From 03b8e420c2f1367aecc61619ddc968db0cae00f0 Mon Sep 17 00:00:00 2001
From: Hare Sudhan
Date: Mon, 30 Sep 2024 23:52:45 -0400
Subject: [PATCH] rm dupes

---
 yaml/dw_service.yaml | 1 +
 yaml/esetremoteadministrator.yaml | 44 --------------------------
 yaml/fixme.it.yaml | 52 -------------------------------
 yaml/fixme.yaml | 15 +++++++--
 yaml/fleetdeck.yaml | 21 ++++++++-----
 yaml/fleetdeckio.yaml | 40 ------------------------
 yaml/fleetdesk.io.yaml | 43 -------------------------
 7 files changed, 27 insertions(+), 189 deletions(-)
 delete mode 100644 yaml/esetremoteadministrator.yaml
 delete mode 100644 yaml/fixme.it.yaml
 delete mode 100644 yaml/fleetdeckio.yaml
 delete mode 100644 yaml/fleetdesk.io.yaml

diff --git a/yaml/dw_service.yaml b/yaml/dw_service.yaml
index 049edfed..269e67eb 100644
--- a/yaml/dw_service.yaml
+++ b/yaml/dw_service.yaml
@@ -17,6 +17,7 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
+ - dwagsvc.exe
 - dwagent.exe
 - dwagsvc.exe
 Artifacts:
diff --git a/yaml/esetremoteadministrator.yaml b/yaml/esetremoteadministrator.yaml
deleted file mode 100644
index 718858aa..00000000
--- a/yaml/esetremoteadministrator.yaml
+++ /dev/null
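Review bot: The added `- dwagsvc.exe` duplicates the `- dwagsvc.exe` entry two lines below it in InstallationPaths, so this hunk introduces a new duplicate in a commit whose subject is "rm dupes"; drop the added line. The same defect appears in yaml/fixme.yaml at `@@ -23,6 +23,11 @@`, where the added `TiExpertCore.exe` repeats the context entry at the top of that hunk. These lists are presumably consumed as filename patterns for generated detections, so the duplicate is harmless at match time but will be carried into every artifact built from the file.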
@@ -1,44 +0,0 @@
-Name: ESET Remote Administrator
-Description: ESET Remote Administrator is a remote monitoring and management (RMM)
- tool. More information will be added as it becomes available.
-Author: ''
-Created: ''
-LastModified: 2/7/2024
-Details:
- Website: ''
- PEMetadata:
- Filename: ''
- OriginalFileName: ''
- Description: ''
- Privileges: ''
- Free: ''
- Verification: ''
- SupportedOS: []
- Capabilities: []
- Vulnerabilities: []
- InstallationPaths:
- - einstaller.exe
- - era.exe
- - ERAAgent.exe
- - ezhelp*.exe
- - eratool.exe
-Artifacts:
- Disk: []
- EventLog: []
- Registry: []
- Network:
- - Description: Known remote domains
- Domains:
- - user_managed
- - eset.com/me/business/remote-management/remote-administrator/
- Ports: []
-Detections:
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_network_sigma.yml
- Description: Detects potential network activity of ESET Remote Administrator RMM
- tool
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_processes_sigma.yml
- Description: Detects potential processes activity of ESET Remote Administrator RMM
- tool
-References:
-- eset.com/me/business/remote-management/remote-administrator/
-Acknowledgement: []
diff --git a/yaml/fixme.it.yaml b/yaml/fixme.it.yaml
deleted file mode 100644
index a9a1fc22..00000000
--- a/yaml/fixme.it.yaml
+++ /dev/null
@@ -1,52 +0,0 @@
-Name: FixMe.it
-Description: FixMe.it is a remote monitoring and management (RMM) tool. More information
- will be added as it becomes available.
-Author: ''
-Created: ''
-LastModified: 2/7/2024
-Details:
- Website: ''
- PEMetadata:
- Filename: ''
- OriginalFileName: ''
- Description: ''
- Privileges: ''
- Free: ''
- Verification: ''
- SupportedOS: []
- Capabilities: []
- Vulnerabilities: []
- InstallationPaths:
- - FixMeit Unattended Access Setup.exe
- - TiExpertStandalone.exe
- - FixMeitClient*.exe
- - FixMeit Client.exe
- - FixMeit Expert Setup.exe
- - TiExpertCore.exe
- - fixmeitclient.exe
- - TiClientCore.exe
- - TiClientHelper*.exe
- - no installation required | recommend blocking fixme[.]it SaaS portal
- - no installation required | recommend blocking fixme[.]it SaaS portal
- - 9380CC75B872221A7425D7503565B67580407F60
-Artifacts:
- Disk: []
- EventLog: []
- Registry: []
- Network:
- - Description: Known remote domains
- Domains:
- - '*.fixme.it'
- - '*.techinline.net'
- - fixme.it
- - '*set.me'
- - '*setme.net'
- Ports: []
-Detections:
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme.it_network_sigma.yml
- Description: Detects potential network activity of FixMe.it RMM tool
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme.it_processes_sigma.yml
- Description: Detects potential processes activity of FixMe.it RMM tool
-References:
-- https://docs.fixme.it/general-questions/which-ports-and-servers-does-fixme-it-use
-Acknowledgement: []
diff --git a/yaml/fixme.yaml b/yaml/fixme.yaml
index 21f6b311..e8319325 100644
--- a/yaml/fixme.yaml
+++ b/yaml/fixme.yaml
@@ -1,9 +1,9 @@
-Name: FixMe
-Description: FixMe is a remote monitoring and management (RMM) tool. More information
+Name: FixMe.it
+Description: FixMe.it is a remote monitoring and management (RMM) tool. More information
 will be added as it becomes available.
 Author: ''
 Created: ''
-LastModified: ''
+LastModified: 2/7/2024
 Details:
 Website: ''
 PEMetadata:
@@ -23,6 +23,11 @@ Details:
 - TiExpertCore.exe
 - FixMeit Unattended Access Setup.exe
 - FixMeit Expert Setup.exe
+ - TiExpertCore.exe
+ - fixmeitclient.exe
+ - TiClientCore.exe
+ - TiClientHelper*.exe
+ - 9380CC75B872221A7425D7503565B67580407F60
 Artifacts:
 Disk: []
 EventLog: []
@@ -30,7 +35,11 @@ Artifacts:
 Network:
 - Description: Known remote domains
 Domains:
+ - '*.fixme.it'
+ - '*.techinline.net'
 - fixme.it
+ - '*set.me'
+ - '*setme.net'
 Ports: []
 Detections:
 - Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme_network_sigma.yml
diff --git a/yaml/fleetdeck.yaml b/yaml/fleetdeck.yaml
index 089d2435..7747da50 100644
--- a/yaml/fleetdeck.yaml
+++ b/yaml/fleetdeck.yaml
@@ -1,5 +1,5 @@
-Name: FleetDeck
-Description: FleetDeck is a remote monitoring and management (RMM) tool. More information
+Name: FleetDeck.io
+Description: FleetDeck.io is a remote monitoring and management (RMM) tool. More information
 will be added as it becomes available.
 Author: ''
 Created: ''
@@ -18,6 +18,10 @@ Details:
 Vulnerabilities: []
 InstallationPaths:
 - fleetdeck_agent_svc.exe
+ - fleetdeck_commander_svc.exe
+ - fleetdeck_installer.exe
+ - fleetdeck_commander_launcher.exe
+ - fleetdeck_agent.exe
 Artifacts:
 Disk: []
 EventLog: []
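Review bot: In the `@@ -23,6 +23,11 @@` hunk of yaml/fixme.yaml the added entry `9380CC75B872221A7425D7503565B67580407F60` is not a path or filename pattern; it is a 40-hex-character value that looks like a SHA-1 file hash, carried over as-is from the deleted yaml/fixme.it.yaml. If a generator turns InstallationPaths into image-name or process-name matches, as the Sigma links in this file suggest, that entry becomes a clause that can never match. If it is the hash of one of the listed binaries, record it in a field meant for hashes (an Artifacts Disk entry, if that schema carries one) together with the file it belongs to; otherwise remove it rather than keep it in the path list.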
@@ -25,12 +29,15 @@ Artifacts:
 Network:
 - Description: Known remote domains
 Domains:
+ - '*.fleetdeck.io'
+ - cognito-idp.us-west-2.amazonaws.com
 - fleetdeck.io
 Ports: []
 Detections:
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdeck_network_sigma.yml
- Description: Detects potential network activity of FleetDeck RMM tool
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdeck_processes_sigma.yml
- Description: Detects potential processes activity of FleetDeck RMM tool
-References: []
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdesk.io_network_sigma.yml
+ Description: Detects potential network activity of FleetDesk.io RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdesk.io_processes_sigma.yml
+ Description: Detects potential processes activity of FleetDesk.io RMM tool
+References:
+- https://fleetdeck.io/faq/
 Acknowledgement: []
diff --git a/yaml/fleetdeckio.yaml b/yaml/fleetdeckio.yaml
deleted file mode 100644
index 8014878e..00000000
--- a/yaml/fleetdeckio.yaml
+++ /dev/null
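Review bot: The replacement Detections block links `fleetdesk.io_network_sigma.yml` and `fleetdesk.io_processes_sigma.yml` and describes "FleetDesk.io", while the Name set in the first hunk of this file is FleetDeck.io; "FleetDesk" looks like a typo inherited from the deleted yaml/fleetdesk.io.yaml, and the lines being removed used the `fleetdeck_` prefix. Confirm which rule files actually exist under detections/sigma before merging, and make the descriptions read `Detects potential network activity of FleetDeck.io RMM tool` so the name agrees with the entry. Separately, the added domain `cognito-idp.us-west-2.amazonaws.com` is a regional AWS Cognito endpoint shared by many unrelated products, so a network rule generated from this list will fire on any of them; consider annotating it, e.g. `- cognito-idp.us-west-2.amazonaws.com  # shared AWS Cognito endpoint, not specific to FleetDeck`, or keeping it out of the generated rule.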
@@ -1,40 +0,0 @@
-Name: FleetDeck.io
-Description: FleetDeck.io is a remote monitoring and management (RMM) tool. More information
- will be added as it becomes available.
-Author: ''
-Created: ''
-LastModified: ''
-Details:
- Website: ''
- PEMetadata:
- Filename: ''
- OriginalFileName: ''
- Description: ''
- Privileges: ''
- Free: ''
- Verification: ''
- SupportedOS: []
- Capabilities: []
- Vulnerabilities: []
- InstallationPaths:
- - fleetdeck_agent_svc.exe
- - fleetdeck_commander_svc.exe
- - fleetdeck_installer.exe
- - fleetdeck_commander_launcher.exe
- - fleetdeck_agent.exe
-Artifacts:
- Disk: []
- EventLog: []
- Registry: []
- Network:
- - Description: Known remote domains
- Domains:
- - fleetdeck.io
- Ports: []
-Detections:
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdeck.io_network_sigma.yml
- Description: Detects potential network activity of FleetDeck.io RMM tool
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdeck.io_processes_sigma.yml
- Description: Detects potential processes activity of FleetDeck.io RMM tool
-References: []
-Acknowledgement: []
diff --git a/yaml/fleetdesk.io.yaml b/yaml/fleetdesk.io.yaml
deleted file mode 100644
index de8612ab..00000000
--- a/yaml/fleetdesk.io.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-Name: FleetDesk.io
-Description: FleetDesk.io is a remote monitoring and management (RMM) tool. More information
- will be added as it becomes available.
-Author: ''
-Created: ''
-LastModified: 2/7/2024
-Details:
- Website: ''
- PEMetadata:
- Filename: ''
- OriginalFileName: ''
- Description: ''
- Privileges: ''
- Free: ''
- Verification: ''
- SupportedOS: []
- Capabilities: []
- Vulnerabilities: []
- InstallationPaths:
- - fleetdeck_agent_svc.exe
- - fleetdeck_commander_svc.exe
- - fleetdeck_installer.exe
- - fleetdeck_agent.exe
- - fleetdeck_commander_launcher.exe
-Artifacts:
- Disk: []
- EventLog: []
- Registry: []
- Network:
- - Description: Known remote domains
- Domains:
- - '*.fleetdeck.io'
- - cognito-idp.us-west-2.amazonaws.com
- - fleetdeck.io
- Ports: []
-Detections:
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdesk.io_network_sigma.yml
- Description: Detects potential network activity of FleetDesk.io RMM tool
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdesk.io_processes_sigma.yml
- Description: Detects potential processes activity of FleetDesk.io RMM tool
-References:
-- https://fleetdeck.io/faq/
-Acknowledgement: []