From a838b72949b4cbc7e5d6b3177a6b3315da9db487 Mon Sep 17 00:00:00 2001 
From: Hare Sudhan Date: Mon, 30 Sep 2024 23:42:44 -0400 Subject: [PATCH] removing more duplicates --- yaml/beyondtrustbomgar.yaml | 43 ------------------- yaml/bomgar.yaml | 36 ---------------- yaml/bomgar_-_now_beyondtrust.yaml | 27 ------------ yaml/box.yaml | 32 -------------- yaml/chicken_(of_the_vnc).yaml | 3 +- yaml/chromeremotedesktop.yaml | 43 ------------------- yaml/cloudbuckit.yaml | 32 -------------- yaml/cloudgopher.yaml | 27 ------------ yaml/cloudsfer.yaml | 27 ------------ yaml/core_ftp.yaml | 31 ------------- yaml/cruz.yaml | 33 -------------- yaml/cuteftp.yaml | 32 -------------- yaml/cyberduck.yaml | 32 -------------- ...dameware-mini_remote_control_protocol.yaml | 39 ----------------- yaml/dameware.yaml | 10 ++++- yaml/datto.yaml | 33 -------------- yaml/desktopcentral.yaml | 36 ---------------- yaml/distant_desktop.yaml | 4 +- yaml/distantdesktop.yaml | 40 ----------------- yaml/dropbox.yaml | 33 -------------- yaml/dw_service.yaml | 1 - yaml/dwservice.yaml | 38 ---------------- yaml/electric.yaml | 33 -------------- yaml/electric_ai_(kaseya).yaml | 10 ++++- yaml/manage_engine_(desktop_central).yaml | 13 +++--- yaml/microsoft_quick_assist.yaml | 3 +- yaml/microsoft_rdp.yaml | 2 + yaml/microsoft_tsc.yaml | 1 + yaml/microsoftrdp.yaml | 33 -------------- yaml/microsofttsc.yaml | 32 -------------- 30 files changed, 31 insertions(+), 728 deletions(-) delete mode 100644 yaml/beyondtrustbomgar.yaml delete mode 100644 yaml/bomgar.yaml delete mode 100644 yaml/bomgar_-_now_beyondtrust.yaml delete mode 100644 yaml/box.yaml delete mode 100644 yaml/chromeremotedesktop.yaml delete mode 100644 yaml/cloudbuckit.yaml delete mode 100644 yaml/cloudgopher.yaml delete mode 100644 yaml/cloudsfer.yaml delete mode 100644 yaml/core_ftp.yaml delete mode 100644 yaml/cruz.yaml delete mode 100644 yaml/cuteftp.yaml delete mode 100644 yaml/cyberduck.yaml delete mode 100644 yaml/dameware-mini_remote_control_protocol.yaml delete mode 100644 yaml/datto.yaml delete mode 100644 
yaml/desktopcentral.yaml delete mode 100644 yaml/distantdesktop.yaml delete mode 100644 yaml/dropbox.yaml delete mode 100644 yaml/dwservice.yaml delete mode 100644 yaml/electric.yaml delete mode 100644 yaml/microsoftrdp.yaml delete mode 100644 yaml/microsofttsc.yaml diff --git a/yaml/beyondtrustbomgar.yaml b/yaml/beyondtrustbomgar.yaml deleted file mode 100644 index ab3651b9..00000000 --- a/yaml/beyondtrustbomgar.yaml +++ /dev/null @@ -1,43 +0,0 @@ -Name: BeyondTrust (Bomgar) -Description: BeyondTrust (Bomgar) is a remote monitoring and management (RMM) tool. - More information will be added as it becomes available. -Author: '' -Created: '' -LastModified: 2/7/2024 -Details: - Website: '' - PEMetadata: - Filename: '' - OriginalFileName: '' - Description: '' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: [] - Capabilities: [] - Vulnerabilities: [] - InstallationPaths: - - bomgar-scc.exe - - bomgar-rdp.exe - - bomgar-scc-*.exe - - bomgar-pac-*.exe - - bomgar-pac.exe -Artifacts: - Disk: [] - EventLog: [] - Registry: [] - Network: - - Description: Known remote domains - Domains: - - bomgarcloud.com - - '*.bomgarcloud.com' - - '*.beyondtrustcloud.com' - Ports: [] -Detections: -- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__network_sigma.yml - Description: Detects potential network activity of BeyondTrust (Bomgar) RMM tool -- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__processes_sigma.yml - Description: Detects potential processes activity of BeyondTrust (Bomgar) RMM tool -References: -- https://www.beyondtrust.com/docs/remote-support/getting-started/deployment/cloud/network.htm -Acknowledgement: [] diff --git a/yaml/bomgar.yaml b/yaml/bomgar.yaml deleted file mode 100644 index 176f5761..00000000 --- a/yaml/bomgar.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -Name: Bomgar -Description: Bomgar is a remote monitoring and management (RMM) tool. More information - will be added as it becomes available. -Author: '' -Created: '' -LastModified: '' -Details: - Website: '' - PEMetadata: - Filename: '' - OriginalFileName: '' - Description: '' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: [] - Capabilities: [] - Vulnerabilities: [] - InstallationPaths: - - bomgar-scc.exe -Artifacts: - Disk: [] - EventLog: [] - Registry: [] - Network: - - Description: Known remote domains - Domains: - - beyondtrust.com/brand/bomgar - Ports: [] -Detections: -- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bomgar_network_sigma.yml - Description: Detects potential network activity of Bomgar RMM tool -- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bomgar_processes_sigma.yml - Description: Detects potential processes activity of Bomgar RMM tool -References: [] -Acknowledgement: [] diff --git a/yaml/bomgar_-_now_beyondtrust.yaml b/yaml/bomgar_-_now_beyondtrust.yaml deleted file mode 100644 index 21820e11..00000000 --- a/yaml/bomgar_-_now_beyondtrust.yaml +++ /dev/null @@ -1,27 +0,0 @@ -Name: Bomgar - Now BeyondTrust -Description: Bomgar - Now BeyondTrust is a remote monitoring and management (RMM) - tool. More information will be added as it becomes available. -Author: '' -Created: '' -LastModified: '' -Details: - Website: '' - PEMetadata: - Filename: '' - OriginalFileName: '' - Description: '' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: [] - Capabilities: [] - Vulnerabilities: [] - InstallationPaths: [] -Artifacts: - Disk: [] - EventLog: [] - Registry: [] - Network: [] -Detections: [] -References: [] -Acknowledgement: [] diff --git a/yaml/box.yaml b/yaml/box.yaml deleted file mode 100644 index 5b74807f..00000000 --- a/yaml/box.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ -Name: Box -Description: Box is a remote monitoring and management (RMM) tool. More information - will be added as it becomes available. -Author: '' -Created: '' -LastModified: '' -Details: - Website: '' - PEMetadata: - Filename: '' - OriginalFileName: '' - Description: '' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: [] - Capabilities: [] - Vulnerabilities: [] - InstallationPaths: - - C:\Program Files\Box\Box\* - - '*\Box\Box\*' - - '*\Box.exe' -Artifacts: - Disk: [] - EventLog: [] - Registry: [] - Network: [] -Detections: -- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/box_processes_sigma.yml - Description: Detects potential processes activity of Box RMM tool -References: [] -Acknowledgement: [] diff --git a/yaml/chicken_(of_the_vnc).yaml b/yaml/chicken_(of_the_vnc).yaml index 34ade304..034e0c36 100644 --- a/yaml/chicken_(of_the_vnc).yaml +++ b/yaml/chicken_(of_the_vnc).yaml @@ -23,5 +23,6 @@ Artifacts: Registry: [] Network: [] Detections: [] -References: [] +References: +- https://github.com/flit/cotvnc Acknowledgement: [] diff --git a/yaml/chromeremotedesktop.yaml b/yaml/chromeremotedesktop.yaml deleted file mode 100644 index 4a53817c..00000000 --- a/yaml/chromeremotedesktop.yaml +++ /dev/null 
@@ -1,43 +0,0 @@ -Name: Chrome Remote Desktop -Description: Chrome Remote Desktop is a remote monitoring and management (RMM) tool. - More information will be added as it becomes available. -Author: '' -Created: '' -LastModified: 2/7/2024 -Details: - Website: '' - PEMetadata: - Filename: '' - OriginalFileName: '' - Description: '' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: [] - Capabilities: [] - Vulnerabilities: [] - InstallationPaths: - - remote_host.exe - - remoting_host.exe - - C:\Program Files (x86)\Google\Chrome Remote Desktop\* - - '*\Google\Chrome Remote Desktop\*' - - '*\remoting_host.exe' -Artifacts: - Disk: [] - EventLog: [] - Registry: [] - Network: - - Description: Known remote domains - Domains: - - '*remotedesktop-pa.googleapis.com' - - '*remotedesktop.google.com' - - remotedesktop.google.com - Ports: [] -Detections: -- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_network_sigma.yml - Description: Detects potential network activity of Chrome Remote Desktop RMM tool -- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_processes_sigma.yml - Description: Detects potential processes activity of Chrome Remote Desktop RMM tool -References: -- https://support.google.com/chrome/a/answer/2799701?hl=en -Acknowledgement: [] diff --git a/yaml/cloudbuckit.yaml b/yaml/cloudbuckit.yaml deleted file mode 100644 index 0a6760eb..00000000 --- a/yaml/cloudbuckit.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ -Name: CloudBuckIt -Description: CloudBuckIt is a remote monitoring and management (RMM) tool. More information - will be added as it becomes available. -Author: '' -Created: '' -LastModified: '' -Details: - Website: '' - PEMetadata: - Filename: '' - OriginalFileName: '' - Description: '' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: [] - Capabilities: [] - Vulnerabilities: [] - InstallationPaths: - - C:\Program Files (x86)\CloudBuckIt\* - - '*\CloudBuckIt\*' - - '*\CloudBuckIt*.exe' -Artifacts: - Disk: [] - EventLog: [] - Registry: [] - Network: [] -Detections: -- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudbuckit_processes_sigma.yml - Description: Detects potential processes activity of CloudBuckIt RMM tool -References: [] -Acknowledgement: [] diff --git a/yaml/cloudgopher.yaml b/yaml/cloudgopher.yaml deleted file mode 100644 index 346e147d..00000000 --- a/yaml/cloudgopher.yaml +++ /dev/null @@ -1,27 +0,0 @@ -Name: CloudGopher -Description: CloudGopher is a remote monitoring and management (RMM) tool. More information - will be added as it becomes available. -Author: '' -Created: '' -LastModified: '' -Details: - Website: '' - PEMetadata: - Filename: '' - OriginalFileName: '' - Description: '' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: [] - Capabilities: [] - Vulnerabilities: [] - InstallationPaths: [] -Artifacts: - Disk: [] - EventLog: [] - Registry: [] - Network: [] -Detections: [] -References: [] -Acknowledgement: [] diff --git a/yaml/cloudsfer.yaml b/yaml/cloudsfer.yaml deleted file mode 100644 index 73979628..00000000 --- a/yaml/cloudsfer.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -Name: Cloudsfer -Description: Cloudsfer is a remote monitoring and management (RMM) tool. More information - will be added as it becomes available. -Author: '' -Created: '' -LastModified: '' -Details: - Website: '' - PEMetadata: - Filename: '' - OriginalFileName: '' - Description: '' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: [] - Capabilities: [] - Vulnerabilities: [] - InstallationPaths: [] -Artifacts: - Disk: [] - EventLog: [] - Registry: [] - Network: [] -Detections: [] -References: [] -Acknowledgement: [] diff --git a/yaml/core_ftp.yaml b/yaml/core_ftp.yaml deleted file mode 100644 index 76e5a50b..00000000 --- a/yaml/core_ftp.yaml +++ /dev/null @@ -1,31 +0,0 @@ -Name: Core FTP -Description: Core FTP is a remote monitoring and management (RMM) tool. More information - will be added as it becomes available. -Author: '' -Created: '' -LastModified: '' -Details: - Website: '' - PEMetadata: - Filename: '' - OriginalFileName: '' - Description: '' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: [] - Capabilities: [] - Vulnerabilities: [] - InstallationPaths: - - C:\*\coreftplite.exe - - '*\coreftplite.exe' -Artifacts: - Disk: [] - EventLog: [] - Registry: [] - Network: [] -Detections: -- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/core_ftp_processes_sigma.yml - Description: Detects potential processes activity of Core FTP RMM tool -References: [] -Acknowledgement: [] diff --git a/yaml/cruz.yaml b/yaml/cruz.yaml deleted file mode 100644 index 1bf82391..00000000 --- a/yaml/cruz.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -Name: Cruz -Description: Cruz is a remote monitoring and management (RMM) tool. More information - will be added as it becomes available. -Author: '' -Created: '' -LastModified: '' -Details: - Website: '' - PEMetadata: - Filename: '' - OriginalFileName: '' - Description: '' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: [] - Capabilities: [] - Vulnerabilities: [] - InstallationPaths: [] -Artifacts: - Disk: [] - EventLog: [] - Registry: [] - Network: - - Description: Known remote domains - Domains: - - resources.doradosoftware.com/cruz-rmm - Ports: [] -Detections: -- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cruz_network_sigma.yml - Description: Detects potential network activity of Cruz RMM tool -References: [] -Acknowledgement: [] diff --git a/yaml/cuteftp.yaml b/yaml/cuteftp.yaml deleted file mode 100644 index ef266253..00000000 --- a/yaml/cuteftp.yaml +++ /dev/null @@ -1,32 +0,0 @@ -Name: CuteFTP -Description: CuteFTP is a remote monitoring and management (RMM) tool. More information - will be added as it becomes available. -Author: '' -Created: '' -LastModified: '' -Details: - Website: '' - PEMetadata: - Filename: '' - OriginalFileName: '' - Description: '' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: [] - Capabilities: [] - Vulnerabilities: [] - InstallationPaths: - - C:\Program Files (x86)\Globalscape\CuteFTP\* - - '*\Globalscape\CuteFTP\*' - - '*\cuteftppro.exe' -Artifacts: - Disk: [] - EventLog: [] - Registry: [] - Network: [] -Detections: -- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cuteftp_processes_sigma.yml - Description: Detects potential processes activity of CuteFTP RMM tool -References: [] -Acknowledgement: [] diff --git a/yaml/cyberduck.yaml b/yaml/cyberduck.yaml deleted file mode 100644 index 82368f9a..00000000 --- a/yaml/cyberduck.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ -Name: Cyberduck -Description: Cyberduck is a remote monitoring and management (RMM) tool. More information - will be added as it becomes available. -Author: '' -Created: '' -LastModified: '' -Details: - Website: '' - PEMetadata: - Filename: '' - OriginalFileName: '' - Description: '' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: [] - Capabilities: [] - Vulnerabilities: [] - InstallationPaths: - - C:\Program Files\Cyberduck\* - - '*\Cyberduck\*' - - '*\Cyberduck.exe' -Artifacts: - Disk: [] - EventLog: [] - Registry: [] - Network: [] -Detections: -- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cyberduck_processes_sigma.yml - Description: Detects potential processes activity of Cyberduck RMM tool -References: [] -Acknowledgement: [] diff --git a/yaml/dameware-mini_remote_control_protocol.yaml b/yaml/dameware-mini_remote_control_protocol.yaml deleted file mode 100644 index 3df39f99..00000000 --- a/yaml/dameware-mini_remote_control_protocol.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -Name: Dameware-mini remote control Protocol -Description: Dameware-mini remote control Protocol is a remote monitoring and management - (RMM) tool. More information will be added as it becomes available. -Author: '' -Created: '' -LastModified: '' -Details: - Website: '' - PEMetadata: - Filename: '' - OriginalFileName: '' - Description: '' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: [] - Capabilities: [] - Vulnerabilities: [] - InstallationPaths: - - dntus*.exe - - dwrcs.exe -Artifacts: - Disk: [] - EventLog: [] - Registry: [] - Network: - - Description: Known remote domains - Domains: - - dameware.com - Ports: [] -Detections: -- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware-mini_remote_control_protocol_network_sigma.yml - Description: Detects potential network activity of Dameware-mini remote control - Protocol RMM tool -- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware-mini_remote_control_protocol_processes_sigma.yml - Description: Detects potential processes activity of Dameware-mini remote control - Protocol RMM tool -References: [] -Acknowledgement: [] diff --git a/yaml/dameware.yaml b/yaml/dameware.yaml index f0146ac1..7ec75f00 100644 --- a/yaml/dameware.yaml +++ b/yaml/dameware.yaml @@ -21,6 +21,7 @@ Details: - DameWare Mini Remote Control*.exe - "C:\\Windows\\dwrcs\\*\n c:\\Program File\\SolarWinds\\Dameware Mini Remote Control\\\ *" + - dntus*.exe - dwrcs.exe - '*\dwrcs\*' - '*\dwrcst.exe' 
@@ -30,8 +31,15 @@ Artifacts: Disk: [] EventLog: [] Registry: [] - Network: [] + Network: + - Description: Known remote domains + Domains: + - dameware.com + Ports: [] Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware-mini_remote_control_protocol_network_sigma.yml + Description: Detects potential network activity of Dameware-mini remote control + Protocol RMM tool - Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware_processes_sigma.yml Description: Detects potential processes activity of DameWare RMM tool References: diff --git a/yaml/datto.yaml b/yaml/datto.yaml deleted file mode 100644 index 3d66d27b..00000000 --- a/yaml/datto.yaml +++ /dev/null @@ -1,33 +0,0 @@ -Name: Datto -Description: Datto is a remote monitoring and management (RMM) tool. More information - will be added as it becomes available. -Author: '' -Created: '' -LastModified: '' -Details: - Website: '' - PEMetadata: - Filename: '' - OriginalFileName: '' - Description: '' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: [] - Capabilities: [] - Vulnerabilities: [] - InstallationPaths: [] -Artifacts: - Disk: [] - EventLog: [] - Registry: [] - Network: - - Description: Known remote domains - Domains: - - datto.com - Ports: [] -Detections: -- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/datto_network_sigma.yml - Description: Detects potential network activity of Datto RMM tool -References: [] -Acknowledgement: [] diff --git a/yaml/desktopcentral.yaml b/yaml/desktopcentral.yaml deleted file mode 100644 index ad359adb..00000000 --- a/yaml/desktopcentral.yaml +++ /dev/null 
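Review bot: The Sigma link added under Detections points at `dameware-mini_remote_control_protocol_network_sigma.yml`, a rule named after the entry this commit deletes, while the existing process rule in the same list is `dameware_processes_sigma.yml`; if the rule files are generated from each entry's Name, the merged entry will produce a differently named network rule and this link will dangle. I would name the link after the surviving entry and align the wording with the process rule, `Description: Detects potential network activity of DameWare RMM tool`, instead of the two-line "Dameware-mini remote control Protocol" text. The moved domain is the bare `dameware.com`, which differs from the wildcard form used in the deleted bomgar entry (`'*.bomgarcloud.com'`) and appears to be the vendor's corporate site rather than an agent endpoint, so a rule keyed on it may both miss subdomains and fire on ordinary browsing; confirm the intended pattern. The previous hunk on this file, adding `dntus*.exe` to InstallationPaths, is a straightforward merge of the deleted entry.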
@@ -1,36 +0,0 @@ -Name: Desktop Central -Description: Desktop Central is a remote monitoring and management (RMM) tool. More - information will be added as it becomes available. -Author: '' -Created: '' -LastModified: '' -Details: - Website: '' - PEMetadata: - Filename: '' - OriginalFileName: '' - Description: '' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: [] - Capabilities: [] - Vulnerabilities: [] - InstallationPaths: - - dcagentservice.exe -Artifacts: - Disk: [] - EventLog: [] - Registry: [] - Network: - - Description: Known remote domains - Domains: - - desktopcentral.manageengine.com - Ports: [] -Detections: -- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktop_central_network_sigma.yml - Description: Detects potential network activity of Desktop Central RMM tool -- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktop_central_processes_sigma.yml - Description: Detects potential processes activity of Desktop Central RMM tool -References: [] -Acknowledgement: [] diff --git a/yaml/distant_desktop.yaml b/yaml/distant_desktop.yaml index 5e66a438..4ed239e7 100644 --- a/yaml/distant_desktop.yaml +++ b/yaml/distant_desktop.yaml @@ -17,9 +17,9 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - distant-desktop.exe - - dd.exe - ddsystem.exe + - dd.exe + - distant-desktop.exe Artifacts: Disk: [] EventLog: [] diff --git a/yaml/distantdesktop.yaml b/yaml/distantdesktop.yaml deleted file mode 100644 index 4ed239e7..00000000 --- a/yaml/distantdesktop.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -Name: Distant Desktop -Description: Distant Desktop is a remote monitoring and management (RMM) tool. More - information will be added as it becomes available. -Author: '' -Created: '' -LastModified: 2/8/2024 -Details: - Website: '' - PEMetadata: - Filename: '' - OriginalFileName: '' - Description: '' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: [] - Capabilities: [] - Vulnerabilities: [] - InstallationPaths: - - ddsystem.exe - - dd.exe - - distant-desktop.exe -Artifacts: - Disk: [] - EventLog: [] - Registry: [] - Network: - - Description: Known remote domains - Domains: - - '*.distantdesktop.com' - - '*signalserver.xyz' - Ports: [] -Detections: -- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_network_sigma.yml - Description: Detects potential network activity of Distant Desktop RMM tool -- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_processes_sigma.yml - Description: Detects potential processes activity of Distant Desktop RMM tool -References: -- https://www.distantdesktop.com/manual/first-start.htm -Acknowledgement: [] diff --git a/yaml/dropbox.yaml b/yaml/dropbox.yaml deleted file mode 100644 index d9323833..00000000 --- a/yaml/dropbox.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -Name: Dropbox -Description: Dropbox is a remote monitoring and management (RMM) tool. More information - will be added as it becomes available. -Author: '' -Created: '' -LastModified: '' -Details: - Website: '' - PEMetadata: - Filename: '' - OriginalFileName: '' - Description: '' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: [] - Capabilities: [] - Vulnerabilities: [] - InstallationPaths: - - C:\Program Files (x86)\Dropbox\Client\* - - '*\Dropbox\Client\*' - - '*\Dropbox.exe' - - '*Users\*\Dropbox\bin\' -Artifacts: - Disk: [] - EventLog: [] - Registry: [] - Network: [] -Detections: -- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dropbox_processes_sigma.yml - Description: Detects potential processes activity of Dropbox RMM tool -References: [] -Acknowledgement: [] diff --git a/yaml/dw_service.yaml b/yaml/dw_service.yaml index 269e67eb..049edfed 100644 --- a/yaml/dw_service.yaml +++ b/yaml/dw_service.yaml @@ -17,7 +17,6 @@ Details: Capabilities: [] Vulnerabilities: [] InstallationPaths: - - dwagsvc.exe - dwagent.exe - dwagsvc.exe Artifacts: diff --git a/yaml/dwservice.yaml b/yaml/dwservice.yaml deleted file mode 100644 index 049edfed..00000000 --- a/yaml/dwservice.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -Name: DW Service -Description: DW Service is a remote monitoring and management (RMM) tool. More information - will be added as it becomes available. -Author: '' -Created: '' -LastModified: 2/7/2024 -Details: - Website: '' - PEMetadata: - Filename: '' - OriginalFileName: '' - Description: '' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: [] - Capabilities: [] - Vulnerabilities: [] - InstallationPaths: - - dwagent.exe - - dwagsvc.exe -Artifacts: - Disk: [] - EventLog: [] - Registry: [] - Network: - - Description: Known remote domains - Domains: - - '*.dwservice.net' - Ports: [] -Detections: -- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_network_sigma.yml - Description: Detects potential network activity of DW Service RMM tool -- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_processes_sigma.yml - Description: Detects potential processes activity of DW Service RMM tool -References: -- https://news.dwservice.net/dwservice-security-infrastructure/ -Acknowledgement: [] diff --git a/yaml/electric.yaml b/yaml/electric.yaml deleted file mode 100644 index 4d61b5f5..00000000 --- a/yaml/electric.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -Name: Electric -Description: Electric is a remote monitoring and management (RMM) tool. More information - will be added as it becomes available. -Author: '' -Created: '' -LastModified: '' -Details: - Website: '' - PEMetadata: - Filename: '' - OriginalFileName: '' - Description: '' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: [] - Capabilities: [] - Vulnerabilities: [] - InstallationPaths: [] -Artifacts: - Disk: [] - EventLog: [] - Registry: [] - Network: - - Description: Known remote domains - Domains: - - electric.ai - Ports: [] -Detections: -- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/electric_network_sigma.yml - Description: Detects potential network activity of Electric RMM tool -References: [] -Acknowledgement: [] diff --git a/yaml/electric_ai_(kaseya).yaml b/yaml/electric_ai_(kaseya).yaml index b3fa8c52..b4c84039 100644 --- a/yaml/electric_ai_(kaseya).yaml +++ b/yaml/electric_ai_(kaseya).yaml @@ -21,8 +21,14 @@ Artifacts: Disk: [] EventLog: [] Registry: [] - Network: [] -Detections: [] + Network: + - Description: Known remote domains + Domains: + - electric.ai + Ports: [] +Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/electric_network_sigma.yml + Description: Detects potential network activity of Electric RMM tool References: - https://www.electric.ai/product/device-management-solutions - Usess Kaseya/jamf Acknowledgement: [] diff --git a/yaml/manage_engine_(desktop_central).yaml b/yaml/manage_engine_(desktop_central).yaml index 2e5f1249..08227814 100644 --- a/yaml/manage_engine_(desktop_central).yaml +++ b/yaml/manage_engine_(desktop_central).yaml 
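Review bot: The Sigma Description added here reads `Detects potential network activity of Electric RMM tool` and the link is `electric_network_sigma.yml`, both carrying the name of the deleted electric.yaml rather than this entry's Name; if rule files are regenerated per entry the link will dangle, and the text should read `Description: Detects potential network activity of Electric AI (Kaseya) RMM tool`. The domain moved in, `electric.ai`, looks like the vendor's marketing site rather than an agent endpoint (the entry's own reference is a product page on it), so a network rule keyed on that hostname will likely fire on ordinary browsing; say so in the Description or mark the entry as still needing a verified agent domain.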
@@ -34,12 +34,9 @@ Artifacts:
     - '*.-dms.zoho.com.cn'
     Ports: []
 Detections:
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manage_engine__desktop_central__network_sigma.yml
-  Description: Detects potential network activity of Manage Engine (Desktop Central)
-    RMM tool
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manage_engine__desktop_central__processes_sigma.yml
-  Description: Detects potential processes activity of Manage Engine (Desktop Central)
-    RMM tool
-References:
-- https://www.manageengine.com/products/desktop-central/help/domains-required-for-agent-communication.html
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktop_central_network_sigma.yml
+  Description: Detects potential network activity of Desktop Central RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktop_central_processes_sigma.yml
+  Description: Detects potential processes activity of Desktop Central RMM tool
+References: []
 Acknowledgement: []
diff --git a/yaml/microsoft_quick_assist.yaml b/yaml/microsoft_quick_assist.yaml
index 5104da16..2451082f 100644
--- a/yaml/microsoft_quick_assist.yaml
+++ b/yaml/microsoft_quick_assist.yaml
@@ -3,7 +3,7 @@ Description: Microsoft Quick Assist is a remote monitoring and management (RMM)
   More information will be added as it becomes available.
 Author: ''
 Created: ''
-LastModified: 2/9/2024
+LastModified: ''
 Details:
   Website: ''
   PEMetadata:
@@ -26,6 +26,7 @@ Artifacts:
   - Description: Known remote domains
     Domains:
     - user_managed
+    - '*.support.services.microsoft.com'
     Ports: []
 Detections:
 - Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_quick_assist_network_sigma.yml
diff --git a/yaml/microsoft_rdp.yaml b/yaml/microsoft_rdp.yaml
index e0e0c380..03ef749c 100644
--- a/yaml/microsoft_rdp.yaml
+++ b/yaml/microsoft_rdp.yaml
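Review bot: `References: []` drops the only provenance for this entry, the ManageEngine "domains required for agent communication" page, even though the `*.-dms.zoho.com.cn` domain list kept as context above is the kind of data that page documents; keep it as `References:` / `- https://www.manageengine.com/products/desktop-central/help/domains-required-for-agent-communication.html`. The replacement Sigma links (`desktop_central_network_sigma.yml`, `desktop_central_processes_sigma.yml`) and their Descriptions are named after the deleted desktopcentral.yaml rather than this file's Name, so if rules are generated per entry the links may dangle and the descriptions read as a different product; consider `Description: Detects potential network activity of Manage Engine (Desktop Central) RMM tool`. Whether the previously linked manage_engine__desktop_central__*_sigma.yml rule files are removed or renamed in this commit is not visible in this patch.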
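Review bot: `LastModified: ''` clears the entry's modification date in the same commit that adds a domain to it, so the field goes from stale to absent rather than current. Set it to the date of this change in the `M/D/YYYY` form the other entries use, e.g. `LastModified: 9/30/2024` from the patch date, or if the intent is that tooling owns this field, drop it consistently across entries instead of blanking it in one file.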
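Review bot: The new `'*.support.services.microsoft.com'` entry sits alongside the `user_managed` placeholder, so a rule generated from this Domains list would still carry the literal string `user_managed` as a hostname; with a concrete domain now present, remove the placeholder or move that remark into Description. That hostname also appears to be shared by other Microsoft support features, so a network match on it alone is a weak signal for Quick Assist; worth stating in the Description that it should be correlated with process telemetry for the Quick Assist binary.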
@@ -17,7 +17,9 @@ Details:
   Capabilities: []
   Vulnerabilities: []
   InstallationPaths:
+  - termsrv.exe
   - mstsc.exe
+  - Microsoft Remote Desktop
 Artifacts:
   Disk: []
   EventLog: []
diff --git a/yaml/microsoft_tsc.yaml b/yaml/microsoft_tsc.yaml
index 393b9f50..8f46d55d 100644
--- a/yaml/microsoft_tsc.yaml
+++ b/yaml/microsoft_tsc.yaml
@@ -18,6 +18,7 @@ Details:
   Vulnerabilities: []
   InstallationPaths:
   - termsrv.exe
+  - mstsc.exe
 Artifacts:
   Disk: []
   EventLog: []
diff --git a/yaml/microsoftrdp.yaml b/yaml/microsoftrdp.yaml
deleted file mode 100644
index 03ef749c..00000000
--- a/yaml/microsoftrdp.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-Name: Microsoft RDP
-Description: Microsoft RDP is a remote monitoring and management (RMM) tool. More
-  information will be added as it becomes available.
-Author: ''
-Created: ''
-LastModified: 2/8/2024
-Details:
-  Website: ''
-  PEMetadata:
-    Filename: ''
-    OriginalFileName: ''
-    Description: ''
-  Privileges: ''
-  Free: ''
-  Verification: ''
-  SupportedOS: []
-  Capabilities: []
-  Vulnerabilities: []
-  InstallationPaths:
-  - termsrv.exe
-  - mstsc.exe
-  - Microsoft Remote Desktop
-Artifacts:
-  Disk: []
-  EventLog: []
-  Registry: []
-  Network: []
-Detections:
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_rdp_processes_sigma.yml
-  Description: Detects potential processes activity of Microsoft RDP RMM tool
-References:
-- https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/windows
-Acknowledgement: []
diff --git a/yaml/microsofttsc.yaml b/yaml/microsofttsc.yaml
deleted file mode 100644
index 8f46d55d..00000000
--- a/yaml/microsofttsc.yaml
+++ /dev/null
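Review bot: After this change microsoft_rdp.yaml and microsoft_tsc.yaml both list `termsrv.exe` and `mstsc.exe` under InstallationPaths, so the two surviving entries now overlap on exactly the items this commit sets out to deduplicate; either one should absorb the other, or each Description should state the split (client binary vs. Terminal Services host) that justifies two entries. `Microsoft Remote Desktop` is an application display name rather than a file or path, so a process-name rule generated from this list would carry a literal that never matches an image name; record it under Details or in the Description instead. On current Windows the Terminal Services host runs as a DLL inside svchost rather than as a standalone `termsrv.exe`, so confirm the expected image name before keeping that entry. The microsoft_tsc hunk on this same line has the same overlap and is covered by this note.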
@@ -1,32 +0,0 @@ -Name: Microsoft TSC -Description: Microsoft TSC is a remote monitoring and management (RMM) tool. More - information will be added as it becomes available. -Author: '' -Created: '' -LastModified: 2/8/2024 -Details: - Website: '' - PEMetadata: - Filename: '' - OriginalFileName: '' - Description: '' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: [] - Capabilities: [] - Vulnerabilities: [] - InstallationPaths: - - termsrv.exe - - mstsc.exe -Artifacts: - Disk: [] - EventLog: [] - Registry: [] - Network: [] -Detections: -- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_tsc_processes_sigma.yml - Description: Detects potential processes activity of Microsoft TSC RMM tool -References: -- https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/terminal-server-startup-connection-application -Acknowledgement: []