magicsword-io · Koifman · Oct 7, 2024 · Oct 7, 2024 · Oct 9, 2024 · Oct 9, 2024
diff --git a/detections/sigma/atera_processes_sigma.yml b/detections/sigma/atera_processes_sigma.yml
@@ -9,7 +9,6 @@ detection:
     - '*\AgentPackageTaskScheduler.exe'
     - '*\AteraAgent.exe'
     - atera_agent.exe
-    - atera_agent.exe
     - ateraagent.exe
     - syncrosetup.exe
   condition: selection

diff --git a/detections/sigma/aweray__awesun__processes_sigma.yml b/detections/sigma/aweray__awesun__processes_sigma.yml
diff --git a/detections/sigma/dw_service_processes_sigma.yml b/detections/sigma/dw_service_processes_sigma.yml
@@ -7,7 +7,6 @@ detection:
     ParentImage|endswith:
     - dwagsvc.exe
     - dwagent.exe
-    - dwagsvc.exe
   condition: selection
 id: 5652feeb-de11-4703-a3fb-1d43fc633ebc
 status: experimental

diff --git a/detections/sigma/fleetdeck_processes_sigma.yml b/detections/sigma/fleetdeck_processes_sigma.yml
diff --git a/detections/sigma/fleetdesk.io_processes_sigma.yml b/detections/sigma/fleetdesk.io_processes_sigma.yml
diff --git a/detections/sigma/labteach__connectwise_automate__processes_sigma.yml b/detections/sigma/labteach__connectwise_automate__processes_sigma.yml
diff --git a/detections/sigma/mionet__also_known_as_wd_anywhere_access__processes_sigma.yml b/detections/sigma/mionet__also_known_as_wd_anywhere_access__processes_sigma.yml
diff --git a/detections/sigma/netop_remote_control__aka_impero_connect__processes_sigma.yml b/detections/sigma/netop_remote_control__aka_impero_connect__processes_sigma.yml
diff --git a/detections/sigma/royal_ts_processes_sigma.yml b/detections/sigma/royal_ts_processes_sigma.yml
diff --git a/detections/sigma/splashtop_processes_sigma.yml b/detections/sigma/splashtop_processes_sigma.yml
diff --git a/detections/sigma/tactical_rmm_processes_sigma.yml b/detections/sigma/tactical_rmm_processes_sigma.yml
@@ -6,7 +6,6 @@ detection:
   selection:
     ParentImage|endswith:
     - tacticalrmm.exe
-    - tacticalrmm.exe
   condition: selection
 id: 58f7ad72-6d1a-46b6-b998-4a984395f7d5
 status: experimental

diff --git a/detections/sigma/ultraviewer_processes_sigma.yml b/detections/sigma/ultraviewer_processes_sigma.yml
@@ -12,8 +12,6 @@ detection:
     - '*\UltraViewer_Desktop.exe'
     - ultraviewer_desktop.exe
     - ultraviewer_service.exe
-    - UltraViewer_Desktop.exe
-    - UltraViewer_Service.exe
   condition: selection
 id: 71b5a484-76c9-4341-9267-f4b7eb8fd8a3
 status: experimental

diff --git a/yaml/access_remote_pc.yaml b/yaml/access_remote_pc.yaml
@@ -3,29 +3,67 @@ Description: Access Remote PC is a remote monitoring and management (RMM) tool.
   information will be added as it becomes available.
 Author: ''
 Created: ''
-LastModified: 2/7/2024
+LastModified: '2024-10-07'
 Details:
-  Website: ''
+  Website: https://www.remotedesktop.com/
   PEMetadata:
-    Filename: ''
-    OriginalFileName: ''
-    Description: ''
-  Privileges: ''
-  Free: ''
-  Verification: ''
-  SupportedOS: []
+    Filename: 
+    OriginalFileName: 
+    Description: 
+  Privileges: 
+  Free: true
+  Verification: true
+  SupportedOS:
+  - Windows
+  - Mac
+  - Linux
+  - Android
+  - iOS
   Capabilities: []
   Vulnerabilities: []
   InstallationPaths:
-  - rpcgrab.exe
-  - rpcsetup.exe
+  - C:\Program Files (x86)\RemotePC\*
 Artifacts:
-  Disk: []
-  EventLog: []
+  Disk: 
+  - File: 'C:\Program Files (x86)\RemotePC\RemotePCUIU.exe'
+    Description: RemotePC service binary
+    OS: Windows
+  - File: C:\Program Files (x86)\RemotePC\*
+    Description: Multiple files and binaries related to RemotePC installation
+    OS: Windows
+  EventLog: 
+  - EventID: 7045
+    ProviderName: Service Control Manager
+    LogFile: System.evtx
+    ServiceName: RemotePC Performance Service
+    ImagePath: '"C:\\Program Files (x86)\\RemotePC\\RemotePCPerformance\\RPCPerformanceService.exe"'
+    Description: Service installation event as result of RemotePC installation.
+  - EventID: 4688
+    ProviderName: Microsoft-Security-Auditing
+    LogFile: Security.evtx
+    CommandLine: sc  create RPCService start=auto binpath="C:\\Program Files (x86)\\RemotePC\\RemotePCService.exe"
+    Description: Executing command to install RemotePC service.
+  - EventID: 4688
+    ProviderName: Microsoft-Security-Auditing
+    LogFile: Security.evtx
+    CommandLine: C:\\Windows\\system32\\schtasks /create /SC DAILY /st 12:00 /TN "RPCPerformanceHealthCheck" /TR "C:\\Program Files (x86)\\RemotePC\\RemotePCPerformance\\RPCPerformanceDownloader.exe" /rl HIGHEST /ru system
+    Description: Executing command to create RemotePC HealthCheck scheduled task.
+  - EventID: 4688
+    ProviderName: Microsoft-Security-Auditing
+    LogFile: Security.evtx
+    CommandLine: "C:\\Windows\\regedit.exe /s C:\\Program Files (x86)\\RemotePC\\Register.reg"
+    Description: Executing command to install various registry changes related to RemotePC.
+  - EventID: 4688
+    ProviderName: Microsoft-Security-Auditing
+    LogFile: Security.evtx
+    CommandLine: netsh  advfirewall firewall add rule name="RemotePCDesktop" enable=yes dir=in action=allow profile=any program="C:\Program Files (x86)\RemotePC\RemotePCDesktop.exe" description="This program is used for File Transfer and is part of RemotePC product."
+    Description: Executing command to add local firewall rule to allow inbound traffic for RemotePC.
   Registry: []
   Network: []
 Detections:
 - Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/access_remote_pc_processes_sigma.yml
   Description: Detects potential processes activity of Access Remote PC RMM tool
 References: []
-Acknowledgement: []
+Acknowledgement: 
+- Person: Daniel Koifman
+  Handle: '@koifsec'