From f0c28f518afec83b015d54ab92106416442b1513 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Wed, 18 Sep 2024 20:11:35 +0000 Subject: [PATCH] Update generated site files --- website/next-env.d.ts | 2 +- website/pages/tools/beyondtrust__bomgar_.mdx | 4 +- .../pages/tools/eset_remote_administrator.mdx | 2 +- website/pages/tools/instant_housecall.mdx | 4 +- .../tools/itsupport247__connectwise_.mdx | 2 +- website/pages/tools/microsoft_tsc.mdx | 2 +- website/public/api/rmm_tools.csv | 612 +- website/public/api/rmm_tools.json | 14156 ++++++++-------- website/public/rmm_tools_table.csv | 596 +- 9 files changed, 7690 insertions(+), 7690 deletions(-) diff --git a/website/next-env.d.ts b/website/next-env.d.ts index a4a7b3f5..4f11a03d 100644 --- a/website/next-env.d.ts +++ b/website/next-env.d.ts @@ -2,4 +2,4 @@ /// // NOTE: This file should not be edited -// see https://nextjs.org/docs/pages/building-your-application/configuring/typescript for more information. +// see https://nextjs.org/docs/basic-features/typescript for more information. diff --git a/website/pages/tools/beyondtrust__bomgar_.mdx b/website/pages/tools/beyondtrust__bomgar_.mdx index d3001293..2bfce27d 100644 --- a/website/pages/tools/beyondtrust__bomgar_.mdx +++ b/website/pages/tools/beyondtrust__bomgar_.mdx @@ -23,7 +23,7 @@ BeyondTrust (Bomgar) is a remote monitoring and management (RMM) tool. More info /> #### Installation Paths - + @@ -36,7 +36,7 @@ BeyondTrust (Bomgar) is a remote monitoring and management (RMM) tool. More info #### Network Artifacts - + diff --git a/website/pages/tools/eset_remote_administrator.mdx b/website/pages/tools/eset_remote_administrator.mdx index 5a947bbb..3763a7f0 100644 --- a/website/pages/tools/eset_remote_administrator.mdx +++ b/website/pages/tools/eset_remote_administrator.mdx @@ -23,7 +23,7 @@ ESET Remote Administrator is a remote monitoring and management (RMM) tool. More /> #### Installation Paths - + 
diff --git a/website/pages/tools/instant_housecall.mdx b/website/pages/tools/instant_housecall.mdx index acda126f..b1262f56 100644 --- a/website/pages/tools/instant_housecall.mdx +++ b/website/pages/tools/instant_housecall.mdx @@ -23,7 +23,7 @@ Instant Housecall is a remote monitoring and management (RMM) tool. More informa /> #### Installation Paths - + @@ -36,7 +36,7 @@ Instant Housecall is a remote monitoring and management (RMM) tool. More informa #### Network Artifacts - + diff --git a/website/pages/tools/itsupport247__connectwise_.mdx b/website/pages/tools/itsupport247__connectwise_.mdx index 407424dd..75a7e65a 100644 --- a/website/pages/tools/itsupport247__connectwise_.mdx +++ b/website/pages/tools/itsupport247__connectwise_.mdx @@ -36,7 +36,7 @@ ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. Mor #### Network Artifacts - + diff --git a/website/pages/tools/microsoft_tsc.mdx b/website/pages/tools/microsoft_tsc.mdx index d20a1a4b..67737e36 100644 --- a/website/pages/tools/microsoft_tsc.mdx +++ b/website/pages/tools/microsoft_tsc.mdx @@ -23,7 +23,7 @@ Microsoft TSC is a remote monitoring and management (RMM) tool. More information /> #### Installation Paths - + diff --git a/website/public/api/rmm_tools.csv b/website/public/api/rmm_tools.csv index 1414cd7a..c3c86874 100644 --- a/website/public/api/rmm_tools.csv +++ b/website/public/api/rmm_tools.csv 
@@ -1,340 +1,340 @@ Name,Category,Description,Author,Created,LastModified,Website,Filename,OriginalFileName,PEDescription,Product,Privileges,Free,Verification,SupportedOS,Capabilities,Vulnerabilities,InstallationPaths,Artifacts,Detections,References,Acknowledgement -Rapid7,,Rapid7 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"ir_agent.exe, rapid7_agent_core.exe, rapid7_endpoint_broker.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.analytics.insight.rapid7.com"", ""*.endpoint.ingress.rapid7.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rapid7_network_sigma.yml"", ""Description"": ""Detects potential network activity of Rapid7 RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rapid7_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Rapid7 RMM tool""}]",https://docs.rapid7.com/insightvm/configure-communications-with-the-insight-platform/,[] -SunLogin,,SunLogin is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"OrayRemoteShell.exe, OrayRemoteService.exe, sunlogin*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""sunlogin.oray.com"", ""client.oray.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sunlogin_network_sigma.yml"", ""Description"": ""Detects potential network activity of SunLogin RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sunlogin_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SunLogin RMM tool""}]",https://sunlogin.oray.com/en/embed/software.html,[] -CloudFuze,,CloudFuze is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Box,,Box is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\Box\Box\*, *\Box\Box\*, *\Box.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/box_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Box RMM tool""}]",,[] -GoToAssist Agent Desktop Console,,GoToAssist Agent Desktop Console is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\G2RDesktopConsole-x64.msi, *\G2RDesktopConsole-x64.msi","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Kaseya (VSA),,"Kaseya (VSA) aka Unigma is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. 
-",Nasreddine Bencherchali,2024-08-05,2024-08-05,,agentmon.exe,,,,,,,,,,"C:\Program Files (x86)\Kaseya\, C:\ProgramData\Kaseya\","{""Disk"": [{""File"": ""%localappdata%\\Kaseya\\Log\\KaseyaLiveConnect\\*"", ""Description"": ""Kaseya Live Connect logs"", ""OS"": ""Windows""}, {""File"": ""~/Library/Logs/com.kaseya/KaseyaLiveConnect/*"", ""Description"": ""Kaseya Live Connect logs"", ""OS"": ""MacOS""}, {""File"": ""C:\\ProgramData\\Kaseya\\Log\\Endpoint\\*"", ""Description"": ""Kaseya Endpoint logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files*\\Kaseya\\*\\agentmon.log"", ""Description"": ""Kaseya Agent Monitor log""}, {""File"": ""/var/log/system.log"", ""Description"": ""Kaseya Agent Monitor log"", ""OS"": ""MacOS 32bit""}, {""File"": "" ~/opt/kaseya/*/logs*"", ""Description"": ""Kaseya Agent Monitor log"", ""OS"": ""MacOS 64bit""}, {""File"": ""C:\\Users\\*\\AppData\\Local\\Temp\\KASetup.log"", ""Description"": ""Kaseya Setup log in user temp directory"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\Temp\\KASetup.log"", ""Description"": ""Kaseya Setup log in Windows temp directory"", ""OS"": ""Windows""}, {""File"": ""C:\\ProgramData\\Kaseya\\Log\\KaseyaEdgeServices\\*"", ""Description"": ""Kaseya Edge Services logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Kaseya\\api\\v1.0\\logs\\"", ""Description"": ""Kaseya API logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Kaseya\\api\\v1.5\\endpoint\\logs"", ""Description"": ""Kaseya API logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Kaseya\\api\\v1.5\\endpoints\\logs"", ""Description"": ""Kaseya API logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Kaseya\\Log\\MakeSelfSignedCert.exe\\"", ""Description"": ""Certificate creation"", ""OS"": ""Windows""}, {""File"": ""C:\\Kaseya\\WebPages\\install\\makecert.txt"", ""Description"": ""Certificate creation"", ""OS"": ""Windows""}, {""File"": 
""C:\\ProgramData\\Kaseya\\Log\\Endpoint\\Instance_*\\KaseyaEndpoint*"", ""Description"": ""Endpoint service logs"", ""OS"": ""Windows""}, {""File"": ""C:\\ProgramData\\Kaseya\\Log\\Endpoint\\Instance_*\\Session_*"", ""Description"": ""Session logs"", ""OS"": ""Windows""}], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""deploy01.kaseya.com"", ""*managedsupport.kaseya.net"", ""*.kaseya.net"", ""kaseya.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kaseya__vsa__network_sigma.yml"", ""Description"": ""Detects potential network activity of Kaseya (VSA) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kaseya__vsa__files_sigma.yml"", ""Description"": ""Detects potential files activity of Kaseya (VSA) RMM tool""}]","https://helpdesk.kaseya.com/hc/en-gb/articles/229012608-Software-Deployment-URL-Port-Requirements, https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations, https://ruler-project.github.io/ruler-project/RULER/remote/Kaseya/, https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations",[] -PuTTY Tray,,PuTTY Tray is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\puttytray.exe, *\puttytray.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/putty_tray_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of PuTTY Tray RMM tool""}]",,[] -Azure Storage Explorer,,Azure Storage Explorer is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Microsoft Azure Storage Explorer\*, *\Microsoft Azure Storage Explorer\*, *\StorageExplorer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/azure_storage_explorer_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Azure Storage Explorer RMM tool""}]",,[] -SysAid,,SysAid is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\SysAidServer\*, *\SysAidServer\*, *\SysAid\*, *\IliAS.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sysaid_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SysAid RMM tool""}]",,[] -Domotz,,Domotz is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"domotz.exe, Domotz Pro Desktop App.exe, domotz_bash.exe, domotz*.exe, Domotz Pro Desktop App Setup*.exe, domotz-windows*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.domotz.co"", ""domotz.com"", ""*cell-1.domotz.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/domotz_network_sigma.yml"", ""Description"": ""Detects potential network activity of Domotz RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/domotz_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Domotz RMM tool""}]",https://help.domotz.com/tips-tricks/unblock-outgoing-connections-on-firewall/,[] -BeyondTrust,,BeyondTrust is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Netop Remote Control (aka Impero Connect),,Netop Remote Control (aka Impero Connect) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"nhostsvc.exe, nhstw32.exe, nldrw32.exe, rmserverconsolemediator.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""imperosoftware.com/impero-connect/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__aka_impero_connect__network_sigma.yml"", ""Description"": ""Detects potential network activity of Netop Remote Control (aka Impero Connect) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__aka_impero_connect__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Netop Remote Control (aka Impero Connect) RMM tool""}]",,[] -Bomgar - Now BeyondTrust,,Bomgar - Now BeyondTrust is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Microsoft TSC,,Microsoft TSC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,termsrv.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_tsc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Microsoft TSC RMM tool""}]",https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/terminal-server-startup-connection-application,[] -Jump Desktop,,Jump Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"jumpclient.exe, jumpdesktop.exe, jumpservice.exe, jumpconnect.exe, jumpupdater.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.jumpdesktop.com"", ""jumpdesktop.com"", ""jumpto.me"", ""*.jumpto.me""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_desktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of Jump Desktop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_desktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Jump Desktop RMM tool""}]",https://support.jumpdesktop.com/hc/en-us/articles/360042490351-Administrators-Guide-For-Jump-Desktop-Connect,[] -IntelliAdmin Remote Control,,IntelliAdmin Remote Control is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"iadmin.exe, intelliadmin.exe, agent32.exe, agent64.exe, agent_setup_5.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""*.intelliadmin.com"", ""intelliadmin.com/remote-control""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/intelliadmin_remote_control_network_sigma.yml"", ""Description"": ""Detects potential network activity of IntelliAdmin Remote Control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/intelliadmin_remote_control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of IntelliAdmin Remote Control RMM tool""}]",intelliadmin.com/remote-control,[] -Chrome SSH Extension,,Chrome SSH Extension is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\Extensions\iodihamcpbpeioajjeobimgagajmlibd*, *Users\*\AppData\Local\Google\Chrome\User Data\Default\Extensions\iodihamcpbpeioajjeobimgagajmlibd*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -ZeroTier,,ZeroTier is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"zerotier*.msi, zerotier*.exe, zero-powershell.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""zerotier.com"", ""*.zerotier.