diff --git a/bin/site.py b/bin/site.py
index c63c392..78cfd19 100755
--- a/bin/site.py
+++ b/bin/site.py
@@ -7,6 +7,7 @@ import jinja2
 import csv
 import re
+import shutil
 def write_rmm_tools_csv(rmm_tools, output_dir, VERBOSE):
 output_file = os.path.join(output_dir, 'public', 'api', 'rmm_tools.csv')
@@ -116,16 +117,19 @@ def clean_multiline(text):
 j2_env.globals.update(dump=json.dumps)
 j2_env.globals.update(escape=re.escape)
+ tools_dir = os.path.join(OUTPUT_DIR, 'pages', 'tools')
+ shutil.rmtree(tools_dir)
+ os.mkdir(tools_dir)
 d = datetime.datetime.now()
 template = j2_env.get_template('rmm.md.j2')
 for rmm_tool in rmm_tools:
 # Replace parentheses with underscores in the file name
 file_name = f"{rmm_tool['Name'].lower().replace(' ', '_').replace('(', '_').replace(')', '_')}.mdx"
- output_path = os.path.join(OUTPUT_DIR, 'pages', 'tools', file_name)
+ output_path = os.path.join(tools_dir, file_name)
 output = template.render(rmm=rmm_tool, time=str(d.strftime("%Y-%m-%d")))
 with open(output_path, 'w', encoding="utf-8") as f:
 f.write(output)
- messages.append(f"site_gen.py wrote {len(rmm_tools)} RMM tools markdown to: {os.path.join(OUTPUT_DIR, 'pages', 'tools')}")
+ messages.append(f"site_gen.py wrote {len(rmm_tools)} RMM tools markdown to: {tools_dir}")
 # Write API CSV
 write_rmm_tools_csv(rmm_tools, OUTPUT_DIR, VERBOSE)
diff --git a/yaml/air_explorer.yaml b/yaml/air_explorer.yaml
deleted file mode 100644
index badda03..0000000
--- a/yaml/air_explorer.yaml
+++ /dev/null
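Review bot: `shutil.rmtree(tools_dir)` in the second hunk raises FileNotFoundError when `pages/tools` does not exist yet (a fresh checkout or a cleaned output tree), and the `os.mkdir` that follows does not create missing parents, so the generator cannot bootstrap its own output directory. Guarding the wipe and using makedirs keeps the intended stale-page cleanup without the first-run failure: `if os.path.isdir(tools_dir): shutil.rmtree(tools_dir)` followed by `os.makedirs(tools_dir, exist_ok=True)`. Because the directory is now deleted recursively on every build, anything under it that is not rendered from the YAML is lost, so a one-line comment above the rmtree stating that `pages/tools` is fully generated would make that contract explicit for the next maintainer. Separately, `file_name` is built from the YAML `Name` with only spaces and parentheses substituted, so the new `os.path.join(tools_dir, file_name)` would still follow a path separator in a tool name; wrapping it as `os.path.basename(file_name)` or rejecting such names keeps every write inside `tools_dir`. The enclosing function starts and ends outside the hunk.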
@@ -1,32 +0,0 @@ -Name: Air Explorer -Description: Air Explorer is a remote monitoring and management (RMM) tool. More information - will be added as it becomes available. -Author: '' -Created: '' -LastModified: '' -Details: - Website: '' - PEMetadata: - Filename: '' - OriginalFileName: '' - Description: '' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: [] - Capabilities: [] - Vulnerabilities: [] - InstallationPaths: - - C:\Program Files\airexplorer\* - - '*\airexplorer\*' - - '*\airexplorer.exe' -Artifacts: - Disk: [] - EventLog: [] - Registry: [] - Network: [] -Detections: -- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/air_explorer_processes_sigma.yml - Description: Detects potential processes activity of Air Explorer RMM tool -References: [] -Acknowledgement: [] diff --git a/yaml/air_live_drive.yaml b/yaml/air_live_drive.yaml deleted file mode 100644 index f87bc6e..0000000 --- a/yaml/air_live_drive.yaml +++ /dev/null @@ -1,32 +0,0 @@ -Name: Air Live Drive -Description: Air Live Drive is a remote monitoring and management (RMM) tool. More - information will be added as it becomes available. -Author: '' -Created: '' -LastModified: '' -Details: - Website: '' - PEMetadata: - Filename: '' - OriginalFileName: '' - Description: '' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: [] - Capabilities: [] - Vulnerabilities: [] - InstallationPaths: - - C:\Program Files\AirLiveDrive\* - - '*\AirLiveDrive\*' - - '*\AirLiveDrive.exe' -Artifacts: - Disk: [] - EventLog: [] - Registry: [] - Network: [] -Detections: -- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/air_live_drive_processes_sigma.yml - Description: Detects potential processes activity of Air Live Drive RMM tool -References: [] -Acknowledgement: [] diff --git a/yaml/amazon_(cloud)_drive.yaml b/yaml/amazon_(cloud)_drive.yaml deleted file mode 100644 index 14af7a9..0000000 --- a/yaml/amazon_(cloud)_drive.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ -Name: Amazon (Cloud) Drive -Description: Amazon (Cloud) Drive is a remote monitoring and management (RMM) tool. - More information will be added as it becomes available. -Author: '' -Created: '' -LastModified: '' -Details: - Website: '' - PEMetadata: - Filename: '' - OriginalFileName: '' - Description: '' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: [] - Capabilities: [] - Vulnerabilities: [] - InstallationPaths: - - C:\Users\*\AppData\Local\Amazon\Cloud Drive\* - - '*\AppData\Local\Amazon\Cloud Drive\*' - - '*\AmazonCloudDrive.exe' -Artifacts: - Disk: [] - EventLog: [] - Registry: [] - Network: [] -Detections: -- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/amazon__cloud__drive_processes_sigma.yml - Description: Detects potential processes activity of Amazon (Cloud) Drive RMM tool -References: [] -Acknowledgement: [] diff --git a/yaml/aria2.yaml b/yaml/aria2.yaml deleted file mode 100644 index 00f1d3b..0000000 --- a/yaml/aria2.yaml +++ /dev/null @@ -1,33 +0,0 @@ -Name: aria2 -Description: aria2 is a remote monitoring and management (RMM) tool. More information - will be added as it becomes available. -Author: '' -Created: '' -LastModified: '' -Details: - Website: '' - PEMetadata: - Filename: '' - OriginalFileName: '' - Description: '' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: [] - Capabilities: [] - Vulnerabilities: [] - InstallationPaths: - - C:\ProgramData\CentraStage\AEMAgent\* - - '*ProgramData\CentraStage\AEMAgent\*' - - '*\Steinberg\Download Assistant\3rd Party\optional\aria2\*' - - '*\aria2c.exe' -Artifacts: - Disk: [] - EventLog: [] - Registry: [] - Network: [] -Detections: -- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aria2_processes_sigma.yml - Description: Detects potential processes activity of aria2 RMM tool -References: [] -Acknowledgement: [] 
diff --git a/yaml/awerayawesun.yaml b/yaml/awerayawesun.yaml deleted file mode 100644 index b9c1d6d..0000000 --- a/yaml/awerayawesun.yaml +++ /dev/null @@ -1,38 +0,0 @@ -Name: AweRay (AweSun) -Description: AweRay (AweSun) is a remote monitoring and management (RMM) tool. More - information will be added as it becomes available. -Author: '' -Created: '' -LastModified: '' -Details: - Website: '' - PEMetadata: - Filename: '' - OriginalFileName: '' - Description: '' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: [] - Capabilities: [] - Vulnerabilities: [] - InstallationPaths: - - aweray_remote*.exe - - AweSun.exe -Artifacts: - Disk: [] - EventLog: [] - Registry: [] - Network: - - Description: Known remote domains - Domains: - - asapi-us.aweray.net - - asapi.aweray.net - Ports: [] -Detections: -- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray__awesun__network_sigma.yml - Description: Detects potential network activity of AweRay (AweSun) RMM tool -- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray__awesun__processes_sigma.yml - Description: Detects potential processes activity of AweRay (AweSun) RMM tool -References: [] -Acknowledgement: [] diff --git a/yaml/aws-cli.yaml b/yaml/aws-cli.yaml deleted file mode 100644 index 102c908..0000000 --- a/yaml/aws-cli.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -Name: aws-cli -Description: aws-cli is a remote monitoring and management (RMM) tool. More information - will be added as it becomes available. -Author: '' -Created: '' -LastModified: '' -Details: - Website: '' - PEMetadata: - Filename: '' - OriginalFileName: '' - Description: '' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: [] - Capabilities: [] - Vulnerabilities: [] - InstallationPaths: - - C:\Program Files\Amazon\AWSCLI\* - - '*\Amazon\AWSCLI\*' - - '*\AWSCLIV*.msi' - - '*\AWSCLISetup.exe' -Artifacts: - Disk: [] - EventLog: [] - Registry: [] - Network: [] -Detections: -- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aws-cli_processes_sigma.yml - Description: Detects potential processes activity of aws-cli RMM tool -References: [] -Acknowledgement: [] diff --git a/yaml/azure_storage_explorer.yaml b/yaml/azure_storage_explorer.yaml deleted file mode 100644 index 5878e24..0000000 --- a/yaml/azure_storage_explorer.yaml +++ /dev/null @@ -1,33 +0,0 @@ -Name: Azure Storage Explorer -Description: Azure Storage Explorer is a remote monitoring and management (RMM) tool. - More information will be added as it becomes available. -Author: '' -Created: '' -LastModified: '' -Details: - Website: '' - PEMetadata: - Filename: '' - OriginalFileName: '' - Description: '' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: [] - Capabilities: [] - Vulnerabilities: [] - InstallationPaths: - - C:\Program Files (x86)\Microsoft Azure Storage Explorer\* - - '*\Microsoft Azure Storage Explorer\*' - - '*\StorageExplorer.exe' -Artifacts: - Disk: [] - EventLog: [] - Registry: [] - Network: [] -Detections: -- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/azure_storage_explorer_processes_sigma.yml - Description: Detects potential processes activity of Azure Storage Explorer RMM - tool -References: [] -Acknowledgement: [] 
diff --git a/yaml/beyondtrustbomgar.yaml b/yaml/beyondtrustbomgar.yaml deleted file mode 100644 index ab3651b..0000000 --- a/yaml/beyondtrustbomgar.yaml +++ /dev/null @@ -1,43 +0,0 @@ -Name: BeyondTrust (Bomgar) -Description: BeyondTrust (Bomgar) is a remote monitoring and management (RMM) tool. - More information will be added as it becomes available. -Author: '' -Created: '' -LastModified: 2/7/2024 -Details: - Website: '' - PEMetadata: - Filename: '' - OriginalFileName: '' - Description: '' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: [] - Capabilities: [] - Vulnerabilities: [] - InstallationPaths: - - bomgar-scc.exe - - bomgar-rdp.exe - - bomgar-scc-*.exe - - bomgar-pac-*.exe - - bomgar-pac.exe -Artifacts: - Disk: [] - EventLog: [] - Registry: [] - Network: - - Description: Known remote domains - Domains: - - bomgarcloud.com - - '*.bomgarcloud.com' - - '*.beyondtrustcloud.com' - Ports: [] -Detections: -- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__network_sigma.yml - Description: Detects potential network activity of BeyondTrust (Bomgar) RMM tool -- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__processes_sigma.yml - Description: Detects potential processes activity of BeyondTrust (Bomgar) RMM tool -References: -- https://www.beyondtrust.com/docs/remote-support/getting-started/deployment/cloud/network.htm -Acknowledgement: [] diff --git a/yaml/bomgar.yaml b/yaml/bomgar.yaml deleted file mode 100644 index 176f576..0000000 --- a/yaml/bomgar.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -Name: Bomgar -Description: Bomgar is a remote monitoring and management (RMM) tool. More information - will be added as it becomes available. -Author: '' -Created: '' -LastModified: '' -Details: - Website: '' - PEMetadata: - Filename: '' - OriginalFileName: '' - Description: '' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: [] - Capabilities: [] - Vulnerabilities: [] - InstallationPaths: - - bomgar-scc.exe -Artifacts: - Disk: [] - EventLog: [] - Registry: [] - Network: - - Description: Known remote domains - Domains: - - beyondtrust.com/brand/bomgar - Ports: [] -Detections: -- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bomgar_network_sigma.yml - Description: Detects potential network activity of Bomgar RMM tool -- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bomgar_processes_sigma.yml - Description: Detects potential processes activity of Bomgar RMM tool -References: [] -Acknowledgement: [] diff --git a/yaml/bomgar_-_now_beyondtrust.yaml b/yaml/bomgar_-_now_beyondtrust.yaml deleted file mode 100644 index 21820e1..0000000 --- a/yaml/bomgar_-_now_beyondtrust.yaml +++ /dev/null @@ -1,27 +0,0 @@ -Name: Bomgar - Now BeyondTrust -Description: Bomgar - Now BeyondTrust is a remote monitoring and management (RMM) - tool. More information will be added as it becomes available. -Author: '' -Created: '' -LastModified: '' -Details: - Website: '' - PEMetadata: - Filename: '' - OriginalFileName: '' - Description: '' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: [] - Capabilities: [] - Vulnerabilities: [] - InstallationPaths: [] -Artifacts: - Disk: [] - EventLog: [] - Registry: [] - Network: [] -Detections: [] -References: [] -Acknowledgement: [] diff --git a/yaml/box.yaml b/yaml/box.yaml deleted file mode 100644 index 5b74807..0000000 --- a/yaml/box.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ -Name: Box -Description: Box is a remote monitoring and management (RMM) tool. More information - will be added as it becomes available. -Author: '' -Created: '' -LastModified: '' -Details: - Website: '' - PEMetadata: - Filename: '' - OriginalFileName: '' - Description: '' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: [] - Capabilities: [] - Vulnerabilities: [] - InstallationPaths: - - C:\Program Files\Box\Box\* - - '*\Box\Box\*' - - '*\Box.exe' -Artifacts: - Disk: [] - EventLog: [] - Registry: [] - Network: [] -Detections: -- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/box_processes_sigma.yml - Description: Detects potential processes activity of Box RMM tool -References: [] -Acknowledgement: [] diff --git a/yaml/chicken_(of_the_vnc).yaml b/yaml/chicken_(of_the_vnc).yaml index 34ade30..034e0c3 100644 --- a/yaml/chicken_(of_the_vnc).yaml +++ b/yaml/chicken_(of_the_vnc).yaml @@ -23,5 +23,6 @@ Artifacts: Registry: [] Network: [] Detections: [] -References: [] +References: +- https://github.com/flit/cotvnc Acknowledgement: [] diff --git a/yaml/chromeremotedesktop.yaml b/yaml/chromeremotedesktop.yaml deleted file mode 100644 index 4a53817..0000000 --- a/yaml/chromeremotedesktop.yaml +++ /dev/null 
@@ -1,43 +0,0 @@ -Name: Chrome Remote Desktop -Description: Chrome Remote Desktop is a remote monitoring and management (RMM) tool. - More information will be added as it becomes available. -Author: '' -Created: '' -LastModified: 2/7/2024 -Details: - Website: '' - PEMetadata: - Filename: '' - OriginalFileName: '' - Description: '' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: [] - Capabilities: [] - Vulnerabilities: [] - InstallationPaths: - - remote_host.exe - - remoting_host.exe - - C:\Program Files (x86)\Google\Chrome Remote Desktop\* - - '*\Google\Chrome Remote Desktop\*' - - '*\remoting_host.exe' -Artifacts: - Disk: [] - EventLog: [] - Registry: [] - Network: - - Description: Known remote domains - Domains: - - '*remotedesktop-pa.googleapis.com' - - '*remotedesktop.google.com' - - remotedesktop.google.com - Ports: [] -Detections: -- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_network_sigma.yml - Description: Detects potential network activity of Chrome Remote Desktop RMM tool -- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_processes_sigma.yml - Description: Detects potential processes activity of Chrome Remote Desktop RMM tool -References: -- https://support.google.com/chrome/a/answer/2799701?hl=en -Acknowledgement: [] diff --git a/yaml/cloud_explorer.yaml b/yaml/cloud_explorer.yaml deleted file mode 100644 index 2fc8643..0000000 --- a/yaml/cloud_explorer.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -Name: Cloud Explorer -Description: Cloud Explorer is a remote monitoring and management (RMM) tool. More - information will be added as it becomes available. -Author: '' -Created: '' -LastModified: '' -Details: - Website: '' - PEMetadata: - Filename: '' - OriginalFileName: '' - Description: '' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: [] - Capabilities: [] - Vulnerabilities: [] - InstallationPaths: [] -Artifacts: - Disk: [] - EventLog: [] - Registry: [] - Network: [] -Detections: [] -References: [] -Acknowledgement: [] diff --git a/yaml/cloud_turtle.yaml b/yaml/cloud_turtle.yaml deleted file mode 100644 index 33e55e1..0000000 --- a/yaml/cloud_turtle.yaml +++ /dev/null @@ -1,29 +0,0 @@ -Name: Cloud Turtle -Description: Cloud Turtle is a remote monitoring and management (RMM) tool. More information - will be added as it becomes available. -Author: '' -Created: '' -LastModified: '' -Details: - Website: '' - PEMetadata: - Filename: '' - OriginalFileName: '' - Description: '' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: [] - Capabilities: [] - Vulnerabilities: [] - InstallationPaths: - - C:\Program Files (x86)\Genie9\* - - '*\Genie9\*' -Artifacts: - Disk: [] - EventLog: [] - Registry: [] - Network: [] -Detections: [] -References: [] -Acknowledgement: [] diff --git a/yaml/cloudberry_explorer.yaml b/yaml/cloudberry_explorer.yaml deleted file mode 100644 index c51f4ca..0000000 --- a/yaml/cloudberry_explorer.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ -Name: CloudBerry Explorer -Description: CloudBerry Explorer is a remote monitoring and management (RMM) tool. - More information will be added as it becomes available. -Author: '' -Created: '' -LastModified: '' -Details: - Website: '' - PEMetadata: - Filename: '' - OriginalFileName: '' - Description: '' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: [] - Capabilities: [] - Vulnerabilities: [] - InstallationPaths: - - C:\Program Files\CloudBerryLab\CloudBerry Drive\* - - '*\CloudBerryLab\CloudBerry Drive\*' -Artifacts: - Disk: [] - EventLog: [] - Registry: [] - Network: [] -Detections: [] -References: [] -Acknowledgement: [] diff --git a/yaml/cloudbuckit.yaml b/yaml/cloudbuckit.yaml deleted file mode 100644 index 0a6760e..0000000 --- a/yaml/cloudbuckit.yaml +++ /dev/null @@ -1,32 +0,0 @@ -Name: CloudBuckIt -Description: CloudBuckIt is a remote monitoring and management (RMM) tool. More information - will be added as it becomes available. -Author: '' -Created: '' -LastModified: '' -Details: - Website: '' - PEMetadata: - Filename: '' - OriginalFileName: '' - Description: '' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: [] - Capabilities: [] - Vulnerabilities: [] - InstallationPaths: - - C:\Program Files (x86)\CloudBuckIt\* - - '*\CloudBuckIt\*' - - '*\CloudBuckIt*.exe' -Artifacts: - Disk: [] - EventLog: [] - Registry: [] - Network: [] -Detections: -- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudbuckit_processes_sigma.yml - Description: Detects potential processes activity of CloudBuckIt RMM tool -References: [] -Acknowledgement: [] diff --git a/yaml/cloudexplorer.yaml b/yaml/cloudexplorer.yaml deleted file mode 100644 index 6e89251..0000000 --- a/yaml/cloudexplorer.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -Name: CloudExplorer -Description: CloudExplorer is a remote monitoring and management (RMM) tool. More - information will be added as it becomes available. -Author: '' -Created: '' -LastModified: '' -Details: - Website: '' - PEMetadata: - Filename: '' - OriginalFileName: '' - Description: '' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: [] - Capabilities: [] - Vulnerabilities: [] - InstallationPaths: [] -Artifacts: - Disk: [] - EventLog: [] - Registry: [] - Network: [] -Detections: [] -References: [] -Acknowledgement: [] diff --git a/yaml/cloudfuze.yaml b/yaml/cloudfuze.yaml deleted file mode 100644 index cfd7ac2..0000000 --- a/yaml/cloudfuze.yaml +++ /dev/null @@ -1,27 +0,0 @@ -Name: CloudFuze -Description: CloudFuze is a remote monitoring and management (RMM) tool. More information - will be added as it becomes available. -Author: '' -Created: '' -LastModified: '' -Details: - Website: '' - PEMetadata: - Filename: '' - OriginalFileName: '' - Description: '' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: [] - Capabilities: [] - Vulnerabilities: [] - InstallationPaths: [] -Artifacts: - Disk: [] - EventLog: [] - Registry: [] - Network: [] -Detections: [] -References: [] -Acknowledgement: [] diff --git a/yaml/cloudgopher.yaml b/yaml/cloudgopher.yaml deleted file mode 100644 index 346e147..0000000 --- a/yaml/cloudgopher.yaml +++ /dev/null @@ -1,27 +0,0 @@ -Name: CloudGopher -Description: CloudGopher is a remote monitoring and management (RMM) tool. More information - will be added as it becomes available. -Author: '' -Created: '' -LastModified: '' -Details: - Website: '' - PEMetadata: - Filename: '' - OriginalFileName: '' - Description: '' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: [] - Capabilities: [] - Vulnerabilities: [] - InstallationPaths: [] -Artifacts: - Disk: [] - EventLog: [] - Registry: [] - Network: [] -Detections: [] -References: [] -Acknowledgement: [] 
diff --git a/yaml/cloudhq.yaml b/yaml/cloudhq.yaml deleted file mode 100644 index 7392319..0000000 --- a/yaml/cloudhq.yaml +++ /dev/null @@ -1,27 +0,0 @@ -Name: CloudHQ -Description: CloudHQ is a remote monitoring and management (RMM) tool. More information - will be added as it becomes available. -Author: '' -Created: '' -LastModified: '' -Details: - Website: '' - PEMetadata: - Filename: '' - OriginalFileName: '' - Description: '' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: [] - Capabilities: [] - Vulnerabilities: [] - InstallationPaths: [] -Artifacts: - Disk: [] - EventLog: [] - Registry: [] - Network: [] -Detections: [] -References: [] -Acknowledgement: [] diff --git a/yaml/cloudmounter.yaml b/yaml/cloudmounter.yaml deleted file mode 100644 index 2ed2d36..0000000 --- a/yaml/cloudmounter.yaml +++ /dev/null @@ -1,33 +0,0 @@ -Name: CloudMounter -Description: CloudMounter is a remote monitoring and management (RMM) tool. More information - will be added as it becomes available. -Author: '' -Created: '' -LastModified: '' -Details: - Website: '' - PEMetadata: - Filename: '' - OriginalFileName: '' - Description: '' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: [] - Capabilities: [] - Vulnerabilities: [] - InstallationPaths: - - C:\Program Files\CloudMounter\* - - '*\CloudMounter\*' - - '*\CloudMounter\*' - - '*\cloudmounter.exe' -Artifacts: - Disk: [] - EventLog: [] - Registry: [] - Network: [] -Detections: -- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudmounter_processes_sigma.yml - Description: Detects potential processes activity of CloudMounter RMM tool -References: [] -Acknowledgement: [] diff --git a/yaml/cloudsfer.yaml b/yaml/cloudsfer.yaml deleted file mode 100644 index 7397962..0000000 --- a/yaml/cloudsfer.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -Name: Cloudsfer -Description: Cloudsfer is a remote monitoring and management (RMM) tool. More information - will be added as it becomes available. -Author: '' -Created: '' -LastModified: '' -Details: - Website: '' - PEMetadata: - Filename: '' - OriginalFileName: '' - Description: '' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: [] - Capabilities: [] - Vulnerabilities: [] - InstallationPaths: [] -Artifacts: - Disk: [] - EventLog: [] - Registry: [] - Network: [] -Detections: [] -References: [] -Acknowledgement: [] diff --git a/yaml/cloudxplorer.yaml b/yaml/cloudxplorer.yaml deleted file mode 100644 index 77ca236..0000000 --- a/yaml/cloudxplorer.yaml +++ /dev/null @@ -1,32 +0,0 @@ -Name: CloudXplorer -Description: CloudXplorer is a remote monitoring and management (RMM) tool. More information - will be added as it becomes available. -Author: '' -Created: '' -LastModified: '' -Details: - Website: '' - PEMetadata: - Filename: '' - OriginalFileName: '' - Description: '' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: [] - Capabilities: [] - Vulnerabilities: [] - InstallationPaths: - - C:\Program Files\ClumsyLeaf Software\CloudXplorer\* - - '*\ClumsyLeaf Software\CloudXplorer\*' - - '*\clumsyleaf.cloudxplorer*.exe' -Artifacts: - Disk: [] - EventLog: [] - Registry: [] - Network: [] -Detections: -- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudxplorer_processes_sigma.yml - Description: Detects potential processes activity of CloudXplorer RMM tool -References: [] -Acknowledgement: [] diff --git a/yaml/connectwise_control.yaml b/yaml/connectwise_control.yaml index 5dd6756..d62b00c 100644 --- a/yaml/connectwise_control.yaml +++ b/yaml/connectwise_control.yaml @@ -19,6 +19,7 @@ Details: InstallationPaths: - connectwisechat-customer.exe - connectwisecontrol.client.exe + - screenconnect.windowsclient.exe Artifacts: Disk: [] EventLog: [] 
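Review bot: The consolidated `connectwise_control.yaml` picks up `screenconnect.windowsclient.exe` from the deleted `connectwisecontrol.yaml` but not `screenconnect.clientservice.exe`, which that file also listed under InstallationPaths; because the old entry is removed in the same commit, that process indicator disappears from the catalog and from anything generated from it. Adding `  - screenconnect.clientservice.exe` beside the new line keeps the merged entry a superset of the two it replaces. The Network hunk that follows carries `live.screenconnect.com` over and needs no further change on the evidence visible here.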
@@ -26,6 +27,7 @@ Artifacts: Network: - Description: Known remote domains Domains: + - live.screenconnect.com - control.connectwise.com Ports: [] Detections: diff --git a/yaml/connectwisecontrol.yaml b/yaml/connectwisecontrol.yaml deleted file mode 100644 index 5f5bef1..0000000 --- a/yaml/connectwisecontrol.yaml +++ /dev/null @@ -1,40 +0,0 @@ -Name: ConnectWise Control -Description: ConnectWise Control is a remote monitoring and management (RMM) tool. - More information will be added as it becomes available. -Author: '' -Created: '' -LastModified: '' -Details: - Website: '' - PEMetadata: - Filename: '' - OriginalFileName: '' - Description: '' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: [] - Capabilities: [] - Vulnerabilities: [] - InstallationPaths: - - screenconnect.clientservice.exe - - connectwisecontrol.client.exe - - screenconnect.windowsclient.exe - - connectwisechat-customer.exe -Artifacts: - Disk: [] - EventLog: [] - Registry: [] - Network: - - Description: Known remote domains - Domains: - - live.screenconnect.com - - control.connectwise.com - Ports: [] -Detections: -- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_network_sigma.yml - Description: Detects potential network activity of ConnectWise Control RMM tool -- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_processes_sigma.yml - Description: Detects potential processes activity of ConnectWise Control RMM tool -References: [] -Acknowledgement: [] diff --git a/yaml/core_ftp.yaml b/yaml/core_ftp.yaml deleted file mode 100644 index 76e5a50..0000000 --- a/yaml/core_ftp.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -Name: Core FTP -Description: Core FTP is a remote monitoring and management (RMM) tool. More information - will be added as it becomes available. -Author: '' -Created: '' -LastModified: '' -Details: - Website: '' - PEMetadata: - Filename: '' - OriginalFileName: '' - Description: '' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: [] - Capabilities: [] - Vulnerabilities: [] - InstallationPaths: - - C:\*\coreftplite.exe - - '*\coreftplite.exe' -Artifacts: - Disk: [] - EventLog: [] - Registry: [] - Network: [] -Detections: -- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/core_ftp_processes_sigma.yml - Description: Detects potential processes activity of Core FTP RMM tool -References: [] -Acknowledgement: [] diff --git a/yaml/cruz.yaml b/yaml/cruz.yaml deleted file mode 100644 index 1bf8239..0000000 --- a/yaml/cruz.yaml +++ /dev/null @@ -1,33 +0,0 @@ -Name: Cruz -Description: Cruz is a remote monitoring and management (RMM) tool. More information - will be added as it becomes available. -Author: '' -Created: '' -LastModified: '' -Details: - Website: '' - PEMetadata: - Filename: '' - OriginalFileName: '' - Description: '' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: [] - Capabilities: [] - Vulnerabilities: [] - InstallationPaths: [] -Artifacts: - Disk: [] - EventLog: [] - Registry: [] - Network: - - Description: Known remote domains - Domains: - - resources.doradosoftware.com/cruz-rmm - Ports: [] -Detections: -- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cruz_network_sigma.yml - Description: Detects potential network activity of Cruz RMM tool -References: [] -Acknowledgement: [] diff --git a/yaml/cuteftp.yaml b/yaml/cuteftp.yaml deleted file mode 100644 index ef26625..0000000 --- a/yaml/cuteftp.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ -Name: CuteFTP -Description: CuteFTP is a remote monitoring and management (RMM) tool. More information - will be added as it becomes available. -Author: '' -Created: '' -LastModified: '' -Details: - Website: '' - PEMetadata: - Filename: '' - OriginalFileName: '' - Description: '' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: [] - Capabilities: [] - Vulnerabilities: [] - InstallationPaths: - - C:\Program Files (x86)\Globalscape\CuteFTP\* - - '*\Globalscape\CuteFTP\*' - - '*\cuteftppro.exe' -Artifacts: - Disk: [] - EventLog: [] - Registry: [] - Network: [] -Detections: -- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cuteftp_processes_sigma.yml - Description: Detects potential processes activity of CuteFTP RMM tool -References: [] -Acknowledgement: [] diff --git a/yaml/cyberduck.yaml b/yaml/cyberduck.yaml deleted file mode 100644 index 82368f9..0000000 --- a/yaml/cyberduck.yaml +++ /dev/null @@ -1,32 +0,0 @@ -Name: Cyberduck -Description: Cyberduck is a remote monitoring and management (RMM) tool. More information - will be added as it becomes available. -Author: '' -Created: '' -LastModified: '' -Details: - Website: '' - PEMetadata: - Filename: '' - OriginalFileName: '' - Description: '' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: [] - Capabilities: [] - Vulnerabilities: [] - InstallationPaths: - - C:\Program Files\Cyberduck\* - - '*\Cyberduck\*' - - '*\Cyberduck.exe' -Artifacts: - Disk: [] - EventLog: [] - Registry: [] - Network: [] -Detections: -- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cyberduck_processes_sigma.yml - Description: Detects potential processes activity of Cyberduck RMM tool -References: [] -Acknowledgement: [] diff --git a/yaml/dameware-mini_remote_control_protocol.yaml b/yaml/dameware-mini_remote_control_protocol.yaml deleted file mode 100644 index 3df39f9..0000000 --- a/yaml/dameware-mini_remote_control_protocol.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -Name: Dameware-mini remote control Protocol -Description: Dameware-mini remote control Protocol is a remote monitoring and management - (RMM) tool. More information will be added as it becomes available. -Author: '' -Created: '' -LastModified: '' -Details: - Website: '' - PEMetadata: - Filename: '' - OriginalFileName: '' - Description: '' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: [] - Capabilities: [] - Vulnerabilities: [] - InstallationPaths: - - dntus*.exe - - dwrcs.exe -Artifacts: - Disk: [] - EventLog: [] - Registry: [] - Network: - - Description: Known remote domains - Domains: - - dameware.com - Ports: [] -Detections: -- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware-mini_remote_control_protocol_network_sigma.yml - Description: Detects potential network activity of Dameware-mini remote control - Protocol RMM tool -- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware-mini_remote_control_protocol_processes_sigma.yml - Description: Detects potential processes activity of Dameware-mini remote control - Protocol RMM tool -References: [] -Acknowledgement: [] diff --git a/yaml/dameware.yaml b/yaml/dameware.yaml index f0146ac..7ec75f0 100644 --- a/yaml/dameware.yaml +++ b/yaml/dameware.yaml @@ -21,6 +21,7 @@ Details: - DameWare Mini Remote Control*.exe - "C:\\Windows\\dwrcs\\*\n c:\\Program File\\SolarWinds\\Dameware Mini Remote Control\\\ *" + - dntus*.exe - dwrcs.exe - '*\dwrcs\*' - '*\dwrcst.exe' 
@@ -30,8 +31,15 @@ Artifacts: Disk: [] EventLog: [] Registry: [] - Network: [] + Network: + - Description: Known remote domains + Domains: + - dameware.com + Ports: [] Detections: +- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware-mini_remote_control_protocol_network_sigma.yml + Description: Detects potential network activity of Dameware-mini remote control + Protocol RMM tool - Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware_processes_sigma.yml Description: Detects potential processes activity of DameWare RMM tool References: diff --git a/yaml/datto.yaml b/yaml/datto.yaml deleted file mode 100644 index 3d66d27..0000000 --- a/yaml/datto.yaml +++ /dev/null @@ -1,33 +0,0 @@ -Name: Datto -Description: Datto is a remote monitoring and management (RMM) tool. More information - will be added as it becomes available. -Author: '' -Created: '' -LastModified: '' -Details: - Website: '' - PEMetadata: - Filename: '' - OriginalFileName: '' - Description: '' - Privileges: '' - Free: '' - Verification: '' - SupportedOS: [] - Capabilities: [] - Vulnerabilities: [] - InstallationPaths: [] -Artifacts: - Disk: [] - EventLog: [] - Registry: [] - Network: - - Description: Known remote domains - Domains: - - datto.com - Ports: [] -Detections: -- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/datto_network_sigma.yml - Description: Detects potential network activity of Datto RMM tool -References: [] -Acknowledgement: [] diff --git a/yaml/desktopcentral.yaml b/yaml/desktopcentral.yaml deleted file mode 100644 index ad359ad..0000000 --- a/yaml/desktopcentral.yaml +++ /dev/null 
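Review bot: The Sigma entry added to `dameware.yaml` still points at `dameware-mini_remote_control_protocol_network_sigma.yml` and describes the "Dameware-mini remote control Protocol RMM tool", the name of the entry this commit deletes; the other entries on the page use a rule path derived from the tool's own Name (see `dameware_processes_sigma.yml` two lines below), so if the sigma files are generated from the YAML this link will dangle once the deleted entry's rule is no longer produced. Changing it to `dameware_network_sigma.yml` with `Description: Detects potential network activity of DameWare RMM tool` keeps the entry self-consistent; whether the rule file is regenerated automatically or must be renamed alongside is not visible in this diff. The `dntus*.exe` path added in the first hunk carries over cleanly.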
@@ -1,36 +0,0 @@
-Name: Desktop Central
-Description: Desktop Central is a remote monitoring and management (RMM) tool. More
- information will be added as it becomes available.
-Author: ''
-Created: ''
-LastModified: ''
-Details:
- Website: ''
- PEMetadata:
- Filename: ''
- OriginalFileName: ''
- Description: ''
- Privileges: ''
- Free: ''
- Verification: ''
- SupportedOS: []
- Capabilities: []
- Vulnerabilities: []
- InstallationPaths:
- - dcagentservice.exe
-Artifacts:
- Disk: []
- EventLog: []
- Registry: []
- Network:
- - Description: Known remote domains
- Domains:
- - desktopcentral.manageengine.com
- Ports: []
-Detections:
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktop_central_network_sigma.yml
- Description: Detects potential network activity of Desktop Central RMM tool
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktop_central_processes_sigma.yml
- Description: Detects potential processes activity of Desktop Central RMM tool
-References: []
-Acknowledgement: []
diff --git a/yaml/distant_desktop.yaml b/yaml/distant_desktop.yaml
index 5e66a43..4ed239e 100644
--- a/yaml/distant_desktop.yaml
+++ b/yaml/distant_desktop.yaml
@@ -17,9 +17,9 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
- - distant-desktop.exe
- - dd.exe
 - ddsystem.exe
+ - dd.exe
+ - distant-desktop.exe
 Artifacts:
 Disk: []
 EventLog: []
diff --git a/yaml/distantdesktop.yaml b/yaml/distantdesktop.yaml
deleted file mode 100644
index 4ed239e..0000000
--- a/yaml/distantdesktop.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
-Name: Distant Desktop
-Description: Distant Desktop is a remote monitoring and management (RMM) tool. More
- information will be added as it becomes available.
-Author: ''
-Created: ''
-LastModified: 2/8/2024
-Details:
- Website: ''
- PEMetadata:
- Filename: ''
- OriginalFileName: ''
- Description: ''
- Privileges: ''
- Free: ''
- Verification: ''
- SupportedOS: []
- Capabilities: []
- Vulnerabilities: []
- InstallationPaths:
- - ddsystem.exe
- - dd.exe
- - distant-desktop.exe
-Artifacts:
- Disk: []
- EventLog: []
- Registry: []
- Network:
- - Description: Known remote domains
- Domains:
- - '*.distantdesktop.com'
- - '*signalserver.xyz'
- Ports: []
-Detections:
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_network_sigma.yml
- Description: Detects potential network activity of Distant Desktop RMM tool
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_processes_sigma.yml
- Description: Detects potential processes activity of Distant Desktop RMM tool
-References:
-- https://www.distantdesktop.com/manual/first-start.htm
-Acknowledgement: []
diff --git a/yaml/drivemaker.yaml b/yaml/drivemaker.yaml
deleted file mode 100644
index c336b31..0000000
--- a/yaml/drivemaker.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-Name: DriveMaker
-Description: DriveMaker is a remote monitoring and management (RMM) tool. More information
- will be added as it becomes available.
-Author: ''
-Created: ''
-LastModified: ''
-Details:
- Website: ''
- PEMetadata:
- Filename: ''
- OriginalFileName: ''
- Description: ''
- Privileges: ''
- Free: ''
- Verification: ''
- SupportedOS: []
- Capabilities: []
- Vulnerabilities: []
- InstallationPaths:
- - C:\*\DriveMaker.exe
- - '*\DriveMaker.exe'
-Artifacts:
- Disk: []
- EventLog: []
- Registry: []
- Network: []
-Detections:
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/drivemaker_processes_sigma.yml
- Description: Detects potential processes activity of DriveMaker RMM tool
-References: []
-Acknowledgement: []
diff --git a/yaml/dropbox.yaml b/yaml/dropbox.yaml
deleted file mode 100644
index d932383..0000000
--- a/yaml/dropbox.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-Name: Dropbox
-Description: Dropbox is a remote monitoring and management (RMM) tool. More information
- will be added as it becomes available.
-Author: ''
-Created: ''
-LastModified: ''
-Details:
- Website: ''
- PEMetadata:
- Filename: ''
- OriginalFileName: ''
- Description: ''
- Privileges: ''
- Free: ''
- Verification: ''
- SupportedOS: []
- Capabilities: []
- Vulnerabilities: []
- InstallationPaths:
- - C:\Program Files (x86)\Dropbox\Client\*
- - '*\Dropbox\Client\*'
- - '*\Dropbox.exe'
- - '*Users\*\Dropbox\bin\'
-Artifacts:
- Disk: []
- EventLog: []
- Registry: []
- Network: []
-Detections:
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dropbox_processes_sigma.yml
- Description: Detects potential processes activity of Dropbox RMM tool
-References: []
-Acknowledgement: []
diff --git a/yaml/dwservice.yaml b/yaml/dwservice.yaml
deleted file mode 100644
index 049edfe..0000000
--- a/yaml/dwservice.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-Name: DW Service
-Description: DW Service is a remote monitoring and management (RMM) tool. More information
- will be added as it becomes available.
-Author: ''
-Created: ''
-LastModified: 2/7/2024
-Details:
- Website: ''
- PEMetadata:
- Filename: ''
- OriginalFileName: ''
- Description: ''
- Privileges: ''
- Free: ''
- Verification: ''
- SupportedOS: []
- Capabilities: []
- Vulnerabilities: []
- InstallationPaths:
- - dwagent.exe
- - dwagsvc.exe
-Artifacts:
- Disk: []
- EventLog: []
- Registry: []
- Network:
- - Description: Known remote domains
- Domains:
- - '*.dwservice.net'
- Ports: []
-Detections:
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_network_sigma.yml
- Description: Detects potential network activity of DW Service RMM tool
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_processes_sigma.yml
- Description: Detects potential processes activity of DW Service RMM tool
-References:
-- https://news.dwservice.net/dwservice-security-infrastructure/
-Acknowledgement: []
diff --git a/yaml/electric.yaml b/yaml/electric.yaml
deleted file mode 100644
index 4d61b5f..0000000
--- a/yaml/electric.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-Name: Electric
-Description: Electric is a remote monitoring and management (RMM) tool. More information
- will be added as it becomes available.
-Author: ''
-Created: ''
-LastModified: ''
-Details:
- Website: ''
- PEMetadata:
- Filename: ''
- OriginalFileName: ''
- Description: ''
- Privileges: ''
- Free: ''
- Verification: ''
- SupportedOS: []
- Capabilities: []
- Vulnerabilities: []
- InstallationPaths: []
-Artifacts:
- Disk: []
- EventLog: []
- Registry: []
- Network:
- - Description: Known remote domains
- Domains:
- - electric.ai
- Ports: []
-Detections:
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/electric_network_sigma.yml
- Description: Detects potential network activity of Electric RMM tool
-References: []
-Acknowledgement: []
diff --git a/yaml/electric_ai_(kaseya).yaml b/yaml/electric_ai_(kaseya).yaml
index b3fa8c5..b4c8403 100644
--- a/yaml/electric_ai_(kaseya).yaml
+++ b/yaml/electric_ai_(kaseya).yaml
@@ -21,8 +21,14 @@ Artifacts:
 Disk: []
 EventLog: []
 Registry: []
- Network: []
-Detections: []
+ Network:
+ - Description: Known remote domains
+ Domains:
+ - electric.ai
+ Ports: []
+Detections:
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/electric_network_sigma.yml
+ Description: Detects potential network activity of Electric RMM tool
 References:
 - https://www.electric.ai/product/device-management-solutions - Usess Kaseya/jamf
 Acknowledgement: []
diff --git a/yaml/esetremoteadministrator.yaml b/yaml/esetremoteadministrator.yaml
deleted file mode 100644
index 718858a..0000000
--- a/yaml/esetremoteadministrator.yaml
+++ /dev/null
@@ -1,44 +0,0 @@
-Name: ESET Remote Administrator
-Description: ESET Remote Administrator is a remote monitoring and management (RMM)
- tool. More information will be added as it becomes available.
-Author: ''
-Created: ''
-LastModified: 2/7/2024
-Details:
- Website: ''
- PEMetadata:
- Filename: ''
- OriginalFileName: ''
- Description: ''
- Privileges: ''
- Free: ''
- Verification: ''
- SupportedOS: []
- Capabilities: []
- Vulnerabilities: []
- InstallationPaths:
- - einstaller.exe
- - era.exe
- - ERAAgent.exe
- - ezhelp*.exe
- - eratool.exe
-Artifacts:
- Disk: []
- EventLog: []
- Registry: []
- Network:
- - Description: Known remote domains
- Domains:
- - user_managed
- - eset.com/me/business/remote-management/remote-administrator/
- Ports: []
-Detections:
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_network_sigma.yml
- Description: Detects potential network activity of ESET Remote Administrator RMM
- tool
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_processes_sigma.yml
- Description: Detects potential processes activity of ESET Remote Administrator RMM
- tool
-References:
-- eset.com/me/business/remote-management/remote-administrator/
-Acknowledgement: []
diff --git a/yaml/expandrive.yaml b/yaml/expandrive.yaml
deleted file mode 100644
index b2c9fd3..0000000
--- a/yaml/expandrive.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-Name: ExpanDrive
-Description: ExpanDrive is a remote monitoring and management (RMM) tool. More information
- will be added as it becomes available.
-Author: ''
-Created: ''
-LastModified: ''
-Details:
- Website: ''
- PEMetadata:
- Filename: ''
- OriginalFileName: ''
- Description: ''
- Privileges: ''
- Free: ''
- Verification: ''
- SupportedOS: []
- Capabilities: []
- Vulnerabilities: []
- InstallationPaths:
- - C:\Users\*\ExpanDrive.exe
- - '*\ExpanDrive.exe'
-Artifacts:
- Disk: []
- EventLog: []
- Registry: []
- Network: []
-Detections:
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/expandrive_processes_sigma.yml
- Description: Detects potential processes activity of ExpanDrive RMM tool
-References: []
-Acknowledgement: []
diff --git a/yaml/filezilla.yaml b/yaml/filezilla.yaml
deleted file mode 100644
index e8af76e..0000000
--- a/yaml/filezilla.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-Name: FileZilla
-Description: FileZilla is a remote monitoring and management (RMM) tool. More information
- will be added as it becomes available.
-Author: ''
-Created: ''
-LastModified: ''
-Details:
- Website: ''
- PEMetadata:
- Filename: ''
- OriginalFileName: ''
- Description: ''
- Privileges: ''
- Free: ''
- Verification: ''
- SupportedOS: []
- Capabilities: []
- Vulnerabilities: []
- InstallationPaths:
- - C:\Program Files\FileZilla FTP Client\*
- - '*\FileZilla FTP Client\*'
- - '*\FileZilla.exe'
-Artifacts:
- Disk: []
- EventLog: []
- Registry: []
- Network: []
-Detections:
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/filezilla_processes_sigma.yml
- Description: Detects potential processes activity of FileZilla RMM tool
-References: []
-Acknowledgement: []
diff --git a/yaml/fixme.it.yaml b/yaml/fixme.it.yaml
deleted file mode 100644
index a9a1fc2..0000000
--- a/yaml/fixme.it.yaml
+++ /dev/null
@@ -1,52 +0,0 @@
-Name: FixMe.it
-Description: FixMe.it is a remote monitoring and management (RMM) tool. More information
- will be added as it becomes available.
-Author: ''
-Created: ''
-LastModified: 2/7/2024
-Details:
- Website: ''
- PEMetadata:
- Filename: ''
- OriginalFileName: ''
- Description: ''
- Privileges: ''
- Free: ''
- Verification: ''
- SupportedOS: []
- Capabilities: []
- Vulnerabilities: []
- InstallationPaths:
- - FixMeit Unattended Access Setup.exe
- - TiExpertStandalone.exe
- - FixMeitClient*.exe
- - FixMeit Client.exe
- - FixMeit Expert Setup.exe
- - TiExpertCore.exe
- - fixmeitclient.exe
- - TiClientCore.exe
- - TiClientHelper*.exe
- - no installation required | recommend blocking fixme[.]it SaaS portal
- - no installation required | recommend blocking fixme[.]it SaaS portal
- - 9380CC75B872221A7425D7503565B67580407F60
-Artifacts:
- Disk: []
- EventLog: []
- Registry: []
- Network:
- - Description: Known remote domains
- Domains:
- - '*.fixme.it'
- - '*.techinline.net'
- - fixme.it
- - '*set.me'
- - '*setme.net'
- Ports: []
-Detections:
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme.it_network_sigma.yml
- Description: Detects potential network activity of FixMe.it RMM tool
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme.it_processes_sigma.yml
- Description: Detects potential processes activity of FixMe.it RMM tool
-References:
-- https://docs.fixme.it/general-questions/which-ports-and-servers-does-fixme-it-use
-Acknowledgement: []
diff --git a/yaml/fixme.yaml b/yaml/fixme.yaml
index 21f6b31..e831932 100644
--- a/yaml/fixme.yaml
+++ b/yaml/fixme.yaml
@@ -1,9 +1,9 @@
-Name: FixMe
-Description: FixMe is a remote monitoring and management (RMM) tool. More information
+Name: FixMe.it
+Description: FixMe.it is a remote monitoring and management (RMM) tool. More information
 will be added as it becomes available.
 Author: ''
 Created: ''
-LastModified: ''
+LastModified: 2/7/2024
 Details:
 Website: ''
 PEMetadata:
@@ -23,6 +23,11 @@ Details:
 - TiExpertCore.exe
 - FixMeit Unattended Access Setup.exe
 - FixMeit Expert Setup.exe
+ - TiExpertCore.exe
+ - fixmeitclient.exe
+ - TiClientCore.exe
+ - TiClientHelper*.exe
+ - 9380CC75B872221A7425D7503565B67580407F60
 Artifacts:
 Disk: []
 EventLog: []
@@ -30,7 +35,11 @@ Artifacts:
 Network:
 - Description: Known remote domains
 Domains:
+ - '*.fixme.it'
+ - '*.techinline.net'
 - fixme.it
+ - '*set.me'
+ - '*setme.net'
 Ports: []
 Detections:
 - Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme_network_sigma.yml
diff --git a/yaml/fleetdeck.yaml b/yaml/fleetdeck.yaml
index 089d243..7747da5 100644
--- a/yaml/fleetdeck.yaml
+++ b/yaml/fleetdeck.yaml
@@ -1,5 +1,5 @@
-Name: FleetDeck
-Description: FleetDeck is a remote monitoring and management (RMM) tool. More information
+Name: FleetDeck.io
+Description: FleetDeck.io is a remote monitoring and management (RMM) tool. More information
 will be added as it becomes available.
 Author: ''
 Created: ''
@@ -18,6 +18,10 @@ Details:
 Vulnerabilities: []
 InstallationPaths:
 - fleetdeck_agent_svc.exe
+ - fleetdeck_commander_svc.exe
+ - fleetdeck_installer.exe
+ - fleetdeck_commander_launcher.exe
+ - fleetdeck_agent.exe
 Artifacts:
 Disk: []
 EventLog: []
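Review bot: The second fixme.yaml hunk adds `TiExpertCore.exe` although the identical entry is already present as the first context line of that hunk, and it appends `9380CC75B872221A7425D7503565B67580407F60` to InstallationPaths. That value is a 40-hex-digit string that looks like a file digest rather than a path or executable pattern, so any process/path rule derived from this list would carry a literal that can never match a path; drop the duplicate and move the digest to a hash-appropriate field if the schema has one, otherwise into References with a note on what it identifies. The third hunk's `'*set.me'` and `'*setme.net'` also lack a dot after the wildcard, so they match any hostname ending in those strings; worth confirming that is intended rather than `'*.set.me'`-style subdomain matching.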
@@ -25,12 +29,15 @@ Artifacts:
 Network:
 - Description: Known remote domains
 Domains:
+ - '*.fleetdeck.io'
+ - cognito-idp.us-west-2.amazonaws.com
 - fleetdeck.io
 Ports: []
 Detections:
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdeck_network_sigma.yml
- Description: Detects potential network activity of FleetDeck RMM tool
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdeck_processes_sigma.yml
- Description: Detects potential processes activity of FleetDeck RMM tool
-References: []
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdesk.io_network_sigma.yml
+ Description: Detects potential network activity of FleetDesk.io RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdesk.io_processes_sigma.yml
+ Description: Detects potential processes activity of FleetDesk.io RMM tool
+References:
+- https://fleetdeck.io/faq/
 Acknowledgement: []
diff --git a/yaml/fleetdeckio.yaml b/yaml/fleetdeckio.yaml
deleted file mode 100644
index 8014878..0000000
--- a/yaml/fleetdeckio.yaml
+++ /dev/null
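Review bot: The replacement Sigma entries spell the product `FleetDesk.io` and point at `fleetdesk.io_network_sigma.yml` / `fleetdesk.io_processes_sigma.yml`, but the Name set in this file's first hunk is `FleetDeck.io` and every domain listed is fleetdeck.io, so `FleetDesk` looks like a typo inherited from the deleted fleetdesk.io.yaml and should become `FleetDeck.io` in both descriptions and rule names. The new domain `cognito-idp.us-west-2.amazonaws.com` is the shared AWS Cognito endpoint for that region rather than anything FleetDeck-specific, so a network rule keyed on it will fire for every application that authenticates through Cognito in us-west-2. Either drop it or note in the Description that it is a high-false-positive indicator that needs process or client correlation before it is actionable.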
@@ -1,40 +0,0 @@
-Name: FleetDeck.io
-Description: FleetDeck.io is a remote monitoring and management (RMM) tool. More information
- will be added as it becomes available.
-Author: ''
-Created: ''
-LastModified: ''
-Details:
- Website: ''
- PEMetadata:
- Filename: ''
- OriginalFileName: ''
- Description: ''
- Privileges: ''
- Free: ''
- Verification: ''
- SupportedOS: []
- Capabilities: []
- Vulnerabilities: []
- InstallationPaths:
- - fleetdeck_agent_svc.exe
- - fleetdeck_commander_svc.exe
- - fleetdeck_installer.exe
- - fleetdeck_commander_launcher.exe
- - fleetdeck_agent.exe
-Artifacts:
- Disk: []
- EventLog: []
- Registry: []
- Network:
- - Description: Known remote domains
- Domains:
- - fleetdeck.io
- Ports: []
-Detections:
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdeck.io_network_sigma.yml
- Description: Detects potential network activity of FleetDeck.io RMM tool
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdeck.io_processes_sigma.yml
- Description: Detects potential processes activity of FleetDeck.io RMM tool
-References: []
-Acknowledgement: []
diff --git a/yaml/fleetdesk.io.yaml b/yaml/fleetdesk.io.yaml
deleted file mode 100644
index de8612a..0000000
--- a/yaml/fleetdesk.io.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-Name: FleetDesk.io
-Description: FleetDesk.io is a remote monitoring and management (RMM) tool. More information
- will be added as it becomes available.
-Author: ''
-Created: ''
-LastModified: 2/7/2024
-Details:
- Website: ''
- PEMetadata:
- Filename: ''
- OriginalFileName: ''
- Description: ''
- Privileges: ''
- Free: ''
- Verification: ''
- SupportedOS: []
- Capabilities: []
- Vulnerabilities: []
- InstallationPaths:
- - fleetdeck_agent_svc.exe
- - fleetdeck_commander_svc.exe
- - fleetdeck_installer.exe
- - fleetdeck_agent.exe
- - fleetdeck_commander_launcher.exe
-Artifacts:
- Disk: []
- EventLog: []
- Registry: []
- Network:
- - Description: Known remote domains
- Domains:
- - '*.fleetdeck.io'
- - cognito-idp.us-west-2.amazonaws.com
- - fleetdeck.io
- Ports: []
-Detections:
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdesk.io_network_sigma.yml
- Description: Detects potential network activity of FleetDesk.io RMM tool
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdesk.io_processes_sigma.yml
- Description: Detects potential processes activity of FleetDesk.io RMM tool
-References:
-- https://fleetdeck.io/faq/
-Acknowledgement: []
diff --git a/yaml/freefilesync.yaml b/yaml/freefilesync.yaml
deleted file mode 100644
index c8cd99e..0000000
--- a/yaml/freefilesync.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-Name: FreeFileSync
-Description: FreeFileSync is a remote monitoring and management (RMM) tool. More information
- will be added as it becomes available.
-Author: ''
-Created: ''
-LastModified: ''
-Details:
- Website: ''
- PEMetadata:
- Filename: ''
- OriginalFileName: ''
- Description: ''
- Privileges: ''
- Free: ''
- Verification: ''
- SupportedOS: []
- Capabilities: []
- Vulnerabilities: []
- InstallationPaths:
- - C:\Program Files\FreeFileSync\*
- - '*\FreeFileSync\*'
- - '*\FreeFileSync.exe'
-Artifacts:
- Disk: []
- EventLog: []
- Registry: []
- Network: []
-Detections:
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/freefilesync_processes_sigma.yml
- Description: Detects potential processes activity of FreeFileSync RMM tool
-References: []
-Acknowledgement: []
diff --git a/yaml/goodsync.yaml b/yaml/goodsync.yaml
deleted file mode 100644
index 9a557ab..0000000
--- a/yaml/goodsync.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-Name: GoodSync
-Description: GoodSync is a remote monitoring and management (RMM) tool. More information
- will be added as it becomes available.
-Author: ''
-Created: ''
-LastModified: ''
-Details:
- Website: ''
- PEMetadata:
- Filename: ''
- OriginalFileName: ''
- Description: ''
- Privileges: ''
- Free: ''
- Verification: ''
- SupportedOS: []
- Capabilities: []
- Vulnerabilities: []
- InstallationPaths:
- - installation requires paid version of GoodSync Server
- - installation requires paid version of GoodSync Server
- - GoodSync-vsub-Setup.exe
- - A40B81B36CDC2D24910FC58816E50DCDE21BD1A9
-Artifacts:
- Disk: []
- EventLog: []
- Registry: []
- Network: []
-Detections:
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/goodsync_processes_sigma.yml
- Description: Detects potential processes activity of GoodSync RMM tool
-References: []
-Acknowledgement: []
diff --git a/yaml/google_drive.yaml b/yaml/google_drive.yaml
deleted file mode 100644
index 72af780..0000000
--- a/yaml/google_drive.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-Name: Google Drive
-Description: Google Drive is a remote monitoring and management (RMM) tool. More information
- will be added as it becomes available.
-Author: ''
-Created: ''
-LastModified: ''
-Details:
- Website: ''
- PEMetadata:
- Filename: ''
- OriginalFileName: ''
- Description: ''
- Privileges: ''
- Free: ''
- Verification: ''
- SupportedOS: []
- Capabilities: []
- Vulnerabilities: []
- InstallationPaths:
- - C:\Program Files\Google\Drive File Stream\*
- - '*\Google\Drive File Stream\*'
- - '*Users\*\AppData\*\Google\DriveFS*'
- - G:\My Drive*
- - '*\GoogleDriveFS.exe'
-Artifacts:
- Disk: []
- EventLog: []
- Registry: []
- Network: []
-Detections:
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/google_drive_processes_sigma.yml
- Description: Detects potential processes activity of Google Drive RMM tool
-References: []
-Acknowledgement: []
diff --git a/yaml/manage_engine_(desktop_central).yaml b/yaml/manage_engine_(desktop_central).yaml
index 2e5f124..0822781 100644
--- a/yaml/manage_engine_(desktop_central).yaml
+++ b/yaml/manage_engine_(desktop_central).yaml
@@ -34,12 +34,9 @@ Artifacts:
 - '*.-dms.zoho.com.cn'
 Ports: []
 Detections:
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manage_engine__desktop_central__network_sigma.yml
- Description: Detects potential network activity of Manage Engine (Desktop Central)
- RMM tool
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manage_engine__desktop_central__processes_sigma.yml
- Description: Detects potential processes activity of Manage Engine (Desktop Central)
- RMM tool
-References:
- https://www.manageengine.com/products/desktop-central/help/domains-required-for-agent-communication.html
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktop_central_network_sigma.yml
+ Description: Detects potential network activity of Desktop Central RMM tool
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktop_central_processes_sigma.yml
+ Description: Detects potential processes activity of Desktop Central RMM tool
+References: []
 Acknowledgement: []
diff --git a/yaml/microsoft_onedrive.yaml b/yaml/microsoft_onedrive.yaml
deleted file mode 100644
index 9283d06..0000000
--- a/yaml/microsoft_onedrive.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-Name: Microsoft OneDrive
-Description: Microsoft OneDrive is a remote monitoring and management (RMM) tool.
- More information will be added as it becomes available.
-Author: ''
-Created: ''
-LastModified: ''
-Details:
- Website: ''
- PEMetadata:
- Filename: ''
- OriginalFileName: ''
- Description: ''
- Privileges: ''
- Free: ''
- Verification: ''
- SupportedOS: []
- Capabilities: []
- Vulnerabilities: []
- InstallationPaths: []
-Artifacts:
- Disk: []
- EventLog: []
- Registry: []
- Network: []
-Detections: []
-References: []
-Acknowledgement: []
diff --git a/yaml/microsoft_quick_assist.yaml b/yaml/microsoft_quick_assist.yaml
index 5104da1..2451082 100644
--- a/yaml/microsoft_quick_assist.yaml
+++ b/yaml/microsoft_quick_assist.yaml
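Review bot: The hunk replaces a populated `References:` list with `References: []`, dropping `https://www.manageengine.com/products/desktop-central/help/domains-required-for-agent-communication.html`, which is the vendor page that documents the agent domains kept in the Domains block just above (`'*.-dms.zoho.com.cn'` and the rest). Merging the deleted desktopcentral.yaml into this entry should take the union of both files' references rather than the deleted file's empty list, since that URL is the only provenance an analyst has for the network indicators. Restore the two lines `References:` / `- https://www.manageengine.com/products/desktop-central/help/domains-required-for-agent-communication.html` before `Acknowledgement: []`.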
@@ -3,7 +3,7 @@ Description: Microsoft Quick Assist is a remote monitoring and management (RMM)
 More information will be added as it becomes available.
 Author: ''
 Created: ''
-LastModified: 2/9/2024
+LastModified: ''
 Details:
 Website: ''
 PEMetadata:
@@ -26,6 +26,7 @@ Artifacts:
 - Description: Known remote domains
 Domains:
 - user_managed
+ - '*.support.services.microsoft.com'
 Ports: []
 Detections:
 - Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_quick_assist_network_sigma.yml
diff --git a/yaml/microsoft_rdp.yaml b/yaml/microsoft_rdp.yaml
index e0e0c38..03ef749 100644
--- a/yaml/microsoft_rdp.yaml
+++ b/yaml/microsoft_rdp.yaml
@@ -17,7 +17,9 @@ Details:
 Capabilities: []
 Vulnerabilities: []
 InstallationPaths:
+ - termsrv.exe
 - mstsc.exe
+ - Microsoft Remote Desktop
 Artifacts:
 Disk: []
 EventLog: []
diff --git a/yaml/microsoft_tsc.yaml b/yaml/microsoft_tsc.yaml
index 393b9f5..8f46d55 100644
--- a/yaml/microsoft_tsc.yaml
+++ b/yaml/microsoft_tsc.yaml
@@ -18,6 +18,7 @@ Details:
 Vulnerabilities: []
 InstallationPaths:
 - termsrv.exe
+ - mstsc.exe
 Artifacts:
 Disk: []
 EventLog: []
diff --git a/yaml/microsoftrdp.yaml b/yaml/microsoftrdp.yaml
deleted file mode 100644
index 03ef749..0000000
--- a/yaml/microsoftrdp.yaml
+++ /dev/null
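Review bot: The first microsoft_quick_assist.yaml hunk resets `LastModified: 2/9/2024` to `LastModified: ''` while the second hunk adds `'*.support.services.microsoft.com'`, so the entry loses its modification date at the very moment it is modified. Presumably the intent was to keep or bump the date rather than blank it; `LastModified: 2/9/2024` (or the date of this change) would be consistent with the other entries touched here, such as fixme.yaml, which set a date when gaining indicators.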
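Review bot: `Microsoft Remote Desktop` is added to InstallationPaths in microsoft_rdp.yaml, but it is a product display name rather than an executable or path pattern, so a process/path rule built from this list would carry a literal that cannot match; if it is meant to identify the Store app, the package or executable name belongs here and the display name in Description. After these hunks microsoft_rdp.yaml and microsoft_tsc.yaml both list `termsrv.exe` and `mstsc.exe`, which will yield two overlapping process detections for the same binaries; worth deciding whether both entries should list both or each should own one.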
@@ -1,33 +0,0 @@
-Name: Microsoft RDP
-Description: Microsoft RDP is a remote monitoring and management (RMM) tool. More
- information will be added as it becomes available.
-Author: ''
-Created: ''
-LastModified: 2/8/2024
-Details:
- Website: ''
- PEMetadata:
- Filename: ''
- OriginalFileName: ''
- Description: ''
- Privileges: ''
- Free: ''
- Verification: ''
- SupportedOS: []
- Capabilities: []
- Vulnerabilities: []
- InstallationPaths:
- - termsrv.exe
- - mstsc.exe
- - Microsoft Remote Desktop
-Artifacts:
- Disk: []
- EventLog: []
- Registry: []
- Network: []
-Detections:
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_rdp_processes_sigma.yml
- Description: Detects potential processes activity of Microsoft RDP RMM tool
-References:
-- https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/windows
-Acknowledgement: []
diff --git a/yaml/microsofttsc.yaml b/yaml/microsofttsc.yaml
deleted file mode 100644
index 8f46d55..0000000
--- a/yaml/microsofttsc.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-Name: Microsoft TSC
-Description: Microsoft TSC is a remote monitoring and management (RMM) tool. More
- information will be added as it becomes available.
-Author: ''
-Created: ''
-LastModified: 2/8/2024
-Details:
- Website: ''
- PEMetadata:
- Filename: ''
- OriginalFileName: ''
- Description: ''
- Privileges: ''
- Free: ''
- Verification: ''
- SupportedOS: []
- Capabilities: []
- Vulnerabilities: []
- InstallationPaths:
- - termsrv.exe
- - mstsc.exe
-Artifacts:
- Disk: []
- EventLog: []
- Registry: []
- Network: []
-Detections:
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_tsc_processes_sigma.yml
- Description: Detects potential processes activity of Microsoft TSC RMM tool
-References:
-- https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/terminal-server-startup-connection-application
-Acknowledgement: []
diff --git a/yaml/ocamlfuse.yaml b/yaml/ocamlfuse.yaml
deleted file mode 100644
index 8f34f50..0000000
--- a/yaml/ocamlfuse.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-Name: Ocamlfuse
-Description: Ocamlfuse is a remote monitoring and management (RMM) tool. More information
- will be added as it becomes available.
-Author: ''
-Created: ''
-LastModified: ''
-Details:
- Website: ''
- PEMetadata:
- Filename: ''
- OriginalFileName: ''
- Description: ''
- Privileges: ''
- Free: ''
- Verification: ''
- SupportedOS: []
- Capabilities: []
- Vulnerabilities: []
- InstallationPaths: []
-Artifacts:
- Disk: []
- EventLog: []
- Registry: []
- Network: []
-Detections: []
-References: []
-Acknowledgement: []
diff --git a/yaml/odrive.yaml b/yaml/odrive.yaml
deleted file mode 100644
index 62fa4b3..0000000
--- a/yaml/odrive.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-Name: ODrive
-Description: ODrive is a remote monitoring and management (RMM) tool. More information
- will be added as it becomes available.
-Author: ''
-Created: ''
-LastModified: ''
-Details:
- Website: ''
- PEMetadata:
- Filename: ''
- OriginalFileName: ''
- Description: ''
- Privileges: ''
- Free: ''
- Verification: ''
- SupportedOS: []
- Capabilities: []
- Vulnerabilities: []
- InstallationPaths:
- - C:\Users\*\current\
- - '*Users\*\.odrive'
- - '*\Odriveapp.exe'
-Artifacts:
- Disk: []
- EventLog: []
- Registry: []
- Network: []
-Detections:
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/odrive_processes_sigma.yml
- Description: Detects potential processes activity of ODrive RMM tool
-References: []
-Acknowledgement: []
diff --git a/yaml/pcloud.yaml b/yaml/pcloud.yaml
deleted file mode 100644
index 1c885f9..0000000
--- a/yaml/pcloud.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-Name: pCloud
-Description: pCloud is a remote monitoring and management (RMM) tool. More information
- will be added as it becomes available.
-Author: ''
-Created: ''
-LastModified: ''
-Details:
- Website: ''
- PEMetadata:
- Filename: ''
- OriginalFileName: ''
- Description: ''
- Privileges: ''
- Free: ''
- Verification: ''
- SupportedOS: []
- Capabilities: []
- Vulnerabilities: []
- InstallationPaths:
- - C:\Program Files (x86)\pCloud Drive\
- - '*\pCloud Drive\'
- - '*\pCloud.exe'
-Artifacts:
- Disk: []
- EventLog: []
- Registry: []
- Network: []
-Detections:
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcloud_processes_sigma.yml
- Description: Detects potential processes activity of pCloud RMM tool
-References: []
-Acknowledgement: []
diff --git a/yaml/proton_drive.yaml b/yaml/proton_drive.yaml
deleted file mode 100644
index a35ee38..0000000
--- a/yaml/proton_drive.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-Name: Proton Drive
-Description: Proton Drive is a remote monitoring and management (RMM) tool. More information
- will be added as it becomes available.
-Author: ''
-Created: ''
-LastModified: ''
-Details:
- Website: ''
- PEMetadata:
- Filename: ''
- OriginalFileName: ''
- Description: ''
- Privileges: ''
- Free: ''
- Verification: ''
- SupportedOS: []
- Capabilities: []
- Vulnerabilities: []
- InstallationPaths: []
-Artifacts:
- Disk: []
- EventLog: []
- Registry: []
- Network: []
-Detections: []
-References: []
-Acknowledgement: []
diff --git a/yaml/quick_assist.yaml b/yaml/quick_assist.yaml
deleted file mode 100644
index eac7728..0000000
--- a/yaml/quick_assist.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-Name: Quick Assist
-Description: Quick Assist is a remote monitoring and management (RMM) tool. More information
- will be added as it becomes available.
-Author: ''
-Created: ''
-LastModified: ''
-Details:
- Website: ''
- PEMetadata:
- Filename: ''
- OriginalFileName: ''
- Description: ''
- Privileges: ''
- Free: ''
- Verification: ''
- SupportedOS: []
- Capabilities: []
- Vulnerabilities: []
- InstallationPaths:
- - quickassist.exe
-Artifacts:
- Disk: []
- EventLog: []
- Registry: []
- Network: []
-Detections:
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quick_assist_processes_sigma.yml
- Description: Detects potential processes activity of Quick Assist RMM tool
-References: []
-Acknowledgement: []
diff --git a/yaml/raidrive.yaml b/yaml/raidrive.yaml
deleted file mode 100644
index 7c7e0b1..0000000
--- a/yaml/raidrive.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-Name: Raidrive
-Description: Raidrive is a remote monitoring and management (RMM) tool. More information
- will be added as it becomes available.
-Author: ''
-Created: ''
-LastModified: ''
-Details:
- Website: ''
- PEMetadata:
- Filename: ''
- OriginalFileName: ''
- Description: ''
- Privileges: ''
- Free: ''
- Verification: ''
- SupportedOS: []
- Capabilities: []
- Vulnerabilities: []
- InstallationPaths:
- - C:\*\OpenBoxLab\RaiDrive\*
- - '*\OpenBoxLab\RaiDrive\*'
- - service = raidrive_*
- - Computer\HKEY_LOCAL_MACHINE\SOFTWARE\OpenBoxLab\RaiDrive\Drives
-Artifacts:
- Disk: []
- EventLog: []
- Registry: []
- Network: []
-Detections: []
-References: []
-Acknowledgement: []
diff --git a/yaml/rclone.yaml b/yaml/rclone.yaml
deleted file mode 100644
index dd18a13..0000000
--- a/yaml/rclone.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-Name: rclone
-Description: rclone is a remote monitoring and management (RMM) tool. More information
-  will be added as it becomes available.
-Author: ''
-Created: ''
-LastModified: ''
-Details:
-  Website: ''
-  PEMetadata:
-    Filename: ''
-    OriginalFileName: ''
-    Description: ''
-  Privileges: ''
-  Free: ''
-  Verification: ''
-  SupportedOS: []
-  Capabilities: []
-  Vulnerabilities: []
-  InstallationPaths:
-  - portable tool. No install path
-  - portable tool. No install path
-  - rclone*.zip
-  - '*\rclone.exe'
-Artifacts:
-  Disk: []
-  EventLog: []
-  Registry: []
-  Network: []
-Detections:
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rclone_processes_sigma.yml
-  Description: Detects potential processes activity of rclone RMM tool
-References: []
-Acknowledgement: []
diff --git a/yaml/royal_server.yaml b/yaml/royal_server.yaml
index 7999560..5904c98 100644
--- a/yaml/royal_server.yaml
+++ b/yaml/royal_server.yaml
@@ -29,5 +29,6 @@ Artifacts:
 Detections:
 - Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_server_network_sigma.yml
   Description: Detects potential network activity of Royal Server RMM tool
-References: []
+References:
+- https://royalapps.com/server/main/features
 Acknowledgement: []
diff --git a/yaml/rsync.yaml b/yaml/rsync.yaml
deleted file mode 100644
index 3cfb752..0000000
--- a/yaml/rsync.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-Name: rsync
-Description: rsync is a remote monitoring and management (RMM) tool. More information
-  will be added as it becomes available.
-Author: ''
-Created: ''
-LastModified: ''
-Details:
-  Website: ''
-  PEMetadata:
-    Filename: ''
-    OriginalFileName: ''
-    Description: ''
-  Privileges: ''
-  Free: ''
-  Verification: ''
-  SupportedOS: []
-  Capabilities: []
-  Vulnerabilities: []
-  InstallationPaths: []
-Artifacts:
-  Disk: []
-  EventLog: []
-  Registry: []
-  Network: []
-Detections: []
-References: []
-Acknowledgement: []
diff --git a/yaml/teracloud.yaml b/yaml/teracloud.yaml
deleted file mode 100644
index 16563aa..0000000
--- a/yaml/teracloud.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-Name: TeraCLOUD
-Description: TeraCLOUD is a remote monitoring and management (RMM) tool. More information
-  will be added as it becomes available.
-Author: ''
-Created: ''
-LastModified: ''
-Details:
-  Website: ''
-  PEMetadata:
-    Filename: ''
-    OriginalFileName: ''
-    Description: ''
-  Privileges: ''
-  Free: ''
-  Verification: ''
-  SupportedOS: []
-  Capabilities: []
-  Vulnerabilities: []
-  InstallationPaths:
-  - c:\*\TeraCloud.Client*
-  - '*\TeraCloud.Client*'
-  - '*\Livedrive-Setup.exe'
-Artifacts:
-  Disk: []
-  EventLog: []
-  Registry: []
-  Network: []
-Detections:
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teracloud_processes_sigma.yml
-  Description: Detects potential processes activity of TeraCLOUD RMM tool
-References: []
-Acknowledgement: []
diff --git a/yaml/x2go.yaml b/yaml/x2go.yaml
index 79c86e7..d551a6a 100644
--- a/yaml/x2go.yaml
+++ b/yaml/x2go.yaml
@@ -23,5 +23,6 @@ Artifacts:
   Registry: []
   Network: []
 Detections: []
-References: []
+References:
+- https://wiki.x2go.org/doku.php
 Acknowledgement: []
