From 3c3a0c5b5d035d3b675c0312f1ca5a4c35059a35 Mon Sep 17 00:00:00 2001
From: Hare Sudhan
Date: Mon, 30 Sep 2024 11:41:29 -0400
Subject: [PATCH] removing more non rmms and dupes
---
yaml/aria2.yaml | 33 -----------------------------
yaml/cloud_explorer.yaml | 27 -----------------------
yaml/cloud_turtle.yaml | 29 -------------------------
yaml/cloudfuze.yaml | 27 -----------------------
yaml/cloudhq.yaml | 27 -----------------------
yaml/cloudmounter.yaml | 33 -----------------------------
yaml/cloudxplorer.yaml | 32 ----------------------------
yaml/connectwise_control.yaml | 2 ++
yaml/connectwisecontrol.yaml | 40 -----------------------------------
yaml/freefilesync.yaml | 32 ----------------------------
10 files changed, 2 insertions(+), 280 deletions(-)
delete mode 100644 yaml/aria2.yaml
delete mode 100644 yaml/cloud_explorer.yaml
delete mode 100644 yaml/cloud_turtle.yaml
delete mode 100644 yaml/cloudfuze.yaml
delete mode 100644 yaml/cloudhq.yaml
delete mode 100644 yaml/cloudmounter.yaml
delete mode 100644 yaml/cloudxplorer.yaml
delete mode 100644 yaml/connectwisecontrol.yaml
delete mode 100644 yaml/freefilesync.yaml
diff --git a/yaml/aria2.yaml b/yaml/aria2.yaml
deleted file mode 100644
index 00f1d3b3..00000000
--- a/yaml/aria2.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-Name: aria2
-Description: aria2 is a remote monitoring and management (RMM) tool. More information
- will be added as it becomes available.
-Author: ''
-Created: ''
-LastModified: ''
-Details:
- Website: ''
- PEMetadata:
- Filename: ''
- OriginalFileName: ''
- Description: ''
- Privileges: ''
- Free: ''
- Verification: ''
- SupportedOS: []
- Capabilities: []
- Vulnerabilities: []
- InstallationPaths:
- - C:\ProgramData\CentraStage\AEMAgent\*
- - '*ProgramData\CentraStage\AEMAgent\*'
- - '*\Steinberg\Download Assistant\3rd Party\optional\aria2\*'
- - '*\aria2c.exe'
-Artifacts:
- Disk: []
- EventLog: []
- Registry: []
- Network: []
-Detections:
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aria2_processes_sigma.yml
- Description: Detects potential processes activity of aria2 RMM tool
-References: []
-Acknowledgement: []
diff --git a/yaml/cloud_explorer.yaml b/yaml/cloud_explorer.yaml
deleted file mode 100644
index 2fc86433..00000000
--- a/yaml/cloud_explorer.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-Name: Cloud Explorer
-Description: Cloud Explorer is a remote monitoring and management (RMM) tool. More
- information will be added as it becomes available.
-Author: ''
-Created: ''
-LastModified: ''
-Details:
- Website: ''
- PEMetadata:
- Filename: ''
- OriginalFileName: ''
- Description: ''
- Privileges: ''
- Free: ''
- Verification: ''
- SupportedOS: []
- Capabilities: []
- Vulnerabilities: []
- InstallationPaths: []
-Artifacts:
- Disk: []
- EventLog: []
- Registry: []
- Network: []
-Detections: []
-References: []
-Acknowledgement: []
diff --git a/yaml/cloud_turtle.yaml b/yaml/cloud_turtle.yaml
deleted file mode 100644
index 33e55e12..00000000
--- a/yaml/cloud_turtle.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-Name: Cloud Turtle
-Description: Cloud Turtle is a remote monitoring and management (RMM) tool. More information
- will be added as it becomes available.
-Author: ''
-Created: ''
-LastModified: ''
-Details:
- Website: ''
- PEMetadata:
- Filename: ''
- OriginalFileName: ''
- Description: ''
- Privileges: ''
- Free: ''
- Verification: ''
- SupportedOS: []
- Capabilities: []
- Vulnerabilities: []
- InstallationPaths:
- - C:\Program Files (x86)\Genie9\*
- - '*\Genie9\*'
-Artifacts:
- Disk: []
- EventLog: []
- Registry: []
- Network: []
-Detections: []
-References: []
-Acknowledgement: []
diff --git a/yaml/cloudfuze.yaml b/yaml/cloudfuze.yaml
deleted file mode 100644
index cfd7ac28..00000000
--- a/yaml/cloudfuze.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-Name: CloudFuze
-Description: CloudFuze is a remote monitoring and management (RMM) tool. More information
- will be added as it becomes available.
-Author: ''
-Created: ''
-LastModified: ''
-Details:
- Website: ''
- PEMetadata:
- Filename: ''
- OriginalFileName: ''
- Description: ''
- Privileges: ''
- Free: ''
- Verification: ''
- SupportedOS: []
- Capabilities: []
- Vulnerabilities: []
- InstallationPaths: []
-Artifacts:
- Disk: []
- EventLog: []
- Registry: []
- Network: []
-Detections: []
-References: []
-Acknowledgement: []
diff --git a/yaml/cloudhq.yaml b/yaml/cloudhq.yaml
deleted file mode 100644
index 73923193..00000000
--- a/yaml/cloudhq.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-Name: CloudHQ
-Description: CloudHQ is a remote monitoring and management (RMM) tool. More information
- will be added as it becomes available.
-Author: ''
-Created: ''
-LastModified: ''
-Details:
- Website: ''
- PEMetadata:
- Filename: ''
- OriginalFileName: ''
- Description: ''
- Privileges: ''
- Free: ''
- Verification: ''
- SupportedOS: []
- Capabilities: []
- Vulnerabilities: []
- InstallationPaths: []
-Artifacts:
- Disk: []
- EventLog: []
- Registry: []
- Network: []
-Detections: []
-References: []
-Acknowledgement: []
diff --git a/yaml/cloudmounter.yaml b/yaml/cloudmounter.yaml
deleted file mode 100644
index 2ed2d361..00000000
--- a/yaml/cloudmounter.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-Name: CloudMounter
-Description: CloudMounter is a remote monitoring and management (RMM) tool. More information
- will be added as it becomes available.
-Author: ''
-Created: ''
-LastModified: ''
-Details:
- Website: ''
- PEMetadata:
- Filename: ''
- OriginalFileName: ''
- Description: ''
- Privileges: ''
- Free: ''
- Verification: ''
- SupportedOS: []
- Capabilities: []
- Vulnerabilities: []
- InstallationPaths:
- - C:\Program Files\CloudMounter\*
- - '*\CloudMounter\*'
- - '*\CloudMounter\*'
- - '*\cloudmounter.exe'
-Artifacts:
- Disk: []
- EventLog: []
- Registry: []
- Network: []
-Detections:
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudmounter_processes_sigma.yml
- Description: Detects potential processes activity of CloudMounter RMM tool
-References: []
-Acknowledgement: []
diff --git a/yaml/cloudxplorer.yaml b/yaml/cloudxplorer.yaml
deleted file mode 100644
index 77ca236f..00000000
--- a/yaml/cloudxplorer.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-Name: CloudXplorer
-Description: CloudXplorer is a remote monitoring and management (RMM) tool. More information
- will be added as it becomes available.
-Author: ''
-Created: ''
-LastModified: ''
-Details:
- Website: ''
- PEMetadata:
- Filename: ''
- OriginalFileName: ''
- Description: ''
- Privileges: ''
- Free: ''
- Verification: ''
- SupportedOS: []
- Capabilities: []
- Vulnerabilities: []
- InstallationPaths:
- - C:\Program Files\ClumsyLeaf Software\CloudXplorer\*
- - '*\ClumsyLeaf Software\CloudXplorer\*'
- - '*\clumsyleaf.cloudxplorer*.exe'
-Artifacts:
- Disk: []
- EventLog: []
- Registry: []
- Network: []
-Detections:
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudxplorer_processes_sigma.yml
- Description: Detects potential processes activity of CloudXplorer RMM tool
-References: []
-Acknowledgement: []
diff --git a/yaml/connectwise_control.yaml b/yaml/connectwise_control.yaml
index 5dd67566..d62b00c7 100644
--- a/yaml/connectwise_control.yaml
+++ b/yaml/connectwise_control.yaml
@@ -19,6 +19,7 @@ Details:
 InstallationPaths:
 - connectwisechat-customer.exe
 - connectwisecontrol.client.exe
+ - screenconnect.windowsclient.exe
 Artifacts:
 Disk: []
 EventLog: []
@@ -26,6 +27,7 @@ Artifacts:
 Network:
 - Description: Known remote domains
 Domains:
+ - live.screenconnect.com
 - control.connectwise.com
 Ports: []
 Detections:
diff --git a/yaml/connectwisecontrol.yaml b/yaml/connectwisecontrol.yaml
deleted file mode 100644
index 5f5bef11..00000000
--- a/yaml/connectwisecontrol.yaml
+++ /dev/null
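Review bot: The merge into connectwise_control.yaml drops `screenconnect.clientservice.exe`, which the deleted connectwisecontrol.yaml listed under InstallationPaths alongside the two names the first hunk keeps and the one it adds, so the surviving entry no longer covers that process name. Adding `  - screenconnect.clientservice.exe` next to the new `screenconnect.windowsclient.exe` line would keep the coverage the duplicate had. The duplicate also referenced two Sigma rules (connectwise_control_network_sigma.yml and connectwise_control_processes_sigma.yml); the surviving file's Detections list begins on the last context line of the second hunk and continues outside it, so whether both are already present cannot be confirmed from this patch. The enclosing Details mapping of the first hunk starts above the hunk.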
@@ -1,40 +0,0 @@
-Name: ConnectWise Control
-Description: ConnectWise Control is a remote monitoring and management (RMM) tool.
- More information will be added as it becomes available.
-Author: ''
-Created: ''
-LastModified: ''
-Details:
- Website: ''
- PEMetadata:
- Filename: ''
- OriginalFileName: ''
- Description: ''
- Privileges: ''
- Free: ''
- Verification: ''
- SupportedOS: []
- Capabilities: []
- Vulnerabilities: []
- InstallationPaths:
- - screenconnect.clientservice.exe
- - connectwisecontrol.client.exe
- - screenconnect.windowsclient.exe
- - connectwisechat-customer.exe
-Artifacts:
- Disk: []
- EventLog: []
- Registry: []
- Network:
- - Description: Known remote domains
- Domains:
- - live.screenconnect.com
- - control.connectwise.com
- Ports: []
-Detections:
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_network_sigma.yml
- Description: Detects potential network activity of ConnectWise Control RMM tool
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_processes_sigma.yml
- Description: Detects potential processes activity of ConnectWise Control RMM tool
-References: []
-Acknowledgement: []
diff --git a/yaml/freefilesync.yaml b/yaml/freefilesync.yaml
deleted file mode 100644
index c8cd99e1..00000000
--- a/yaml/freefilesync.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-Name: FreeFileSync
-Description: FreeFileSync is a remote monitoring and management (RMM) tool. More information
- will be added as it becomes available.
-Author: ''
-Created: ''
-LastModified: ''
-Details:
- Website: ''
- PEMetadata:
- Filename: ''
- OriginalFileName: ''
- Description: ''
- Privileges: ''
- Free: ''
- Verification: ''
- SupportedOS: []
- Capabilities: []
- Vulnerabilities: []
- InstallationPaths:
- - C:\Program Files\FreeFileSync\*
- - '*\FreeFileSync\*'
- - '*\FreeFileSync.exe'
-Artifacts:
- Disk: []
- EventLog: []
- Registry: []
- Network: []
-Detections:
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/freefilesync_processes_sigma.yml
- Description: Detects potential processes activity of FreeFileSync RMM tool
-References: []
-Acknowledgement: []