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zerotier_network_sigma.yml"", ""Description"": ""Detects potential network activity of ZeroTier RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zerotier_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ZeroTier RMM tool""}]",https://my.zerotier.com/,[] -Ericom AccessNow,,Ericom AccessNow is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"accessserver*.exe, accessserver.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""ericom.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_accessnow_network_sigma.yml"", ""Description"": ""Detects potential network activity of Ericom AccessNow RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_accessnow_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Ericom AccessNow RMM tool""}]",https://www.ericom.com/connect-accessnow/,[] -RealVNC,,RealVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +LabTeach (Connectwise Automate),,LabTeach (Connectwise Automate) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,ltsvc.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labteach__connectwise_automate__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of LabTeach (Connectwise Automate) RMM tool""}]",,[] +Zabbix Agent,,Zabbix Agent is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,zabbix_agent*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""zabbix.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zabbix_agent_network_sigma.yml"", ""Description"": ""Detects potential network activity of Zabbix Agent RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zabbix_agent_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Zabbix Agent RMM tool""}]",https://www.zabbix.com/documentation/current/en/manual/appendix/install/windows_agent,[] +Senso.cloud,,Senso.cloud is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"SensoClient.exe, SensoService.exe, aadg.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.senso.cloud"", ""senso.cloud""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/senso.cloud_network_sigma.yml"", ""Description"": ""Detects potential network activity of Senso.cloud RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/senso.cloud_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Senso.cloud RMM tool""}]",https://support.senso.cloud/support/solutions/articles/79000116305-firewall-and-content-filter-configuration,[] +I'm InTouch,,I'm InTouch is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"iit.exe, intouch.exe, I'm InTouch Go Installer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.01com.com"", ""01com.com/imintouch-remote-pc-desktop""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/i'm_intouch_network_sigma.yml"", ""Description"": ""Detects potential network activity of I'm InTouch RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/i'm_intouch_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of I'm InTouch RMM tool""}]",https://www.01com.com/mobile/imintouch-remote-pc-desktop/faqs/remote-access/,[] +RustDesk,,RustDesk is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rustdesk*.exe, rustdesk.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""rustdesk.com"", ""user_managed"", ""web.rustdesk.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rustdesk_network_sigma.yml"", ""Description"": ""Detects potential network activity of RustDesk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rustdesk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RustDesk RMM tool""}]",https://rustdesk.com/docs/en/,[] +Electric AI (Kaseya),,Electric AI (Kaseya) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],https://www.electric.ai/product/device-management-solutions - Usess Kaseya/jamf,[] +ZOC,,ZOC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\ZOC8\*, *\ZOC?\*, *\zoc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ZOC RMM tool""}]",,[] +Any Support,,Any Support is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/27/2024,,,,,,,,,,,,ManualLauncher.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.anysupport.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/any_support_network_sigma.yml"", ""Description"": ""Detects potential network activity of Any Support RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/any_support_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Any Support RMM tool""}]",https://www.anysupport.net/introduce_howto.php,[] +PDQ Connect,,PDQ Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,pdq-connect*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""app.pdq.com"", ""cfcdn.pdq.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pdq_connect_network_sigma.yml"", ""Description"": ""Detects potential network activity of PDQ Connect RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pdq_connect_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of PDQ Connect RMM tool""}]",https://connect.pdq.com/hc/en-us/articles/9518992071707-Network-Requirements,[] Pcnow,,Pcnow is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"mwcliun.exe, pcnmgr.exe, webexpcnow.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""au.pcmag.com/utilities/21470/webex-pcnow""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcnow_network_sigma.yml"", ""Description"": ""Detects potential network activity of Pcnow RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcnow_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pcnow RMM tool""}]",http://pcnow.webex.com/ - DOA as of 2024,[] -DesktopNow,,DesktopNow is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,desktopnow.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.nchuser.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktopnow_network_sigma.yml"", ""Description"": ""Detects potential network activity of DesktopNow RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktopnow_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DesktopNow RMM tool""}]",https://forums.ivanti.com/s/article/Network-Ports-used-by-Environment-Manager?language=en_US,[] -Pocket Controller (Soti Xsight),,Pocket Controller (Soti Xsight) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"pocketcontroller.exe, wysebrowser.exe, XSightService.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*soti.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller__soti_xsight__network_sigma.yml"", ""Description"": ""Detects potential network activity of Pocket Controller (Soti Xsight) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller__soti_xsight__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pocket Controller (Soti Xsight) RMM tool""}]",https://pulse.soti.net/support/soti-xsight/help/,[] -Instant Housecall,,Instant Housecall is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"hsloader.exe, ihcserver.exe, instanthousecall.exe, instanthousecall.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.instanthousecall.com"", ""*.instanthousecall.net"", ""instanthousecall.com"", ""secure.instanthousecall.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_network_sigma.yml"", ""Description"": ""Detects potential network activity of Instant Housecall RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Instant Housecall RMM tool""}]",https://instanthousecall.com/features/,[] +Quick Assist,,Quick Assist is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,quickassist.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quick_assist_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Quick Assist RMM tool""}]",,[] +Seetrol,,Seetrol is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"seetrolcenter.exe, seetrolclient.exe, seetrolmyservice.exe, seetrolremote.exe, seetrolsetting.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""seetrol.co.kr""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/seetrol_network_sigma.yml"", ""Description"": ""Detects potential network activity of Seetrol RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/seetrol_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Seetrol RMM tool""}]",http://www.seetrol.com/en/features/features3.php,[] +CarotDAV,,CarotDAV is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Rei Software\CarotDAV\*, *\Rei Software\CarotDAV\*, *\CarotDAV.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/carotdav_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of CarotDAV RMM tool""}]",,[] +Goverlan,,Goverlan is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"goverrmc.exe, govsrv*.exe, GovAgentInstallHelper.exe, GovAgentx64.exe, GovReachClient.exe, C:\Program Files (x86)\PJ Technologies\GOVsrv\*, *\PJ Technologies\GOVsrv\*, *\GovSrv.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""goverlan.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/goverlan_network_sigma.yml"", ""Description"": ""Detects potential network activity of Goverlan RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/goverlan_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Goverlan RMM tool""}]",https://www.goverlan.com/pdf/Goverlan-Remote-Control-Software.pdf,[] +OptiTune,,OptiTune is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"OTService.exe, OTPowerShell.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.optitune.us"", ""*.opti-tune.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/optitune_network_sigma.yml"", ""Description"": ""Detects potential network activity of OptiTune RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/optitune_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of OptiTune RMM tool""}]",https://www.bravurasoftware.com/optitune/support/faq.aspx,[] +EMCO Remote Console,,EMCO Remote Console is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,remoteconsole.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""emcosoftware.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/emco_remote_console_network_sigma.yml"", ""Description"": ""Detects potential network activity of EMCO Remote Console RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/emco_remote_console_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of EMCO Remote Console RMM tool""}]",,[] +N-Able Advanced Monitoring Agent,,N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"Agent_*_RW.exe, BASEClient.exe, BASupApp.exe, BASupSrvc.exe, BASupSrvcCnfg.exe, BASupTSHelper.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*remote.management"", ""*.logicnow.com"", ""*systemmonitor.us"", ""*systemmonitor.eu.com"", ""*system-monitor.com"", ""systemmonitor.us.cdn.cloudflare.net"", ""*cloudbackup.management"", ""*systemmonitor.co.uk"", ""*.n-able.com"", ""*.beanywhere.com "", ""*.swi-tc.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_network_sigma.yml"", ""Description"": ""Detects potential network activity of N-Able Advanced Monitoring Agent RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of N-Able Advanced Monitoring Agent RMM 
tool""}]",https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm,[] +Tailscale,,Tailscale is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"tailscale-*.exe, tailscaled.exe, tailscale-ipn.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.tailscale.com"", ""*.tailscale.io"", ""tailscale.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tailscale_network_sigma.yml"", ""Description"": ""Detects potential network activity of Tailscale RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tailscale_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Tailscale RMM tool""}]",https://tailscale.com/kb/1023/troubleshooting,[] +Pilixo,,Pilixo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rdp.exe, Pilixo_Installer*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""pilixo.com"", ""download.pilixo.com"", ""*.pilixo.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pilixo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Pilixo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pilixo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pilixo RMM tool""}]",https://pilixo.freshdesk.com/support/solutions/articles/9000141879-device-connectivity-and-firewalls,[] +Remote Desktop Manager (Devolutions),,Remote Desktop Manager (Devolutions) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +BeyondTrust (Bomgar),,BeyondTrust (Bomgar) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"bomgar-scc-*.exe, bomgar-scc.exe, bomgar-pac-*.exe, bomgar-pac.exe, bomgar-rdp.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.beyondtrustcloud.com"", ""*.bomgarcloud.com"", ""bomgarcloud.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__network_sigma.yml"", ""Description"": ""Detects potential network activity of BeyondTrust (Bomgar) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of BeyondTrust (Bomgar) RMM tool""}]",https://www.beyondtrust.com/docs/remote-support/getting-started/deployment/cloud/network.htm,[] +Alpemix,,"Alpemix is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. 
