
-- **Description**: Known remote domains
-
- **Domains**:
+- **Description**: Known remote domains **Domains**:
 - `user_managed`
-
-
+### Detections
+- Detects potential network activity of PSEXEC RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec_network_sigma.yml)
+- Detects potential processes activity of PSEXEC RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec_processes_sigma.yml)
 ### References
 - [https://learn.microsoft.com/en-us/sysinternals/downloads/psexec](https://learn.microsoft.com/en-us/sysinternals/downloads/psexec)
diff --git a/lolrmm.com/content/rmm_tools/psexec__clone_.md b/lolrmm.com/content/rmm_tools/psexec__clone_.md
index cd2b1cf7..5a4c0295 100644
--- a/lolrmm.com/content/rmm_tools/psexec__clone_.md
+++ b/lolrmm.com/content/rmm_tools/psexec__clone_.md
@@ -24,6 +24,9 @@ PSEXEC (Clone) is a remote monitoring and management (RMM) tool. More informatio
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
@@ -48,15 +51,15 @@ PSEXEC (Clone) is a remote monitoring and management (RMM) tool. More informatio
 #### Network Artifacts
-
-- **Description**: Known remote domains
-
- **Domains**:
+- **Description**: Known remote domains **Domains**:
 - `user_managed`
-
-
+### Detections
+- Detects potential network activity of PSEXEC (Clone) RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec__clone__network_sigma.yml)
+- Detects potential processes activity of PSEXEC (Clone) RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec__clone__processes_sigma.yml)
 ### References
 - [https://www.poweradmin.com/paexec/](https://www.poweradmin.com/paexec/)
diff --git a/lolrmm.com/content/rmm_tools/pulseway.md b/lolrmm.com/content/rmm_tools/pulseway.md
index 74f9005d..5d07d504 100644
--- a/lolrmm.com/content/rmm_tools/pulseway.md
+++ b/lolrmm.com/content/rmm_tools/pulseway.md
@@ -24,6 +24,9 @@ Pulseway is a remote monitoring and management (RMM) tool. More information will
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
@@ -43,15 +46,15 @@ Pulseway is a remote monitoring and management (RMM) tool. More information will
 #### Network Artifacts
-
-- **Description**: Known remote domains
-
- **Domains**:
+- **Description**: Known remote domains **Domains**:
 - `pulseway.com`
-
-
+### Detections
+- Detects potential network activity of Pulseway RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pulseway_network_sigma.yml)
+- Detects potential processes activity of Pulseway RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pulseway_processes_sigma.yml)
 ### References
 - [https://intercom.help/pulseway/en/](https://intercom.help/pulseway/en/)
diff --git a/lolrmm.com/content/rmm_tools/putty.md b/lolrmm.com/content/rmm_tools/putty.md
index 29fc08b3..fa8dd513 100644
--- a/lolrmm.com/content/rmm_tools/putty.md
+++ b/lolrmm.com/content/rmm_tools/putty.md
@@ -23,6 +23,9 @@ PuTTY is a remote monitoring and management (RMM) tool. More information will be
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
diff --git a/lolrmm.com/content/rmm_tools/putty_tray.md b/lolrmm.com/content/rmm_tools/putty_tray.md
index d1ca2fd7..fc25fee5 100644
--- a/lolrmm.com/content/rmm_tools/putty_tray.md
+++ b/lolrmm.com/content/rmm_tools/putty_tray.md
@@ -23,6 +23,9 @@ PuTTY Tray is a remote monitoring and management (RMM) tool. More information wi
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
@@ -43,6 +46,9 @@ PuTTY Tray is a remote monitoring and management (RMM) tool. More information wi
+### Detections
+- Detects potential processes activity of PuTTY Tray RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/putty_tray_processes_sigma.yml)
diff --git a/lolrmm.com/content/rmm_tools/qq_im-remote_assistance.md b/lolrmm.com/content/rmm_tools/qq_im-remote_assistance.md
index e3545546..d3dcfed8 100644
--- a/lolrmm.com/content/rmm_tools/qq_im-remote_assistance.md
+++ b/lolrmm.com/content/rmm_tools/qq_im-remote_assistance.md
@@ -24,6 +24,9 @@ QQ IM-remote assistance is a remote monitoring and management (RMM) tool. More i
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
@@ -44,18 +47,18 @@ QQ IM-remote assistance is a remote monitoring and management (RMM) tool. More i
 #### Network Artifacts
-
-- **Description**: Known remote domains
-
- **Domains**:
+- **Description**: Known remote domains **Domains**:
 - `*.mdt.qq.com`
 - `*.desktop.qq.com`
 - `upload_data.qq.com`
 - `qq-messenger.en.softonic.com`
-
-
+### Detections
+- Detects potential network activity of QQ IM-remote assistance RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/qq_im-remote_assistance_network_sigma.yml)
+- Detects potential processes activity of QQ IM-remote assistance RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/qq_im-remote_assistance_processes_sigma.yml)
 ### References
 - [https://en.wikipedia.org/wiki/Tencent_QQ](https://en.wikipedia.org/wiki/Tencent_QQ)
diff --git a/lolrmm.com/content/rmm_tools/quest_kace_agent__formerly_dell_kace_.md b/lolrmm.com/content/rmm_tools/quest_kace_agent__formerly_dell_kace_.md
index cca34494..954aef2c 100644
--- a/lolrmm.com/content/rmm_tools/quest_kace_agent__formerly_dell_kace_.md
+++ b/lolrmm.com/content/rmm_tools/quest_kace_agent__formerly_dell_kace_.md
@@ -24,6 +24,9 @@ Quest KACE Agent (formerly Dell KACE) is a remote monitoring and management (RMM
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
@@ -42,16 +45,16 @@ Quest KACE Agent (formerly Dell KACE) is a remote monitoring and management (RMM
 #### Network Artifacts
-
-- **Description**: Known remote domains
-
- **Domains**:
+- **Description**: Known remote domains **Domains**:
 - `*.kace.com`
 - `www.quest.com/kace/`
-
-
+### Detections
+- Detects potential network activity of Quest KACE Agent (formerly Dell KACE) RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quest_kace_agent__formerly_dell_kace__network_sigma.yml)
+- Detects potential processes activity of Quest KACE Agent (formerly Dell KACE) RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quest_kace_agent__formerly_dell_kace__processes_sigma.yml)
 ### References
 - [https://support.quest.com/kb/4211365/which-network-ports-and-urls-are-required-for-the-kace-sma-appliance-to-function](https://support.quest.com/kb/4211365/which-network-ports-and-urls-are-required-for-the-kace-sma-appliance-to-function)
diff --git a/lolrmm.com/content/rmm_tools/quick_assist.md b/lolrmm.com/content/rmm_tools/quick_assist.md
index 5ef782f0..240d97b3 100644
--- a/lolrmm.com/content/rmm_tools/quick_assist.md
+++ b/lolrmm.com/content/rmm_tools/quick_assist.md
@@ -23,6 +23,9 @@ Quick Assist is a remote monitoring and management (RMM) tool. More information
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
@@ -41,15 +44,15 @@ Quick Assist is a remote monitoring and management (RMM) tool. More information
 #### Network Artifacts
-
-- **Description**: Known remote domains
-
- **Domains**:
+- **Description**: Known remote domains **Domains**:
 - `*.support.services.microsoft.com`
-
-
+### Detections
+- Detects potential network activity of Quick Assist RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quick_assist_network_sigma.yml)
+- Detects potential processes activity of Quick Assist RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quick_assist_processes_sigma.yml)
diff --git a/lolrmm.com/content/rmm_tools/radmin.md b/lolrmm.com/content/rmm_tools/radmin.md
index 371bd675..59930b81 100644
--- a/lolrmm.com/content/rmm_tools/radmin.md
+++ b/lolrmm.com/content/rmm_tools/radmin.md
@@ -29,13 +29,17 @@ RAdmin is a remote monitoring and management (RMM) tool. More information will b
 #### PE Metadata
 - **Filename**: RServer3.exe
-- **Original File Name**: RServer3.exe
+- **OriginalFileName**: RServer3.exe
+- **InternalName**: RServer3
 - **Description**: Radmin Server
 - **Product**: Radmin Server
+- **Comments**: Radmin - Remote Control Server
 - **Filename**: Radmin.exe
-- **Original File Name**: Radmin.exe
+- **OriginalFileName**: Radmin.exe
+- **InternalName**: Radmin
 - **Description**: Radmin Viewer
 - **Product**: Radmin Viewer
+- **Comments**: Radmin Viewer
 - **Free**: No
@@ -56,67 +60,44 @@ RAdmin is a remote monitoring and management (RMM) tool. More information will b ### Forensic Artifacts #### Disk Artifacts - - **File**: `C:\Windows\SysWOW64\rserver30\Radm_log.htm` - **Description**: RAdmin log file (32-bit) - - **OS**: Windows - - **File**: `C:\Windows\System32\rserver30\Radm_log.htm` - **Description**: RAdmin log file (64-bit) - - **OS**: Windows - - **File**: `C:\Windows\System32\rserver30\CHATLOGS\*\*.htm` - **Description**: RAdmin chat logs - - **OS**: Windows - - **File**: `C:\Users\*\Documents\ChatLogs\*\*.htm` - **Description**: RAdmin user chat logs - - **OS**: Windows - #### Registry Artifacts - **Path**: `HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin Security` **Description**: N/A - #### Network Artifacts - -- **Description**: N/A - - **Domains**: +- **Description**: N/A **Domains**: - `radmin.com` - **Ports**: - `443` - ### Detections -- [Sigma rule](https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_pua_radmin.yml) - - PUA - Radmin Viewer Utility Execution - - - -- [Sigma rule](https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml) - - Enumeration for 3rd Party Creds From CLI - - -
+- PUA - Radmin Viewer Utility Execution
+ - [Sigma Rule](https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_pua_radmin.yml)
+- Enumeration for 3rd Party Creds From CLI
+ - [Sigma Rule](https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml)
+- Detects potential registry activity of RAdmin RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_registry_sigma.yml)
+- Detects
potential network activity of RAdmin RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_network_sigma.yml)
+- Detects potential files activity of RAdmin RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_files_sigma.yml)
+- Detects potential processes activity of RAdmin RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_processes_sigma.yml)
 ### References
 - [https://radmin-club.com/radmin/how-to-establish-a-connection-outside-of-lan/](https://radmin-club.com/radmin/how-to-establish-a-connection-outside-of-lan/)
diff --git a/lolrmm.com/content/rmm_tools/raidrive.md b/lolrmm.com/content/rmm_tools/raidrive.md
index df0bcc58..32598326 100644
--- a/lolrmm.com/content/rmm_tools/raidrive.md
+++ b/lolrmm.com/content/rmm_tools/raidrive.md
@@ -23,6 +23,9 @@ Raidrive is a remote monitoring and management (RMM) tool. More information will
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
diff --git a/lolrmm.com/content/rmm_tools/rapid7.md b/lolrmm.com/content/rmm_tools/rapid7.md
index 33a96deb..c4a454bf 100644
--- a/lolrmm.com/content/rmm_tools/rapid7.md
+++ b/lolrmm.com/content/rmm_tools/rapid7.md
@@ -24,6 +24,9 @@ Rapid7 is a remote monitoring and management (RMM) tool. More information will b
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
@@ -44,16 +47,16 @@ Rapid7 is a remote monitoring and management (RMM) tool. More information will b
 #### Network Artifacts
-
-- **Description**: Known remote domains
-
- **Domains**:
+- **Description**: Known remote domains **Domains**:
 - `*.analytics.insight.rapid7.com`
 - `*.endpoint.ingress.rapid7.com`
-
-
+### Detections
+- Detects potential network activity of Rapid7 RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rapid7_network_sigma.yml)
+- Detects potential processes activity of Rapid7 RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rapid7_processes_sigma.yml)
 ### References
 - [https://docs.rapid7.com/insightvm/configure-communications-with-the-insight-platform/](https://docs.rapid7.com/insightvm/configure-communications-with-the-insight-platform/)
diff --git a/lolrmm.com/content/rmm_tools/rclone.md b/lolrmm.com/content/rmm_tools/rclone.md
index d1f94c89..5dd5727f 100644
--- a/lolrmm.com/content/rmm_tools/rclone.md
+++ b/lolrmm.com/content/rmm_tools/rclone.md
@@ -23,6 +23,9 @@ rclone is a remote monitoring and management (RMM) tool. More information will b
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
@@ -45,6 +48,9 @@ rclone is a remote monitoring and management (RMM) tool. More information will b
+### Detections
+- Detects potential processes activity of rclone RMM tool
+ - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rclone_processes_sigma.yml)
diff --git a/lolrmm.com/content/rmm_tools/rdp2tcp.md b/lolrmm.com/content/rmm_tools/rdp2tcp.md
index fb2eddc0..d769ddd5 100644
--- a/lolrmm.com/content/rmm_tools/rdp2tcp.md
+++ b/lolrmm.com/content/rmm_tools/rdp2tcp.md
@@ -24,6 +24,9 @@ rdp2tcp is a remote monitoring and management (RMM) tool. More information will
 #### PE Metadata
+- **Filename**:
+- **OriginalFileName**:
+- **Description**:
 - **Free**: No
@@ -43,16 +46,16 @@ rdp2tcp is a remote monitoring and management (RMM) tool. More information will #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `user_managed` - `github.com/V-E-O/rdp2tcp` - - +### Detections +- Detects potential network activity of rdp2tcp RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdp2tcp_network_sigma.yml) +- Detects potential processes activity of rdp2tcp RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdp2tcp_processes_sigma.yml) ### References - [github.com/V-E-O/rdp2tcp](github.com/V-E-O/rdp2tcp) diff --git a/lolrmm.com/content/rmm_tools/rdpview.md b/lolrmm.com/content/rmm_tools/rdpview.md index 6b50b730..6b4f1743 100644 --- a/lolrmm.com/content/rmm_tools/rdpview.md +++ b/lolrmm.com/content/rmm_tools/rdpview.md @@ -24,6 +24,9 @@ RDPView is a remote monitoring and management (RMM) tool. More information will #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -42,16 +45,16 @@ RDPView is a remote monitoring and management (RMM) tool. More information will #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `user_managed` - `systemmanager.ru/dntu.en/rdp_view.htm` - - +### Detections +- Detects potential network activity of RDPView RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpview_network_sigma.yml) +- Detects potential processes activity of RDPView RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpview_processes_sigma.yml) ### References - [systemmanager.ru/dntu.en/rdp_view.htm - Same as Damware](systemmanager.ru/dntu.en/rdp_view.htm - Same as Damware) 
diff --git a/lolrmm.com/content/rmm_tools/rdpwrap.md b/lolrmm.com/content/rmm_tools/rdpwrap.md index 79193ada..d2bbb245 100644 --- a/lolrmm.com/content/rmm_tools/rdpwrap.md +++ b/lolrmm.com/content/rmm_tools/rdpwrap.md @@ -24,6 +24,9 @@ rdpwrap is a remote monitoring and management (RMM) tool. More information will #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -44,16 +47,16 @@ rdpwrap is a remote monitoring and management (RMM) tool. More information will #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `user_managed` - `github.com/stascorp/rdpwrap` - - +### Detections +- Detects potential network activity of rdpwrap RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpwrap_network_sigma.yml) +- Detects potential processes activity of rdpwrap RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpwrap_processes_sigma.yml) ### References - [github.com/stascorp/rdpwrap](github.com/stascorp/rdpwrap) diff --git a/lolrmm.com/content/rmm_tools/realvnc.md b/lolrmm.com/content/rmm_tools/realvnc.md index 116e194b..2859e022 100644 --- a/lolrmm.com/content/rmm_tools/realvnc.md +++ b/lolrmm.com/content/rmm_tools/realvnc.md @@ -23,6 +23,9 @@ RealVNC is a remote monitoring and management (RMM) tool. More information will #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No diff --git a/lolrmm.com/content/rmm_tools/remcos.md b/lolrmm.com/content/rmm_tools/remcos.md index 9ceecf1a..1062489f 100644 --- a/lolrmm.com/content/rmm_tools/remcos.md +++ b/lolrmm.com/content/rmm_tools/remcos.md @@ -23,6 +23,9 @@ Remcos is a remote monitoring and management (RMM) tool. More information will b #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -42,6 +45,9 @@ Remcos is a remote monitoring and management (RMM) tool. More information will b +### Detections +- Detects potential processes activity of Remcos RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remcos_processes_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/remmina.md b/lolrmm.com/content/rmm_tools/remmina.md index d2e80edc..e7c39f8a 100644 --- a/lolrmm.com/content/rmm_tools/remmina.md +++ b/lolrmm.com/content/rmm_tools/remmina.md @@ -23,6 +23,9 @@ Remmina is a remote monitoring and management (RMM) tool. More information will #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No diff --git a/lolrmm.com/content/rmm_tools/remobo.md b/lolrmm.com/content/rmm_tools/remobo.md index 06ff8696..1b659619 100644 --- a/lolrmm.com/content/rmm_tools/remobo.md +++ b/lolrmm.com/content/rmm_tools/remobo.md @@ -24,6 +24,9 @@ Remobo is a remote monitoring and management (RMM) tool. More information will b #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -44,16 +47,16 @@ Remobo is a remote monitoring and management (RMM) tool. More information will b #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `user_managed` - `remobo.en.softonic.com` - - +### Detections +- Detects potential network activity of Remobo RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remobo_network_sigma.yml) +- Detects potential processes activity of Remobo RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remobo_processes_sigma.yml) ### References - [https://www.remobo.com - DOA as of 2024](https://www.remobo.com - DOA as of 2024) diff --git a/lolrmm.com/content/rmm_tools/remote.it.md b/lolrmm.com/content/rmm_tools/remote.it.md index eaadd1c0..552590aa 100644 
--- a/lolrmm.com/content/rmm_tools/remote.it.md +++ b/lolrmm.com/content/rmm_tools/remote.it.md @@ -24,6 +24,9 @@ Remote.it is a remote monitoring and management (RMM) tool. More information wil #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -44,17 +47,17 @@ Remote.it is a remote monitoring and management (RMM) tool. More information wil #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `auth.api.remote.it` - `api.remote.it` - `remote.it` - - +### Detections +- Detects potential network activity of Remote.it RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote.it_network_sigma.yml) +- Detects potential processes activity of Remote.it RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote.it_processes_sigma.yml) ### References - [https://docs.remote.it/introduction/get-started](https://docs.remote.it/introduction/get-started) diff --git a/lolrmm.com/content/rmm_tools/remote_desktop_manager__devolutions_.md b/lolrmm.com/content/rmm_tools/remote_desktop_manager__devolutions_.md index beb48bca..2075f278 100644 --- a/lolrmm.com/content/rmm_tools/remote_desktop_manager__devolutions_.md +++ b/lolrmm.com/content/rmm_tools/remote_desktop_manager__devolutions_.md @@ -23,6 +23,9 @@ Remote Desktop Manager (Devolutions) is a remote monitoring and management (RMM) #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No diff --git a/lolrmm.com/content/rmm_tools/remote_desktop_plus.md b/lolrmm.com/content/rmm_tools/remote_desktop_plus.md index 0e72efc3..cec2ccbf 100644 --- a/lolrmm.com/content/rmm_tools/remote_desktop_plus.md +++ b/lolrmm.com/content/rmm_tools/remote_desktop_plus.md 
@@ -24,6 +24,9 @@ Remote Desktop Plus is a remote monitoring and management (RMM) tool. More infor #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -42,15 +45,15 @@ Remote Desktop Plus is a remote monitoring and management (RMM) tool. More infor #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `donkz.nl` - - +### Detections +- Detects potential network activity of Remote Desktop Plus RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_desktop_plus_network_sigma.yml) +- Detects potential processes activity of Remote Desktop Plus RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_desktop_plus_processes_sigma.yml) ### References - [https://www.donkz.nl/](https://www.donkz.nl/) diff --git a/lolrmm.com/content/rmm_tools/remote_manipulator_system.md b/lolrmm.com/content/rmm_tools/remote_manipulator_system.md index e8e129fe..709227a5 100644 --- a/lolrmm.com/content/rmm_tools/remote_manipulator_system.md +++ b/lolrmm.com/content/rmm_tools/remote_manipulator_system.md @@ -24,6 +24,9 @@ Remote Manipulator System is a remote monitoring and management (RMM) tool. More #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -43,16 +46,16 @@ Remote Manipulator System is a remote monitoring and management (RMM) tool. More #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*.internetid.ru` - `rmansys.ru` - - +### Detections +- Detects potential network activity of Remote Manipulator System RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_manipulator_system_network_sigma.yml) +- Detects potential processes activity of Remote Manipulator System RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_manipulator_system_processes_sigma.yml) ### References - [https://rmansys.ru/files/](https://rmansys.ru/files/) diff --git a/lolrmm.com/content/rmm_tools/remote_utilities.md b/lolrmm.com/content/rmm_tools/remote_utilities.md index 3d4e40ea..b5f9d3b8 100644 --- a/lolrmm.com/content/rmm_tools/remote_utilities.md +++ b/lolrmm.com/content/rmm_tools/remote_utilities.md @@ -24,6 +24,9 @@ Remote Utilities is a remote monitoring and management (RMM) tool. More informat #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -43,15 +46,15 @@ Remote Utilities is a remote monitoring and management (RMM) tool. More informat #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*.internetid.ru` - - +### Detections +- Detects potential network activity of Remote Utilities RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_utilities_network_sigma.yml) +- Detects potential processes activity of Remote Utilities RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_utilities_processes_sigma.yml) ### References - [https://www.remoteutilities.com/download/](https://www.remoteutilities.com/download/) 
diff --git a/lolrmm.com/content/rmm_tools/remotecall.md b/lolrmm.com/content/rmm_tools/remotecall.md index 5e2b9837..44d955c1 100644 --- a/lolrmm.com/content/rmm_tools/remotecall.md +++ b/lolrmm.com/content/rmm_tools/remotecall.md @@ -24,6 +24,9 @@ RemoteCall is a remote monitoring and management (RMM) tool. More information wi #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -48,17 +51,17 @@ RemoteCall is a remote monitoring and management (RMM) tool. More information wi #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*.remotecall.com` - `*.startsupport.com` - `remotecall.com` - - +### Detections +- Detects potential network activity of RemoteCall RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotecall_network_sigma.yml) +- Detects potential processes activity of RemoteCall RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotecall_processes_sigma.yml) ### References - [https://help.remotecall.com/hc/en-us/articles/360005128814--RemoteCall-Server-List-For-Firewall](https://help.remotecall.com/hc/en-us/articles/360005128814--RemoteCall-Server-List-For-Firewall) diff --git a/lolrmm.com/content/rmm_tools/remotepass.md b/lolrmm.com/content/rmm_tools/remotepass.md index a9c1fd82..4cdd7297 100644 --- a/lolrmm.com/content/rmm_tools/remotepass.md +++ b/lolrmm.com/content/rmm_tools/remotepass.md @@ -23,6 +23,9 @@ RemotePass is a remote monitoring and management (RMM) tool. More information wi #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -43,15 +46,15 @@ RemotePass is a remote monitoring and management (RMM) tool. More information wi #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `remotepass.com` - - +### Detections +- Detects potential network activity of RemotePass RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepass_network_sigma.yml) +- Detects potential processes activity of RemotePass RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepass_processes_sigma.yml) ### References - [https://www.remotepass.com/rpaccess.html - DOA as of 2024](https://www.remotepass.com/rpaccess.html - DOA as of 2024) diff --git a/lolrmm.com/content/rmm_tools/remotepc.md b/lolrmm.com/content/rmm_tools/remotepc.md index b43ecce0..e998b669 100644 --- a/lolrmm.com/content/rmm_tools/remotepc.md +++ b/lolrmm.com/content/rmm_tools/remotepc.md @@ -24,6 +24,9 @@ RemotePC is a remote monitoring and management (RMM) tool. More information will #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -51,18 +54,18 @@ RemotePC is a remote monitoring and management (RMM) tool. More information will #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*.remotedesktop.com` - `*.remotepc.com` - `www.remotepc.com` - `remotepc.com` - - +### Detections +- Detects potential network activity of RemotePC RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepc_network_sigma.yml) +- Detects potential processes activity of RemotePC RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepc_processes_sigma.yml) ### References - [https://www.remotedesktop.com/helpdesk/faq-firewall](https://www.remotedesktop.com/helpdesk/faq-firewall) 
diff --git a/lolrmm.com/content/rmm_tools/remoteutilities.md b/lolrmm.com/content/rmm_tools/remoteutilities.md index e9c762b6..52e9a387 100644 --- a/lolrmm.com/content/rmm_tools/remoteutilities.md +++ b/lolrmm.com/content/rmm_tools/remoteutilities.md @@ -23,6 +23,9 @@ RemoteUtilities is a remote monitoring and management (RMM) tool. More informati #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -46,15 +49,15 @@ RemoteUtilities is a remote monitoring and management (RMM) tool. More informati #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `remoteutilities.com` - - +### Detections +- Detects potential network activity of RemoteUtilities RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteutilities_network_sigma.yml) +- Detects potential processes activity of RemoteUtilities RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteutilities_processes_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/remoteview.md b/lolrmm.com/content/rmm_tools/remoteview.md index 2c446039..6ff13750 100644 --- a/lolrmm.com/content/rmm_tools/remoteview.md +++ b/lolrmm.com/content/rmm_tools/remoteview.md @@ -24,6 +24,9 @@ RemoteView is a remote monitoring and management (RMM) tool. More information wi #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -45,17 +48,17 @@ RemoteView is a remote monitoring and management (RMM) tool. More information wi #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*content.rview.com` - `*.rview.com` - `content.rview.com` - - +### Detections +- Detects potential network activity of RemoteView RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteview_network_sigma.yml) +- Detects potential processes activity of RemoteView RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteview_processes_sigma.yml) ### References - [https://help.rview.com/hc/en-us/articles/360005175994--RemoteView-Server-list-for-firewall](https://help.rview.com/hc/en-us/articles/360005175994--RemoteView-Server-list-for-firewall) diff --git a/lolrmm.com/content/rmm_tools/res_automation_manager.md b/lolrmm.com/content/rmm_tools/res_automation_manager.md index 688908a4..ce773b46 100644 --- a/lolrmm.com/content/rmm_tools/res_automation_manager.md +++ b/lolrmm.com/content/rmm_tools/res_automation_manager.md @@ -24,6 +24,9 @@ RES Automation Manager is a remote monitoring and management (RMM) tool. More in #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -45,16 +48,16 @@ RES Automation Manager is a remote monitoring and management (RMM) tool. More in #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `user_managed` - `ivanti.com/` - - +### Detections +- Detects potential network activity of RES Automation Manager RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/res_automation_manager_network_sigma.yml) +- Detects potential processes activity of RES Automation Manager RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/res_automation_manager_processes_sigma.yml) ### References - [https://forums.ivanti.com/s/article/INFO-Which-ports-does-Ivanti-Automation-use?language=en_US&ui-force-components-controllers-recordGlobalValueProvider.RecordGvp.getRecord=1](https://forums.ivanti.com/s/article/INFO-Which-ports-does-Ivanti-Automation-use?language=en_US&ui-force-components-controllers-recordGlobalValueProvider.RecordGvp.getRecord=1) diff --git a/lolrmm.com/content/rmm_tools/rocket_remote_desktop.md b/lolrmm.com/content/rmm_tools/rocket_remote_desktop.md index f8e7ace6..6c51f1ed 100644 --- a/lolrmm.com/content/rmm_tools/rocket_remote_desktop.md +++ b/lolrmm.com/content/rmm_tools/rocket_remote_desktop.md @@ -23,6 +23,9 @@ Rocket Remote Desktop is a remote monitoring and management (RMM) tool. More inf #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -43,6 +46,9 @@ Rocket Remote Desktop is a remote monitoring and management (RMM) tool. More inf +### Detections +- Detects potential processes activity of Rocket Remote Desktop RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rocket_remote_desktop_processes_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/royal_apps.md b/lolrmm.com/content/rmm_tools/royal_apps.md index fb3d93bb..73b08b6d 100644 
--- a/lolrmm.com/content/rmm_tools/royal_apps.md +++ b/lolrmm.com/content/rmm_tools/royal_apps.md @@ -24,6 +24,9 @@ Royal Apps is a remote monitoring and management (RMM) tool. More information wi #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -43,15 +46,15 @@ Royal Apps is a remote monitoring and management (RMM) tool. More information wi #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `user_managed` - - +### Detections +- Detects potential network activity of Royal Apps RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_apps_network_sigma.yml) +- Detects potential processes activity of Royal Apps RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_apps_processes_sigma.yml) ### References - [https://www.royalapps.com/ts/win/download](https://www.royalapps.com/ts/win/download) diff --git a/lolrmm.com/content/rmm_tools/royal_server.md b/lolrmm.com/content/rmm_tools/royal_server.md index 2d276b35..c566b001 100644 --- a/lolrmm.com/content/rmm_tools/royal_server.md +++ b/lolrmm.com/content/rmm_tools/royal_server.md @@ -23,6 +23,9 @@ Royal Server is a remote monitoring and management (RMM) tool. More information #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -39,15 +42,13 @@ Royal Server is a remote monitoring and management (RMM) tool. More information #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `royalapps.com` - - +### Detections +- Detects potential network activity of Royal Server RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_server_network_sigma.yml) 
diff --git a/lolrmm.com/content/rmm_tools/royal_ts.md b/lolrmm.com/content/rmm_tools/royal_ts.md index c4aee473..ae74d80d 100644 --- a/lolrmm.com/content/rmm_tools/royal_ts.md +++ b/lolrmm.com/content/rmm_tools/royal_ts.md @@ -23,6 +23,9 @@ Royal TS is a remote monitoring and management (RMM) tool. More information will #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -41,15 +44,15 @@ Royal TS is a remote monitoring and management (RMM) tool. More information will #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `royalapps.com` - - +### Detections +- Detects potential network activity of Royal TS RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_ts_network_sigma.yml) +- Detects potential processes activity of Royal TS RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_ts_processes_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/rport.md b/lolrmm.com/content/rmm_tools/rport.md index a0442a0d..678d2e1c 100644 --- a/lolrmm.com/content/rmm_tools/rport.md +++ b/lolrmm.com/content/rmm_tools/rport.md @@ -24,6 +24,9 @@ RPort is a remote monitoring and management (RMM) tool. More information will be #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -42,16 +45,16 @@ RPort is a remote monitoring and management (RMM) tool. More information will be #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `user_managed` - `rport.io` - - +### Detections +- Detects potential network activity of RPort RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rport_network_sigma.yml) +- Detects potential processes activity of RPort RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rport_processes_sigma.yml) ### References - [https://kb.rport.io/using-the-remote-access](https://kb.rport.io/using-the-remote-access) diff --git a/lolrmm.com/content/rmm_tools/rsync.md b/lolrmm.com/content/rmm_tools/rsync.md index a9f879b2..9ff18c1c 100644 --- a/lolrmm.com/content/rmm_tools/rsync.md +++ b/lolrmm.com/content/rmm_tools/rsync.md @@ -23,6 +23,9 @@ rsync is a remote monitoring and management (RMM) tool. More information will be #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No diff --git a/lolrmm.com/content/rmm_tools/rudesktop.md b/lolrmm.com/content/rmm_tools/rudesktop.md index a2c864d2..527765c6 100644 --- a/lolrmm.com/content/rmm_tools/rudesktop.md +++ b/lolrmm.com/content/rmm_tools/rudesktop.md @@ -24,6 +24,9 @@ RuDesktop is a remote monitoring and management (RMM) tool. More information wil #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -43,16 +46,16 @@ RuDesktop is a remote monitoring and management (RMM) tool. More information wil #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*.rudesktop.ru` - `rudesktop.ru` - - +### Detections +- Detects potential network activity of RuDesktop RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rudesktop_network_sigma.yml) +- Detects potential processes activity of RuDesktop RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rudesktop_processes_sigma.yml) ### References - [https://rudesktop.ru](https://rudesktop.ru) diff --git a/lolrmm.com/content/rmm_tools/runsmart.md b/lolrmm.com/content/rmm_tools/runsmart.md index 57fdc1a1..4c9efc36 100644 --- a/lolrmm.com/content/rmm_tools/runsmart.md +++ b/lolrmm.com/content/rmm_tools/runsmart.md @@ -23,6 +23,9 @@ RunSmart is a remote monitoring and management (RMM) tool. More information will #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -39,15 +42,13 @@ RunSmart is a remote monitoring and management (RMM) tool. More information will #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `runsmart.io` - - +### Detections +- Detects potential network activity of RunSmart RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/runsmart_network_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/rustdesk.md b/lolrmm.com/content/rmm_tools/rustdesk.md index b0ca8831..861a811f 100644 --- a/lolrmm.com/content/rmm_tools/rustdesk.md +++ b/lolrmm.com/content/rmm_tools/rustdesk.md @@ -24,6 +24,9 @@ RustDesk is a remote monitoring and management (RMM) tool. More information will #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -43,17 +46,17 @@ RustDesk is a remote monitoring and management (RMM) tool. More information will #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `rustdesk.com` - `user_managed` - `web.rustdesk.com` - - +### Detections +- Detects potential network activity of RustDesk RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rustdesk_network_sigma.yml) +- Detects potential processes activity of RustDesk RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rustdesk_processes_sigma.yml) ### References - [https://rustdesk.com/docs/en/](https://rustdesk.com/docs/en/) diff --git a/lolrmm.com/content/rmm_tools/s3_browser.md b/lolrmm.com/content/rmm_tools/s3_browser.md index c48e24e4..04fcb1fa 100644 --- a/lolrmm.com/content/rmm_tools/s3_browser.md +++ b/lolrmm.com/content/rmm_tools/s3_browser.md @@ -23,6 +23,9 @@ S3 Browser is a remote monitoring and management (RMM) tool. More information wi #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -44,6 +47,9 @@ S3 Browser is a remote monitoring and management (RMM) tool. More information wi +### Detections +- Detects potential processes activity of S3 Browser RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/s3_browser_processes_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/screenconnect.md b/lolrmm.com/content/rmm_tools/screenconnect.md index b2b987db..0b9b7cb1 100644 --- a/lolrmm.com/content/rmm_tools/screenconnect.md +++ b/lolrmm.com/content/rmm_tools/screenconnect.md @@ -27,6 +27,9 @@ ScreenConnect is a remote monitoring and management (RMM) tool. More information - **Website**: [https://www.connectwise.com](https://www.connectwise.com) #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: Yes 
@@ -71,43 +74,32 @@ ScreenConnect is a remote monitoring and management (RMM) tool. More information ### Forensic Artifacts #### Disk Artifacts - - **File**: `C:\Program Files*\ScreenConnect\App_Data\Session.db` - **Description**: ScreenConnect session database - - **OS**: Windows - - **File**: `C:\Program Files*\ScreenConnect\App_Data\User.xml` - **Description**: ScreenConnect user configuration - - **OS**: Windows - - **File**: `C:\ProgramData\ScreenConnect Client*\user.config` - **Description**: ScreenConnect client user configuration - - **OS**: Windows - #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `control.connectwise.com` - `*.connectwise.com` - `*.screenconnect.com` - - +### Detections +- Detects potential network activity of ScreenConnect RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_network_sigma.yml) +- Detects potential files activity of ScreenConnect RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_files_sigma.yml) +- Detects potential processes activity of ScreenConnect RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_processes_sigma.yml) ### References - [https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours/](https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours/) diff --git a/lolrmm.com/content/rmm_tools/screenmeet.md b/lolrmm.com/content/rmm_tools/screenmeet.md index 676525be..5a6a3269 100644 --- a/lolrmm.com/content/rmm_tools/screenmeet.md +++ b/lolrmm.com/content/rmm_tools/screenmeet.md @@ -24,6 +24,9 @@ ScreenMeet is a remote monitoring and management (RMM) tool. More information wi #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -43,16 +46,16 @@ ScreenMeet is a remote monitoring and management (RMM) tool. More information wi #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*.screenmeet.com` - `*.scrn.mt` - - +### Detections +- Detects potential network activity of ScreenMeet RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenmeet_network_sigma.yml) +- Detects potential processes activity of ScreenMeet RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenmeet_processes_sigma.yml) ### References - [https://docs.screenmeet.com/docs/firewall-white-list](https://docs.screenmeet.com/docs/firewall-white-list) diff --git a/lolrmm.com/content/rmm_tools/securecrt.md b/lolrmm.com/content/rmm_tools/securecrt.md index 89bad1fa..2382b24c 100644 --- a/lolrmm.com/content/rmm_tools/securecrt.md +++ b/lolrmm.com/content/rmm_tools/securecrt.md @@ -23,6 +23,9 @@ SecureCRT is a remote monitoring and management (RMM) tool. More information wil #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -44,6 +47,9 @@ SecureCRT is a remote monitoring and management (RMM) tool. More information wil +### Detections +- Detects potential processes activity of SecureCRT RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/securecrt_processes_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/seetrol.md b/lolrmm.com/content/rmm_tools/seetrol.md index 56ae33c3..1db39d04 100644 --- a/lolrmm.com/content/rmm_tools/seetrol.md +++ b/lolrmm.com/content/rmm_tools/seetrol.md @@ -24,6 +24,9 @@ Seetrol is a remote monitoring and management (RMM) tool. More information will #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -46,15 +49,15 @@ Seetrol is a remote monitoring and management (RMM) tool. More information will #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `seetrol.co.kr` - - +### Detections +- Detects potential network activity of Seetrol RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/seetrol_network_sigma.yml) +- Detects potential processes activity of Seetrol RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/seetrol_processes_sigma.yml) ### References - [http://www.seetrol.com/en/features/features3.php](http://www.seetrol.com/en/features/features3.php) diff --git a/lolrmm.com/content/rmm_tools/senso.cloud.md b/lolrmm.com/content/rmm_tools/senso.cloud.md index 33dd5f50..30bf5c63 100644 --- a/lolrmm.com/content/rmm_tools/senso.cloud.md +++ b/lolrmm.com/content/rmm_tools/senso.cloud.md @@ -24,6 +24,9 @@ Senso.cloud is a remote monitoring and management (RMM) tool. More information w #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -44,16 +47,16 @@ Senso.cloud is a remote monitoring and management (RMM) tool. More information w #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*.senso.cloud` - `senso.cloud` - - +### Detections +- Detects potential network activity of Senso.cloud RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/senso.cloud_network_sigma.yml) +- Detects potential processes activity of Senso.cloud RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/senso.cloud_processes_sigma.yml) ### References - [https://support.senso.cloud/support/solutions/articles/79000116305-firewall-and-content-filter-configuration](https://support.senso.cloud/support/solutions/articles/79000116305-firewall-and-content-filter-configuration) diff --git a/lolrmm.com/content/rmm_tools/servereye.md b/lolrmm.com/content/rmm_tools/servereye.md index 7d688d03..dd172619 100644 --- a/lolrmm.com/content/rmm_tools/servereye.md +++ b/lolrmm.com/content/rmm_tools/servereye.md @@ -24,6 +24,9 @@ ServerEye is a remote monitoring and management (RMM) tool. More information wil #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -43,15 +46,15 @@ ServerEye is a remote monitoring and management (RMM) tool. More information wil #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*.server-eye.de` - - +### Detections +- Detects potential network activity of ServerEye RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/servereye_network_sigma.yml) +- Detects potential processes activity of ServerEye RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/servereye_processes_sigma.yml) ### References - [https://www.servereye.de/wp-content/uploads/Anleitung-zur-Erstinstallation_aktuell.pdf](https://www.servereye.de/wp-content/uploads/Anleitung-zur-Erstinstallation_aktuell.pdf) diff --git a/lolrmm.com/content/rmm_tools/showmypc.md b/lolrmm.com/content/rmm_tools/showmypc.md index 863bb0e3..be63cb74 100644 --- a/lolrmm.com/content/rmm_tools/showmypc.md +++ b/lolrmm.com/content/rmm_tools/showmypc.md @@ -24,6 +24,9 @@ ShowMyPC is a remote monitoring and management (RMM) tool. More information will #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -45,16 +48,16 @@ ShowMyPC is a remote monitoring and management (RMM) tool. More information will #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*.showmypc.com` - `showmypc.com` - - +### Detections +- Detects potential network activity of ShowMyPC RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/showmypc_network_sigma.yml) +- Detects potential processes activity of ShowMyPC RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/showmypc_processes_sigma.yml) ### References - [https://showmypc.com/service/faq/ShowMyPCSecurityOverview1.pdf](https://showmypc.com/service/faq/ShowMyPCSecurityOverview1.pdf) diff --git a/lolrmm.com/content/rmm_tools/simplehelp.md b/lolrmm.com/content/rmm_tools/simplehelp.md index 922a7ff2..cfea135c 100644 --- a/lolrmm.com/content/rmm_tools/simplehelp.md +++ b/lolrmm.com/content/rmm_tools/simplehelp.md @@ -24,6 +24,9 @@ SimpleHelp is a remote monitoring and management (RMM) tool. More information wi #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -46,16 +49,16 @@ SimpleHelp is a remote monitoring and management (RMM) tool. More information wi #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `user_managed` - `simple-help.com` - - +### Detections +- Detects potential network activity of SimpleHelp RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/simplehelp_network_sigma.yml) +- Detects potential processes activity of SimpleHelp RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/simplehelp_processes_sigma.yml) ### References - [https://simple-help.com/remote-support](https://simple-help.com/remote-support) 
diff --git a/lolrmm.com/content/rmm_tools/site24x7.md b/lolrmm.com/content/rmm_tools/site24x7.md index 72827b98..269494be 100644 --- a/lolrmm.com/content/rmm_tools/site24x7.md +++ b/lolrmm.com/content/rmm_tools/site24x7.md @@ -24,6 +24,9 @@ Site24x7 is a remote monitoring and management (RMM) tool. More information will #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -45,10 +48,7 @@ Site24x7 is a remote monitoring and management (RMM) tool. More information will #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `plus*.site24x7.com` - `plus*.site24x7.eu` - `plus*.site24x7.in` @@ -57,8 +57,11 @@ Site24x7 is a remote monitoring and management (RMM) tool. More information will - `site24x7.com/msp` - - +### Detections +- Detects potential network activity of Site24x7 RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/site24x7_network_sigma.yml) +- Detects potential processes activity of Site24x7 RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/site24x7_processes_sigma.yml) ### References - [https://support.site24x7.com/portal/en/kb/articles/which-ports-do-i-need-to-allow-access-in-my-firewall-to-use-site24x7-agent](https://support.site24x7.com/portal/en/kb/articles/which-ports-do-i-need-to-allow-access-in-my-firewall-to-use-site24x7-agent) diff --git a/lolrmm.com/content/rmm_tools/skyfex.md b/lolrmm.com/content/rmm_tools/skyfex.md index f72f70ea..b3a3e585 100644 --- a/lolrmm.com/content/rmm_tools/skyfex.md +++ b/lolrmm.com/content/rmm_tools/skyfex.md @@ -24,6 +24,9 @@ SkyFex is a remote monitoring and management (RMM) tool. More information will b #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -43,17 +46,17 @@ SkyFex is a remote monitoring and management (RMM) tool. More information will b #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `skyfex.com` - `deskroll.com` - `*.deskroll.com` - - +### Detections +- Detects potential network activity of SkyFex RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/skyfex_network_sigma.yml) +- Detects potential processes activity of SkyFex RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/skyfex_processes_sigma.yml) ### References - [https://skyfex.com/](https://skyfex.com/) diff --git a/lolrmm.com/content/rmm_tools/smartcode_web_vnc.md b/lolrmm.com/content/rmm_tools/smartcode_web_vnc.md index 0d7106d3..b2ecbaa9 100644 --- a/lolrmm.com/content/rmm_tools/smartcode_web_vnc.md +++ b/lolrmm.com/content/rmm_tools/smartcode_web_vnc.md @@ -23,6 +23,9 @@ SmartCode Web VNC is a remote monitoring and management (RMM) tool. More informa #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No diff --git a/lolrmm.com/content/rmm_tools/smartftp.md b/lolrmm.com/content/rmm_tools/smartftp.md index 8f77bc16..daaa4c03 100644 --- a/lolrmm.com/content/rmm_tools/smartftp.md +++ b/lolrmm.com/content/rmm_tools/smartftp.md @@ -23,6 +23,9 @@ SmartFTP is a remote monitoring and management (RMM) tool. More information will #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No diff --git a/lolrmm.com/content/rmm_tools/smartty.md b/lolrmm.com/content/rmm_tools/smartty.md index 0fd0a80b..94cf6d5e 100644 --- a/lolrmm.com/content/rmm_tools/smartty.md +++ b/lolrmm.com/content/rmm_tools/smartty.md @@ -23,6 +23,9 @@ SmarTTY is a remote monitoring and management (RMM) tool. More information will #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -44,6 +47,9 @@ SmarTTY is a remote monitoring and management (RMM) tool. More information will +### Detections +- Detects potential processes activity of SmarTTY RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/smartty_processes_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/solar-putty.md b/lolrmm.com/content/rmm_tools/solar-putty.md index ccc87c9f..d4d43865 100644 --- a/lolrmm.com/content/rmm_tools/solar-putty.md +++ b/lolrmm.com/content/rmm_tools/solar-putty.md @@ -23,6 +23,9 @@ Solar-PuTTY is a remote monitoring and management (RMM) tool. More information w #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -44,6 +47,9 @@ Solar-PuTTY is a remote monitoring and management (RMM) tool. More information w +### Detections +- Detects potential processes activity of Solar-PuTTY RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/solar-putty_processes_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/sophos-remote_management_system.md b/lolrmm.com/content/rmm_tools/sophos-remote_management_system.md index 664fdd87..175de227 100644 --- a/lolrmm.com/content/rmm_tools/sophos-remote_management_system.md +++ b/lolrmm.com/content/rmm_tools/sophos-remote_management_system.md @@ -24,6 +24,9 @@ Sophos-Remote Management System is a remote monitoring and management (RMM) tool #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -44,18 +47,18 @@ Sophos-Remote Management System is a remote monitoring and management (RMM) tool #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*.sophos.com` - `*.sophosupd.com` - `*.sophosupd.net` - `community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system` - - +### Detections +- Detects potential network activity of Sophos-Remote Management System RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sophos-remote_management_system_network_sigma.yml) +- Detects potential processes activity of Sophos-Remote Management System RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sophos-remote_management_system_processes_sigma.yml) ### References - [community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system](community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system) diff --git a/lolrmm.com/content/rmm_tools/sorillus.md b/lolrmm.com/content/rmm_tools/sorillus.md index 7f21344a..ca308eb2 100644 --- a/lolrmm.com/content/rmm_tools/sorillus.md +++ b/lolrmm.com/content/rmm_tools/sorillus.md @@ -24,6 +24,9 @@ Sorillus is a remote monitoring and management (RMM) tool. More information will #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -43,16 +46,16 @@ Sorillus is a remote monitoring and management (RMM) tool. More information will #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*.sorillus.com` - `sorillus.com` - - +### Detections +- Detects potential network activity of Sorillus RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sorillus_network_sigma.yml) +- Detects potential processes activity of Sorillus RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sorillus_processes_sigma.yml) ### References - [https://sorillus.com/](https://sorillus.com/) diff --git a/lolrmm.com/content/rmm_tools/splashtop.md b/lolrmm.com/content/rmm_tools/splashtop.md index 917bc549..32b2e2c5 100644 --- a/lolrmm.com/content/rmm_tools/splashtop.md +++ b/lolrmm.com/content/rmm_tools/splashtop.md @@ -24,6 +24,9 @@ Splashtop is a remote monitoring and management (RMM) tool. More information wil #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -41,169 +44,109 @@ Splashtop is a remote monitoring and management (RMM) tool. More information wil ### Forensic Artifacts #### Disk Artifacts - - **File**: `C:\windows\System32\winevt\Logs\Splashtop-Splashtop Streamer-Status%4Operational.evtx` - **Description**: N/A - - **OS**: Windows - - **File**: `C:\windows\System32\winevt\Logs\Splashtop-Splashtop Streamer-Remote Session%4Operational.evtx` - **Description**: N/A - - **OS**: Windows - - **File**: `%PROGRAMDATA%\Splashtop\Temp\log\FTCLog.txt` - **Description**: N/A - - **OS**: Windows - - **File**: `C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\log\agent_log.txt` - **Description**: N/A - - **OS**: Windows - - **File**: `C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\log\SPLog.txt` - **Description**: N/A - - **OS**: Windows - - **File**: `C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\log\svcinfo.txt` - **Description**: N/A - - **OS**: Windows - - **File**: `C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\log\sysinfo.txt` - **Description**: N/A - - **OS**: Windows - - **File**: `C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe` - **Description**: Splashtop Remote Service - - **OS**: Windows - - **File**: `C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAgent.exe` - **Description**: SplashTop Remote Agent - - **OS**: Windows - - **File**: `C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUAgent.exe` - **Description**: Splashtop Updater - - **OS**: Windows - - **File**: `C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe` - **Description**: N/A - - **OS**: Windows - - **File**: `C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exe` - **Description**: N/A - - **OS**: Windows - - **File**: `C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\db\SRAgent.sqlite3` - **Description**: N/A - - **OS**: Windows - #### Event Log Artifacts - Event Details: - - **Event ID**: 7045 - - **Provider 
Name**: Service Control Manager - - **Log File**: System.evtx - - **Service Name**: Splashtop Software Updater Service - - **Image Path**: "C:\\Program Files (x86)\\Splashtop\\Splashtop Software Updater\\SSUService.exe" + - **EventID**: 7045 + - **ProviderName**: Service Control Manager + - **LogFile**: System.evtx + - **ServiceName**: Splashtop Software Updater Service + - **ImagePath**: "C:\\Program Files (x86)\\Splashtop\\Splashtop Software Updater\\SSUService.exe" - **Description**: Service installation event as result of Splashtop Software Updater Service installation. - Event Details: - - **Event ID**: 7045 - - **Provider Name**: Service Control Manager - - **Log File**: System.evtx - - **Service Name**: Splashtop® Remote Service - - **Image Path**: "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRService.exe" + - **EventID**: 7045 + - **ProviderName**: Service Control Manager + - **LogFile**: System.evtx + - **ServiceName**: Splashtop® Remote Service + - **ImagePath**: "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRService.exe" - **Description**: Service installation event as result of Splashtop Remote Service installation. - Event Details: - - **Event ID**: 7045 - - **Provider Name**: Service Control Manager - - **Log File**: System.evtx - - **Service Name**: SplashtopRemoteService - - **Image Path**: "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRService.exe" + - **EventID**: 7045 + - **ProviderName**: Service Control Manager + - **LogFile**: System.evtx + - **ServiceName**: SplashtopRemoteService + - **ImagePath**: "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRService.exe" - **Description**: Service installation event as result of Splashtop Remote Service installation. #### Registry Artifacts - **Path**: `KLM\SOFTWARE\WOW6432Node\Splashtop Inc.\*` **Description**: Splashtop Inc. 
registry key - - **Path**: `HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Splashtop Software Updater` **Description**: Splashtop Software Updater uninstall key - - **Path**: `HKLM\SYSTEM\CurrentControlSet\Services\SplashtopRemoteService` **Description**: Splashtop Remote Service registry key - - **Path**: `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Splashtop-Splashtop Streamer-Remote Session/Operational` **Description**: Splashtop Streamer Remote Session event log channel - - **Path**: `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Splashtop-Splashtop Streamer-Status/Operational` **Description**: Splashtop Streamer Status event log channel - - **Path**: `HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Splashtop Software Updater\InstallRefCount` **Description**: Splashtop Software Updater install reference count - - **Path**: `HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SplashtopRemoteService` **Description**: Splashtop Remote Service safe boot configuration - - **Path**: `HKU\.DEFAULT\Software\Splashtop Inc.\*` **Description**: Default user Splashtop Inc. registry key - - **Path**: `HKU\SID\Software\Splashtop Inc.\*` **Description**: User-specific Splashtop Inc. 
registry key - - **Path**: `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\Splashtop PDF Remote Printer` **Description**: Splashtop PDF Remote Printer configuration - - **Path**: `HKLM\SOFTWARE\WOW6432Node\Splashtop Inc.\Splashtop Remote Server\ClientInfo\*` **Description**: Splashtop Remote Server client information - #### Network Artifacts - -- **Description**: N/A - - **Domains**: +- **Description**: N/A **Domains**: - `*.splashtop.com` - **Ports**: - `N/A` - +### Detections +- Detects potential registry activity of Splashtop RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_registry_sigma.yml) +- Detects potential network activity of Splashtop RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_network_sigma.yml) +- Detects potential files activity of Splashtop RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_files_sigma.yml) +- Detects potential processes activity of Splashtop RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_processes_sigma.yml) ### References - [https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html](https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html) diff --git a/lolrmm.com/content/rmm_tools/splashtop__beta_.md b/lolrmm.com/content/rmm_tools/splashtop__beta_.md index 4e9bafb5..df00d2a0 100644 --- a/lolrmm.com/content/rmm_tools/splashtop__beta_.md +++ b/lolrmm.com/content/rmm_tools/splashtop__beta_.md @@ -23,6 +23,9 @@ Splashtop (Beta) is a remote monitoring and management (RMM) tool. More informat #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -44,15 +47,15 @@ Splashtop (Beta) is a remote monitoring and management (RMM) tool. More informat #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `splashtop.com` - - +### Detections +- Detects potential network activity of Splashtop (Beta) RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop__beta__network_sigma.yml) +- Detects potential processes activity of Splashtop (Beta) RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop__beta__processes_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/splashtop_remote.md b/lolrmm.com/content/rmm_tools/splashtop_remote.md index 4fcbc5bb..6c4278ff 100644 --- a/lolrmm.com/content/rmm_tools/splashtop_remote.md +++ b/lolrmm.com/content/rmm_tools/splashtop_remote.md @@ -24,6 +24,9 @@ Splashtop Remote is a remote monitoring and management (RMM) tool. More informat #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -48,18 +51,18 @@ Splashtop Remote is a remote monitoring and management (RMM) tool. More informat #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `splashtop.com` - `*.api.splashtop.com` - `*.relay.splashtop.com` - `*.api.splashtop.eu` - - +### Detections +- Detects potential network activity of Splashtop Remote RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_remote_network_sigma.yml) +- Detects potential processes activity of Splashtop Remote RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_remote_processes_sigma.yml) ### References - [https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services](https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services) diff --git a/lolrmm.com/content/rmm_tools/spyanywhere.md b/lolrmm.com/content/rmm_tools/spyanywhere.md index 50d56500..d26fdd92 100644 --- a/lolrmm.com/content/rmm_tools/spyanywhere.md +++ b/lolrmm.com/content/rmm_tools/spyanywhere.md @@ -24,6 +24,9 @@ SpyAnywhere is a remote monitoring and management (RMM) tool. More information w #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -42,16 +45,16 @@ SpyAnywhere is a remote monitoring and management (RMM) tool. More information w #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*.spytech-web.com` - `spyanywhere.com` - - +### Detections +- Detects potential network activity of SpyAnywhere RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/spyanywhere_network_sigma.yml) +- Detects potential processes activity of SpyAnywhere RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/spyanywhere_processes_sigma.yml) ### References - [https://www.spyanywhere.com/support.shtml](https://www.spyanywhere.com/support.shtml) diff --git a/lolrmm.com/content/rmm_tools/sunlogin.md b/lolrmm.com/content/rmm_tools/sunlogin.md index 666b1a9b..968dd7e8 100644 --- a/lolrmm.com/content/rmm_tools/sunlogin.md +++ b/lolrmm.com/content/rmm_tools/sunlogin.md @@ -24,6 +24,9 @@ SunLogin is a remote monitoring and management (RMM) tool. More information will #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -44,16 +47,16 @@ SunLogin is a remote monitoring and management (RMM) tool. More information will #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `sunlogin.oray.com` - `client.oray.net` - - +### Detections +- Detects potential network activity of SunLogin RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sunlogin_network_sigma.yml) +- Detects potential processes activity of SunLogin RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sunlogin_processes_sigma.yml) ### References - [https://sunlogin.oray.com/en/embed/software.html](https://sunlogin.oray.com/en/embed/software.html) 
diff --git a/lolrmm.com/content/rmm_tools/superops.md b/lolrmm.com/content/rmm_tools/superops.md index 35643baf..5e6c0b6f 100644 --- a/lolrmm.com/content/rmm_tools/superops.md +++ b/lolrmm.com/content/rmm_tools/superops.md @@ -24,6 +24,9 @@ SuperOps is a remote monitoring and management (RMM) tool. More information will #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -43,10 +46,7 @@ SuperOps is a remote monitoring and management (RMM) tool. More information will #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*.superopsbeta.com` - `superops.ai` - `serv.superopsalpha.com` @@ -54,8 +54,11 @@ SuperOps is a remote monitoring and management (RMM) tool. More information will - `*.superopsalpha.com` - - +### Detections +- Detects potential network activity of SuperOps RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superops_network_sigma.yml) +- Detects potential processes activity of SuperOps RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superops_processes_sigma.yml) ### References - [https://support.superops.com/en/articles/6632028-how-to-download-and-deploy-the-agent](https://support.superops.com/en/articles/6632028-how-to-download-and-deploy-the-agent) diff --git a/lolrmm.com/content/rmm_tools/superputty.md b/lolrmm.com/content/rmm_tools/superputty.md index 597e502d..77766143 100644 --- a/lolrmm.com/content/rmm_tools/superputty.md +++ b/lolrmm.com/content/rmm_tools/superputty.md @@ -23,6 +23,9 @@ SuperPuTTY is a remote monitoring and management (RMM) tool. More information wi #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -45,6 +48,9 @@ SuperPuTTY is a remote monitoring and management (RMM) tool. More information wi +### Detections +- Detects potential processes activity of SuperPuTTY RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superputty_processes_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/supremo.md b/lolrmm.com/content/rmm_tools/supremo.md index b4c2f75e..3f1692ac 100644 --- a/lolrmm.com/content/rmm_tools/supremo.md +++ b/lolrmm.com/content/rmm_tools/supremo.md @@ -24,6 +24,9 @@ Supremo is a remote monitoring and management (RMM) tool. More information will #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -45,17 +48,17 @@ Supremo is a remote monitoring and management (RMM) tool. More information will #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `supremocontrol.com` - `*.supremocontrol.com` - `* .nanosystems.it` - - +### Detections +- Detects potential network activity of Supremo RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/supremo_network_sigma.yml) +- Detects potential processes activity of Supremo RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/supremo_processes_sigma.yml) ### References - [https://www.supremocontrol.com/frequently-asked-questions/](https://www.supremocontrol.com/frequently-asked-questions/) diff --git a/lolrmm.com/content/rmm_tools/syncro.md b/lolrmm.com/content/rmm_tools/syncro.md index 94ff6912..7435ad8e 100644 --- a/lolrmm.com/content/rmm_tools/syncro.md +++ b/lolrmm.com/content/rmm_tools/syncro.md @@ -24,6 +24,9 @@ Syncro is a remote monitoring and management (RMM) tool. More information will b #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -51,10 +54,7 @@ Syncro is a remote monitoring and management (RMM) tool. More information will b #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `kabuto.io` - `*.syncromsp.com` - `*.syncroapi.com` @@ -68,8 +68,11 @@ Syncro is a remote monitoring and management (RMM) tool. More information will b - `attachments.servably.com` - - +### Detections +- Detects potential network activity of Syncro RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncro_network_sigma.yml) +- Detects potential processes activity of Syncro RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncro_processes_sigma.yml) ### References - [https://community.syncromsp.com/t/syncro-exceptions-and-allowlists/2004](https://community.syncromsp.com/t/syncro-exceptions-and-allowlists/2004) diff --git a/lolrmm.com/content/rmm_tools/syncthing.md b/lolrmm.com/content/rmm_tools/syncthing.md index 50bf67ba..030cc5ec 100644 --- a/lolrmm.com/content/rmm_tools/syncthing.md +++ b/lolrmm.com/content/rmm_tools/syncthing.md @@ -23,6 +23,9 @@ Syncthing is a remote monitoring and management (RMM) tool. More information wil #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -44,6 +47,9 @@ Syncthing is a remote monitoring and management (RMM) tool. More information wil +### Detections +- Detects potential processes activity of Syncthing RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncthing_processes_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/synergy.md b/lolrmm.com/content/rmm_tools/synergy.md index 823a6892..d7c5696b 100644 --- a/lolrmm.com/content/rmm_tools/synergy.md +++ b/lolrmm.com/content/rmm_tools/synergy.md 
@@ -24,6 +24,9 @@ Synergy is a remote monitoring and management (RMM) tool. More information will #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -40,15 +43,13 @@ Synergy is a remote monitoring and management (RMM) tool. More information will #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `user_managed` - - +### Detections +- Detects potential network activity of Synergy RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/synergy_network_sigma.yml) ### References - [https://symless.com/synergy](https://symless.com/synergy) diff --git a/lolrmm.com/content/rmm_tools/sysaid.md b/lolrmm.com/content/rmm_tools/sysaid.md index a2e3dd55..4d20723b 100644 --- a/lolrmm.com/content/rmm_tools/sysaid.md +++ b/lolrmm.com/content/rmm_tools/sysaid.md @@ -23,6 +23,9 @@ SysAid is a remote monitoring and management (RMM) tool. More information will b #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -45,6 +48,9 @@ SysAid is a remote monitoring and management (RMM) tool. More information will b +### Detections +- Detects potential processes activity of SysAid RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sysaid_processes_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/syspectr.md b/lolrmm.com/content/rmm_tools/syspectr.md index 6f8e2c43..414e1cbc 100644 --- a/lolrmm.com/content/rmm_tools/syspectr.md +++ b/lolrmm.com/content/rmm_tools/syspectr.md @@ -24,6 +24,9 @@ Syspectr is a remote monitoring and management (RMM) tool. More information will #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -43,16 +46,16 @@ Syspectr is a remote monitoring and management (RMM) tool. More information will #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `atled.syspectr.com` - `app.syspectr.com` - - +### Detections +- Detects potential network activity of Syspectr RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syspectr_network_sigma.yml) +- Detects potential processes activity of Syspectr RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syspectr_processes_sigma.yml) ### References - [https://www.syspectr.com/en/installation-in-a-network](https://www.syspectr.com/en/installation-in-a-network) diff --git a/lolrmm.com/content/rmm_tools/tactical_rmm.md b/lolrmm.com/content/rmm_tools/tactical_rmm.md index ea183873..3f827eb3 100644 --- a/lolrmm.com/content/rmm_tools/tactical_rmm.md +++ b/lolrmm.com/content/rmm_tools/tactical_rmm.md @@ -24,6 +24,9 @@ Tactical RMM is a remote monitoring and management (RMM) tool. More information #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -43,17 +46,17 @@ Tactical RMM is a remote monitoring and management (RMM) tool. More information #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `login.tailscale.com` - `login.tailscale.com` - `docs.tacticalrmm.com` - - +### Detections +- Detects potential network activity of Tactical RMM RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tactical_rmm_network_sigma.yml) +- Detects potential processes activity of Tactical RMM RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tactical_rmm_processes_sigma.yml) ### References - [docs.tacticalrmm.com](docs.tacticalrmm.com) 
diff --git a/lolrmm.com/content/rmm_tools/tailscale.md b/lolrmm.com/content/rmm_tools/tailscale.md index 7e9f8d04..9acc75c4 100644 --- a/lolrmm.com/content/rmm_tools/tailscale.md +++ b/lolrmm.com/content/rmm_tools/tailscale.md @@ -24,6 +24,9 @@ Tailscale is a remote monitoring and management (RMM) tool. More information wil #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -44,17 +47,17 @@ Tailscale is a remote monitoring and management (RMM) tool. More information wil #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*.tailscale.com` - `*.tailscale.io` - `tailscale.com` - - +### Detections +- Detects potential network activity of Tailscale RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tailscale_network_sigma.yml) +- Detects potential processes activity of Tailscale RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tailscale_processes_sigma.yml) ### References - [https://tailscale.com/kb/1023/troubleshooting](https://tailscale.com/kb/1023/troubleshooting) diff --git a/lolrmm.com/content/rmm_tools/tanium.md b/lolrmm.com/content/rmm_tools/tanium.md index 0c26ac37..8f13c230 100644 --- a/lolrmm.com/content/rmm_tools/tanium.md +++ b/lolrmm.com/content/rmm_tools/tanium.md @@ -24,6 +24,9 @@ Tanium is a remote monitoring and management (RMM) tool. More information will b #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -46,16 +49,16 @@ Tanium is a remote monitoring and management (RMM) tool. More information will b #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `cloud.tanium.com` - `*.cloud.tanium.com` - - +### Detections +- Detects potential network activity of Tanium RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_network_sigma.yml) +- Detects potential processes activity of Tanium RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_processes_sigma.yml) ### References - [https://help.tanium.com/bundle/ug_client_cloud/page/client/platform_connections.html](https://help.tanium.com/bundle/ug_client_cloud/page/client/platform_connections.html) diff --git a/lolrmm.com/content/rmm_tools/tanium_deploy.md b/lolrmm.com/content/rmm_tools/tanium_deploy.md index f4c97c30..ef4753ab 100644 --- a/lolrmm.com/content/rmm_tools/tanium_deploy.md +++ b/lolrmm.com/content/rmm_tools/tanium_deploy.md @@ -23,6 +23,9 @@ Tanium Deploy is a remote monitoring and management (RMM) tool. More information #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -39,15 +42,13 @@ Tanium Deploy is a remote monitoring and management (RMM) tool. More information #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `tanium.com/products/tanium-deploy` - - +### Detections +- Detects potential network activity of Tanium Deploy RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_deploy_network_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/teamviewer.md b/lolrmm.com/content/rmm_tools/teamviewer.md index 2ba0f76e..2bd5d85c 100644 --- a/lolrmm.com/content/rmm_tools/teamviewer.md +++ b/lolrmm.com/content/rmm_tools/teamviewer.md 
@@ -29,6 +29,8 @@ TeamViewer is a remote monitoring and management (RMM) tool. #### PE Metadata - **Filename**: TeamViewer.exe +- **OriginalFileName**: +- **Description**: - **Product**: TeamViewer - **Privileges**: user 
@@ -58,230 +60,131 @@ TeamViewer is a remote monitoring and management (RMM) tool. ### Forensic Artifacts #### Disk Artifacts - - **File**: `C:\Users\\AppData\Local\Temp\TeamViewer\TV15Install.log` - **Description**: N/A - - **OS**: Windows - - **File**: `TeamViewer\d\d_Logfile\.log` - **Description**: N/A - - **OS**: Windows - - **File**: `C:\Program Files\TeamViewer\Connections_incoming.txt` - **Description**: N/A - - **OS**: Windows - - **File**: `C:\Program Files\TeamViewer\TVNetwork.log` - **Description**: N/A - - **OS**: Windows - - **File**: `%LOCALAPPDATA%\Temp\TeamViewer\TV15Install.log` - **Description**: N/A - - **OS**: Windows - - **File**: `%APPDATA%\\TeamViewer\\TeamViewer\d\d_Logfile\.log` - **Description**: N/A - - **OS**: Windows - - **File**: `teamviewerqs.exe` - **Description**: N/A - - **OS**: Windows - - **File**: `tv_w32.exe` - **Description**: N/A - - **OS**: Windows - - **File**: `tv_w64.exe` - **Description**: N/A - - **OS**: Windows - - **File**: `tv_x64.exe` - **Description**: N/A - - **OS**: Windows - - **File**: `teamviewer.exe` - **Description**: N/A - - **OS**: Windows - - **File**: `teamviewer_service.exe` - **Description**: N/A - - **OS**: Windows - - **File**: `%LOCALAPPDATA%\TeamViewer\Database\tvchatfilecache.db` - **Description**: SQlite 3 database storing cache about TeamViewer chat - - **OS**: Windows - - **File**: `%LOCALAPPDATA%\TeamViewer\RemotePrinting\tvprint.db` - **Description**: SQlite 3 database storing TeamViewer print jobs - - **OS**: Windows - - **File**: `%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\TeamViewer.lnk` - **Description**: N/A - - **OS**: Windows - - **File**: `C:\Program Files*\TeamViewer\connections*.txt` - **Description**: N/A - - **OS**: Windows - - **File**: `C:\Users\*\AppData\Roaming\TeamViewer\MRU\RemoteSupport\*tvc` - **Description**: N/A - - **OS**: Windows - #### Event Log Artifacts - Event Details: - - **Event ID**: 7045 - - **Provider Name**: Service Control Manager - - **Log File**: 
System.evtx - - **Service Name**: TeamViewer - - **Image Path**: "C:\\Program Files\\TeamViewer\\TeamViewer_Service.exe" + - **EventID**: 7045 + - **ProviderName**: Service Control Manager + - **LogFile**: System.evtx + - **ServiceName**: TeamViewer + - **ImagePath**: "C:\\Program Files\\TeamViewer\\TeamViewer_Service.exe" - **Description**: Service installation event as result of TeamViewer installation. #### Registry Artifacts - **Path**: `HKLM\SOFTWARE\TeamViewer\*` **Description**: N/A - - **Path**: `HKU\\SOFTWARE\TeamViewer\*` **Description**: N/A - - **Path**: `HKLM\SYSTEM\CurrentControlSet\Services\TeamViewer\*` **Description**: N/A - - **Path**: `HKLM\SOFTWARE\TeamViewer\ConnectionHistory` **Description**: N/A - - **Path**: `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TeamViewer\*` **Description**: N/A - - **Path**: `HKU\SID\SOFTWARE\TeamViewer\MainWindowHandle` **Description**: N/A - - **Path**: `HKU\SID\SOFTWARE\TeamViewer\DesktopWallpaperSingleImage` **Description**: N/A - - **Path**: `HKU\SID\SOFTWARE\TeamViewer\DesktopWallpaperSingleImagePath` **Description**: N/A - - **Path**: `HKU\SID\SOFTWARE\TeamViewer\DesktopWallpaperSingleImagePosition` **Description**: N/A - - **Path**: `HKU\SID\SOFTWARE\TeamViewer\MinimizeToTray` **Description**: N/A - - **Path**: `HKU\SID\SOFTWARE\TeamViewer\MultiMedia\AudioUserSelectedCapturingEndpoint` **Description**: N/A - - **Path**: `HKU\SID\SOFTWARE\TeamViewer\MultiMedia\AudioSendingVolumeV2` **Description**: N/A - - **Path**: `HKU\SID\SOFTWARE\TeamViewer\MultiMedia\AudioUserSelectedRenderingEndpoint` **Description**: N/A - - **Path**: `HKLM\SOFTWARE\TeamViewer\ConnectionHistory` **Description**: N/A - - **Path**: `HKU\SID\SOFTWARE\TeamViewer\ClientWindow_Mode` **Description**: N/A - - **Path**: `HKU\SID\SOFTWARE\TeamViewer\ClientWindowPositions` **Description**: N/A - #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - 
`*.teamviewer.com` - - -- **Description**: N/A - - **Domains**: +- **Description**: N/A **Domains**: - `router15.teamviewer.com` - **Ports**: - `443` - -- **Description**: N/A - - **Domains**: +- **Description**: N/A **Domains**: - `client.teamviewer.com` - **Ports**: - `443` - -- **Description**: N/A - - **Domains**: +- **Description**: N/A **Domains**: - `taf.teamviewer.com` - **Ports**: - `443` - #### Other Artifacts -- **Type**: Mutex - - **Value**: TeamViewer_LogMutex -- **Type**: Mutex - - **Value**: TeamViewerHooks_DynamicMemMutex -- **Type**: Mutex - - **Value**: TeamViewer3_Win32_Instance_Mutex - +- **Type**: Mutex **Value**: TeamViewer_LogMutex +- **Type**: Mutex **Value**: TeamViewerHooks_DynamicMemMutex +- **Type**: Mutex **Value**: TeamViewer3_Win32_Instance_Mutex + +### Detections +- Detects potential registry activity of TeamViewer RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_registry_sigma.yml) +- Detects potential network activity of TeamViewer RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_network_sigma.yml) +- Detects potential files activity of TeamViewer RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_files_sigma.yml) +- Detects potential processes activity of TeamViewer RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_processes_sigma.yml) ### References - [https://community.teamviewer.com/English/kb/articles/4139-ports-used-by-teamviewer](https://community.teamviewer.com/English/kb/articles/4139-ports-used-by-teamviewer) diff --git a/lolrmm.com/content/rmm_tools/teledesktop.md b/lolrmm.com/content/rmm_tools/teledesktop.md index ebbf4bf4..f53cf4e2 100644 --- a/lolrmm.com/content/rmm_tools/teledesktop.md +++ b/lolrmm.com/content/rmm_tools/teledesktop.md 
@@ -24,6 +24,9 @@ TeleDesktop is a remote monitoring and management (RMM) tool. More information w #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -44,16 +47,16 @@ TeleDesktop is a remote monitoring and management (RMM) tool. More information w #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `user_managed` - `tele-desk.com` - - +### Detections +- Detects potential network activity of TeleDesktop RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teledesktop_network_sigma.yml) +- Detects potential processes activity of TeleDesktop RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teledesktop_processes_sigma.yml) ### References - [http://potomacsoft.com/ - DOA as of 2024](http://potomacsoft.com/ - DOA as of 2024) diff --git a/lolrmm.com/content/rmm_tools/teracloud.md b/lolrmm.com/content/rmm_tools/teracloud.md index 1e89a6cc..3b13847a 100644 --- a/lolrmm.com/content/rmm_tools/teracloud.md +++ b/lolrmm.com/content/rmm_tools/teracloud.md @@ -23,6 +23,9 @@ TeraCLOUD is a remote monitoring and management (RMM) tool. More information wil #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -44,6 +47,9 @@ TeraCLOUD is a remote monitoring and management (RMM) tool. More information wil +### Detections +- Detects potential processes activity of TeraCLOUD RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teracloud_processes_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/terminals.md b/lolrmm.com/content/rmm_tools/terminals.md index 91833cb9..03a40a77 100644 --- a/lolrmm.com/content/rmm_tools/terminals.md +++ b/lolrmm.com/content/rmm_tools/terminals.md 
@@ -23,6 +23,9 @@ Terminals is a remote monitoring and management (RMM) tool. More information wil #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No diff --git a/lolrmm.com/content/rmm_tools/tigervnc.md b/lolrmm.com/content/rmm_tools/tigervnc.md index e724369a..bcc8288c 100644 --- a/lolrmm.com/content/rmm_tools/tigervnc.md +++ b/lolrmm.com/content/rmm_tools/tigervnc.md @@ -24,6 +24,9 @@ TigerVNC is a remote monitoring and management (RMM) tool. More information will #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -46,15 +49,15 @@ TigerVNC is a remote monitoring and management (RMM) tool. More information will #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `user_managed` - - +### Detections +- Detects potential network activity of TigerVNC RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tigervnc_network_sigma.yml) +- Detects potential processes activity of TigerVNC RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tigervnc_processes_sigma.yml) ### References - [https://github.com/TigerVNC/tigervnc/releases](https://github.com/TigerVNC/tigervnc/releases) diff --git a/lolrmm.com/content/rmm_tools/tightvnc.md b/lolrmm.com/content/rmm_tools/tightvnc.md index c3081293..f59f0903 100644 --- a/lolrmm.com/content/rmm_tools/tightvnc.md +++ b/lolrmm.com/content/rmm_tools/tightvnc.md @@ -24,6 +24,9 @@ TightVNC is a remote monitoring and management (RMM) tool. More information will #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -44,16 +47,16 @@ TightVNC is a remote monitoring and management (RMM) tool. More information will #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `user_managed` - `tightvnc.com` - - +### Detections +- Detects potential network activity of TightVNC RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tightvnc_network_sigma.yml) +- Detects potential processes activity of TightVNC RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tightvnc_processes_sigma.yml) ### References - [https://www.tightvnc.com/doc/win/TightVNC_for_Windows-Installation_and_Getting_Started.pdf](https://www.tightvnc.com/doc/win/TightVNC_for_Windows-Installation_and_Getting_Started.pdf) diff --git a/lolrmm.com/content/rmm_tools/todesk.md b/lolrmm.com/content/rmm_tools/todesk.md index f04d99bf..c7255310 100644 --- a/lolrmm.com/content/rmm_tools/todesk.md +++ b/lolrmm.com/content/rmm_tools/todesk.md @@ -24,6 +24,9 @@ ToDesk is a remote monitoring and management (RMM) tool. More information will b #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -44,18 +47,18 @@ ToDesk is a remote monitoring and management (RMM) tool. More information will b #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `todesk.com` - `*.todesk.com` - `*.todesk.com` - `todesktop.com` - - +### Detections +- Detects potential network activity of ToDesk RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/todesk_network_sigma.yml) +- Detects potential processes activity of ToDesk RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/todesk_processes_sigma.yml) ### References - [https://www.todesk.com/](https://www.todesk.com/) 
diff --git a/lolrmm.com/content/rmm_tools/total_software_deployment.md b/lolrmm.com/content/rmm_tools/total_software_deployment.md index 5ac94d2a..a537cb71 100644 --- a/lolrmm.com/content/rmm_tools/total_software_deployment.md +++ b/lolrmm.com/content/rmm_tools/total_software_deployment.md @@ -23,6 +23,9 @@ Total Software Deployment is a remote monitoring and management (RMM) tool. More #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -45,6 +48,9 @@ Total Software Deployment is a remote monitoring and management (RMM) tool. More +### Detections +- Detects potential processes activity of Total Software Deployment RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/total_software_deployment_processes_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/turbomeeting.md b/lolrmm.com/content/rmm_tools/turbomeeting.md index 4c5df9c3..2f279b19 100644 --- a/lolrmm.com/content/rmm_tools/turbomeeting.md +++ b/lolrmm.com/content/rmm_tools/turbomeeting.md @@ -24,6 +24,9 @@ TurboMeeting is a remote monitoring and management (RMM) tool. More information #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -44,16 +47,16 @@ TurboMeeting is a remote monitoring and management (RMM) tool. More information #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `user_managed` - `acceo.com/turbomeeting/` - - +### Detections +- Detects potential network activity of TurboMeeting RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/turbomeeting_network_sigma.yml) +- Detects potential processes activity of TurboMeeting RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/turbomeeting_processes_sigma.yml) ### References - [http://sourcing.rhubcom.com/v5/faqs.html#collapsetwentysix2-topdiv](http://sourcing.rhubcom.com/v5/faqs.html#collapsetwentysix2-topdiv) diff --git a/lolrmm.com/content/rmm_tools/ultra_vnc.md b/lolrmm.com/content/rmm_tools/ultra_vnc.md index 6d945802..b17cf403 100644 --- a/lolrmm.com/content/rmm_tools/ultra_vnc.md +++ b/lolrmm.com/content/rmm_tools/ultra_vnc.md @@ -23,6 +23,9 @@ Ultra VNC is a remote monitoring and management (RMM) tool. More information wil #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -46,6 +49,9 @@ Ultra VNC is a remote monitoring and management (RMM) tool. More information wil +### Detections +- Detects potential processes activity of Ultra VNC RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultra_vnc_processes_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/ultraviewer.md b/lolrmm.com/content/rmm_tools/ultraviewer.md index 34f6365a..4907dc8a 100644 --- a/lolrmm.com/content/rmm_tools/ultraviewer.md +++ b/lolrmm.com/content/rmm_tools/ultraviewer.md @@ -24,6 +24,9 @@ UltraViewer is a remote monitoring and management (RMM) tool. More information w #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -53,16 +56,16 @@ UltraViewer is a remote monitoring and management (RMM) tool. More information w #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `* .ultraviewer.net` - `ultraviewer.net` - - +### Detections +- Detects potential network activity of UltraViewer RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultraviewer_network_sigma.yml) +- Detects potential processes activity of UltraViewer RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultraviewer_processes_sigma.yml) ### References - [https://www.ultraviewer.net/en/200000026-summary-of-ultraviewer-s-security-information.html](https://www.ultraviewer.net/en/200000026-summary-of-ultraviewer-s-security-information.html) diff --git a/lolrmm.com/content/rmm_tools/ultravnc.md b/lolrmm.com/content/rmm_tools/ultravnc.md index e66e6504..de29a2bf 100644 --- a/lolrmm.com/content/rmm_tools/ultravnc.md +++ b/lolrmm.com/content/rmm_tools/ultravnc.md @@ -24,6 +24,9 @@ UltraVNC is a remote monitoring and management (RMM) tool. More information will #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -42,16 +45,16 @@ UltraVNC is a remote monitoring and management (RMM) tool. More information will #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `ultravnc.com` - `user_managed` - - +### Detections +- Detects potential network activity of UltraVNC RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultravnc_network_sigma.yml) +- Detects potential processes activity of UltraVNC RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultravnc_processes_sigma.yml) ### References - [https://uvnc.com/docs/uvnc-server/49-UltraVNC-server-configuration.html](https://uvnc.com/docs/uvnc-server/49-UltraVNC-server-configuration.html) diff --git a/lolrmm.com/content/rmm_tools/visual_studio_dev_tunnel.md b/lolrmm.com/content/rmm_tools/visual_studio_dev_tunnel.md index 639aeb8a..8b1953f0 100644 --- a/lolrmm.com/content/rmm_tools/visual_studio_dev_tunnel.md +++ b/lolrmm.com/content/rmm_tools/visual_studio_dev_tunnel.md @@ -24,6 +24,9 @@ Visual Studio Dev Tunnel is a remote monitoring and management (RMM) tool. More #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -40,17 +43,15 @@ Visual Studio Dev Tunnel is a remote monitoring and management (RMM) tool. More #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `global.rel.tunnels.api.visualstudio.com` - `*.rel.tunnels.api.visualstudio.com` - `*.devtunnels.ms` - - +### Detections +- Detects potential network activity of Visual Studio Dev Tunnel RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/visual_studio_dev_tunnel_network_sigma.yml) ### References - [https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security](https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security) diff --git a/lolrmm.com/content/rmm_tools/vnc.md b/lolrmm.com/content/rmm_tools/vnc.md index 29a42b24..5ae62a97 100644 --- a/lolrmm.com/content/rmm_tools/vnc.md +++ b/lolrmm.com/content/rmm_tools/vnc.md @@ -24,6 +24,9 @@ VNC is a remote monitoring and management (RMM) tool. More information will be a #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -48,16 +51,16 @@ VNC is a remote monitoring and management (RMM) tool. More information will be a #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `user_managed` - `realvnc.com/en/connect/download/vnc` - - +### Detections +- Detects potential network activity of VNC RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/vnc_network_sigma.yml) +- Detects potential processes activity of VNC RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/vnc_processes_sigma.yml) ### References - [https://realvnc.com/en/connect/download/vnc](https://realvnc.com/en/connect/download/vnc) 
diff --git a/lolrmm.com/content/rmm_tools/vnc_connect.md b/lolrmm.com/content/rmm_tools/vnc_connect.md index ba95a33b..81ba6a03 100644 --- a/lolrmm.com/content/rmm_tools/vnc_connect.md +++ b/lolrmm.com/content/rmm_tools/vnc_connect.md @@ -23,6 +23,9 @@ VNC Connect is a remote monitoring and management (RMM) tool. More information w #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No diff --git a/lolrmm.com/content/rmm_tools/webex__remote_access_.md b/lolrmm.com/content/rmm_tools/webex__remote_access_.md index 269d2a08..d455b7c1 100644 --- a/lolrmm.com/content/rmm_tools/webex__remote_access_.md +++ b/lolrmm.com/content/rmm_tools/webex__remote_access_.md @@ -24,6 +24,9 @@ WebEx (Remote Access) is a remote monitoring and management (RMM) tool. More inf #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No diff --git a/lolrmm.com/content/rmm_tools/webrdp.md b/lolrmm.com/content/rmm_tools/webrdp.md index b18fe89f..91d298b7 100644 --- a/lolrmm.com/content/rmm_tools/webrdp.md +++ b/lolrmm.com/content/rmm_tools/webrdp.md @@ -24,6 +24,9 @@ WebRDP is a remote monitoring and management (RMM) tool. More information will b #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -42,16 +45,16 @@ WebRDP is a remote monitoring and management (RMM) tool. More information will b #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `user_managed` - `github.com/Mikej81/WebRDP` - - +### Detections +- Detects potential network activity of WebRDP RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/webrdp_network_sigma.yml) +- Detects potential processes activity of WebRDP RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/webrdp_processes_sigma.yml) ### References - [github.com/Mikej81/WebRDP](github.com/Mikej81/WebRDP) diff --git a/lolrmm.com/content/rmm_tools/weezo.md b/lolrmm.com/content/rmm_tools/weezo.md index d32f5211..b7447518 100644 --- a/lolrmm.com/content/rmm_tools/weezo.md +++ b/lolrmm.com/content/rmm_tools/weezo.md @@ -24,6 +24,9 @@ Weezo is a remote monitoring and management (RMM) tool. More information will be #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -44,18 +47,18 @@ Weezo is a remote monitoring and management (RMM) tool. More information will be #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*.weezo.me` - `weezo.net` - `*.weezo.net` - `weezo.en.softonic.com` - - +### Detections +- Detects potential network activity of Weezo RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/weezo_network_sigma.yml) +- Detects potential processes activity of Weezo RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/weezo_processes_sigma.yml) ### References - [weezo.en.softonic.com](weezo.en.softonic.com) diff --git a/lolrmm.com/content/rmm_tools/winscp.md b/lolrmm.com/content/rmm_tools/winscp.md index 969cc06f..0ddc4b91 100644 
--- a/lolrmm.com/content/rmm_tools/winscp.md +++ b/lolrmm.com/content/rmm_tools/winscp.md @@ -23,6 +23,9 @@ WinSCP is a remote monitoring and management (RMM) tool. More information will b #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -45,6 +48,9 @@ WinSCP is a remote monitoring and management (RMM) tool. More information will b +### Detections +- Detects potential processes activity of WinSCP RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/winscp_processes_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/x2go.md b/lolrmm.com/content/rmm_tools/x2go.md index 0fdda807..e55c6907 100644 --- a/lolrmm.com/content/rmm_tools/x2go.md +++ b/lolrmm.com/content/rmm_tools/x2go.md @@ -23,6 +23,9 @@ X2Go is a remote monitoring and management (RMM) tool. More information will be #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No diff --git a/lolrmm.com/content/rmm_tools/xeox.md b/lolrmm.com/content/rmm_tools/xeox.md index fa3330cb..f01791e9 100644 --- a/lolrmm.com/content/rmm_tools/xeox.md +++ b/lolrmm.com/content/rmm_tools/xeox.md @@ -24,6 +24,9 @@ Xeox is a remote monitoring and management (RMM) tool. More information will be #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -45,16 +48,16 @@ Xeox is a remote monitoring and management (RMM) tool. More information will be #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*.xeox.com` - `xeox.com` - - +### Detections +- Detects potential network activity of Xeox RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xeox_network_sigma.yml) +- Detects potential processes activity of Xeox RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xeox_processes_sigma.yml) ### References - [https://help.xeox.com/knowledge-base/gSuyNfDH6u79M82utnswf2/firewall-settings-xeox-agent-and-integrations/47T7S9tZJ2L1Z2W5gwuXoW](https://help.xeox.com/knowledge-base/gSuyNfDH6u79M82utnswf2/firewall-settings-xeox-agent-and-integrations/47T7S9tZJ2L1Z2W5gwuXoW) diff --git a/lolrmm.com/content/rmm_tools/xpra.md b/lolrmm.com/content/rmm_tools/xpra.md index 174899c2..eed10a4d 100644 --- a/lolrmm.com/content/rmm_tools/xpra.md +++ b/lolrmm.com/content/rmm_tools/xpra.md @@ -23,6 +23,9 @@ Xpra is a remote monitoring and management (RMM) tool. More information will be #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -45,6 +48,9 @@ Xpra is a remote monitoring and management (RMM) tool. More information will be +### Detections +- Detects potential processes activity of Xpra RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xpra_processes_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/xrdp.md b/lolrmm.com/content/rmm_tools/xrdp.md index 4a8e54ed..e8195083 100644 --- a/lolrmm.com/content/rmm_tools/xrdp.md +++ b/lolrmm.com/content/rmm_tools/xrdp.md @@ -23,6 +23,9 @@ XRDP is a remote monitoring and management (RMM) tool. More information will be #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
diff --git a/lolrmm.com/content/rmm_tools/xshell.md b/lolrmm.com/content/rmm_tools/xshell.md index cdebd2b5..bc6ac969 100644 --- a/lolrmm.com/content/rmm_tools/xshell.md +++ b/lolrmm.com/content/rmm_tools/xshell.md @@ -23,6 +23,9 @@ Xshell is a remote monitoring and management (RMM) tool. More information will b #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -44,6 +47,9 @@ Xshell is a remote monitoring and management (RMM) tool. More information will b +### Detections +- Detects potential processes activity of Xshell RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xshell_processes_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/yandex.disk.md b/lolrmm.com/content/rmm_tools/yandex.disk.md index 7cb7688a..a5215ec8 100644 --- a/lolrmm.com/content/rmm_tools/yandex.disk.md +++ b/lolrmm.com/content/rmm_tools/yandex.disk.md @@ -23,6 +23,9 @@ Yandex.Disk is a remote monitoring and management (RMM) tool. More information w #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -44,6 +47,9 @@ Yandex.Disk is a remote monitoring and management (RMM) tool. More information w +### Detections +- Detects potential processes activity of Yandex.Disk RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/yandex.disk_processes_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/zabbix_agent.md b/lolrmm.com/content/rmm_tools/zabbix_agent.md index 10a21f6d..4dc875ff 100644 --- a/lolrmm.com/content/rmm_tools/zabbix_agent.md +++ b/lolrmm.com/content/rmm_tools/zabbix_agent.md @@ -24,6 +24,9 @@ Zabbix Agent is a remote monitoring and management (RMM) tool. More information #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No 
@@ -42,16 +45,16 @@ Zabbix Agent is a remote monitoring and management (RMM) tool. More information #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `user_managed` - `zabbix.com` - - +### Detections +- Detects potential network activity of Zabbix Agent RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zabbix_agent_network_sigma.yml) +- Detects potential processes activity of Zabbix Agent RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zabbix_agent_processes_sigma.yml) ### References - [https://www.zabbix.com/documentation/current/en/manual/appendix/install/windows_agent](https://www.zabbix.com/documentation/current/en/manual/appendix/install/windows_agent) diff --git a/lolrmm.com/content/rmm_tools/zerotier.md b/lolrmm.com/content/rmm_tools/zerotier.md index 1aba027b..72f7aa7f 100644 --- a/lolrmm.com/content/rmm_tools/zerotier.md +++ b/lolrmm.com/content/rmm_tools/zerotier.md @@ -24,6 +24,9 @@ ZeroTier is a remote monitoring and management (RMM) tool. More information will #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -44,16 +47,16 @@ ZeroTier is a remote monitoring and management (RMM) tool. More information will #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `zerotier.com` - `*.zerotier.com` - - +### Detections +- Detects potential network activity of ZeroTier RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zerotier_network_sigma.yml) +- Detects potential processes activity of ZeroTier RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zerotier_processes_sigma.yml) ### References - [https://my.zerotier.com/](https://my.zerotier.com/) 
diff --git a/lolrmm.com/content/rmm_tools/zoc.md b/lolrmm.com/content/rmm_tools/zoc.md index 8cc4d678..521e1a2d 100644 --- a/lolrmm.com/content/rmm_tools/zoc.md +++ b/lolrmm.com/content/rmm_tools/zoc.md @@ -23,6 +23,9 @@ ZOC is a remote monitoring and management (RMM) tool. More information will be a #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -44,6 +47,9 @@ ZOC is a remote monitoring and management (RMM) tool. More information will be a +### Detections +- Detects potential processes activity of ZOC RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoc_processes_sigma.yml) diff --git a/lolrmm.com/content/rmm_tools/zoho_assist.md b/lolrmm.com/content/rmm_tools/zoho_assist.md index 874dedc4..bdf4d076 100644 --- a/lolrmm.com/content/rmm_tools/zoho_assist.md +++ b/lolrmm.com/content/rmm_tools/zoho_assist.md @@ -24,6 +24,9 @@ Zoho Assist is a remote monitoring and management (RMM) tool. More information w #### PE Metadata +- **Filename**: +- **OriginalFileName**: +- **Description**: - **Free**: No @@ -51,10 +54,7 @@ Zoho Assist is a remote monitoring and management (RMM) tool. More information w #### Network Artifacts - -- **Description**: Known remote domains - - **Domains**: +- **Description**: Known remote domains **Domains**: - `*.zoho.com.au` - `*.zohoassist.jp` - `assist.zoho.com` 
@@ -70,8 +70,11 @@ Zoho Assist is a remote monitoring and management (RMM) tool. More information w - `*.zoho.eu` - - +### Detections +- Detects potential network activity of Zoho Assist RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoho_assist_network_sigma.yml) +- Detects potential processes activity of Zoho Assist RMM tool + - [Sigma Rule](https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoho_assist_processes_sigma.yml) ### References - [https://www.zoho.com/assist/kb/firewall-configuration.html](https://www.zoho.com/assist/kb/firewall-configuration.html) diff --git a/yaml/247ithelp.com_(connectwise).yaml b/yaml/247ithelp.com_(connectwise).yaml index 26c46448..a36c1081 100644 --- a/yaml/247ithelp.com_(connectwise).yaml +++ b/yaml/247ithelp.com_(connectwise).yaml @@ -17,17 +17,23 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - Remote Workforce Client.exe + - Remote Workforce Client.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - '*.247ithelp.com' - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - '*.247ithelp.com' + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/247ithelp.com__connectwise__network_sigma.yml + Description: Detects potential network activity of 247ithelp.com (ConnectWise) RMM + tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/247ithelp.com__connectwise__processes_sigma.yml + Description: Detects potential processes activity of 247ithelp.com (ConnectWise) + RMM tool References: - - Similar / replaced by ScreenConnect +- Similar / replaced by ScreenConnect Acknowledgement: [] diff --git a/yaml/absolute_(computrace).yaml b/yaml/absolute_(computrace).yaml index a793cda1..acd7c1d9 100644 --- a/yaml/absolute_(computrace).yaml +++ b/yaml/absolute_(computrace).yaml 
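Review bot: The two new `Sigma:` entries link to `blob/main`, so the reference resolves to whatever the branch holds at read time and silently 404s if the generated files are renamed (the `247ithelp.com__connectwise__` double-underscore mangling of the parentheses is a likely candidate for a later rename), whereas the hand-written detection for Action1 elsewhere in this commit pins a commit hash. Either pin these as well or store a repo-relative path such as `detections/sigma/247ithelp.com__connectwise__network_sigma.yml` and let the site template build the URL. The generated `Description` also says nothing about what the rule keys on; here that is the single pattern `*.247ithelp.com`, which is worth stating so an analyst can judge how narrow the coverage is.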
@@ -17,22 +17,26 @@ Details:
Capabilities: []
Vulnerabilities: []
InstallationPaths:
- - rpcnet.exe
- - ctes.exe
- - ctespersitence.exe
- - cteshostsvc.exe
- - rpcld.exe
+ - rpcnet.exe
+ - ctes.exe
+ - ctespersitence.exe
+ - cteshostsvc.exe
+ - rpcld.exe
Artifacts:
Disk: []
EventLog: []
Registry: []
Network:
- - Description: Known remote domains
- Domains:
- - '*search.namequery.com'
- - '*server.absolute.com'
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - '*search.namequery.com'
+ - '*server.absolute.com'
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/absolute__computrace__network_sigma.yml
+ Description: Detects potential network activity of Absolute (Computrace) RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/absolute__computrace__processes_sigma.yml
+ Description: Detects potential processes activity of Absolute (Computrace) RMM tool
References:
- - https://community.absolute.com/s/article/Understanding-Absolutes-Endpoint-Agents-Rpcnet-CTES-and-search-namequery-com
+- https://community.absolute.com/s/article/Understanding-Absolutes-Endpoint-Agents-Rpcnet-CTES-and-search-namequery-com
Acknowledgement: []
diff --git a/yaml/access_remote_pc.yaml b/yaml/access_remote_pc.yaml
index 6c37b892..6ef6485f 100644
--- a/yaml/access_remote_pc.yaml
+++ b/yaml/access_remote_pc.yaml
@@ -17,13 +17,15 @@ Details:
Capabilities: []
Vulnerabilities: []
InstallationPaths:
- - rpcgrab.exe
- - rpcsetup.exe
+ - rpcgrab.exe
+ - rpcsetup.exe
Artifacts:
Disk: []
EventLog: []
Registry: []
Network: []
-Detections: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/access_remote_pc_processes_sigma.yml
+ Description: Detects potential processes activity of Access Remote PC RMM tool
References: []
Acknowledgement: []
diff --git a/yaml/acronic_cyber_protect_(remotix).yaml b/yaml/acronic_cyber_protect_(remotix).yaml
index 978589e0..1ed06b2a 100644
--- a/yaml/acronic_cyber_protect_(remotix).yaml
+++ b/yaml/acronic_cyber_protect_(remotix).yaml
@@ -17,21 +17,27 @@ Details:
Capabilities: []
Vulnerabilities: []
InstallationPaths:
- - AcronisCyberProtectConnectQuickAssist*.exe
- - AcronisCyberProtectConnectAgent.exe
+ - AcronisCyberProtectConnectQuickAssist*.exe
+ - AcronisCyberProtectConnectAgent.exe
Artifacts:
Disk: []
EventLog: []
Registry: []
Network:
- - Description: Known remote domains
- Domains:
- - cloud.acronis.com
- - agents*-cloud.acronis.com
- - gw.remotix.com
- - connect.acronis.com
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - cloud.acronis.com
+ - agents*-cloud.acronis.com
+ - gw.remotix.com
+ - connect.acronis.com
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/acronic_cyber_protect__remotix__network_sigma.yml
+ Description: Detects potential network activity of Acronic Cyber Protect (Remotix)
+ RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/acronic_cyber_protect__remotix__processes_sigma.yml
+ Description: Detects potential processes activity of Acronic Cyber Protect (Remotix)
+ RMM tool
References:
- - https://kb.acronis.com/content/47189
+- https://kb.acronis.com/content/47189
Acknowledgement: []
diff --git a/yaml/action1.yaml b/yaml/action1.yaml
index 7c04ba9a..ef81cd55 100644
--- a/yaml/action1.yaml
+++ b/yaml/action1.yaml
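Review bot: The vendor name is misspelled `Acronic` (the product is Acronis, as the `acronis.com` domains in the same hunk show) and the new Detections entries now bake that typo into the rule file names `acronic_cyber_protect__remotix__network_sigma.yml` / `..._processes_sigma.yml` and their descriptions, so correcting it later means renaming files and regenerating every link. Renaming the YAML to `acronis_cyber_protect_(remotix).yaml` with `Name: Acronis Cyber Protect (Remotix)` before the generator runs again would avoid that. It is also worth checking how the generator translates the mid-label wildcard in `agents*-cloud.acronis.com`; a plain `endswith` modifier cannot express it, and if that is what the network rule emits, this domain is effectively uncovered.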
@@ -1,102 +1,109 @@ Name: Action1 -Description: | - Action1 is a powerful Remote Monitoring and Management(RMM) tool that enables users to execute commands, scripts, and binaries. - Through the web interface of action1, the administrator must create a new policy or an app to establish remote execution and then points that the agent is installed. +Description: "Action1 is a powerful Remote Monitoring and Management(RMM) tool that\ + \ enables users to execute commands, scripts, and binaries. \nThrough the web interface\ + \ of action1, the administrator must create a new policy or an app to establish\ + \ remote execution and then points that the agent is installed.\n" Author: '@kostastsale' Created: '2024-08-03' LastModified: '2024-08-03' Details: - Website: 'https://www.action1.com/' + Website: https://www.action1.com/ PEMetadata: - - Filename: 'action1_connector.exe' - - Filename: 'action1_remote.exe' - - Filename: 'action1_update.exe' - - Filename: 'action1_agent.exe' - OriginalFileName: 'action1_agent.exe' - Description: 'Endpoint Agent' - Privileges: 'SYSTEM' + - Filename: action1_connector.exe + - Filename: action1_remote.exe + - Filename: action1_update.exe + - Filename: action1_agent.exe + OriginalFileName: action1_agent.exe + Description: Endpoint Agent + Privileges: SYSTEM Free: 'Yes' - Verification: 'Corporate email required although temporary email services are accepted' + Verification: Corporate email required although temporary email services are accepted SupportedOS: - - 'Windows' + - Windows Capabilities: - - 'Backup and disaster recovery' - - 'Billing and invoicing' - - 'Customer portal' - - 'HelpDesk and ticketing' - - 'Mobile app' - - 'Network discovery' - - 'Patch management' - - 'Remote monitoring and management' - - 'Reporting and analytics' + - Backup and disaster recovery + - Billing and invoicing + - Customer portal + - HelpDesk and ticketing + - Mobile app + - Network discovery + - Patch management + - Remote monitoring and management + - 
Reporting and analytics Vulnerabilities: [] InstallationPaths: - - 'C:\Windows\Action1\*' + - C:\Windows\Action1\* Artifacts: Disk: - - File: 'C:\Windows\Action1\action1_agent.exe' - Description: Action1 service binary - OS: Windows - - File: 'C:\Windows\Action1\*' - Description: Multiple files and binaries related to Action1 installation - OS: Windows - - File: 'C:\Windows\Action1\scripts\*' - Description: Multiple scripts related to Action1 installation - OS: Windows - - File: 'C:\Windows\Action1\rule_data\*' - Description: Files related to Action1 rules - OS: Windows - - File: 'C:\Windows\Action1\action1_log_*.log' - Description: Contains history, errors, system notifications. Incoming and outgoing - connections. - OS: Windows + - File: C:\Windows\Action1\action1_agent.exe + Description: Action1 service binary + OS: Windows + - File: C:\Windows\Action1\* + Description: Multiple files and binaries related to Action1 installation + OS: Windows + - File: C:\Windows\Action1\scripts\* + Description: Multiple scripts related to Action1 installation + OS: Windows + - File: C:\Windows\Action1\rule_data\* + Description: Files related to Action1 rules + OS: Windows + - File: C:\Windows\Action1\action1_log_*.log + Description: Contains history, errors, system notifications. Incoming and outgoing + connections. + OS: Windows EventLog: - - EventID: 7045 - ProviderName: Service Control Manager - LogFile: System.evtx - ServiceName: Action1 Agent - ImagePath: '"C:\\Windows\\Action1\\action1_agent.exe"' - Description: Service installation event as result of Action1 installation. - - EventID: 4688 - ProviderName: Microsoft-Security-Auditing - LogFile: Security.evtx - CommandLine: 'C:\Windows\Action1\action1_agent.exe service' - Description: Service installation event as result of Action1 installation. 
- - EventID: 4688 - ProviderName: Microsoft-Security-Auditing - LogFile: Security.evtx - CommandLine: 'C:\Windows\Action1\action1_agent.exe loggedonuser' - Description: Executing command to get logged on user. + - EventID: 7045 + ProviderName: Service Control Manager + LogFile: System.evtx + ServiceName: Action1 Agent + ImagePath: '"C:\\Windows\\Action1\\action1_agent.exe"' + Description: Service installation event as result of Action1 installation. + - EventID: 4688 + ProviderName: Microsoft-Security-Auditing + LogFile: Security.evtx + CommandLine: C:\Windows\Action1\action1_agent.exe service + Description: Service installation event as result of Action1 installation. + - EventID: 4688 + ProviderName: Microsoft-Security-Auditing + LogFile: Security.evtx + CommandLine: C:\Windows\Action1\action1_agent.exe loggedonuser + Description: Executing command to get logged on user. Registry: - - Path: 'HKLM\System\CurrentControlSet\Services\A1Agent' - Description: 'Service installation event as result of Action1 installation.' - - Path: 'HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\Windows Error Reporting\LocalDumps\action1_agent.exe' - Description: 'Ensures that detailed crash information is available for analysis, - which aids in maintaining the stability and reliability of the software.' - - Path: 'HKLM\SOFTWARE\WOW6432Node\Action1' - Description: 'Storing its configuration settings and other relevant information' + - Path: HKLM\System\CurrentControlSet\Services\A1Agent + Description: Service installation event as result of Action1 installation. + - Path: HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\Windows Error Reporting\LocalDumps\action1_agent.exe + Description: Ensures that detailed crash information is available for analysis, + which aids in maintaining the stability and reliability of the software. 
+ - Path: HKLM\SOFTWARE\WOW6432Node\Action1 + Description: Storing its configuration settings and other relevant information Network: - - Description: N/A - Domains: - - '*.action1.com' - Ports: - - 443 - - Description: N/A - Domains: - - 'a1-backend-packages.s3.amazonaws.com' - Ports: - - 443 + - Description: N/A + Domains: + - '*.action1.com' + Ports: + - 443 + - Description: N/A + Domains: + - a1-backend-packages.s3.amazonaws.com + Ports: + - 443 Detections: - - Name: Arbitrary code execution and remote sessions via Action1 RMM - Description: Threat hunting rule for detecting the execution of arbitrary code - and remote sessions via Action1 RMM - author: '@kostastsale' - Link: 'https://github.com/tsale/Sigma_rules/blob/ea87e4fc851207ca0f002ec043624f2b3bf1b2da/Threat%20Hunting%20Queries/Action1_RMM.yml' +- Name: Arbitrary code execution and remote sessions via Action1 RMM + Description: Threat hunting rule for detecting the execution of arbitrary code and + remote sessions via Action1 RMM + author: '@kostastsale' + Link: https://github.com/tsale/Sigma_rules/blob/ea87e4fc851207ca0f002ec043624f2b3bf1b2da/Threat%20Hunting%20Queries/Action1_RMM.yml +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_registry_sigma.yml + Description: Detects potential registry activity of Action1 RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_network_sigma.yml + Description: Detects potential network activity of Action1 RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_files_sigma.yml + Description: Detects potential files activity of Action1 RMM tool References: - - https://www.action1.com/documentation/firewall-configuration/ - - https://www.action1.com/documentation/ - - https://twitter.com/Kostastsale/status/1646256901506605063?s=20 - - https://ruler-project.github.io/ruler-project/RULER/remote/Action1/ +- 
https://www.action1.com/documentation/firewall-configuration/ +- https://www.action1.com/documentation/ +- https://twitter.com/Kostastsale/status/1646256901506605063?s=20 +- https://ruler-project.github.io/ruler-project/RULER/remote/Action1/ Acknowledgement: - - Person: "Kostas" - Handle: "@kostastsale" +- Person: Kostas + Handle: '@kostastsale' diff --git a/yaml/addigy.yaml b/yaml/addigy.yaml index 0692a574..5e7fe719 100644 --- a/yaml/addigy.yaml +++ b/yaml/addigy.yaml @@ -17,19 +17,21 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - addigy-*.pkg + - addigy-*.pkg Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - prod.addigy.com - - grtmprod.addigy.com - - agents.addigy.com - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - prod.addigy.com + - grtmprod.addigy.com + - agents.addigy.com + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/addigy_network_sigma.yml + Description: Detects potential network activity of Addigy RMM tool References: - - https://addigy.com/ +- https://addigy.com/ Acknowledgement: [] diff --git a/yaml/adobe_connect.yaml b/yaml/adobe_connect.yaml index 5c496427..3a776d01 100644 --- a/yaml/adobe_connect.yaml +++ b/yaml/adobe_connect.yaml 
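Review bot: The Detections list now mixes two record shapes: the hand-written entry keys its URL under `Link` (with `Name` and `author`), while the three generated entries key theirs under `Sigma` with only a `Description`, so every consumer of this file has to special-case both. Emitting the generated entries in the existing shape, e.g. `- Name: Action1 registry activity` / `  Link: https://…/action1_registry_sigma.yml`, or adding `Link` next to `Sigma`, would keep one schema. Separately, no `action1_processes_sigma.yml` was generated even though PEMetadata names four executables and the 4688 entries record command lines; if the generator only keys on `InstallationPaths` entries ending in `.exe`, the `C:\Windows\Action1\*` wildcard would explain the gap and is worth confirming. Note too that the hand-written rule is pinned to a commit while the generated ones point at `blob/main`.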
@@ -17,20 +17,24 @@ Details:
Capabilities: []
Vulnerabilities: []
InstallationPaths:
- - ConnectAppSetup*.exe
- - ConnectShellSetup*.exe
- - Connect.exe
- - ConnectDetector.exe
+ - ConnectAppSetup*.exe
+ - ConnectShellSetup*.exe
+ - Connect.exe
+ - ConnectDetector.exe
Artifacts:
Disk: []
EventLog: []
Registry: []
Network:
- - Description: Known remote domains
- Domains:
- - '*.adobeconnect.com'
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - '*.adobeconnect.com'
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/adobe_connect_network_sigma.yml
+ Description: Detects potential network activity of Adobe Connect RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/adobe_connect_processes_sigma.yml
+ Description: Detects potential processes activity of Adobe Connect RMM tool
References:
- - https://helpx.adobe.com/adobe-connect/firewall-proxy-server-configuration-adobe-connect.html
+- https://helpx.adobe.com/adobe-connect/firewall-proxy-server-configuration-adobe-connect.html
Acknowledgement: []
diff --git a/yaml/aeroadmin.yaml b/yaml/aeroadmin.yaml
index c7b50d2d..6bcda871 100644
--- a/yaml/aeroadmin.yaml
+++ b/yaml/aeroadmin.yaml
@@ -17,19 +17,23 @@ Details:
Capabilities: []
Vulnerabilities: []
InstallationPaths:
- - aeroadmin.exe
- - AeroAdmin.exe
+ - aeroadmin.exe
+ - AeroAdmin.exe
Artifacts:
Disk: []
EventLog: []
Registry: []
Network:
- - Description: Known remote domains
- Domains:
- - auth*.aeroadmin.com
- - aeroadmin.com
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - auth*.aeroadmin.com
+ - aeroadmin.com
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aeroadmin_network_sigma.yml
+ Description: Detects potential network activity of AeroAdmin RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aeroadmin_processes_sigma.yml
+ Description: Detects potential processes activity of AeroAdmin RMM tool
References:
- - https://support.aeroadmin.com/kb/faq.php?id=58
+- https://support.aeroadmin.com/kb/faq.php?id=58
Acknowledgement: []
diff --git a/yaml/air_explorer.yaml b/yaml/air_explorer.yaml
index 9f818ed3..badda032 100644
--- a/yaml/air_explorer.yaml
+++ b/yaml/air_explorer.yaml
@@ -17,14 +17,16 @@ Details:
Capabilities: []
Vulnerabilities: []
InstallationPaths:
- - C:\Program Files\airexplorer\*
- - '*\airexplorer\*'
- - '*\airexplorer.exe'
+ - C:\Program Files\airexplorer\*
+ - '*\airexplorer\*'
+ - '*\airexplorer.exe'
Artifacts:
Disk: []
EventLog: []
Registry: []
Network: []
-Detections: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/air_explorer_processes_sigma.yml
+ Description: Detects potential processes activity of Air Explorer RMM tool
References: []
Acknowledgement: []
diff --git a/yaml/air_live_drive.yaml b/yaml/air_live_drive.yaml
index a2e286c3..f87bc6e4 100644
--- a/yaml/air_live_drive.yaml
+++ b/yaml/air_live_drive.yaml
@@ -17,14 +17,16 @@ Details:
Capabilities: []
Vulnerabilities: []
InstallationPaths:
- - C:\Program Files\AirLiveDrive\*
- - '*\AirLiveDrive\*'
- - '*\AirLiveDrive.exe'
+ - C:\Program Files\AirLiveDrive\*
+ - '*\AirLiveDrive\*'
+ - '*\AirLiveDrive.exe'
Artifacts:
Disk: []
EventLog: []
Registry: []
Network: []
-Detections: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/air_live_drive_processes_sigma.yml
+ Description: Detects potential processes activity of Air Live Drive RMM tool
References: []
Acknowledgement: []
diff --git a/yaml/aliwangwang-remote-control.yaml b/yaml/aliwangwang-remote-control.yaml
index 95446818..121bb00b 100644
--- a/yaml/aliwangwang-remote-control.yaml
+++ b/yaml/aliwangwang-remote-control.yaml
@@ -17,17 +17,23 @@ Details:
Capabilities: []
Vulnerabilities: []
InstallationPaths:
- - alitask.exe
+ - alitask.exe
Artifacts:
Disk: []
EventLog: []
Registry: []
Network:
- - Description: Known remote domains
- Domains:
- - wangwang.taobao.com
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - wangwang.taobao.com
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aliwangwang-remote-control_network_sigma.yml
+ Description: Detects potential network activity of AliWangWang-remote-control RMM
+ tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aliwangwang-remote-control_processes_sigma.yml
+ Description: Detects potential processes activity of AliWangWang-remote-control
+ RMM tool
References:
- - https://github.com/KKomarov/AliWangWangEng/blob/master/chs.locale
+- https://github.com/KKomarov/AliWangWangEng/blob/master/chs.locale
Acknowledgement: []
diff --git a/yaml/alpemix.yaml b/yaml/alpemix.yaml
index e61ddb51..134b2d67 100644
--- a/yaml/alpemix.yaml
+++ b/yaml/alpemix.yaml
@@ -1,89 +1,98 @@ Name: Alpemix -Description: | - Alpemix is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. -Author: 'Nasreddine Bencherchali' +Description: 'Alpemix is a remote monitoring and management (RMM) tool. More information + will be added as it becomes available. + + ' +Author: Nasreddine Bencherchali Created: '2024-08-05' LastModified: '2024-08-05' Details: - Website: 'https://www.alpemix.com/en/Home' - PEMetadata: - - Filename: 'Alpemix.exe' - OriginalFileName: 'Alpemix' - Description: 'Alpemix' - Product: 'Alpemix' - Description: 'Alpemix' - InternalName: 'Alpemix' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: - - Windows - - Linux - - Android - - Mac - - IOS - Capabilities: - - 5 Different Solutions for Remote Support - - Access to Unattended Computers - - Access to User Account Control (UAC) Screens - - Add Your Own Logo - - Auto Sizing - - Automatic Update - - Clipboard Transfer - - Computer Independent Licensing - - Contact List and Groups - - Encrypted Communication - - External Communication Barrier - - File Transfer - - Instant Messaging - - Multi-Platform Support - - Multiple Chat - - Multiple Connections - - No Port Forwarding Required - - Peer to Peer Connection (p2p) - - Receiving Offline Message - - Remote Restart - - ReportingRestricting The Authority - - Screen Sharing - - Sending Announcement Message - - Sharing a certain part of the screen - - Video Recording - - Voice Communication - - Who is currently supporting? 
- - Working in Black Screen Mode
- Vulnerabilities: []
- InstallationPaths:
- - C:\AlpemixService.exe
- - C:\AlpemixSrvc\
+ Website: https://www.alpemix.com/en/Home
+ PEMetadata:
+ - Filename: Alpemix.exe
+ OriginalFileName: Alpemix
+ Description: Alpemix
+ Product: Alpemix
+ InternalName: Alpemix
+ Privileges: ''
+ Free: ''
+ Verification: ''
+ SupportedOS:
+ - Windows
+ - Linux
+ - Android
+ - Mac
+ - IOS
+ Capabilities:
+ - 5 Different Solutions for Remote Support
+ - Access to Unattended Computers
+ - Access to User Account Control (UAC) Screens
+ - Add Your Own Logo
+ - Auto Sizing
+ - Automatic Update
+ - Clipboard Transfer
+ - Computer Independent Licensing
+ - Contact List and Groups
+ - Encrypted Communication
+ - External Communication Barrier
+ - File Transfer
+ - Instant Messaging
+ - Multi-Platform Support
+ - Multiple Chat
+ - Multiple Connections
+ - No Port Forwarding Required
+ - Peer to Peer Connection (p2p)
+ - Receiving Offline Message
+ - Remote Restart
+ - ReportingRestricting The Authority
+ - Screen Sharing
+ - Sending Announcement Message
+ - Sharing a certain part of the screen
+ - Video Recording
+ - Voice Communication
+ - Who is currently supporting?
+ - Working in Black Screen Mode
+ Vulnerabilities: []
+ InstallationPaths:
+ - C:\AlpemixService.exe
+ - C:\AlpemixSrvc\
Artifacts:
- Disk:
- - File: '%localappdata%\Alpemix\Alpemix.ini'
- Description: N/A
- OS: Windows
- EventLog:
- - EventID: 7045
- ProviderName: Service Control Manager
- LogFile: System.evtx
- ServiceName: AlpemixSrvc
- ImagePath: '*\Alpemix.exe servicestartxxx'
- Description: Service installation event as result of Alpemix installation.
- Registry:
- - Path: 'HKLM\SYSTEM\CurrentControlSet\Services\AlpemixSrvcx'
- Description: N/A
- Network:
- - Domains:
- - '*.alpemix.com'
- Ports:
- - 443
- Description: N/A
- - Domains:
- - '*.teknopars.com'
- Ports:
- - 80
- Description: N/A
-Detections: []
+ Disk:
+ - File: '%localappdata%\Alpemix\Alpemix.ini'
+ Description: N/A
+ OS: Windows
+ EventLog:
+ - EventID: 7045
+ ProviderName: Service Control Manager
+ LogFile: System.evtx
+ ServiceName: AlpemixSrvc
+ ImagePath: '*\Alpemix.exe servicestartxxx'
+ Description: Service installation event as result of Alpemix installation.
+ Registry:
+ - Path: HKLM\SYSTEM\CurrentControlSet\Services\AlpemixSrvcx
+ Description: N/A
+ Network:
+ - Domains:
+ - '*.alpemix.com'
+ Ports:
+ - 443
+ Description: N/A
+ - Domains:
+ - '*.teknopars.com'
+ Ports:
+ - 80
+ Description: N/A
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_registry_sigma.yml
+ Description: Detects potential registry activity of Alpemix RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_network_sigma.yml
+ Description: Detects potential network activity of Alpemix RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_files_sigma.yml
+ Description: Detects potential files activity of Alpemix RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_processes_sigma.yml
+ Description: Detects potential processes activity of Alpemix RMM tool
References:
- - https://www.alpemix.com/en/remote-access
+- https://www.alpemix.com/en/remote-access
Acknowledgement:
- - Person: Nasreddine Bencherchali
- Handle: '@nas_bench'
\ No newline at end of file
+- Person: Nasreddine Bencherchali
+ Handle: '@nas_bench'
diff --git a/yaml/amazon_(cloud)_drive.yaml b/yaml/amazon_(cloud)_drive.yaml
index 3e92bcdc..14af7a9d 100644
--- a/yaml/amazon_(cloud)_drive.yaml
+++ b/yaml/amazon_(cloud)_drive.yaml
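Review bot: The registry path `HKLM\SYSTEM\CurrentControlSet\Services\AlpemixSrvcx` carries a trailing `x` that the 7045 entry's `ServiceName: AlpemixSrvc` does not; if that is a typo rather than the real key name, the newly generated `alpemix_registry_sigma.yml` keys on a path that never exists and is dead on arrival. The `ImagePath: '*\Alpemix.exe servicestartxxx'` value looks like a placeholder for the same reason. Both should be confirmed against a live install before the rules are published; if they are correct, a comment such as `# service key really is AlpemixSrvcx, not AlpemixSrvc` would stop the next reader from "fixing" it. The capability `ReportingRestricting The Authority` also reads as two list items fused into one (`Reporting` and `Restricting The Authority`), and the re-dump kept it as-is.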
@@ -17,14 +17,16 @@ Details:
Capabilities: []
Vulnerabilities: []
InstallationPaths:
- - C:\Users\*\AppData\Local\Amazon\Cloud Drive\*
- - '*\AppData\Local\Amazon\Cloud Drive\*'
- - '*\AmazonCloudDrive.exe'
+ - C:\Users\*\AppData\Local\Amazon\Cloud Drive\*
+ - '*\AppData\Local\Amazon\Cloud Drive\*'
+ - '*\AmazonCloudDrive.exe'
Artifacts:
Disk: []
EventLog: []
Registry: []
Network: []
-Detections: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/amazon__cloud__drive_processes_sigma.yml
+ Description: Detects potential processes activity of Amazon (Cloud) Drive RMM tool
References: []
Acknowledgement: []
diff --git a/yaml/any_support.yaml b/yaml/any_support.yaml
index db98d3a9..ba0efeb3 100644
--- a/yaml/any_support.yaml
+++ b/yaml/any_support.yaml
@@ -17,17 +17,21 @@ Details:
Capabilities: []
Vulnerabilities: []
InstallationPaths:
- - ManualLauncher.exe
+ - ManualLauncher.exe
Artifacts:
Disk: []
EventLog: []
Registry: []
Network:
- - Description: Known remote domains
- Domains:
- - '*.anysupport.net'
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - '*.anysupport.net'
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/any_support_network_sigma.yml
+ Description: Detects potential network activity of Any Support RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/any_support_processes_sigma.yml
+ Description: Detects potential processes activity of Any Support RMM tool
References:
- - https://www.anysupport.net/introduce_howto.php
+- https://www.anysupport.net/introduce_howto.php
Acknowledgement: []
diff --git a/yaml/anydesk.yaml b/yaml/anydesk.yaml
index bbd035e1..d514ba23 100644
--- a/yaml/anydesk.yaml
+++ b/yaml/anydesk.yaml
@@ -1,185 +1,190 @@ Name: AnyDesk Category: RMM -Description: | - AnyDesk is a popular remote desktop software that enables users to access and control a computer or device from a remote location. It was developed with the primary goal of facilitating remote work, technical support, and collaboration between individuals and teams. -Author: 'Ali Alwashali, Nasreddine Bencherchali' +Description: 'AnyDesk is a popular remote desktop software that enables users to access + and control a computer or device from a remote location. It was developed with the + primary goal of facilitating remote work, technical support, and collaboration between + individuals and teams. + + ' +Author: Ali Alwashali, Nasreddine Bencherchali Created: '2023-09-29' LastModified: '2024-08-02' Details: Website: https://anydesk.com/en PEMetadata: - - Filename: anydesk.exe - OriginalFileName: AnyDesk.exe - Description: AnyDesk - Product: AnyDesk + - Filename: anydesk.exe + OriginalFileName: AnyDesk.exe + Description: AnyDesk + Product: AnyDesk Privileges: User Free: true Verification: false SupportedOS: - - Android - - ChromeOS - - IOS - - Linux - - Mac - - Windows + - Android + - ChromeOS + - IOS + - Linux + - Mac + - Windows Capabilities: - - File Transfer - - File System Access - - Remote Control - - GUI Support - - Command line Support + - File Transfer + - File System Access + - Remote Control + - GUI Support + - Command line Support Vulnerabilities: - - https://www.cvedetails.com/vulnerability-list/vendor_id-16953/product_id-40173/Anydesk-Anydesk.html + - https://www.cvedetails.com/vulnerability-list/vendor_id-16953/product_id-40173/Anydesk-Anydesk.html InstallationPaths: - - C:\Program Files (x86)\AnyDesk\* - - C:\Program Files\AnyDesk\* + - C:\Program Files (x86)\AnyDesk\* + - C:\Program Files\AnyDesk\* Artifacts: Disk: - - File: '%programdata%\AnyDesk\ad_svc.trace' - Description: 'AnyDesk service log file. 
As well as ad.trace, we can determine - the IP address of the other participant and its AnyDesk ID when a connection - is established.' - OS: Windows - Example: - - 'info 2022-08-23 10:20:11.969 gsvc 4628 3528 3 anynet.relay_conn - - External address: 34.xx.xx.123:46798' - - File: '%programdata%\AnyDesk\connection_trace.txt' - Description: Incoming connection logs, contains IP Address of the remote machine - and file transfer activity. Only generated on target side. The content indicates - how the connection was approved (e.g. the local user authorized it, or a password - was used) - OS: Windows - Example: - - 'Incoming 2022-08-23, 10:23 Passwd 547911884 547911884' - - 'Incoming 2022-09-28, 12:39 User 442226597 442226597' - - File: '%APPDATA%\AnyDesk\connection_trace.txt' - Description: Incoming connection logs, contains IP Address of the remote machine - and file transfer activity. Only generated on target side. The content indicates - how the connection was approved (e.g. the local user authorized it, or a password - was used) - OS: Windows - Example: - - 'Incoming 2022-08-23, 10:23 Passwd 547911884 547911884' - - 'Incoming 2022-09-28, 12:39 User 442226597 442226597' - - File: '%APPDATA%\AnyDesk\ad.trace' - Description: 'AnyDesk user interface log file. In this log file, we can determine - the IP address of the other participant and its AnyDesk ID. It is also possible - to track events of file transfer. Below is the Client ID and external IP address - of the remote participant.' - OS: Windows - Example: - - 'info 2022-09-28 12:39:26.845 lsvc 9952 9944 21 anynet.any_socket - - Client-ID: 442226597 (FPR: 8e28a2a25b30).' - - 'info 2022-09-28 12:39:26.845 lsvc 9952 9944 21 anynet.any_socket - - Logged in from 12.xx.xx.21:59562 on relay 80e496c0.' - - File: '%APPDATA%\AnyDesk\chat\*.txt' - Description: If the chat functionality is used, its entries will be printed - in a text file in this folder. 
- OS: Windows - - File: '%APPDATA%\AnyDesk\user.conf' - Description: N/A - OS: Windows - - File: '%PROGRAMDATA%\AnyDesk\service.conf' - Description: Password can be set to auto-validate the session. The password - will be saved in a salted hash format. - OS: Windows - - File: '%APPDATA%\AnyDesk\service.conf' - Description: N/A - OS: Windows - - File: '%APPDATA%\AnyDesk\system.conf' - Description: N/A - OS: Windows - - File: '%PROGRAMDATA%\AnyDesk\system.conf' - Description: N/A - OS: Windows - - File: '%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\AnyDesk.lnk' - Description: N/A - OS: Windows - - File: '%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\AnyDesk\Uninstall - AnyDesk.lnk' - Description: N/A - OS: Windows - - File: 'C:\Users\*\Videos\AnyDesk\*.anydesk' - Description: N/A - OS: Windows - - File: 'C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\AnyDesk\*' - Description: N/A - OS: Windows - - File: '~/Library/Application Support/AnyDesk/Logs/' - Description: N/A - OS: Mac - - File: '~/.config/AnyDesk/Logs/' - Description: N/A - OS: Linux + - File: '%programdata%\AnyDesk\ad_svc.trace' + Description: AnyDesk service log file. As well as ad.trace, we can determine the + IP address of the other participant and its AnyDesk ID when a connection is + established. + OS: Windows + Example: + - 'info 2022-08-23 10:20:11.969 gsvc 4628 3528 3 anynet.relay_conn + - External address: 34.xx.xx.123:46798' + - File: '%programdata%\AnyDesk\connection_trace.txt' + Description: Incoming connection logs, contains IP Address of the remote machine + and file transfer activity. Only generated on target side. The content indicates + how the connection was approved (e.g. 
the local user authorized it, or a password + was used) + OS: Windows + Example: + - Incoming 2022-08-23, 10:23 Passwd 547911884 547911884 + - Incoming 2022-09-28, 12:39 User 442226597 442226597 + - File: '%APPDATA%\AnyDesk\connection_trace.txt' + Description: Incoming connection logs, contains IP Address of the remote machine + and file transfer activity. Only generated on target side. The content indicates + how the connection was approved (e.g. the local user authorized it, or a password + was used) + OS: Windows + Example: + - Incoming 2022-08-23, 10:23 Passwd 547911884 547911884 + - Incoming 2022-09-28, 12:39 User 442226597 442226597 + - File: '%APPDATA%\AnyDesk\ad.trace' + Description: AnyDesk user interface log file. In this log file, we can determine + the IP address of the other participant and its AnyDesk ID. It is also possible + to track events of file transfer. Below is the Client ID and external IP address + of the remote participant. + OS: Windows + Example: + - 'info 2022-09-28 12:39:26.845 lsvc 9952 9944 21 anynet.any_socket + - Client-ID: 442226597 (FPR: 8e28a2a25b30).' + - info 2022-09-28 12:39:26.845 lsvc 9952 9944 21 anynet.any_socket + - Logged in from 12.xx.xx.21:59562 on relay 80e496c0. + - File: '%APPDATA%\AnyDesk\chat\*.txt' + Description: If the chat functionality is used, its entries will be printed in + a text file in this folder. + OS: Windows + - File: '%APPDATA%\AnyDesk\user.conf' + Description: N/A + OS: Windows + - File: '%PROGRAMDATA%\AnyDesk\service.conf' + Description: Password can be set to auto-validate the session. The password will + be saved in a salted hash format. 
+ OS: Windows + - File: '%APPDATA%\AnyDesk\service.conf' + Description: N/A + OS: Windows + - File: '%APPDATA%\AnyDesk\system.conf' + Description: N/A + OS: Windows + - File: '%PROGRAMDATA%\AnyDesk\system.conf' + Description: N/A + OS: Windows + - File: '%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\AnyDesk.lnk' + Description: N/A + OS: Windows + - File: '%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\AnyDesk\Uninstall AnyDesk.lnk' + Description: N/A + OS: Windows + - File: C:\Users\*\Videos\AnyDesk\*.anydesk + Description: N/A + OS: Windows + - File: C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\AnyDesk\* + Description: N/A + OS: Windows + - File: ~/Library/Application Support/AnyDesk/Logs/ + Description: N/A + OS: Mac + - File: ~/.config/AnyDesk/Logs/ + Description: N/A + OS: Linux EventLog: - - EventID: 7045 - ProviderName: Service Control Manager - LogFile: System.evtx - ServiceName: AnyDesk Service - ImagePath: '"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe" --service' - Description: Service installation event as result of AnyDesk installation. + - EventID: 7045 + ProviderName: Service Control Manager + LogFile: System.evtx + ServiceName: AnyDesk Service + ImagePath: '"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe" --service' + Description: Service installation event as result of AnyDesk installation. 
Registry: - - Path: 'HKLM\SOFTWARE\Clients\Media\AnyDesk' - Description: N/A - - Path: 'HKLM\SYSTEM\CurrentControlSet\Services\AnyDesk' - Description: N/A - - Path: 'HKLM\SOFTWARE\Classes\.anydesk\shell\open\command' - Description: N/A - - Path: 'HKLM\SOFTWARE\Classes\AnyDesk\shell\open\command' - Description: N/A - - Path: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\AnyDesk - Printer\*' - Description: N/A - - Path: HKLM\DRIVERS\DriverDatabase\DeviceIds\USBPRINT\AnyDesk - Description: N/A - - Path: HKLM\DRIVERS\DriverDatabase\DeviceIds\WSDPRINT\AnyDesk - Description: N/A - - Path: HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AnyDesk - Description: N/A + - Path: HKLM\SOFTWARE\Clients\Media\AnyDesk + Description: N/A + - Path: HKLM\SYSTEM\CurrentControlSet\Services\AnyDesk + Description: N/A + - Path: HKLM\SOFTWARE\Classes\.anydesk\shell\open\command + Description: N/A + - Path: HKLM\SOFTWARE\Classes\AnyDesk\shell\open\command + Description: N/A + - Path: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\AnyDesk + Printer\* + Description: N/A + - Path: HKLM\DRIVERS\DriverDatabase\DeviceIds\USBPRINT\AnyDesk + Description: N/A + - Path: HKLM\DRIVERS\DriverDatabase\DeviceIds\WSDPRINT\AnyDesk + Description: N/A + - Path: HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AnyDesk + Description: N/A Network: - - Description: 'During setup the boot.net.anydesk.com domain is request over port - 443' - Domains: - - boot.net.anydesk.com - Ports: - - 443 - - Description: N/A - Domains: - - relay-[a-f0-9]{8}.net.anydesk.com:443 - Ports: - - 443 - - Description: N/A - Domains: - - '*.anydesk.com' - Ports: - - 443 + - Description: During setup the boot.net.anydesk.com domain is request over port + 443 + Domains: + - boot.net.anydesk.com + Ports: + - 443 + - Description: N/A + Domains: + - relay-[a-f0-9]{8}.net.anydesk.com:443 + Ports: + - 443 + - Description: N/A + Domains: + - '*.anydesk.com' + Ports: 
+ - 443 Other: - - Type: User-Agent - Value: 'AnyDesk/*' - - Type: NamedPipe - Value: 'adprinterpipe' + - Type: User-Agent + Value: AnyDesk/* + - Type: NamedPipe + Value: adprinterpipe Detections: - - Sigma: - https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/builtin/system/service_control_manager/win_system_service_install_anydesk.yml - Description: Anydesk Remote Access Software Service Installation - - Sigma: - https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml - Description: N/A - - Sigma: - https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk.yml - Description: N/A - - Sigma: - https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml - Description: Remote Access Tool - AnyDesk Silent Installation +- Sigma: https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/builtin/system/service_control_manager/win_system_service_install_anydesk.yml + Description: Anydesk Remote Access Software Service Installation +- Sigma: https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml + Description: N/A +- Sigma: https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk.yml + Description: N/A +- Sigma: https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml + Description: Remote Access Tool - AnyDesk Silent Installation +- Sigma: 
https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_registry_sigma.yml + Description: Detects potential registry activity of AnyDesk RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_network_sigma.yml + Description: Detects potential network activity of AnyDesk RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_files_sigma.yml + Description: Detects potential files activity of AnyDesk RMM tool References: - - https://support.anydesk.com/knowledge/firewall - - https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html - - https://github.com/mthcht/awesome-lists/tree/79ced75eebe53bcabf1235b3c17eb11788875482/Lists/RMM/anydesk - - https://ruler-project.github.io/ruler-project/RULER/remote/AnyDesk/ +- https://support.anydesk.com/knowledge/firewall +- https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html +- https://github.com/mthcht/awesome-lists/tree/79ced75eebe53bcabf1235b3c17eb11788875482/Lists/RMM/anydesk +- https://ruler-project.github.io/ruler-project/RULER/remote/AnyDesk/ Acknowledgement: - - Person: "Théo Letailleur" - Handle: in/theosyn - - Person: Ali Alwashali - Handle: '@ali_alwashali' - - Person: Nasreddine Bencherchali - Handle: '@nas_bench' +- Person: "Th\xE9o Letailleur" + Handle: in/theosyn +- Person: Ali Alwashali + Handle: '@ali_alwashali' +- Person: Nasreddine Bencherchali + Handle: '@nas_bench' diff --git a/yaml/anyplace_control.yaml b/yaml/anyplace_control.yaml index f1085a79..3f2e3b75 100644 --- a/yaml/anyplace_control.yaml +++ b/yaml/anyplace_control.yaml 
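Review bot: The ad.trace Example entry that lost its quotes is now a multi-line plain scalar whose continuation line is `- Logged in from 12.xx.xx.21:59562 on relay 80e496c0.`; with indentation lost in this view it cannot be confirmed whether that line is indented past the list dash (one value, as in the old single-quoted form) or parses as a separate Example entry, and anyone re-indenting the file by hand will easily turn the former into the latter. The first entry of the same list kept its quotes (`- 'info 2022-09-28 12:39:26.845 lsvc 9952 9944 21 anynet.any_socket - Client-ID: 442226597 (FPR: 8e28a2a25b30).'`) only because of the embedded `: `, so the list is now quoted inconsistently. Quoting every multi-line Example value (or forcing a quoted style for these fields in the dumper) keeps each log line one unambiguous scalar. The `Description` block scalar was also rewritten as a single-quoted scalar with an embedded blank line, which keeps the trailing newline of `|` but is harder to read and may render as a trailing paragraph break; `Description: >-` would preserve the text without that, and the `"Th\xE9o Letailleur"` escape suggests the dumper is run without unicode output enabled.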
@@ -17,17 +17,21 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - apc_host.exe
+ - apc_host.exe
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - anyplace-control.com
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - anyplace-control.com
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyplace_control_network_sigma.yml
+ Description: Detects potential network activity of Anyplace Control RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyplace_control_processes_sigma.yml
+ Description: Detects potential processes activity of Anyplace Control RMM tool
 References:
- - http://www.anyplace-control.com/anyplace-control/help/faq.htm
+- http://www.anyplace-control.com/anyplace-control/help/faq.htm
 Acknowledgement: []
diff --git a/yaml/anyviewer.yaml b/yaml/anyviewer.yaml
index 8eb09e77..bf9f901f 100644
--- a/yaml/anyviewer.yaml
+++ b/yaml/anyviewer.yaml
@@ -1,72 +1,74 @@ Name: AnyViewer -Description: | - AnyViewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. +Description: 'AnyViewer is a remote monitoring and management (RMM) tool. More information + will be added as it becomes available. + + ' Author: '@kostastsale' Created: '2024-08-03' LastModified: '2024-08-03' Details: - Website: 'https://www.anyviewer.com/' + Website: https://www.anyviewer.com/ PEMetadata: - - Filename: 'AnyViewer.exe' - OriginalFileName: 'AnyViewer' - Description: 'Splash Window' - - Filename: 'RCClient.exe' - OriginalFileName: 'RCClient.exe' - Description: 'AnyViewer Core' - - Filename: 'ScreanCap.exe' - Description: 'Screan capture' - - Filename: 'AVCore.exe' - - Filename: 'RCService.exe' - Privileges: 'System' - Free: 'up to 10 devices' - Verification: 'None' + - Filename: AnyViewer.exe + OriginalFileName: AnyViewer + Description: Splash Window + - Filename: RCClient.exe + OriginalFileName: RCClient.exe + Description: AnyViewer Core + - Filename: ScreanCap.exe + Description: Screan capture + - Filename: AVCore.exe + - Filename: RCService.exe + Privileges: System + Free: up to 10 devices + Verification: None SupportedOS: - - 'Windows' + - Windows Capabilities: - - 'Remote desktop' - - 'Remote file transfer' - - 'Remote monitoring and management' - - 'Remote shell open' + - Remote desktop + - Remote file transfer + - Remote monitoring and management + - Remote shell open Vulnerabilities: [] InstallationPaths: - - 'C:\Program Files (x86)\AnyViewer\*' + - C:\Program Files (x86)\AnyViewer\* Artifacts: Disk: [] EventLog: - - EventID: 4688 - ProviderName: Microsoft-Security-Auditing - LogFile: Security.evtx - CommandLine: '"C:\\Program Files (x86)\\AnyViewer\\AVCore.exe" -d' - Description: Taking actions on the remote machine such as opening a command - prompt. 
- - EventID: 7045 - ProviderName: Service Control Manager - LogFile: System.evtx - ServiceName: RCService - ImagePath: 'C:\\Program Files (x86)\\AnyViewer\\RCService.exe' - Description: AnyViewer service installation service. + - EventID: 4688 + ProviderName: Microsoft-Security-Auditing + LogFile: Security.evtx + CommandLine: '"C:\\Program Files (x86)\\AnyViewer\\AVCore.exe" -d' + Description: Taking actions on the remote machine such as opening a command prompt. + - EventID: 7045 + ProviderName: Service Control Manager + LogFile: System.evtx + ServiceName: RCService + ImagePath: C:\\Program Files (x86)\\AnyViewer\\RCService.exe + Description: AnyViewer service installation service. Registry: [] Network: - - Description: N/A - Domains: - - '*.anyviewer.com' - Ports: - - 443 - - Description: N/A - Domains: - - '*.aomeisoftware.com' - Ports: - - 443 + - Description: N/A + Domains: + - '*.anyviewer.com' + Ports: + - 443 + - Description: N/A + Domains: + - '*.aomeisoftware.com' + Ports: + - 443 Detections: - - Name: Arbitrary code execution and remote sessions via Action1 RMM - Description: Threat hunting rule for detecting the execution of arbitrary code - and remote sessions via Action1 RMM - author: '@kostastsale' - Link: - https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/Anyviewer.yml +- Name: Arbitrary code execution and remote sessions via Action1 RMM + Description: Threat hunting rule for detecting the execution of arbitrary code and + remote sessions via Action1 RMM + author: '@kostastsale' + Link: https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/Anyviewer.yml +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyviewer_network_sigma.yml + Description: Detects potential network activity of AnyViewer RMM tool References: - - https://www.anyviewer.com/how-to/how-to-open-firewall-ports-for-remote-desktop-0427-gc.html - - https://www.anyviewer.com/help/remote-technical-support.html +- 
https://www.anyviewer.com/how-to/how-to-open-firewall-ports-for-remote-desktop-0427-gc.html +- https://www.anyviewer.com/help/remote-technical-support.html Acknowledgement: - - Person: "Kostas" - Handle: "@kostastsale" +- Person: Kostas + Handle: '@kostastsale' diff --git a/yaml/apple_remote_desktop.yaml b/yaml/apple_remote_desktop.yaml index 98679f04..14af624e 100644 --- a/yaml/apple_remote_desktop.yaml +++ b/yaml/apple_remote_desktop.yaml @@ -17,17 +17,19 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - ARDAgent.app + - ARDAgent.app Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - user_managed - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - user_managed + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/apple_remote_desktop_network_sigma.yml + Description: Detects potential network activity of Apple Remote Desktop RMM tool References: - - https://support.apple.com/guide/remote-desktop/install-and-set-up-remote-desktop-apdf49e03a4/mac +- https://support.apple.com/guide/remote-desktop/install-and-set-up-remote-desktop-apdf49e03a4/mac Acknowledgement: [] diff --git a/yaml/aria2.yaml b/yaml/aria2.yaml index cf4355ad..00f1d3b3 100644 --- a/yaml/aria2.yaml +++ b/yaml/aria2.yaml 
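Review bot: The retained Detections entry is titled `Name: Arbitrary code execution and remote sessions via Action1 RMM` and its Description also says Action1 RMM, yet this is the AnyViewer file and the linked query is `.../Threat%20Hunting%20Queries/Anyviewer.yml`; this reads as a copy-paste leftover that the reformat carries over unchanged, and the title should presumably name AnyViewer. That entry also uses the keys `Name`, `author` (lowercase) and `Link`, while every other detection in this commit uses `Sigma`/`Description`, so a consumer iterating the Detections keys will treat it differently from the rest. `Verification: None` and `Privileges: System` are plain strings after unquoting (YAML null is `null`/`~`, not `None`), which is fine only as long as the template tests truthiness rather than equality; a short comment on the field would make that explicit.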
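Review bot: The new `apple_remote_desktop_network_sigma.yml` entry is generated from a Network block whose only domain is the placeholder `user_managed`; if the rule generator emits the Domains list verbatim, the resulting Sigma rule matches the literal string `user_managed`, never fires, and still advertises a network detection for Apple Remote Desktop. Either skip the Sigma entry for files whose Domains hold a placeholder, or have the generator ignore values that are not hostnames or wildcard patterns; a `# placeholder, not a real domain` comment next to `- user_managed` would also stop it from being copied into other files.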
@@ -17,15 +17,17 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - C:\ProgramData\CentraStage\AEMAgent\*
- - '*ProgramData\CentraStage\AEMAgent\*'
- - '*\Steinberg\Download Assistant\3rd Party\optional\aria2\*'
- - '*\aria2c.exe'
+ - C:\ProgramData\CentraStage\AEMAgent\*
+ - '*ProgramData\CentraStage\AEMAgent\*'
+ - '*\Steinberg\Download Assistant\3rd Party\optional\aria2\*'
+ - '*\aria2c.exe'
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network: []
-Detections: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aria2_processes_sigma.yml
+ Description: Detects potential processes activity of aria2 RMM tool
 References: []
 Acknowledgement: []
diff --git a/yaml/atera.yaml b/yaml/atera.yaml
index 05498deb..84644bd1 100644
--- a/yaml/atera.yaml
+++ b/yaml/atera.yaml
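Review bot: The new `aria2_processes_sigma.yml` detection is derived from an InstallationPaths list that mixes `C:\ProgramData\CentraStage\AEMAgent\*` and `*ProgramData\CentraStage\AEMAgent\*` with the aria2 entries; those two paths appear to belong to a different agent (CentraStage/AEMAgent) that merely ships aria2, so a rule generated from the list as-is would fire on that product under the aria2 name. Confirm where those two entries came from before the rule is generated, and either move them to the file of the tool they belong to or add a `# bundled by: <tool>` comment so the rule can be scoped deliberately.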
@@ -1,213 +1,223 @@ Name: Atera -Description: | - Atera is a remote monitoring and management (RMM) tool. It is used by threat actors to deploy ransomware or facilitate command execution and lateral movement. -Created: '2024/08/03' +Description: 'Atera is a remote monitoring and management (RMM) tool. It is used by + threat actors to deploy ransomware or facilitate command execution and lateral movement. + + ' +Created: 2024/08/03 LastModified: '' Details: - Website: 'https://www.atera.com/' + Website: https://www.atera.com/ PEMetadata: - - Filename: 'AteraAgent.exe' - OriginalFileName: 'AteraAgent.exe' - Description: 'AteraAgent' - Privileges: 'SYSTEM' - Free: '30 day trial' - Verification: 'None' + - Filename: AteraAgent.exe + OriginalFileName: AteraAgent.exe + Description: AteraAgent + Privileges: SYSTEM + Free: 30 day trial + Verification: None SupportedOS: - - 'Windows' - - 'MacOS' - - 'Linux' + - Windows + - MacOS + - Linux Capabilities: - - 'Integrated remote access with Splashtop and AnyDesk' - - 'Remote monitoring and management' - - 'Patch management' - - 'Network discovery' - - 'Backup and disaster recovery' - - 'Helpdesk and ticketing' - - 'Reporting and analytics' - - 'Billing and invoicing' - - 'Customer portal' - - 'Mobile app' + - Integrated remote access with Splashtop and AnyDesk + - Remote monitoring and management + - Patch management + - Network discovery + - Backup and disaster recovery + - Helpdesk and ticketing + - Reporting and analytics + - Billing and invoicing + - Customer portal + - Mobile app Vulnerabilities: - - 'CVE-2023-26078' - - 'CVE-2023-26077' + - CVE-2023-26078 + - CVE-2023-26077 InstallationPaths: - - '*\AgentPackageNetworkDiscovery.exe' - - '*\AgentPackageTaskScheduler.exe' - - '*\ATERA Networks\AteraAgent\*' - - '*\AteraAgent.exe' - - atera_agent.exe - - atera_agent.exe - - ateraagent.exe - - C:\Program Files\ATERA Networks\AteraAgent\* - - C:\Program Files\Atera Networks - - C:\Program Files (x86)\Atera Networks - - 
syncrosetup.exe + - '*\AgentPackageNetworkDiscovery.exe' + - '*\AgentPackageTaskScheduler.exe' + - '*\ATERA Networks\AteraAgent\*' + - '*\AteraAgent.exe' + - atera_agent.exe + - atera_agent.exe + - ateraagent.exe + - C:\Program Files\ATERA Networks\AteraAgent\* + - C:\Program Files\Atera Networks + - C:\Program Files (x86)\Atera Networks + - syncrosetup.exe Artifacts: Disk: - - File: 'C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageRunCommandInteractive\log.txt' - Description: N/A - OS: Windows - - File: 'C:\Program Files\ATERA Networks\AteraAgent\Packages\*' - Description: N/A - OS: Windows - - File: 'C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe' - Description: Atera service binary - OS: Windows - - File: 'C:\Program Files\Atera Networks\AlphaAgent.exe' - Description: Atera service binary - OS: Windows - - File: 'C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe' - Description: N/A - OS: Windows - - File: 'C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe' - Description: N/A - OS: Windows - - File: 'C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe' - Description: N/A - OS: Windows - - File: 'C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageFileExplorer\AgentPackageFileExplorer.exe' - Description: N/A - OS: Windows - - File: 'C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageRunCommandInteractive\AgentPackageRunCommandInteractive.exe' - Description: N/A - OS: Windows + - File: C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageRunCommandInteractive\log.txt + Description: N/A + OS: Windows + - File: C:\Program Files\ATERA Networks\AteraAgent\Packages\* + Description: N/A + OS: Windows + - File: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe + Description: Atera service binary + OS: Windows + - File: C:\Program Files\Atera 
Networks\AlphaAgent.exe + Description: Atera service binary + OS: Windows + - File: C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe + Description: N/A + OS: Windows + - File: C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe + Description: N/A + OS: Windows + - File: C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe + Description: N/A + OS: Windows + - File: C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageFileExplorer\AgentPackageFileExplorer.exe + Description: N/A + OS: Windows + - File: C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageRunCommandInteractive\AgentPackageRunCommandInteractive.exe + Description: N/A + OS: Windows EventLog: - - EventID: 7045 - ProviderName: Service Control Manager - LogFile: System.evtx - ServiceName: AteraAgent - ImagePath: '"C:\\Program Files (x86)\\ATERA Networks\\AteraAgent\\AteraAgent.exe"' - Description: Service installation event as result of AteraAgent installation. - - EventID: 7045 - ProviderName: Service Control Manager - LogFile: System.evtx - ServiceName: WinRing0_1_2_0 - ImagePath: '"C:\\Program Files (x86)\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageMonitoring\\OpenHardwareMonitorLib.sys"' - Description: Service installation event as result of Atera pakcage manager installation. - - EventID: 11707 - ProviderName: MsiInstaller - LogFile: Application.evtx - Data: 'Product: AteraAgent -- Installation completed successfully.' - Description: Service installation event as result of AteraAgent installation. 
- - EventID: 4688 - ProviderName: Microsoft-Security-Auditing - LogFile: Security.evtx - CommandLine: 'C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageFileExplorer\\AgentPackageFileExplorer.exe - XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX agent-api.atera.com/Production - 443 [BASE64BLOB]' - Description: Service installation event as result of AteraAgent installation. + - EventID: 7045 + ProviderName: Service Control Manager + LogFile: System.evtx + ServiceName: AteraAgent + ImagePath: '"C:\\Program Files (x86)\\ATERA Networks\\AteraAgent\\AteraAgent.exe"' + Description: Service installation event as result of AteraAgent installation. + - EventID: 7045 + ProviderName: Service Control Manager + LogFile: System.evtx + ServiceName: WinRing0_1_2_0 + ImagePath: '"C:\\Program Files (x86)\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageMonitoring\\OpenHardwareMonitorLib.sys"' + Description: Service installation event as result of Atera pakcage manager installation. + - EventID: 11707 + ProviderName: MsiInstaller + LogFile: Application.evtx + Data: 'Product: AteraAgent -- Installation completed successfully.' + Description: Service installation event as result of AteraAgent installation. + - EventID: 4688 + ProviderName: Microsoft-Security-Auditing + LogFile: Security.evtx + CommandLine: C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageFileExplorer\\AgentPackageFileExplorer.exe + XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX agent-api.atera.com/Production + 443 [BASE64BLOB] + Description: Service installation event as result of AteraAgent installation. Registry: - - Path: 'HKLM\SOFTWARE\ATERA Networks\AlphaAgent' - Description: - - Path: HKLM\SYSTEM\CurrentControlSet\Services\AteraAgent - Description: - - Path: KLM\SOFTWARE\WOW6432Node\Splashtop Inc. 
- Description: - - Path: HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Splashtop - Software Updater - Description: - - Path: HKLM\SYSTEM\ControlSet\Services\EventLog\Application\AlphaAgent - Description: - - Path: HKLM\SYSTEM\ControlSet\Services\EventLog\Application\AteraAgent - Description: - - Path: HKLM\SOFTWARE\Microsoft\Tracing\AteraAgent_RASAPI32 - Description: - - Path: HKLM\SOFTWARE\Microsoft\Tracing\AteraAgent_RASMANCS - Description: - - Path: HKLM\SOFTWARE\ATERA Networks\* - Description: + - Path: HKLM\SOFTWARE\ATERA Networks\AlphaAgent + Description: null + - Path: HKLM\SYSTEM\CurrentControlSet\Services\AteraAgent + Description: null + - Path: KLM\SOFTWARE\WOW6432Node\Splashtop Inc. + Description: null + - Path: HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Splashtop + Software Updater + Description: null + - Path: HKLM\SYSTEM\ControlSet\Services\EventLog\Application\AlphaAgent + Description: null + - Path: HKLM\SYSTEM\ControlSet\Services\EventLog\Application\AteraAgent + Description: null + - Path: HKLM\SOFTWARE\Microsoft\Tracing\AteraAgent_RASAPI32 + Description: null + - Path: HKLM\SOFTWARE\Microsoft\Tracing\AteraAgent_RASMANCS + Description: null + - Path: HKLM\SOFTWARE\ATERA Networks\* + Description: null Network: - - Description: N/A - Domains: - - pubsub.atera.com - Ports: - - N/A - - Description: N/A - Domains: - - pubsub.pubnub.com - Ports: - - N/A - - Description: N/A - Domains: - - agentreporting.atera.com - Ports: - - N/A - - Description: N/A - Domains: - - getalphacontrol.com - Ports: - - N/A - - Description: N/A - Domains: - - app.atera.com - Ports: - - N/A - - Description: N/A - Domains: - - agenthb.atera.com - Ports: - - N/A - - Description: N/A - Domains: - - packagesstore.blob.core.windows.net - Ports: - - N/A - - Description: N/A - Domains: - - ps.pndsn.com - Ports: - - N/A - - Description: N/A - Domains: - - agent-api.atera.com - Ports: - - N/A - - Description: N/A - Domains: - - 
cacerts.thawte.com - Ports: - - N/A - - Description: N/A - Domains: - - agentreportingstore.blob.core.windows.net - Ports: - - N/A - - Description: N/A - Domains: - - atera-agent-heartbeat.servicebus.windows.net - Ports: - - N/A - - Description: N/A - Domains: - - ps.atera.com - Ports: - - N/A - - Description: N/A - Domains: - - atera.pubnubapi.com - Ports: - - N/A - - Description: N/A - Domains: - - appcdn.atera.com - Ports: - - N/A + - Description: N/A + Domains: + - pubsub.atera.com + Ports: + - N/A + - Description: N/A + Domains: + - pubsub.pubnub.com + Ports: + - N/A + - Description: N/A + Domains: + - agentreporting.atera.com + Ports: + - N/A + - Description: N/A + Domains: + - getalphacontrol.com + Ports: + - N/A + - Description: N/A + Domains: + - app.atera.com + Ports: + - N/A + - Description: N/A + Domains: + - agenthb.atera.com + Ports: + - N/A + - Description: N/A + Domains: + - packagesstore.blob.core.windows.net + Ports: + - N/A + - Description: N/A + Domains: + - ps.pndsn.com + Ports: + - N/A + - Description: N/A + Domains: + - agent-api.atera.com + Ports: + - N/A + - Description: N/A + Domains: + - cacerts.thawte.com + Ports: + - N/A + - Description: N/A + Domains: + - agentreportingstore.blob.core.windows.net + Ports: + - N/A + - Description: N/A + Domains: + - atera-agent-heartbeat.servicebus.windows.net + Ports: + - N/A + - Description: N/A + Domains: + - ps.atera.com + Ports: + - N/A + - Description: N/A + Domains: + - atera.pubnubapi.com + Ports: + - N/A + - Description: N/A + Domains: + - appcdn.atera.com + Ports: + - N/A Detections: - - Sigma: 'https://github.com/The-DFIR-Report/Sigma-Rules/blob/d67407d357ad32b247e2a303abc5a38bb30fd576/rules/windows/process_creation/proc_creation_win_ateraagent_malicious_installations.yml' - Name: 'AteraAgent malicious installations' - Description: 'Detects AteraAgent installations with suspicious command line arguments.' 
- - Sigma: 'https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yml'
- Name: 'Atera Agent Installation'
- Description: 'Detects Atera Agent installation.'
+- Sigma: https://github.com/The-DFIR-Report/Sigma-Rules/blob/d67407d357ad32b247e2a303abc5a38bb30fd576/rules/windows/process_creation/proc_creation_win_ateraagent_malicious_installations.yml
+ Name: AteraAgent malicious installations
+ Description: Detects AteraAgent installations with suspicious command line arguments.
+- Sigma: https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yml
+ Name: Atera Agent Installation
+ Description: Detects Atera Agent installation.
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_registry_sigma.yml
+ Description: Detects potential registry activity of Atera RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_network_sigma.yml
+ Description: Detects potential network activity of Atera RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_files_sigma.yml
+ Description: Detects potential files activity of Atera RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_processes_sigma.yml
+ Description: Detects potential processes activity of Atera RMM tool
 References:
- - https://support.atera.com/hc/en-us/articles/360015461139-Firewall-Settings-for-Atera-s-Integrations
- - https://support.atera.com/hc/en-us/articles/215955967-Troubleshoot-Atera-s-Windows-agent
- - https://support.atera.com/hc/en-us/articles/115015619747-Release-Notes-February-2018
- - https://thedfirreport.com/?s=ateraagent
+- https://support.atera.com/hc/en-us/articles/360015461139-Firewall-Settings-for-Atera-s-Integrations
+- https://support.atera.com/hc/en-us/articles/215955967-Troubleshoot-Atera-s-Windows-agent
+- https://support.atera.com/hc/en-us/articles/115015619747-Release-Notes-February-2018
+- https://thedfirreport.com/?s=ateraagent
 Acknowledgement:
- - Person: "Théo Letailleur"
- Handle: in/theosyn
- - Person: "Nasreddine Bencherchali"
- Handle: "@nas_bench"
- - Person: "Kostas"
- Handle: "@kostastsale"
+- Person: "Th\xE9o Letailleur"
+ Handle: in/theosyn
+- Person: Nasreddine Bencherchali
+ Handle: '@nas_bench'
+- Person: Kostas
+ Handle: '@kostastsale'
diff --git a/yaml/auvik.yaml b/yaml/auvik.yaml
index 45fc9b55..ee78183f 100644
--- a/yaml/auvik.yaml
+++ b/yaml/auvik.yaml
@@ -17,20 +17,24 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - auvik.engine.exe
- - auvik.agent.exe
+ - auvik.engine.exe
+ - auvik.agent.exe
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - '*.my.auvik.com'
- - '*.auvik.com'
- - auvik.com
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - '*.my.auvik.com'
+ - '*.auvik.com'
+ - auvik.com
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/auvik_network_sigma.yml
+ Description: Detects potential network activity of Auvik RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/auvik_processes_sigma.yml
+ Description: Detects potential processes activity of Auvik RMM tool
 References:
- - https://support.auvik.com/hc/en-us/articles/204315700-What-protocols-and-ports-does-the-Auvik-collector-use
+- https://support.auvik.com/hc/en-us/articles/204315700-What-protocols-and-ports-does-the-Auvik-collector-use
 Acknowledgement: []
diff --git a/yaml/aweray.yaml b/yaml/aweray.yaml
index dd667ba2..680bfc53 100644
--- a/yaml/aweray.yaml
+++ b/yaml/aweray.yaml
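Review bot: The Detections entries added under `Detections:` in auvik.yaml carry only `Sigma` and `Description`, while the pre-existing entries visible in this diff (the DFIR-Report and SigmaHQ rules in atera.yaml) also carry a `Name`; if the rendering template prints the detection name, these entries will render with an empty one. The new `Sigma` URLs also point at `blob/main/...`, a floating branch, whereas the existing entries pin a commit SHA, so a reader following the link later may land on a renamed or rewritten rule or a 404. If these files are produced by the repository's own build, a repo-relative path (or a pinned revision once the rules are committed) would be more stable; at minimum add a name per entry, e.g. (illustrative) `Name: Auvik network activity`. The same applies to every yaml file in this diff that gains Detections entries, from aweray.yaml through core_ftp.yaml.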
@@ -17,19 +17,23 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - aweray_remote*.exe
- - AweSun.exe
+ - aweray_remote*.exe
+ - AweSun.exe
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - asapi*.aweray.net
- - client-api.aweray.com
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - asapi*.aweray.net
+ - client-api.aweray.com
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray_network_sigma.yml
+ Description: Detects potential network activity of AweRay RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray_processes_sigma.yml
+ Description: Detects potential processes activity of AweRay RMM tool
 References:
- - https://sun.aweray.com/help
+- https://sun.aweray.com/help
 Acknowledgement: []
diff --git a/yaml/awerayawesun.yaml b/yaml/awerayawesun.yaml
index a0ca8a8d..b9c1d6d6 100644
--- a/yaml/awerayawesun.yaml
+++ b/yaml/awerayawesun.yaml
@@ -17,18 +17,22 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - aweray_remote*.exe
- - AweSun.exe
+ - aweray_remote*.exe
+ - AweSun.exe
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - asapi-us.aweray.net
- - asapi.aweray.net
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - asapi-us.aweray.net
+ - asapi.aweray.net
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray__awesun__network_sigma.yml
+ Description: Detects potential network activity of AweRay (AweSun) RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray__awesun__processes_sigma.yml
+ Description: Detects potential processes activity of AweRay (AweSun) RMM tool
 References: []
 Acknowledgement: []
diff --git a/yaml/aws-cli.yaml b/yaml/aws-cli.yaml
index 60c3f349..102c9087 100644
--- a/yaml/aws-cli.yaml
+++ b/yaml/aws-cli.yaml
@@ -17,15 +17,17 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - C:\Program Files\Amazon\AWSCLI\*
- - '*\Amazon\AWSCLI\*'
- - '*\AWSCLIV*.msi'
- - '*\AWSCLISetup.exe'
+ - C:\Program Files\Amazon\AWSCLI\*
+ - '*\Amazon\AWSCLI\*'
+ - '*\AWSCLIV*.msi'
+ - '*\AWSCLISetup.exe'
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network: []
-Detections: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aws-cli_processes_sigma.yml
+ Description: Detects potential processes activity of aws-cli RMM tool
 References: []
 Acknowledgement: []
diff --git a/yaml/azure_storage_explorer.yaml b/yaml/azure_storage_explorer.yaml
index 49b4eb17..5878e240 100644
--- a/yaml/azure_storage_explorer.yaml
+++ b/yaml/azure_storage_explorer.yaml
@@ -17,14 +17,17 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - C:\Program Files (x86)\Microsoft Azure Storage Explorer\*
- - '*\Microsoft Azure Storage Explorer\*'
- - '*\StorageExplorer.exe'
+ - C:\Program Files (x86)\Microsoft Azure Storage Explorer\*
+ - '*\Microsoft Azure Storage Explorer\*'
+ - '*\StorageExplorer.exe'
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network: []
-Detections: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/azure_storage_explorer_processes_sigma.yml
+ Description: Detects potential processes activity of Azure Storage Explorer RMM
+ tool
 References: []
 Acknowledgement: []
diff --git a/yaml/barracuda.yaml b/yaml/barracuda.yaml
index f2e3d2b5..57d33757 100644
--- a/yaml/barracuda.yaml
+++ b/yaml/barracuda.yaml
@@ -22,13 +22,15 @@ Artifacts:
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - '*.islonline.net'
- - rmm.barracudamsp.com
- - barracudamsp.com
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - '*.islonline.net'
+ - rmm.barracudamsp.com
+ - barracudamsp.com
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/barracuda_network_sigma.yml
+ Description: Detects potential network activity of Barracuda RMM tool
 References:
- - https://help.islonline.com/19799/166125
+- https://help.islonline.com/19799/166125
 Acknowledgement: []
diff --git a/yaml/basecamp.yaml b/yaml/basecamp.yaml
index 561bb194..d178ba70 100644
--- a/yaml/basecamp.yaml
+++ b/yaml/basecamp.yaml
@@ -22,11 +22,13 @@ Artifacts:
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - basecamp.com
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - basecamp.com
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/basecamp_network_sigma.yml
+ Description: Detects potential network activity of Basecamp RMM tool
 References:
- - basecamp.com - No specific RMM tool listed
+- basecamp.com - No specific RMM tool listed
 Acknowledgement: []
diff --git a/yaml/beamyourscreen.yaml b/yaml/beamyourscreen.yaml
index 813131b7..ec05d41d 100644
--- a/yaml/beamyourscreen.yaml
+++ b/yaml/beamyourscreen.yaml
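Review bot: `basecamp_network_sigma.yml` in basecamp.yaml is derived from a `Domains` list holding only the apex `basecamp.com`, and the file's own References entry reads `basecamp.com - No specific RMM tool listed`; a network rule keyed on the bare apex domain of a widely used SaaS product will alert on ordinary business traffic rather than on remote-management activity. Consider skipping rule generation where `Domains` holds only an apex domain and no product-specific host, or at least reflecting that in the generated rule's `level` and `falsepositives` fields. This hunk starts at file line 22, so the entry's Name and Description fields are outside it.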
@@ -17,19 +17,23 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - beamyourscreen.exe
- - beamyourscreen-host.exe
+ - beamyourscreen.exe
+ - beamyourscreen-host.exe
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - beamyourscreen.com
- - '*.beamyourscreen.com'
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - beamyourscreen.com
+ - '*.beamyourscreen.com'
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beamyourscreen_network_sigma.yml
+ Description: Detects potential network activity of BeamYourScreen RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beamyourscreen_processes_sigma.yml
+ Description: Detects potential processes activity of BeamYourScreen RMM tool
 References:
- - beamyourscreen redirects to https://www.mikogo.com/
+- beamyourscreen redirects to https://www.mikogo.com/
 Acknowledgement: []
diff --git a/yaml/beanywhere.yaml b/yaml/beanywhere.yaml
index d27ddf17..5f800b0d 100644
--- a/yaml/beanywhere.yaml
+++ b/yaml/beanywhere.yaml
@@ -17,25 +17,29 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - basuptshelper.exe
- - basupsrvcupdate.exe
- - BASupApp.exe
- - BASupSysInf.exe
- - BASupAppSrvc.exe
- - TakeControl.exe
- - BASupAppElev.exe
- - basupsrvc.exe
+ - basuptshelper.exe
+ - basupsrvcupdate.exe
+ - BASupApp.exe
+ - BASupSysInf.exe
+ - BASupAppSrvc.exe
+ - TakeControl.exe
+ - BASupAppElev.exe
+ - basupsrvc.exe
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - beanywhere.en.uptodown.com/windows
- - beanywhere.com
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - beanywhere.en.uptodown.com/windows
+ - beanywhere.com
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beanywhere_network_sigma.yml
+ Description: Detects potential network activity of BeAnyWhere RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beanywhere_processes_sigma.yml
+ Description: Detects potential processes activity of BeAnyWhere RMM tool
 References:
- - https://www.shouldiremoveit.com/beanywhere-support-service-40908-program.aspx
+- https://www.shouldiremoveit.com/beanywhere-support-service-40908-program.aspx
 Acknowledgement: []
diff --git a/yaml/beinsync.yaml b/yaml/beinsync.yaml
index e73832ff..8f10935b 100644
--- a/yaml/beinsync.yaml
+++ b/yaml/beinsync.yaml
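Review bot: `beanywhere.en.uptodown.com/windows` under `Domains` in beanywhere.yaml is a URL with a path, not a hostname, and this commit now feeds that list into `beanywhere_network_sigma.yml`; a DNS- or host-based rule built from it cannot match, and the host itself appears to be a third-party download mirror rather than the tool's own infrastructure. The value should either be reduced to a bare hostname or moved to `References`. The same path-bearing entries appear in bomgar.yaml (`beyondtrust.com/brand/bomgar`), centrastage_(now_datto).yaml (`datto.com/au/products/rmm/`) and cloudflare_tunnel.yaml (`cloudflare.com/products/tunnel/`), each of which also gains a network rule in this diff.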
@@ -17,18 +17,22 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - Beinsync*.exe
+ - Beinsync*.exe
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - '*.beinsync.net'
- - '*.beinsync.com'
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - '*.beinsync.net'
+ - '*.beinsync.com'
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beinsync_network_sigma.yml
+ Description: Detects potential network activity of BeInSync RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beinsync_processes_sigma.yml
+ Description: Detects potential processes activity of BeInSync RMM tool
 References:
- - https://en.wikipedia.org/wiki/Phoenix_Technologies
+- https://en.wikipedia.org/wiki/Phoenix_Technologies
 Acknowledgement: []
diff --git a/yaml/beyondtrust_(bomgar).yaml b/yaml/beyondtrust_(bomgar).yaml
index a9485f38..de983a34 100644
--- a/yaml/beyondtrust_(bomgar).yaml
+++ b/yaml/beyondtrust_(bomgar).yaml
@@ -17,23 +17,27 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - bomgar-scc-*.exe
- - bomgar-scc.exe
- - bomgar-pac-*.exe
- - bomgar-pac.exe
- - bomgar-rdp.exe
+ - bomgar-scc-*.exe
+ - bomgar-scc.exe
+ - bomgar-pac-*.exe
+ - bomgar-pac.exe
+ - bomgar-rdp.exe
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - '*.beyondtrustcloud.com'
- - '*.bomgarcloud.com'
- - bomgarcloud.com
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - '*.beyondtrustcloud.com'
+ - '*.bomgarcloud.com'
+ - bomgarcloud.com
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__network_sigma.yml
+ Description: Detects potential network activity of BeyondTrust (Bomgar) RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__processes_sigma.yml
+ Description: Detects potential processes activity of BeyondTrust (Bomgar) RMM tool
 References:
- - https://www.beyondtrust.com/docs/remote-support/getting-started/deployment/cloud/network.htm
+- https://www.beyondtrust.com/docs/remote-support/getting-started/deployment/cloud/network.htm
 Acknowledgement: []
diff --git a/yaml/beyondtrustbomgar.yaml b/yaml/beyondtrustbomgar.yaml
index 6e2747bd..ab3651b9 100644
--- a/yaml/beyondtrustbomgar.yaml
+++ b/yaml/beyondtrustbomgar.yaml
@@ -17,23 +17,27 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - bomgar-scc.exe
- - bomgar-rdp.exe
- - bomgar-scc-*.exe
- - bomgar-pac-*.exe
- - bomgar-pac.exe
+ - bomgar-scc.exe
+ - bomgar-rdp.exe
+ - bomgar-scc-*.exe
+ - bomgar-pac-*.exe
+ - bomgar-pac.exe
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - bomgarcloud.com
- - '*.bomgarcloud.com'
- - '*.beyondtrustcloud.com'
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - bomgarcloud.com
+ - '*.bomgarcloud.com'
+ - '*.beyondtrustcloud.com'
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__network_sigma.yml
+ Description: Detects potential network activity of BeyondTrust (Bomgar) RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__processes_sigma.yml
+ Description: Detects potential processes activity of BeyondTrust (Bomgar) RMM tool
 References:
- - https://www.beyondtrust.com/docs/remote-support/getting-started/deployment/cloud/network.htm
+- https://www.beyondtrust.com/docs/remote-support/getting-started/deployment/cloud/network.htm
 Acknowledgement: []
diff --git a/yaml/bitvise_ssh_client.yaml b/yaml/bitvise_ssh_client.yaml
index 89175170..7166a46e 100644
--- a/yaml/bitvise_ssh_client.yaml
+++ b/yaml/bitvise_ssh_client.yaml
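Review bot: beyondtrustbomgar.yaml and beyondtrust_(bomgar).yaml (the preceding hunk) both now reference the same `beyondtrust__bomgar__network_sigma.yml` and `beyondtrust__bomgar__processes_sigma.yml`, which suggests the generated rule filename is derived from a shared display name and that whichever file was processed last silently replaced the other's selection in the generated rule. The two files hold the same five executables and the same three domains in a different order, so merging them into a single entry would remove the collision. The same pairing occurs for chrome_remote_desktop.yaml / chromeremotedesktop.yaml and connectwise_control.yaml / connectwisecontrol.yaml; in the latter pair connectwisecontrol.yaml lists two extra executables and `live.screenconnect.com`, which the shared rule may or may not include.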
@@ -17,14 +17,16 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - C:\Program Files (x86)\Bitvise SSH Client\*
- - '*\Bitvise SSH Client\*'
- - '*\BvSshClient-Inst.exe'
+ - C:\Program Files (x86)\Bitvise SSH Client\*
+ - '*\Bitvise SSH Client\*'
+ - '*\BvSshClient-Inst.exe'
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network: []
-Detections: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bitvise_ssh_client_processes_sigma.yml
+ Description: Detects potential processes activity of Bitvise SSH Client RMM tool
 References: []
 Acknowledgement: []
diff --git a/yaml/bitvise_ssh_server.yaml b/yaml/bitvise_ssh_server.yaml
index 0056a1a0..28730934 100644
--- a/yaml/bitvise_ssh_server.yaml
+++ b/yaml/bitvise_ssh_server.yaml
@@ -17,14 +17,16 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - C:\Program Files\Bitvise SSH Server\*
- - '*\Bitvise SSH Server\*'
- - '*\BvSshServer-Inst.exe'
+ - C:\Program Files\Bitvise SSH Server\*
+ - '*\Bitvise SSH Server\*'
+ - '*\BvSshServer-Inst.exe'
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network: []
-Detections: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bitvise_ssh_server_processes_sigma.yml
+ Description: Detects potential processes activity of Bitvise SSH Server RMM tool
 References: []
 Acknowledgement: []
diff --git a/yaml/bomgar.yaml b/yaml/bomgar.yaml
index 0f2e6d04..176f5761 100644
--- a/yaml/bomgar.yaml
+++ b/yaml/bomgar.yaml
@@ -17,16 +17,20 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - bomgar-scc.exe
+ - bomgar-scc.exe
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - beyondtrust.com/brand/bomgar
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - beyondtrust.com/brand/bomgar
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bomgar_network_sigma.yml
+ Description: Detects potential network activity of Bomgar RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bomgar_processes_sigma.yml
+ Description: Detects potential processes activity of Bomgar RMM tool
 References: []
 Acknowledgement: []
diff --git a/yaml/box.yaml b/yaml/box.yaml
index 74ed5fe0..5b74807f 100644
--- a/yaml/box.yaml
+++ b/yaml/box.yaml
@@ -17,14 +17,16 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - C:\Program Files\Box\Box\*
- - '*\Box\Box\*'
- - '*\Box.exe'
+ - C:\Program Files\Box\Box\*
+ - '*\Box\Box\*'
+ - '*\Box.exe'
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network: []
-Detections: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/box_processes_sigma.yml
+ Description: Detects potential processes activity of Box RMM tool
 References: []
 Acknowledgement: []
diff --git a/yaml/carotdav.yaml b/yaml/carotdav.yaml
index ffd01e74..e98fbb8e 100644
--- a/yaml/carotdav.yaml
+++ b/yaml/carotdav.yaml
@@ -17,14 +17,16 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - C:\Program Files (x86)\Rei Software\CarotDAV\*
- - '*\Rei Software\CarotDAV\*'
- - '*\CarotDAV.exe'
+ - C:\Program Files (x86)\Rei Software\CarotDAV\*
+ - '*\Rei Software\CarotDAV\*'
+ - '*\CarotDAV.exe'
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network: []
-Detections: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/carotdav_processes_sigma.yml
+ Description: Detects potential processes activity of CarotDAV RMM tool
 References: []
 Acknowledgement: []
diff --git a/yaml/centrastage_(now_datto).yaml b/yaml/centrastage_(now_datto).yaml
index c8a8cab2..152452cb 100644
--- a/yaml/centrastage_(now_datto).yaml
+++ b/yaml/centrastage_(now_datto).yaml
@@ -17,20 +17,25 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - CagService.exe
- - AEMAgent.exe
+ - CagService.exe
+ - AEMAgent.exe
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - '*.rmm.datto.com'
- - '*cc.centrastage.net'
- - datto.com/au/products/rmm/
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - '*.rmm.datto.com'
+ - '*cc.centrastage.net'
+ - datto.com/au/products/rmm/
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centrastage__now_datto__network_sigma.yml
+ Description: Detects potential network activity of CentraStage (Now Datto) RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centrastage__now_datto__processes_sigma.yml
+ Description: Detects potential processes activity of CentraStage (Now Datto) RMM
+ tool
 References:
- - https://rmm.datto.com/help/de/Content/1INTRODUCTION/Requirements/AllowListRequirements.htm
+- https://rmm.datto.com/help/de/Content/1INTRODUCTION/Requirements/AllowListRequirements.htm
 Acknowledgement: []
diff --git a/yaml/centurion.yaml b/yaml/centurion.yaml
index b20f302a..eb95f240 100644
--- a/yaml/centurion.yaml
+++ b/yaml/centurion.yaml
@@ -17,17 +17,21 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - ctiserv.exe
+ - ctiserv.exe
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - centuriontech.com
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - centuriontech.com
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centurion_network_sigma.yml
+ Description: Detects potential network activity of Centurion RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centurion_processes_sigma.yml
+ Description: Detects potential processes activity of Centurion RMM tool
 References:
- - https://data443.atlassian.net/servicedesk/customer/portal/20
+- https://data443.atlassian.net/servicedesk/customer/portal/20
 Acknowledgement: []
diff --git a/yaml/chrome_remote_desktop.yaml b/yaml/chrome_remote_desktop.yaml
index 8e151a74..28654113 100644
--- a/yaml/chrome_remote_desktop.yaml
+++ b/yaml/chrome_remote_desktop.yaml
@@ -17,23 +17,27 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - remote_host.exe
- - remoting_host.exe
- - C:\Program Files (x86)\Google\Chrome Remote Desktop\*
- - '*\Google\Chrome Remote Desktop\*'
- - '*\remoting_host.exe'
+ - remote_host.exe
+ - remoting_host.exe
+ - C:\Program Files (x86)\Google\Chrome Remote Desktop\*
+ - '*\Google\Chrome Remote Desktop\*'
+ - '*\remoting_host.exe'
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - '*remotedesktop.google.com'
- - '*remotedesktop-pa.googleapis.com'
- - remotedesktop.google.com
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - '*remotedesktop.google.com'
+ - '*remotedesktop-pa.googleapis.com'
+ - remotedesktop.google.com
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_network_sigma.yml
+ Description: Detects potential network activity of Chrome Remote Desktop RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_processes_sigma.yml
+ Description: Detects potential processes activity of Chrome Remote Desktop RMM tool
 References:
- - https://support.google.com/chrome/a/answer/2799701?hl=en
+- https://support.google.com/chrome/a/answer/2799701?hl=en
 Acknowledgement: []
diff --git a/yaml/chrome_ssh_extension.yaml b/yaml/chrome_ssh_extension.yaml
index 246baa6b..0843dd6b 100644
--- a/yaml/chrome_ssh_extension.yaml
+++ b/yaml/chrome_ssh_extension.yaml
@@ -17,8 +17,8 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\Extensions\iodihamcpbpeioajjeobimgagajmlibd*
- - '*Users\*\AppData\Local\Google\Chrome\User Data\Default\Extensions\iodihamcpbpeioajjeobimgagajmlibd*'
+ - C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\Extensions\iodihamcpbpeioajjeobimgagajmlibd*
+ - '*Users\*\AppData\Local\Google\Chrome\User Data\Default\Extensions\iodihamcpbpeioajjeobimgagajmlibd*'
 Artifacts:
 Disk: []
 EventLog: []
diff --git a/yaml/chromeremotedesktop.yaml b/yaml/chromeremotedesktop.yaml
index e0c2f381..4a53817c 100644
--- a/yaml/chromeremotedesktop.yaml
+++ b/yaml/chromeremotedesktop.yaml
@@ -17,23 +17,27 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - remote_host.exe
- - remoting_host.exe
- - C:\Program Files (x86)\Google\Chrome Remote Desktop\*
- - '*\Google\Chrome Remote Desktop\*'
- - '*\remoting_host.exe'
+ - remote_host.exe
+ - remoting_host.exe
+ - C:\Program Files (x86)\Google\Chrome Remote Desktop\*
+ - '*\Google\Chrome Remote Desktop\*'
+ - '*\remoting_host.exe'
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - '*remotedesktop-pa.googleapis.com'
- - '*remotedesktop.google.com'
- - remotedesktop.google.com
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - '*remotedesktop-pa.googleapis.com'
+ - '*remotedesktop.google.com'
+ - remotedesktop.google.com
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_network_sigma.yml
+ Description: Detects potential network activity of Chrome Remote Desktop RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_processes_sigma.yml
+ Description: Detects potential processes activity of Chrome Remote Desktop RMM tool
 References:
- - https://support.google.com/chrome/a/answer/2799701?hl=en
+- https://support.google.com/chrome/a/answer/2799701?hl=en
 Acknowledgement: []
diff --git a/yaml/cloud_turtle.yaml b/yaml/cloud_turtle.yaml
index bd877730..33e55e12 100644
--- a/yaml/cloud_turtle.yaml
+++ b/yaml/cloud_turtle.yaml
@@ -17,8 +17,8 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - C:\Program Files (x86)\Genie9\*
- - '*\Genie9\*'
+ - C:\Program Files (x86)\Genie9\*
+ - '*\Genie9\*'
 Artifacts:
 Disk: []
 EventLog: []
diff --git a/yaml/cloudberry_explorer.yaml b/yaml/cloudberry_explorer.yaml
index 7940d5ae..c51f4cae 100644
--- a/yaml/cloudberry_explorer.yaml
+++ b/yaml/cloudberry_explorer.yaml
@@ -17,8 +17,8 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - C:\Program Files\CloudBerryLab\CloudBerry Drive\*
- - '*\CloudBerryLab\CloudBerry Drive\*'
+ - C:\Program Files\CloudBerryLab\CloudBerry Drive\*
+ - '*\CloudBerryLab\CloudBerry Drive\*'
 Artifacts:
 Disk: []
 EventLog: []
diff --git a/yaml/cloudbuckit.yaml b/yaml/cloudbuckit.yaml
index 24e7eece..0a6760eb 100644
--- a/yaml/cloudbuckit.yaml
+++ b/yaml/cloudbuckit.yaml
@@ -17,14 +17,16 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - C:\Program Files (x86)\CloudBuckIt\*
- - '*\CloudBuckIt\*'
- - '*\CloudBuckIt*.exe'
+ - C:\Program Files (x86)\CloudBuckIt\*
+ - '*\CloudBuckIt\*'
+ - '*\CloudBuckIt*.exe'
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network: []
-Detections: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudbuckit_processes_sigma.yml
+ Description: Detects potential processes activity of CloudBuckIt RMM tool
 References: []
 Acknowledgement: []
diff --git a/yaml/cloudflare_tunnel.yaml b/yaml/cloudflare_tunnel.yaml
index 5c36977b..8741c57b 100644
--- a/yaml/cloudflare_tunnel.yaml
+++ b/yaml/cloudflare_tunnel.yaml
@@ -17,17 +17,21 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - cloudflared.exe
+ - cloudflared.exe
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - cloudflare.com/products/tunnel/
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - cloudflare.com/products/tunnel/
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudflare_tunnel_network_sigma.yml
+ Description: Detects potential network activity of CloudFlare Tunnel RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudflare_tunnel_processes_sigma.yml
+ Description: Detects potential processes activity of CloudFlare Tunnel RMM tool
 References:
- - cloudflare.com/products/tunnel/
+- cloudflare.com/products/tunnel/
 Acknowledgement: []
diff --git a/yaml/cloudmounter.yaml b/yaml/cloudmounter.yaml
index 0a01b781..2ed2d361 100644
--- a/yaml/cloudmounter.yaml
+++ b/yaml/cloudmounter.yaml
@@ -17,15 +17,17 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - C:\Program Files\CloudMounter\*
- - '*\CloudMounter\*'
- - '*\CloudMounter\*'
- - '*\cloudmounter.exe'
+ - C:\Program Files\CloudMounter\*
+ - '*\CloudMounter\*'
+ - '*\CloudMounter\*'
+ - '*\cloudmounter.exe'
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network: []
-Detections: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudmounter_processes_sigma.yml
+ Description: Detects potential processes activity of CloudMounter RMM tool
 References: []
 Acknowledgement: []
diff --git a/yaml/cloudxplorer.yaml b/yaml/cloudxplorer.yaml
index 555fed82..77ca236f 100644
--- a/yaml/cloudxplorer.yaml
+++ b/yaml/cloudxplorer.yaml
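Review bot: `'*\CloudMounter\*'` is listed twice under InstallationPaths in cloudmounter.yaml (the hunk only re-indents those lines), and since this commit now derives `cloudmounter_processes_sigma.yml` from that list the duplicate is presumably carried into the generated rule's selection as a redundant pattern. Drop one of the two lines.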
@@ -17,14 +17,16 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - C:\Program Files\ClumsyLeaf Software\CloudXplorer\*
- - '*\ClumsyLeaf Software\CloudXplorer\*'
- - '*\clumsyleaf.cloudxplorer*.exe'
+ - C:\Program Files\ClumsyLeaf Software\CloudXplorer\*
+ - '*\ClumsyLeaf Software\CloudXplorer\*'
+ - '*\clumsyleaf.cloudxplorer*.exe'
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network: []
-Detections: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudxplorer_processes_sigma.yml
+ Description: Detects potential processes activity of CloudXplorer RMM tool
 References: []
 Acknowledgement: []
diff --git a/yaml/comodo_rmm.yaml b/yaml/comodo_rmm.yaml
index cc1d7ca1..ba49ab9a 100644
--- a/yaml/comodo_rmm.yaml
+++ b/yaml/comodo_rmm.yaml
@@ -17,20 +17,24 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - itsmagent.exe
- - rviewer.exe
+ - itsmagent.exe
+ - rviewer.exe
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - '*.itsm-us1.comodo.com'
- - '*mdmsupport.comodo.com'
- - one.comodo.com
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - '*.itsm-us1.comodo.com'
+ - '*mdmsupport.comodo.com'
+ - one.comodo.com
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/comodo_rmm_network_sigma.yml
+ Description: Detects potential network activity of Comodo RMM RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/comodo_rmm_processes_sigma.yml
+ Description: Detects potential processes activity of Comodo RMM RMM tool
 References:
- - https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html
+- https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html
 Acknowledgement: []
diff --git a/yaml/connectwise.yaml b/yaml/connectwise.yaml
index 1b650062..cdc741b6 100644
--- a/yaml/connectwise.yaml
+++ b/yaml/connectwise.yaml
@@ -17,8 +17,8 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - C:\Program Files (x86)\ScreenConnect Client ()\*
- - '*\ScreenConnect*Client*\*'
+ - C:\Program Files (x86)\ScreenConnect Client ()\*
+ - '*\ScreenConnect*Client*\*'
 Artifacts:
 Disk: []
 EventLog: []
diff --git a/yaml/connectwise_automate_(labtech).yaml b/yaml/connectwise_automate_(labtech).yaml
index dc79ec4c..612eace9 100644
--- a/yaml/connectwise_automate_(labtech).yaml
+++ b/yaml/connectwise_automate_(labtech).yaml
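Review bot: The generated descriptions in comodo_rmm.yaml read `Detects potential network activity of Comodo RMM RMM tool` because the tool's name already ends in "RMM" and the generator appends a fixed " RMM tool" suffix; the same suffix also labels non-RMM utilities such as aws-cli, Box, CarotDAV and the Bitvise SSH client as "RMM tool" in earlier hunks of this diff. Dropping the fixed suffix and using the tool name alone avoids both problems, e.g. `Description: Detects potential network activity of Comodo RMM`; "process activity" also reads better than "processes activity" throughout.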
@@ -17,19 +17,25 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - ltsvc.exe
- - ltsvcmon.exe
- - lttray.exe
+ - ltsvc.exe
+ - ltsvcmon.exe
+ - lttray.exe
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - '*.hostedrmm.com'
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - '*.hostedrmm.com'
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_automate__labtech__network_sigma.yml
+ Description: Detects potential network activity of Connectwise Automate (LabTech)
+ RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_automate__labtech__processes_sigma.yml
+ Description: Detects potential processes activity of Connectwise Automate (LabTech)
+ RMM tool
 References:
- - https://www.connectwise.com/company/announcements/labtech-now-connectwise-automate
+- https://www.connectwise.com/company/announcements/labtech-now-connectwise-automate
 Acknowledgement: []
diff --git a/yaml/connectwise_control.yaml b/yaml/connectwise_control.yaml
index afa85dd1..5dd67566 100644
--- a/yaml/connectwise_control.yaml
+++ b/yaml/connectwise_control.yaml
@@ -17,17 +17,21 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - connectwisechat-customer.exe - - connectwisecontrol.client.exe + - connectwisechat-customer.exe + - connectwisecontrol.client.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - control.connectwise.com - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - control.connectwise.com + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_network_sigma.yml + Description: Detects potential network activity of ConnectWise Control RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_processes_sigma.yml + Description: Detects potential processes activity of ConnectWise Control RMM tool References: [] Acknowledgement: [] diff --git a/yaml/connectwisecontrol.yaml b/yaml/connectwisecontrol.yaml index de1d95f3..5f5bef11 100644 --- a/yaml/connectwisecontrol.yaml +++ b/yaml/connectwisecontrol.yaml 
@@ -17,20 +17,24 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - screenconnect.clientservice.exe - - connectwisecontrol.client.exe - - screenconnect.windowsclient.exe - - connectwisechat-customer.exe + - screenconnect.clientservice.exe + - connectwisecontrol.client.exe + - screenconnect.windowsclient.exe + - connectwisechat-customer.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - live.screenconnect.com - - control.connectwise.com - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - live.screenconnect.com + - control.connectwise.com + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_network_sigma.yml + Description: Detects potential network activity of ConnectWise Control RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_processes_sigma.yml + Description: Detects potential processes activity of ConnectWise Control RMM tool References: [] Acknowledgement: [] diff --git a/yaml/core_ftp.yaml b/yaml/core_ftp.yaml index 790a0878..76e5a50b 100644 --- a/yaml/core_ftp.yaml +++ b/yaml/core_ftp.yaml @@ -17,13 +17,15 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - C:\*\coreftplite.exe - - '*\coreftplite.exe' + - C:\*\coreftplite.exe + - '*\coreftplite.exe' Artifacts: Disk: [] EventLog: [] Registry: [] Network: [] -Detections: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/core_ftp_processes_sigma.yml + Description: Detects potential processes activity of Core FTP RMM tool References: [] Acknowledgement: [] diff --git a/yaml/crossloop.yaml b/yaml/crossloop.yaml index c9151cbe..afe26ca5 100644 --- a/yaml/crossloop.yaml +++ b/yaml/crossloop.yaml 
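Review bot: `yaml/connectwisecontrol.yaml` now points at exactly the same two Sigma files as `yaml/connectwise_control.yaml` in the preceding hunk (`connectwise_control_network_sigma.yml` and `connectwise_control_processes_sigma.yml`), which suggests the rule filename is derived from a shared `Name` and one generated rule silently overwrites the other. The two entries are not equivalent: this file lists `screenconnect.clientservice.exe`, `screenconnect.windowsclient.exe` and `live.screenconnect.com`, which the other does not, so whichever rule is written last decides which indicators the detection actually carries. The same collision appears for `distant_desktop.yaml`/`distantdesktop.yaml`, `dw_service.yaml`/`dwservice.yaml` and `eset_remote_administrator.yaml`/`esetremoteadministrator.yaml` later in this change. Merging each duplicate pair into one entry, or making the generator fail on a name collision, would remove the ambiguity.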
@@ -17,20 +17,24 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - crossloopservice.exe - - CrossLoopConnect.exe - - WinVNCStub.exe + - crossloopservice.exe + - CrossLoopConnect.exe + - WinVNCStub.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - '*.crossloop.com' - - crossloop.en.softonic.com - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - '*.crossloop.com' + - crossloop.en.softonic.com + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crossloop_network_sigma.yml + Description: Detects potential network activity of CrossLoop RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crossloop_processes_sigma.yml + Description: Detects potential processes activity of CrossLoop RMM tool References: - - www.CrossLoop.com -> redirects to avast.com +- www.CrossLoop.com -> redirects to avast.com Acknowledgement: [] diff --git a/yaml/crosstec_remote_control.yaml b/yaml/crosstec_remote_control.yaml index e8b67caa..6981d45f 100644 --- a/yaml/crosstec_remote_control.yaml +++ b/yaml/crosstec_remote_control.yaml 
@@ -17,19 +17,24 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - PCIVIDEO.EXE - - supporttool.exe + - PCIVIDEO.EXE + - supporttool.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - user_managed - - crosstecsoftware.com/remotecontrol - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - user_managed + - crosstecsoftware.com/remotecontrol + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crosstec_remote_control_network_sigma.yml + Description: Detects potential network activity of CrossTec Remote Control RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crosstec_remote_control_processes_sigma.yml + Description: Detects potential processes activity of CrossTec Remote Control RMM + tool References: - - www.crosstecsoftware.com/supporthome.html - domain DOA 2/1/2024 +- www.crosstecsoftware.com/supporthome.html - domain DOA 2/1/2024 Acknowledgement: [] diff --git a/yaml/cruz.yaml b/yaml/cruz.yaml index 0d1dfdc2..1bf82391 100644 --- a/yaml/cruz.yaml +++ b/yaml/cruz.yaml @@ -22,10 +22,12 @@ Artifacts: EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - resources.doradosoftware.com/cruz-rmm - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - resources.doradosoftware.com/cruz-rmm + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cruz_network_sigma.yml + Description: Detects potential network activity of Cruz RMM tool References: [] Acknowledgement: [] diff --git a/yaml/cruzcontrol.yaml b/yaml/cruzcontrol.yaml index 9b22d6fe..72afaff8 100644 --- a/yaml/cruzcontrol.yaml +++ b/yaml/cruzcontrol.yaml 
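Review bot: `user_managed` in the CrossTec `Domains` list is a placeholder meaning the endpoint is operator-chosen, not a hostname, yet the new `Detections` entry adds a network rule for this file that is presumably generated from that list, so the rule would carry a literal `user_managed` indicator. The same list also holds `crosstecsoftware.com/remotecontrol`, and the Cruz hunk on this line holds `resources.doradosoftware.com/cruz-rmm` — URL paths rather than domains, which belong in `References`; the pattern recurs with `user_managed` in the DeskShare, EMCO, Ericom and ESET entries and with a docs URL in the Dev Tunnels entry. Keeping `Domains` to bare hostnames (`- crosstecsoftware.com`) and moving documentation links to `References`, or having the generator skip the `user_managed` sentinel, would keep the generated network rules meaningful. The CrossTec reference itself records the domain as dead (`domain DOA 2/1/2024`), which is worth reflecting in the rule's description.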
@@ -24,5 +24,5 @@ Artifacts: Network: [] Detections: [] References: - - https://resources.doradosoftware.com/cruz-rmm +- https://resources.doradosoftware.com/cruz-rmm Acknowledgement: [] diff --git a/yaml/cuteftp.yaml b/yaml/cuteftp.yaml index 941623da..ef266253 100644 --- a/yaml/cuteftp.yaml +++ b/yaml/cuteftp.yaml @@ -17,14 +17,16 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - C:\Program Files (x86)\Globalscape\CuteFTP\* - - '*\Globalscape\CuteFTP\*' - - '*\cuteftppro.exe' + - C:\Program Files (x86)\Globalscape\CuteFTP\* + - '*\Globalscape\CuteFTP\*' + - '*\cuteftppro.exe' Artifacts: Disk: [] EventLog: [] Registry: [] Network: [] -Detections: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cuteftp_processes_sigma.yml + Description: Detects potential processes activity of CuteFTP RMM tool References: [] Acknowledgement: [] diff --git a/yaml/cyberduck.yaml b/yaml/cyberduck.yaml index 6cd9f1b4..82368f9a 100644 --- a/yaml/cyberduck.yaml +++ b/yaml/cyberduck.yaml @@ -17,14 +17,16 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - C:\Program Files\Cyberduck\* - - '*\Cyberduck\*' - - '*\Cyberduck.exe' + - C:\Program Files\Cyberduck\* + - '*\Cyberduck\*' + - '*\Cyberduck.exe' Artifacts: Disk: [] EventLog: [] Registry: [] Network: [] -Detections: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cyberduck_processes_sigma.yml + Description: Detects potential processes activity of Cyberduck RMM tool References: [] Acknowledgement: [] diff --git a/yaml/dameware-mini_remote_control_protocol.yaml b/yaml/dameware-mini_remote_control_protocol.yaml index 06b107b3..3df39f99 100644 --- a/yaml/dameware-mini_remote_control_protocol.yaml +++ b/yaml/dameware-mini_remote_control_protocol.yaml 
@@ -17,17 +17,23 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - dntus*.exe - - dwrcs.exe + - dntus*.exe + - dwrcs.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - dameware.com - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - dameware.com + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware-mini_remote_control_protocol_network_sigma.yml + Description: Detects potential network activity of Dameware-mini remote control + Protocol RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware-mini_remote_control_protocol_processes_sigma.yml + Description: Detects potential processes activity of Dameware-mini remote control + Protocol RMM tool References: [] Acknowledgement: [] diff --git a/yaml/dameware.yaml b/yaml/dameware.yaml index 6fb00273..f0146ac1 100644 --- a/yaml/dameware.yaml +++ b/yaml/dameware.yaml 
@@ -17,21 +17,23 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - SolarWinds-Dameware-DRS*.exe - - DameWare Mini Remote Control*.exe - - "C:\\Windows\\dwrcs\\*\n c:\\Program File\\SolarWinds\\Dameware Mini Remote - Control\\*" - - dwrcs.exe - - '*\dwrcs\*' - - '*\dwrcst.exe' - - DameWare Remote Support.exe - - SolarWinds-Dameware-MRC*.exe + - SolarWinds-Dameware-DRS*.exe + - DameWare Mini Remote Control*.exe + - "C:\\Windows\\dwrcs\\*\n c:\\Program File\\SolarWinds\\Dameware Mini Remote Control\\\ + *" + - dwrcs.exe + - '*\dwrcs\*' + - '*\dwrcst.exe' + - DameWare Remote Support.exe + - SolarWinds-Dameware-MRC*.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: [] -Detections: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware_processes_sigma.yml + Description: Detects potential processes activity of DameWare RMM tool References: - - https://documentation.solarwinds.com/en/success_center/dameware/content/install-standalone-port-requirements.htm +- https://documentation.solarwinds.com/en/success_center/dameware/content/install-standalone-port-requirements.htm Acknowledgement: [] diff --git a/yaml/datto.yaml b/yaml/datto.yaml index 68a0fb8c..3d66d27b 100644 --- a/yaml/datto.yaml +++ b/yaml/datto.yaml @@ -22,10 +22,12 @@ Artifacts: EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - datto.com - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - datto.com + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/datto_network_sigma.yml + Description: Detects potential network activity of Datto RMM tool References: [] Acknowledgement: [] diff --git a/yaml/deskday.yaml b/yaml/deskday.yaml index 5bfae364..0ad06df5 100644 --- a/yaml/deskday.yaml +++ b/yaml/deskday.yaml 
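Review bot: The third `InstallationPaths` entry is still one string holding two paths joined by a literal `\n` (`"C:\\Windows\\dwrcs\\*\n c:\\Program File\\SolarWinds\\Dameware Mini Remote Control\\\` continuing `*"`), and the re-dump only re-folded it; a path rule built from this value can match neither location. It should be two list items, `- C:\Windows\dwrcs\*` and `- C:\Program Files\SolarWinds\Dameware Mini Remote Control\*`, where `Program File` in the original looks like a typo for `Program Files` and is worth confirming before the split.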
@@ -17,18 +17,22 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - ultimate_*.exe + - ultimate_*.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - deskday.ai - - app.deskday.ai - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - deskday.ai + - app.deskday.ai + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskday_network_sigma.yml + Description: Detects potential network activity of DeskDay RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskday_processes_sigma.yml + Description: Detects potential processes activity of DeskDay RMM tool References: - - https://support.deskday.ai/en/articles/8235973-installing-the-end-user-application-ultimate +- https://support.deskday.ai/en/articles/8235973-installing-the-end-user-application-ultimate Acknowledgement: [] diff --git a/yaml/desknets.yaml b/yaml/desknets.yaml index 14b8d67f..5de3a9f0 100644 --- a/yaml/desknets.yaml +++ b/yaml/desknets.yaml @@ -24,5 +24,5 @@ Artifacts: Network: [] Detections: [] References: - - https://www.desknets.com/en/download.html +- https://www.desknets.com/en/download.html Acknowledgement: [] diff --git a/yaml/deskshare.yaml b/yaml/deskshare.yaml index 1fb55b75..4faeaf40 100644 --- a/yaml/deskshare.yaml +++ b/yaml/deskshare.yaml 
@@ -17,18 +17,22 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - TeamTaskManager.exe - - DSGuest.exe + - TeamTaskManager.exe + - DSGuest.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - user_managed - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - user_managed + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskshare_network_sigma.yml + Description: Detects potential network activity of DeskShare RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskshare_processes_sigma.yml + Description: Detects potential processes activity of DeskShare RMM tool References: - - https://www.deskshare.com/help/fml/Active-and-Passive-connection-mode.aspx +- https://www.deskshare.com/help/fml/Active-and-Passive-connection-mode.aspx Acknowledgement: [] diff --git a/yaml/desktopcentral.yaml b/yaml/desktopcentral.yaml index 8f02320b..ad359adb 100644 --- a/yaml/desktopcentral.yaml +++ b/yaml/desktopcentral.yaml @@ -17,16 +17,20 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - dcagentservice.exe + - dcagentservice.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - desktopcentral.manageengine.com - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - desktopcentral.manageengine.com + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktop_central_network_sigma.yml + Description: Detects potential network activity of Desktop Central RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktop_central_processes_sigma.yml + Description: Detects potential processes activity of Desktop Central RMM tool References: [] Acknowledgement: [] 
diff --git a/yaml/desktopnow.yaml b/yaml/desktopnow.yaml index 831240c9..67722f15 100644 --- a/yaml/desktopnow.yaml +++ b/yaml/desktopnow.yaml @@ -17,17 +17,21 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - desktopnow.exe + - desktopnow.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - '*.nchuser.com' - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - '*.nchuser.com' + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktopnow_network_sigma.yml + Description: Detects potential network activity of DesktopNow RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktopnow_processes_sigma.yml + Description: Detects potential processes activity of DesktopNow RMM tool References: - - https://forums.ivanti.com/s/article/Network-Ports-used-by-Environment-Manager?language=en_US +- https://forums.ivanti.com/s/article/Network-Ports-used-by-Environment-Manager?language=en_US Acknowledgement: [] diff --git a/yaml/dev_tunnels_(aka_visual_studio_dev_tunnel).yaml b/yaml/dev_tunnels_(aka_visual_studio_dev_tunnel).yaml index da22cf0d..0dd754c1 100644 --- a/yaml/dev_tunnels_(aka_visual_studio_dev_tunnel).yaml +++ b/yaml/dev_tunnels_(aka_visual_studio_dev_tunnel).yaml 
@@ -22,10 +22,13 @@ Artifacts: EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dev_tunnels__aka_visual_studio_dev_tunnel__network_sigma.yml + Description: Detects potential network activity of Dev Tunnels (aka Visual Studio + Dev Tunnel) RMM tool References: [] Acknowledgement: [] diff --git a/yaml/distant_desktop.yaml b/yaml/distant_desktop.yaml index c8d491be..5e66a438 100644 --- a/yaml/distant_desktop.yaml +++ b/yaml/distant_desktop.yaml @@ -17,20 +17,24 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - distant-desktop.exe - - dd.exe - - ddsystem.exe + - distant-desktop.exe + - dd.exe + - ddsystem.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - '*.distantdesktop.com' - - '*signalserver.xyz' - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - '*.distantdesktop.com' + - '*signalserver.xyz' + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_network_sigma.yml + Description: Detects potential network activity of Distant Desktop RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_processes_sigma.yml + Description: Detects potential processes activity of Distant Desktop RMM tool References: - - https://www.distantdesktop.com/manual/first-start.htm +- https://www.distantdesktop.com/manual/first-start.htm Acknowledgement: [] diff --git a/yaml/distantdesktop.yaml b/yaml/distantdesktop.yaml index e5659df8..4ed239e7 100644 --- a/yaml/distantdesktop.yaml +++ b/yaml/distantdesktop.yaml 
@@ -17,20 +17,24 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - ddsystem.exe - - dd.exe - - distant-desktop.exe + - ddsystem.exe + - dd.exe + - distant-desktop.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - '*.distantdesktop.com' - - '*signalserver.xyz' - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - '*.distantdesktop.com' + - '*signalserver.xyz' + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_network_sigma.yml + Description: Detects potential network activity of Distant Desktop RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_processes_sigma.yml + Description: Detects potential processes activity of Distant Desktop RMM tool References: - - https://www.distantdesktop.com/manual/first-start.htm +- https://www.distantdesktop.com/manual/first-start.htm Acknowledgement: [] diff --git a/yaml/domotz.yaml b/yaml/domotz.yaml index 54421039..c1c94acd 100644 --- a/yaml/domotz.yaml +++ b/yaml/domotz.yaml 
@@ -17,24 +17,28 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - domotz.exe - - Domotz Pro Desktop App.exe - - domotz_bash.exe - - domotz*.exe - - Domotz Pro Desktop App Setup*.exe - - domotz-windows*.exe + - domotz.exe + - Domotz Pro Desktop App.exe + - domotz_bash.exe + - domotz*.exe + - Domotz Pro Desktop App Setup*.exe + - domotz-windows*.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - '*.domotz.co' - - domotz.com - - '*cell-1.domotz.com' - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - '*.domotz.co' + - domotz.com + - '*cell-1.domotz.com' + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/domotz_network_sigma.yml + Description: Detects potential network activity of Domotz RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/domotz_processes_sigma.yml + Description: Detects potential processes activity of Domotz RMM tool References: - - https://help.domotz.com/tips-tricks/unblock-outgoing-connections-on-firewall/ +- https://help.domotz.com/tips-tricks/unblock-outgoing-connections-on-firewall/ Acknowledgement: [] diff --git a/yaml/dragondisk.yaml b/yaml/dragondisk.yaml index ab9c27d0..5305a56f 100644 --- a/yaml/dragondisk.yaml +++ b/yaml/dragondisk.yaml @@ -17,14 +17,16 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - C:\Program Files (x86)\Almageste\DragonDisk\* - - '*\Almageste\DragonDisk\*' - - '*\DragonDisk.exe' + - C:\Program Files (x86)\Almageste\DragonDisk\* + - '*\Almageste\DragonDisk\*' + - '*\DragonDisk.exe' Artifacts: Disk: [] EventLog: [] Registry: [] Network: [] -Detections: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dragondisk_processes_sigma.yml + Description: Detects potential processes activity of DragonDisk RMM tool References: [] Acknowledgement: [] 
diff --git a/yaml/drivemaker.yaml b/yaml/drivemaker.yaml index cf3da485..c336b310 100644 --- a/yaml/drivemaker.yaml +++ b/yaml/drivemaker.yaml @@ -17,13 +17,15 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - C:\*\DriveMaker.exe - - '*\DriveMaker.exe' + - C:\*\DriveMaker.exe + - '*\DriveMaker.exe' Artifacts: Disk: [] EventLog: [] Registry: [] Network: [] -Detections: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/drivemaker_processes_sigma.yml + Description: Detects potential processes activity of DriveMaker RMM tool References: [] Acknowledgement: [] diff --git a/yaml/dropbox.yaml b/yaml/dropbox.yaml index 0f653f54..d9323833 100644 --- a/yaml/dropbox.yaml +++ b/yaml/dropbox.yaml @@ -17,15 +17,17 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - C:\Program Files (x86)\Dropbox\Client\* - - '*\Dropbox\Client\*' - - '*\Dropbox.exe' - - '*Users\*\Dropbox\bin\' + - C:\Program Files (x86)\Dropbox\Client\* + - '*\Dropbox\Client\*' + - '*\Dropbox.exe' + - '*Users\*\Dropbox\bin\' Artifacts: Disk: [] EventLog: [] Registry: [] Network: [] -Detections: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dropbox_processes_sigma.yml + Description: Detects potential processes activity of Dropbox RMM tool References: [] Acknowledgement: [] diff --git a/yaml/duplicati.yaml b/yaml/duplicati.yaml index ad61f08a..2eaa9107 100644 --- a/yaml/duplicati.yaml +++ b/yaml/duplicati.yaml 
@@ -17,13 +17,15 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - c:\Program Files\*\Duplicati.Server.exe - - '*\*\Duplicati.Server.exe' + - c:\Program Files\*\Duplicati.Server.exe + - '*\*\Duplicati.Server.exe' Artifacts: Disk: [] EventLog: [] Registry: [] Network: [] -Detections: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/duplicati_processes_sigma.yml + Description: Detects potential processes activity of Duplicati RMM tool References: [] Acknowledgement: [] diff --git a/yaml/dw_service.yaml b/yaml/dw_service.yaml index 1cd62854..269e67eb 100644 --- a/yaml/dw_service.yaml +++ b/yaml/dw_service.yaml @@ -17,19 +17,23 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - dwagsvc.exe - - dwagent.exe - - dwagsvc.exe + - dwagsvc.exe + - dwagent.exe + - dwagsvc.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - '*.dwservice.net' - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - '*.dwservice.net' + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_network_sigma.yml + Description: Detects potential network activity of DW Service RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_processes_sigma.yml + Description: Detects potential processes activity of DW Service RMM tool References: - - https://news.dwservice.net/dwservice-security-infrastructure/ +- https://news.dwservice.net/dwservice-security-infrastructure/ Acknowledgement: [] diff --git a/yaml/dwservice.yaml b/yaml/dwservice.yaml index 099cb49d..049edfed 100644 --- a/yaml/dwservice.yaml +++ b/yaml/dwservice.yaml 
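Review bot: `dwagsvc.exe` appears twice in the `InstallationPaths` of `yaml/dw_service.yaml` on the new side (first and third item); the duplicate is harmless to YAML but will be copied into the generated process rule, so dropping the third item and leaving `- dwagsvc.exe` and `- dwagent.exe` keeps the indicator list clean. The `dwservice.yaml` hunk that follows lists the same two binaries and the same `*.dwservice.net` domain, so the two files describe one tool.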
@@ -17,18 +17,22 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - dwagent.exe - - dwagsvc.exe + - dwagent.exe + - dwagsvc.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - '*.dwservice.net' - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - '*.dwservice.net' + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_network_sigma.yml + Description: Detects potential network activity of DW Service RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_processes_sigma.yml + Description: Detects potential processes activity of DW Service RMM tool References: - - https://news.dwservice.net/dwservice-security-infrastructure/ +- https://news.dwservice.net/dwservice-security-infrastructure/ Acknowledgement: [] diff --git a/yaml/echoware.yaml b/yaml/echoware.yaml index 2b7056ad..16a3916f 100644 --- a/yaml/echoware.yaml +++ b/yaml/echoware.yaml @@ -17,13 +17,15 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - echoserver*.exe - - echoware.dll + - echoserver*.exe + - echoware.dll Artifacts: Disk: [] EventLog: [] Registry: [] Network: [] -Detections: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/echoware_processes_sigma.yml + Description: Detects potential processes activity of Echoware RMM tool References: [] Acknowledgement: [] diff --git a/yaml/ehorus.yaml b/yaml/ehorus.yaml index e5fa2649..f37c6da6 100644 --- a/yaml/ehorus.yaml +++ b/yaml/ehorus.yaml 
@@ -17,16 +17,20 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - ehorus standalone.exe + - ehorus standalone.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - ehorus.com - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - ehorus.com + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ehorus_network_sigma.yml + Description: Detects potential network activity of eHorus RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ehorus_processes_sigma.yml + Description: Detects potential processes activity of eHorus RMM tool References: [] Acknowledgement: [] diff --git a/yaml/electric.yaml b/yaml/electric.yaml index d7c0f309..4d61b5f5 100644 --- a/yaml/electric.yaml +++ b/yaml/electric.yaml @@ -22,10 +22,12 @@ Artifacts: EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - electric.ai - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - electric.ai + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/electric_network_sigma.yml + Description: Detects potential network activity of Electric RMM tool References: [] Acknowledgement: [] diff --git a/yaml/electric_ai_(kaseya).yaml b/yaml/electric_ai_(kaseya).yaml index af2329f0..b3fa8c52 100644 --- a/yaml/electric_ai_(kaseya).yaml +++ b/yaml/electric_ai_(kaseya).yaml @@ -24,5 +24,5 @@ Artifacts: Network: [] Detections: [] References: - - https://www.electric.ai/product/device-management-solutions - Usess Kaseya/jamf +- https://www.electric.ai/product/device-management-solutions - Usess Kaseya/jamf Acknowledgement: [] diff --git a/yaml/emco_remote_console.yaml b/yaml/emco_remote_console.yaml index 8a8a4040..509c301e 100644 --- a/yaml/emco_remote_console.yaml +++ b/yaml/emco_remote_console.yaml 
@@ -17,17 +17,21 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - remoteconsole.exe + - remoteconsole.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - user_managed - - emcosoftware.com - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - user_managed + - emcosoftware.com + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/emco_remote_console_network_sigma.yml + Description: Detects potential network activity of EMCO Remote Console RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/emco_remote_console_processes_sigma.yml + Description: Detects potential processes activity of EMCO Remote Console RMM tool References: [] Acknowledgement: [] diff --git a/yaml/encapto.yaml b/yaml/encapto.yaml index 809b0498..a6677b56 100644 --- a/yaml/encapto.yaml +++ b/yaml/encapto.yaml @@ -22,11 +22,13 @@ Artifacts: EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - encapto.com - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - encapto.com + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/encapto_network_sigma.yml + Description: Detects potential network activity of Encapto RMM tool References: - - https://www.encapto.com - used to manage Cisco services +- https://www.encapto.com - used to manage Cisco services Acknowledgement: [] diff --git a/yaml/ericom_accessnow.yaml b/yaml/ericom_accessnow.yaml index 080f660e..b375e17b 100644 --- a/yaml/ericom_accessnow.yaml +++ b/yaml/ericom_accessnow.yaml 
@@ -17,19 +17,23 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - accessserver*.exe - - accessserver.exe + - accessserver*.exe + - accessserver.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - user_managed - - ericom.com - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - user_managed + - ericom.com + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_accessnow_network_sigma.yml + Description: Detects potential network activity of Ericom AccessNow RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_accessnow_processes_sigma.yml + Description: Detects potential processes activity of Ericom AccessNow RMM tool References: - - https://www.ericom.com/connect-accessnow/ +- https://www.ericom.com/connect-accessnow/ Acknowledgement: [] diff --git a/yaml/ericom_connect.yaml b/yaml/ericom_connect.yaml index ff6182f5..3bbb5938 100644 --- a/yaml/ericom_connect.yaml +++ b/yaml/ericom_connect.yaml 
@@ -17,19 +17,23 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - EricomConnectRemoteHost*.exe - - ericomconnnectconfigurationtool.exe + - EricomConnectRemoteHost*.exe + - ericomconnnectconfigurationtool.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - user_managed - - ericom.com - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - user_managed + - ericom.com + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_connect_network_sigma.yml + Description: Detects potential network activity of Ericom Connect RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_connect_processes_sigma.yml + Description: Detects potential processes activity of Ericom Connect RMM tool References: - - https://www.ericom.com/connect-accessnow/ +- https://www.ericom.com/connect-accessnow/ Acknowledgement: [] diff --git a/yaml/eset_remote_administrator.yaml b/yaml/eset_remote_administrator.yaml index e2438443..52bfdb66 100644 --- a/yaml/eset_remote_administrator.yaml +++ b/yaml/eset_remote_administrator.yaml 
@@ -17,22 +17,28 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - era.exe - - einstaller.exe - - ezhelp*.exe - - eratool.exe - - ERAAgent.exe + - era.exe + - einstaller.exe + - ezhelp*.exe + - eratool.exe + - ERAAgent.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - user_managed - - eset.com/me/business/remote-management/remote-administrator/ - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - user_managed + - eset.com/me/business/remote-management/remote-administrator/ + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_network_sigma.yml + Description: Detects potential network activity of ESET Remote Administrator RMM + tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_processes_sigma.yml + Description: Detects potential processes activity of ESET Remote Administrator RMM + tool References: - - eset.com/me/business/remote-management/remote-administrator/ +- eset.com/me/business/remote-management/remote-administrator/ Acknowledgement: [] diff --git a/yaml/esetremoteadministrator.yaml b/yaml/esetremoteadministrator.yaml index e8a82da0..718858aa 100644 --- a/yaml/esetremoteadministrator.yaml +++ b/yaml/esetremoteadministrator.yaml 
@@ -17,22 +17,28 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - einstaller.exe
- - era.exe
- - ERAAgent.exe
- - ezhelp*.exe
- - eratool.exe
+ - einstaller.exe
+ - era.exe
+ - ERAAgent.exe
+ - ezhelp*.exe
+ - eratool.exe
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - user_managed
- - eset.com/me/business/remote-management/remote-administrator/
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - user_managed
+ - eset.com/me/business/remote-management/remote-administrator/
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_network_sigma.yml
+ Description: Detects potential network activity of ESET Remote Administrator RMM
+ tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_processes_sigma.yml
+ Description: Detects potential processes activity of ESET Remote Administrator RMM
+ tool
 References:
- - eset.com/me/business/remote-management/remote-administrator/
+- eset.com/me/business/remote-management/remote-administrator/
 Acknowledgement: []
diff --git a/yaml/expandrive.yaml b/yaml/expandrive.yaml
index 9734947a..b2c9fd39 100644
--- a/yaml/expandrive.yaml
+++ b/yaml/expandrive.yaml
@@ -17,13 +17,15 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - C:\Users\*\ExpanDrive.exe
- - '*\ExpanDrive.exe'
+ - C:\Users\*\ExpanDrive.exe
+ - '*\ExpanDrive.exe'
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network: []
-Detections: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/expandrive_processes_sigma.yml
+ Description: Detects potential processes activity of ExpanDrive RMM tool
 References: []
 Acknowledgement: []
diff --git a/yaml/extraputty.yaml b/yaml/extraputty.yaml
index 6802c24d..bbd1f7a2 100644
--- a/yaml/extraputty.yaml
+++ b/yaml/extraputty.yaml
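Review bot: The added description `Detects potential processes activity of ExpanDrive RMM tool` applies the RMM wording to a cloud-storage mount client, and the same template text is used for ExtraPuTTY (L769), FileZilla (L770), FreeFileSync (L775), FreeNX (L776) and Google Drive (L778), none of which are remote monitoring and management products. Because these strings end up as the rule descriptions analysts read when a detection fires, a neutral phrasing such as `Description: Detects potential process activity of ExpanDrive (file transfer / remote access tooling)` is more accurate. Writing `process activity` instead of `processes activity` would also fix the grammar in every generated entry.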
@@ -17,14 +17,16 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - C:\Users\*\ExtraPuTTY-0.30-2016-01-28-installer.exe
- - '*Users\*\ExtraPuTTY-0.30-2016-01-28-installer.exe'
- - '*\ExtraPuTTY-0.30-2016-01-28-installer.exe'
+ - C:\Users\*\ExtraPuTTY-0.30-2016-01-28-installer.exe
+ - '*Users\*\ExtraPuTTY-0.30-2016-01-28-installer.exe'
+ - '*\ExtraPuTTY-0.30-2016-01-28-installer.exe'
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network: []
-Detections: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/extraputty_processes_sigma.yml
+ Description: Detects potential processes activity of ExtraPuTTY RMM tool
 References: []
 Acknowledgement: []
diff --git a/yaml/ezhelp.yaml b/yaml/ezhelp.yaml
index 5db524b0..0de22810 100644
--- a/yaml/ezhelp.yaml
+++ b/yaml/ezhelp.yaml
@@ -17,20 +17,24 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - ezhelpclientmanager.exe
- - ezHelpManager.exe
- - ezhelpclient.exe
+ - ezhelpclientmanager.exe
+ - ezHelpManager.exe
+ - ezhelpclient.exe
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - '*.ezhelp.co.kr'
- - ezhelp.co.kr
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - '*.ezhelp.co.kr'
+ - ezhelp.co.kr
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ezhelp_network_sigma.yml
+ Description: Detects potential network activity of ezHelp RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ezhelp_processes_sigma.yml
+ Description: Detects potential processes activity of ezHelp RMM tool
 References:
- - https://www.exhelp.co.kr
+- https://www.exhelp.co.kr
 Acknowledgement: []
diff --git a/yaml/fastviewer.yaml b/yaml/fastviewer.yaml
index 7d373ed3..f8db8ca2 100644
--- a/yaml/fastviewer.yaml
+++ b/yaml/fastviewer.yaml
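Review bot: All three InstallationPaths for ExtraPuTTY name one version-pinned installer, `ExtraPuTTY-0.30-2016-01-28-installer.exe`, so a process rule derived from this list (which the new `extraputty_processes_sigma.yml` entry implies) would fire only while that specific installer runs, never on the installed client being used. If detecting use of the tool is the goal, the installed executable belongs in this list as well, and the installer pattern could be widened to something like `'*\ExtraPuTTY-*-installer.exe'` so it survives the next release.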
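Review bot: The reference `https://www.exhelp.co.kr` in the ezhelp hunk does not match the product domain `ezhelp.co.kr` listed under Domains a few lines above, so it is very likely a typo (`exhelp` for `ezhelp`) that the reformat carried over; `- https://www.ezhelp.co.kr` is the probable intent and should be verified before the generated page links to it.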
@@ -17,20 +17,24 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - fastclient.exe
- - fastmaster.exe
- - FastViewer.exe
+ - fastclient.exe
+ - fastmaster.exe
+ - FastViewer.exe
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - '*.fastviewer.com'
- - fastviewer.com
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - '*.fastviewer.com'
+ - fastviewer.com
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fastviewer_network_sigma.yml
+ Description: Detects potential network activity of FastViewer RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fastviewer_processes_sigma.yml
+ Description: Detects potential processes activity of FastViewer RMM tool
 References:
- - https://fastviewer.com/demo/EN_FastViewer_Server%20Installation%20Configuration.pdf
+- https://fastviewer.com/demo/EN_FastViewer_Server%20Installation%20Configuration.pdf
 Acknowledgement: []
diff --git a/yaml/filezilla.yaml b/yaml/filezilla.yaml
index a01f86d7..e8af76e1 100644
--- a/yaml/filezilla.yaml
+++ b/yaml/filezilla.yaml
@@ -17,14 +17,16 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - C:\Program Files\FileZilla FTP Client\*
- - '*\FileZilla FTP Client\*'
- - '*\FileZilla.exe'
+ - C:\Program Files\FileZilla FTP Client\*
+ - '*\FileZilla FTP Client\*'
+ - '*\FileZilla.exe'
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network: []
-Detections: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/filezilla_processes_sigma.yml
+ Description: Detects potential processes activity of FileZilla RMM tool
 References: []
 Acknowledgement: []
diff --git a/yaml/fixme.it.yaml b/yaml/fixme.it.yaml
index e3218581..a9a1fc22 100644
--- a/yaml/fixme.it.yaml
+++ b/yaml/fixme.it.yaml
@@ -17,32 +17,36 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - FixMeit Unattended Access Setup.exe
- - TiExpertStandalone.exe
- - FixMeitClient*.exe
- - FixMeit Client.exe
- - FixMeit Expert Setup.exe
- - TiExpertCore.exe
- - fixmeitclient.exe
- - TiClientCore.exe
- - TiClientHelper*.exe
- - no installation required | recommend blocking fixme[.]it SaaS portal
- - no installation required | recommend blocking fixme[.]it SaaS portal
- - 9380CC75B872221A7425D7503565B67580407F60
+ - FixMeit Unattended Access Setup.exe
+ - TiExpertStandalone.exe
+ - FixMeitClient*.exe
+ - FixMeit Client.exe
+ - FixMeit Expert Setup.exe
+ - TiExpertCore.exe
+ - fixmeitclient.exe
+ - TiClientCore.exe
+ - TiClientHelper*.exe
+ - no installation required | recommend blocking fixme[.]it SaaS portal
+ - no installation required | recommend blocking fixme[.]it SaaS portal
+ - 9380CC75B872221A7425D7503565B67580407F60
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - '*.fixme.it'
- - '*.techinline.net'
- - fixme.it
- - '*set.me'
- - '*setme.net'
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - '*.fixme.it'
+ - '*.techinline.net'
+ - fixme.it
+ - '*set.me'
+ - '*setme.net'
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme.it_network_sigma.yml
+ Description: Detects potential network activity of FixMe.it RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme.it_processes_sigma.yml
+ Description: Detects potential processes activity of FixMe.it RMM tool
 References:
- - https://docs.fixme.it/general-questions/which-ports-and-servers-does-fixme-it-use
+- https://docs.fixme.it/general-questions/which-ports-and-servers-does-fixme-it-use
 Acknowledgement: []
diff --git a/yaml/fixme.yaml b/yaml/fixme.yaml
index a77ce430..21f6b311 100644
--- a/yaml/fixme.yaml
+++ b/yaml/fixme.yaml
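Review bot: InstallationPaths mixes real path patterns with two identical free-text entries, `no installation required | recommend blocking fixme[.]it SaaS portal`, and a bare 40-hex value, `9380CC75B872221A7425D7503565B67580407F60`; if the new `fixme.it_processes_sigma.yml` is generated from this list, those three entries become image patterns that can never match and only inflate the rule. The advisory text belongs in a Description field and the hex value, if it is a file hash, in a dedicated hash field rather than a path list. The same mixture appears in goodsync on L777 (`installation requires paid version of GoodSync Server` twice plus `A40B81B36CDC2D24910FC58816E50DCDE21BD1A9`) and in free_ping_tool on L775 (`can't find this one` twice).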
@@ -17,21 +17,25 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - FixMeit Client.exe
- - TiExpertStandalone.exe
- - FixMeitClient*.exe
- - TiExpertCore.exe
- - FixMeit Unattended Access Setup.exe
- - FixMeit Expert Setup.exe
+ - FixMeit Client.exe
+ - TiExpertStandalone.exe
+ - FixMeitClient*.exe
+ - TiExpertCore.exe
+ - FixMeit Unattended Access Setup.exe
+ - FixMeit Expert Setup.exe
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - fixme.it
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - fixme.it
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme_network_sigma.yml
+ Description: Detects potential network activity of FixMe RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme_processes_sigma.yml
+ Description: Detects potential processes activity of FixMe RMM tool
 References: []
 Acknowledgement: []
diff --git a/yaml/fleetdeck.yaml b/yaml/fleetdeck.yaml
index e2b4e1c4..089d2435 100644
--- a/yaml/fleetdeck.yaml
+++ b/yaml/fleetdeck.yaml
@@ -17,16 +17,20 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - fleetdeck_agent_svc.exe
+ - fleetdeck_agent_svc.exe
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - fleetdeck.io
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - fleetdeck.io
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdeck_network_sigma.yml
+ Description: Detects potential network activity of FleetDeck RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdeck_processes_sigma.yml
+ Description: Detects potential processes activity of FleetDeck RMM tool
 References: []
 Acknowledgement: []
diff --git a/yaml/fleetdeckio.yaml b/yaml/fleetdeckio.yaml
index 964b1c71..8014878e 100644
--- a/yaml/fleetdeckio.yaml
+++ b/yaml/fleetdeckio.yaml
@@ -17,20 +17,24 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - fleetdeck_agent_svc.exe
- - fleetdeck_commander_svc.exe
- - fleetdeck_installer.exe
- - fleetdeck_commander_launcher.exe
- - fleetdeck_agent.exe
+ - fleetdeck_agent_svc.exe
+ - fleetdeck_commander_svc.exe
+ - fleetdeck_installer.exe
+ - fleetdeck_commander_launcher.exe
+ - fleetdeck_agent.exe
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - fleetdeck.io
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - fleetdeck.io
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdeck.io_network_sigma.yml
+ Description: Detects potential network activity of FleetDeck.io RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdeck.io_processes_sigma.yml
+ Description: Detects potential processes activity of FleetDeck.io RMM tool
 References: []
 Acknowledgement: []
diff --git a/yaml/fleetdesk.io.yaml b/yaml/fleetdesk.io.yaml
index c72b88b8..de8612ab 100644
--- a/yaml/fleetdesk.io.yaml
+++ b/yaml/fleetdesk.io.yaml
@@ -17,23 +17,27 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - fleetdeck_agent_svc.exe
- - fleetdeck_commander_svc.exe
- - fleetdeck_installer.exe
- - fleetdeck_agent.exe
- - fleetdeck_commander_launcher.exe
+ - fleetdeck_agent_svc.exe
+ - fleetdeck_commander_svc.exe
+ - fleetdeck_installer.exe
+ - fleetdeck_agent.exe
+ - fleetdeck_commander_launcher.exe
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - '*.fleetdeck.io'
- - cognito-idp.us-west-2.amazonaws.com
- - fleetdeck.io
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - '*.fleetdeck.io'
+ - cognito-idp.us-west-2.amazonaws.com
+ - fleetdeck.io
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdesk.io_network_sigma.yml
+ Description: Detects potential network activity of FleetDesk.io RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdesk.io_processes_sigma.yml
+ Description: Detects potential processes activity of FleetDesk.io RMM tool
 References:
- - https://fleetdeck.io/faq/
+- https://fleetdeck.io/faq/
 Acknowledgement: []
diff --git a/yaml/fortra.yaml b/yaml/fortra.yaml
index c7432fc9..38819584 100644
--- a/yaml/fortra.yaml
+++ b/yaml/fortra.yaml
@@ -22,11 +22,13 @@ Artifacts:
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - fortra.com
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - fortra.com
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fortra_network_sigma.yml
+ Description: Detects potential network activity of Fortra RMM tool
 References:
- - https://www.fortra.com - No free/cloud RMM softwars listed
+- https://www.fortra.com - No free/cloud RMM softwars listed
 Acknowledgement: []
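Review bot: `cognito-idp.us-west-2.amazonaws.com` in the Domains list is a shared AWS Cognito identity endpoint used by many unrelated applications, so a network rule built from this list (the new `fleetdesk.io_network_sigma.yml` entry implies one is) would alert on ordinary SaaS logins rather than on FleetDeck specifically. Keeping it as context but marking it non-specific, e.g. `Description: Known remote domains; cognito-idp.us-west-2.amazonaws.com is a shared AWS endpoint, not tool-specific`, lets a generator exclude it. Note also that fleetdeck (L772), fleetdeckio (L773) and this file describe the same product with overlapping path lists and would be clearer merged into one entry.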
diff --git a/yaml/free_ping_tool.yaml b/yaml/free_ping_tool.yaml
index 3f24420a..4c5aa33b 100644
--- a/yaml/free_ping_tool.yaml
+++ b/yaml/free_ping_tool.yaml
@@ -17,8 +17,8 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - can't find this one
- - can't find this one
+ - can't find this one
+ - can't find this one
 Artifacts:
 Disk: []
 EventLog: []
diff --git a/yaml/free_tools_launcher.yaml b/yaml/free_tools_launcher.yaml
index 6f8d22f1..0c4c6da0 100644
--- a/yaml/free_tools_launcher.yaml
+++ b/yaml/free_tools_launcher.yaml
@@ -17,8 +17,8 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - C:\Program Files\ManageEngine\ManageEngine Free Tools\Launcher\*
- - '*\ManageEngine\*'
+ - C:\Program Files\ManageEngine\ManageEngine Free Tools\Launcher\*
+ - '*\ManageEngine\*'
 Artifacts:
 Disk: []
 EventLog: []
diff --git a/yaml/freefilesync.yaml b/yaml/freefilesync.yaml
index a2b00cc7..c8cd99e1 100644
--- a/yaml/freefilesync.yaml
+++ b/yaml/freefilesync.yaml
@@ -17,14 +17,16 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - C:\Program Files\FreeFileSync\*
- - '*\FreeFileSync\*'
- - '*\FreeFileSync.exe'
+ - C:\Program Files\FreeFileSync\*
+ - '*\FreeFileSync\*'
+ - '*\FreeFileSync.exe'
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network: []
-Detections: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/freefilesync_processes_sigma.yml
+ Description: Detects potential processes activity of FreeFileSync RMM tool
 References: []
 Acknowledgement: []
diff --git a/yaml/freenx.yaml b/yaml/freenx.yaml
index 696118df..4c88ee16 100644
--- a/yaml/freenx.yaml
+++ b/yaml/freenx.yaml
@@ -17,13 +17,15 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - C:\*\nxplayer.exe
- - '*\nxplayer.exe'
+ - C:\*\nxplayer.exe
+ - '*\nxplayer.exe'
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network: []
-Detections: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/freenx_processes_sigma.yml
+ Description: Detects potential processes activity of FreeNX RMM tool
 References: []
 Acknowledgement: []
diff --git a/yaml/gatherplace-desktop_sharing.yaml b/yaml/gatherplace-desktop_sharing.yaml
index de476552..14cbe8a8 100644
--- a/yaml/gatherplace-desktop_sharing.yaml
+++ b/yaml/gatherplace-desktop_sharing.yaml
@@ -17,21 +17,27 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - gp3.exe
- - gp4.exe
- - gp5.exe
+ - gp3.exe
+ - gp4.exe
+ - gp5.exe
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - '*.gatherplace.com'
- - '*.gatherplace.net'
- - gatherplace.com
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - '*.gatherplace.com'
+ - '*.gatherplace.net'
+ - gatherplace.com
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gatherplace-desktop_sharing_network_sigma.yml
+ Description: Detects potential network activity of GatherPlace-desktop sharing RMM
+ tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gatherplace-desktop_sharing_processes_sigma.yml
+ Description: Detects potential processes activity of GatherPlace-desktop sharing
+ RMM tool
 References:
- - https://www.gatherplace.com/kb?id=136377
+- https://www.gatherplace.com/kb?id=136377
 Acknowledgement: []
diff --git a/yaml/getscreen.yaml b/yaml/getscreen.yaml
index e6f5cb04..34b47715 100644
--- a/yaml/getscreen.yaml
+++ b/yaml/getscreen.yaml
@@ -17,20 +17,24 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - GetScreen.exe
- - getscreen.exe
+ - GetScreen.exe
+ - getscreen.exe
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - getscreen.me
- - GetScreen.me
- - '*.getscreen.me'
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - getscreen.me
+ - GetScreen.me
+ - '*.getscreen.me'
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/getscreen_network_sigma.yml
+ Description: Detects potential network activity of GetScreen RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/getscreen_processes_sigma.yml
+ Description: Detects potential processes activity of GetScreen RMM tool
 References:
- - https://docs.getscreen.me/self-hosted/system-requirements/
+- https://docs.getscreen.me/self-hosted/system-requirements/
 Acknowledgement: []
diff --git a/yaml/goodsync.yaml b/yaml/goodsync.yaml
index f3a9546c..9a557ab9 100644
--- a/yaml/goodsync.yaml
+++ b/yaml/goodsync.yaml
@@ -17,15 +17,17 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - installation requires paid version of GoodSync Server
- - installation requires paid version of GoodSync Server
- - GoodSync-vsub-Setup.exe
- - A40B81B36CDC2D24910FC58816E50DCDE21BD1A9
+ - installation requires paid version of GoodSync Server
+ - installation requires paid version of GoodSync Server
+ - GoodSync-vsub-Setup.exe
+ - A40B81B36CDC2D24910FC58816E50DCDE21BD1A9
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network: []
-Detections: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/goodsync_processes_sigma.yml
+ Description: Detects potential processes activity of GoodSync RMM tool
 References: []
 Acknowledgement: []
diff --git a/yaml/google_drive.yaml b/yaml/google_drive.yaml
index b39d7eb7..72af7807 100644
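Review bot: `getscreen.me` and `GetScreen.me` in the getscreen Domains list differ only in case; DNS names are case-insensitive, so the second entry is a duplicate that any generated rule would carry as a redundant selector. Dropping `- GetScreen.me` keeps the list minimal, and `'*.getscreen.me'` already covers the subdomains. The same duplication-by-case pattern shows up in InstallationPaths (`GetScreen.exe` and `getscreen.exe`), which matters only if the consumer matches case-sensitively.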
--- a/yaml/google_drive.yaml
+++ b/yaml/google_drive.yaml
@@ -17,16 +17,18 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - C:\Program Files\Google\Drive File Stream\*
- - '*\Google\Drive File Stream\*'
- - '*Users\*\AppData\*\Google\DriveFS*'
- - G:\My Drive*
- - '*\GoogleDriveFS.exe'
+ - C:\Program Files\Google\Drive File Stream\*
+ - '*\Google\Drive File Stream\*'
+ - '*Users\*\AppData\*\Google\DriveFS*'
+ - G:\My Drive*
+ - '*\GoogleDriveFS.exe'
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network: []
-Detections: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/google_drive_processes_sigma.yml
+ Description: Detects potential processes activity of Google Drive RMM tool
 References: []
 Acknowledgement: []
diff --git a/yaml/goto_opener.yaml b/yaml/goto_opener.yaml
index d002ab6d..c82137db 100644
--- a/yaml/goto_opener.yaml
+++ b/yaml/goto_opener.yaml
@@ -17,8 +17,8 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - C:\Program Files (x86)\GoTo Opener
- - '*\GoTo Opener'
+ - C:\Program Files (x86)\GoTo Opener
+ - '*\GoTo Opener'
 Artifacts:
 Disk: []
 EventLog: []
diff --git a/yaml/gotoassist.yaml b/yaml/gotoassist.yaml
index 71da1a59..b343b736 100644
--- a/yaml/gotoassist.yaml
+++ b/yaml/gotoassist.yaml
@@ -17,26 +17,30 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - gotoassist.exe
- - g2a*.exe
- - GoTo Assist Opener.exe
+ - gotoassist.exe
+ - g2a*.exe
+ - GoTo Assist Opener.exe
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - goto.com
- - '*.getgo.com'
- - '*.fastsupport.com'
- - '*.gotoassist.com'
- - helpme.net
- - '*.gotoassist.me'
- - '*.gotoassist.at'
- - '*.desktopstreaming.com'
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - goto.com
+ - '*.getgo.com'
+ - '*.fastsupport.com'
+ - '*.gotoassist.com'
+ - helpme.net
+ - '*.gotoassist.me'
+ - '*.gotoassist.at'
+ - '*.desktopstreaming.com'
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotoassist_network_sigma.yml
+ Description: Detects potential network activity of GoToAssist RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotoassist_processes_sigma.yml
+ Description: Detects potential processes activity of GoToAssist RMM tool
 References:
- - https://help.gotoassist.com/remote-support/help/what-should-i-allow-on-my-firewall-for-gotoassist-remote-support-v5
+- https://help.gotoassist.com/remote-support/help/what-should-i-allow-on-my-firewall-for-gotoassist-remote-support-v5
 Acknowledgement: []
diff --git a/yaml/gotoassist_(goto_resolve).yaml b/yaml/gotoassist_(goto_resolve).yaml
index 8652d850..5b911dff 100644
--- a/yaml/gotoassist_(goto_resolve).yaml
+++ b/yaml/gotoassist_(goto_resolve).yaml
@@ -17,9 +17,9 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - C:\ProgramFiles*\GoTo Machine Installer\*
- - '*\GoTo Machine Installer\*'
- - '*\GoTo\*'
+ - C:\ProgramFiles*\GoTo Machine Installer\*
+ - '*\GoTo Machine Installer\*'
+ - '*\GoTo\*'
 Artifacts:
 Disk: []
 EventLog: []
diff --git a/yaml/gotoassist_agent_desktop_console.yaml b/yaml/gotoassist_agent_desktop_console.yaml
index 8dfc3c3a..bba9a36e 100644
--- a/yaml/gotoassist_agent_desktop_console.yaml
+++ b/yaml/gotoassist_agent_desktop_console.yaml
@@ -17,8 +17,8 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - C:\*\G2RDesktopConsole-x64.msi
- - '*\G2RDesktopConsole-x64.msi'
+ - C:\*\G2RDesktopConsole-x64.msi
+ - '*\G2RDesktopConsole-x64.msi'
 Artifacts:
 Disk: []
 EventLog: []
diff --git a/yaml/gotohttp.yaml b/yaml/gotohttp.yaml
index 7e7fd08c..0c5f931d 100644
--- a/yaml/gotohttp.yaml
+++ b/yaml/gotohttp.yaml
@@ -17,20 +17,24 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - GotoHTTP_x64.exe
- - gotohttp.exe
- - GotoHTTP*.exe
+ - GotoHTTP_x64.exe
+ - gotohttp.exe
+ - GotoHTTP*.exe
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - '*.gotohttp.com'
- - gotohttp.com
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - '*.gotohttp.com'
+ - gotohttp.com
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotohttp_network_sigma.yml
+ Description: Detects potential network activity of GotoHTTP RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotohttp_processes_sigma.yml
+ Description: Detects potential processes activity of GotoHTTP RMM tool
 References:
- - https://gotohttp.com/goto/help.12x
+- https://gotohttp.com/goto/help.12x
 Acknowledgement: []
diff --git a/yaml/gotomypc.yaml b/yaml/gotomypc.yaml
index 7b47b98b..1e4b982d 100644
--- a/yaml/gotomypc.yaml
+++ b/yaml/gotomypc.yaml
@@ -1,53 +1,55 @@
 Name: GoToMyPC
-Description: |
- GoToMyPC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.
-Author: 'Nasreddine Bencherchali'
+Description: 'GoToMyPC is a remote monitoring and management (RMM) tool. More information
+ will be added as it becomes available.
+
+ '
+Author: Nasreddine Bencherchali
 Created: '2024-08-05'
 LastModified: '2024-08-05'
 Details:
 Website: ''
 PEMetadata:
- - Filename: 'AppCore.exe'
- - Filename: 'g2comm.exe'
- - Filename: 'g2file*.exe'
- - Filename: 'g2fileh.exe'
- - Filename: 'g2host.exe'
- - Filename: 'g2m_download.exe'
- - Filename: 'g2mainh.exe'
- - Filename: 'G2MChat.exe'
- - Filename: 'G2MCodecInstExtractor.exe'
- - Filename: 'G2MComm.exe'
- - Filename: 'G2MCoreInstExtractor.exe'
- - Filename: 'G2MFeedback.exe'
- - Filename: 'G2MHost.exee'
- - Filename: 'G2MInstaller.exe'
- - Filename: 'G2MInstallerExtractor.exe'
- - Filename: 'G2MInstHigh.exe'
- - Filename: 'G2MLauncher.exe'
- - Filename: 'G2MMatchMaking.exe'
- - Filename: 'G2MMaterials.exe'
- - Filename: 'G2MPolling.exe'
- - Filename: 'G2MQandA.exe'
- - Filename: 'G2MRecorder.exe'
- - Filename: 'G2MScrUtil64.exe'
- - Filename: 'G2MSessionControl.exe'
- - Filename: 'G2MStart.exe'
- - Filename: 'G2MTesting.exe'
- - Filename: 'G2MTranscoder.exe'
- - Filename: 'G2MUI.exe'
- - Filename: 'G2MUninstall.exe'
- - Filename: 'g2mupload.exe'
- - Filename: 'g2mvideoconference.exe'
- - Filename: 'G2MView.exe'
- - Filename: 'g2printh.exe'
- - Filename: 'g2quick.exe'
- - Filename: 'g2svc.exe'
- - Filename: 'g2tray.exe'
- - Filename: 'gopcsrv.exe'
- - Filename: 'GoToScrUtils.exe'
- - Filename: 'GoTo.exe'
- OriginalFileName: ''
- Description: ''
+ - Filename: AppCore.exe
+ - Filename: g2comm.exe
+ - Filename: g2file*.exe
+ - Filename: g2fileh.exe
+ - Filename: g2host.exe
+ - Filename: g2m_download.exe
+ - Filename: g2mainh.exe
+ - Filename: G2MChat.exe
+ - Filename: G2MCodecInstExtractor.exe
+ - Filename: G2MComm.exe
+ - Filename: G2MCoreInstExtractor.exe
+ - Filename: G2MFeedback.exe
+ - Filename: G2MHost.exee
+ - Filename: G2MInstaller.exe
+ - Filename: G2MInstallerExtractor.exe
+ - Filename: G2MInstHigh.exe
+ - Filename: G2MLauncher.exe
+ - Filename: G2MMatchMaking.exe
+ - Filename: G2MMaterials.exe
+ - Filename: G2MPolling.exe
+ - Filename: G2MQandA.exe
+ - Filename: G2MRecorder.exe
+ - Filename: G2MScrUtil64.exe
+ - Filename: G2MSessionControl.exe
+ - Filename: G2MStart.exe
+ - Filename: G2MTesting.exe
+ - Filename: G2MTranscoder.exe
+ - Filename: G2MUI.exe
+ - Filename: G2MUninstall.exe
+ - Filename: g2mupload.exe
+ - Filename: g2mvideoconference.exe
+ - Filename: G2MView.exe
+ - Filename: g2printh.exe
+ - Filename: g2quick.exe
+ - Filename: g2svc.exe
+ - Filename: g2tray.exe
+ - Filename: gopcsrv.exe
+ - Filename: GoToScrUtils.exe
+ - Filename: GoTo.exe
+ OriginalFileName: ''
+ Description: ''
 Privileges: ''
 Free: ''
 Verification: ''
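Review bot: `- Filename: G2MHost.exee` on the new side keeps a trailing extra `e` from the old entry; as a PE filename indicator it will never match the real binary, and `- Filename: G2MHost.exe` is almost certainly the intent, so this reformat is the moment to fix it. Separately, the `|` block scalar was turned into a single-quoted scalar spanning an empty line and a bare `'` line; that preserves the original trailing newline but is hard to read and easy to break when edited by hand, and a plain `Description: GoToMyPC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.` would be clearer unless the template relies on the trailing newline.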
@@ -55,35 +57,41 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - 'C:\Program Files (x86)\GoToMyPC\*'
+ - C:\Program Files (x86)\GoToMyPC\*
 Artifacts:
 Disk:
- - File: '%AppData%\GoTo\Logs\goto.log'
- Description: N/A
- OS: Windows
+ - File: '%AppData%\GoTo\Logs\goto.log'
+ Description: N/A
+ OS: Windows
 EventLog: []
 Registry:
- - Path: 'HKEY_LOCAL_MACHINE\WOW6432Node\Citrix\GoToMyPc'
- Description: 'Configuration settings including registration email'
- - Path: 'HKEY_LOCAL_MACHINE\WOW6432Node\Citrix\GoToMyPc\GuestInvite'
- Description: 'Guest invites send to connect'
- - Path: 'HKEY_CURRENT_USER\SOFTWARE\Citrix\GoToMyPc\FileTransfer\history'
- Description: 'hostname of the computer making connections and location of transferred
- files'
- - Path: 'HKEY_USERS\\SOFTWARE\Citrix\GoToMyPc\FileTransfer\history'
- Description: 'hostname of the computer making connections and location of transferred
- files'
+ - Path: HKEY_LOCAL_MACHINE\WOW6432Node\Citrix\GoToMyPc
+ Description: Configuration settings including registration email
+ - Path: HKEY_LOCAL_MACHINE\WOW6432Node\Citrix\GoToMyPc\GuestInvite
+ Description: Guest invites send to connect
+ - Path: HKEY_CURRENT_USER\SOFTWARE\Citrix\GoToMyPc\FileTransfer\history
+ Description: hostname of the computer making connections and location of transferred
+ files
+ - Path: HKEY_USERS\\SOFTWARE\Citrix\GoToMyPc\FileTransfer\history
+ Description: hostname of the computer making connections and location of transferred
+ files
 Network:
- - Description: N/A
- Domains:
- - '*.GoToMyPC.com'
- Ports:
- - N/A
-Detections: []
+ - Description: N/A
+ Domains:
+ - '*.GoToMyPC.com'
+ Ports:
+ - N/A
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_registry_sigma.yml
+ Description: Detects potential registry activity of GoToMyPC RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_network_sigma.yml
+ Description: Detects potential network activity of GoToMyPC RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_files_sigma.yml
+ Description: Detects potential files activity of GoToMyPC RMM tool
 References:
- - https://support.logmeininc.com/gotomypc/help/what-are-the-optimal-firewall-configurations#
- - https://support.goto.com/training/help/how-do-i-configure-gototraining-to-work-with-firewalls
- - https://ruler-project.github.io/ruler-project/RULER/remote/Citrix%20GoToMyPC/
+- https://support.logmeininc.com/gotomypc/help/what-are-the-optimal-firewall-configurations#
+- https://support.goto.com/training/help/how-do-i-configure-gototraining-to-work-with-firewalls
+- https://ruler-project.github.io/ruler-project/RULER/remote/Citrix%20GoToMyPC/
 Acknowledgement:
- - Person: "Phill Moore"
- Handle: "@phillmoore"
+- Person: Phill Moore
+ Handle: '@phillmoore'
diff --git a/yaml/goverlan.yaml b/yaml/goverlan.yaml
index 3237fec3..053e4f00 100644
--- a/yaml/goverlan.yaml
+++ b/yaml/goverlan.yaml
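Review bot: `Ports:` still holds `- N/A` as its only element, so any consumer that treats Ports as a list of port numbers (the new `gotomypc_network_sigma.yml` entry suggests a network rule is generated from this block) receives a non-numeric value; `Ports: []`, the convention used by every other file in this diff, says the same thing safely. The registry path `HKEY_USERS\\SOFTWARE\Citrix\GoToMyPc\FileTransfer\history` keeps a doubled backslash where a per-user SID component appears to have been elided; if a wildcard is meant it should read `HKEY_USERS\*\SOFTWARE\Citrix\GoToMyPc\FileTransfer\history`, otherwise the path as written cannot exist and a registry rule built from it will not match. `Guest invites send to connect` also reads as `sent`.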
@@ -17,25 +17,29 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - goverrmc.exe
- - govsrv*.exe
- - GovAgentInstallHelper.exe
- - GovAgentx64.exe
- - GovReachClient.exe
- - C:\Program Files (x86)\PJ Technologies\GOVsrv\*
- - '*\PJ Technologies\GOVsrv\*'
- - '*\GovSrv.exe'
+ - goverrmc.exe
+ - govsrv*.exe
+ - GovAgentInstallHelper.exe
+ - GovAgentx64.exe
+ - GovReachClient.exe
+ - C:\Program Files (x86)\PJ Technologies\GOVsrv\*
+ - '*\PJ Technologies\GOVsrv\*'
+ - '*\GovSrv.exe'
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - user_managed
- - goverlan.com
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - user_managed
+ - goverlan.com
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/goverlan_network_sigma.yml
+ Description: Detects potential network activity of Goverlan RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/goverlan_processes_sigma.yml
+ Description: Detects potential processes activity of Goverlan RMM tool
 References:
- - https://www.goverlan.com/pdf/Goverlan-Remote-Control-Software.pdf
+- https://www.goverlan.com/pdf/Goverlan-Remote-Control-Software.pdf
 Acknowledgement: []
diff --git a/yaml/guacamole.yaml b/yaml/guacamole.yaml
index 386f6b3d..b70ad57d 100644
--- a/yaml/guacamole.yaml
+++ b/yaml/guacamole.yaml
@@ -17,18 +17,22 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - guacd.exe
+ - guacd.exe
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - user_managed
- - guacamole.apache.org
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - user_managed
+ - guacamole.apache.org
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/guacamole_network_sigma.yml
+ Description: Detects potential network activity of Guacamole RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/guacamole_processes_sigma.yml
+ Description: Detects potential processes activity of Guacamole RMM tool
 References:
- - guacamole.apache.org
+- guacamole.apache.org
 Acknowledgement: []
diff --git a/yaml/helpbeam.yaml b/yaml/helpbeam.yaml
index bd283bcb..1fb30da9 100644
--- a/yaml/helpbeam.yaml
+++ b/yaml/helpbeam.yaml
@@ -17,17 +17,21 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - helpbeam*.exe
+ - helpbeam*.exe
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - helpbeam.software.informer.com
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - helpbeam.software.informer.com
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpbeam_network_sigma.yml
+ Description: Detects potential network activity of HelpBeam RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpbeam_processes_sigma.yml
+ Description: Detects potential processes activity of HelpBeam RMM tool
 References:
- - https://www.helpbeam.com domain for sale in 2024
+- https://www.helpbeam.com domain for sale in 2024
 Acknowledgement: []
diff --git a/yaml/helpu.yaml b/yaml/helpu.yaml
index dc1d05cb..2d3a88e6 100644
--- a/yaml/helpu.yaml
+++ b/yaml/helpu.yaml
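Review bot: The only Domains entry in the helpbeam hunk is `helpbeam.software.informer.com`, a third-party software-listing page, and the reference on the same hunk records that the vendor domain is for sale in 2024; a network rule generated from this list (the new `helpbeam_network_sigma.yml` entry) would therefore flag visits to a download directory rather than tool traffic. Either leave Domains empty so no network rule is emitted for this entry, or state the situation in the description, e.g. `Description: No known live tool infrastructure; software.informer.com is a third-party listing site`, so a generator can skip it.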
@@ -17,20 +17,24 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - helpu_install.exe - - HelpuUpdater.exe - - HelpuManager.exe + - helpu_install.exe + - HelpuUpdater.exe + - HelpuManager.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - helpu.co.kr - - '*.helpu.co.kr' - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - helpu.co.kr + - '*.helpu.co.kr' + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpu_network_sigma.yml + Description: Detects potential network activity of HelpU RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpu_processes_sigma.yml + Description: Detects potential processes activity of HelpU RMM tool References: - - https://helpu.co.kr/ +- https://helpu.co.kr/ Acknowledgement: [] diff --git a/yaml/i'm_intouch.yaml b/yaml/i'm_intouch.yaml index 6908b941..62254639 100644 --- a/yaml/i'm_intouch.yaml +++ b/yaml/i'm_intouch.yaml 
@@ -17,20 +17,24 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - iit.exe - - intouch.exe - - I'm InTouch Go Installer.exe + - iit.exe + - intouch.exe + - I'm InTouch Go Installer.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - '*.01com.com' - - 01com.com/imintouch-remote-pc-desktop - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - '*.01com.com' + - 01com.com/imintouch-remote-pc-desktop + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/i'm_intouch_network_sigma.yml + Description: Detects potential network activity of I'm InTouch RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/i'm_intouch_processes_sigma.yml + Description: Detects potential processes activity of I'm InTouch RMM tool References: - - https://www.01com.com/mobile/imintouch-remote-pc-desktop/faqs/remote-access/ +- https://www.01com.com/mobile/imintouch-remote-pc-desktop/faqs/remote-access/ Acknowledgement: [] diff --git a/yaml/imperoconnect.yaml b/yaml/imperoconnect.yaml index 4510ebd0..46cd3503 100644 --- a/yaml/imperoconnect.yaml +++ b/yaml/imperoconnect.yaml 
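Review bot: The new `Sigma` paths `i'm_intouch_network_sigma.yml` and `i'm_intouch_processes_sigma.yml` keep the apostrophe from the tool name, while the other slugs in this diff replace punctuation with underscores (`kaseya__vsa__`, `itsupport247__connectwise__`), so the naming rule is inconsistent and the literal `'` in a file name and URL is awkward for shell quoting and for some link checkers. A slug like `im_intouch_network_sigma.yml` (apostrophe dropped, as the parentheses are elsewhere) would be safer, with the slug generator applying one rule to all punctuation. Separately, the `Domains` entry `01com.com/imintouch-remote-pc-desktop` is a URL path rather than a host name; if the generated network rule matches on destination host, that entry can never match, and the same applies to `intelliadmin.com/remote-control` and `repairtechsolutions.com/kabuto/` in the intelliadmin and kabuto hunks below.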
@@ -17,16 +17,20 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - ImperoClientSVC.exe + - ImperoClientSVC.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - imperosoftware.com - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - imperosoftware.com + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/impero_connect_network_sigma.yml + Description: Detects potential network activity of Impero Connect RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/impero_connect_processes_sigma.yml + Description: Detects potential processes activity of Impero Connect RMM tool References: [] Acknowledgement: [] diff --git a/yaml/instant_housecall.yaml b/yaml/instant_housecall.yaml index a348b5ad..9f5deb91 100644 --- a/yaml/instant_housecall.yaml +++ b/yaml/instant_housecall.yaml 
@@ -17,23 +17,27 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - hsloader.exe - - ihcserver.exe - - instanthousecall.exe - - instanthousecall.exe + - hsloader.exe + - ihcserver.exe + - instanthousecall.exe + - instanthousecall.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - '*.instanthousecall.com' - - '*.instanthousecall.net' - - instanthousecall.com - - secure.instanthousecall.com - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - '*.instanthousecall.com' + - '*.instanthousecall.net' + - instanthousecall.com + - secure.instanthousecall.com + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_network_sigma.yml + Description: Detects potential network activity of Instant Housecall RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_processes_sigma.yml + Description: Detects potential processes activity of Instant Housecall RMM tool References: - - https://instanthousecall.com/features/ +- https://instanthousecall.com/features/ Acknowledgement: [] diff --git a/yaml/instanthousecall.yaml b/yaml/instanthousecall.yaml index d822e997..252ff163 100644 --- a/yaml/instanthousecall.yaml +++ b/yaml/instanthousecall.yaml 
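Review bot: The `Detections` added here point to `instant_housecall_network_sigma.yml` / `instant_housecall_processes_sigma.yml`, which are exactly the paths the next hunk (`yaml/instanthousecall.yaml`) receives as well, so two records claim the same rule files and, if the rules are generated from the records, whichever file is processed last wins. The same collision appears for `isl_online.yaml` / `islonline.yaml` and for `itsupport247_(connectwise).yaml` / `itsupport247connectwise.yaml`, where the second record carries an extra domain (`itsupport247.net`) that may or may not end up in the shared rule. Merging each pair into one record, or deriving the slug from the file name rather than from `Name`, removes the ambiguity. This record also lists `instanthousecall.exe` twice under `InstallationPaths`; one entry can be dropped.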
@@ -17,23 +17,27 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - hsloader.exe - - InstantHousecall.exe - - ihcserver.exe - - instanthousecall.exe + - hsloader.exe + - InstantHousecall.exe + - ihcserver.exe + - instanthousecall.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - '*.instanthousecall.com' - - secure.instanthousecall.com - - '*.instanthousecall.net' - - instanthousecall.com - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - '*.instanthousecall.com' + - secure.instanthousecall.com + - '*.instanthousecall.net' + - instanthousecall.com + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_network_sigma.yml + Description: Detects potential network activity of Instant Housecall RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_processes_sigma.yml + Description: Detects potential processes activity of Instant Housecall RMM tool References: - - https://instanthousecall.com/features/ +- https://instanthousecall.com/features/ Acknowledgement: [] diff --git a/yaml/insync.yaml b/yaml/insync.yaml index ac9296fa..a924b3a9 100644 --- a/yaml/insync.yaml +++ b/yaml/insync.yaml @@ -17,14 +17,16 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - C:\Users\USERNAME\AppData\Roaming\Insync\App\Insync.exe - - '*Users\*\AppData\Roaming\Insync\App\Insync.exe' - - '*\Insync.exe' + - C:\Users\USERNAME\AppData\Roaming\Insync\App\Insync.exe + - '*Users\*\AppData\Roaming\Insync\App\Insync.exe' + - '*\Insync.exe' Artifacts: Disk: [] EventLog: [] Registry: [] Network: [] -Detections: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/insync_processes_sigma.yml + Description: Detects potential processes activity of Insync RMM tool References: [] Acknowledgement: [] 
diff --git a/yaml/intelliadmin_remote_control.yaml b/yaml/intelliadmin_remote_control.yaml index 09ded1e9..17033d57 100644 --- a/yaml/intelliadmin_remote_control.yaml +++ b/yaml/intelliadmin_remote_control.yaml @@ -17,23 +17,29 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - iadmin.exe - - intelliadmin.exe - - agent32.exe - - agent64.exe - - agent_setup_5.exe + - iadmin.exe + - intelliadmin.exe + - agent32.exe + - agent64.exe + - agent_setup_5.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - user_managed - - '*.intelliadmin.com' - - intelliadmin.com/remote-control - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - user_managed + - '*.intelliadmin.com' + - intelliadmin.com/remote-control + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/intelliadmin_remote_control_network_sigma.yml + Description: Detects potential network activity of IntelliAdmin Remote Control RMM + tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/intelliadmin_remote_control_processes_sigma.yml + Description: Detects potential processes activity of IntelliAdmin Remote Control + RMM tool References: - - intelliadmin.com/remote-control +- intelliadmin.com/remote-control Acknowledgement: [] diff --git a/yaml/iperius_remote.yaml b/yaml/iperius_remote.yaml index f08d91b6..103edd22 100644 --- a/yaml/iperius_remote.yaml +++ b/yaml/iperius_remote.yaml 
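Review bot: The added `Description` values are wrapped by the dumper at about column 80 (`... IntelliAdmin Remote Control RMM` continued by `tool` on the next line), which is valid YAML but means a grep for the full sentence misses and every future name change produces a noisy re-wrap; the same wrapping shows up in the itsupport247, labteach and labtech hunks. If the dumper is PyYAML, passing a large `width` to `yaml.dump` keeps each description on one line; other dumpers have an equivalent setting.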
@@ -17,21 +17,25 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - iperius.exe - - iperiusremote.exe + - iperius.exe + - iperiusremote.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - '*.iperiusremote.com' - - '*.iperius.com' - - '*.iperius-rs.com' - - iperiusremote.com - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - '*.iperiusremote.com' + - '*.iperius.com' + - '*.iperius-rs.com' + - iperiusremote.com + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/iperius_remote_network_sigma.yml + Description: Detects potential network activity of Iperius Remote RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/iperius_remote_processes_sigma.yml + Description: Detects potential processes activity of Iperius Remote RMM tool References: - - https://www.iperiusremote.com/download-iperius-remote-desktop-windows.aspx +- https://www.iperiusremote.com/download-iperius-remote-desktop-windows.aspx Acknowledgement: [] diff --git a/yaml/isl_light.yaml b/yaml/isl_light.yaml index d5be185b..306a2c41 100644 --- a/yaml/isl_light.yaml +++ b/yaml/isl_light.yaml 
@@ -17,18 +17,22 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - islalwaysonmonitor.exe - - isllight.exe - - isllightservice.exe + - islalwaysonmonitor.exe + - isllight.exe + - isllightservice.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - islonline.com - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - islonline.com + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_light_network_sigma.yml + Description: Detects potential network activity of ISL Light RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_light_processes_sigma.yml + Description: Detects potential processes activity of ISL Light RMM tool References: [] Acknowledgement: [] diff --git a/yaml/isl_online.yaml b/yaml/isl_online.yaml index 5e3385c5..9ad38091 100644 --- a/yaml/isl_online.yaml +++ b/yaml/isl_online.yaml 
@@ -17,24 +17,28 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - islalwaysonmonitor.exe - - isllight.exe - - isllightservice.exe - - ISLLightClient.exe - - C:\Program Files (x86)\ISL Online\ISL Light* - - '*\ISL Online\ISL Light*' - - '*\ISLLight.exe' + - islalwaysonmonitor.exe + - isllight.exe + - isllightservice.exe + - ISLLightClient.exe + - C:\Program Files (x86)\ISL Online\ISL Light* + - '*\ISL Online\ISL Light*' + - '*\ISLLight.exe' Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - '*.islonline.com' - - '*.islonline.net' - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - '*.islonline.com' + - '*.islonline.net' + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_network_sigma.yml + Description: Detects potential network activity of ISL Online RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_processes_sigma.yml + Description: Detects potential processes activity of ISL Online RMM tool References: - - https://help.islonline.com/19818/165940 +- https://help.islonline.com/19818/165940 Acknowledgement: [] diff --git a/yaml/islonline.yaml b/yaml/islonline.yaml index 5c42475a..6bd6d02f 100644 --- a/yaml/islonline.yaml +++ b/yaml/islonline.yaml 
@@ -17,25 +17,29 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - '*\ISLLight.exe' - - isllight.exe - - ISLLightClient.exe - - C:\Program Files (x86)\ISL Online\ISL Light* - - '*\ISL Online\ISL Light*' - - ISLLight.exe - - isllightservice.exe - - islalwaysonmonitor.exe + - '*\ISLLight.exe' + - isllight.exe + - ISLLightClient.exe + - C:\Program Files (x86)\ISL Online\ISL Light* + - '*\ISL Online\ISL Light*' + - ISLLight.exe + - isllightservice.exe + - islalwaysonmonitor.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - '*.islonline.com' - - '*.islonline.net' - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - '*.islonline.com' + - '*.islonline.net' + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_network_sigma.yml + Description: Detects potential network activity of ISL Online RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_processes_sigma.yml + Description: Detects potential processes activity of ISL Online RMM tool References: - - https://help.islonline.com/19818/165940 +- https://help.islonline.com/19818/165940 Acknowledgement: [] diff --git a/yaml/itarian.yaml b/yaml/itarian.yaml index 486424d0..3bf72ad0 100644 --- a/yaml/itarian.yaml +++ b/yaml/itarian.yaml 
@@ -17,30 +17,34 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - ITSMAgent.exe - - RViewer.exe - - ItsmRsp.exe - - RAccess.exe - - RmmService.exe - - ITarianRemoteAccessSetup.exe - - RDesktop.exe - - ComodoRemoteControl.exe - - ITSMService.exe - - RHost.exe + - ITSMAgent.exe + - RViewer.exe + - ItsmRsp.exe + - RAccess.exe + - RmmService.exe + - ITarianRemoteAccessSetup.exe + - RDesktop.exe + - ComodoRemoteControl.exe + - ITSMService.exe + - RHost.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - mdmsupport.comodo.com - - '*.itsm-us1.comodo.com' - - '*.cmdm.comodo.com' - - remoteaccess.itarian.com - - servicedesk.itarian.com - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - mdmsupport.comodo.com + - '*.itsm-us1.comodo.com' + - '*.cmdm.comodo.com' + - remoteaccess.itarian.com + - servicedesk.itarian.com + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itarian_network_sigma.yml + Description: Detects potential network activity of Itarian RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itarian_processes_sigma.yml + Description: Detects potential processes activity of Itarian RMM tool References: - - https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html +- https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html Acknowledgement: [] diff --git a/yaml/itsupport247_(connectwise).yaml b/yaml/itsupport247_(connectwise).yaml index aaa83b6c..a629865c 100644 --- a/yaml/itsupport247_(connectwise).yaml +++ b/yaml/itsupport247_(connectwise).yaml 
@@ -17,17 +17,23 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - saazapsc.exe + - saazapsc.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - '*.itsupport247.net' - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - '*.itsupport247.net' + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__network_sigma.yml + Description: Detects potential network activity of ITSupport247 (ConnectWise) RMM + tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__processes_sigma.yml + Description: Detects potential processes activity of ITSupport247 (ConnectWise) + RMM tool References: - - https://control.itsupport247.net/ +- https://control.itsupport247.net/ Acknowledgement: [] diff --git a/yaml/itsupport247connectwise.yaml b/yaml/itsupport247connectwise.yaml index 825a413f..5de35624 100644 --- a/yaml/itsupport247connectwise.yaml +++ b/yaml/itsupport247connectwise.yaml 
@@ -17,18 +17,24 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - saazapsc.exe + - saazapsc.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - '*.itsupport247.net' - - itsupport247.net - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - '*.itsupport247.net' + - itsupport247.net + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__network_sigma.yml + Description: Detects potential network activity of ITSupport247 (ConnectWise) RMM + tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__processes_sigma.yml + Description: Detects potential processes activity of ITSupport247 (ConnectWise) + RMM tool References: - - https://control.itsupport247.net/ +- https://control.itsupport247.net/ Acknowledgement: [] diff --git a/yaml/ivanti_remote_control.yaml b/yaml/ivanti_remote_control.yaml index 808b6e78..54df8f18 100644 --- a/yaml/ivanti_remote_control.yaml +++ b/yaml/ivanti_remote_control.yaml 
@@ -17,19 +17,23 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - IvantiRemoteControl.exe - - ArcUI.exe - - AgentlessRC.exe + - IvantiRemoteControl.exe + - ArcUI.exe + - AgentlessRC.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - '*.ivanticloud.com' - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - '*.ivanticloud.com' + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ivanti_remote_control_network_sigma.yml + Description: Detects potential network activity of Ivanti Remote Control RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ivanti_remote_control_processes_sigma.yml + Description: Detects potential processes activity of Ivanti Remote Control RMM tool References: - - https://rc1.ivanticloud.com/ +- https://rc1.ivanticloud.com/ Acknowledgement: [] diff --git a/yaml/jump_cloud.yaml b/yaml/jump_cloud.yaml index 367afbe3..722397e4 100644 --- a/yaml/jump_cloud.yaml +++ b/yaml/jump_cloud.yaml @@ -17,18 +17,20 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - 'JumpCloud*.exe ' + - 'JumpCloud*.exe ' Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - '*.api.jumpcloud.com' - - '*.assist.jumpcloud.com' - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - '*.api.jumpcloud.com' + - '*.assist.jumpcloud.com' + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_cloud_network_sigma.yml + Description: Detects potential network activity of Jump Cloud RMM tool References: - - https://jumpcloud.com/support/understand-remote-assist-agent +- https://jumpcloud.com/support/understand-remote-assist-agent Acknowledgement: [] diff --git a/yaml/jump_desktop.yaml b/yaml/jump_desktop.yaml index e5e11fc4..4ec6d4c0 100644 
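Review bot: In the jump_cloud hunk the `InstallationPaths` entry `'JumpCloud*.exe '` keeps a trailing space inside the quotes (the only reason the value is quoted at all), and a glob that ends in a space cannot match a real image name; change it to `- JumpCloud*.exe`. Of the records in this diff that list an `.exe` pattern, this is the only one that receives no `*_processes_sigma.yml` entry, which may be a symptom of that stray space if the generator filters on the pattern — worth confirming before the rule set is published.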
--- a/yaml/jump_desktop.yaml +++ b/yaml/jump_desktop.yaml @@ -17,24 +17,28 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - jumpclient.exe - - jumpdesktop.exe - - jumpservice.exe - - jumpconnect.exe - - jumpupdater.exe + - jumpclient.exe + - jumpdesktop.exe + - jumpservice.exe + - jumpconnect.exe + - jumpupdater.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - '*.jumpdesktop.com' - - jumpdesktop.com - - jumpto.me - - '*.jumpto.me' - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - '*.jumpdesktop.com' + - jumpdesktop.com + - jumpto.me + - '*.jumpto.me' + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_desktop_network_sigma.yml + Description: Detects potential network activity of Jump Desktop RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_desktop_processes_sigma.yml + Description: Detects potential processes activity of Jump Desktop RMM tool References: - - https://support.jumpdesktop.com/hc/en-us/articles/360042490351-Administrators-Guide-For-Jump-Desktop-Connect +- https://support.jumpdesktop.com/hc/en-us/articles/360042490351-Administrators-Guide-For-Jump-Desktop-Connect Acknowledgement: [] diff --git a/yaml/kabuto.yaml b/yaml/kabuto.yaml index 9cf009d3..013f87ec 100644 --- a/yaml/kabuto.yaml +++ b/yaml/kabuto.yaml 
@@ -17,18 +17,22 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - Kabuto.App.Runner.exe + - Kabuto.App.Runner.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - '*.kabuto.io' - - repairtechsolutions.com/kabuto/ - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - '*.kabuto.io' + - repairtechsolutions.com/kabuto/ + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kabuto_network_sigma.yml + Description: Detects potential network activity of Kabuto RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kabuto_processes_sigma.yml + Description: Detects potential processes activity of Kabuto RMM tool References: - - https://www.repairtechsolutions.com/documentation/kabuto/ +- https://www.repairtechsolutions.com/documentation/kabuto/ Acknowledgement: [] diff --git a/yaml/kaseya.yaml b/yaml/kaseya.yaml index 4b47a6a3..6bc3ae38 100644 --- a/yaml/kaseya.yaml +++ b/yaml/kaseya.yaml @@ -1,17 +1,19 @@ Name: Kaseya (VSA) -Description: | - Kaseya (VSA) aka Unigma is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. -Author: 'Nasreddine Bencherchali' +Description: 'Kaseya (VSA) aka Unigma is a remote monitoring and management (RMM) + tool. More information will be added as it becomes available. + + ' +Author: Nasreddine Bencherchali Created: '2024-08-05' LastModified: '2024-08-05' Details: Website: '' PEMetadata: - - Filename: 'agentmon.exe' - - Filename: 'KaUpdHlp.exe' - - Filename: 'KaUsrTsk.exe' - OriginalFileName: '' - Description: '' + - Filename: agentmon.exe + - Filename: KaUpdHlp.exe + - Filename: KaUsrTsk.exe + OriginalFileName: '' + Description: '' Privileges: '' Free: '' Verification: '' 
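Review bot: In the kaseya hunk the `Description` block scalar was rewritten as a single-quoted scalar whose trailing newline survives as an embedded blank line and a dangling `'`, which is valid but hard to read and easy to break on the next hand edit; either keep the `|` block or strip the trailing newline before dumping so it becomes a one-line `Description: Kaseya (VSA) aka Unigma is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.`. Under `PEMetadata`, `OriginalFileName: ''` and `Description: ''` belong only to the third list item; if the page template prints every key of the mapping, those render as empty bullets, so either fill them in or drop the empty keys.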
@@ -19,71 +21,75 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - C:\Program Files (x86)\Kaseya\ - - C:\ProgramData\Kaseya\ + - C:\Program Files (x86)\Kaseya\ + - C:\ProgramData\Kaseya\ Artifacts: Disk: - - File: '%localappdata%\Kaseya\Log\KaseyaLiveConnect\*' - Description: 'Kaseya Live Connect logs' - OS: Windows - - File: '~/Library/Logs/com.kaseya/KaseyaLiveConnect/*' - Description: 'Kaseya Live Connect logs' - OS: MacOS - - File: 'C:\ProgramData\Kaseya\Log\Endpoint\*' - Description: 'Kaseya Endpoint logs' - OS: Windows - - File: 'C:\Program Files*\Kaseya\*\agentmon.log' - Description: 'Kaseya Agent Monitor log' - - File: '/var/log/system.log' - Description: 'Kaseya Agent Monitor log' - OS: MacOS 32bit - - File: ' ~/opt/kaseya/*/logs*' - Description: 'Kaseya Agent Monitor log' - OS: MacOS 64bit - - File: 'C:\Users\*\AppData\Local\Temp\KASetup.log' - Description: 'Kaseya Setup log in user temp directory' - OS: Windows - - File: 'C:\Windows\Temp\KASetup.log' - Description: 'Kaseya Setup log in Windows temp directory' - OS: Windows - - File: 'C:\ProgramData\Kaseya\Log\KaseyaEdgeServices\*' - Description: 'Kaseya Edge Services logs' - OS: Windows - - File: 'C:\Kaseya\api\v1.0\logs\' - Description: 'Kaseya API logs' - OS: Windows - - File: 'C:\Kaseya\api\v1.5\endpoint\logs' - Description: 'Kaseya API logs' - OS: Windows - - File: 'C:\Kaseya\api\v1.5\endpoints\logs' - Description: 'Kaseya API logs' - OS: Windows - - File: 'C:\Windows\System32\config\systemprofile\AppData\Local\Kaseya\Log\MakeSelfSignedCert.exe\' - Description: 'Certificate creation' - OS: Windows - - File: 'C:\Kaseya\WebPages\install\makecert.txt' - Description: 'Certificate creation' - OS: Windows - - File: 'C:\ProgramData\Kaseya\Log\Endpoint\Instance_*\KaseyaEndpoint*' - Description: 'Endpoint service logs' - OS: Windows - - File: 'C:\ProgramData\Kaseya\Log\Endpoint\Instance_*\Session_*' - Description: 'Session logs' - OS: Windows + - File: 
'%localappdata%\Kaseya\Log\KaseyaLiveConnect\*' + Description: Kaseya Live Connect logs + OS: Windows + - File: ~/Library/Logs/com.kaseya/KaseyaLiveConnect/* + Description: Kaseya Live Connect logs + OS: MacOS + - File: C:\ProgramData\Kaseya\Log\Endpoint\* + Description: Kaseya Endpoint logs + OS: Windows + - File: C:\Program Files*\Kaseya\*\agentmon.log + Description: Kaseya Agent Monitor log + - File: /var/log/system.log + Description: Kaseya Agent Monitor log + OS: MacOS 32bit + - File: ' ~/opt/kaseya/*/logs*' + Description: Kaseya Agent Monitor log + OS: MacOS 64bit + - File: C:\Users\*\AppData\Local\Temp\KASetup.log + Description: Kaseya Setup log in user temp directory + OS: Windows + - File: C:\Windows\Temp\KASetup.log + Description: Kaseya Setup log in Windows temp directory + OS: Windows + - File: C:\ProgramData\Kaseya\Log\KaseyaEdgeServices\* + Description: Kaseya Edge Services logs + OS: Windows + - File: C:\Kaseya\api\v1.0\logs\ + Description: Kaseya API logs + OS: Windows + - File: C:\Kaseya\api\v1.5\endpoint\logs + Description: Kaseya API logs + OS: Windows + - File: C:\Kaseya\api\v1.5\endpoints\logs + Description: Kaseya API logs + OS: Windows + - File: C:\Windows\System32\config\systemprofile\AppData\Local\Kaseya\Log\MakeSelfSignedCert.exe\ + Description: Certificate creation + OS: Windows + - File: C:\Kaseya\WebPages\install\makecert.txt + Description: Certificate creation + OS: Windows + - File: C:\ProgramData\Kaseya\Log\Endpoint\Instance_*\KaseyaEndpoint* + Description: Endpoint service logs + OS: Windows + - File: C:\ProgramData\Kaseya\Log\Endpoint\Instance_*\Session_* + Description: Session logs + OS: Windows EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - deploy01.kaseya.com - - '*managedsupport.kaseya.net' - - '*.kaseya.net' - - kaseya.com - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - deploy01.kaseya.com + - '*managedsupport.kaseya.net' + - '*.kaseya.net' + - 
kaseya.com + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kaseya__vsa__network_sigma.yml + Description: Detects potential network activity of Kaseya (VSA) RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kaseya__vsa__files_sigma.yml + Description: Detects potential files activity of Kaseya (VSA) RMM tool References: - - https://helpdesk.kaseya.com/hc/en-gb/articles/229012608-Software-Deployment-URL-Port-Requirements - - https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations - - https://ruler-project.github.io/ruler-project/RULER/remote/Kaseya/ - - https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations +- https://helpdesk.kaseya.com/hc/en-gb/articles/229012608-Software-Deployment-URL-Port-Requirements +- https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations +- https://ruler-project.github.io/ruler-project/RULER/remote/Kaseya/ +- https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations Acknowledgement: [] diff --git a/yaml/khelpdesk.yaml b/yaml/khelpdesk.yaml index f2e93f99..0b532638 100644 --- a/yaml/khelpdesk.yaml +++ b/yaml/khelpdesk.yaml 
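Review bot: The retained Disk entry `File: ' ~/opt/kaseya/*/logs*'` (MacOS 64bit) keeps a leading space inside the quotes, which the round-trip preserved; a path glob that starts with a space never matches, so if the new `kaseya__vsa__files_sigma.yml` rule is generated from this list that pattern is dead — change it to `- File: ~/opt/kaseya/*/logs*`. The `References` list also carries `https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations` twice; one copy can go. This hunk begins two lines above, at the `@@ -19,71 +21,75 @@` header.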
@@ -17,17 +17,21 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - KHelpDesk.exe + - KHelpDesk.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - '*.khelpdesk.com.br' - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - '*.khelpdesk.com.br' + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/khelpdesk_network_sigma.yml + Description: Detects potential network activity of KHelpDesk RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/khelpdesk_processes_sigma.yml + Description: Detects potential processes activity of KHelpDesk RMM tool References: - - https://www.khelpdesk.com.br/en-us +- https://www.khelpdesk.com.br/en-us Acknowledgement: [] diff --git a/yaml/kickidler.yaml b/yaml/kickidler.yaml index 030143c9..006c796b 100644 --- a/yaml/kickidler.yaml +++ b/yaml/kickidler.yaml @@ -17,19 +17,21 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - grabberEM.*msi - - grabberTT*.msi + - grabberEM.*msi + - grabberTT*.msi Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - 'kickidler.com' - - 'my.kickidler.com' - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - kickidler.com + - my.kickidler.com + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kickidler_network_sigma.yml + Description: Detects potential network activity of KickIdler RMM tool References: - - https://www.kickidler.com/for-it/faq/ +- https://www.kickidler.com/for-it/faq/ Acknowledgement: [] diff --git a/yaml/kitty.yaml b/yaml/kitty.yaml index e24f5ded..e87948db 100644 --- a/yaml/kitty.yaml +++ b/yaml/kitty.yaml 
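Review bot: In the kickidler hunk the `InstallationPaths` entry `grabberEM.*msi` reads like a regex fragment (`.*`) next to the glob `grabberTT*.msi`; if these patterns are consumed as globs, `grabberEM.*msi` matches only names containing a literal `grabberEM.` followed by anything ending in `msi`, which is probably narrower than intended, and `grabberEM*.msi` would align it with its sibling. Confirm which pattern syntax the consumers expect before changing it, since the record's value is unchanged by this commit apart from indentation.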
@@ -17,13 +17,15 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - C:\*\kitty.exe - - '*\kitty.exe' + - C:\*\kitty.exe + - '*\kitty.exe' Artifacts: Disk: [] EventLog: [] Registry: [] Network: [] -Detections: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kitty_processes_sigma.yml + Description: Detects potential processes activity of KiTTY RMM tool References: [] Acknowledgement: [] diff --git a/yaml/labteachconnectwiseautomate.yaml b/yaml/labteachconnectwiseautomate.yaml index 5d78c7f2..c35b2671 100644 --- a/yaml/labteachconnectwiseautomate.yaml +++ b/yaml/labteachconnectwiseautomate.yaml @@ -17,12 +17,15 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - ltsvc.exe + - ltsvc.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: [] -Detections: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labteach__connectwise_automate__processes_sigma.yml + Description: Detects potential processes activity of LabTeach (Connectwise Automate) + RMM tool References: [] Acknowledgement: [] diff --git a/yaml/labtech_rmm_(now_connectwise_automate).yaml b/yaml/labtech_rmm_(now_connectwise_automate).yaml index f27e1f53..cb8489af 100644 --- a/yaml/labtech_rmm_(now_connectwise_automate).yaml +++ b/yaml/labtech_rmm_(now_connectwise_automate).yaml 
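Review bot: The labteach hunk adds a process rule for `LabTeach (Connectwise Automate)`, while the next hunk (`labtech_rmm_(now_connectwise_automate).yaml`) adds rules for what looks like the same product, with `ltsvc.exe` present in both records, so one process name will be matched by two differently named rules. `LabTeach` also looks like a misspelling of `LabTech` that has propagated from the record's `Name` into the generated description and slug. If the two records are duplicates, merging this one into the `labtech_rmm_*` record fixes both points; the `Name` field is outside this hunk.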
@@ -17,18 +17,24 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - ltsvc.exe - - ltsvcmon.exe - - lttray.exe + - ltsvc.exe + - ltsvcmon.exe + - lttray.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - connectwise.com - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - connectwise.com + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labtech_rmm__now_connectwise_automate__network_sigma.yml + Description: Detects potential network activity of LabTech RMM (Now ConnectWise + Automate) RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labtech_rmm__now_connectwise_automate__processes_sigma.yml + Description: Detects potential processes activity of LabTech RMM (Now ConnectWise + Automate) RMM tool References: [] Acknowledgement: [] diff --git a/yaml/landesk.yaml b/yaml/landesk.yaml index bbdde70d..c5ae47e5 100644 --- a/yaml/landesk.yaml +++ b/yaml/landesk.yaml 
@@ -17,28 +17,32 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - issuser.exe - - landeskagentbootstrap.exe - - LANDeskPortalManager.exe - - ldinv32.exe - - ldsensors.exe - - C:\Program Files (x86)\LANDesk\* - - '*\LANDesk\*' - - '*\issuser.exe' - - '*\softmon.exe' - - '*\tmcsvc.exe' + - issuser.exe + - landeskagentbootstrap.exe + - LANDeskPortalManager.exe + - ldinv32.exe + - ldsensors.exe + - C:\Program Files (x86)\LANDesk\* + - '*\LANDesk\*' + - '*\issuser.exe' + - '*\softmon.exe' + - '*\tmcsvc.exe' Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - '*.ivanticloud.com' - - '*.ivanti.com' - - ivanti.com - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - '*.ivanticloud.com' + - '*.ivanti.com' + - ivanti.com + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/landesk_network_sigma.yml + Description: Detects potential network activity of LANDesk RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/landesk_processes_sigma.yml + Description: Detects potential processes activity of LANDesk RMM tool References: - - https://forums.ivanti.com/s/article/URL-exception-list-for-Ivanti-Security-Controls?language=en_US +- https://forums.ivanti.com/s/article/URL-exception-list-for-Ivanti-Security-Controls?language=en_US Acknowledgement: [] diff --git a/yaml/laplink_everywhere.yaml b/yaml/laplink_everywhere.yaml index 65eec0a9..f1f50a32 100644 --- a/yaml/laplink_everywhere.yaml +++ b/yaml/laplink_everywhere.yaml 
@@ -17,24 +17,28 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - laplink.exe - - laplink-everywhere-setup*.exe - - laplinkeverywhere.exe - - llrcservice.exe - - serverproxyservice.exe - - OOSysAgent.exe + - laplink.exe + - laplink-everywhere-setup*.exe + - laplinkeverywhere.exe + - llrcservice.exe + - serverproxyservice.exe + - OOSysAgent.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - everywhere.laplink.com - - le.laplink.com - - atled.syspectr.com - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - everywhere.laplink.com + - le.laplink.com + - atled.syspectr.com + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_everywhere_network_sigma.yml + Description: Detects potential network activity of Laplink Everywhere RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_everywhere_processes_sigma.yml + Description: Detects potential processes activity of Laplink Everywhere RMM tool References: - - https://everywhere.laplink.com/docs +- https://everywhere.laplink.com/docs Acknowledgement: [] diff --git a/yaml/laplink_gold.yaml b/yaml/laplink_gold.yaml index 78d31ac6..9435800b 100644 --- a/yaml/laplink_gold.yaml +++ b/yaml/laplink_gold.yaml 
@@ -17,19 +17,23 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - tsircusr.exe - - laplink.exe + - tsircusr.exe + - laplink.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - user_managed - - wen.laplink.com/product/laplink-gold - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - user_managed + - wen.laplink.com/product/laplink-gold + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_gold_network_sigma.yml + Description: Detects potential network activity of Laplink Gold RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_gold_processes_sigma.yml + Description: Detects potential processes activity of Laplink Gold RMM tool References: - - wen.laplink.com/product/laplink-gold +- wen.laplink.com/product/laplink-gold Acknowledgement: [] diff --git a/yaml/level.io.yaml b/yaml/level.io.yaml index 44870b84..1d1f2887 100644 --- a/yaml/level.io.yaml +++ b/yaml/level.io.yaml 
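Review bot: The new `laplink_gold_network_sigma.yml` reference sits under a Domains list that still holds `user_managed` and `wen.laplink.com/product/laplink-gold`; the first is a placeholder rather than a hostname and the second is a URL path (with `wen.` looking like a typo for `web.`), so a rule generated from this list carries patterns that can never match a DNS or connection event. The same `user_managed` placeholder appears in the `meshcentral.yaml`, `microsoft_quick_assist.yaml` and `mremoteng.yaml` hunks, and `manageengine_rmm_central.yaml` lists the URL path `manageengine.com/remote-monitoring-management/` as its only domain. Either keep non-hostname values out of Domains (`Domains: []` with the "user managed" note carried in `Description`) or have the generator skip any entry that contains `/` or no `.`.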
@@ -17,20 +17,24 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - level-windows-amd64.exe - - level.exe - - level-remote-control-ffmpeg.exe + - level-windows-amd64.exe + - level.exe + - level-remote-control-ffmpeg.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - level.io - - '*.level.io' - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - level.io + - '*.level.io' + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_network_sigma.yml + Description: Detects potential network activity of Level.io RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_processes_sigma.yml + Description: Detects potential processes activity of Level.io RMM tool References: - - https://docs.level.io/1.0/admin-guides/troubleshooting-agent-issues +- https://docs.level.io/1.0/admin-guides/troubleshooting-agent-issues Acknowledgement: [] diff --git a/yaml/level.yaml b/yaml/level.yaml index 09abfd2b..53c77e79 100644 --- a/yaml/level.yaml +++ b/yaml/level.yaml @@ -22,10 +22,12 @@ Artifacts: EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - level.io - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - level.io + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level_network_sigma.yml + Description: Detects potential network activity of Level RMM tool References: [] Acknowledgement: [] diff --git a/yaml/levelio.yaml b/yaml/levelio.yaml index 44870b84..1d1f2887 100644 --- a/yaml/levelio.yaml +++ b/yaml/levelio.yaml 
@@ -17,20 +17,24 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - level-windows-amd64.exe - - level.exe - - level-remote-control-ffmpeg.exe + - level-windows-amd64.exe + - level.exe + - level-remote-control-ffmpeg.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - level.io - - '*.level.io' - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - level.io + - '*.level.io' + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_network_sigma.yml + Description: Detects potential network activity of Level.io RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_processes_sigma.yml + Description: Detects potential processes activity of Level.io RMM tool References: - - https://docs.level.io/1.0/admin-guides/troubleshooting-agent-issues +- https://docs.level.io/1.0/admin-guides/troubleshooting-agent-issues Acknowledgement: [] diff --git a/yaml/lite_manager.yaml b/yaml/lite_manager.yaml index 2349677a..ac680a2d 100644 --- a/yaml/lite_manager.yaml +++ b/yaml/lite_manager.yaml @@ -17,9 +17,9 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - "C:\\Program Files\\LiteManager Pro – Viewer\\*" - - "*\\LiteManager Pro – Viewer\\*" - - '*\LMNoIpServer.exe.' + - "C:\\Program Files\\LiteManager Pro \u2013 Viewer\\*" + - "*\\LiteManager Pro \u2013 Viewer\\*" + - '*\LMNoIpServer.exe.' Artifacts: Disk: [] EventLog: [] diff --git a/yaml/litemanager.yaml b/yaml/litemanager.yaml index 0b2632f4..5d95d9b1 100644 --- a/yaml/litemanager.yaml +++ b/yaml/litemanager.yaml 
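Review bot: The third InstallationPaths entry in `yaml/lite_manager.yaml` keeps `'*\LMNoIpServer.exe.'` with a trailing period, which the reformat preserved; as a path glob it will not match `LMNoIpServer.exe`, and `- '*\LMNoIpServer.exe'` is the likely intended line. Replacing the literal en dash with `\u2013` inside the double-quoted strings is value-equivalent, though the literal character was easier to compare against the on-disk folder name; if the generator emits this escape automatically it may be worth telling it to keep `allow_unicode` output so the YAML stays readable.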
@@ -17,24 +17,28 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - lmnoipserver.exe - - ROMFUSClient.exe - - romfusclient.exe - - romviewer.exe - - romserver.exe - - ROMServer.exe + - lmnoipserver.exe + - ROMFUSClient.exe + - romfusclient.exe + - romviewer.exe + - romserver.exe + - ROMServer.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - '*.litemanager.ru' - - '*.litemanager.com' - - litemanager.com - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - '*.litemanager.ru' + - '*.litemanager.com' + - litemanager.com + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/litemanager_network_sigma.yml + Description: Detects potential network activity of LiteManager RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/litemanager_processes_sigma.yml + Description: Detects potential processes activity of LiteManager RMM tool References: - - https://www.litemanager.com/articles/LiteManager_remote_access_to_a_desktop_via_the_Internet_or_LAN/ +- https://www.litemanager.com/articles/LiteManager_remote_access_to_a_desktop_via_the_Internet_or_LAN/ Acknowledgement: [] diff --git a/yaml/logmein.yaml b/yaml/logmein.yaml index f12d16c2..ae7ea1f6 100644 --- a/yaml/logmein.yaml +++ b/yaml/logmein.yaml 
@@ -1,66 +1,68 @@ Name: LogMeIn -Description: | - LogMeIn is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. -Author: 'Nasreddine Bencherchali' +Description: 'LogMeIn is a remote monitoring and management (RMM) tool. More information + will be added as it becomes available. + + ' +Author: Nasreddine Bencherchali Created: '2024-08-05' LastModified: '2024-08-05' Details: - Website: 'https://www.logmein.com/' + Website: https://www.logmein.com/ PEMetadata: - - Filename: 'lmiguardiansvc.exe' - - Filename: 'lmiignition.exe' - - Filename: 'logmeinsystray.exe' - - Filename: 'logmein.exe' - OriginalFileName: '' - Company: 'LogMeIn, Inc.' - Description: 'LMIGuardianSvc' - Product: 'LMIGuardianSvc' + - Filename: lmiguardiansvc.exe + - Filename: lmiignition.exe + - Filename: logmeinsystray.exe + - Filename: logmein.exe + OriginalFileName: '' + Company: LogMeIn, Inc. + Description: LMIGuardianSvc + Product: LMIGuardianSvc Privileges: '' Free: '' Verification: '' SupportedOS: [] Capabilities: [] Vulnerabilities: [] - InstallationPaths: + InstallationPaths: null Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: N/A - Domains: - - 'logmein-gateway.com' - Ports: - - 443 - - Description: N/A - Domains: - - '*.logmein.com' - Ports: - - 443 - - Description: N/A - Domains: - - '*.logmein.eu' - Ports: - - 443 - - Description: N/A - Domains: - - 'logmeinrescue.com' - Ports: - - 443 - - Description: N/A - Domains: - - '*.logmeininc.com' - Ports: - - 443 + - Description: N/A + Domains: + - logmein-gateway.com + Ports: + - 443 + - Description: N/A + Domains: + - '*.logmein.com' + Ports: + - 443 + - Description: N/A + Domains: + - '*.logmein.eu' + Ports: + - 443 + - Description: N/A + Domains: + - logmeinrescue.com + Ports: + - 443 + - Description: N/A + Domains: + - '*.logmeininc.com' + Ports: + - 443 Detections: - - Sigma: - 
https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml - Description: DNS Query To Remote Access Software Domain From Non-Browser App - - Sigma: - https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_remote_access_tools_logmein.yml - Description: Remote Access Tool - LogMeIn Execution +- Sigma: https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml + Description: DNS Query To Remote Access Software Domain From Non-Browser App +- Sigma: https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_remote_access_tools_logmein.yml + Description: Remote Access Tool - LogMeIn Execution +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_network_sigma.yml + Description: Detects potential network activity of LogMeIn RMM tool References: - - https://support.logmeininc.com/central/help/allowlisting-and-firewall-configuration +- https://support.logmeininc.com/central/help/allowlisting-and-firewall-configuration Acknowledgement: - - Person: Nasreddine Bencherchali - Handle: '@nas_bench' +- Person: Nasreddine Bencherchali + Handle: '@nas_bench' diff --git a/yaml/logmein_rescue.yaml b/yaml/logmein_rescue.yaml index cda1a6f3..ee642779 100644 --- a/yaml/logmein_rescue.yaml +++ b/yaml/logmein_rescue.yaml 
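Review bot: `InstallationPaths:` is now serialized as `InstallationPaths: null` rather than the implicit empty value, so any consumer that iterates the field or validates it as a list sees `None` instead of `[]`; `InstallationPaths: []` would match every other file on this page. In the PEMetadata list, `OriginalFileName: ''`, `Company: LogMeIn, Inc.`, `Description: LMIGuardianSvc` and `Product: LMIGuardianSvc` hang off the `Filename: logmein.exe` item on both sides of the reformat, while the description and product names suggest they belong to the `lmiguardiansvc.exe` item three entries above — this looks like a pre-existing indentation slip that the normalisation has now cemented, and it should be confirmed against the binary's version resource before the metadata is rendered under the wrong filename. The top-level Description turned from a block scalar into a quoted string with an embedded blank line and a trailing `' '`; the value is unchanged, but `Description: LogMeIn is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.` on one line avoids the odd serialization.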
@@ -17,21 +17,25 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - support-logmeinrescue*.exe - - support-logmeinrescue.exe - - lmi_rescue.exe + - support-logmeinrescue*.exe + - support-logmeinrescue.exe + - lmi_rescue.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - '*.logmeinrescue.com' - - '*.logmeinrescue.eu' - - logmeinrescue.com - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - '*.logmeinrescue.com' + - '*.logmeinrescue.eu' + - logmeinrescue.com + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_rescue_network_sigma.yml + Description: Detects potential network activity of LogMeIn rescue RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_rescue_processes_sigma.yml + Description: Detects potential processes activity of LogMeIn rescue RMM tool References: - - https://support.logmeinrescue.com/rescue/help/allowlisting-and-rescue +- https://support.logmeinrescue.com/rescue/help/allowlisting-and-rescue Acknowledgement: [] diff --git a/yaml/manage_engine_(desktop_central).yaml b/yaml/manage_engine_(desktop_central).yaml index 89b16e70..2e5f1249 100644 --- a/yaml/manage_engine_(desktop_central).yaml +++ b/yaml/manage_engine_(desktop_central).yaml 
@@ -17,23 +17,29 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - dcagentservice.exe - - dcagentregister.exe + - dcagentservice.exe + - dcagentregister.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - desktopcentral.manageengine.com - - desktopcentral.manageengine.com.eu - - desktopcentral.manageengine.cn - - '*.dms.zoho.com' - - '*.dms.zoho.com.eu' - - '*.-dms.zoho.com.cn' - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - desktopcentral.manageengine.com + - desktopcentral.manageengine.com.eu + - desktopcentral.manageengine.cn + - '*.dms.zoho.com' + - '*.dms.zoho.com.eu' + - '*.-dms.zoho.com.cn' + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manage_engine__desktop_central__network_sigma.yml + Description: Detects potential network activity of Manage Engine (Desktop Central) + RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manage_engine__desktop_central__processes_sigma.yml + Description: Detects potential processes activity of Manage Engine (Desktop Central) + RMM tool References: - - https://www.manageengine.com/products/desktop-central/help/domains-required-for-agent-communication.html +- https://www.manageengine.com/products/desktop-central/help/domains-required-for-agent-communication.html Acknowledgement: [] diff --git a/yaml/manageengine.yaml b/yaml/manageengine.yaml index e79e3ce0..f091b099 100644 --- a/yaml/manageengine.yaml +++ b/yaml/manageengine.yaml 
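Review bot: The Domains entry `'*.-dms.zoho.com.cn'` carries a stray `-` that the neighbouring `'*.dms.zoho.com'` and `'*.dms.zoho.com.eu'` entries do not, and it now feeds the referenced `manage_engine__desktop_central__network_sigma.yml`; if it is a typo the corrected line is `- '*.dms.zoho.com.cn'`. Worth confirming against the ManageEngine domain list cited under References before the rule is regenerated, since a rule pattern with the extra character would simply never match.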
@@ -17,16 +17,18 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - InstallShield Setup.exe - - ManageEngine_Remote_Access_Plus.exe - - '*\dcagentservice.exe' - - C:\Program Files (x86)\DesktopCentral_Agent\bin\* - - '*\DesktopCentral_Agent\bin\*' + - InstallShield Setup.exe + - ManageEngine_Remote_Access_Plus.exe + - '*\dcagentservice.exe' + - C:\Program Files (x86)\DesktopCentral_Agent\bin\* + - '*\DesktopCentral_Agent\bin\*' Artifacts: Disk: [] EventLog: [] Registry: [] Network: [] -Detections: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manageengine_processes_sigma.yml + Description: Detects potential processes activity of ManageEngine RMM tool References: [] Acknowledgement: [] diff --git a/yaml/manageengine_rmm_central.yaml b/yaml/manageengine_rmm_central.yaml index 94763613..958406d3 100644 --- a/yaml/manageengine_rmm_central.yaml +++ b/yaml/manageengine_rmm_central.yaml @@ -22,10 +22,13 @@ Artifacts: EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - manageengine.com/remote-monitoring-management/ - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - manageengine.com/remote-monitoring-management/ + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manageengine_rmm_central_network_sigma.yml + Description: Detects potential network activity of ManageEngine RMM Central RMM + tool References: [] Acknowledgement: [] diff --git a/yaml/megasync.yaml b/yaml/megasync.yaml index c2f60f8f..6922ab39 100644 --- a/yaml/megasync.yaml +++ b/yaml/megasync.yaml 
@@ -17,17 +17,19 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - C:\Users\*\AppData\Local\MEGAsync\* - - '*Users\*\AppData\Local\MEGAsync\*' - - '*Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*' - - '*ProgramData\MEGAsync\*' - - '*\MEGAsyncSetup64.exe' - - '*\MEGAupdater.exe' + - C:\Users\*\AppData\Local\MEGAsync\* + - '*Users\*\AppData\Local\MEGAsync\*' + - '*Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*' + - '*ProgramData\MEGAsync\*' + - '*\MEGAsyncSetup64.exe' + - '*\MEGAupdater.exe' Artifacts: Disk: [] EventLog: [] Registry: [] Network: [] -Detections: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/megasync_processes_sigma.yml + Description: Detects potential processes activity of MEGAsync RMM tool References: [] Acknowledgement: [] diff --git a/yaml/meshcentral.yaml b/yaml/meshcentral.yaml index c3f3737a..7b496f1d 100644 --- a/yaml/meshcentral.yaml +++ b/yaml/meshcentral.yaml @@ -17,19 +17,23 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - meshcentral*.exe - - mesh*.exe + - meshcentral*.exe + - mesh*.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - user_managed - - meshcentral.com - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - user_managed + - meshcentral.com + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_network_sigma.yml + Description: Detects potential network activity of MeshCentral RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_processes_sigma.yml + Description: Detects potential processes activity of MeshCentral RMM tool References: - - https://ylianst.github.io/MeshCentral/meshcentral/ +- https://ylianst.github.io/MeshCentral/meshcentral/ Acknowledgement: [] 
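Review bot: InstallationPaths in `yaml/megasync.yaml` keeps `'*Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*'`, which matches every item in any user's Startup folder rather than anything MEGAsync-specific, and the hunk now references `megasync_processes_sigma.yml` generated from this list, so the rule would fire on unrelated startup entries. Narrow the entry to the product's own shortcut or executable name under that folder (exact name to be confirmed), or move the observation to `Artifacts.Disk` with a Description so it documents persistence without becoming a process pattern. The generated `MEGAsync RMM tool` wording is also misleading for a file-sync client; the Description should state what the rule keys on (process images under the MEGAsync paths) rather than assert the product category.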
diff --git a/yaml/microsoft_quick_assist.yaml b/yaml/microsoft_quick_assist.yaml index 1b3e5447..5104da16 100644 --- a/yaml/microsoft_quick_assist.yaml +++ b/yaml/microsoft_quick_assist.yaml @@ -17,17 +17,22 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - quickassist.exe + - quickassist.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - user_managed - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - user_managed + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_quick_assist_network_sigma.yml + Description: Detects potential network activity of Microsoft Quick Assist RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_quick_assist_processes_sigma.yml + Description: Detects potential processes activity of Microsoft Quick Assist RMM + tool References: - - https://support.microsoft.com/en-us/windows/install-quick-assist-c17479b7-a49d-4d12-938c-dbfb97c88bca +- https://support.microsoft.com/en-us/windows/install-quick-assist-c17479b7-a49d-4d12-938c-dbfb97c88bca Acknowledgement: [] diff --git a/yaml/microsoft_rdp.yaml b/yaml/microsoft_rdp.yaml index eabc8802..e0e0c380 100644 --- a/yaml/microsoft_rdp.yaml +++ b/yaml/microsoft_rdp.yaml @@ -17,13 +17,15 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - mstsc.exe + - mstsc.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: [] -Detections: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_rdp_processes_sigma.yml + Description: Detects potential processes activity of Microsoft RDP RMM tool References: - - https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/windows +- https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/windows Acknowledgement: [] 
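Review bot: `microsoft_rdp_processes_sigma.yml` is referenced from an InstallationPaths list holding only `mstsc.exe`, the built-in Remote Desktop client, so a process-creation rule generated from it fires on every interactive RDP session on every Windows host; the same applies to `termsrv.exe` in the `microsoft_tsc.yaml`, `microsoftrdp.yaml` and `microsofttsc.yaml` hunks and to `C:\Windows\System32\mstsc.exe` in `mstsc.yaml`. For built-in Windows components the Description should make the fidelity explicit, e.g. `Description: Hunting query for mstsc.exe execution (built-in client, high volume; baseline before alerting)`, or the Detections entry should be omitted for these files. `termsrv.exe` is also worth verifying as a process name — on current Windows the Terminal Services component runs as a service DLL inside a service host process, so a pattern on that executable name may never match.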
diff --git a/yaml/microsoft_tsc.yaml b/yaml/microsoft_tsc.yaml index da39983b..393b9f50 100644 --- a/yaml/microsoft_tsc.yaml +++ b/yaml/microsoft_tsc.yaml @@ -17,13 +17,15 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - termsrv.exe + - termsrv.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: [] -Detections: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_tsc_processes_sigma.yml + Description: Detects potential processes activity of Microsoft TSC RMM tool References: - - https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/terminal-server-startup-connection-application +- https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/terminal-server-startup-connection-application Acknowledgement: [] diff --git a/yaml/microsoftrdp.yaml b/yaml/microsoftrdp.yaml index 8b015e38..03ef749c 100644 --- a/yaml/microsoftrdp.yaml +++ b/yaml/microsoftrdp.yaml @@ -17,15 +17,17 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - termsrv.exe - - mstsc.exe - - Microsoft Remote Desktop + - termsrv.exe + - mstsc.exe + - Microsoft Remote Desktop Artifacts: Disk: [] EventLog: [] Registry: [] Network: [] -Detections: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_rdp_processes_sigma.yml + Description: Detects potential processes activity of Microsoft RDP RMM tool References: - - https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/windows +- https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/windows Acknowledgement: [] diff --git a/yaml/microsofttsc.yaml b/yaml/microsofttsc.yaml index 1384e70c..8f46d55d 100644 --- a/yaml/microsofttsc.yaml +++ b/yaml/microsofttsc.yaml 
@@ -17,14 +17,16 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - termsrv.exe - - mstsc.exe + - termsrv.exe + - mstsc.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: [] -Detections: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_tsc_processes_sigma.yml + Description: Detects potential processes activity of Microsoft TSC RMM tool References: - - https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/terminal-server-startup-connection-application +- https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/terminal-server-startup-connection-application Acknowledgement: [] diff --git a/yaml/mikogo.yaml b/yaml/mikogo.yaml index 27c4cf8c..fd6684f7 100644 --- a/yaml/mikogo.yaml +++ b/yaml/mikogo.yaml 
@@ -17,27 +17,31 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - mikogo.exe - - mikogo-starter.exe - - mikogo-service.exe - - mikogolauncher.exe - - C:\Users\*\AppData\Roaming\Mikogo\* - - '*Users\*\AppData\Roaming\Mikogo\*' - - '*\Mikogo-Service.exe' - - '*\Mikogo-Screen-Service.exe' + - mikogo.exe + - mikogo-starter.exe + - mikogo-service.exe + - mikogolauncher.exe + - C:\Users\*\AppData\Roaming\Mikogo\* + - '*Users\*\AppData\Roaming\Mikogo\*' + - '*\Mikogo-Service.exe' + - '*\Mikogo-Screen-Service.exe' Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - '*.real-time-collaboration.com' - - '*.mikogo4.com' - - '*.mikogo.com' - - mikogo.com - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - '*.real-time-collaboration.com' + - '*.mikogo4.com' + - '*.mikogo.com' + - mikogo.com + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mikogo_network_sigma.yml + Description: Detects potential network activity of Mikogo RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mikogo_processes_sigma.yml + Description: Detects potential processes activity of Mikogo RMM tool References: - - https://mikogo.zendesk.com/hc/en-us/articles/214072478-Which-IP-addresses-do-we-use-for-our-services +- https://mikogo.zendesk.com/hc/en-us/articles/214072478-Which-IP-addresses-do-we-use-for-our-services Acknowledgement: [] diff --git a/yaml/mionet_(also_known_as_wd_anywhere_access).yaml b/yaml/mionet_(also_known_as_wd_anywhere_access).yaml index 9bb026e5..3443b644 100644 --- a/yaml/mionet_(also_known_as_wd_anywhere_access).yaml +++ b/yaml/mionet_(also_known_as_wd_anywhere_access).yaml 
@@ -17,13 +17,16 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - mionet.exe - - mionetmanager.exe + - mionet.exe + - mionetmanager.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: [] -Detections: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mionet__also_known_as_wd_anywhere_access__processes_sigma.yml + Description: Detects potential processes activity of MioNet (Also known as WD Anywhere + Access) RMM tool References: [] Acknowledgement: [] diff --git a/yaml/mionet_(wd_anywhere_access).yaml b/yaml/mionet_(wd_anywhere_access).yaml index 92c3df3d..713b70fd 100644 --- a/yaml/mionet_(wd_anywhere_access).yaml +++ b/yaml/mionet_(wd_anywhere_access).yaml @@ -17,14 +17,17 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - mionet.exe - - mionetmanager.exe + - mionet.exe + - mionetmanager.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: [] -Detections: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mionet__wd_anywhere_access__processes_sigma.yml + Description: Detects potential processes activity of MioNet (WD Anywhere Access) + RMM tool References: - - https://en.wikipedia.org/wiki/WD_Anywhere_Access - DOA as of 2016 +- https://en.wikipedia.org/wiki/WD_Anywhere_Access - DOA as of 2016 Acknowledgement: [] diff --git a/yaml/mobaxterm.yaml b/yaml/mobaxterm.yaml index c804ad63..8862fe71 100644 --- a/yaml/mobaxterm.yaml +++ b/yaml/mobaxterm.yaml @@ -17,9 +17,9 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - C:\*\MobaXterm_installer_12.1.msi - - '*\MobaXterm_installer_*.msi' - - '*\Mobatek\MobaXterm\*' + - C:\*\MobaXterm_installer_12.1.msi + - '*\MobaXterm_installer_*.msi' + - '*\Mobatek\MobaXterm\*' Artifacts: Disk: [] EventLog: [] diff --git a/yaml/mocha_vnc_lite.yaml b/yaml/mocha_vnc_lite.yaml index b9d6fc91..96b14c76 100644 --- a/yaml/mocha_vnc_lite.yaml +++ b/yaml/mocha_vnc_lite.yaml 
@@ -17,9 +17,9 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - This installs a modified VNC and cannot be blocked by path separate from VNC - - This installs a modified VNC and cannot be blocked by path separate from VNC - - '*\RealVNC\VNC4\*' + - This installs a modified VNC and cannot be blocked by path separate from VNC + - This installs a modified VNC and cannot be blocked by path separate from VNC + - '*\RealVNC\VNC4\*' Artifacts: Disk: [] EventLog: [] diff --git a/yaml/mremoteng.yaml b/yaml/mremoteng.yaml index 7a0433e1..c7af5aed 100644 --- a/yaml/mremoteng.yaml +++ b/yaml/mremoteng.yaml 
@@ -17,34 +17,40 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - mRemoteNG.exe - - C:\Program Files (x86)\mRemoteNG\* - - '*\mRemoteNG\*' - - '*\mRemoteNG.exe' - - c:\Program Files (x86)%\mRemoteNG - - '*%\mRemoteNG' - - mRemoteNG-Installer-*.msi - - '*\mRemoteNG.exe' + - mRemoteNG.exe + - C:\Program Files (x86)\mRemoteNG\* + - '*\mRemoteNG\*' + - '*\mRemoteNG.exe' + - c:\Program Files (x86)%\mRemoteNG + - '*%\mRemoteNG' + - mRemoteNG-Installer-*.msi + - '*\mRemoteNG.exe' Artifacts: Disk: - - File: 'C:\Users\*\AppData\Roaming\mRemoteNG\mRemoteNG.log' - Description: 'mRemoteNG log file' - OS: Windows - - File: 'C:\Users\*\AppData\Roaming\mRemoteNG\confCons.xml' - Description: 'mRemoteNG configuration file' - OS: Windows - - File: 'C:\Users\*\AppData\*\mRemoteNG\**10\user.config' - Description: 'mRemoteNG user configuration file' - OS: Windows + - File: C:\Users\*\AppData\Roaming\mRemoteNG\mRemoteNG.log + Description: mRemoteNG log file + OS: Windows + - File: C:\Users\*\AppData\Roaming\mRemoteNG\confCons.xml + Description: mRemoteNG configuration file + OS: Windows + - File: C:\Users\*\AppData\*\mRemoteNG\**10\user.config + Description: mRemoteNG user configuration file + OS: Windows EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - user_managed - - mremoteng.org - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - user_managed + - mremoteng.org + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_network_sigma.yml + Description: Detects potential network activity of mRemoteNG RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_files_sigma.yml + Description: Detects potential files activity of mRemoteNG RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_processes_sigma.yml + Description: Detects potential processes activity of 
mRemoteNG RMM tool References: - - https://github.com/mRemoteNG/mRemoteNG +- https://github.com/mRemoteNG/mRemoteNG Acknowledgement: [] diff --git a/yaml/msp360.yaml b/yaml/msp360.yaml index bca5aaa2..e2138426 100644 --- a/yaml/msp360.yaml +++ b/yaml/msp360.yaml @@ -17,30 +17,34 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - Online Backup.exe - - CBBackupPlan.exe - - Cloud.Backup.Scheduler.exe - - Cloud.Backup.RM.Service.exe - - cbb.exe - - CloudRaService.exe - - CloudRaSd.exe - - CloudRaCmd.exe - - CloudRaUtilities.exe - - Remote Desktop.exe - - Connect.exe + - Online Backup.exe + - CBBackupPlan.exe + - Cloud.Backup.Scheduler.exe + - Cloud.Backup.RM.Service.exe + - cbb.exe + - CloudRaService.exe + - CloudRaSd.exe + - CloudRaCmd.exe + - CloudRaUtilities.exe + - Remote Desktop.exe + - Connect.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - '*.cloudberrylab.com' - - '*.msp360.com' - - '*.mspbackups.com' - - msp360.com - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - '*.cloudberrylab.com' + - '*.msp360.com' + - '*.mspbackups.com' + - msp360.com + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/msp360_network_sigma.yml + Description: Detects potential network activity of MSP360 RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/msp360_processes_sigma.yml + Description: Detects potential processes activity of MSP360 RMM tool References: - - https://kb.msp360.com/managed-backup-service/mbs-tcp-ports-configuration# +- https://kb.msp360.com/managed-backup-service/mbs-tcp-ports-configuration# Acknowledgement: [] diff --git a/yaml/mstsc.yaml b/yaml/mstsc.yaml index c3594689..97de3bb4 100644 --- a/yaml/mstsc.yaml +++ b/yaml/mstsc.yaml 
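Review bot: The Disk artifact `C:\Users\*\AppData\*\mRemoteNG\**10\user.config` now backs the newly referenced `mremoteng_files_sigma.yml`, and `**10` does not look like a path segment — presumably a version directory was meant, i.e. `- File: C:\Users\*\AppData\*\mRemoteNG\*\user.config`. Under InstallationPaths, `c:\Program Files (x86)%\mRemoteNG` and `'*%\mRemoteNG'` carry a stray `%` and `'*\mRemoteNG.exe'` is listed twice; those entries feed `mremoteng_processes_sigma.yml`, so dropping the two `%` lines and one duplicate would keep the generated rule free of dead patterns. The mRemoteNG entries themselves sit earlier in the hunk than this anchor.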
@@ -17,13 +17,15 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - C:\Windows\System32\mstsc.exe - - '*Windows\System32\mstsc.exe' + - C:\Windows\System32\mstsc.exe + - '*Windows\System32\mstsc.exe' Artifacts: Disk: [] EventLog: [] Registry: [] Network: [] -Detections: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mstsc_processes_sigma.yml + Description: Detects potential processes activity of mstsc RMM tool References: [] Acknowledgement: [] diff --git a/yaml/multcloud.yaml b/yaml/multcloud.yaml index 3ee90c8f..a9af78ea 100644 --- a/yaml/multcloud.yaml +++ b/yaml/multcloud.yaml @@ -17,8 +17,8 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - requires sign up - - requires sign up + - requires sign up + - requires sign up Artifacts: Disk: [] EventLog: [] diff --git a/yaml/mygreenpc.yaml b/yaml/mygreenpc.yaml index 86693496..7b131164 100644 --- a/yaml/mygreenpc.yaml +++ b/yaml/mygreenpc.yaml @@ -17,17 +17,21 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - mygreenpc.exe + - mygreenpc.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - '*mygreenpc.com' - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - '*mygreenpc.com' + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mygreenpc_network_sigma.yml + Description: Detects potential network activity of MyGreenPC RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mygreenpc_processes_sigma.yml + Description: Detects potential processes activity of MyGreenPC RMM tool References: - - http://www.mygreenpc.com/ +- http://www.mygreenpc.com/ Acknowledgement: [] diff --git a/yaml/myivo.yaml b/yaml/myivo.yaml index 86587763..64f42a69 100644 --- a/yaml/myivo.yaml +++ b/yaml/myivo.yaml 
@@ -17,18 +17,22 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - myivomgr.exe
- - myivomanager.exe
+ - myivomgr.exe
+ - myivomanager.exe
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - myivo-server.software.informer.com
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - myivo-server.software.informer.com
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/myivo_network_sigma.yml
+ Description: Detects potential network activity of MyIVO RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/myivo_processes_sigma.yml
+ Description: Detects potential processes activity of MyIVO RMM tool
 References:
- - myivo.com - DOA as of 2024
+- myivo.com - DOA as of 2024
 Acknowledgement: []
diff --git a/yaml/n-able_advanced_monitoring_agent.yaml b/yaml/n-able_advanced_monitoring_agent.yaml
index 753b01f7..deb3221c 100644
--- a/yaml/n-able_advanced_monitoring_agent.yaml
+++ b/yaml/n-able_advanced_monitoring_agent.yaml
@@ -17,32 +17,38 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - Agent_*_RW.exe
- - BASEClient.exe
- - BASupApp.exe
- - BASupSrvc.exe
- - BASupSrvcCnfg.exe
- - BASupTSHelper.exe
+ - Agent_*_RW.exe
+ - BASEClient.exe
+ - BASupApp.exe
+ - BASupSrvc.exe
+ - BASupSrvcCnfg.exe
+ - BASupTSHelper.exe
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - '*remote.management'
- - '*.logicnow.com'
- - '*systemmonitor.us'
- - '*systemmonitor.eu.com'
- - '*system-monitor.com'
- - 'systemmonitor.us.cdn.cloudflare.net'
- - '*cloudbackup.management'
- - '*systemmonitor.co.uk'
- - '*.n-able.com'
- - '*.beanywhere.com '
- - '*.swi-tc.com'
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - '*remote.management'
+ - '*.logicnow.com'
+ - '*systemmonitor.us'
+ - '*systemmonitor.eu.com'
+ - '*system-monitor.com'
+ - systemmonitor.us.cdn.cloudflare.net
+ - '*cloudbackup.management'
+ - '*systemmonitor.co.uk'
+ - '*.n-able.com'
+ - '*.beanywhere.com '
+ - '*.swi-tc.com'
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_network_sigma.yml
+ Description: Detects potential network activity of N-Able Advanced Monitoring Agent
+ RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_processes_sigma.yml
+ Description: Detects potential processes activity of N-Able Advanced Monitoring
+ Agent RMM tool
 References:
- - https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm
+- https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm
 Acknowledgement: []
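Review bot: The domain `'*.beanywhere.com '` on the new side keeps a trailing space inside the quotes, so a network rule generated verbatim from this list would match the literal string with the space and never a real hostname; the line should read `- '*.beanywhere.com'`. This matters more now than before the commit because the entry's new Detections reference a network Sigma rule built from these values. The same value is carried over unchanged in yaml/n-ableadvancedmonitoringagent.yaml in the hunk that follows. Whether the generator trims list values is not visible here, so the fix belongs in the data regardless.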
diff --git a/yaml/n-able_remote_access_software.yaml b/yaml/n-able_remote_access_software.yaml
index 4fea2fd9..13199618 100644
--- a/yaml/n-able_remote_access_software.yaml
+++ b/yaml/n-able_remote_access_software.yaml
@@ -22,10 +22,13 @@ Artifacts:
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - n-able.com
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - n-able.com
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_remote_access_software_network_sigma.yml
+ Description: Detects potential network activity of N-ABLE Remote Access Software
+ RMM tool
 References: []
 Acknowledgement: []
diff --git a/yaml/n-ableadvancedmonitoringagent.yaml b/yaml/n-ableadvancedmonitoringagent.yaml
index 0a1db73d..a0157db6 100644
--- a/yaml/n-ableadvancedmonitoringagent.yaml
+++ b/yaml/n-ableadvancedmonitoringagent.yaml
@@ -17,41 +17,47 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - BASupSrvc.exe
- - winagent.exe
- - BASupApp.exe
- - BASupTSHelper.exe
- - Agent_*_RW.exe
- - BASEClient.exe
- - BASupSrvcCnfg.exe
+ - BASupSrvc.exe
+ - winagent.exe
+ - BASupApp.exe
+ - BASupTSHelper.exe
+ - Agent_*_RW.exe
+ - BASEClient.exe
+ - BASupSrvcCnfg.exe
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - '*.beanywhere.com '
- - systemmonitor.co.uk
- - '*system-monitor.com'
- - cloudbackup.management
- - '*systemmonitor.co.uk'
- - n-able.com
- - systemmonitor.us
- - '*systemmonitor.eu.com'
- - '*.logicnow.com'
- - '*.swi-tc.com'
- - '*remote.management'
- - systemmonitor.us.cdn.cloudflare.net
- - '*cloudbackup.management'
- - remote.management
- - logicnow.com
- - system-monitor.com
- - '*systemmonitor.us'
- - systemmonitor.eu.com
- - '*.n-able.com'
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - '*.beanywhere.com '
+ - systemmonitor.co.uk
+ - '*system-monitor.com'
+ - cloudbackup.management
+ - '*systemmonitor.co.uk'
+ - n-able.com
+ - systemmonitor.us
+ - '*systemmonitor.eu.com'
+ - '*.logicnow.com'
+ - '*.swi-tc.com'
+ - '*remote.management'
+ - systemmonitor.us.cdn.cloudflare.net
+ - '*cloudbackup.management'
+ - remote.management
+ - logicnow.com
+ - system-monitor.com
+ - '*systemmonitor.us'
+ - systemmonitor.eu.com
+ - '*.n-able.com'
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_network_sigma.yml
+ Description: Detects potential network activity of N-Able Advanced Monitoring Agent
+ RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_processes_sigma.yml
+ Description: Detects potential processes activity of N-Able Advanced Monitoring
+ Agent RMM tool
 References:
- - 
https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm
+- https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm
 Acknowledgement: []
diff --git a/yaml/nateon-desktop_sharing.yaml b/yaml/nateon-desktop_sharing.yaml
index 2e1d88a9..f1c780d9 100644
--- a/yaml/nateon-desktop_sharing.yaml
+++ b/yaml/nateon-desktop_sharing.yaml
@@ -17,19 +17,24 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - nateon*.exe
- - nateon.exe
- - nateonmain.exe
+ - nateon*.exe
+ - nateon.exe
+ - nateonmain.exe
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - '*.nate.com'
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - '*.nate.com'
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nateon-desktop_sharing_network_sigma.yml
+ Description: Detects potential network activity of NateOn-desktop sharing RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nateon-desktop_sharing_processes_sigma.yml
+ Description: Detects potential processes activity of NateOn-desktop sharing RMM
+ tool
 References:
- - http://rsupport.nate.com/rview/r8/main/index.aspx
+- http://rsupport.nate.com/rview/r8/main/index.aspx
 Acknowledgement: []
diff --git a/yaml/naverisk.yaml b/yaml/naverisk.yaml
index be3a8134..44c3434f 100644
--- a/yaml/naverisk.yaml
+++ b/yaml/naverisk.yaml
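Review bot: yaml/n-ableadvancedmonitoringagent.yaml now references the same two Sigma files as yaml/n-able_advanced_monitoring_agent.yaml (`n-able_advanced_monitoring_agent_network_sigma.yml` and `..._processes_sigma.yml`), yet its InstallationPaths and Domains differ from that file's (`winagent.exe`, `systemmonitor.co.uk`, `remote.management`, `logicnow.com` appear only here). One generated rule can embody only one entry's indicators, so the indicators unique to whichever entry the generator processed first are presumably absent from the rule both files now claim; the generator is not visible, so the exact outcome is inferred. The same duplication exists between yaml/netsupportmanager.yaml and yaml/netsupport_manager.yaml (both reference `netsupport_manager_*_sigma.yml`, with `geo.netsupportsoftware.com` only in the former), and yaml/noteon-desktop_sharing.yaml repeats the InstallationPaths of yaml/nateon-desktop_sharing.yaml under what looks like a misspelt name. Merging each pair into one entry, or giving each its own rule file, would keep the Detections references truthful.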
@@ -17,18 +17,22 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - AgentSetup-*.exe
+ - AgentSetup-*.exe
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - user_managed
- - naverisk.com
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - user_managed
+ - naverisk.com
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/naverisk_network_sigma.yml
+ Description: Detects potential network activity of Naverisk RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/naverisk_processes_sigma.yml
+ Description: Detects potential processes activity of Naverisk RMM tool
 References:
- - http://kb.naverisk.com/en/articles/2811223-deploying-naverisk-agents
+- http://kb.naverisk.com/en/articles/2811223-deploying-naverisk-agents
 Acknowledgement: []
diff --git a/yaml/netop.yaml b/yaml/netop.yaml
index bcff98c6..4398e67c 100644
--- a/yaml/netop.yaml
+++ b/yaml/netop.yaml
@@ -17,9 +17,9 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - C:\Program Files\Danware Data\NetOp Packn Deploy\*
- - '*\Danware Data\NetOp Packn Deploy\*'
- - '*\Netop Remote Control\*'
+ - C:\Program Files\Danware Data\NetOp Packn Deploy\*
+ - '*\Danware Data\NetOp Packn Deploy\*'
+ - '*\Netop Remote Control\*'
 Artifacts:
 Disk: []
 EventLog: []
diff --git a/yaml/netop_remote_control_(aka_impero_connect).yaml b/yaml/netop_remote_control_(aka_impero_connect).yaml
index 583006a9..371faa76 100644
--- a/yaml/netop_remote_control_(aka_impero_connect).yaml
+++ b/yaml/netop_remote_control_(aka_impero_connect).yaml
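Review bot: `user_managed` under Domains is a placeholder rather than a hostname, and this entry's new Detections now point at a network Sigma rule built from that list, so a rule that takes the values verbatim carries an indicator that can never match; the same placeholder is kept in yaml/ngrok.yaml, yaml/nomachine.yaml and yaml/ocs_inventory.yaml, and in yaml/pcanywhere.yaml it is the only domain, so the network rule referenced there has nothing real to match on. Several other entries in this diff list URL paths instead of domains (`imperosoftware.com/impero-connect/`, `download.cnet.com/Net-Viewer/3000-2370_4-10034828.html`, `parallels.com/products/ras/try`, `au.pcmag.com/utilities/21470/webex-pcnow`), which likewise cannot match a destination-hostname or DNS query field. Moving such values to References, or having the generator skip any Domains entry that is not a hostname or wildcard pattern, would keep the generated rules clean; whether the generator already filters is not visible here. The netop hunk sharing this line is a pure re-indent and needs nothing.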
@@ -17,19 +17,25 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - nhostsvc.exe
- - nhstw32.exe
- - nldrw32.exe
- - rmserverconsolemediator.exe
+ - nhostsvc.exe
+ - nhstw32.exe
+ - nldrw32.exe
+ - rmserverconsolemediator.exe
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - imperosoftware.com/impero-connect/
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - imperosoftware.com/impero-connect/
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__aka_impero_connect__network_sigma.yml
+ Description: Detects potential network activity of Netop Remote Control (aka Impero
+ Connect) RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__aka_impero_connect__processes_sigma.yml
+ Description: Detects potential processes activity of Netop Remote Control (aka Impero
+ Connect) RMM tool
 References: []
 Acknowledgement: []
diff --git a/yaml/netop_remote_control_(impero_connect).yaml b/yaml/netop_remote_control_(impero_connect).yaml
index 72466bd0..6bc9ceb3 100644
--- a/yaml/netop_remote_control_(impero_connect).yaml
+++ b/yaml/netop_remote_control_(impero_connect).yaml
@@ -17,26 +17,32 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - nhostsvc.exe
- - nhstw32.exe
- - ngstw32.exe
- - Netop Ondemand.exe
- - nldrw32.exe
- - rmserverconsolemediator.exe
- - ImperoInit.exe
- - Connect.Backdrop.cloud*.exe
- - ImperoClientSVC.exe
+ - nhostsvc.exe
+ - nhstw32.exe
+ - ngstw32.exe
+ - Netop Ondemand.exe
+ - nldrw32.exe
+ - rmserverconsolemediator.exe
+ - ImperoInit.exe
+ - Connect.Backdrop.cloud*.exe
+ - ImperoClientSVC.exe
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - '*.connect.backdrop.cloud'
- - '*.netop.com'
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - '*.connect.backdrop.cloud'
+ - '*.netop.com'
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__impero_connect__network_sigma.yml
+ Description: Detects potential network activity of Netop Remote Control (Impero
+ Connect) RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__impero_connect__processes_sigma.yml
+ Description: Detects potential processes activity of Netop Remote Control (Impero
+ Connect) RMM tool
 References:
- - https://kb.netop.com/article/firewall-and-proxy-server-considerations-when-using-netop-portal-communication-373.html
+- https://kb.netop.com/article/firewall-and-proxy-server-considerations-when-using-netop-portal-communication-373.html
 Acknowledgement: []
diff --git a/yaml/netreo.yaml b/yaml/netreo.yaml
index c8aa0c03..cca6afa9 100644
--- a/yaml/netreo.yaml
+++ b/yaml/netreo.yaml
@@ -22,14 +22,16 @@ Artifacts:
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - charon.netreo.net
- - activation.netreo.net
- - '*.api.netreo.com'
- - netreo.com
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - charon.netreo.net
+ - activation.netreo.net
+ - '*.api.netreo.com'
+ - netreo.com
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netreo_network_sigma.yml
+ Description: Detects potential network activity of Netreo RMM tool
 References:
- - https://solutions.netreo.com/docs/firewall-requirements
+- https://solutions.netreo.com/docs/firewall-requirements
 Acknowledgement: []
diff --git a/yaml/netsupport_manager.yaml b/yaml/netsupport_manager.yaml
index 50691ce7..d00c59e7 100644
--- a/yaml/netsupport_manager.yaml
+++ b/yaml/netsupport_manager.yaml
@@ -17,20 +17,24 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - pcictlui.exe
- - pcicfgui.exe
- - client32.exe
+ - pcictlui.exe
+ - pcicfgui.exe
+ - client32.exe
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - '*.netsupportmanager.com'
- - netsupportmanager.com
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - '*.netsupportmanager.com'
+ - netsupportmanager.com
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_network_sigma.yml
+ Description: Detects potential network activity of NetSupport Manager RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_processes_sigma.yml
+ Description: Detects potential processes activity of NetSupport Manager RMM tool
 References:
- - https://www.netsupportmanager.com/resources/
+- https://www.netsupportmanager.com/resources/
 Acknowledgement: []
diff --git a/yaml/netsupportmanager.yaml b/yaml/netsupportmanager.yaml
index e910a50b..f24ba7d0 100644
--- a/yaml/netsupportmanager.yaml
+++ b/yaml/netsupportmanager.yaml
@@ -17,21 +17,25 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - pcictlui.exe
- - client32.exe
- - pcicfgui.exe
+ - pcictlui.exe
+ - client32.exe
+ - pcicfgui.exe
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - geo.netsupportsoftware.com
- - netsupportmanager.com
- - '*.netsupportmanager.com'
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - geo.netsupportsoftware.com
+ - netsupportmanager.com
+ - '*.netsupportmanager.com'
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_network_sigma.yml
+ Description: Detects potential network activity of NetSupport Manager RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_processes_sigma.yml
+ Description: Detects potential processes activity of NetSupport Manager RMM tool
 References:
- - https://www.netsupportmanager.com/resources/
+- https://www.netsupportmanager.com/resources/
 Acknowledgement: []
diff --git a/yaml/neturo.yaml b/yaml/neturo.yaml
index 0539315f..9d8e64ce 100644
--- a/yaml/neturo.yaml
+++ b/yaml/neturo.yaml
@@ -17,19 +17,23 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - neturo*.exe
- - ntrntservice.exe
- - neturo.exe
+ - neturo*.exe
+ - ntrntservice.exe
+ - neturo.exe
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - neturo.uplus.co.kr
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - neturo.uplus.co.kr
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/neturo_network_sigma.yml
+ Description: Detects potential network activity of Neturo RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/neturo_processes_sigma.yml
+ Description: Detects potential processes activity of Neturo RMM tool
 References:
- - 'Obscure, located an older copy here: http://www.iconpos.com/pos/home/iconpos/bbs.php?id=file&q=view&uid=2'
+- 'Obscure, located an older copy here: http://www.iconpos.com/pos/home/iconpos/bbs.php?id=file&q=view&uid=2'
 Acknowledgement: []
diff --git a/yaml/netviewer.yaml b/yaml/netviewer.yaml
index 9d582c4d..08f4319d 100644
--- a/yaml/netviewer.yaml
+++ b/yaml/netviewer.yaml
@@ -17,17 +17,21 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - netviewer*.exe
- - netviewer.exe
+ - netviewer*.exe
+ - netviewer.exe
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - download.cnet.com/Net-Viewer/3000-2370_4-10034828.html
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - download.cnet.com/Net-Viewer/3000-2370_4-10034828.html
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer_network_sigma.yml
+ Description: Detects potential network activity of Netviewer RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer_processes_sigma.yml
+ Description: Detects potential processes activity of Netviewer RMM tool
 References: []
 Acknowledgement: []
diff --git a/yaml/netviewer_(gotomeet).yaml b/yaml/netviewer_(gotomeet).yaml
index 6aa95aff..d376b9c8 100644
--- a/yaml/netviewer_(gotomeet).yaml
+++ b/yaml/netviewer_(gotomeet).yaml
@@ -17,14 +17,16 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - nvClient.exe
- - netviewer.exe
+ - nvClient.exe
+ - netviewer.exe
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network: []
-Detections: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer__gotomeet__processes_sigma.yml
+ Description: Detects potential processes activity of Netviewer (GoToMeet) RMM tool
 References:
- - 'Obsolute - found copy here: https://www.enviolet.com/en/service/online-consultant.html'
+- 'Obsolute - found copy here: https://www.enviolet.com/en/service/online-consultant.html'
 Acknowledgement: []
diff --git a/yaml/ngrok.yaml b/yaml/ngrok.yaml
index c8dbb8f8..b7ffc84d 100644
--- a/yaml/ngrok.yaml
+++ b/yaml/ngrok.yaml
@@ -17,20 +17,24 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - ngrok.exe
- - C:\*\ngrok.zip
- - '*\ngrok*'
+ - ngrok.exe
+ - C:\*\ngrok.zip
+ - '*\ngrok*'
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - user_managed
- - ngrok.com
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - user_managed
+ - ngrok.com
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ngrok_network_sigma.yml
+ Description: Detects potential network activity of ngrok RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ngrok_processes_sigma.yml
+ Description: Detects potential processes activity of ngrok RMM tool
 References:
- - https://ngrok.com/docs/guides/running-behind-firewalls/
+- https://ngrok.com/docs/guides/running-behind-firewalls/
 Acknowledgement: []
diff --git a/yaml/ninjaone_(formerly_ninjarmm).yaml b/yaml/ninjaone_(formerly_ninjarmm).yaml
index 55ac0849..24573726 100644
--- a/yaml/ninjaone_(formerly_ninjarmm).yaml
+++ b/yaml/ninjaone_(formerly_ninjarmm).yaml
@@ -17,7 +17,7 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - '*ProgramData\NinjaRMMAgent\*'
+ - '*ProgramData\NinjaRMMAgent\*'
 Artifacts:
 Disk: []
 EventLog: []
diff --git a/yaml/ninjarmm.yaml b/yaml/ninjarmm.yaml
index f1234d85..0a3a32bf 100644
--- a/yaml/ninjarmm.yaml
+++ b/yaml/ninjarmm.yaml
@@ -17,23 +17,27 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - ninjarmmagent.exe
- - NinjaRMMAgent.exe
- - NinjaRMMAgenPatcher.exe
- - ninjarmm-cli.exe
+ - ninjarmmagent.exe
+ - NinjaRMMAgent.exe
+ - NinjaRMMAgenPatcher.exe
+ - ninjarmm-cli.exe
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - '*.ninjarmm.com'
- - '*.ninjaone.com'
- - resources.ninjarmm.com
- - ninjaone.com
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - '*.ninjarmm.com'
+ - '*.ninjaone.com'
+ - resources.ninjarmm.com
+ - ninjaone.com
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ninjarmm_network_sigma.yml
+ Description: Detects potential network activity of NinjaRMM RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ninjarmm_processes_sigma.yml
+ Description: Detects potential processes activity of NinjaRMM RMM tool
 References:
- - https://www.ninjaone.com/faq/
+- https://www.ninjaone.com/faq/
 Acknowledgement: []
diff --git a/yaml/nomachine.yaml b/yaml/nomachine.yaml
index 94c835e0..265f5da8 100644
--- a/yaml/nomachine.yaml
+++ b/yaml/nomachine.yaml
@@ -17,20 +17,24 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - nomachine*.exe
- - nxservice*.ese
- - nxd.exe
+ - nomachine*.exe
+ - nxservice*.ese
+ - nxd.exe
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - user_managed
- - nomachine.com
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - user_managed
+ - nomachine.com
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nomachine_network_sigma.yml
+ Description: Detects potential network activity of NoMachine RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nomachine_processes_sigma.yml
+ Description: Detects potential processes activity of NoMachine RMM tool
 References:
- - https://kb.nomachine.com/AR04S01122
+- https://kb.nomachine.com/AR04S01122
 Acknowledgement: []
diff --git a/yaml/noteon-desktop_sharing.yaml b/yaml/noteon-desktop_sharing.yaml
index b48e185a..984af90c 100644
--- a/yaml/noteon-desktop_sharing.yaml
+++ b/yaml/noteon-desktop_sharing.yaml
@@ -17,14 +17,17 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - nateon*.exe
- - nateon.exe
- - nateonmain.exe
+ - nateon*.exe
+ - nateon.exe
+ - nateonmain.exe
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network: []
-Detections: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/noteon-desktop_sharing_processes_sigma.yml
+ Description: Detects potential processes activity of NoteOn-desktop sharing RMM
+ tool
 References: []
 Acknowledgement: []
diff --git a/yaml/ntr_remote.yaml b/yaml/ntr_remote.yaml
index b36bbc0f..06fe9af6 100644
--- a/yaml/ntr_remote.yaml
+++ b/yaml/ntr_remote.yaml
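Review bot: `nxservice*.ese` under InstallationPaths on the new side looks like a typo for `nxservice*.exe`; as written, a process rule generated from this list cannot match the NoMachine service binary, and the new Detections entry points at exactly such a rule, so the typo now degrades a published detection rather than just a catalogue page. Suggested line: `- nxservice*.exe`. The value is carried over from the old side, so the commit did not introduce it, but it is the first to attach a rule to it. In the preceding ninjarmm hunk, `NinjaRMMAgenPatcher.exe` may similarly be missing a letter and is worth checking against the vendor's binary name before a rule is generated from it.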
@@ -17,17 +17,21 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - NTRsupportPro_EN.exe
+ - NTRsupportPro_EN.exe
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - '*.ntrsupport.com'
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - '*.ntrsupport.com'
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ntr_remote_network_sigma.yml
+ Description: Detects potential network activity of NTR Remote RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ntr_remote_processes_sigma.yml
+ Description: Detects potential processes activity of NTR Remote RMM tool
 References:
- - DOA as of 2024
+- DOA as of 2024
 Acknowledgement: []
diff --git a/yaml/ocs_inventory.yaml b/yaml/ocs_inventory.yaml
index 50f0328a..8ae78c84 100644
--- a/yaml/ocs_inventory.yaml
+++ b/yaml/ocs_inventory.yaml
@@ -17,19 +17,23 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - ocsinventory.exe
- - ocsservice.exe
+ - ocsinventory.exe
+ - ocsservice.exe
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - user_managed
- - ocsinventory-ng.org
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - user_managed
+ - ocsinventory-ng.org
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ocs_inventory_network_sigma.yml
+ Description: Detects potential network activity of OCS inventory RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ocs_inventory_processes_sigma.yml
+ Description: Detects potential processes activity of OCS inventory RMM tool
 References:
- - https://ocsinventory-ng.org/?page_id=878&lang=en
+- https://ocsinventory-ng.org/?page_id=878&lang=en
 Acknowledgement: []
diff --git a/yaml/odrive.yaml b/yaml/odrive.yaml
index c6881d71..62fa4b3c 100644
--- a/yaml/odrive.yaml
+++ b/yaml/odrive.yaml
@@ -17,14 +17,16 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - C:\Users\*\current\
- - '*Users\*\.odrive'
- - '*\Odriveapp.exe'
+ - C:\Users\*\current\
+ - '*Users\*\.odrive'
+ - '*\Odriveapp.exe'
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network: []
-Detections: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/odrive_processes_sigma.yml
+ Description: Detects potential processes activity of ODrive RMM tool
 References: []
 Acknowledgement: []
diff --git a/yaml/onionshare.yaml b/yaml/onionshare.yaml
index 23aef882..1510cd92 100644
--- a/yaml/onionshare.yaml
+++ b/yaml/onionshare.yaml
@@ -17,15 +17,17 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - C:\Program Files (x86)\OnionShare\*
- - '*\OnionShare\*'
- - '*\onionshare*.exe'
- - OnionShare-win*.msi
+ - C:\Program Files (x86)\OnionShare\*
+ - '*\OnionShare\*'
+ - '*\onionshare*.exe'
+ - OnionShare-win*.msi
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network: []
-Detections: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/onionshare_processes_sigma.yml
+ Description: Detects potential processes activity of Onionshare RMM tool
 References: []
 Acknowledgement: []
diff --git a/yaml/optitune.yaml b/yaml/optitune.yaml
index 7a33dde6..21b31d9f 100644
--- a/yaml/optitune.yaml
+++ b/yaml/optitune.yaml
@@ -17,19 +17,23 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - OTService.exe
- - OTPowerShell.exe
+ - OTService.exe
+ - OTPowerShell.exe
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - '*.optitune.us'
- - '*.opti-tune.com'
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - '*.optitune.us'
+ - '*.opti-tune.com'
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/optitune_network_sigma.yml
+ Description: Detects potential network activity of OptiTune RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/optitune_processes_sigma.yml
+ Description: Detects potential processes activity of OptiTune RMM tool
 References:
- - https://www.bravurasoftware.com/optitune/support/faq.aspx
+- https://www.bravurasoftware.com/optitune/support/faq.aspx
 Acknowledgement: []
diff --git a/yaml/pandora_rc_(ehorus).yaml b/yaml/pandora_rc_(ehorus).yaml
index 2837d973..91f1e1da 100644
--- a/yaml/pandora_rc_(ehorus).yaml
+++ b/yaml/pandora_rc_(ehorus).yaml
@@ -17,18 +17,22 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - ehorus standalone.exe
- - ehorus_agent.exe
+ - ehorus standalone.exe
+ - ehorus_agent.exe
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - portal.ehorus.com
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - portal.ehorus.com
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pandora_rc__ehorus__network_sigma.yml
+ Description: Detects potential network activity of Pandora RC (eHorus) RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pandora_rc__ehorus__processes_sigma.yml
+ Description: Detects potential processes activity of Pandora RC (eHorus) RMM tool
 References:
- - https://pandorafms.com/manual/!current/en/documentation/09_pandora_rc/01_pandora_rc_introduction
+- https://pandorafms.com/manual/!current/en/documentation/09_pandora_rc/01_pandora_rc_introduction
 Acknowledgement: []
diff --git a/yaml/panorama9.yaml b/yaml/panorama9.yaml
index a57c2da3..32deb5fa 100644
--- a/yaml/panorama9.yaml
+++ b/yaml/panorama9.yaml
@@ -17,19 +17,23 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - p9agent*.exe
+ - p9agent*.exe
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - trusted.panorama9.com
- - changes.panorama9.com
- - panorama9.com
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - trusted.panorama9.com
+ - changes.panorama9.com
+ - panorama9.com
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/panorama9_network_sigma.yml
+ Description: Detects potential network activity of Panorama9 RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/panorama9_processes_sigma.yml
+ Description: Detects potential processes activity of Panorama9 RMM tool
 References:
- - https://support.panorama9.com/en/articles/1859605-what-ports-and-hosts-does-the-p9-agent-communicate-with
+- https://support.panorama9.com/en/articles/1859605-what-ports-and-hosts-does-the-p9-agent-communicate-with
 Acknowledgement: []
diff --git a/yaml/parallelsaccess.yaml b/yaml/parallelsaccess.yaml
index 41d8d22c..6eda315b 100644
--- a/yaml/parallelsaccess.yaml
+++ b/yaml/parallelsaccess.yaml
@@ -17,22 +17,26 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - parallelsaccess-*.exe
- - TSClient.exe
- - prl_deskctl_agent.exe
- - prl_deskctl_wizard.exe
- - prl_pm_service.exe
+ - parallelsaccess-*.exe
+ - TSClient.exe
+ - prl_deskctl_agent.exe
+ - prl_deskctl_wizard.exe
+ - prl_pm_service.exe
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - '*.parallels.com'
- - parallels.com/products/ras/try
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - '*.parallels.com'
+ - parallels.com/products/ras/try
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/parallels_access_network_sigma.yml
+ Description: Detects potential network activity of Parallels Access RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/parallels_access_processes_sigma.yml
+ Description: Detects potential processes activity of Parallels Access RMM tool
 References:
- - https://kb.parallels.com/en/129097
+- https://kb.parallels.com/en/129097
 Acknowledgement: []
diff --git a/yaml/pcanywhere.yaml b/yaml/pcanywhere.yaml
index c5a0ccdd..9bb0ccf3 100644
--- a/yaml/pcanywhere.yaml
+++ b/yaml/pcanywhere.yaml
@@ -17,20 +17,24 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - awhost32.exe
- - awrem32.exe
- - pcaquickconnect.exe
- - winaw32.exe
+ - awhost32.exe
+ - awrem32.exe
+ - pcaquickconnect.exe
+ - winaw32.exe
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network:
- - Description: Known remote domains
- Domains:
- - user_managed
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - user_managed
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcanywhere_network_sigma.yml
+ Description: Detects potential network activity of pcAnywhere RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcanywhere_processes_sigma.yml
+ Description: Detects potential processes activity of pcAnywhere RMM tool
 References:
- - https://en.wikipedia.org/wiki/PcAnywhere
+- https://en.wikipedia.org/wiki/PcAnywhere
 Acknowledgement: []
diff --git a/yaml/pcloud.yaml b/yaml/pcloud.yaml
index 513258d4..1c885f9d 100644
--- a/yaml/pcloud.yaml
+++ b/yaml/pcloud.yaml
@@ -17,14 +17,16 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - C:\Program Files (x86)\pCloud Drive\
- - '*\pCloud Drive\'
- - '*\pCloud.exe'
+ - C:\Program Files (x86)\pCloud Drive\
+ - '*\pCloud Drive\'
+ - '*\pCloud.exe'
 Artifacts:
 Disk: []
 EventLog: []
 Registry: []
 Network: []
-Detections: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcloud_processes_sigma.yml
+ Description: Detects potential processes activity of pCloud RMM tool
 References: []
 Acknowledgement: []
diff --git a/yaml/pcnow.yaml b/yaml/pcnow.yaml
index 18b33c52..86d1469f 100644
--- a/yaml/pcnow.yaml
+++ b/yaml/pcnow.yaml
@@ -17,19 +17,23 @@ Details:
Capabilities: []
Vulnerabilities: []
InstallationPaths:
- - mwcliun.exe
- - pcnmgr.exe
- - webexpcnow.exe
+ - mwcliun.exe
+ - pcnmgr.exe
+ - webexpcnow.exe
Artifacts:
Disk: []
EventLog: []
Registry: []
Network:
- - Description: Known remote domains
- Domains:
- - au.pcmag.com/utilities/21470/webex-pcnow
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - au.pcmag.com/utilities/21470/webex-pcnow
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcnow_network_sigma.yml
+ Description: Detects potential network activity of Pcnow RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcnow_processes_sigma.yml
+ Description: Detects potential processes activity of Pcnow RMM tool
References:
- - http://pcnow.webex.com/ - DOA as of 2024
+- http://pcnow.webex.com/ - DOA as of 2024
Acknowledgement: []
diff --git a/yaml/pcvisit.yaml b/yaml/pcvisit.yaml
index 1ec4cef1..bae13403 100644
--- a/yaml/pcvisit.yaml
+++ b/yaml/pcvisit.yaml
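Review bot: `au.pcmag.com/utilities/21470/webex-pcnow` is a review-site URL, not PCNow infrastructure, so the new `pcnow_network_sigma.yml` derived from Domains would flag anyone reading PCMag rather than use of the tool; it belongs under References. With the vendor page already marked `DOA as of 2024` there is no live indicator for a network rule at all, so the cleaner fix is to empty Domains and drop the network detection, leaving the process rule on `mwcliun.exe`/`pcnmgr.exe`/`webexpcnow.exe`.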
@@ -17,21 +17,25 @@ Details:
Capabilities: []
Vulnerabilities: []
InstallationPaths:
- - pcvisit.exe
- - pcvisit_client.exe
- - pcvisit-easysupport.exe
- - pcvisit_service_client.exe
+ - pcvisit.exe
+ - pcvisit_client.exe
+ - pcvisit-easysupport.exe
+ - pcvisit_service_client.exe
Artifacts:
Disk: []
EventLog: []
Registry: []
Network:
- - Description: Known remote domains
- Domains:
- - '*.pcvisit.de'
- - pcvisit.de
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - '*.pcvisit.de'
+ - pcvisit.de
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcvisit_network_sigma.yml
+ Description: Detects potential network activity of Pcvisit RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcvisit_processes_sigma.yml
+ Description: Detects potential processes activity of Pcvisit RMM tool
References:
- - https://www.pcvisit.de/
+- https://www.pcvisit.de/
Acknowledgement: []
diff --git a/yaml/pdq_connect.yaml b/yaml/pdq_connect.yaml
index fe24f89a..8e28af69 100644
--- a/yaml/pdq_connect.yaml
+++ b/yaml/pdq_connect.yaml
@@ -17,18 +17,22 @@ Details:
Capabilities: []
Vulnerabilities: []
InstallationPaths:
- - pdq-connect*.exe
+ - pdq-connect*.exe
Artifacts:
Disk: []
EventLog: []
Registry: []
Network:
- - Description: Known remote domains
- Domains:
- - app.pdq.com
- - cfcdn.pdq.com
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - app.pdq.com
+ - cfcdn.pdq.com
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pdq_connect_network_sigma.yml
+ Description: Detects potential network activity of PDQ Connect RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pdq_connect_processes_sigma.yml
+ Description: Detects potential processes activity of PDQ Connect RMM tool
References:
- - https://connect.pdq.com/hc/en-us/articles/9518992071707-Network-Requirements
+- https://connect.pdq.com/hc/en-us/articles/9518992071707-Network-Requirements
Acknowledgement: []
diff --git a/yaml/pilixo.yaml b/yaml/pilixo.yaml
index 106be439..961cee2c 100644
--- a/yaml/pilixo.yaml
+++ b/yaml/pilixo.yaml
@@ -17,20 +17,24 @@ Details:
Capabilities: []
Vulnerabilities: []
InstallationPaths:
- - rdp.exe
- - Pilixo_Installer*.exe
+ - rdp.exe
+ - Pilixo_Installer*.exe
Artifacts:
Disk: []
EventLog: []
Registry: []
Network:
- - Description: Known remote domains
- Domains:
- - pilixo.com
- - download.pilixo.com
- - '*.pilixo.com'
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - pilixo.com
+ - download.pilixo.com
+ - '*.pilixo.com'
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pilixo_network_sigma.yml
+ Description: Detects potential network activity of Pilixo RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pilixo_processes_sigma.yml
+ Description: Detects potential processes activity of Pilixo RMM tool
References:
- - https://pilixo.freshdesk.com/support/solutions/articles/9000141879-device-connectivity-and-firewalls
+- https://pilixo.freshdesk.com/support/solutions/articles/9000141879-device-connectivity-and-firewalls
Acknowledgement: []
diff --git a/yaml/pocket_cloud_(wyse).yaml b/yaml/pocket_cloud_(wyse).yaml
index 93397937..221babd9 100644
--- a/yaml/pocket_cloud_(wyse).yaml
+++ b/yaml/pocket_cloud_(wyse).yaml
@@ -17,14 +17,16 @@ Details:
Capabilities: []
Vulnerabilities: []
InstallationPaths:
- - pocketcloud*.exe
- - pocketcloudservice.exe
+ - pocketcloud*.exe
+ - pocketcloudservice.exe
Artifacts:
Disk: []
EventLog: []
Registry: []
Network: []
-Detections: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_cloud__wyse__processes_sigma.yml
+ Description: Detects potential processes activity of Pocket Cloud (Wyse) RMM tool
References:
- - https://wyse-pocketcloud.informer.com/2.1/
+- https://wyse-pocketcloud.informer.com/2.1/
Acknowledgement: []
diff --git a/yaml/pocket_controller.yaml b/yaml/pocket_controller.yaml
index 4dd0a4ed..725becf7 100644
--- a/yaml/pocket_controller.yaml
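Review bot: `rdp.exe` under InstallationPaths is a generic image name that this same commit also lists for Remote Desktop Plus (`yaml/remote_desktop_plus.yaml`), so the new `pilixo_processes_sigma.yml` and that entry's rule will both fire on the same event and neither attributes it. To discriminate, add PEMetadata (OriginalFileName/Product) for the Pilixo binary so a rule can key on version info, or drop `rdp.exe` here and rely on `Pilixo_Installer*.exe`. `download.pilixo.com` is also redundant next to `'*.pilixo.com'` if the wildcard is treated as a suffix match.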
+++ b/yaml/pocket_controller.yaml
@@ -17,18 +17,22 @@ Details:
Capabilities: []
Vulnerabilities: []
InstallationPaths:
- - pocketcontroller.exe
- - pocketcloudservice.exe
- - wysebrowser.exe
+ - pocketcontroller.exe
+ - pocketcloudservice.exe
+ - wysebrowser.exe
Artifacts:
Disk: []
EventLog: []
Registry: []
Network:
- - Description: Known remote domains
- Domains:
- - soti.net/products/soti-pocket-controller
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - soti.net/products/soti-pocket-controller
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller_network_sigma.yml
+ Description: Detects potential network activity of Pocket Controller RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller_processes_sigma.yml
+ Description: Detects potential processes activity of Pocket Controller RMM tool
References: []
Acknowledgement: []
diff --git a/yaml/pocket_controller_(soti_xsight).yaml b/yaml/pocket_controller_(soti_xsight).yaml
index 6293b86a..56c8600f 100644
--- a/yaml/pocket_controller_(soti_xsight).yaml
+++ b/yaml/pocket_controller_(soti_xsight).yaml
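Review bot: `soti.net/products/soti-pocket-controller` in Domains is a product-page URL, not a hostname, so the generated `pocket_controller_network_sigma.yml` has no matchable indicator; move it to References (currently `[]`) and, if known, list the real SOTI hosts as domains. The process list also overlaps two sibling entries in this commit: `pocketcloudservice.exe` is in `pocket_cloud_(wyse).yaml` and `pocketcontroller.exe`/`wysebrowser.exe` are in `pocket_controller_(soti_xsight).yaml`, so three process rules fire on one event; consider merging the entries or cross-referencing them so the generator emits one rule.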
@@ -17,19 +17,25 @@ Details:
Capabilities: []
Vulnerabilities: []
InstallationPaths:
- - pocketcontroller.exe
- - wysebrowser.exe
- - XSightService.exe
+ - pocketcontroller.exe
+ - wysebrowser.exe
+ - XSightService.exe
Artifacts:
Disk: []
EventLog: []
Registry: []
Network:
- - Description: Known remote domains
- Domains:
- - '*soti.net'
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - '*soti.net'
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller__soti_xsight__network_sigma.yml
+ Description: Detects potential network activity of Pocket Controller (Soti Xsight)
+ RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller__soti_xsight__processes_sigma.yml
+ Description: Detects potential processes activity of Pocket Controller (Soti Xsight)
+ RMM tool
References:
- - https://pulse.soti.net/support/soti-xsight/help/
+- https://pulse.soti.net/support/soti-xsight/help/
Acknowledgement: []
diff --git a/yaml/psexec.yaml b/yaml/psexec.yaml
index 6a05ba59..ecf58598 100644
--- a/yaml/psexec.yaml
+++ b/yaml/psexec.yaml
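Review bot: `'*soti.net'` lacks the dot before the apex, so if the wildcard is a glob it also matches any unrelated domain ending in `soti.net` (e.g. `notsoti.net`); write it as `'*.soti.net'` plus `soti.net`, the form the other entries in this commit use. The description strings become rule titles, so the vendor's own capitalisation (SOTI XSight) is worth using rather than `Soti Xsight`. `pocketcontroller.exe` and `wysebrowser.exe` also duplicate `yaml/pocket_controller.yaml`, so the two generated process rules will co-fire on the same event.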
@@ -17,18 +17,22 @@ Details:
Capabilities: []
Vulnerabilities: []
InstallationPaths:
- - psexec.exe
- - psexecsvc.exe
+ - psexec.exe
+ - psexecsvc.exe
Artifacts:
Disk: []
EventLog: []
Registry: []
Network:
- - Description: Known remote domains
- Domains:
- - user_managed
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - user_managed
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec_network_sigma.yml
+ Description: Detects potential network activity of PSEXEC RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec_processes_sigma.yml
+ Description: Detects potential processes activity of PSEXEC RMM tool
References:
- - https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
+- https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
Acknowledgement: []
diff --git a/yaml/psexec_(clone).yaml b/yaml/psexec_(clone).yaml
index 71f0ae05..8277285b 100644
--- a/yaml/psexec_(clone).yaml
+++ b/yaml/psexec_(clone).yaml
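Review bot: Domains holds only `user_managed`, yet the hunk now generates `psexec_network_sigma.yml` from it; PsExec talks SMB to whatever host the operator names, so a domain-keyed network rule can never be meaningful here and the entry should be omitted rather than emitted with a placeholder. The process rule on `psexec.exe`/`psexecsvc.exe` is weak on its own because the `-r` switch documented on the linked Sysinternals page renames the remote service, so the durable indicators — the `PSEXESVC` service install (System log event 7045), the `\PSEXESVC` named pipe and the `PSEXESVC.exe` drop in `ADMIN$` — belong under EventLog/Disk, which remain `[]`. SigmaHQ already ships PsExec rules that could be linked next to the generated ones, as the RAdmin entry in this commit does.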
@@ -17,23 +17,27 @@ Details:
Capabilities: []
Vulnerabilities: []
InstallationPaths:
- - paexec.exe
- - PAExec-*.exe
- - 'csexec.exe '
- - remcom.exe
- - remcomsvc.exe
- - xcmd.exe
- - xcmdsvc.exe
+ - paexec.exe
+ - PAExec-*.exe
+ - 'csexec.exe '
+ - remcom.exe
+ - remcomsvc.exe
+ - xcmd.exe
+ - xcmdsvc.exe
Artifacts:
Disk: []
EventLog: []
Registry: []
Network:
- - Description: Known remote domains
- Domains:
- - user_managed
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - user_managed
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec__clone__network_sigma.yml
+ Description: Detects potential network activity of PSEXEC (Clone) RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec__clone__processes_sigma.yml
+ Description: Detects potential processes activity of PSEXEC (Clone) RMM tool
References:
- - https://www.poweradmin.com/paexec/
+- https://www.poweradmin.com/paexec/
Acknowledgement: []
diff --git a/yaml/pulseway.yaml b/yaml/pulseway.yaml
index 9ae3ebaa..a9b34eeb 100644
--- a/yaml/pulseway.yaml
+++ b/yaml/pulseway.yaml
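Review bot: `'csexec.exe '` keeps a trailing space inside the quotes, so if `psexec__clone__processes_sigma.yml` is built from InstallationPaths that pattern is `csexec.exe ` and will never match an image name; the re-dump preserved the typo rather than fixing it. Change the line to `- csexec.exe`. As with the PsExec entry, `user_managed` under Domains means the generated network rule has nothing to match — these clones (PAExec, RemCom, csexec, xcmd) speak SMB to operator-chosen hosts — so the service-install and named-pipe artifacts are the useful indicators and are still missing from Artifacts.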
@@ -17,18 +17,22 @@ Details:
Capabilities: []
Vulnerabilities: []
InstallationPaths:
- - PCMonitorManager.exe
- - pcmonitorsrv.exe
+ - PCMonitorManager.exe
+ - pcmonitorsrv.exe
Artifacts:
Disk: []
EventLog: []
Registry: []
Network:
- - Description: Known remote domains
- Domains:
- - pulseway.com
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - pulseway.com
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pulseway_network_sigma.yml
+ Description: Detects potential network activity of Pulseway RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pulseway_processes_sigma.yml
+ Description: Detects potential processes activity of Pulseway RMM tool
References:
- - https://intercom.help/pulseway/en/
+- https://intercom.help/pulseway/en/
Acknowledgement: []
diff --git a/yaml/putty_tray.yaml b/yaml/putty_tray.yaml
index 23d52461..55b8a17e 100644
--- a/yaml/putty_tray.yaml
+++ b/yaml/putty_tray.yaml
@@ -17,13 +17,15 @@ Details:
Capabilities: []
Vulnerabilities: []
InstallationPaths:
- - C:\*\puttytray.exe
- - '*\puttytray.exe'
+ - C:\*\puttytray.exe
+ - '*\puttytray.exe'
Artifacts:
Disk: []
EventLog: []
Registry: []
Network: []
-Detections: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/putty_tray_processes_sigma.yml
+ Description: Detects potential processes activity of PuTTY Tray RMM tool
References: []
Acknowledgement: []
diff --git a/yaml/qq_im-remote_assistance.yaml b/yaml/qq_im-remote_assistance.yaml
index 5fe6ddec..ec0daf0d 100644
--- a/yaml/qq_im-remote_assistance.yaml
+++ b/yaml/qq_im-remote_assistance.yaml
@@ -17,22 +17,27 @@ Details:
Capabilities: []
Vulnerabilities: []
InstallationPaths:
- - qq.exe
- - QQProtect.exe
- - qqpcmgr.exe
+ - qq.exe
+ - QQProtect.exe
+ - qqpcmgr.exe
Artifacts:
Disk: []
EventLog: []
Registry: []
Network:
- - Description: Known remote domains
- Domains:
- - '*.mdt.qq.com'
- - '*.desktop.qq.com'
- - upload_data.qq.com
- - qq-messenger.en.softonic.com
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - '*.mdt.qq.com'
+ - '*.desktop.qq.com'
+ - upload_data.qq.com
+ - qq-messenger.en.softonic.com
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/qq_im-remote_assistance_network_sigma.yml
+ Description: Detects potential network activity of QQ IM-remote assistance RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/qq_im-remote_assistance_processes_sigma.yml
+ Description: Detects potential processes activity of QQ IM-remote assistance RMM
+ tool
References:
- - https://en.wikipedia.org/wiki/Tencent_QQ
+- https://en.wikipedia.org/wiki/Tencent_QQ
Acknowledgement: []
diff --git a/yaml/quest_kace_agent_(formerly_dell_kace).yaml b/yaml/quest_kace_agent_(formerly_dell_kace).yaml
index 3dbe0378..a763ec4b 100644
--- a/yaml/quest_kace_agent_(formerly_dell_kace).yaml
+++ b/yaml/quest_kace_agent_(formerly_dell_kace).yaml
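Review bot: `qq-messenger.en.softonic.com` is a third-party download mirror, not Tencent infrastructure, so the new `qq_im-remote_assistance_network_sigma.yml` would fire on ordinary Softonic browsing; move it to References or drop it. `upload_data.qq.com` contains an underscore, which is not valid in a hostname under RFC 1123, so it is probably a transcription error — verify the real host before a rule is generated from it. `qq.exe`/`QQProtect.exe` also run on every machine with QQ Messenger installed, which is routine in many regions, so the process rule's Description should say it flags the messenger itself rather than only its remote-assistance feature.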
@@ -17,18 +17,24 @@ Details:
Capabilities: []
Vulnerabilities: []
InstallationPaths:
- - konea.exe
+ - konea.exe
Artifacts:
Disk: []
EventLog: []
Registry: []
Network:
- - Description: Known remote domains
- Domains:
- - '*.kace.com'
- - www.quest.com/kace/
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - '*.kace.com'
+ - www.quest.com/kace/
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quest_kace_agent__formerly_dell_kace__network_sigma.yml
+ Description: Detects potential network activity of Quest KACE Agent (formerly Dell
+ KACE) RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quest_kace_agent__formerly_dell_kace__processes_sigma.yml
+ Description: Detects potential processes activity of Quest KACE Agent (formerly
+ Dell KACE) RMM tool
References:
- - https://support.quest.com/kb/4211365/which-network-ports-and-urls-are-required-for-the-kace-sma-appliance-to-function
+- https://support.quest.com/kb/4211365/which-network-ports-and-urls-are-required-for-the-kace-sma-appliance-to-function
Acknowledgement: []
diff --git a/yaml/quick_assist.yaml b/yaml/quick_assist.yaml
index bccf98ca..eac7728d 100644
--- a/yaml/quick_assist.yaml
+++ b/yaml/quick_assist.yaml
@@ -17,12 +17,14 @@ Details:
Capabilities: []
Vulnerabilities: []
InstallationPaths:
- - quickassist.exe
+ - quickassist.exe
Artifacts:
Disk: []
EventLog: []
Registry: []
Network: []
-Detections: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quick_assist_processes_sigma.yml
+ Description: Detects potential processes activity of Quick Assist RMM tool
References: []
Acknowledgement: []
diff --git a/yaml/quickassist.yaml b/yaml/quickassist.yaml
index b3067c24..207c91a3 100644
--- a/yaml/quickassist.yaml
+++ b/yaml/quickassist.yaml
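Review bot: `www.quest.com/kace/` is a URL path, not a hostname, so the generated `quest_kace_agent__formerly_dell_kace__network_sigma.yml` cannot match it and the entry only duplicates what References already covers; drop it from Domains. The linked Quest KB article is titled as listing the network ports and URLs the KACE SMA appliance requires, which is exactly the content that should populate Domains and Ports (currently `[]`) alongside `'*.kace.com'`, so the network rule would key on the agent's real check-in hosts rather than a marketing page.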
@@ -17,16 +17,20 @@ Details:
Capabilities: []
Vulnerabilities: []
InstallationPaths:
- - quickassist.exe
+ - quickassist.exe
Artifacts:
Disk: []
EventLog: []
Registry: []
Network:
- - Description: Known remote domains
- Domains:
- - '*.support.services.microsoft.com'
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - '*.support.services.microsoft.com'
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quick_assist_network_sigma.yml
+ Description: Detects potential network activity of Quick Assist RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quick_assist_processes_sigma.yml
+ Description: Detects potential processes activity of Quick Assist RMM tool
References: []
Acknowledgement: []
diff --git a/yaml/radmin.yaml b/yaml/radmin.yaml
index 2101dd7e..3edd32dc 100644
--- a/yaml/radmin.yaml
+++ b/yaml/radmin.yaml
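Review bot: `yaml/quick_assist.yaml` (previous hunk) and this `yaml/quickassist.yaml` describe the same tool with the same `quickassist.exe`, and both now point at `detections/sigma/quick_assist_processes_sigma.yml`; the generator evidently derives the rule filename from the display name, so two source entries write the same output file and one silently overwrites the other. Merge them into this file (it is the richer one, with the `'*.support.services.microsoft.com'` domain) and delete the other, or give them distinct names so the collision surfaces. Quick Assist is a built-in Windows component used by legitimate helpdesks, so the rule Description should also say that sanctioned support sessions need allowlisting, e.g. `Description: Detects Quick Assist execution; tune against approved helpdesk hosts`.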
@@ -1,73 +1,81 @@
Name: RAdmin
-Description: |
- RAdmin is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.
-Author: 'Nasreddine Bencherchali'
+Description: 'RAdmin is a remote monitoring and management (RMM) tool. More information
+ will be added as it becomes available.
+
+ '
+Author: Nasreddine Bencherchali
Created: '2024-08-05'
LastModified: '2024-08-05'
Details:
- Website: 'https://www.radmin.com/'
+ Website: https://www.radmin.com/
PEMetadata:
- - Filename: 'RServer3.exe'
- OriginalFileName: 'RServer3.exe'
- InternalName: 'RServer3'
- Description: 'Radmin Server'
- Product: 'Radmin Server'
- Comments: 'Radmin - Remote Control Server'
- - Filename: 'Radmin.exe'
- OriginalFileName: 'Radmin.exe'
- InternalName: 'Radmin'
- Description: 'Radmin Viewer'
- Product: 'Radmin Viewer'
- Comments: 'Radmin Viewer'
+ - Filename: RServer3.exe
+ OriginalFileName: RServer3.exe
+ InternalName: RServer3
+ Description: Radmin Server
+ Product: Radmin Server
+ Comments: Radmin - Remote Control Server
+ - Filename: Radmin.exe
+ OriginalFileName: Radmin.exe
+ InternalName: Radmin
+ Description: Radmin Viewer
+ Product: Radmin Viewer
+ Comments: Radmin Viewer
Privileges: ''
Free: ''
Verification: ''
SupportedOS:
- - Windows
+ - Windows
Capabilities: []
Vulnerabilities: []
InstallationPaths:
- - 'C:\Program Files (x86)\Radmin Viewer 3\Radmin.exe'
- - 'C:\Windows\SysWOW64\rserver30\rserver3.exe'
- - 'C:\Windows\SysWOW64\rserver30\FamItrfc'
- - 'C:\Windows\SysWOW64\rserver30\FamItrf2'
+ - C:\Program Files (x86)\Radmin Viewer 3\Radmin.exe
+ - C:\Windows\SysWOW64\rserver30\rserver3.exe
+ - C:\Windows\SysWOW64\rserver30\FamItrfc
+ - C:\Windows\SysWOW64\rserver30\FamItrf2
Artifacts:
Disk:
- - File: 'C:\Windows\SysWOW64\rserver30\Radm_log.htm'
- Description: 'RAdmin log file (32-bit)'
- OS: Windows
- - File: 'C:\Windows\System32\rserver30\Radm_log.htm'
- Description: 'RAdmin log file (64-bit)'
- OS: Windows
- - File: 'C:\Windows\System32\rserver30\CHATLOGS\*\*.htm'
- Description: 'RAdmin chat logs'
- OS: Windows
- - File: 'C:\Users\*\Documents\ChatLogs\*\*.htm'
- Description: 'RAdmin user chat logs'
- OS: Windows
+ - File: C:\Windows\SysWOW64\rserver30\Radm_log.htm
+ Description: RAdmin log file (32-bit)
+ OS: Windows
+ - File: C:\Windows\System32\rserver30\Radm_log.htm
+ Description: RAdmin log file (64-bit)
+ OS: Windows
+ - File: C:\Windows\System32\rserver30\CHATLOGS\*\*.htm
+ Description: RAdmin chat logs
+ OS: Windows
+ - File: C:\Users\*\Documents\ChatLogs\*\*.htm
+ Description: RAdmin user chat logs
+ OS: Windows
EventLog: []
Registry:
- - Path: 'HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin
- Security'
- Description: N/A
+ - Path: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin
+ Security
+ Description: N/A
Network:
- - Description: N/A
- Domains:
- - 'radmin.com'
- Ports:
- - 443
+ - Description: N/A
+ Domains:
+ - radmin.com
+ Ports:
+ - 443
Detections:
- - Sigma:
- https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_pua_radmin.yml
- Description: PUA - Radmin Viewer Utility Execution
- - Sigma:
- https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml
- Description: Enumeration for 3rd Party Creds From CLI
+- Sigma: https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_pua_radmin.yml
+ Description: PUA - Radmin Viewer Utility Execution
+- Sigma: https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml
+ Description: Enumeration for 3rd Party Creds From CLI
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_registry_sigma.yml
+ Description: Detects potential registry activity of RAdmin RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_network_sigma.yml
+ Description: Detects potential network activity of RAdmin RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_files_sigma.yml
+ Description: Detects potential files activity of RAdmin RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_processes_sigma.yml
+ Description: Detects potential processes activity of RAdmin RMM tool
References:
- - https://radmin-club.com/radmin/how-to-establish-a-connection-outside-of-lan/
- - https://helpdesk.radmin.com/radmin3help/
- - https://helpdesk.radmin.com/radmin3help/files/viewercmd.htm
- - https://helpdesk.radmin.com/radmin3help/files/cmd.htm
+- https://radmin-club.com/radmin/how-to-establish-a-connection-outside-of-lan/
+- https://helpdesk.radmin.com/radmin3help/
+- https://helpdesk.radmin.com/radmin3help/files/viewercmd.htm
+- https://helpdesk.radmin.com/radmin3help/files/cmd.htm
Acknowledgement:
- - Person: Nasreddine Bencherchali
- Handle: '@nas_bench'
+- Person: Nasreddine Bencherchali
+ Handle: '@nas_bench'
diff --git a/yaml/raidrive.yaml b/yaml/raidrive.yaml
index cf01a22e..7c7e0b19 100644
--- a/yaml/raidrive.yaml
+++ b/yaml/raidrive.yaml
@@ -17,10 +17,10 @@ Details:
Capabilities: []
Vulnerabilities: []
InstallationPaths:
- - C:\*\OpenBoxLab\RaiDrive\*
- - '*\OpenBoxLab\RaiDrive\*'
- - service = raidrive_*
- - Computer\HKEY_LOCAL_MACHINE\SOFTWARE\OpenBoxLab\RaiDrive\Drives
+ - C:\*\OpenBoxLab\RaiDrive\*
+ - '*\OpenBoxLab\RaiDrive\*'
+ - service = raidrive_*
+ - Computer\HKEY_LOCAL_MACHINE\SOFTWARE\OpenBoxLab\RaiDrive\Drives
Artifacts:
Disk: []
EventLog: []
diff --git a/yaml/rapid7.yaml b/yaml/rapid7.yaml
index 10a7818f..51011ec0 100644
--- a/yaml/rapid7.yaml
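Review bot: Network lists port `443` with `Description: N/A`, but as far as I know Radmin Server's default listener is TCP 4899 (the linked radmin-club article on connecting from outside the LAN is about forwarding that port), so the new `radmin_network_sigma.yml` generated from this block would key on the wrong port unless 443 is meant as a common custom choice — say which in the Description. `radmin.com` is only contacted for downloads/licensing, not by Viewer-to-Server sessions, which are direct, so the domain is an installation indicator rather than a session one. `Description: N/A` under Registry should also be replaced with what the `Radmin Security` key presumably holds (the server's access-permission settings — verify) so the new `radmin_registry_sigma.yml` gets a meaningful title instead of `potential registry activity`.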
+++ b/yaml/rapid7.yaml
@@ -17,20 +17,24 @@ Details:
Capabilities: []
Vulnerabilities: []
InstallationPaths:
- - ir_agent.exe
- - rapid7_agent_core.exe
- - rapid7_endpoint_broker.exe
+ - ir_agent.exe
+ - rapid7_agent_core.exe
+ - rapid7_endpoint_broker.exe
Artifacts:
Disk: []
EventLog: []
Registry: []
Network:
- - Description: Known remote domains
- Domains:
- - '*.analytics.insight.rapid7.com'
- - '*.endpoint.ingress.rapid7.com'
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - '*.analytics.insight.rapid7.com'
+ - '*.endpoint.ingress.rapid7.com'
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rapid7_network_sigma.yml
+ Description: Detects potential network activity of Rapid7 RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rapid7_processes_sigma.yml
+ Description: Detects potential processes activity of Rapid7 RMM tool
References:
- - https://docs.rapid7.com/insightvm/configure-communications-with-the-insight-platform/
+- https://docs.rapid7.com/insightvm/configure-communications-with-the-insight-platform/
Acknowledgement: []
diff --git a/yaml/rclone.yaml b/yaml/rclone.yaml
index 42dd8842..dd18a136 100644
--- a/yaml/rclone.yaml
+++ b/yaml/rclone.yaml
@@ -17,15 +17,17 @@ Details:
Capabilities: []
Vulnerabilities: []
InstallationPaths:
- - portable tool. No install path
- - portable tool. No install path
- - rclone*.zip
- - '*\rclone.exe'
+ - portable tool. No install path
+ - portable tool. No install path
+ - rclone*.zip
+ - '*\rclone.exe'
Artifacts:
Disk: []
EventLog: []
Registry: []
Network: []
-Detections: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rclone_processes_sigma.yml
+ Description: Detects potential processes activity of rclone RMM tool
References: []
Acknowledgement: []
diff --git a/yaml/rdp2tcp.yaml b/yaml/rdp2tcp.yaml
index cf2beac9..2cabd5bd 100644
--- a/yaml/rdp2tcp.yaml
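Review bot: The Rapid7 Insight Agent (`ir_agent.exe`, `rapid7_agent_core.exe`) is an EDR/vulnerability-management agent rather than an RMM product, so the generated `Detects potential processes activity of Rapid7 RMM tool` is misleading, and in any Rapid7 customer estate `rapid7_processes_sigma.yml` will fire on every endpoint continuously; the rule needs a deployment allowlist or should be scoped to first installation rather than execution. The domain list (`'*.analytics.insight.rapid7.com'`, `'*.endpoint.ingress.rapid7.com'`) does match what the linked Rapid7 communications doc describes, so the network rule is the more useful of the two and its Description could say it catches agents phoning home from hosts where Rapid7 is not sanctioned.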
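Review bot: InstallationPaths carries the free-text `portable tool. No install path` twice, so if `rclone_processes_sigma.yml` is built from this list that sentence becomes two useless duplicate match patterns, and `rclone*.zip` is an archive name rather than an image. Keep only `'*\rclone.exe'` here and move the note into Description. rclone is the commodity exfiltration tool in ransomware cases, so the entry would gain more from a command-line artifact (`copy`/`sync` to a remote, `--config`, `--no-check-certificate`) under Artifacts, which are all `[]`, than from a bare image-name rule that renaming defeats.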
+++ b/yaml/rdp2tcp.yaml
@@ -17,19 +17,23 @@ Details:
Capabilities: []
Vulnerabilities: []
InstallationPaths:
- - tdp2tcp.exe
- - rdp2tcp.py
+ - tdp2tcp.exe
+ - rdp2tcp.py
Artifacts:
Disk: []
EventLog: []
Registry: []
Network:
- - Description: Known remote domains
- Domains:
- - user_managed
- - github.com/V-E-O/rdp2tcp
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - user_managed
+ - github.com/V-E-O/rdp2tcp
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdp2tcp_network_sigma.yml
+ Description: Detects potential network activity of rdp2tcp RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdp2tcp_processes_sigma.yml
+ Description: Detects potential processes activity of rdp2tcp RMM tool
References:
- - github.com/V-E-O/rdp2tcp
+- github.com/V-E-O/rdp2tcp
Acknowledgement: []
diff --git a/yaml/rdpview.yaml b/yaml/rdpview.yaml
index 2fe45703..36a0fbe3 100644
--- a/yaml/rdpview.yaml
+++ b/yaml/rdpview.yaml
@@ -17,18 +17,22 @@ Details:
Capabilities: []
Vulnerabilities: []
InstallationPaths:
- - dwrcs.exe
+ - dwrcs.exe
Artifacts:
Disk: []
EventLog: []
Registry: []
Network:
- - Description: Known remote domains
- Domains:
- - user_managed
- - systemmanager.ru/dntu.en/rdp_view.htm
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - user_managed
+ - systemmanager.ru/dntu.en/rdp_view.htm
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpview_network_sigma.yml
+ Description: Detects potential network activity of RDPView RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpview_processes_sigma.yml
+ Description: Detects potential processes activity of RDPView RMM tool
References:
- - systemmanager.ru/dntu.en/rdp_view.htm - Same as Damware
+- systemmanager.ru/dntu.en/rdp_view.htm - Same as Damware
Acknowledgement: []
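Review bot: `tdp2tcp.exe` looks like a typo for `rdp2tcp.exe` (the project is rdp2tcp per the linked `github.com/V-E-O/rdp2tcp`), so the generated `rdp2tcp_processes_sigma.yml` would never match the real binary; the re-dump carried the typo through unchanged, so change it to `- rdp2tcp.exe` unless the odd name is deliberate. `github.com/V-E-O/rdp2tcp` is a repository URL and `user_managed` a placeholder, so the new network rule has no usable indicator either and should be dropped. rdp2tcp tunnels TCP inside an existing RDP virtual channel, which is why the only detectable pieces are host-side (the controller script and the client-side binary), and why Domains/Ports will stay empty by design — worth saying in the Description.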
diff --git a/yaml/rdpwrap.yaml b/yaml/rdpwrap.yaml
index 5b3b8d7a..ad1553ec 100644
--- a/yaml/rdpwrap.yaml
+++ b/yaml/rdpwrap.yaml
@@ -17,20 +17,24 @@ Details:
Capabilities: []
Vulnerabilities: []
InstallationPaths:
- - RDPWInst.exe
- - RDPCheck.exe
- - RDPConf.exe
+ - RDPWInst.exe
+ - RDPCheck.exe
+ - RDPConf.exe
Artifacts:
Disk: []
EventLog: []
Registry: []
Network:
- - Description: Known remote domains
- Domains:
- - user_managed
- - github.com/stascorp/rdpwrap
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - user_managed
+ - github.com/stascorp/rdpwrap
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpwrap_network_sigma.yml
+ Description: Detects potential network activity of rdpwrap RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpwrap_processes_sigma.yml
+ Description: Detects potential processes activity of rdpwrap RMM tool
References:
- - github.com/stascorp/rdpwrap
+- github.com/stascorp/rdpwrap
Acknowledgement: []
diff --git a/yaml/remcos.yaml b/yaml/remcos.yaml
index 6ad36a03..b3a1c6c6 100644
--- a/yaml/remcos.yaml
+++ b/yaml/remcos.yaml
@@ -17,12 +17,14 @@ Details:
Capabilities: []
Vulnerabilities: []
InstallationPaths:
- - remcos*.exe
+ - remcos*.exe
Artifacts:
Disk: []
EventLog: []
Registry: []
Network: []
-Detections: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remcos_processes_sigma.yml
+ Description: Detects potential processes activity of Remcos RMM tool
References: []
Acknowledgement: []
diff --git a/yaml/remobo.yaml b/yaml/remobo.yaml
index c5d0f3dc..5c472e3a 100644
--- a/yaml/remobo.yaml
+++ b/yaml/remobo.yaml
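Review bot: The new `rdpwrap_network_sigma.yml` is generated from `user_managed` and a GitHub repository URL, neither of which is a matchable domain, so it should be dropped rather than shipped as a dead rule. RDP Wrapper is a local patch to Terminal Services, so the durable indicators are on disk and in the registry — the `rdpwrap.dll`/`rdpwrap.ini` files and the `TermService` `ServiceDll` value pointing at them (verify against the linked repo) — and those Artifacts sections remain `[]`; the three EXEs in InstallationPaths are installer/checker utilities that are only present around setup, so the process rule misses the persistent state that matters.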
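Review bot: Remcos is a commodity RAT seen in malware campaigns rather than an administrative product, yet the generated description `Detects potential processes activity of Remcos RMM tool` reads as low-severity tooling noise and will be triaged as such. The rule deserves a higher level and a note that `remcos*.exe` only catches the default build name; real samples are renamed, so the indicators public analyses document (its registry run key and keylog file — verify) belong under Artifacts before a process-name rule is worth much. References is also `[]`, so there is nothing for an analyst to pivot to.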
@@ -17,20 +17,24 @@ Details:
Capabilities: []
Vulnerabilities: []
InstallationPaths:
- - remobo.exe
- - remobo_client.exe
- - remobo_tracker.exe
+ - remobo.exe
+ - remobo_client.exe
+ - remobo_tracker.exe
Artifacts:
Disk: []
EventLog: []
Registry: []
Network:
- - Description: Known remote domains
- Domains:
- - user_managed
- - remobo.en.softonic.com
- Ports: []
-Detections: []
+ -Description: Known remote domains
+ Domains:
+ - user_managed
+ - remobo.en.softonic.com
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remobo_network_sigma.yml
+ Description: Detects potential network activity of Remobo RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remobo_processes_sigma.yml
+ Description: Detects potential processes activity of Remobo RMM tool
References:
- - https://www.remobo.com - DOA as of 2024
+- https://www.remobo.com - DOA as of 2024
Acknowledgement: []
diff --git a/yaml/remote.it.yaml b/yaml/remote.it.yaml
index 75969a7d..e96c773c 100644
--- a/yaml/remote.it.yaml
+++ b/yaml/remote.it.yaml
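Review bot: `remobo.en.softonic.com` is a Softonic download page, not Remobo infrastructure, so `remobo_network_sigma.yml` would flag ordinary Softonic browsing; with the vendor site marked `DOA as of 2024` and the only other Domains entry being the `user_managed` placeholder, the network rule has nothing legitimate to match and should be omitted, leaving the process rule on `remobo.exe`/`remobo_client.exe`/`remobo_tracker.exe`. Keep the Softonic link under References if it is the only surviving source for those binary names.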
@@ -17,21 +17,25 @@ Details:
Capabilities: []
Vulnerabilities: []
InstallationPaths:
- - remote-it-installer.exe
- - remote.it.exe
- - remoteit.exe
+ - remote-it-installer.exe
+ - remote.it.exe
+ - remoteit.exe
Artifacts:
Disk: []
EventLog: []
Registry: []
Network:
- - Description: Known remote domains
- Domains:
- - auth.api.remote.it
- - api.remote.it
- - remote.it
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - auth.api.remote.it
+ - api.remote.it
+ - remote.it
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote.it_network_sigma.yml
+ Description: Detects potential network activity of Remote.it RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote.it_processes_sigma.yml
+ Description: Detects potential processes activity of Remote.it RMM tool
References:
- - https://docs.remote.it/introduction/get-started
+- https://docs.remote.it/introduction/get-started
Acknowledgement: []
diff --git a/yaml/remote_desktop_plus.yaml b/yaml/remote_desktop_plus.yaml
index c7f407b6..d7a4e410 100644
--- a/yaml/remote_desktop_plus.yaml
+++ b/yaml/remote_desktop_plus.yaml
@@ -17,17 +17,21 @@ Details:
Capabilities: []
Vulnerabilities: []
InstallationPaths:
- - rdp.exe
+ - rdp.exe
Artifacts:
Disk: []
EventLog: []
Registry: []
Network:
- - Description: Known remote domains
- Domains:
- - donkz.nl
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - donkz.nl
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_desktop_plus_network_sigma.yml
+ Description: Detects potential network activity of Remote Desktop Plus RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_desktop_plus_processes_sigma.yml
+ Description: Detects potential processes activity of Remote Desktop Plus RMM tool
References:
- - https://www.donkz.nl/
+- https://www.donkz.nl/
Acknowledgement: []
diff --git a/yaml/remote_manipulator_system.yaml b/yaml/remote_manipulator_system.yaml
index f07c40a6..f664331e 100644
--- a/yaml/remote_manipulator_system.yaml
+++ b/yaml/remote_manipulator_system.yaml
@@ -17,19 +17,25 @@ Details:
Capabilities: []
Vulnerabilities: []
InstallationPaths:
- - rfusclient.exe
- - rutserv.exe
+ - rfusclient.exe
+ - rutserv.exe
Artifacts:
Disk: []
EventLog: []
Registry: []
Network:
- - Description: Known remote domains
- Domains:
- - '*.internetid.ru'
- - rmansys.ru
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - '*.internetid.ru'
+ - rmansys.ru
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_manipulator_system_network_sigma.yml
+ Description: Detects potential network activity of Remote Manipulator System RMM
+ tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_manipulator_system_processes_sigma.yml
+ Description: Detects potential processes activity of Remote Manipulator System RMM
+ tool
References:
- - https://rmansys.ru/files/
+- https://rmansys.ru/files/
Acknowledgement: []
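Review bot: `rdp.exe` is the only process indicator here and this commit also lists it for Pilixo (`yaml/pilixo.yaml`), so `remote_desktop_plus_processes_sigma.yml` and the Pilixo rule will co-fire on the same event and neither can attribute it. Remote Desktop Plus is, as I understand it, a front-end around the Microsoft RDP client, so a parent/child relation (`rdp.exe` spawning `mstsc.exe`) or PEMetadata for the binary would discriminate far better than the generic image name — add that rather than relying on `rdp.exe` alone. The apex `donkz.nl` is only contacted for download, not during sessions, so the network rule's Description should call it an installation indicator.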
diff --git a/yaml/remote_utilities.yaml b/yaml/remote_utilities.yaml
index 8462f6f6..c52e1818 100644
--- a/yaml/remote_utilities.yaml
+++ b/yaml/remote_utilities.yaml
@@ -17,18 +17,22 @@ Details:
Capabilities: []
Vulnerabilities: []
InstallationPaths:
- - rutview.exe
- - rutserv.exe
+ - rutview.exe
+ - rutserv.exe
Artifacts:
Disk: []
EventLog: []
Registry: []
Network:
- - Description: Known remote domains
- Domains:
- - '*.internetid.ru'
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - '*.internetid.ru'
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_utilities_network_sigma.yml
+ Description: Detects potential network activity of Remote Utilities RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_utilities_processes_sigma.yml
+ Description: Detects potential processes activity of Remote Utilities RMM tool
References:
- - https://www.remoteutilities.com/download/
+- https://www.remoteutilities.com/download/
Acknowledgement: []
diff --git a/yaml/remotecall.yaml b/yaml/remotecall.yaml
index f029e7f9..655bd19b 100644
--- a/yaml/remotecall.yaml
+++ b/yaml/remotecall.yaml
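Review bot: This entry and `yaml/remote_manipulator_system.yaml` (previous hunk) share `rutserv.exe` and `'*.internetid.ru'`, so the two generated process and network rules are duplicates of each other; Remote Manipulator System (rmansys.ru) is the Russian-market brand of Remote Utilities, so the entries should be merged or one should point at the other. The `internetid.ru` relay is the indicator worth explaining, since Internet-ID sessions traverse NAT without any inbound listener on the host — state that in the network rule instead of the generic `Detects potential network activity`, e.g. `Description: Detects hosts contacting the Remote Utilities Internet-ID relay (*.internetid.ru)`.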
@@ -17,25 +17,29 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - rcengmgru.exe - - rcmgrsvc.exe - - rxstartsupport.exe - - rcstartsupport.exe - - raautoup.exe - - agentu.exe - - remotesupportplayeru.exe + - rcengmgru.exe + - rcmgrsvc.exe + - rxstartsupport.exe + - rcstartsupport.exe + - raautoup.exe + - agentu.exe + - remotesupportplayeru.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - '*.remotecall.com' - - '*.startsupport.com' - - remotecall.com - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - '*.remotecall.com' + - '*.startsupport.com' + - remotecall.com + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotecall_network_sigma.yml + Description: Detects potential network activity of RemoteCall RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotecall_processes_sigma.yml + Description: Detects potential processes activity of RemoteCall RMM tool References: - - https://help.remotecall.com/hc/en-us/articles/360005128814--RemoteCall-Server-List-For-Firewall +- https://help.remotecall.com/hc/en-us/articles/360005128814--RemoteCall-Server-List-For-Firewall Acknowledgement: [] diff --git a/yaml/remotepass.yaml b/yaml/remotepass.yaml index 1b903aac..5a85ee74 100644 --- a/yaml/remotepass.yaml +++ b/yaml/remotepass.yaml 
@@ -17,19 +17,23 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - remotepass-access.exe - - rpaccess.exe - - rpwhostscr.exe + - remotepass-access.exe + - rpaccess.exe + - rpwhostscr.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - remotepass.com - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - remotepass.com + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepass_network_sigma.yml + Description: Detects potential network activity of RemotePass RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepass_processes_sigma.yml + Description: Detects potential processes activity of RemotePass RMM tool References: - - https://www.remotepass.com/rpaccess.html - DOA as of 2024 +- https://www.remotepass.com/rpaccess.html - DOA as of 2024 Acknowledgement: [] diff --git a/yaml/remotepc.yaml b/yaml/remotepc.yaml index d90b87b5..2cef5061 100644 --- a/yaml/remotepc.yaml +++ b/yaml/remotepc.yaml 
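Review bot: The References entry `https://www.remotepass.com/rpaccess.html - DOA as of 2024` mixes a URL and a status remark in one scalar, so any renderer that turns References into links will produce a broken link with the remark glued to it. Keep the list item as the bare URL and move the remark into the Description or a dedicated field, e.g. `Description: ... (vendor download page no longer reachable as of 2024)`. If the tool really is defunct, the newly linked network rule for `remotepass.com` may also deserve a lower-confidence tag, though whether the generator supports that is not visible here.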
@@ -17,29 +17,33 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - C:\Program Files (x86)\RemotePC\* - - Idrive.File-Transfer - - '*\RemotePC\*' - - remotepcservice.exe - - RemotePC.exe - - remotepchost.exe - - idrive.RemotePCAgent - - rpcsuite.exe - - '*\RemotePCService.exe' - - RemotePCService.exe + - C:\Program Files (x86)\RemotePC\* + - Idrive.File-Transfer + - '*\RemotePC\*' + - remotepcservice.exe + - RemotePC.exe + - remotepchost.exe + - idrive.RemotePCAgent + - rpcsuite.exe + - '*\RemotePCService.exe' + - RemotePCService.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - '*.remotedesktop.com' - - '*.remotepc.com' - - www.remotepc.com - - remotepc.com - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - '*.remotedesktop.com' + - '*.remotepc.com' + - www.remotepc.com + - remotepc.com + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepc_network_sigma.yml + Description: Detects potential network activity of RemotePC RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepc_processes_sigma.yml + Description: Detects potential processes activity of RemotePC RMM tool References: - - https://www.remotedesktop.com/helpdesk/faq-firewall +- https://www.remotedesktop.com/helpdesk/faq-firewall Acknowledgement: [] diff --git a/yaml/remoteutilities.yaml b/yaml/remoteutilities.yaml index c81b269f..c1713246 100644 --- a/yaml/remoteutilities.yaml +++ b/yaml/remoteutilities.yaml 
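Review bot: The InstallationPaths list in remotepc.yaml carries `remotepcservice.exe`, `RemotePCService.exe` and `'*\RemotePCService.exe'`, which are one indicator written three ways once Windows' case-insensitive file matching is considered, so the generated process rule will contain redundant selectors. Collapse them to a single entry and pick one casing convention for the whole corpus. `Idrive.File-Transfer` and `idrive.RemotePCAgent` have no extension or path separator and read like product or bundle identifiers rather than installation paths, so it is worth confirming what they are meant to match. The same case-only duplicate appears in showmypc.yaml (L890) with `SMPCSetup.exe` and `smpcsetup.exe`.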
@@ -17,21 +17,25 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - rutview.exe - - '*\Remote Manipulator System - Server\*' - - C:\Program Files\Remote Utilities\* - - '*\Remote Utilities\*' - - rutserv.exe - - '*\rutserv.exe' + - rutview.exe + - '*\Remote Manipulator System - Server\*' + - C:\Program Files\Remote Utilities\* + - '*\Remote Utilities\*' + - rutserv.exe + - '*\rutserv.exe' Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - remoteutilities.com - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - remoteutilities.com + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteutilities_network_sigma.yml + Description: Detects potential network activity of RemoteUtilities RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteutilities_processes_sigma.yml + Description: Detects potential processes activity of RemoteUtilities RMM tool References: [] Acknowledgement: [] diff --git a/yaml/remoteview.yaml b/yaml/remoteview.yaml index 81c65e05..e0a6ac84 100644 --- a/yaml/remoteview.yaml +++ b/yaml/remoteview.yaml 
@@ -17,22 +17,26 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - remoteview.exe - - rv.exe - - rvagent.exe - - rvagtray.exe + - remoteview.exe + - rv.exe + - rvagent.exe + - rvagtray.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - '*content.rview.com' - - '*.rview.com' - - content.rview.com - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - '*content.rview.com' + - '*.rview.com' + - content.rview.com + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteview_network_sigma.yml + Description: Detects potential network activity of RemoteView RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteview_processes_sigma.yml + Description: Detects potential processes activity of RemoteView RMM tool References: - - https://help.rview.com/hc/en-us/articles/360005175994--RemoteView-Server-list-for-firewall +- https://help.rview.com/hc/en-us/articles/360005175994--RemoteView-Server-list-for-firewall Acknowledgement: [] diff --git a/yaml/res_automation_manager.yaml b/yaml/res_automation_manager.yaml index 96cf0a2d..7b8dbbaa 100644 --- a/yaml/res_automation_manager.yaml +++ b/yaml/res_automation_manager.yaml 
@@ -17,21 +17,26 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - wisshell*.exe - - wmc.exe - - wmc_deployer.exe - - wmcsvc.exe + - wisshell*.exe + - wmc.exe + - wmc_deployer.exe + - wmcsvc.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - user_managed - - ivanti.com/ - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - user_managed + - ivanti.com/ + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/res_automation_manager_network_sigma.yml + Description: Detects potential network activity of RES Automation Manager RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/res_automation_manager_processes_sigma.yml + Description: Detects potential processes activity of RES Automation Manager RMM + tool References: - - https://forums.ivanti.com/s/article/INFO-Which-ports-does-Ivanti-Automation-use?language=en_US&ui-force-components-controllers-recordGlobalValueProvider.RecordGvp.getRecord=1 +- https://forums.ivanti.com/s/article/INFO-Which-ports-does-Ivanti-Automation-use?language=en_US&ui-force-components-controllers-recordGlobalValueProvider.RecordGvp.getRecord=1 Acknowledgement: [] diff --git a/yaml/rocketremotedesktop.yaml b/yaml/rocketremotedesktop.yaml index ddc27db2..5973e155 100644 --- a/yaml/rocketremotedesktop.yaml +++ b/yaml/rocketremotedesktop.yaml @@ -17,13 +17,15 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - RDConsole.exe - - RocketRemoteDesktop_Setup.exe + - RDConsole.exe + - RocketRemoteDesktop_Setup.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: [] -Detections: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rocket_remote_desktop_processes_sigma.yml + Description: Detects potential processes activity of Rocket Remote Desktop RMM tool References: [] Acknowledgement: [] 
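Review bot: The Domains list in res_automation_manager.yaml contains `user_managed` and `ivanti.com/`, neither of which is a hostname: the first is a placeholder meaning the server is customer-hosted and the second is a URL fragment with a trailing slash. A network rule generated from this list (the newly linked `res_automation_manager_network_sigma.yml`) will either carry a selector that can never match or match on a malformed value. Represent the self-hosted case with a dedicated field (for example `SelfHosted: true`) instead of a magic string in Domains, and strip the path from `ivanti.com/`. The same problem exists in site24x7.yaml (`site24x7.com/msp`, L892) and sophos-remote_management_system.yaml (the `community.sophos.com/on-premise-endpoint/...` path, L895), and `user_managed` recurs in royal_apps.yaml (L880), rport.yaml (L881), rustdesk.yaml (L883) and simplehelp.yaml (L891).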
diff --git a/yaml/royal_apps.yaml b/yaml/royal_apps.yaml index 162549b4..6d10a386 100644 --- a/yaml/royal_apps.yaml +++ b/yaml/royal_apps.yaml @@ -17,18 +17,22 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - royalserver.exe - - royalts.exe + - royalserver.exe + - royalts.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - user_managed - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - user_managed + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_apps_network_sigma.yml + Description: Detects potential network activity of Royal Apps RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_apps_processes_sigma.yml + Description: Detects potential processes activity of Royal Apps RMM tool References: - - https://www.royalapps.com/ts/win/download +- https://www.royalapps.com/ts/win/download Acknowledgement: [] diff --git a/yaml/royal_server.yaml b/yaml/royal_server.yaml index 1b85bee0..79995608 100644 --- a/yaml/royal_server.yaml +++ b/yaml/royal_server.yaml @@ -22,10 +22,12 @@ Artifacts: EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - royalapps.com - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - royalapps.com + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_server_network_sigma.yml + Description: Detects potential network activity of Royal Server RMM tool References: [] Acknowledgement: [] diff --git a/yaml/royal_ts.yaml b/yaml/royal_ts.yaml index 2afe2d5a..06ae1dad 100644 --- a/yaml/royal_ts.yaml +++ b/yaml/royal_ts.yaml 
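Review bot: royal_apps.yaml's Network artifact lists only the placeholder `user_managed`, yet the hunk links a `royal_apps_network_sigma.yml`, so that rule has no concrete domain to match and should either be omitted or the generator should skip entries whose Domains hold no real hostname. royal_server.yaml (same line) and royal_ts.yaml (L881) both list `royalapps.com` and each gets its own network rule, so two rules will fire on the same domain; the three Royal entries appear to be one vendor and could be consolidated or made to share a single network rule. Whether the generator currently handles the placeholder is inferred from the rule file names alone and should be checked against the rule contents.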
@@ -17,16 +17,20 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - royalts.exe + - royalts.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - royalapps.com - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - royalapps.com + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_ts_network_sigma.yml + Description: Detects potential network activity of Royal TS RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_ts_processes_sigma.yml + Description: Detects potential processes activity of Royal TS RMM tool References: [] Acknowledgement: [] diff --git a/yaml/rport.yaml b/yaml/rport.yaml index 518522fd..ed43c966 100644 --- a/yaml/rport.yaml +++ b/yaml/rport.yaml @@ -17,18 +17,22 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - rport.exe + - rport.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - user_managed - - rport.io - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - user_managed + - rport.io + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rport_network_sigma.yml + Description: Detects potential network activity of RPort RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rport_processes_sigma.yml + Description: Detects potential processes activity of RPort RMM tool References: - - https://kb.rport.io/using-the-remote-access +- https://kb.rport.io/using-the-remote-access Acknowledgement: [] diff --git a/yaml/rudesktop.yaml b/yaml/rudesktop.yaml index 2fe94782..b53d3ec3 100644 --- a/yaml/rudesktop.yaml +++ b/yaml/rudesktop.yaml 
@@ -17,19 +17,23 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - rd.exe - - rudesktop*.exe + - rd.exe + - rudesktop*.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - '*.rudesktop.ru' - - rudesktop.ru - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - '*.rudesktop.ru' + - rudesktop.ru + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rudesktop_network_sigma.yml + Description: Detects potential network activity of RuDesktop RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rudesktop_processes_sigma.yml + Description: Detects potential processes activity of RuDesktop RMM tool References: - - https://rudesktop.ru +- https://rudesktop.ru Acknowledgement: [] diff --git a/yaml/runsmart.yaml b/yaml/runsmart.yaml index 6e256c20..1fd7e926 100644 --- a/yaml/runsmart.yaml +++ b/yaml/runsmart.yaml @@ -22,10 +22,12 @@ Artifacts: EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - runsmart.io - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - runsmart.io + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/runsmart_network_sigma.yml + Description: Detects potential network activity of RunSmart RMM tool References: [] Acknowledgement: [] diff --git a/yaml/rustdesk.yaml b/yaml/rustdesk.yaml index fdb388dc..f140b015 100644 --- a/yaml/rustdesk.yaml +++ b/yaml/rustdesk.yaml 
@@ -17,20 +17,24 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - rustdesk*.exe - - rustdesk.exe + - rustdesk*.exe + - rustdesk.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - rustdesk.com - - user_managed - - web.rustdesk.com - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - rustdesk.com + - user_managed + - web.rustdesk.com + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rustdesk_network_sigma.yml + Description: Detects potential network activity of RustDesk RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rustdesk_processes_sigma.yml + Description: Detects potential processes activity of RustDesk RMM tool References: - - https://rustdesk.com/docs/en/ +- https://rustdesk.com/docs/en/ Acknowledgement: [] diff --git a/yaml/s3_browser.yaml b/yaml/s3_browser.yaml index d0fe676d..73a1cae9 100644 --- a/yaml/s3_browser.yaml +++ b/yaml/s3_browser.yaml @@ -17,14 +17,16 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - C:\Program Files (x86)\S3 Browser\* - - '*\S3 Browser\*' - - '*\s3browser*.exe' + - C:\Program Files (x86)\S3 Browser\* + - '*\S3 Browser\*' + - '*\s3browser*.exe' Artifacts: Disk: [] EventLog: [] Registry: [] Network: [] -Detections: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/s3_browser_processes_sigma.yml + Description: Detects potential processes activity of S3 Browser RMM tool References: [] Acknowledgement: [] diff --git a/yaml/screenconnect.yaml b/yaml/screenconnect.yaml index 8064e8a8..9d27ba16 100644 --- a/yaml/screenconnect.yaml +++ b/yaml/screenconnect.yaml 
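Review bot: The Description templated into s3_browser.yaml's Detections reads `Detects potential processes activity of S3 Browser RMM tool`, but S3 Browser is a storage client rather than a remote-management tool, and the same wording is stamped onto terminal and file-transfer clients in securecrt.yaml (L887), smartty.yaml and solar-putty.yaml (L894). Analysts triaging the alert will be told they are looking at RMM activity when they are not; have the generator use a neutral phrase such as `Detects potential process activity of S3 Browser` or take the category from a per-entry field. The grammar fix `processes activity` → `process activity` applies to every generated description in this diff.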
@@ -1,71 +1,77 @@ Name: ScreenConnect Description: ScreenConnect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. -Author: 'Ali Alwashali, Nasreddine Bencherchali' +Author: Ali Alwashali, Nasreddine Bencherchali Created: '2023-10-01' LastModified: '2024-08-03' Details: - Website: 'https://www.connectwise.com' + Website: https://www.connectwise.com PEMetadata: - - Filename: '' - OriginalFileName: '' - Description: '' + - Filename: '' + OriginalFileName: '' + Description: '' Privileges: '' - Free: '14-Days Free Trial' + Free: 14-Days Free Trial Verification: '' SupportedOS: - - Android - - IOS - - Linux - - Mac - - Windows + - Android + - IOS + - Linux + - Mac + - Windows Capabilities: - - Command Line Support - - File Transfer - - Install Windows updates - - Receive notification when user performs a predefined event - - Remote Command Line - - Remote Control - - Sound Capture - - Start / Stop services - - View event logs + - Command Line Support + - File Transfer + - Install Windows updates + - Receive notification when user performs a predefined event + - Remote Command Line + - Remote Control + - Sound Capture + - Start / Stop services + - View event logs Vulnerabilities: [] InstallationPaths: - - 'C:\Program Files (x86)\ScreenConnect Client (Random)\ScreenConnect.ClientService.exe' - - 'Remote Workforce Client.exe' - - '*\*\ScreenConnect.ClientService.exe' - - 'C:\Program Files (x86)\ScreenConnect Client ()\*' - - '*\ScreenConnect Client*\*' - - '*\*\ScreenConnect.WindowsClient.exe' - - 'screenconnect*.exe' - - 'screenconnect.windowsclient.exe' - - 'Remote Workforce Client.exe' - - 'screenconnect*.exe' - - 'ConnectWiseControl*.exe' - - 'connectwise*.exe' - - 'screenconnect.windowsclient.exe' - - 'screenconnect.clientservice.exe' + - C:\Program Files (x86)\ScreenConnect Client (Random)\ScreenConnect.ClientService.exe + - Remote Workforce Client.exe + - '*\*\ScreenConnect.ClientService.exe' + - C:\Program 
Files (x86)\ScreenConnect Client ()\* + - '*\ScreenConnect Client*\*' + - '*\*\ScreenConnect.WindowsClient.exe' + - screenconnect*.exe + - screenconnect.windowsclient.exe + - Remote Workforce Client.exe + - screenconnect*.exe + - ConnectWiseControl*.exe + - connectwise*.exe + - screenconnect.windowsclient.exe + - screenconnect.clientservice.exe Artifacts: Disk: - - File: 'C:\Program Files*\ScreenConnect\App_Data\Session.db' - Description: 'ScreenConnect session database' - OS: Windows - - File: 'C:\Program Files*\ScreenConnect\App_Data\User.xml' - Description: 'ScreenConnect user configuration' - OS: Windows - - File: 'C:\ProgramData\ScreenConnect Client*\user.config' - Description: 'ScreenConnect client user configuration' - OS: Windows + - File: C:\Program Files*\ScreenConnect\App_Data\Session.db + Description: ScreenConnect session database + OS: Windows + - File: C:\Program Files*\ScreenConnect\App_Data\User.xml + Description: ScreenConnect user configuration + OS: Windows + - File: C:\ProgramData\ScreenConnect Client*\user.config + Description: ScreenConnect client user configuration + OS: Windows EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - control.connectwise.com - - '*.connectwise.com' - - '*.screenconnect.com' - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - control.connectwise.com + - '*.connectwise.com' + - '*.screenconnect.com' + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_network_sigma.yml + Description: Detects potential network activity of ScreenConnect RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_files_sigma.yml + Description: Detects potential files activity of ScreenConnect RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_processes_sigma.yml + Description: Detects potential processes activity of 
ScreenConnect RMM tool References: - - https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours/ +- https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours/ Acknowledgement: [] diff --git a/yaml/screenmeet.yaml b/yaml/screenmeet.yaml index 30c199d4..e99f804e 100644 --- a/yaml/screenmeet.yaml +++ b/yaml/screenmeet.yaml @@ -17,19 +17,23 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - ScreenMeetSupport.exe - - ScreenMeet.Support.exe + - ScreenMeetSupport.exe + - ScreenMeet.Support.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - '*.screenmeet.com' - - '*.scrn.mt' - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - '*.screenmeet.com' + - '*.scrn.mt' + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenmeet_network_sigma.yml + Description: Detects potential network activity of ScreenMeet RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenmeet_processes_sigma.yml + Description: Detects potential processes activity of ScreenMeet RMM tool References: - - https://docs.screenmeet.com/docs/firewall-white-list +- https://docs.screenmeet.com/docs/firewall-white-list Acknowledgement: [] diff --git a/yaml/securecrt.yaml b/yaml/securecrt.yaml index b67b0a7d..838f603c 100644 --- a/yaml/securecrt.yaml +++ b/yaml/securecrt.yaml 
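Review bot: The re-indented InstallationPaths in screenconnect.yaml keep three exact duplicates — `Remote Workforce Client.exe`, `screenconnect*.exe` and `screenconnect.windowsclient.exe` each appear twice — and `screenconnect.clientservice.exe` is already covered by `'*\*\ScreenConnect.ClientService.exe'`, so the generated process rule will carry redundant selectors. The PEMetadata entry is a single mapping whose Filename, OriginalFileName and Description are all `''`; if the page renderer iterates every key of that mapping it will emit three empty bullets, so either fill the fields or drop the entry. `C:\Program Files (x86)\ScreenConnect Client ()\*` looks like a template whose parenthesised token was lost and is worth confirming against a real install. The enclosing hunk begins on L884.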
@@ -17,14 +17,16 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - C:\*\SecureCRT.EXE - - '*\SecureCRT.EXE' - - '*\VanDyke Software\ClientPack\*' + - C:\*\SecureCRT.EXE + - '*\SecureCRT.EXE' + - '*\VanDyke Software\ClientPack\*' Artifacts: Disk: [] EventLog: [] Registry: [] Network: [] -Detections: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/securecrt_processes_sigma.yml + Description: Detects potential processes activity of SecureCRT RMM tool References: [] Acknowledgement: [] diff --git a/yaml/seetrol.yaml b/yaml/seetrol.yaml index 84da47da..18f3fc95 100644 --- a/yaml/seetrol.yaml +++ b/yaml/seetrol.yaml @@ -17,21 +17,25 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - seetrolcenter.exe - - seetrolclient.exe - - seetrolmyservice.exe - - seetrolremote.exe - - seetrolsetting.exe + - seetrolcenter.exe + - seetrolclient.exe + - seetrolmyservice.exe + - seetrolremote.exe + - seetrolsetting.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - seetrol.co.kr - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - seetrol.co.kr + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/seetrol_network_sigma.yml + Description: Detects potential network activity of Seetrol RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/seetrol_processes_sigma.yml + Description: Detects potential processes activity of Seetrol RMM tool References: - - http://www.seetrol.com/en/features/features3.php +- http://www.seetrol.com/en/features/features3.php Acknowledgement: [] diff --git a/yaml/senso.cloud.yaml b/yaml/senso.cloud.yaml index dc7c3865..9b22c0a4 100644 --- a/yaml/senso.cloud.yaml +++ b/yaml/senso.cloud.yaml 
@@ -17,20 +17,24 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - SensoClient.exe - - SensoService.exe - - aadg.exe + - SensoClient.exe + - SensoService.exe + - aadg.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - '*.senso.cloud' - - senso.cloud - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - '*.senso.cloud' + - senso.cloud + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/senso.cloud_network_sigma.yml + Description: Detects potential network activity of Senso.cloud RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/senso.cloud_processes_sigma.yml + Description: Detects potential processes activity of Senso.cloud RMM tool References: - - https://support.senso.cloud/support/solutions/articles/79000116305-firewall-and-content-filter-configuration +- https://support.senso.cloud/support/solutions/articles/79000116305-firewall-and-content-filter-configuration Acknowledgement: [] diff --git a/yaml/servereye.yaml b/yaml/servereye.yaml index 3a3f0972..fbbb0b16 100644 --- a/yaml/servereye.yaml +++ b/yaml/servereye.yaml 
@@ -17,18 +17,22 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - servereye*.exe - - ServiceProxyLocalSys.exe + - servereye*.exe + - ServiceProxyLocalSys.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - '*.server-eye.de' - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - '*.server-eye.de' + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/servereye_network_sigma.yml + Description: Detects potential network activity of ServerEye RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/servereye_processes_sigma.yml + Description: Detects potential processes activity of ServerEye RMM tool References: - - https://www.servereye.de/wp-content/uploads/Anleitung-zur-Erstinstallation_aktuell.pdf +- https://www.servereye.de/wp-content/uploads/Anleitung-zur-Erstinstallation_aktuell.pdf Acknowledgement: [] diff --git a/yaml/showmypc.yaml b/yaml/showmypc.yaml index 03a607fb..d82f1234 100644 --- a/yaml/showmypc.yaml +++ b/yaml/showmypc.yaml 
@@ -17,21 +17,25 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - SMPCSetup.exe - - showmypc*.exe - - showmypc.exe - - smpcsetup.exe + - SMPCSetup.exe + - showmypc*.exe + - showmypc.exe + - smpcsetup.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - '*.showmypc.com' - - showmypc.com - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - '*.showmypc.com' + - showmypc.com + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/showmypc_network_sigma.yml + Description: Detects potential network activity of ShowMyPC RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/showmypc_processes_sigma.yml + Description: Detects potential processes activity of ShowMyPC RMM tool References: - - https://showmypc.com/service/faq/ShowMyPCSecurityOverview1.pdf +- https://showmypc.com/service/faq/ShowMyPCSecurityOverview1.pdf Acknowledgement: [] diff --git a/yaml/simplehelp.yaml b/yaml/simplehelp.yaml index de6b144a..d485f850 100644 --- a/yaml/simplehelp.yaml +++ b/yaml/simplehelp.yaml 
@@ -17,22 +17,26 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - simplehelpcustomer.exe - - simpleservice.exe - - simplegatewayservice.exe - - remote access.exe - - windowslauncher.exe + - simplehelpcustomer.exe + - simpleservice.exe + - simplegatewayservice.exe + - remote access.exe + - windowslauncher.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - user_managed - - simple-help.com - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - user_managed + - simple-help.com + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/simplehelp_network_sigma.yml + Description: Detects potential network activity of SimpleHelp RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/simplehelp_processes_sigma.yml + Description: Detects potential processes activity of SimpleHelp RMM tool References: - - https://simple-help.com/remote-support +- https://simple-help.com/remote-support Acknowledgement: [] diff --git a/yaml/site24x7.yaml b/yaml/site24x7.yaml index 1e6f0246..49f67596 100644 --- a/yaml/site24x7.yaml +++ b/yaml/site24x7.yaml 
@@ -17,25 +17,29 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - MEAgentHelper.exe - - MonitoringAgent.exe - - Site24x7WindowsAgentTrayIcon.exe - - Site24x7PluginAgent.exe + - MEAgentHelper.exe + - MonitoringAgent.exe + - Site24x7WindowsAgentTrayIcon.exe + - Site24x7PluginAgent.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - plus*.site24x7.com - - plus*.site24x7.eu - - plus*.site24x7.in - - plus*.site24x7.cn - - plus*.site24x7.net.au - - site24x7.com/msp - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - plus*.site24x7.com + - plus*.site24x7.eu + - plus*.site24x7.in + - plus*.site24x7.cn + - plus*.site24x7.net.au + - site24x7.com/msp + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/site24x7_network_sigma.yml + Description: Detects potential network activity of Site24x7 RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/site24x7_processes_sigma.yml + Description: Detects potential processes activity of Site24x7 RMM tool References: - - https://support.site24x7.com/portal/en/kb/articles/which-ports-do-i-need-to-allow-access-in-my-firewall-to-use-site24x7-agent +- https://support.site24x7.com/portal/en/kb/articles/which-ports-do-i-need-to-allow-access-in-my-firewall-to-use-site24x7-agent Acknowledgement: [] diff --git a/yaml/skyfex.yaml b/yaml/skyfex.yaml index 3bd64b86..fa3ef5eb 100644 --- a/yaml/skyfex.yaml +++ b/yaml/skyfex.yaml 
@@ -17,20 +17,24 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - Deskroll.exe - - DeskRollUA.exe + - Deskroll.exe + - DeskRollUA.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - skyfex.com - - deskroll.com - - '*.deskroll.com' - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - skyfex.com + - deskroll.com + - '*.deskroll.com' + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/skyfex_network_sigma.yml + Description: Detects potential network activity of SkyFex RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/skyfex_processes_sigma.yml + Description: Detects potential processes activity of SkyFex RMM tool References: - - https://skyfex.com/ +- https://skyfex.com/ Acknowledgement: [] diff --git a/yaml/smartcode_web_vnc.yaml b/yaml/smartcode_web_vnc.yaml index 6aa9dd53..4178266f 100644 --- a/yaml/smartcode_web_vnc.yaml +++ b/yaml/smartcode_web_vnc.yaml @@ -17,8 +17,8 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - C:\Program Files\TightVNC\* - - '*\TightVNC\*' + - C:\Program Files\TightVNC\* + - '*\TightVNC\*' Artifacts: Disk: [] EventLog: [] diff --git a/yaml/smartftp.yaml b/yaml/smartftp.yaml index 7e7f052a..a2a5bb0c 100644 --- a/yaml/smartftp.yaml +++ b/yaml/smartftp.yaml @@ -17,9 +17,9 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - C:\Program Files (x86)\SmartFTP Client\en-US\ - - '*\SmartFTP Client\*' - - '*\SfShellTools.dll.mui' + - C:\Program Files (x86)\SmartFTP Client\en-US\ + - '*\SmartFTP Client\*' + - '*\SfShellTools.dll.mui' Artifacts: Disk: [] EventLog: [] diff --git a/yaml/smartty.yaml b/yaml/smartty.yaml index 2dff1cdc..292e81bc 100644 --- a/yaml/smartty.yaml +++ b/yaml/smartty.yaml 
@@ -17,14 +17,16 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - c:\Program Files (x86)\Sysprogs\SmarTTY\* - - '*\Sysprogs\SmarTTY\*' - - '*\SmarTTY.exe' + - c:\Program Files (x86)\Sysprogs\SmarTTY\* + - '*\Sysprogs\SmarTTY\*' + - '*\SmarTTY.exe' Artifacts: Disk: [] EventLog: [] Registry: [] Network: [] -Detections: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/smartty_processes_sigma.yml + Description: Detects potential processes activity of SmarTTY RMM tool References: [] Acknowledgement: [] diff --git a/yaml/solar-putty.yaml b/yaml/solar-putty.yaml index 7153ee7e..225a6f84 100644 --- a/yaml/solar-putty.yaml +++ b/yaml/solar-putty.yaml @@ -17,14 +17,16 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - C:\Program Files\Solar-Putty-v4\* - - '*\Solar-Putty-v4\*' - - '*\Solar-PuTTY.exe' + - C:\Program Files\Solar-Putty-v4\* + - '*\Solar-Putty-v4\*' + - '*\Solar-PuTTY.exe' Artifacts: Disk: [] EventLog: [] Registry: [] Network: [] -Detections: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/solar-putty_processes_sigma.yml + Description: Detects potential processes activity of Solar-PuTTY RMM tool References: [] Acknowledgement: [] diff --git a/yaml/sophos-remote_management_system.yaml b/yaml/sophos-remote_management_system.yaml index d93f4fca..e9e3aef0 100644 --- a/yaml/sophos-remote_management_system.yaml +++ b/yaml/sophos-remote_management_system.yaml 
@@ -17,22 +17,28 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - clientmrinit.exe - - mgntsvc.exe - - routernt.exe + - clientmrinit.exe + - mgntsvc.exe + - routernt.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - '*.sophos.com' - - '*.sophosupd.com' - - '*.sophosupd.net' - - community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - '*.sophos.com' + - '*.sophosupd.com' + - '*.sophosupd.net' + - community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sophos-remote_management_system_network_sigma.yml + Description: Detects potential network activity of Sophos-Remote Management System + RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sophos-remote_management_system_processes_sigma.yml + Description: Detects potential processes activity of Sophos-Remote Management System + RMM tool References: - - community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system +- community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system Acknowledgement: [] diff --git a/yaml/sorillus.yaml b/yaml/sorillus.yaml index 1f86e935..5eb8646b 100644 --- a/yaml/sorillus.yaml +++ b/yaml/sorillus.yaml 
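Review bot: `community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system` is a documentation URL path, not a hostname, yet it sits under `Network.Domains` and is carried onto the new side unchanged; if the `sophos-remote_management_system_network_sigma.yml` rule linked in this hunk is generated from that list, the entry can never match traffic and only adds noise. It is already listed under `References`, so it should be dropped from `Domains` and that list kept to bare hostnames and wildcards such as `'*.sophos.com'`. The same problem exists in the taniumdeploy hunk (`tanium.com/products/tanium-deploy`) and, in a different form, in the synergy hunk, where the only domain is the placeholder `user_managed`, which is not a matchable value either.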
@@ -17,19 +17,23 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - Sorillus-Launcher*.exe - - Sorillus Launcher.exe + - Sorillus-Launcher*.exe + - Sorillus Launcher.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - '*.sorillus.com' - - sorillus.com - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - '*.sorillus.com' + - sorillus.com + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sorillus_network_sigma.yml + Description: Detects potential network activity of Sorillus RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sorillus_processes_sigma.yml + Description: Detects potential processes activity of Sorillus RMM tool References: - - https://sorillus.com/ +- https://sorillus.com/ Acknowledgement: [] diff --git a/yaml/splashtop.yaml b/yaml/splashtop.yaml index a407ff3f..2bcfebe2 100644 --- a/yaml/splashtop.yaml +++ b/yaml/splashtop.yaml @@ -1,7 +1,7 @@ Name: Splashtop Description: Splashtop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. -Author: 'Nasreddine Bencherchali' +Author: Nasreddine Bencherchali Created: '' LastModified: '' Details: 
@@ -17,109 +17,117 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - C:\Program Files (x86)\Splashtop\* - - '*\Splashtop\Splashtop Remote\Client for RMM\*' - - strwinclt.exe + - C:\Program Files (x86)\Splashtop\* + - '*\Splashtop\Splashtop Remote\Client for RMM\*' + - strwinclt.exe Artifacts: Disk: - - File: 'C:\windows\System32\winevt\Logs\Splashtop-Splashtop Streamer-Status%4Operational.evtx' - Description: N/A - OS: Windows - - File: 'C:\windows\System32\winevt\Logs\Splashtop-Splashtop Streamer-Remote Session%4Operational.evtx' - Description: N/A - OS: Windows - - File: '%PROGRAMDATA%\Splashtop\Temp\log\FTCLog.txt' - Description: N/A - OS: Windows - - File: 'C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\log\agent_log.txt' - Description: N/A - OS: Windows - - File: 'C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\log\SPLog.txt' - Description: N/A - OS: Windows - - File: 'C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\log\svcinfo.txt' - Description: N/A - OS: Windows - - File: 'C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\log\sysinfo.txt' - Description: N/A - OS: Windows - - File: 'C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe' - Description: 'Splashtop Remote Service' - OS: Windows - - File: 'C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAgent.exe' - Description: 'SplashTop Remote Agent' - OS: Windows - - File: 'C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUAgent.exe' - Description: 'Splashtop Updater' - OS: Windows - - File: 'C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe' - Description: N/A - OS: Windows - - File: 'C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exe' - Description: N/A - OS: Windows - - File: 'C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\db\SRAgent.sqlite3' - Description: N/A - OS: Windows + - File: C:\windows\System32\winevt\Logs\Splashtop-Splashtop 
Streamer-Status%4Operational.evtx + Description: N/A + OS: Windows + - File: C:\windows\System32\winevt\Logs\Splashtop-Splashtop Streamer-Remote Session%4Operational.evtx + Description: N/A + OS: Windows + - File: '%PROGRAMDATA%\Splashtop\Temp\log\FTCLog.txt' + Description: N/A + OS: Windows + - File: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\log\agent_log.txt + Description: N/A + OS: Windows + - File: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\log\SPLog.txt + Description: N/A + OS: Windows + - File: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\log\svcinfo.txt + Description: N/A + OS: Windows + - File: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\log\sysinfo.txt + Description: N/A + OS: Windows + - File: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe + Description: Splashtop Remote Service + OS: Windows + - File: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAgent.exe + Description: SplashTop Remote Agent + OS: Windows + - File: C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUAgent.exe + Description: Splashtop Updater + OS: Windows + - File: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe + Description: N/A + OS: Windows + - File: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exe + Description: N/A + OS: Windows + - File: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\db\SRAgent.sqlite3 + Description: N/A + OS: Windows EventLog: - - EventID: 7045 - ProviderName: Service Control Manager - LogFile: System.evtx - ServiceName: Splashtop Software Updater Service - ImagePath: '"C:\\Program Files (x86)\\Splashtop\\Splashtop Software Updater\\SSUService.exe"' - Description: Service installation event as result of Splashtop Software Updater - Service installation. 
- - EventID: 7045 - ProviderName: Service Control Manager - LogFile: System.evtx - ServiceName: Splashtop® Remote Service - ImagePath: '"C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRService.exe"' - Description: Service installation event as result of Splashtop Remote Service - installation. - - EventID: 7045 - ProviderName: Service Control Manager - LogFile: System.evtx - ServiceName: SplashtopRemoteService - ImagePath: '"C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRService.exe"' - Description: Service installation event as result of Splashtop Remote Service - installation. + - EventID: 7045 + ProviderName: Service Control Manager + LogFile: System.evtx + ServiceName: Splashtop Software Updater Service + ImagePath: '"C:\\Program Files (x86)\\Splashtop\\Splashtop Software Updater\\SSUService.exe"' + Description: Service installation event as result of Splashtop Software Updater + Service installation. + - EventID: 7045 + ProviderName: Service Control Manager + LogFile: System.evtx + ServiceName: "Splashtop\xAE Remote Service" + ImagePath: '"C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRService.exe"' + Description: Service installation event as result of Splashtop Remote Service + installation. + - EventID: 7045 + ProviderName: Service Control Manager + LogFile: System.evtx + ServiceName: SplashtopRemoteService + ImagePath: '"C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRService.exe"' + Description: Service installation event as result of Splashtop Remote Service + installation. Registry: - - Path: 'KLM\SOFTWARE\WOW6432Node\Splashtop Inc.\*' - Description: 'Splashtop Inc. 
registry key' - - Path: 'HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Splashtop - Software Updater' - Description: 'Splashtop Software Updater uninstall key' - - Path: 'HKLM\SYSTEM\CurrentControlSet\Services\SplashtopRemoteService' - Description: 'Splashtop Remote Service registry key' - - Path: 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Splashtop-Splashtop - Streamer-Remote Session/Operational' - Description: 'Splashtop Streamer Remote Session event log channel' - - Path: 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Splashtop-Splashtop - Streamer-Status/Operational' - Description: 'Splashtop Streamer Status event log channel' - - Path: 'HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Splashtop - Software Updater\InstallRefCount' - Description: 'Splashtop Software Updater install reference count' - - Path: 'HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SplashtopRemoteService' - Description: 'Splashtop Remote Service safe boot configuration' - - Path: 'HKU\.DEFAULT\Software\Splashtop Inc.\*' - Description: 'Default user Splashtop Inc. registry key' - - Path: 'HKU\SID\Software\Splashtop Inc.\*' - Description: 'User-specific Splashtop Inc. registry key' - - Path: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\Splashtop - PDF Remote Printer' - Description: 'Splashtop PDF Remote Printer configuration' - - Path: 'HKLM\SOFTWARE\WOW6432Node\Splashtop Inc.\Splashtop Remote Server\ClientInfo\*' - Description: 'Splashtop Remote Server client information' + - Path: KLM\SOFTWARE\WOW6432Node\Splashtop Inc.\* + Description: Splashtop Inc. 
registry key + - Path: HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Splashtop + Software Updater + Description: Splashtop Software Updater uninstall key + - Path: HKLM\SYSTEM\CurrentControlSet\Services\SplashtopRemoteService + Description: Splashtop Remote Service registry key + - Path: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Splashtop-Splashtop + Streamer-Remote Session/Operational + Description: Splashtop Streamer Remote Session event log channel + - Path: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Splashtop-Splashtop + Streamer-Status/Operational + Description: Splashtop Streamer Status event log channel + - Path: HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Splashtop + Software Updater\InstallRefCount + Description: Splashtop Software Updater install reference count + - Path: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SplashtopRemoteService + Description: Splashtop Remote Service safe boot configuration + - Path: HKU\.DEFAULT\Software\Splashtop Inc.\* + Description: Default user Splashtop Inc. registry key + - Path: HKU\SID\Software\Splashtop Inc.\* + Description: User-specific Splashtop Inc. 
registry key + - Path: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\Splashtop + PDF Remote Printer + Description: Splashtop PDF Remote Printer configuration + - Path: HKLM\SOFTWARE\WOW6432Node\Splashtop Inc.\Splashtop Remote Server\ClientInfo\* + Description: Splashtop Remote Server client information Network: - - Description: N/A - Domains: - - '*.splashtop.com' - Ports: - - N/A -Detections: [] + - Description: N/A + Domains: + - '*.splashtop.com' + Ports: + - N/A +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_registry_sigma.yml + Description: Detects potential registry activity of Splashtop RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_network_sigma.yml + Description: Detects potential network activity of Splashtop RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_files_sigma.yml + Description: Detects potential files activity of Splashtop RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_processes_sigma.yml + Description: Detects potential processes activity of Splashtop RMM tool References: - - https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html +- https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html Acknowledgement: - - Person: "Théo Letailleur" - Handle: in/theosyn +- Person: "Th\xE9o Letailleur" + Handle: in/theosyn diff --git a/yaml/splashtop_remote.yaml b/yaml/splashtop_remote.yaml index aa15eba9..971c0d68 100644 --- a/yaml/splashtop_remote.yaml +++ b/yaml/splashtop_remote.yaml 
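Review bot: The first Registry artifact on the new side still reads `Path: KLM\SOFTWARE\WOW6432Node\Splashtop Inc.\*`; the hive prefix is missing a letter and it should be `Path: HKLM\SOFTWARE\WOW6432Node\Splashtop Inc.\*`, otherwise a rule derived from it (this hunk adds `splashtop_registry_sigma.yml`) would never match the key. Separately, the re-serialization turned `Splashtop® Remote Service` and `Théo Letailleur` into `"Splashtop\xAE Remote Service"` and `"Th\xE9o Letailleur"`; the values are equivalent YAML, but if PyYAML is the dumper, `allow_unicode=True` would keep service names readable and greppable in the source. `Ports:` holding `- N/A` is also a non-numeric placeholder in a field that feeds network detection; an empty list `Ports: []`, as the other entries use, states "unknown" without producing a bogus value.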
@@ -17,26 +17,30 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - strwinclt.exe - - Splashtop_Streamer_Windows*.exe - - SplashtopSOS.exe - - sragent.exe - - srmanager.exe - - srserver.exe - - srservice.exe + - strwinclt.exe + - Splashtop_Streamer_Windows*.exe + - SplashtopSOS.exe + - sragent.exe + - srmanager.exe + - srserver.exe + - srservice.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - splashtop.com - - '*.api.splashtop.com' - - '*.relay.splashtop.com' - - '*.api.splashtop.eu' - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - splashtop.com + - '*.api.splashtop.com' + - '*.relay.splashtop.com' + - '*.api.splashtop.eu' + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_remote_network_sigma.yml + Description: Detects potential network activity of Splashtop Remote RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_remote_processes_sigma.yml + Description: Detects potential processes activity of Splashtop Remote RMM tool References: - - https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services +- https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services Acknowledgement: [] diff --git a/yaml/splashtopbeta.yaml b/yaml/splashtopbeta.yaml index 273c1724..6e700d82 100644 --- a/yaml/splashtopbeta.yaml +++ b/yaml/splashtopbeta.yaml 
@@ -17,19 +17,23 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - SRServer.exe - - SplashtopSOS.exe - - Splashtop_Streamer_Windows*.exe - - SRManager.exe + - SRServer.exe + - SplashtopSOS.exe + - Splashtop_Streamer_Windows*.exe + - SRManager.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - splashtop.com - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - splashtop.com + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop__beta__network_sigma.yml + Description: Detects potential network activity of Splashtop (Beta) RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop__beta__processes_sigma.yml + Description: Detects potential processes activity of Splashtop (Beta) RMM tool References: [] Acknowledgement: [] diff --git a/yaml/spyanywhere.yaml b/yaml/spyanywhere.yaml index b3140e4d..195e8c4c 100644 --- a/yaml/spyanywhere.yaml +++ b/yaml/spyanywhere.yaml @@ -17,18 +17,22 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - sysdiag.exe + - sysdiag.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - '*.spytech-web.com' - - spyanywhere.com - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - '*.spytech-web.com' + - spyanywhere.com + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/spyanywhere_network_sigma.yml + Description: Detects potential network activity of SpyAnywhere RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/spyanywhere_processes_sigma.yml + Description: Detects potential processes activity of SpyAnywhere RMM tool References: - - https://www.spyanywhere.com/support.shtml +- https://www.spyanywhere.com/support.shtml Acknowledgement: [] 
diff --git a/yaml/sunlogin.yaml b/yaml/sunlogin.yaml index dcb9d165..2c06daf4 100644 --- a/yaml/sunlogin.yaml +++ b/yaml/sunlogin.yaml @@ -17,20 +17,24 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - OrayRemoteShell.exe - - OrayRemoteService.exe - - sunlogin*.exe + - OrayRemoteShell.exe + - OrayRemoteService.exe + - sunlogin*.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - sunlogin.oray.com - - client.oray.net - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - sunlogin.oray.com + - client.oray.net + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sunlogin_network_sigma.yml + Description: Detects potential network activity of SunLogin RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sunlogin_processes_sigma.yml + Description: Detects potential processes activity of SunLogin RMM tool References: - - https://sunlogin.oray.com/en/embed/software.html +- https://sunlogin.oray.com/en/embed/software.html Acknowledgement: [] diff --git a/yaml/superops.yaml b/yaml/superops.yaml index c39fc44c..ebb907e2 100644 --- a/yaml/superops.yaml +++ b/yaml/superops.yaml 
@@ -17,22 +17,26 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - superopsticket.exe - - superops.exe + - superopsticket.exe + - superops.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - '*.superopsbeta.com' - - superops.ai - - serv.superopsalpha.com - - '*.superops.ai' - - '*.superopsalpha.com' - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - '*.superopsbeta.com' + - superops.ai + - serv.superopsalpha.com + - '*.superops.ai' + - '*.superopsalpha.com' + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superops_network_sigma.yml + Description: Detects potential network activity of SuperOps RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superops_processes_sigma.yml + Description: Detects potential processes activity of SuperOps RMM tool References: - - https://support.superops.com/en/articles/6632028-how-to-download-and-deploy-the-agent +- https://support.superops.com/en/articles/6632028-how-to-download-and-deploy-the-agent Acknowledgement: [] diff --git a/yaml/superputty.yaml b/yaml/superputty.yaml index 1d8a50da..b6bbfe43 100644 --- a/yaml/superputty.yaml +++ b/yaml/superputty.yaml @@ -17,15 +17,17 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - C:\Downloads\SuperPuTTY\* - - '*Downloads\SuperPuTTY\*' - - '*\superputty.exe' - - '*\SuperPuTTY\*' + - C:\Downloads\SuperPuTTY\* + - '*Downloads\SuperPuTTY\*' + - '*\superputty.exe' + - '*\SuperPuTTY\*' Artifacts: Disk: [] EventLog: [] Registry: [] Network: [] -Detections: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superputty_processes_sigma.yml + Description: Detects potential processes activity of SuperPuTTY RMM tool References: [] Acknowledgement: [] diff --git a/yaml/supremo.yaml b/yaml/supremo.yaml index e376b853..49db5e1f 100644 
--- a/yaml/supremo.yaml +++ b/yaml/supremo.yaml @@ -17,22 +17,26 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - supremo.exe - - supremoservice.exe - - supremosystem.exe - - supremohelper.exe + - supremo.exe + - supremoservice.exe + - supremosystem.exe + - supremohelper.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - supremocontrol.com - - '*.supremocontrol.com' - - '* .nanosystems.it' - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - supremocontrol.com + - '*.supremocontrol.com' + - '* .nanosystems.it' + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/supremo_network_sigma.yml + Description: Detects potential network activity of Supremo RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/supremo_processes_sigma.yml + Description: Detects potential processes activity of Supremo RMM tool References: - - https://www.supremocontrol.com/frequently-asked-questions/ +- https://www.supremocontrol.com/frequently-asked-questions/ Acknowledgement: [] diff --git a/yaml/syncro.yaml b/yaml/syncro.yaml index 5ce2e389..e5ee5793 100644 --- a/yaml/syncro.yaml +++ b/yaml/syncro.yaml 
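Review bot: `'* .nanosystems.it'` keeps a stray space between the wildcard and the domain on the new side; it should be `'*.nanosystems.it'`, since as written any rule built from this list carries a pattern that cannot match a hostname. The syncro hunk has the same class of problem with the trailing space in `'app.kabuto.io '` (the quotes exist only to preserve that space), which should be `app.kabuto.io`. Because this commit re-serialized every file anyway, a strip-and-validate step on `Domains` values in the generator would catch both cases.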
@@ -17,36 +17,40 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - Syncro.Installer.exe - - Kabuto.App.Runner.exe - - Syncro.Overmind.Service.exe - - Kabuto.Installer.exe - - KabutoSetup.exe - - Syncro.Service.exe - - Kabuto.Service.Runner.exe - - Syncro.App.Runner.exe - - SyncroLive.Service.exe - - SyncroLive.Agent.exe + - Syncro.Installer.exe + - Kabuto.App.Runner.exe + - Syncro.Overmind.Service.exe + - Kabuto.Installer.exe + - KabutoSetup.exe + - Syncro.Service.exe + - Kabuto.Service.Runner.exe + - Syncro.App.Runner.exe + - SyncroLive.Service.exe + - SyncroLive.Agent.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - kabuto.io - - '*.syncromsp.com' - - '*.syncroapi.com' - - syncromsp.com - - servably.com - - ld.aurelius.host - - 'app.kabuto.io ' - - '*.kabutoservices.com' - - repairshopr.com - - kabutoservices.com - - attachments.servably.com - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - kabuto.io + - '*.syncromsp.com' + - '*.syncroapi.com' + - syncromsp.com + - servably.com + - ld.aurelius.host + - 'app.kabuto.io ' + - '*.kabutoservices.com' + - repairshopr.com + - kabutoservices.com + - attachments.servably.com + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncro_network_sigma.yml + Description: Detects potential network activity of Syncro RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncro_processes_sigma.yml + Description: Detects potential processes activity of Syncro RMM tool References: - - https://community.syncromsp.com/t/syncro-exceptions-and-allowlists/2004 +- https://community.syncromsp.com/t/syncro-exceptions-and-allowlists/2004 Acknowledgement: [] diff --git a/yaml/syncthing.yaml b/yaml/syncthing.yaml index 698b9e4c..8a5c21c6 100644 --- a/yaml/syncthing.yaml +++ b/yaml/syncthing.yaml 
@@ -17,14 +17,16 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - C:\Users\*\AppData\Roaming\SyncTrayzor\* - - '*Users\*\AppData\Roaming\SyncTrayzor\*' - - '*\Syncthing.exe' + - C:\Users\*\AppData\Roaming\SyncTrayzor\* + - '*Users\*\AppData\Roaming\SyncTrayzor\*' + - '*\Syncthing.exe' Artifacts: Disk: [] EventLog: [] Registry: [] Network: [] -Detections: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncthing_processes_sigma.yml + Description: Detects potential processes activity of Syncthing RMM tool References: [] Acknowledgement: [] diff --git a/yaml/synergy.yaml b/yaml/synergy.yaml index 7e3181f5..e7b15077 100644 --- a/yaml/synergy.yaml +++ b/yaml/synergy.yaml @@ -22,11 +22,13 @@ Artifacts: EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - user_managed - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - user_managed + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/synergy_network_sigma.yml + Description: Detects potential network activity of Synergy RMM tool References: - - https://symless.com/synergy +- https://symless.com/synergy Acknowledgement: [] diff --git a/yaml/sysaid.yaml b/yaml/sysaid.yaml index 3ea9211b..24b54b7f 100644 --- a/yaml/sysaid.yaml +++ b/yaml/sysaid.yaml @@ -17,15 +17,17 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - C:\Program Files\SysAidServer\* - - '*\SysAidServer\*' - - '*\SysAid\*' - - '*\IliAS.exe' + - C:\Program Files\SysAidServer\* + - '*\SysAidServer\*' + - '*\SysAid\*' + - '*\IliAS.exe' Artifacts: Disk: [] EventLog: [] Registry: [] Network: [] -Detections: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sysaid_processes_sigma.yml + Description: Detects potential processes activity of SysAid RMM tool References: [] Acknowledgement: [] 
diff --git a/yaml/syspectr.yaml b/yaml/syspectr.yaml index 15dcbcf3..b706b549 100644 --- a/yaml/syspectr.yaml +++ b/yaml/syspectr.yaml @@ -17,19 +17,23 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - oo-syspectr*.exe - - OOSysAgent.exe + - oo-syspectr*.exe + - OOSysAgent.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - atled.syspectr.com - - app.syspectr.com - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - atled.syspectr.com + - app.syspectr.com + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syspectr_network_sigma.yml + Description: Detects potential network activity of Syspectr RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syspectr_processes_sigma.yml + Description: Detects potential processes activity of Syspectr RMM tool References: - - https://www.syspectr.com/en/installation-in-a-network +- https://www.syspectr.com/en/installation-in-a-network Acknowledgement: [] diff --git a/yaml/tactical_rmm.yaml b/yaml/tactical_rmm.yaml index d60f71b6..a9f3ad78 100644 --- a/yaml/tactical_rmm.yaml +++ b/yaml/tactical_rmm.yaml 
@@ -17,20 +17,24 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - tacticalrmm.exe - - tacticalrmm.exe + - tacticalrmm.exe + - tacticalrmm.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - login.tailscale.com - - login.tailscale.com - - docs.tacticalrmm.com - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - login.tailscale.com + - login.tailscale.com + - docs.tacticalrmm.com + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tactical_rmm_network_sigma.yml + Description: Detects potential network activity of Tactical RMM RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tactical_rmm_processes_sigma.yml + Description: Detects potential processes activity of Tactical RMM RMM tool References: - - docs.tacticalrmm.com +- docs.tacticalrmm.com Acknowledgement: [] diff --git a/yaml/tailscale.yaml b/yaml/tailscale.yaml index b79f5124..f20607a9 100644 --- a/yaml/tailscale.yaml +++ b/yaml/tailscale.yaml 
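Review bot: Both lists on the new side contain duplicates: `tacticalrmm.exe` appears twice under `InstallationPaths` and `login.tailscale.com` twice under `Domains`. The duplicates are harmless for matching but inflate any generated rule and suggest the step that produced this file did not de-duplicate; dropping the second occurrence of each is enough. The tailscale hunk in this same commit already covers `'*.tailscale.com'`, so the two network rules will fire on the same traffic; worth confirming that overlap is intended rather than a copy-over from the Tailscale entry.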
@@ -17,21 +17,25 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - tailscale-*.exe - - tailscaled.exe - - tailscale-ipn.exe + - tailscale-*.exe + - tailscaled.exe + - tailscale-ipn.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - '*.tailscale.com' - - '*.tailscale.io' - - tailscale.com - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - '*.tailscale.com' + - '*.tailscale.io' + - tailscale.com + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tailscale_network_sigma.yml + Description: Detects potential network activity of Tailscale RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tailscale_processes_sigma.yml + Description: Detects potential processes activity of Tailscale RMM tool References: - - https://tailscale.com/kb/1023/troubleshooting +- https://tailscale.com/kb/1023/troubleshooting Acknowledgement: [] diff --git a/yaml/tanium.yaml b/yaml/tanium.yaml index bfadf4e6..f10f2abb 100644 --- a/yaml/tanium.yaml +++ b/yaml/tanium.yaml 
@@ -17,22 +17,26 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - TaniumClient.exe - - TaniumCX.exe - - TaniumExecWrapper.exe - - TaniumFileInfo.exe - - TPowerShell.exe + - TaniumClient.exe + - TaniumCX.exe + - TaniumExecWrapper.exe + - TaniumFileInfo.exe + - TPowerShell.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - cloud.tanium.com - - '*.cloud.tanium.com' - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - cloud.tanium.com + - '*.cloud.tanium.com' + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_network_sigma.yml + Description: Detects potential network activity of Tanium RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_processes_sigma.yml + Description: Detects potential processes activity of Tanium RMM tool References: - - https://help.tanium.com/bundle/ug_client_cloud/page/client/platform_connections.html +- https://help.tanium.com/bundle/ug_client_cloud/page/client/platform_connections.html Acknowledgement: [] diff --git a/yaml/taniumdeploy.yaml b/yaml/taniumdeploy.yaml index 1eb25860..356880ae 100644 --- a/yaml/taniumdeploy.yaml +++ b/yaml/taniumdeploy.yaml @@ -22,10 +22,12 @@ Artifacts: EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - tanium.com/products/tanium-deploy - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - tanium.com/products/tanium-deploy + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_deploy_network_sigma.yml + Description: Detects potential network activity of Tanium Deploy RMM tool References: [] Acknowledgement: [] diff --git a/yaml/teamviewer.yaml b/yaml/teamviewer.yaml index b7f118d6..b1af7d76 100644 --- a/yaml/teamviewer.yaml +++ b/yaml/teamviewer.yaml 
@@ -1,163 +1,172 @@ Name: TeamViewer -Description: | - TeamViewer is a remote monitoring and management (RMM) tool. -Author: 'Nasreddine Bencherchali, Michael Haag' +Description: 'TeamViewer is a remote monitoring and management (RMM) tool. + + ' +Author: Nasreddine Bencherchali, Michael Haag Created: '2024-08-02' LastModified: '2024-08-02' Details: - Website: 'https://www.teamviewer.com/en' + Website: https://www.teamviewer.com/en PEMetadata: - - Filename: 'TeamViewer.exe' - OriginalFileName: '' - Description: '' - Product: 'TeamViewer' + - Filename: TeamViewer.exe + OriginalFileName: '' + Description: '' + Product: TeamViewer Privileges: user Free: true Verification: false SupportedOS: - - Android - - ChromeOS - - IOS - - Linux - - Mac - - Windows + - Android + - ChromeOS + - IOS + - Linux + - Mac + - Windows Capabilities: [] Vulnerabilities: - - https://www.cvedetails.com/vulnerability-list/vendor_id-11100/product_id-19942/Teamviewer-Teamviewer.html + - https://www.cvedetails.com/vulnerability-list/vendor_id-11100/product_id-19942/Teamviewer-Teamviewer.html InstallationPaths: - - 'C:\Program Files\TeamViewer\' - - teamviewer_desktop.exe - - teamviewer_service.exe - - teamviewerhost + - C:\Program Files\TeamViewer\ + - teamviewer_desktop.exe + - teamviewer_service.exe + - teamviewerhost Artifacts: Disk: - - File: 'C:\Users\\AppData\Local\Temp\TeamViewer\TV15Install.log' - Description: N/A - OS: Windows - - File: 'TeamViewer\d\d_Logfile\.log' - Description: N/A - OS: Windows - Type: Regex - - File: 'C:\Program Files\TeamViewer\Connections_incoming.txt' - Description: N/A - OS: Windows - - File: 'C:\Program Files\TeamViewer\TVNetwork.log' - Description: N/A - OS: Windows - - File: '%LOCALAPPDATA%\Temp\TeamViewer\TV15Install.log' - Description: N/A - OS: Windows - - File: '%APPDATA%\\TeamViewer\\TeamViewer\d\d_Logfile\.log' - Description: N/A - OS: Windows - Type: Regex - - File: 'teamviewerqs.exe' - Description: N/A - OS: Windows - - File: 'tv_w32.exe' - 
Description: N/A - OS: Windows - - File: 'tv_w64.exe' - Description: N/A - OS: Windows - - File: 'tv_x64.exe' - Description: N/A - OS: Windows - - File: 'teamviewer.exe' - Description: N/A - OS: Windows - - File: 'teamviewer_service.exe' - Description: N/A - OS: Windows - - File: '%LOCALAPPDATA%\TeamViewer\Database\tvchatfilecache.db' - Description: SQlite 3 database storing cache about TeamViewer chat - OS: Windows - - File: '%LOCALAPPDATA%\TeamViewer\RemotePrinting\tvprint.db' - Description: SQlite 3 database storing TeamViewer print jobs - OS: Windows - - File: '%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\TeamViewer.lnk' - Description: N/A - OS: Windows - - File: 'C:\Program Files*\TeamViewer\connections*.txt' - Description: N/A - OS: Windows - - File: 'C:\Users\*\AppData\Roaming\TeamViewer\MRU\RemoteSupport\*tvc' - Description: N/A - OS: Windows + - File: C:\Users\\AppData\Local\Temp\TeamViewer\TV15Install.log + Description: N/A + OS: Windows + - File: TeamViewer\d\d_Logfile\.log + Description: N/A + OS: Windows + Type: Regex + - File: C:\Program Files\TeamViewer\Connections_incoming.txt + Description: N/A + OS: Windows + - File: C:\Program Files\TeamViewer\TVNetwork.log + Description: N/A + OS: Windows + - File: '%LOCALAPPDATA%\Temp\TeamViewer\TV15Install.log' + Description: N/A + OS: Windows + - File: '%APPDATA%\\TeamViewer\\TeamViewer\d\d_Logfile\.log' + Description: N/A + OS: Windows + Type: Regex + - File: teamviewerqs.exe + Description: N/A + OS: Windows + - File: tv_w32.exe + Description: N/A + OS: Windows + - File: tv_w64.exe + Description: N/A + OS: Windows + - File: tv_x64.exe + Description: N/A + OS: Windows + - File: teamviewer.exe + Description: N/A + OS: Windows + - File: teamviewer_service.exe + Description: N/A + OS: Windows + - File: '%LOCALAPPDATA%\TeamViewer\Database\tvchatfilecache.db' + Description: SQlite 3 database storing cache about TeamViewer chat + OS: Windows + - File: '%LOCALAPPDATA%\TeamViewer\RemotePrinting\tvprint.db' + 
Description: SQlite 3 database storing TeamViewer print jobs + OS: Windows + - File: '%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\TeamViewer.lnk' + Description: N/A + OS: Windows + - File: C:\Program Files*\TeamViewer\connections*.txt + Description: N/A + OS: Windows + - File: C:\Users\*\AppData\Roaming\TeamViewer\MRU\RemoteSupport\*tvc + Description: N/A + OS: Windows EventLog: - - EventID: 7045 - ProviderName: Service Control Manager - LogFile: System.evtx - ServiceName: TeamViewer - ImagePath: '"C:\\Program Files\\TeamViewer\\TeamViewer_Service.exe"' - Description: Service installation event as result of TeamViewer installation. + - EventID: 7045 + ProviderName: Service Control Manager + LogFile: System.evtx + ServiceName: TeamViewer + ImagePath: '"C:\\Program Files\\TeamViewer\\TeamViewer_Service.exe"' + Description: Service installation event as result of TeamViewer installation. Registry: - - Path: 'HKLM\SOFTWARE\TeamViewer\*' - Description: N/A - - Path: 'HKU\\SOFTWARE\TeamViewer\*' - Description: N/A - - Path: 'HKLM\SYSTEM\CurrentControlSet\Services\TeamViewer\*' - Description: N/A - - Path: 'HKLM\SOFTWARE\TeamViewer\ConnectionHistory' - Description: N/A - - Path: 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TeamViewer\*' - Description: N/A - - Path: HKU\SID\SOFTWARE\TeamViewer\MainWindowHandle - Description: N/A - - Path: HKU\SID\SOFTWARE\TeamViewer\DesktopWallpaperSingleImage - Description: N/A - - Path: HKU\SID\SOFTWARE\TeamViewer\DesktopWallpaperSingleImagePath - Description: N/A - - Path: HKU\SID\SOFTWARE\TeamViewer\DesktopWallpaperSingleImagePosition - Description: N/A - - Path: HKU\SID\SOFTWARE\TeamViewer\MinimizeToTray - Description: N/A - - Path: HKU\SID\SOFTWARE\TeamViewer\MultiMedia\AudioUserSelectedCapturingEndpoint - Description: N/A - - Path: HKU\SID\SOFTWARE\TeamViewer\MultiMedia\AudioSendingVolumeV2 - Description: N/A - - Path: HKU\SID\SOFTWARE\TeamViewer\MultiMedia\AudioUserSelectedRenderingEndpoint - Description: N/A - 
- Path: HKLM\SOFTWARE\TeamViewer\ConnectionHistory - Description: N/A - - Path: HKU\SID\SOFTWARE\TeamViewer\ClientWindow_Mode - Description: N/A - - Path: HKU\SID\SOFTWARE\TeamViewer\ClientWindowPositions - Description: N/A + - Path: HKLM\SOFTWARE\TeamViewer\* + Description: N/A + - Path: HKU\\SOFTWARE\TeamViewer\* + Description: N/A + - Path: HKLM\SYSTEM\CurrentControlSet\Services\TeamViewer\* + Description: N/A + - Path: HKLM\SOFTWARE\TeamViewer\ConnectionHistory + Description: N/A + - Path: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TeamViewer\* + Description: N/A + - Path: HKU\SID\SOFTWARE\TeamViewer\MainWindowHandle + Description: N/A + - Path: HKU\SID\SOFTWARE\TeamViewer\DesktopWallpaperSingleImage + Description: N/A + - Path: HKU\SID\SOFTWARE\TeamViewer\DesktopWallpaperSingleImagePath + Description: N/A + - Path: HKU\SID\SOFTWARE\TeamViewer\DesktopWallpaperSingleImagePosition + Description: N/A + - Path: HKU\SID\SOFTWARE\TeamViewer\MinimizeToTray + Description: N/A + - Path: HKU\SID\SOFTWARE\TeamViewer\MultiMedia\AudioUserSelectedCapturingEndpoint + Description: N/A + - Path: HKU\SID\SOFTWARE\TeamViewer\MultiMedia\AudioSendingVolumeV2 + Description: N/A + - Path: HKU\SID\SOFTWARE\TeamViewer\MultiMedia\AudioUserSelectedRenderingEndpoint + Description: N/A + - Path: HKLM\SOFTWARE\TeamViewer\ConnectionHistory + Description: N/A + - Path: HKU\SID\SOFTWARE\TeamViewer\ClientWindow_Mode + Description: N/A + - Path: HKU\SID\SOFTWARE\TeamViewer\ClientWindowPositions + Description: N/A Network: - - Description: Known remote domains - Domains: - - '*.teamviewer.com' - Ports: [] - - Description: N/A - Domains: - - 'router15.teamviewer.com' - Ports: - - 443 - - Description: N/A - Domains: - - 'client.teamviewer.com' - Ports: - - 443 - - Description: N/A - Domains: - - 'taf.teamviewer.com' - Ports: - - 443 + - Description: Known remote domains + Domains: + - '*.teamviewer.com' + Ports: [] + - Description: N/A + Domains: + - router15.teamviewer.com + Ports: + 
- 443 + - Description: N/A + Domains: + - client.teamviewer.com + Ports: + - 443 + - Description: N/A + Domains: + - taf.teamviewer.com + Ports: + - 443 Other: - - Type: Mutex - Value: 'TeamViewer_LogMutex' - - Type: Mutex - Value: 'TeamViewerHooks_DynamicMemMutex' - - Type: Mutex - Value: 'TeamViewer3_Win32_Instance_Mutex' -Detections: [] + - Type: Mutex + Value: TeamViewer_LogMutex + - Type: Mutex + Value: TeamViewerHooks_DynamicMemMutex + - Type: Mutex + Value: TeamViewer3_Win32_Instance_Mutex +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_registry_sigma.yml + Description: Detects potential registry activity of TeamViewer RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_network_sigma.yml + Description: Detects potential network activity of TeamViewer RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_files_sigma.yml + Description: Detects potential files activity of TeamViewer RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_processes_sigma.yml + Description: Detects potential processes activity of TeamViewer RMM tool References: - - https://community.teamviewer.com/English/kb/articles/4139-ports-used-by-teamviewer - - https://arista.my.site.com/AristaCommunity/s/article/Security-Analysis-TeamViewer# - - https://www.teamviewer.com/en/global/support/knowledge-base/teamviewer-classic/troubleshooting/log-file-reading-incoming-connection/ - - https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html - - https://github.com/Purp1eW0lf/Blue-Team-Notes +- https://community.teamviewer.com/English/kb/articles/4139-ports-used-by-teamviewer +- https://arista.my.site.com/AristaCommunity/s/article/Security-Analysis-TeamViewer# +- 
https://www.teamviewer.com/en/global/support/knowledge-base/teamviewer-classic/troubleshooting/log-file-reading-incoming-connection/ +- https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html +- https://github.com/Purp1eW0lf/Blue-Team-Notes Acknowledgement: - - Person: "Théo Letailleur" - Handle: 'in/theosyn' +- Person: "Th\xE9o Letailleur" + Handle: in/theosyn diff --git a/yaml/teledesktop.yaml b/yaml/teledesktop.yaml index 47d17554..e59b9800 100644 --- a/yaml/teledesktop.yaml +++ b/yaml/teledesktop.yaml @@ -17,20 +17,24 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - pstlaunch.exe - - ptdskclient.exe - - ptdskhost.exe + - pstlaunch.exe + - ptdskclient.exe + - ptdskhost.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - user_managed - - tele-desk.com - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - user_managed + - tele-desk.com + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teledesktop_network_sigma.yml + Description: Detects potential network activity of TeleDesktop RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teledesktop_processes_sigma.yml + Description: Detects potential processes activity of TeleDesktop RMM tool References: - - http://potomacsoft.com/ - DOA as of 2024 +- http://potomacsoft.com/ - DOA as of 2024 Acknowledgement: [] diff --git a/yaml/teracloud.yaml b/yaml/teracloud.yaml index 7c040716..16563aa0 100644 --- a/yaml/teracloud.yaml +++ b/yaml/teracloud.yaml 
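Review bot: The re-dump has turned the `Description` block scalar into a single-quoted string with embedded blank lines (`'TeamViewer is a remote monitoring and management (RMM) tool.` followed by two empty lines and `'`) and escaped the contributor name to `"Th\xE9o Letailleur"`, which looks like a YAML dumper run with defaults rather than `allow_unicode=True` and a block style for multi-line text; that is worth fixing at the dumper so every file in this commit does not drift the same way. On the new side, `HKLM\SOFTWARE\TeamViewer\ConnectionHistory` appears twice under `Registry`, and the first Disk artifact `C:\Users\\AppData\Local\Temp\TeamViewer\TV15Install.log` lacks the username wildcard that the later `C:\Users\*\AppData\Roaming\TeamViewer\...` entry has, so a `teamviewer_files_sigma.yml` built from it would carry a path that never matches. `HKU\\SOFTWARE\TeamViewer\*` also has a doubled backslash that the neighbouring `HKU\SID\...` paths do not. These are inherited values, but the commit is what now binds Sigma rules to them.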
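Review bot: `user_managed` under `Domains` in the teledesktop.yaml hunk is a placeholder meaning the remote endpoint is chosen by the operator, not a hostname, yet the hunk now references `teledesktop_network_sigma.yml`, which is presumably generated from this list and would then match the literal string `user_managed`. Either the generator should skip that sentinel or the fact should live in its own field (e.g. `UserManaged: true`) so the network rule only contains `tele-desk.com`. The same placeholder recurs in the tigervnc, tightvnc, turbomeeting, ultravnc, vnc, webrdp and zabbix_agent hunks of this commit.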
@@ -17,14 +17,16 @@ Details:
Capabilities: []
Vulnerabilities: []
InstallationPaths:
- - c:\*\TeraCloud.Client*
- - '*\TeraCloud.Client*'
- - '*\Livedrive-Setup.exe'
+ - c:\*\TeraCloud.Client*
+ - '*\TeraCloud.Client*'
+ - '*\Livedrive-Setup.exe'
Artifacts:
Disk: []
EventLog: []
Registry: []
Network: []
-Detections: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teracloud_processes_sigma.yml
+ Description: Detects potential processes activity of TeraCLOUD RMM tool
References: []
Acknowledgement: []
diff --git a/yaml/tigervnc.yaml b/yaml/tigervnc.yaml
index c53b2c88..a0bcff66 100644
--- a/yaml/tigervnc.yaml
+++ b/yaml/tigervnc.yaml
@@ -17,21 +17,25 @@ Details:
Capabilities: []
Vulnerabilities: []
InstallationPaths:
- - tigervnc*.exe
- - winvnc4.exe
- - C:\Program Files\TightVNC\*
- - '*\TightVNC\*'
- - '*\tvnserver.exe'
+ - tigervnc*.exe
+ - winvnc4.exe
+ - C:\Program Files\TightVNC\*
+ - '*\TightVNC\*'
+ - '*\tvnserver.exe'
Artifacts:
Disk: []
EventLog: []
Registry: []
Network:
- - Description: Known remote domains
- Domains:
- - user_managed
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - user_managed
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tigervnc_network_sigma.yml
+ Description: Detects potential network activity of TigerVNC RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tigervnc_processes_sigma.yml
+ Description: Detects potential processes activity of TigerVNC RMM tool
References:
- - https://github.com/TigerVNC/tigervnc/releases
+- https://github.com/TigerVNC/tigervnc/releases
Acknowledgement: []
diff --git a/yaml/tightvnc.yaml b/yaml/tightvnc.yaml
index 4a2dac73..8426e037 100644
--- a/yaml/tightvnc.yaml
+++ b/yaml/tightvnc.yaml
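Review bot: `InstallationPaths` in the tigervnc.yaml hunk includes `C:\Program Files\TightVNC\*`, `*\TightVNC\*` and `*\tvnserver.exe`, which are TightVNC's install directory and server binary (tightvnc.yaml in this same commit lists `tvnserver.exe` itself), so a `tigervnc_processes_sigma.yml` built from this list would attribute TightVNC activity to TigerVNC and duplicate `tightvnc_processes_sigma.yml`. Keep only the TigerVNC-specific entries here (`tigervnc*.exe`, `winvnc4.exe`) and let the TightVNC file own its own paths. `user_managed` under `Domains` is a sentinel rather than a hostname and will leak into the network rule unless the generator filters it.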
@@ -17,20 +17,24 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - tvnviewer.exe - - TightVNCViewerPortable*.exe - - tvnserver.exe + - tvnviewer.exe + - TightVNCViewerPortable*.exe + - tvnserver.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - user_managed - - tightvnc.com - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - user_managed + - tightvnc.com + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tightvnc_network_sigma.yml + Description: Detects potential network activity of TightVNC RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tightvnc_processes_sigma.yml + Description: Detects potential processes activity of TightVNC RMM tool References: - - https://www.tightvnc.com/doc/win/TightVNC_for_Windows-Installation_and_Getting_Started.pdf +- https://www.tightvnc.com/doc/win/TightVNC_for_Windows-Installation_and_Getting_Started.pdf Acknowledgement: [] diff --git a/yaml/todesk.yaml b/yaml/todesk.yaml index e7069b9e..50aa6939 100644 --- a/yaml/todesk.yaml +++ b/yaml/todesk.yaml 
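Review bot: `tvnviewer.exe` and `TightVNCViewerPortable*.exe` under `InstallationPaths` in the tightvnc.yaml hunk are the viewer (operator) side, so a `tightvnc_processes_sigma.yml` built from this list will fire on the workstation driving a session as well as on the host being controlled; if the goal is to catch an RMM foothold, `tvnserver.exe` is the artifact that matters and the viewer binaries should be flagged as such or split out. `user_managed` under `Domains` is a placeholder, not a hostname, and should not reach the network rule.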
@@ -17,22 +17,26 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - todesk.exe - - ToDesk_Service.exe - - ToDesk_Setup.exe + - todesk.exe + - ToDesk_Service.exe + - ToDesk_Setup.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - todesk.com - - '*.todesk.com' - - '*.todesk.com' - - todesktop.com - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - todesk.com + - '*.todesk.com' + - '*.todesk.com' + - todesktop.com + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/todesk_network_sigma.yml + Description: Detects potential network activity of ToDesk RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/todesk_processes_sigma.yml + Description: Detects potential processes activity of ToDesk RMM tool References: - - https://www.todesk.com/ +- https://www.todesk.com/ Acknowledgement: [] diff --git a/yaml/total_software_deployment.yaml b/yaml/total_software_deployment.yaml index e084a124..a943aed6 100644 --- a/yaml/total_software_deployment.yaml +++ b/yaml/total_software_deployment.yaml @@ -17,15 +17,18 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - C:\ProgramData\Total Software Deployment\* - - '*\Total Software Deployment\*' - - '*\tniwinagent.exe' - - '*\Tsdservice.exe' + - C:\ProgramData\Total Software Deployment\* + - '*\Total Software Deployment\*' + - '*\tniwinagent.exe' + - '*\Tsdservice.exe' Artifacts: Disk: [] EventLog: [] Registry: [] Network: [] -Detections: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/total_software_deployment_processes_sigma.yml + Description: Detects potential processes activity of Total Software Deployment RMM + tool References: [] Acknowledgement: [] diff --git a/yaml/turbomeeting.yaml b/yaml/turbomeeting.yaml index 6534f062..42dd3d90 100644 --- a/yaml/turbomeeting.yaml 
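Review bot: `'*.todesk.com'` is listed twice under `Domains` in the todesk.yaml hunk, and `todesktop.com` does not look like a ToDesk vendor domain — it appears to belong to an unrelated product (ToDesktop, an Electron packaging service), so a `todesk_network_sigma.yml` built from this list would flag unrelated traffic. Drop the duplicate and verify `todesktop.com` against ToDesk's own documentation before leaving it in; the sole reference `https://www.todesk.com/` does not support it.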
+++ b/yaml/turbomeeting.yaml @@ -17,20 +17,24 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - pcstarter.exe - - turbomeeting.exe - - turbomeetingstarter.exe + - pcstarter.exe + - turbomeeting.exe + - turbomeetingstarter.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - user_managed - - acceo.com/turbomeeting/ - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - user_managed + - acceo.com/turbomeeting/ + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/turbomeeting_network_sigma.yml + Description: Detects potential network activity of TurboMeeting RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/turbomeeting_processes_sigma.yml + Description: Detects potential processes activity of TurboMeeting RMM tool References: - - http://sourcing.rhubcom.com/v5/faqs.html#collapsetwentysix2-topdiv +- http://sourcing.rhubcom.com/v5/faqs.html#collapsetwentysix2-topdiv Acknowledgement: [] diff --git a/yaml/ultra_vnc.yaml b/yaml/ultra_vnc.yaml index 50a53025..25a1b310 100644 --- a/yaml/ultra_vnc.yaml +++ b/yaml/ultra_vnc.yaml @@ -17,16 +17,18 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - C:\Program Files\uvnc bvba\UltraVNC\* - - '*\uvnc bvba\UltraVNC\*' - - '*\UVNC_Launch.exe' - - '*\winvnc.exe' - - '*\vncviewer.exe' + - C:\Program Files\uvnc bvba\UltraVNC\* + - '*\uvnc bvba\UltraVNC\*' + - '*\UVNC_Launch.exe' + - '*\winvnc.exe' + - '*\vncviewer.exe' Artifacts: Disk: [] EventLog: [] Registry: [] Network: [] -Detections: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultra_vnc_processes_sigma.yml + Description: Detects potential processes activity of Ultra VNC RMM tool References: [] Acknowledgement: [] diff --git a/yaml/ultraviewer.yaml b/yaml/ultraviewer.yaml index 3034c626..e8bdf46d 100644 
--- a/yaml/ultraviewer.yaml +++ b/yaml/ultraviewer.yaml @@ -17,29 +17,33 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - UltraViewer_Service.exe - - UltraViewer_setup* - - UltraViewer_Desktop.exe - - ultraviewer.exe - - C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe - - '*\UltraViewer\' - - '*\UltraViewer_Desktop.exe' - - ultraviewer_desktop.exe - - ultraviewer_service.exe - - UltraViewer_Desktop.exe - - UltraViewer_setup* - - UltraViewer_Service.exe + - UltraViewer_Service.exe + - UltraViewer_setup* + - UltraViewer_Desktop.exe + - ultraviewer.exe + - C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe + - '*\UltraViewer\' + - '*\UltraViewer_Desktop.exe' + - ultraviewer_desktop.exe + - ultraviewer_service.exe + - UltraViewer_Desktop.exe + - UltraViewer_setup* + - UltraViewer_Service.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - '* .ultraviewer.net' - - ultraviewer.net - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - '* .ultraviewer.net' + - ultraviewer.net + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultraviewer_network_sigma.yml + Description: Detects potential network activity of UltraViewer RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultraviewer_processes_sigma.yml + Description: Detects potential processes activity of UltraViewer RMM tool References: - - https://www.ultraviewer.net/en/200000026-summary-of-ultraviewer-s-security-information.html +- https://www.ultraviewer.net/en/200000026-summary-of-ultraviewer-s-security-information.html Acknowledgement: [] diff --git a/yaml/ultravnc.yaml b/yaml/ultravnc.yaml index 3deb65f2..d8ea15b4 100644 --- a/yaml/ultravnc.yaml +++ b/yaml/ultravnc.yaml 
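Review bot: `'* .ultraviewer.net'` under `Domains` in the ultraviewer.yaml hunk has a space between the wildcard and the dot, so it can never match a hostname and `ultraviewer_network_sigma.yml` would carry a dead pattern; it should be `'*.ultraviewer.net'`. `InstallationPaths` also repeats `UltraViewer_Desktop.exe`, `UltraViewer_setup*` and `UltraViewer_Service.exe`, plus lowercase variants that are redundant if the process rule matches case-insensitively as Sigma string modifiers do by default, which bloats the generated rule without adding coverage. Both are inherited from the old side but are now what the rules are built from.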
@@ -17,18 +17,22 @@ Details:
Capabilities: []
Vulnerabilities: []
InstallationPaths:
- - UltraVNC*.exe
+ - UltraVNC*.exe
Artifacts:
Disk: []
EventLog: []
Registry: []
Network:
- - Description: Known remote domains
- Domains:
- - ultravnc.com
- - user_managed
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - ultravnc.com
+ - user_managed
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultravnc_network_sigma.yml
+ Description: Detects potential network activity of UltraVNC RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultravnc_processes_sigma.yml
+ Description: Detects potential processes activity of UltraVNC RMM tool
References:
- - https://uvnc.com/docs/uvnc-server/49-UltraVNC-server-configuration.html
+- https://uvnc.com/docs/uvnc-server/49-UltraVNC-server-configuration.html
Acknowledgement: []
diff --git a/yaml/visual_studio_dev_tunnel.yaml b/yaml/visual_studio_dev_tunnel.yaml
index 7c50655d..59c70083 100644
--- a/yaml/visual_studio_dev_tunnel.yaml
+++ b/yaml/visual_studio_dev_tunnel.yaml
@@ -22,13 +22,16 @@ Artifacts:
EventLog: []
Registry: []
Network:
- - Description: Known remote domains
- Domains:
- - global.rel.tunnels.api.visualstudio.com
- - '*.rel.tunnels.api.visualstudio.com'
- - '*.devtunnels.ms'
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - global.rel.tunnels.api.visualstudio.com
+ - '*.rel.tunnels.api.visualstudio.com'
+ - '*.devtunnels.ms'
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/visual_studio_dev_tunnel_network_sigma.yml
+ Description: Detects potential network activity of Visual Studio Dev Tunnel RMM
+ tool
References:
- - https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security
+- https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security
Acknowledgement: []
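Review bot: The ultravnc.yaml hunk overlaps with `ultra_vnc.yaml` earlier in this commit — both describe UltraVNC but with disjoint `InstallationPaths` (`UltraVNC*.exe` here versus `*\winvnc.exe`, `*\vncviewer.exe`, `*\UVNC_Launch.exe` and the `uvnc bvba\UltraVNC` directory there), so the commit now emits two process rules, `ultravnc_processes_sigma.yml` and `ultra_vnc_processes_sigma.yml`, each seeing half the binaries. Merge the two entries so one rule carries the full path list; note that `winvnc.exe` and `vncviewer.exe` also appear in `vnc.yaml`'s list, so the merged rule should be deduplicated against that one as well. `user_managed` under `Domains` is a placeholder rather than a hostname.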
diff --git a/yaml/vnc.yaml b/yaml/vnc.yaml index b4ec1b80..eebdde26 100644 --- a/yaml/vnc.yaml +++ b/yaml/vnc.yaml @@ -17,24 +17,28 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - winvnc*.exe - - vncserver.exe - - winwvc.exe - - winvncsc.exe - - vncserverui.exe - - vncviewer.exe - - winvnc.exe + - winvnc*.exe + - vncserver.exe + - winwvc.exe + - winvncsc.exe + - vncserverui.exe + - vncviewer.exe + - winvnc.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - user_managed - - realvnc.com/en/connect/download/vnc - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - user_managed + - realvnc.com/en/connect/download/vnc + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/vnc_network_sigma.yml + Description: Detects potential network activity of VNC RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/vnc_processes_sigma.yml + Description: Detects potential processes activity of VNC RMM tool References: - - https://realvnc.com/en/connect/download/vnc +- https://realvnc.com/en/connect/download/vnc Acknowledgement: [] diff --git a/yaml/vnc_connect.yaml b/yaml/vnc_connect.yaml index 96b8b0c5..e85af07f 100644 --- a/yaml/vnc_connect.yaml +++ b/yaml/vnc_connect.yaml @@ -17,8 +17,8 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - C:\Program Files\RealVNC\VNC Server\* - - '*\RealVNC\VNC Server\*' + - C:\Program Files\RealVNC\VNC Server\* + - '*\RealVNC\VNC Server\*' Artifacts: Disk: [] EventLog: [] diff --git a/yaml/webex_(remote_access).yaml b/yaml/webex_(remote_access).yaml index b1a6d9e4..270175c1 100644 --- a/yaml/webex_(remote_access).yaml +++ b/yaml/webex_(remote_access).yaml 
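Review bot: `realvnc.com/en/connect/download/vnc` under `Domains` in the vnc.yaml hunk is a download URL, not a hostname, and should be removed from the list the network rule is built from (it is already the `References` entry). `winwvc.exe` in `InstallationPaths` looks like a typo of the adjacent `winvnc.exe` — verify it is a real binary name before it is baked into `vnc_processes_sigma.yml`. `user_managed` is a placeholder rather than a domain.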
@@ -24,5 +24,5 @@ Artifacts:
Network: []
Detections: []
References:
- - https://help.webex.com/en-us/article/nyc3q0b/Set-Up-a-Computer-for-Remote-Access
+- https://help.webex.com/en-us/article/nyc3q0b/Set-Up-a-Computer-for-Remote-Access
Acknowledgement: []
diff --git a/yaml/webrdp.yaml b/yaml/webrdp.yaml
index 449ccb01..9cd715fd 100644
--- a/yaml/webrdp.yaml
+++ b/yaml/webrdp.yaml
@@ -17,18 +17,22 @@ Details:
Capabilities: []
Vulnerabilities: []
InstallationPaths:
- - webrdp.exe
+ - webrdp.exe
Artifacts:
Disk: []
EventLog: []
Registry: []
Network:
- - Description: Known remote domains
- Domains:
- - user_managed
- - github.com/Mikej81/WebRDP
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - user_managed
+ - github.com/Mikej81/WebRDP
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/webrdp_network_sigma.yml
+ Description: Detects potential network activity of WebRDP RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/webrdp_processes_sigma.yml
+ Description: Detects potential processes activity of WebRDP RMM tool
References:
- - github.com/Mikej81/WebRDP
+- github.com/Mikej81/WebRDP
Acknowledgement: []
diff --git a/yaml/weezo.yaml b/yaml/weezo.yaml
index 2df348f7..f8dc42d3 100644
--- a/yaml/weezo.yaml
+++ b/yaml/weezo.yaml
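Review bot: `github.com/Mikej81/WebRDP` under `Domains` in the webrdp.yaml hunk is the project's repository URL rather than an endpoint the tool connects to, so a `webrdp_network_sigma.yml` built from it would match nothing useful — or, if the generator keeps only the host part, would match all of `github.com`. Keep it under `References`, ideally with a scheme (`https://github.com/Mikej81/WebRDP`), and leave `Domains` to real endpoints; `user_managed` is a placeholder, not a domain.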
@@ -17,22 +17,26 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - weezohttpd.exe - - weezo.exe - - weezo setup*.exe + - weezohttpd.exe + - weezo.exe + - weezo setup*.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - '*.weezo.me' - - weezo.net - - '*.weezo.net' - - weezo.en.softonic.com - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - '*.weezo.me' + - weezo.net + - '*.weezo.net' + - weezo.en.softonic.com + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/weezo_network_sigma.yml + Description: Detects potential network activity of Weezo RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/weezo_processes_sigma.yml + Description: Detects potential processes activity of Weezo RMM tool References: - - weezo.en.softonic.com +- weezo.en.softonic.com Acknowledgement: [] diff --git a/yaml/winscp.yaml b/yaml/winscp.yaml index 0e66b8b2..1cbd1a59 100644 --- a/yaml/winscp.yaml +++ b/yaml/winscp.yaml @@ -17,15 +17,17 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - C:\Users\IEUser\Downloads\WinSCP-5.21.6-Portable\* - - '*\WinSCP*Portable\*' - - '*\WinSCP.exe' - - '*\WinSCP\*' + - C:\Users\IEUser\Downloads\WinSCP-5.21.6-Portable\* + - '*\WinSCP*Portable\*' + - '*\WinSCP.exe' + - '*\WinSCP\*' Artifacts: Disk: [] EventLog: [] Registry: [] Network: [] -Detections: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/winscp_processes_sigma.yml + Description: Detects potential processes activity of WinSCP RMM tool References: [] Acknowledgement: [] diff --git a/yaml/xeox.yaml b/yaml/xeox.yaml index 39ace68e..1ca4488c 100644 --- a/yaml/xeox.yaml +++ b/yaml/xeox.yaml 
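Review bot: `weezo.en.softonic.com` under `Domains` in the weezo.yaml hunk is a Softonic download-aggregator page, not Weezo infrastructure, so a `weezo_network_sigma.yml` built from it would alert on users browsing a third-party download site rather than on Weezo traffic; drop it from `Domains`. It is also the only `References` entry, which is a weak source for a vendor domain list — the `*.weezo.me` / `weezo.net` entries are the ones worth keeping and a vendor page would be a better citation for them.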
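Review bot: `C:\Users\IEUser\Downloads\WinSCP-5.21.6-Portable\*` under `InstallationPaths` in the winscp.yaml hunk is an analyst-VM artifact (`IEUser` is the default account of Microsoft's test images) pinned to one version, so it adds nothing to `winscp_processes_sigma.yml` beyond the generic `*\WinSCP*Portable\*` pattern and leaks a lab path into a public rule; remove it. The rule description `Detects potential processes activity of WinSCP RMM tool` is also inaccurate, since WinSCP is an SFTP/SCP client rather than an RMM — `Detects potential process activity of WinSCP (file transfer tool)` would avoid misclassifying alerts, and the same "processes activity" wording recurs in every generated description in this commit.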
@@ -17,21 +17,25 @@ Details:
Capabilities: []
Vulnerabilities: []
InstallationPaths:
- - xeox-agent_x64.exe
- - xeox_service_windows.exe
- - xeox-agent_*.exe
- - xeox-agent_x86.exe
+ - xeox-agent_x64.exe
+ - xeox_service_windows.exe
+ - xeox-agent_*.exe
+ - xeox-agent_x86.exe
Artifacts:
Disk: []
EventLog: []
Registry: []
Network:
- - Description: Known remote domains
- Domains:
- - '*.xeox.com'
- - xeox.com
- Ports: []
-Detections: []
+ - Description: Known remote domains
+ Domains:
+ - '*.xeox.com'
+ - xeox.com
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xeox_network_sigma.yml
+ Description: Detects potential network activity of Xeox RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xeox_processes_sigma.yml
+ Description: Detects potential processes activity of Xeox RMM tool
References:
- - https://help.xeox.com/knowledge-base/gSuyNfDH6u79M82utnswf2/firewall-settings-xeox-agent-and-integrations/47T7S9tZJ2L1Z2W5gwuXoW
+- https://help.xeox.com/knowledge-base/gSuyNfDH6u79M82utnswf2/firewall-settings-xeox-agent-and-integrations/47T7S9tZJ2L1Z2W5gwuXoW
Acknowledgement: []
diff --git a/yaml/xpra.yaml b/yaml/xpra.yaml
index 7b201619..f1fa83be 100644
--- a/yaml/xpra.yaml
+++ b/yaml/xpra.yaml
@@ -17,15 +17,17 @@ Details:
Capabilities: []
Vulnerabilities: []
InstallationPaths:
- - C:\Program Files (x86)\Xpra\*
- - '*\Xpra\*'
- - '*\Xpra-Launcher.exe'
- - '*\Xpra-x86_64_Setup.exe'
+ - C:\Program Files (x86)\Xpra\*
+ - '*\Xpra\*'
+ - '*\Xpra-Launcher.exe'
+ - '*\Xpra-x86_64_Setup.exe'
Artifacts:
Disk: []
EventLog: []
Registry: []
Network: []
-Detections: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xpra_processes_sigma.yml
+ Description: Detects potential processes activity of Xpra RMM tool
References: []
Acknowledgement: []
diff --git a/yaml/xshell.yaml b/yaml/xshell.yaml
index de6e287c..38e7981b 100644
--- a/yaml/xshell.yaml
+++ b/yaml/xshell.yaml
@@ -17,14 +17,16 @@ Details:
Capabilities: []
Vulnerabilities: []
InstallationPaths:
- - C:\Program Files (x86)\NetSarang\xShell\*
- - '*\NetSarang\xShell\*'
- - '*\xShell.exe'
+ - C:\Program Files (x86)\NetSarang\xShell\*
+ - '*\NetSarang\xShell\*'
+ - '*\xShell.exe'
Artifacts:
Disk: []
EventLog: []
Registry: []
Network: []
-Detections: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xshell_processes_sigma.yml
+ Description: Detects potential processes activity of Xshell RMM tool
References: []
Acknowledgement: []
diff --git a/yaml/yandex.disk.yaml b/yaml/yandex.disk.yaml
index 90d372b5..659726d1 100644
--- a/yaml/yandex.disk.yaml
+++ b/yaml/yandex.disk.yaml
@@ -17,14 +17,16 @@ Details:
Capabilities: []
Vulnerabilities: []
InstallationPaths:
- - C:\Program Files (x86)\Yandex\*
- - '*\Yandex\*'
- - '*\YandexDisk2.exe'
+ - C:\Program Files (x86)\Yandex\*
+ - '*\Yandex\*'
+ - '*\YandexDisk2.exe'
Artifacts:
Disk: []
EventLog: []
Registry: []
Network: []
-Detections: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/yandex.disk_processes_sigma.yml
+ Description: Detects potential processes activity of Yandex.Disk RMM tool
References: []
Acknowledgement: []
diff --git a/yaml/zabbix_agent.yaml b/yaml/zabbix_agent.yaml
index c27aa461..8d773c3d 100644
--- a/yaml/zabbix_agent.yaml
+++ b/yaml/zabbix_agent.yaml
@@ -17,18 +17,22 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - zabbix_agent*.exe + - zabbix_agent*.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - user_managed - - zabbix.com - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - user_managed + - zabbix.com + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zabbix_agent_network_sigma.yml + Description: Detects potential network activity of Zabbix Agent RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zabbix_agent_processes_sigma.yml + Description: Detects potential processes activity of Zabbix Agent RMM tool References: - - https://www.zabbix.com/documentation/current/en/manual/appendix/install/windows_agent +- https://www.zabbix.com/documentation/current/en/manual/appendix/install/windows_agent Acknowledgement: [] diff --git a/yaml/zerotier.yaml b/yaml/zerotier.yaml index 0d2b2c2e..107da668 100644 --- a/yaml/zerotier.yaml +++ b/yaml/zerotier.yaml 
@@ -17,20 +17,24 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - zerotier*.msi - - zerotier*.exe - - zero-powershell.exe + - zerotier*.msi + - zerotier*.exe + - zero-powershell.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - zerotier.com - - '*.zerotier.com' - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - zerotier.com + - '*.zerotier.com' + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zerotier_network_sigma.yml + Description: Detects potential network activity of ZeroTier RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zerotier_processes_sigma.yml + Description: Detects potential processes activity of ZeroTier RMM tool References: - - https://my.zerotier.com/ +- https://my.zerotier.com/ Acknowledgement: [] diff --git a/yaml/zoc.yaml b/yaml/zoc.yaml index 3c46a328..f5752b9e 100644 --- a/yaml/zoc.yaml +++ b/yaml/zoc.yaml @@ -17,14 +17,16 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - C:\Program Files\ZOC8\* - - '*\ZOC?\*' - - '*\zoc.exe' + - C:\Program Files\ZOC8\* + - '*\ZOC?\*' + - '*\zoc.exe' Artifacts: Disk: [] EventLog: [] Registry: [] Network: [] -Detections: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoc_processes_sigma.yml + Description: Detects potential processes activity of ZOC RMM tool References: [] Acknowledgement: [] diff --git a/yaml/zohoassist.yaml b/yaml/zohoassist.yaml index 06a875af..97198135 100644 --- a/yaml/zohoassist.yaml +++ b/yaml/zohoassist.yaml 
@@ -17,38 +17,42 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - zaservice.exe - - ZMAgent.exe - - C:\*\ZA_Access.exe - - ZohoMeeting.exe - - Zohours.exe - - zohotray.exe - - ZohoURSService.exe - - '*\ZA_Access.exe' - - Zaservice.exe - - za_connect.exe + - zaservice.exe + - ZMAgent.exe + - C:\*\ZA_Access.exe + - ZohoMeeting.exe + - Zohours.exe + - zohotray.exe + - ZohoURSService.exe + - '*\ZA_Access.exe' + - Zaservice.exe + - za_connect.exe Artifacts: Disk: [] EventLog: [] Registry: [] Network: - - Description: Known remote domains - Domains: - - '*.zoho.com.au' - - '*.zohoassist.jp' - - assist.zoho.com - - zoho.com/assist/ - - '*.zoho.in' - - downloads.zohodl.com.cn - - '*.zohoassist.com' - - downloads.zohocdn.com - - gateway.zohoassist.com - - '*.zohoassist.com.cn' - - '*.zoho.com.cn' - - '*.zoho.com' - - '*.zoho.eu' - Ports: [] -Detections: [] + - Description: Known remote domains + Domains: + - '*.zoho.com.au' + - '*.zohoassist.jp' + - assist.zoho.com + - zoho.com/assist/ + - '*.zoho.in' + - downloads.zohodl.com.cn + - '*.zohoassist.com' + - downloads.zohocdn.com + - gateway.zohoassist.com + - '*.zohoassist.com.cn' + - '*.zoho.com.cn' + - '*.zoho.com' + - '*.zoho.eu' + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoho_assist_network_sigma.yml + Description: Detects potential network activity of Zoho Assist RMM tool +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoho_assist_processes_sigma.yml + Description: Detects potential processes activity of Zoho Assist RMM tool References: - - https://www.zoho.com/assist/kb/firewall-configuration.html +- https://www.zoho.com/assist/kb/firewall-configuration.html Acknowledgement: []
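Review bot: `'*.zoho.com'`, `'*.zoho.eu'`, `'*.zoho.in'`, `'*.zoho.com.cn'` and `'*.zoho.com.au'` under `Domains` in the zohoassist.yaml hunk cover the entire Zoho SaaS suite (Mail, CRM, Desk and so on), so a `zoho_assist_network_sigma.yml` built from this list will fire on any Zoho customer's everyday traffic rather than on Assist sessions. Scope it to the Assist-specific hosts already present (`assist.zoho.com`, `gateway.zohoassist.com`, `*.zohoassist.com`, `*.zohoassist.com.cn`, `*.zohoassist.jp`) unless the cited firewall-configuration page explicitly requires the bare wildcards, in which case a comment in the entry should say so. `zoho.com/assist/` is a URL path, not a hostname, and should not be in `Domains`.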