diff --git a/detections/sigma/atera_processes_sigma.yml b/detections/sigma/atera_processes_sigma.yml
index 247e45b2..fca65b18 100644
--- a/detections/sigma/atera_processes_sigma.yml
+++ b/detections/sigma/atera_processes_sigma.yml
@@ -9,7 +9,6 @@ detection:
 - '*\AgentPackageTaskScheduler.exe'
 - '*\AteraAgent.exe'
 - atera_agent.exe
-- atera_agent.exe
 - ateraagent.exe
 - syncrosetup.exe
 condition: selection
diff --git a/detections/sigma/aweray__awesun__processes_sigma.yml b/detections/sigma/aweray__awesun__processes_sigma.yml
deleted file mode 100644
index 870fcae2..00000000
--- a/detections/sigma/aweray__awesun__processes_sigma.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-title: Potential AweRay (AweSun) RMM Tool Process Activity
-logsource:
- product: windows
- category: process_creation
-detection:
- selection:
- ParentImage|endswith:
- - aweray_remote*.exe
- - AweSun.exe
- condition: selection
-id: e32b8f65-ab9d-4668-a811-d99d471b085d
-status: experimental
-description: Detects potential processes activity of AweRay (AweSun) RMM tool
-author: LOLRMM Project
-date: 2024/08/07
-tags:
-- attack.execution
-- attack.t1219
-falsepositives:
-- Legitimate use of AweRay (AweSun)
-level: medium
diff --git a/detections/sigma/dw_service_processes_sigma.yml b/detections/sigma/dw_service_processes_sigma.yml
index d3c64186..ac215c95 100644
--- a/detections/sigma/dw_service_processes_sigma.yml
+++ b/detections/sigma/dw_service_processes_sigma.yml
@@ -7,7 +7,6 @@ detection:
 ParentImage|endswith:
 - dwagsvc.exe
 - dwagent.exe
-- dwagsvc.exe
 condition: selection
 id: 5652feeb-de11-4703-a3fb-1d43fc633ebc
 status: experimental
diff --git a/detections/sigma/fleetdeck_processes_sigma.yml b/detections/sigma/fleetdeck_processes_sigma.yml
deleted file mode 100644
index 7307ee20..00000000
--- a/detections/sigma/fleetdeck_processes_sigma.yml
+++ /dev/null
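Review bot: With the duplicate `atera_agent.exe` gone, the atera selection still carries both `'*\AteraAgent.exe'` and `ateraagent.exe`; Sigma string matching is case-insensitive by default, so the bare name already covers everything the path-prefixed value matches, and the pair is as redundant as the case variants the ultraviewer hunk removes. The bare values here and in the dw_service, tactical_rmm and ultraviewer hunks are also unanchored: under an `endswith` modifier `ateraagent.exe` matches any image whose name merely ends in that string, so consider prefixing each value with a path separator, e.g. `- '\ateraagent.exe'`, as the `'*\...'` entries already do. The field these values belong to sits above the hunk, so the modifier is inferred from the sibling rules (`ParentImage|endswith`); the selection's enclosing mapping starts outside the hunk.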
@@ -1,20 +0,0 @@
-title: Potential FleetDeck RMM Tool Process Activity
-logsource:
- product: windows
- category: process_creation
-detection:
- selection:
- ParentImage|endswith:
- - fleetdeck_agent_svc.exe
- condition: selection
-id: b8194fd9-f7a9-4c15-97cd-34351971c00b
-status: experimental
-description: Detects potential processes activity of FleetDeck RMM tool
-author: LOLRMM Project
-date: 2024/08/07
-tags:
-- attack.execution
-- attack.t1219
-falsepositives:
-- Legitimate use of FleetDeck
-level: medium
diff --git a/detections/sigma/fleetdesk.io_processes_sigma.yml b/detections/sigma/fleetdesk.io_processes_sigma.yml
deleted file mode 100644
index e5785110..00000000
--- a/detections/sigma/fleetdesk.io_processes_sigma.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-title: Potential FleetDesk.io RMM Tool Process Activity
-logsource:
- product: windows
- category: process_creation
-detection:
- selection:
- ParentImage|endswith:
- - fleetdeck_agent_svc.exe
- - fleetdeck_commander_svc.exe
- - fleetdeck_installer.exe
- - fleetdeck_agent.exe
- - fleetdeck_commander_launcher.exe
- condition: selection
-id: 6d868e41-b759-4e0e-976d-7e3ce05b7b87
-status: experimental
-description: Detects potential processes activity of FleetDesk.io RMM tool
-author: LOLRMM Project
-date: 2024/08/07
-tags:
-- attack.execution
-- attack.t1219
-falsepositives:
-- Legitimate use of FleetDesk.io
-level: medium
diff --git a/detections/sigma/labteach__connectwise_automate__processes_sigma.yml b/detections/sigma/labteach__connectwise_automate__processes_sigma.yml
deleted file mode 100644
index bae7182c..00000000
--- a/detections/sigma/labteach__connectwise_automate__processes_sigma.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-title: Potential LabTeach (Connectwise Automate) RMM Tool Process Activity
-logsource:
- product: windows
- category: process_creation
-detection:
- selection:
- ParentImage|endswith:
- - ltsvc.exe
- condition: selection
-id: 3696a0f8-c8a0-417a-a408-e9bdf4caf318
-status: experimental
-description: Detects potential processes activity of LabTeach (Connectwise Automate)
- RMM tool
-author: LOLRMM Project
-date: 2024/08/07
-tags:
-- attack.execution
-- attack.t1219
-falsepositives:
-- Legitimate use of LabTeach (Connectwise Automate)
-level: medium
diff --git a/detections/sigma/mionet__also_known_as_wd_anywhere_access__processes_sigma.yml b/detections/sigma/mionet__also_known_as_wd_anywhere_access__processes_sigma.yml
deleted file mode 100644
index 38dd0905..00000000
--- a/detections/sigma/mionet__also_known_as_wd_anywhere_access__processes_sigma.yml
+++ /dev/null
@@ -1,22 +0,0 @@
-title: Potential MioNet (Also known as WD Anywhere Access) RMM Tool Process Activity
-logsource:
- product: windows
- category: process_creation
-detection:
- selection:
- ParentImage|endswith:
- - mionet.exe
- - mionetmanager.exe
- condition: selection
-id: 88102b66-9f64-425c-86cf-fb29cdd68806
-status: experimental
-description: Detects potential processes activity of MioNet (Also known as WD Anywhere
- Access) RMM tool
-author: LOLRMM Project
-date: 2024/08/07
-tags:
-- attack.execution
-- attack.t1219
-falsepositives:
-- Legitimate use of MioNet (Also known as WD Anywhere Access)
-level: medium
diff --git a/detections/sigma/netop_remote_control__aka_impero_connect__processes_sigma.yml b/detections/sigma/netop_remote_control__aka_impero_connect__processes_sigma.yml
deleted file mode 100644
index 765d83b4..00000000
--- a/detections/sigma/netop_remote_control__aka_impero_connect__processes_sigma.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-title: Potential Netop Remote Control (aka Impero Connect) RMM Tool Process Activity
-logsource:
- product: windows
- category: process_creation
-detection:
- selection:
- ParentImage|endswith:
- - nhostsvc.exe
- - nhstw32.exe
- - nldrw32.exe
- - rmserverconsolemediator.exe
- condition: selection
-id: 3a4303d5-7d7f-4ea2-9d7e-f218c5971713
-status: experimental
-description: Detects potential processes activity of Netop Remote Control (aka Impero
- Connect) RMM tool
-author: LOLRMM Project
-date: 2024/08/07
-tags:
-- attack.execution
-- attack.t1219
-falsepositives:
-- Legitimate use of Netop Remote Control (aka Impero Connect)
-level: medium
diff --git a/detections/sigma/royal_ts_processes_sigma.yml b/detections/sigma/royal_ts_processes_sigma.yml
deleted file mode 100644
index 206bdd61..00000000
--- a/detections/sigma/royal_ts_processes_sigma.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-title: Potential Royal TS RMM Tool Process Activity
-logsource:
- product: windows
- category: process_creation
-detection:
- selection:
- ParentImage|endswith:
- - royalts.exe
- condition: selection
-id: 5a1504da-daca-4287-995f-3b911f517848
-status: experimental
-description: Detects potential processes activity of Royal TS RMM tool
-author: LOLRMM Project
-date: 2024/08/07
-tags:
-- attack.execution
-- attack.t1219
-falsepositives:
-- Legitimate use of Royal TS
-level: medium
diff --git a/detections/sigma/splashtop_processes_sigma.yml b/detections/sigma/splashtop_processes_sigma.yml
deleted file mode 100644
index cdb911c5..00000000
--- a/detections/sigma/splashtop_processes_sigma.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-title: Potential Splashtop RMM Tool Process Activity
-logsource:
- product: windows
- category: process_creation
-detection:
- selection:
- ParentImage|endswith:
- - strwinclt.exe
- condition: selection
-id: 7fb2bbef-d140-461d-aca3-9c0cfe6d3d4b
-status: experimental
-description: Detects potential processes activity of Splashtop RMM tool
-author: LOLRMM Project
-date: 2024/08/07
-tags:
-- attack.execution
-- attack.t1219
-falsepositives:
-- Legitimate use of Splashtop
-level: medium
diff --git a/detections/sigma/tactical_rmm_processes_sigma.yml b/detections/sigma/tactical_rmm_processes_sigma.yml
index b2cd0e90..507a5ca4 100644
--- a/detections/sigma/tactical_rmm_processes_sigma.yml
+++ b/detections/sigma/tactical_rmm_processes_sigma.yml
@@ -6,7 +6,6 @@ detection:
 selection:
 ParentImage|endswith:
 - tacticalrmm.exe
-- tacticalrmm.exe
 condition: selection
 id: 58f7ad72-6d1a-46b6-b998-4a984395f7d5
 status: experimental
diff --git a/detections/sigma/ultraviewer_processes_sigma.yml b/detections/sigma/ultraviewer_processes_sigma.yml
index 0c356ffd..c0147e12 100644
--- a/detections/sigma/ultraviewer_processes_sigma.yml
+++ b/detections/sigma/ultraviewer_processes_sigma.yml
@@ -12,8 +12,6 @@ detection:
 - '*\UltraViewer_Desktop.exe'
 - ultraviewer_desktop.exe
 - ultraviewer_service.exe
-- UltraViewer_Desktop.exe
-- UltraViewer_Service.exe
 condition: selection
 id: 71b5a484-76c9-4341-9267-f4b7eb8fd8a3
 status: experimental
diff --git a/yaml/access_remote_pc.yaml b/yaml/access_remote_pc.yaml
index 6ef6485f..aca73082 100644
--- a/yaml/access_remote_pc.yaml
+++ b/yaml/access_remote_pc.yaml
@@ -3,29 +3,67 @@ Description: Access Remote PC is a remote monitoring and management (RMM) tool.
 information will be added as it becomes available.
 Author: ''
 Created: ''
-LastModified: 2/7/2024
+LastModified: '2024-10-07'
 Details:
- Website: ''
+ Website: https://www.remotedesktop.com/
 PEMetadata:
- Filename: ''
- OriginalFileName: ''
- Description: ''
- Privileges: ''
- Free: ''
- Verification: ''
- SupportedOS: []
+ Filename:
+ OriginalFileName:
+ Description:
+ Privileges:
+ Free: true
+ Verification: true
+ SupportedOS:
+ - Windows
+ - Mac
+ - Linux
+ - Android
+ - iOS
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - rpcgrab.exe
- - rpcsetup.exe
+ - C:\Program Files (x86)\RemotePC\*
 Artifacts:
- Disk: []
- EventLog: []
+ Disk:
+ - File: 'C:\Program Files (x86)\RemotePC\RemotePCUIU.exe'
+ Description: RemotePC service binary
+ OS: Windows
+ - File: C:\Program Files (x86)\RemotePC\*
+ Description: Multiple files and binaries related to RemotePC installation
+ OS: Windows
+ EventLog:
+ - EventID: 7045
+ ProviderName: Service Control Manager
+ LogFile: System.evtx
+ ServiceName: RemotePC Performance Service
+ ImagePath: '"C:\\Program Files (x86)\\RemotePC\\RemotePCPerformance\\RPCPerformanceService.exe"'
+ Description: Service installation event as result of RemotePC installation.
+ - EventID: 4688
+ ProviderName: Microsoft-Security-Auditing
+ LogFile: Security.evtx
+ CommandLine: sc create RPCService start=auto binpath="C:\\Program Files (x86)\\RemotePC\\RemotePCService.exe"
+ Description: Executing command to install RemotePC service.
+ - EventID: 4688
+ ProviderName: Microsoft-Security-Auditing
+ LogFile: Security.evtx
+ CommandLine: C:\\Windows\\system32\\schtasks /create /SC DAILY /st 12:00 /TN "RPCPerformanceHealthCheck" /TR "C:\\Program Files (x86)\\RemotePC\\RemotePCPerformance\\RPCPerformanceDownloader.exe" /rl HIGHEST /ru system
+ Description: Executing command to create RemotePC HealthCheck scheduled task.
+ - EventID: 4688
+ ProviderName: Microsoft-Security-Auditing
+ LogFile: Security.evtx
+ CommandLine: "C:\\Windows\\regedit.exe /s C:\\Program Files (x86)\\RemotePC\\Register.reg"
+ Description: Executing command to install various registry changes related to RemotePC.
+ - EventID: 4688
+ ProviderName: Microsoft-Security-Auditing
+ LogFile: Security.evtx
+ CommandLine: netsh advfirewall firewall add rule name="RemotePCDesktop" enable=yes dir=in action=allow profile=any program="C:\Program Files (x86)\RemotePC\RemotePCDesktop.exe" description="This program is used for File Transfer and is part of RemotePC product."
+ Description: Executing command to add local firewall rule to allow inbound traffic for RemotePC.
 Registry: []
 Network: []
 Detections:
 - Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/access_remote_pc_processes_sigma.yml
 Description: Detects potential processes activity of Access Remote PC RMM tool
 References: []
-Acknowledgement: []
+Acknowledgement:
+- Person: Daniel Koifman
+ Handle: '@koifsec'
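Review bot: The Windows paths in the new EventLog artifacts are escaped inconsistently, so a YAML loader yields values that disagree with each other: the single-quoted `ImagePath` and the plain `sc create ...` and `schtasks ...` command lines keep their doubled backslashes literally, while the double-quoted `regedit.exe` line and the plain `netsh ...` line load with single backslashes. Any consumer that renders or matches these as literal strings will agree with the recorded event for only two of the five, so single-quote every value with single backslashes, e.g. `ImagePath: '"C:\Program Files (x86)\RemotePC\RemotePCPerformance\RPCPerformanceService.exe"'` and `CommandLine: 'sc create RPCService start=auto binpath="C:\Program Files (x86)\RemotePC\RemotePCService.exe"'`. `ProviderName: Microsoft-Security-Auditing` on the four 4688 entries is not the name the Security log records for that event, `Microsoft-Windows-Security-Auditing`, which matters if these artifacts feed detection generation. The emptied PEMetadata keys (`Filename:` through `Privileges:`) now load as null where the replaced `''` values were empty strings; write `''` or `null` explicitly so the intended type is visible to readers and validators.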