+",Nasreddine Bencherchali,2024-08-05,2024-08-05,https://www.alpemix.com/en/Home,Alpemix.exe,Alpemix,Alpemix,Alpemix,,,,"Windows, Linux, Android, Mac, IOS","5 Different Solutions for Remote Support, Access to Unattended Computers, Access to User Account Control (UAC) Screens, Add Your Own Logo, Auto Sizing, Automatic Update, Clipboard Transfer, Computer Independent Licensing, Contact List and Groups, Encrypted Communication, External Communication Barrier, File Transfer, Instant Messaging, Multi-Platform Support, Multiple Chat, Multiple Connections, No Port Forwarding Required, Peer to Peer Connection (p2p), Receiving Offline Message, Remote Restart, ReportingRestricting The Authority, Screen Sharing, Sending Announcement Message, Sharing a certain part of the screen, Video Recording, Voice Communication, Who is currently supporting?, Working in Black Screen Mode",,"C:\AlpemixService.exe, C:\AlpemixSrvc\","{""Disk"": [{""File"": ""%localappdata%\\Alpemix\\Alpemix.ini"", ""Description"": ""N/A"", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""AlpemixSrvc"", ""ImagePath"": ""*\\Alpemix.exe servicestartxxx"", ""Description"": ""Service installation event as result of Alpemix installation.""}], ""Registry"": [{""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Services\\AlpemixSrvcx"", ""Description"": ""N/A""}], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""*.alpemix.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.teknopars.com""], ""Ports"": [80]}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of Alpemix RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_network_sigma.yml"", ""Description"": ""Detects potential network activity of Alpemix RMM tool""}, 
{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_files_sigma.yml"", ""Description"": ""Detects potential files activity of Alpemix RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Alpemix RMM tool""}]",https://www.alpemix.com/en/remote-access,"[{""Person"": ""Nasreddine Bencherchali"", ""Handle"": ""@nas_bench""}]" +CloudBerry Explorer,,CloudBerry Explorer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\CloudBerryLab\CloudBerry Drive\*, *\CloudBerryLab\CloudBerry Drive\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Auvik,,Auvik is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"auvik.engine.exe, auvik.agent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.my.auvik.com"", ""*.auvik.com"", ""auvik.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/auvik_network_sigma.yml"", ""Description"": ""Detects potential network activity of Auvik RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/auvik_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Auvik RMM tool""}]",https://support.auvik.com/hc/en-us/articles/204315700-What-protocols-and-ports-does-the-Auvik-collector-use,[] +Microsoft RDP,,Microsoft RDP is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"termsrv.exe, mstsc.exe, Microsoft Remote Desktop","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_rdp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Microsoft RDP RMM tool""}]",https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/windows,[] +Microsoft OneDrive,,Microsoft OneDrive is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Tactical RMM,,Tactical RMM is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"tacticalrmm.exe, tacticalrmm.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""login.tailscale.com"", ""login.tailscale.com"", ""docs.tacticalrmm.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tactical_rmm_network_sigma.yml"", ""Description"": ""Detects potential network activity of Tactical RMM RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tactical_rmm_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Tactical RMM RMM tool""}]",docs.tacticalrmm.com,[] +MioNet (WD Anywhere Access),,MioNet (WD Anywhere Access) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"mionet.exe, mionetmanager.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mionet__wd_anywhere_access__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MioNet (WD Anywhere Access) RMM tool""}]",https://en.wikipedia.org/wiki/WD_Anywhere_Access - DOA as of 2016,[] +Comodo RMM,,Comodo RMM is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"itsmagent.exe, rviewer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.itsm-us1.comodo.com"", ""*mdmsupport.comodo.com"", ""one.comodo.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/comodo_rmm_network_sigma.yml"", ""Description"": ""Detects potential network activity of Comodo RMM RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/comodo_rmm_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Comodo RMM RMM tool""}]","https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html",[] +Pocket Controller,,Pocket Controller is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"pocketcontroller.exe, pocketcloudservice.exe, wysebrowser.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""soti.net/products/soti-pocket-controller""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller_network_sigma.yml"", ""Description"": ""Detects potential network activity of Pocket Controller RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pocket Controller RMM tool""}]",,[] +NordLocker,,NordLocker is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +ExpanDrive,,ExpanDrive is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\*\ExpanDrive.exe, *\ExpanDrive.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/expandrive_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ExpanDrive RMM tool""}]",,[] +OCS inventory,,OCS inventory is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"ocsinventory.exe, ocsservice.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""ocsinventory-ng.org""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ocs_inventory_network_sigma.yml"", ""Description"": ""Detects potential network activity of OCS inventory RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ocs_inventory_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of OCS inventory RMM tool""}]",https://ocsinventory-ng.org/?page_id=878&lang=en,[] +GotoHTTP,,GotoHTTP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"GotoHTTP_x64.exe, gotohttp.exe, GotoHTTP*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.gotohttp.com"", ""gotohttp.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotohttp_network_sigma.yml"", ""Description"": ""Detects potential network activity of GotoHTTP RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotohttp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of GotoHTTP RMM tool""}]",https://gotohttp.com/goto/help.12x,[] +CloudXplorer,,CloudXplorer is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\ClumsyLeaf Software\CloudXplorer\*, *\ClumsyLeaf Software\CloudXplorer\*, *\clumsyleaf.cloudxplorer*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudxplorer_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of CloudXplorer RMM tool""}]",,[] +Terminals,,Terminals is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +RPort,,RPort is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,rport.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""rport.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rport_network_sigma.yml"", ""Description"": ""Detects potential network activity of RPort RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rport_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RPort RMM tool""}]",https://kb.rport.io/using-the-remote-access,[] CentraStage (Now Datto),,CentraStage (Now Datto) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"CagService.exe, AEMAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.rmm.datto.com"", ""*cc.centrastage.net"", ""datto.com/au/products/rmm/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centrastage__now_datto__network_sigma.yml"", ""Description"": ""Detects potential network activity of CentraStage (Now Datto) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centrastage__now_datto__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of CentraStage (Now Datto) RMM tool""}]",https://rmm.datto.com/help/de/Content/1INTRODUCTION/Requirements/AllowListRequirements.htm,[] -Core FTP,,Core FTP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\coreftplite.exe, *\coreftplite.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/core_ftp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Core FTP RMM tool""}]",,[] -Insync,,Insync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\USERNAME\AppData\Roaming\Insync\App\Insync.exe, *Users\*\AppData\Roaming\Insync\App\Insync.exe, *\Insync.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/insync_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Insync RMM tool""}]",,[] -Microsoft TSC,,Microsoft TSC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"termsrv.exe, mstsc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_tsc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Microsoft TSC RMM tool""}]",https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/terminal-server-startup-connection-application,[] -LogMeIn rescue,,LogMeIn rescue is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"support-logmeinrescue*.exe, support-logmeinrescue.exe, lmi_rescue.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.logmeinrescue.com"", ""*.logmeinrescue.eu"", ""logmeinrescue.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_rescue_network_sigma.yml"", ""Description"": ""Detects potential network activity of LogMeIn rescue RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_rescue_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of LogMeIn rescue RMM tool""}]",https://support.logmeinrescue.com/rescue/help/allowlisting-and-rescue,[] -Electric AI (Kaseya),,Electric AI (Kaseya) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],https://www.electric.ai/product/device-management-solutions - Usess Kaseya/jamf,[] -Adobe Connect,,Adobe Connect is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/27/2024,,,,,,,,,,,,"ConnectAppSetup*.exe, ConnectShellSetup*.exe, Connect.exe, ConnectDetector.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.adobeconnect.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/adobe_connect_network_sigma.yml"", ""Description"": ""Detects potential network activity of Adobe Connect RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/adobe_connect_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Adobe Connect RMM tool""}]",https://helpx.adobe.com/adobe-connect/firewall-proxy-server-configuration-adobe-connect.html,[] -CloudFlare Tunnel,,CloudFlare Tunnel is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,cloudflared.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""cloudflare.com/products/tunnel/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudflare_tunnel_network_sigma.yml"", ""Description"": ""Detects potential network activity of CloudFlare Tunnel RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudflare_tunnel_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of CloudFlare Tunnel RMM tool""}]",cloudflare.com/products/tunnel/,[] -DriveMaker,,DriveMaker is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\DriveMaker.exe, *\DriveMaker.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/drivemaker_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DriveMaker RMM tool""}]",,[] +Instant Housecall,,Instant Housecall is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"hsloader.exe, InstantHousecall.exe, ihcserver.exe, instanthousecall.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.instanthousecall.com"", ""secure.instanthousecall.com"", ""*.instanthousecall.net"", ""instanthousecall.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_network_sigma.yml"", ""Description"": ""Detects potential network activity of Instant Housecall RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Instant Housecall RMM tool""}]",https://instanthousecall.com/features/,[] +CruzControl,,CruzControl is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],https://resources.doradosoftware.com/cruz-rmm,[] +Mikogo,,Mikogo is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"mikogo.exe, mikogo-starter.exe, mikogo-service.exe, mikogolauncher.exe, C:\Users\*\AppData\Roaming\Mikogo\*, *Users\*\AppData\Roaming\Mikogo\*, *\Mikogo-Service.exe, *\Mikogo-Screen-Service.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.real-time-collaboration.com"", ""*.mikogo4.com"", ""*.mikogo.com"", ""mikogo.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mikogo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Mikogo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mikogo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Mikogo RMM tool""}]",https://mikogo.zendesk.com/hc/en-us/articles/214072478-Which-IP-addresses-do-we-use-for-our-services,[] +mRemoteNG,,mRemoteNG is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"mRemoteNG.exe, C:\Program Files (x86)\mRemoteNG\*, *\mRemoteNG\*, *\mRemoteNG.exe, c:\Program Files (x86)%\mRemoteNG, *%\mRemoteNG, mRemoteNG-Installer-*.msi, *\mRemoteNG.exe","{""Disk"": [{""File"": ""C:\\Users\\*\\AppData\\Roaming\\mRemoteNG\\mRemoteNG.log"", ""Description"": ""mRemoteNG log file"", ""OS"": ""Windows""}, {""File"": ""C:\\Users\\*\\AppData\\Roaming\\mRemoteNG\\confCons.xml"", ""Description"": ""mRemoteNG configuration file"", ""OS"": ""Windows""}, {""File"": ""C:\\Users\\*\\AppData\\*\\mRemoteNG\\**10\\user.config"", ""Description"": ""mRemoteNG user configuration file"", ""OS"": ""Windows""}], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""mremoteng.org""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_network_sigma.yml"", ""Description"": ""Detects potential network activity of mRemoteNG RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_files_sigma.yml"", ""Description"": ""Detects potential files activity of mRemoteNG RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of mRemoteNG RMM tool""}]",https://github.com/mRemoteNG/mRemoteNG,[] +LabTech RMM (Now ConnectWise Automate),,LabTech RMM (Now ConnectWise Automate) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"ltsvc.exe, ltsvcmon.exe, lttray.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""connectwise.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labtech_rmm__now_connectwise_automate__network_sigma.yml"", ""Description"": ""Detects potential network activity of LabTech RMM (Now ConnectWise Automate) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labtech_rmm__now_connectwise_automate__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of LabTech RMM (Now ConnectWise Automate) RMM tool""}]",,[] +ScreenMeet,,ScreenMeet is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"ScreenMeetSupport.exe, ScreenMeet.Support.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.screenmeet.com"", ""*.scrn.mt""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenmeet_network_sigma.yml"", ""Description"": ""Detects potential network activity of ScreenMeet RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenmeet_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ScreenMeet RMM tool""}]",https://docs.screenmeet.com/docs/firewall-white-list,[] +RES Automation Manager,,RES Automation Manager is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"wisshell*.exe, wmc.exe, wmc_deployer.exe, wmcsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""ivanti.com/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/res_automation_manager_network_sigma.yml"", ""Description"": ""Detects potential network activity of RES Automation Manager RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/res_automation_manager_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RES Automation Manager RMM tool""}]",https://forums.ivanti.com/s/article/INFO-Which-ports-does-Ivanti-Automation-use?language=en_US&ui-force-components-controllers-recordGlobalValueProvider.RecordGvp.getRecord=1,[] +Anyplace Control,,Anyplace Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,apc_host.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""anyplace-control.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyplace_control_network_sigma.yml"", ""Description"": ""Detects potential network activity of Anyplace Control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyplace_control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Anyplace Control RMM tool""}]",http://www.anyplace-control.com/anyplace-control/help/faq.htm,[] +Dropbox,,Dropbox is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Dropbox\Client\*, *\Dropbox\Client\*, *\Dropbox.exe, *Users\*\Dropbox\bin\","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dropbox_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Dropbox RMM tool""}]",,[] +TightVNC,,TightVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"tvnviewer.exe, TightVNCViewerPortable*.exe, tvnserver.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""tightvnc.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tightvnc_network_sigma.yml"", ""Description"": ""Detects potential network activity of TightVNC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tightvnc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of TightVNC RMM tool""}]",https://www.tightvnc.com/doc/win/TightVNC_for_Windows-Installation_and_Getting_Started.pdf,[] +LiteManager,,LiteManager is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"lmnoipserver.exe, ROMFUSClient.exe, romfusclient.exe, romviewer.exe, romserver.exe, ROMServer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.litemanager.ru"", ""*.litemanager.com"", ""litemanager.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/litemanager_network_sigma.yml"", ""Description"": ""Detects potential network activity of LiteManager RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/litemanager_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of LiteManager RMM tool""}]",https://www.litemanager.com/articles/LiteManager_remote_access_to_a_desktop_via_the_Internet_or_LAN/,[] +Box,,Box is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\Box\Box\*, *\Box\Box\*, *\Box.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/box_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Box RMM tool""}]",,[] +Sophos-Remote Management System,,Sophos-Remote Management System is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"clientmrinit.exe, mgntsvc.exe, routernt.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.sophos.com"", ""*.sophosupd.com"", ""*.sophosupd.net"", ""community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sophos-remote_management_system_network_sigma.yml"", ""Description"": ""Detects potential network activity of Sophos-Remote Management System RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sophos-remote_management_system_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Sophos-Remote Management System RMM tool""}]",community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system,[] +ManageEngine,,ManageEngine is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"InstallShield Setup.exe, ManageEngine_Remote_Access_Plus.exe, *\dcagentservice.exe, C:\Program Files (x86)\DesktopCentral_Agent\bin\*, *\DesktopCentral_Agent\bin\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manageengine_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ManageEngine RMM tool""}]",,[] +Cloud Explorer,,Cloud Explorer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Splashtop Remote,,Splashtop Remote is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"strwinclt.exe, Splashtop_Streamer_Windows*.exe, SplashtopSOS.exe, sragent.exe, srmanager.exe, srserver.exe, srservice.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""splashtop.com"", ""*.api.splashtop.com"", ""*.relay.splashtop.com"", ""*.api.splashtop.eu""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_remote_network_sigma.yml"", ""Description"": ""Detects potential network activity of Splashtop Remote RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_remote_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Splashtop Remote RMM tool""}]",https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services,[] +Dameware-mini remote control Protocol,,Dameware-mini remote control Protocol is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"dntus*.exe, dwrcs.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""dameware.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware-mini_remote_control_protocol_network_sigma.yml"", ""Description"": ""Detects potential network activity of Dameware-mini remote control Protocol RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware-mini_remote_control_protocol_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Dameware-mini remote control Protocol RMM tool""}]",,[] +rdp2tcp,,rdp2tcp is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"tdp2tcp.exe, rdp2tcp.py","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""github.com/V-E-O/rdp2tcp""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdp2tcp_network_sigma.yml"", ""Description"": ""Detects potential network activity of rdp2tcp RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdp2tcp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of rdp2tcp RMM tool""}]",github.com/V-E-O/rdp2tcp,[] +FleetDesk.io,,FleetDesk.io is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"fleetdeck_agent_svc.exe, fleetdeck_commander_svc.exe, fleetdeck_installer.exe, fleetdeck_agent.exe, fleetdeck_commander_launcher.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.fleetdeck.io"", ""cognito-idp.us-west-2.amazonaws.com"", ""fleetdeck.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdesk.io_network_sigma.yml"", ""Description"": ""Detects potential network activity of FleetDesk.io RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdesk.io_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of FleetDesk.io RMM tool""}]",https://fleetdeck.io/faq/,[] +Jump Cloud,,Jump Cloud is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,JumpCloud*.exe ,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.api.jumpcloud.com"", ""*.assist.jumpcloud.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_cloud_network_sigma.yml"", ""Description"": ""Detects potential network activity of Jump Cloud RMM tool""}]",https://jumpcloud.com/support/understand-remote-assist-agent,[] +RuDesktop,,RuDesktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rd.exe, rudesktop*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.rudesktop.ru"", ""rudesktop.ru""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rudesktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of RuDesktop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rudesktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RuDesktop RMM tool""}]",https://rudesktop.ru,[] +LogMeIn,,"LogMeIn is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. 
+",Nasreddine Bencherchali,2024-08-05,2024-08-05,https://www.logmein.com/,lmiguardiansvc.exe,,,,,,,,,,None,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""logmein-gateway.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.logmein.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.logmein.eu""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""logmeinrescue.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.logmeininc.com""], ""Ports"": [443]}]}","[{""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml"", ""Description"": ""DNS Query To Remote Access Software Domain From Non-Browser App""}, {""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_remote_access_tools_logmein.yml"", ""Description"": ""Remote Access Tool - LogMeIn Execution""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_network_sigma.yml"", ""Description"": ""Detects potential network activity of LogMeIn RMM tool""}]",https://support.logmeininc.com/central/help/allowlisting-and-firewall-configuration,"[{""Person"": ""Nasreddine Bencherchali"", ""Handle"": ""@nas_bench""}]" +SmartFTP,,SmartFTP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\SmartFTP Client\en-US\, *\SmartFTP Client\*, *\SfShellTools.dll.mui","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +NetSupport Manager,,NetSupport Manager is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"pcictlui.exe, pcicfgui.exe, client32.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.netsupportmanager.com"", ""netsupportmanager.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_network_sigma.yml"", ""Description"": ""Detects potential network activity of NetSupport Manager RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NetSupport Manager RMM tool""}]",https://www.netsupportmanager.com/resources/,[] +Pocket Cloud (Wyse),,Pocket Cloud (Wyse) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"pocketcloud*.exe, pocketcloudservice.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_cloud__wyse__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pocket Cloud (Wyse) RMM tool""}]",https://wyse-pocketcloud.informer.com/2.1/,[] +Guacamole,,Guacamole is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,guacd.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""guacamole.apache.org""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/guacamole_network_sigma.yml"", ""Description"": ""Detects potential network activity of Guacamole RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/guacamole_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Guacamole RMM tool""}]",guacamole.apache.org,[] +Cloudsfer,,Cloudsfer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +LANDesk,,LANDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"issuser.exe, landeskagentbootstrap.exe, LANDeskPortalManager.exe, ldinv32.exe, ldsensors.exe, C:\Program Files (x86)\LANDesk\*, *\LANDesk\*, *\issuser.exe, *\softmon.exe, *\tmcsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.ivanticloud.com"", ""*.ivanti.com"", ""ivanti.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/landesk_network_sigma.yml"", ""Description"": ""Detects potential network activity of LANDesk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/landesk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of LANDesk RMM tool""}]",https://forums.ivanti.com/s/article/URL-exception-list-for-Ivanti-Security-Controls?language=en_US,[] +Cruz,,Cruz is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""resources.doradosoftware.com/cruz-rmm""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cruz_network_sigma.yml"", ""Description"": ""Detects potential network activity of Cruz RMM tool""}]",,[] +pcAnywhere,,pcAnywhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"awhost32.exe, awrem32.exe, pcaquickconnect.exe, winaw32.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcanywhere_network_sigma.yml"", ""Description"": ""Detects potential network activity of pcAnywhere RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcanywhere_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of pcAnywhere RMM tool""}]",https://en.wikipedia.org/wiki/PcAnywhere,[] mstsc,,mstsc is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Windows\System32\mstsc.exe, *Windows\System32\mstsc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mstsc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of mstsc RMM tool""}]",,[] -Parallels Access,,Parallels Access is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"parallelsaccess-*.exe, TSClient.exe, prl_deskctl_agent.exe, prl_deskctl_wizard.exe, prl_pm_service.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.parallels.com"", ""parallels.com/products/ras/try""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/parallels_access_network_sigma.yml"", ""Description"": ""Detects potential network activity of Parallels Access RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/parallels_access_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Parallels Access RMM tool""}]",https://kb.parallels.com/en/129097,[] -ConnectWise Control,,ConnectWise Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"connectwisechat-customer.exe, connectwisecontrol.client.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""control.connectwise.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_network_sigma.yml"", ""Description"": ""Detects potential network activity of ConnectWise Control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ConnectWise Control RMM tool""}]",,[] -Devolutions Remote Desktop Manager,,Devolutions Remote Desktop Manager is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -TigerVNC,,TigerVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"tigervnc*.exe, winvnc4.exe, C:\Program Files\TightVNC\*, *\TightVNC\*, *\tvnserver.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tigervnc_network_sigma.yml"", ""Description"": ""Detects potential network activity of TigerVNC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tigervnc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of TigerVNC RMM tool""}]",https://github.com/TigerVNC/tigervnc/releases,[] -Rocket Remote Desktop,,Rocket Remote Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"RDConsole.exe, RocketRemoteDesktop_Setup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rocket_remote_desktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Rocket Remote Desktop RMM tool""}]",,[] -NoteOn-desktop sharing,,NoteOn-desktop sharing is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"nateon*.exe, nateon.exe, nateonmain.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/noteon-desktop_sharing_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NoteOn-desktop sharing RMM tool""}]",,[] +FreeNX,,FreeNX is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\nxplayer.exe, *\nxplayer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/freenx_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of FreeNX RMM tool""}]",,[] +PSEXEC (Clone),,PSEXEC (Clone) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"paexec.exe, PAExec-*.exe, csexec.exe , remcom.exe, remcomsvc.exe, xcmd.exe, xcmdsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec__clone__network_sigma.yml"", ""Description"": ""Detects potential network activity of PSEXEC (Clone) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec__clone__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of PSEXEC (Clone) RMM tool""}]",https://www.poweradmin.com/paexec/,[] +SpyAnywhere,,SpyAnywhere is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,sysdiag.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.spytech-web.com"", ""spyanywhere.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/spyanywhere_network_sigma.yml"", ""Description"": ""Detects potential network activity of SpyAnywhere RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/spyanywhere_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SpyAnywhere RMM tool""}]",https://www.spyanywhere.com/support.shtml,[] +ODrive,,ODrive is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\*\current\, *Users\*\.odrive, *\Odriveapp.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/odrive_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ODrive RMM tool""}]",,[] +MultCloud,,MultCloud is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"requires sign up, requires sign up","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Visual Studio Dev Tunnel,,Visual Studio Dev Tunnel is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""global.rel.tunnels.api.visualstudio.com"", ""*.rel.tunnels.api.visualstudio.com"", ""*.devtunnels.ms""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/visual_studio_dev_tunnel_network_sigma.yml"", ""Description"": ""Detects potential network activity of Visual Studio Dev Tunnel RMM tool""}]",https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security,[] +Xpra,,Xpra is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Xpra\*, *\Xpra\*, *\Xpra-Launcher.exe, *\Xpra-x86_64_Setup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xpra_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Xpra RMM tool""}]",,[] +Royal Apps,,Royal Apps is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"royalserver.exe, royalts.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_apps_network_sigma.yml"", ""Description"": ""Detects potential network activity of Royal Apps RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_apps_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Royal Apps RMM tool""}]",https://www.royalapps.com/ts/win/download,[] +eHorus,,eHorus is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,ehorus standalone.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""ehorus.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ehorus_network_sigma.yml"", ""Description"": ""Detects potential network activity of eHorus RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ehorus_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of eHorus RMM tool""}]",,[] Bomgar,,Bomgar is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,bomgar-scc.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""beyondtrust.com/brand/bomgar""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bomgar_network_sigma.yml"", ""Description"": ""Detects potential network activity of Bomgar RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bomgar_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Bomgar RMM tool""}]",,[] -pCloud,,pCloud is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\pCloud Drive\, *\pCloud Drive\, *\pCloud.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcloud_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of pCloud RMM tool""}]",,[] -HelpU,,HelpU is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"helpu_install.exe, HelpuUpdater.exe, HelpuManager.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""helpu.co.kr"", ""*.helpu.co.kr""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpu_network_sigma.yml"", ""Description"": ""Detects potential network activity of HelpU RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpu_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of HelpU RMM tool""}]",https://helpu.co.kr/,[] -Splashtop Remote,,Splashtop Remote is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"strwinclt.exe, Splashtop_Streamer_Windows*.exe, SplashtopSOS.exe, sragent.exe, srmanager.exe, srserver.exe, srservice.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""splashtop.com"", ""*.api.splashtop.com"", ""*.relay.splashtop.com"", ""*.api.splashtop.eu""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_remote_network_sigma.yml"", ""Description"": ""Detects potential network activity of Splashtop Remote RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_remote_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Splashtop Remote RMM tool""}]",https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services,[] -X2Go,,X2Go is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Pocket Controller,,Pocket Controller is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"pocketcontroller.exe, pocketcloudservice.exe, wysebrowser.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""soti.net/products/soti-pocket-controller""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller_network_sigma.yml"", ""Description"": ""Detects potential network activity of Pocket Controller RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pocket Controller RMM tool""}]",,[] -Xshell,,Xshell is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\NetSarang\xShell\*, *\NetSarang\xShell\*, *\xShell.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xshell_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Xshell RMM tool""}]",,[] -Bitvise SSH Client,,Bitvise SSH Client is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Bitvise SSH Client\*, *\Bitvise SSH Client\*, *\BvSshClient-Inst.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bitvise_ssh_client_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Bitvise SSH Client RMM tool""}]",,[] -Royal Server,,Royal Server is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""royalapps.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_server_network_sigma.yml"", ""Description"": ""Detects potential network activity of Royal Server RMM tool""}]",,[] -Remote Manipulator System,,Remote Manipulator System is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rfusclient.exe, rutserv.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.internetid.ru"", ""rmansys.ru""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_manipulator_system_network_sigma.yml"", ""Description"": ""Detects potential network activity of Remote Manipulator System RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_manipulator_system_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remote Manipulator System RMM tool""}]",https://rmansys.ru/files/,[] -Manage Engine (Desktop Central),,Manage Engine (Desktop Central) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"dcagentservice.exe, dcagentregister.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""desktopcentral.manageengine.com"", ""desktopcentral.manageengine.com.eu"", ""desktopcentral.manageengine.cn"", ""*.dms.zoho.com"", ""*.dms.zoho.com.eu"", ""*.-dms.zoho.com.cn""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manage_engine__desktop_central__network_sigma.yml"", ""Description"": ""Detects potential network activity of Manage Engine (Desktop Central) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manage_engine__desktop_central__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Manage Engine (Desktop Central) RMM tool""}]",https://www.manageengine.com/products/desktop-central/help/domains-required-for-agent-communication.html,[] -Auvik,,Auvik is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"auvik.engine.exe, auvik.agent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.my.auvik.com"", ""*.auvik.com"", ""auvik.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/auvik_network_sigma.yml"", ""Description"": ""Detects potential network activity of Auvik RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/auvik_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Auvik RMM tool""}]",https://support.auvik.com/hc/en-us/articles/204315700-What-protocols-and-ports-does-the-Auvik-collector-use,[] -Basecamp,,Basecamp is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""basecamp.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/basecamp_network_sigma.yml"", ""Description"": ""Detects potential network activity of Basecamp RMM tool""}]",basecamp.com - No specific RMM tool listed,[] -Free Tools Launcher,,Free Tools Launcher is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\ManageEngine\ManageEngine Free Tools\Launcher\*, *\ManageEngine\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -aws-cli,,aws-cli is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\Amazon\AWSCLI\*, *\Amazon\AWSCLI\*, *\AWSCLIV*.msi, *\AWSCLISetup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aws-cli_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of aws-cli RMM tool""}]",,[] +SuperPuTTY,,SuperPuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Downloads\SuperPuTTY\*, *Downloads\SuperPuTTY\*, *\superputty.exe, *\SuperPuTTY\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superputty_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SuperPuTTY RMM tool""}]",,[] +ZeroTier,,ZeroTier is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"zerotier*.msi, zerotier*.exe, zero-powershell.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""zerotier.com"", ""*.zerotier.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zerotier_network_sigma.yml"", ""Description"": ""Detects potential network activity of ZeroTier RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zerotier_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ZeroTier RMM tool""}]",https://my.zerotier.com/,[] +Devolutions Remote Desktop Manager,,Devolutions Remote Desktop Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +BeAnyWhere,,BeAnyWhere is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"basuptshelper.exe, basupsrvcupdate.exe, BASupApp.exe, BASupSysInf.exe, BASupAppSrvc.exe, TakeControl.exe, BASupAppElev.exe, basupsrvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""beanywhere.en.uptodown.com/windows"", ""beanywhere.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beanywhere_network_sigma.yml"", ""Description"": ""Detects potential network activity of BeAnyWhere RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beanywhere_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of BeAnyWhere RMM tool""}]",https://www.shouldiremoveit.com/beanywhere-support-service-40908-program.aspx,[] +WebEx (Remote Access),,WebEx (Remote Access) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],https://help.webex.com/en-us/article/nyc3q0b/Set-Up-a-Computer-for-Remote-Access,[] AnyDesk,RMM,"AnyDesk is a popular remote desktop software that enables users to access and control a computer or device from a remote location. It was developed with the primary goal of facilitating remote work, technical support, and collaboration between individuals and teams. 
","Ali Alwashali, Nasreddine Bencherchali",2023-09-29,2024-08-02,https://anydesk.com/en,anydesk.exe,AnyDesk.exe,AnyDesk,AnyDesk,User,True,False,"Android, ChromeOS, IOS, Linux, Mac, Windows","File Transfer, File System Access, Remote Control, GUI Support, Command line Support",https://www.cvedetails.com/vulnerability-list/vendor_id-16953/product_id-40173/Anydesk-Anydesk.html,"C:\Program Files (x86)\AnyDesk\*, C:\Program Files\AnyDesk\*","{""Disk"": [{""File"": ""%programdata%\\AnyDesk\\ad_svc.trace"", ""Description"": ""AnyDesk service log file. As well as ad.trace, we can determine the IP address of the other participant and its AnyDesk ID when a connection is established."", ""OS"": ""Windows"", ""Example"": [""info 2022-08-23 10:20:11.969 gsvc 4628 3528 3 anynet.relay_conn - External address: 34.xx.xx.123:46798""]}, {""File"": ""%programdata%\\AnyDesk\\connection_trace.txt"", ""Description"": ""Incoming connection logs, contains IP Address of the remote machine and file transfer activity. Only generated on target side. The content indicates how the connection was approved (e.g. the local user authorized it, or a password was used)"", ""OS"": ""Windows"", ""Example"": [""Incoming 2022-08-23, 10:23 Passwd 547911884 547911884"", ""Incoming 2022-09-28, 12:39 User 442226597 442226597""]}, {""File"": ""%APPDATA%\\AnyDesk\\connection_trace.txt"", ""Description"": ""Incoming connection logs, contains IP Address of the remote machine and file transfer activity. Only generated on target side. The content indicates how the connection was approved (e.g. the local user authorized it, or a password was used)"", ""OS"": ""Windows"", ""Example"": [""Incoming 2022-08-23, 10:23 Passwd 547911884 547911884"", ""Incoming 2022-09-28, 12:39 User 442226597 442226597""]}, {""File"": ""%APPDATA%\\AnyDesk\\ad.trace"", ""Description"": ""AnyDesk user interface log file. In this log file, we can determine the IP address of the other participant and its AnyDesk ID. 
It is also possible to track events of file transfer. Below is the Client ID and external IP address of the remote participant."", ""OS"": ""Windows"", ""Example"": [""info 2022-09-28 12:39:26.845 lsvc 9952 9944 21 anynet.any_socket - Client-ID: 442226597 (FPR: 8e28a2a25b30)."", ""info 2022-09-28 12:39:26.845 lsvc 9952 9944 21 anynet.any_socket - Logged in from 12.xx.xx.21:59562 on relay 80e496c0.""]}, {""File"": ""%APPDATA%\\AnyDesk\\chat\\*.txt"", ""Description"": ""If the chat functionality is used, its entries will be printed in a text file in this folder."", ""OS"": ""Windows""}, {""File"": ""%APPDATA%\\AnyDesk\\user.conf"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%PROGRAMDATA%\\AnyDesk\\service.conf"", ""Description"": ""Password can be set to auto-validate the session. The password will be saved in a salted hash format."", ""OS"": ""Windows""}, {""File"": ""%APPDATA%\\AnyDesk\\service.conf"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%APPDATA%\\AnyDesk\\system.conf"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%PROGRAMDATA%\\AnyDesk\\system.conf"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\AnyDesk.lnk"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\AnyDesk\\Uninstall AnyDesk.lnk"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Users\\*\\Videos\\AnyDesk\\*.anydesk"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\SysWOW64\\config\\systemprofile\\AppData\\Roaming\\AnyDesk\\*"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""~/Library/Application Support/AnyDesk/Logs/"", ""Description"": ""N/A"", ""OS"": ""Mac""}, {""File"": ""~/.config/AnyDesk/Logs/"", ""Description"": ""N/A"", ""OS"": ""Linux""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", 
""LogFile"": ""System.evtx"", ""ServiceName"": ""AnyDesk Service"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\AnyDesk\\\\AnyDesk.exe\"" --service"", ""Description"": ""Service installation event as result of AnyDesk installation.""}], ""Registry"": [{""Path"": ""HKLM\\SOFTWARE\\Clients\\Media\\AnyDesk"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Services\\AnyDesk"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\Classes\\.anydesk\\shell\\open\\command"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\Classes\\AnyDesk\\shell\\open\\command"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\AnyDesk Printer\\*"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\DRIVERS\\DriverDatabase\\DeviceIds\\USBPRINT\\AnyDesk"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\DRIVERS\\DriverDatabase\\DeviceIds\\WSDPRINT\\AnyDesk"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\AnyDesk"", ""Description"": ""N/A""}], ""Network"": [{""Description"": ""During setup the boot.net.anydesk.com domain is request over port 443"", ""Domains"": [""boot.net.anydesk.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""relay-[a-f0-9]{8}.net.anydesk.com:443""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.anydesk.com""], ""Ports"": [443]}], ""Other"": [{""Type"": ""User-Agent"", ""Value"": ""AnyDesk/*""}, {""Type"": ""NamedPipe"", ""Value"": ""adprinterpipe""}]}","[{""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/builtin/system/service_control_manager/win_system_service_install_anydesk.yml"", ""Description"": ""Anydesk Remote Access Software Service Installation""}, {""Sigma"": 
""https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml"", ""Description"": ""N/A""}, {""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk.yml"", ""Description"": ""N/A""}, {""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml"", ""Description"": ""Remote Access Tool - AnyDesk Silent Installation""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of AnyDesk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_network_sigma.yml"", ""Description"": ""Detects potential network activity of AnyDesk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_files_sigma.yml"", ""Description"": ""Detects potential files activity of AnyDesk RMM tool""}]","https://support.anydesk.com/knowledge/firewall, https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html, https://github.com/mthcht/awesome-lists/tree/79ced75eebe53bcabf1235b3c17eb11788875482/Lists/RMM/anydesk, https://ruler-project.github.io/ruler-project/RULER/remote/AnyDesk/","[{""Person"": ""Th\u00e9o Letailleur"", ""Handle"": ""in/theosyn""}, {""Person"": ""Ali Alwashali"", ""Handle"": ""@ali_alwashali""}, {""Person"": ""Nasreddine Bencherchali"", ""Handle"": ""@nas_bench""}]" -AnyViewer,,"AnyViewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. 
-",@kostastsale,2024-08-03,2024-08-03,https://www.anyviewer.com/,AnyViewer.exe,AnyViewer,Splash Window,,System,up to 10 devices,None,Windows,"Remote desktop, Remote file transfer, Remote monitoring and management, Remote shell open",,C:\Program Files (x86)\AnyViewer\*,"{""Disk"": [], ""EventLog"": [{""EventID"": 4688, ""ProviderName"": ""Microsoft-Security-Auditing"", ""LogFile"": ""Security.evtx"", ""CommandLine"": ""\""C:\\\\Program Files (x86)\\\\AnyViewer\\\\AVCore.exe\"" -d"", ""Description"": ""Taking actions on the remote machine such as opening a command prompt.""}, {""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""RCService"", ""ImagePath"": ""C:\\\\Program Files (x86)\\\\AnyViewer\\\\RCService.exe"", ""Description"": ""AnyViewer service installation service.""}], ""Registry"": [], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""*.anyviewer.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.aomeisoftware.com""], ""Ports"": [443]}]}","[{""Name"": ""Arbitrary code execution and remote sessions via Action1 RMM"", ""Description"": ""Threat hunting rule for detecting the execution of arbitrary code and remote sessions via Action1 RMM"", ""author"": ""@kostastsale"", ""Link"": ""https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/Anyviewer.yml""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyviewer_network_sigma.yml"", ""Description"": ""Detects potential network activity of AnyViewer RMM tool""}]","https://www.anyviewer.com/how-to/how-to-open-firewall-ports-for-remote-desktop-0427-gc.html, https://www.anyviewer.com/help/remote-technical-support.html","[{""Person"": ""Kostas"", ""Handle"": ""@kostastsale""}]" +Free Ping Tool,,Free Ping Tool is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"can't find this one, can't find this one","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +S3 Browser,,S3 Browser is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\S3 Browser\*, *\S3 Browser\*, *\s3browser*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/s3_browser_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of S3 Browser RMM tool""}]",,[] +Azure Storage Explorer,,Azure Storage Explorer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Microsoft Azure Storage Explorer\*, *\Microsoft Azure Storage Explorer\*, *\StorageExplorer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/azure_storage_explorer_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Azure Storage Explorer RMM tool""}]",,[] +NinjaOne (formerly NinjaRMM),,NinjaOne (formerly NinjaRMM) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,*ProgramData\NinjaRMMAgent\*,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Adobe Connect,,Adobe Connect is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/27/2024,,,,,,,,,,,,"ConnectAppSetup*.exe, ConnectShellSetup*.exe, Connect.exe, ConnectDetector.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.adobeconnect.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/adobe_connect_network_sigma.yml"", ""Description"": ""Detects potential network activity of Adobe Connect RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/adobe_connect_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Adobe Connect RMM tool""}]",https://helpx.adobe.com/adobe-connect/firewall-proxy-server-configuration-adobe-connect.html,[] +CloudHQ,,CloudHQ is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Raidrive,,Raidrive is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\OpenBoxLab\RaiDrive\*, *\OpenBoxLab\RaiDrive\*, service = raidrive_*, Computer\HKEY_LOCAL_MACHINE\SOFTWARE\OpenBoxLab\RaiDrive\Drives","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +RemotePC,,RemotePC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"C:\Program Files (x86)\RemotePC\*, Idrive.File-Transfer, *\RemotePC\*, remotepcservice.exe, RemotePC.exe, remotepchost.exe, idrive.RemotePCAgent, rpcsuite.exe, *\RemotePCService.exe, RemotePCService.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.remotedesktop.com"", ""*.remotepc.com"", ""www.remotepc.com"", ""remotepc.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepc_network_sigma.yml"", ""Description"": ""Detects potential network activity of RemotePC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RemotePC RMM tool""}]",https://www.remotedesktop.com/helpdesk/faq-firewall,[] +LogMeIn rescue,,LogMeIn rescue is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"support-logmeinrescue*.exe, support-logmeinrescue.exe, lmi_rescue.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.logmeinrescue.com"", ""*.logmeinrescue.eu"", ""logmeinrescue.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_rescue_network_sigma.yml"", ""Description"": ""Detects potential network activity of LogMeIn rescue RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_rescue_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of LogMeIn rescue RMM tool""}]",https://support.logmeinrescue.com/rescue/help/allowlisting-and-rescue,[] +UltraViewer,,UltraViewer is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"UltraViewer_Service.exe, UltraViewer_setup*, UltraViewer_Desktop.exe, ultraviewer.exe, C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe, *\UltraViewer\, *\UltraViewer_Desktop.exe, ultraviewer_desktop.exe, ultraviewer_service.exe, UltraViewer_Desktop.exe, UltraViewer_setup*, UltraViewer_Service.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""* .ultraviewer.net"", ""ultraviewer.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultraviewer_network_sigma.yml"", ""Description"": ""Detects potential network activity of UltraViewer RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultraviewer_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of UltraViewer RMM tool""}]",https://www.ultraviewer.net/en/200000026-summary-of-ultraviewer-s-security-information.html,[] +aria2,,aria2 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\ProgramData\CentraStage\AEMAgent\*, *ProgramData\CentraStage\AEMAgent\*, *\Steinberg\Download Assistant\3rd Party\optional\aria2\*, *\aria2c.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aria2_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of aria2 RMM tool""}]",,[] +Pandora RC (eHorus),,Pandora RC (eHorus) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"ehorus standalone.exe, ehorus_agent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""portal.ehorus.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pandora_rc__ehorus__network_sigma.yml"", ""Description"": ""Detects potential network activity of Pandora RC (eHorus) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pandora_rc__ehorus__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pandora RC (eHorus) RMM tool""}]",https://pandorafms.com/manual/!current/en/documentation/09_pandora_rc/01_pandora_rc_introduction,[] +IntelliAdmin Remote Control,,IntelliAdmin Remote Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"iadmin.exe, intelliadmin.exe, agent32.exe, agent64.exe, agent_setup_5.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""*.intelliadmin.com"", ""intelliadmin.com/remote-control""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/intelliadmin_remote_control_network_sigma.yml"", ""Description"": ""Detects potential network activity of IntelliAdmin Remote Control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/intelliadmin_remote_control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of IntelliAdmin Remote Control RMM tool""}]",intelliadmin.com/remote-control,[] +MEGAsync,,MEGAsync is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\*\AppData\Local\MEGAsync\*, *Users\*\AppData\Local\MEGAsync\*, *Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*, *ProgramData\MEGAsync\*, *\MEGAsyncSetup64.exe, *\MEGAupdater.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/megasync_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MEGAsync RMM tool""}]",,[] +Encapto,,Encapto is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""encapto.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/encapto_network_sigma.yml"", ""Description"": ""Detects potential network activity of Encapto RMM tool""}]",https://www.encapto.com - used to manage Cisco services,[] +ShowMyPC,,ShowMyPC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"SMPCSetup.exe, showmypc*.exe, showmypc.exe, smpcsetup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.showmypc.com"", ""showmypc.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/showmypc_network_sigma.yml"", ""Description"": ""Detects potential network activity of ShowMyPC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/showmypc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ShowMyPC RMM tool""}]",https://showmypc.com/service/faq/ShowMyPCSecurityOverview1.pdf,[] +Lite Manager,,Lite Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\LiteManager Pro – Viewer\*, *\LiteManager Pro – Viewer\*, *\LMNoIpServer.exe.","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Netop Remote Control (aka Impero Connect),,Netop Remote Control (aka Impero Connect) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"nhostsvc.exe, nhstw32.exe, nldrw32.exe, rmserverconsolemediator.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""imperosoftware.com/impero-connect/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__aka_impero_connect__network_sigma.yml"", ""Description"": ""Detects potential network activity of Netop Remote Control (aka Impero Connect) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__aka_impero_connect__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Netop Remote Control (aka Impero Connect) RMM tool""}]",,[] +GoToAssist,,GoToAssist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"gotoassist.exe, g2a*.exe, GoTo Assist Opener.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""goto.com"", ""*.getgo.com"", ""*.fastsupport.com"", ""*.gotoassist.com"", ""helpme.net"", ""*.gotoassist.me"", ""*.gotoassist.at"", ""*.desktopstreaming.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotoassist_network_sigma.yml"", ""Description"": ""Detects potential network activity of GoToAssist RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotoassist_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of GoToAssist RMM tool""}]",https://help.gotoassist.com/remote-support/help/what-should-i-allow-on-my-firewall-for-gotoassist-remote-support-v5,[] +Ericom Connect,,Ericom Connect is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"EricomConnectRemoteHost*.exe, ericomconnnectconfigurationtool.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""ericom.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_connect_network_sigma.yml"", ""Description"": ""Detects potential network activity of Ericom Connect RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_connect_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Ericom Connect RMM tool""}]",https://www.ericom.com/connect-accessnow/,[] +TeamViewer,,"TeamViewer is a remote monitoring and management (RMM) tool. +","Nasreddine Bencherchali, Michael Haag",2024-08-02,2024-08-02,https://www.teamviewer.com/en,TeamViewer.exe,,,TeamViewer,user,True,False,"Android, ChromeOS, IOS, Linux, Mac, Windows",,https://www.cvedetails.com/vulnerability-list/vendor_id-11100/product_id-19942/Teamviewer-Teamviewer.html,"C:\Program Files\TeamViewer\, teamviewer_desktop.exe, teamviewer_service.exe, teamviewerhost","{""Disk"": [{""File"": ""C:\\Users\\\\AppData\\Local\\Temp\\TeamViewer\\TV15Install.log"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""TeamViewer\\d\\d_Logfile\\.log"", ""Description"": ""N/A"", ""OS"": ""Windows"", ""Type"": ""Regex""}, {""File"": ""C:\\Program Files\\TeamViewer\\Connections_incoming.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\TeamViewer\\TVNetwork.log"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%LOCALAPPDATA%\\Temp\\TeamViewer\\TV15Install.log"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%APPDATA%\\\\TeamViewer\\\\TeamViewer\\d\\d_Logfile\\.log"", ""Description"": ""N/A"", ""OS"": ""Windows"", ""Type"": ""Regex""}, {""File"": 
""teamviewerqs.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""tv_w32.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""tv_w64.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""tv_x64.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""teamviewer.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""teamviewer_service.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%LOCALAPPDATA%\\TeamViewer\\Database\\tvchatfilecache.db"", ""Description"": ""SQlite 3 database storing cache about TeamViewer chat"", ""OS"": ""Windows""}, {""File"": ""%LOCALAPPDATA%\\TeamViewer\\RemotePrinting\\tvprint.db"", ""Description"": ""SQlite 3 database storing TeamViewer print jobs"", ""OS"": ""Windows""}, {""File"": ""%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\TeamViewer.lnk"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files*\\TeamViewer\\connections*.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Users\\*\\AppData\\Roaming\\TeamViewer\\MRU\\RemoteSupport\\*tvc"", ""Description"": ""N/A"", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""TeamViewer"", ""ImagePath"": ""\""C:\\\\Program Files\\\\TeamViewer\\\\TeamViewer_Service.exe\"""", ""Description"": ""Service installation event as result of TeamViewer installation.""}], ""Registry"": [{""Path"": ""HKLM\\SOFTWARE\\TeamViewer\\*"", ""Description"": ""N/A""}, {""Path"": ""HKU\\\\SOFTWARE\\TeamViewer\\*"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Services\\TeamViewer\\*"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\TeamViewer\\ConnectionHistory"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\TeamViewer\\*"", ""Description"": ""N/A""}, {""Path"": 
""HKU\\SID\\SOFTWARE\\TeamViewer\\MainWindowHandle"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImage"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImagePath"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImagePosition"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\MinimizeToTray"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioUserSelectedCapturingEndpoint"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioSendingVolumeV2"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioUserSelectedRenderingEndpoint"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\TeamViewer\\ConnectionHistory"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\ClientWindow_Mode"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\ClientWindowPositions"", ""Description"": ""N/A""}], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.teamviewer.com""], ""Ports"": []}, {""Description"": ""N/A"", ""Domains"": [""router15.teamviewer.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""client.teamviewer.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""taf.teamviewer.com""], ""Ports"": [443]}], ""Other"": [{""Type"": ""Mutex"", ""Value"": ""TeamViewer_LogMutex""}, {""Type"": ""Mutex"", ""Value"": ""TeamViewerHooks_DynamicMemMutex""}, {""Type"": ""Mutex"", ""Value"": ""TeamViewer3_Win32_Instance_Mutex""}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of TeamViewer RMM tool""}, {""Sigma"": 
""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_network_sigma.yml"", ""Description"": ""Detects potential network activity of TeamViewer RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_files_sigma.yml"", ""Description"": ""Detects potential files activity of TeamViewer RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of TeamViewer RMM tool""}]","https://community.teamviewer.com/English/kb/articles/4139-ports-used-by-teamviewer, https://arista.my.site.com/AristaCommunity/s/article/Security-Analysis-TeamViewer#, https://www.teamviewer.com/en/global/support/knowledge-base/teamviewer-classic/troubleshooting/log-file-reading-incoming-connection/, https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html, https://github.com/Purp1eW0lf/Blue-Team-Notes","[{""Person"": ""Th\u00e9o Letailleur"", ""Handle"": ""in/theosyn""}]" +Access Remote PC,,Access Remote PC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"rpcgrab.exe, rpcsetup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/access_remote_pc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Access Remote PC RMM tool""}]",,[] DW Service,,DW Service is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"dwagent.exe, dwagsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.dwservice.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_network_sigma.yml"", ""Description"": ""Detects potential network activity of DW Service RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DW Service RMM tool""}]",https://news.dwservice.net/dwservice-security-infrastructure/,[] -Level,,Level is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""level.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level_network_sigma.yml"", ""Description"": ""Detects potential network activity of Level RMM tool""}]",,[] -Site24x7,,Site24x7 is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/13/2024,,,,,,,,,,,,"MEAgentHelper.exe, MonitoringAgent.exe, Site24x7WindowsAgentTrayIcon.exe, Site24x7PluginAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""plus*.site24x7.com"", ""plus*.site24x7.eu"", ""plus*.site24x7.in"", ""plus*.site24x7.cn"", ""plus*.site24x7.net.au"", ""site24x7.com/msp""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/site24x7_network_sigma.yml"", ""Description"": ""Detects potential network activity of Site24x7 RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/site24x7_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Site24x7 RMM tool""}]",https://support.site24x7.com/portal/en/kb/articles/which-ports-do-i-need-to-allow-access-in-my-firewall-to-use-site24x7-agent,[] -Cloudsfer,,Cloudsfer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -ScreenConnect,,ScreenConnect is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,"Ali Alwashali, Nasreddine Bencherchali",2023-10-01,2024-08-03,https://www.connectwise.com,,,,,,14-Days Free Trial,,"Android, IOS, Linux, Mac, Windows","Command Line Support, File Transfer, Install Windows updates, Receive notification when user performs a predefined event, Remote Command Line, Remote Control, Sound Capture, Start / Stop services, View event logs",,"C:\Program Files (x86)\ScreenConnect Client (Random)\ScreenConnect.ClientService.exe, Remote Workforce Client.exe, *\*\ScreenConnect.ClientService.exe, C:\Program Files (x86)\ScreenConnect Client ()\*, *\ScreenConnect Client*\*, *\*\ScreenConnect.WindowsClient.exe, screenconnect*.exe, screenconnect.windowsclient.exe, Remote Workforce Client.exe, screenconnect*.exe, ConnectWiseControl*.exe, connectwise*.exe, screenconnect.windowsclient.exe, screenconnect.clientservice.exe","{""Disk"": [{""File"": ""C:\\Program Files*\\ScreenConnect\\App_Data\\Session.db"", ""Description"": ""ScreenConnect session database"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files*\\ScreenConnect\\App_Data\\User.xml"", ""Description"": ""ScreenConnect user configuration"", ""OS"": ""Windows""}, {""File"": ""C:\\ProgramData\\ScreenConnect Client*\\user.config"", ""Description"": ""ScreenConnect client user configuration"", ""OS"": ""Windows""}], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""control.connectwise.com"", ""*.connectwise.com"", ""*.screenconnect.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_network_sigma.yml"", ""Description"": ""Detects potential network activity of ScreenConnect RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_files_sigma.yml"", ""Description"": ""Detects potential files activity of ScreenConnect RMM tool""}, {""Sigma"": 
""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ScreenConnect RMM tool""}]",https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours/,[] -SmartFTP,,SmartFTP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\SmartFTP Client\en-US\, *\SmartFTP Client\*, *\SfShellTools.dll.mui","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -SpyAnywhere,,SpyAnywhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,sysdiag.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.spytech-web.com"", ""spyanywhere.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/spyanywhere_network_sigma.yml"", ""Description"": ""Detects potential network activity of SpyAnywhere RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/spyanywhere_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SpyAnywhere RMM tool""}]",https://www.spyanywhere.com/support.shtml,[] +SecureCRT,,SecureCRT is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\SecureCRT.EXE, *\SecureCRT.EXE, *\VanDyke Software\ClientPack\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/securecrt_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SecureCRT RMM tool""}]",,[] +Acronic Cyber Protect (Remotix),,Acronic Cyber Protect (Remotix) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"AcronisCyberProtectConnectQuickAssist*.exe, AcronisCyberProtectConnectAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""cloud.acronis.com"", ""agents*-cloud.acronis.com"", ""gw.remotix.com"", ""connect.acronis.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/acronic_cyber_protect__remotix__network_sigma.yml"", ""Description"": ""Detects potential network activity of Acronic Cyber Protect (Remotix) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/acronic_cyber_protect__remotix__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Acronic Cyber Protect (Remotix) RMM tool""}]",https://kb.acronis.com/content/47189,[] +Sorillus,,Sorillus is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"Sorillus-Launcher*.exe, Sorillus Launcher.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.sorillus.com"", ""sorillus.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sorillus_network_sigma.yml"", ""Description"": ""Detects potential network activity of Sorillus RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sorillus_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Sorillus RMM tool""}]",https://sorillus.com/,[] +Barracuda,,Barracuda is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.islonline.net"", ""rmm.barracudamsp.com"", ""barracudamsp.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/barracuda_network_sigma.yml"", ""Description"": ""Detects potential network activity of Barracuda RMM tool""}]",https://help.islonline.com/19799/166125,[] +DeskDay,,DeskDay is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,ultimate_*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""deskday.ai"", ""app.deskday.ai""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskday_network_sigma.yml"", ""Description"": ""Detects potential network activity of DeskDay RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskday_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DeskDay RMM tool""}]",https://support.deskday.ai/en/articles/8235973-installing-the-end-user-application-ultimate,[] +RemoteCall,,RemoteCall is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rcengmgru.exe, rcmgrsvc.exe, rxstartsupport.exe, rcstartsupport.exe, raautoup.exe, agentu.exe, remotesupportplayeru.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.remotecall.com"", ""*.startsupport.com"", ""remotecall.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotecall_network_sigma.yml"", ""Description"": ""Detects potential network activity of RemoteCall RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotecall_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RemoteCall RMM tool""}]",https://help.remotecall.com/hc/en-us/articles/360005128814--RemoteCall-Server-List-For-Firewall,[] +Splashtop,,Splashtop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,Nasreddine Bencherchali,,,,,,,,,,,,,,"C:\Program Files (x86)\Splashtop\*, *\Splashtop\Splashtop Remote\Client for RMM\*, strwinclt.exe","{""Disk"": [{""File"": ""C:\\windows\\System32\\winevt\\Logs\\Splashtop-Splashtop Streamer-Status%4Operational.evtx"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\windows\\System32\\winevt\\Logs\\Splashtop-Splashtop Streamer-Remote Session%4Operational.evtx"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%PROGRAMDATA%\\Splashtop\\Temp\\log\\FTCLog.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\agent_log.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\SPLog.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\svcinfo.txt"", 
""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\sysinfo.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRService.exe"", ""Description"": ""Splashtop Remote Service"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRAgent.exe"", ""Description"": ""SplashTop Remote Agent"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Software Updater\\SSUAgent.exe"", ""Description"": ""Splashtop Updater"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRUtility.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRFeature.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\db\\SRAgent.sqlite3"", ""Description"": ""N/A"", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""Splashtop Software Updater Service"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Software Updater\\\\SSUService.exe\"""", ""Description"": ""Service installation event as result of Splashtop Software Updater Service installation.""}, {""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""Splashtop\u00ae Remote Service"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Remote\\\\Server\\\\SRService.exe\"""", ""Description"": ""Service installation event as result of Splashtop Remote Service installation.""}, {""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""SplashtopRemoteService"", 
""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Remote\\\\Server\\\\SRService.exe\"""", ""Description"": ""Service installation event as result of Splashtop Remote Service installation.""}], ""Registry"": [{""Path"": ""KLM\\SOFTWARE\\WOW6432Node\\Splashtop Inc.\\*"", ""Description"": ""Splashtop Inc. registry key""}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Splashtop Software Updater"", ""Description"": ""Splashtop Software Updater uninstall key""}, {""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Services\\SplashtopRemoteService"", ""Description"": ""Splashtop Remote Service registry key""}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Splashtop-Splashtop Streamer-Remote Session/Operational"", ""Description"": ""Splashtop Streamer Remote Session event log channel""}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Splashtop-Splashtop Streamer-Status/Operational"", ""Description"": ""Splashtop Streamer Status event log channel""}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Splashtop Software Updater\\InstallRefCount"", ""Description"": ""Splashtop Software Updater install reference count""}, {""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\SplashtopRemoteService"", ""Description"": ""Splashtop Remote Service safe boot configuration""}, {""Path"": ""HKU\\.DEFAULT\\Software\\Splashtop Inc.\\*"", ""Description"": ""Default user Splashtop Inc. registry key""}, {""Path"": ""HKU\\SID\\Software\\Splashtop Inc.\\*"", ""Description"": ""User-specific Splashtop Inc. 
registry key""}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\Splashtop PDF Remote Printer"", ""Description"": ""Splashtop PDF Remote Printer configuration""}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Splashtop Inc.\\Splashtop Remote Server\\ClientInfo\\*"", ""Description"": ""Splashtop Remote Server client information""}], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""*.splashtop.com""], ""Ports"": [""N/A""]}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of Splashtop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_network_sigma.yml"", ""Description"": ""Detects potential network activity of Splashtop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_files_sigma.yml"", ""Description"": ""Detects potential files activity of Splashtop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Splashtop RMM tool""}]",https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html,"[{""Person"": ""Th\u00e9o Letailleur"", ""Handle"": ""in/theosyn""}]" +ManageEngine RMM Central,,ManageEngine RMM Central is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""manageengine.com/remote-monitoring-management/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manageengine_rmm_central_network_sigma.yml"", ""Description"": ""Detects potential network activity of ManageEngine RMM Central RMM tool""}]",,[] +AeroAdmin,,AeroAdmin is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"aeroadmin.exe, AeroAdmin.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""auth*.aeroadmin.com"", ""aeroadmin.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aeroadmin_network_sigma.yml"", ""Description"": ""Detects potential network activity of AeroAdmin RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aeroadmin_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of AeroAdmin RMM tool""}]",https://support.aeroadmin.com/kb/faq.php?id=58,[] +Microsoft TSC,,Microsoft TSC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"termsrv.exe, mstsc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_tsc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Microsoft TSC RMM tool""}]",https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/terminal-server-startup-connection-application,[] +AweRay (AweSun),,AweRay (AweSun) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"aweray_remote*.exe, AweSun.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""asapi-us.aweray.net"", ""asapi.aweray.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray__awesun__network_sigma.yml"", ""Description"": ""Detects potential network activity of AweRay (AweSun) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray__awesun__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of AweRay (AweSun) RMM tool""}]",,[] +NoMachine,,NoMachine is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"nomachine*.exe, nxservice*.ese, nxd.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""nomachine.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nomachine_network_sigma.yml"", ""Description"": ""Detects potential network activity of NoMachine RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nomachine_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NoMachine RMM tool""}]",https://kb.nomachine.com/AR04S01122,[] +UltraVNC,,UltraVNC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,UltraVNC*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""ultravnc.com"", ""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultravnc_network_sigma.yml"", ""Description"": ""Detects potential network activity of UltraVNC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultravnc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of UltraVNC RMM tool""}]",https://uvnc.com/docs/uvnc-server/49-UltraVNC-server-configuration.html,[] +TeraCLOUD,,TeraCLOUD is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"c:\*\TeraCloud.Client*, *\TeraCloud.Client*, *\Livedrive-Setup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teracloud_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of TeraCLOUD RMM tool""}]",,[] +Instant Housecall,,Instant Housecall is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"hsloader.exe, ihcserver.exe, instanthousecall.exe, instanthousecall.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.instanthousecall.com"", ""*.instanthousecall.net"", ""instanthousecall.com"", ""secure.instanthousecall.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_network_sigma.yml"", ""Description"": ""Detects potential network activity of Instant Housecall RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Instant Housecall RMM tool""}]",https://instanthousecall.com/features/,[] NinjaRMM,,NinjaRMM is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"ninjarmmagent.exe, NinjaRMMAgent.exe, NinjaRMMAgenPatcher.exe, ninjarmm-cli.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.ninjarmm.com"", ""*.ninjaone.com"", ""resources.ninjarmm.com"", ""ninjaone.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ninjarmm_network_sigma.yml"", ""Description"": ""Detects potential network activity of NinjaRMM RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ninjarmm_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NinjaRMM RMM tool""}]",https://www.ninjaone.com/faq/,[] -CloudXplorer,,CloudXplorer is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\ClumsyLeaf Software\CloudXplorer\*, *\ClumsyLeaf Software\CloudXplorer\*, *\clumsyleaf.cloudxplorer*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudxplorer_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of CloudXplorer RMM tool""}]",,[] -CruzControl,,CruzControl is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],https://resources.doradosoftware.com/cruz-rmm,[] -SimpleHelp,,SimpleHelp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"simplehelpcustomer.exe, simpleservice.exe, simplegatewayservice.exe, remote access.exe, windowslauncher.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""simple-help.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/simplehelp_network_sigma.yml"", ""Description"": ""Detects potential network activity of SimpleHelp RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/simplehelp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SimpleHelp RMM tool""}]",https://simple-help.com/remote-support,[] -EMCO Remote Console,,EMCO Remote Console is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,remoteconsole.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""emcosoftware.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/emco_remote_console_network_sigma.yml"", ""Description"": ""Detects potential network activity of EMCO Remote Console RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/emco_remote_console_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of EMCO Remote Console RMM tool""}]",,[] ngrok,,ngrok is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"ngrok.exe, C:\*\ngrok.zip, *\ngrok*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""ngrok.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ngrok_network_sigma.yml"", ""Description"": ""Detects potential network activity of ngrok RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ngrok_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ngrok RMM tool""}]",https://ngrok.com/docs/guides/running-behind-firewalls/,[] -Apple Remote Desktop,,Apple Remote Desktop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/24/2024,,,,,,,,,,,,ARDAgent.app,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/apple_remote_desktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of Apple Remote Desktop RMM tool""}]",https://support.apple.com/guide/remote-desktop/install-and-set-up-remote-desktop-apdf49e03a4/mac,[] -Netviewer (GoToMeet),,Netviewer (GoToMeet) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"nvClient.exe, netviewer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer__gotomeet__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Netviewer (GoToMeet) RMM tool""}]",Obsolute - found copy here: https://www.enviolet.com/en/service/online-consultant.html,[] -NoMachine,,NoMachine is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"nomachine*.exe, nxservice*.ese, nxd.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""nomachine.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nomachine_network_sigma.yml"", ""Description"": ""Detects potential network activity of NoMachine RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nomachine_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NoMachine RMM tool""}]",https://kb.nomachine.com/AR04S01122,[] -MioNet (WD Anywhere Access),,MioNet (WD Anywhere Access) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"mionet.exe, mionetmanager.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mionet__wd_anywhere_access__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MioNet (WD Anywhere Access) RMM tool""}]",https://en.wikipedia.org/wiki/WD_Anywhere_Access - DOA as of 2016,[] -Splashtop,,Splashtop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,Nasreddine Bencherchali,,,,,,,,,,,,,,"C:\Program Files (x86)\Splashtop\*, *\Splashtop\Splashtop Remote\Client for RMM\*, strwinclt.exe","{""Disk"": [{""File"": ""C:\\windows\\System32\\winevt\\Logs\\Splashtop-Splashtop Streamer-Status%4Operational.evtx"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\windows\\System32\\winevt\\Logs\\Splashtop-Splashtop Streamer-Remote Session%4Operational.evtx"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%PROGRAMDATA%\\Splashtop\\Temp\\log\\FTCLog.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\agent_log.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\SPLog.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\svcinfo.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\sysinfo.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRService.exe"", ""Description"": ""Splashtop Remote Service"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRAgent.exe"", ""Description"": ""SplashTop Remote Agent"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Software Updater\\SSUAgent.exe"", ""Description"": ""Splashtop Updater"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRUtility.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRFeature.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files 
(x86)\\Splashtop\\Splashtop Remote\\Server\\db\\SRAgent.sqlite3"", ""Description"": ""N/A"", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""Splashtop Software Updater Service"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Software Updater\\\\SSUService.exe\"""", ""Description"": ""Service installation event as result of Splashtop Software Updater Service installation.""}, {""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""Splashtop\u00ae Remote Service"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Remote\\\\Server\\\\SRService.exe\"""", ""Description"": ""Service installation event as result of Splashtop Remote Service installation.""}, {""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""SplashtopRemoteService"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Remote\\\\Server\\\\SRService.exe\"""", ""Description"": ""Service installation event as result of Splashtop Remote Service installation.""}], ""Registry"": [{""Path"": ""KLM\\SOFTWARE\\WOW6432Node\\Splashtop Inc.\\*"", ""Description"": ""Splashtop Inc. 
registry key""}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Splashtop Software Updater"", ""Description"": ""Splashtop Software Updater uninstall key""}, {""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Services\\SplashtopRemoteService"", ""Description"": ""Splashtop Remote Service registry key""}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Splashtop-Splashtop Streamer-Remote Session/Operational"", ""Description"": ""Splashtop Streamer Remote Session event log channel""}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Splashtop-Splashtop Streamer-Status/Operational"", ""Description"": ""Splashtop Streamer Status event log channel""}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Splashtop Software Updater\\InstallRefCount"", ""Description"": ""Splashtop Software Updater install reference count""}, {""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\SplashtopRemoteService"", ""Description"": ""Splashtop Remote Service safe boot configuration""}, {""Path"": ""HKU\\.DEFAULT\\Software\\Splashtop Inc.\\*"", ""Description"": ""Default user Splashtop Inc. registry key""}, {""Path"": ""HKU\\SID\\Software\\Splashtop Inc.\\*"", ""Description"": ""User-specific Splashtop Inc. 
registry key""}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\Splashtop PDF Remote Printer"", ""Description"": ""Splashtop PDF Remote Printer configuration""}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Splashtop Inc.\\Splashtop Remote Server\\ClientInfo\\*"", ""Description"": ""Splashtop Remote Server client information""}], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""*.splashtop.com""], ""Ports"": [""N/A""]}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of Splashtop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_network_sigma.yml"", ""Description"": ""Detects potential network activity of Splashtop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_files_sigma.yml"", ""Description"": ""Detects potential files activity of Splashtop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Splashtop RMM tool""}]",https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html,"[{""Person"": ""Th\u00e9o Letailleur"", ""Handle"": ""in/theosyn""}]" -RAdmin,,"RAdmin is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. 
-",Nasreddine Bencherchali,2024-08-05,2024-08-05,https://www.radmin.com/,RServer3.exe,RServer3.exe,Radmin Server,Radmin Server,,,,Windows,,,"C:\Program Files (x86)\Radmin Viewer 3\Radmin.exe, C:\Windows\SysWOW64\rserver30\rserver3.exe, C:\Windows\SysWOW64\rserver30\FamItrfc, C:\Windows\SysWOW64\rserver30\FamItrf2","{""Disk"": [{""File"": ""C:\\Windows\\SysWOW64\\rserver30\\Radm_log.htm"", ""Description"": ""RAdmin log file (32-bit)"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\System32\\rserver30\\Radm_log.htm"", ""Description"": ""RAdmin log file (64-bit)"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\System32\\rserver30\\CHATLOGS\\*\\*.htm"", ""Description"": ""RAdmin chat logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Users\\*\\Documents\\ChatLogs\\*\\*.htm"", ""Description"": ""RAdmin user chat logs"", ""OS"": ""Windows""}], ""EventLog"": [], ""Registry"": [{""Path"": ""HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Radmin\\v3.0\\Server\\Parameters\\Radmin Security"", ""Description"": ""N/A""}], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""radmin.com""], ""Ports"": [443]}]}","[{""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_pua_radmin.yml"", ""Description"": ""PUA - Radmin Viewer Utility Execution""}, {""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml"", ""Description"": ""Enumeration for 3rd Party Creds From CLI""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of RAdmin RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_network_sigma.yml"", ""Description"": ""Detects potential network activity of RAdmin RMM tool""}, {""Sigma"": 
""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_files_sigma.yml"", ""Description"": ""Detects potential files activity of RAdmin RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RAdmin RMM tool""}]","https://radmin-club.com/radmin/how-to-establish-a-connection-outside-of-lan/, https://helpdesk.radmin.com/radmin3help/, https://helpdesk.radmin.com/radmin3help/files/viewercmd.htm, https://helpdesk.radmin.com/radmin3help/files/cmd.htm","[{""Person"": ""Nasreddine Bencherchali"", ""Handle"": ""@nas_bench""}]" -LANDesk,,LANDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"issuser.exe, landeskagentbootstrap.exe, LANDeskPortalManager.exe, ldinv32.exe, ldsensors.exe, C:\Program Files (x86)\LANDesk\*, *\LANDesk\*, *\issuser.exe, *\softmon.exe, *\tmcsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.ivanticloud.com"", ""*.ivanti.com"", ""ivanti.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/landesk_network_sigma.yml"", ""Description"": ""Detects potential network activity of LANDesk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/landesk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of LANDesk RMM tool""}]",https://forums.ivanti.com/s/article/URL-exception-list-for-Ivanti-Security-Controls?language=en_US,[] -SuperOps,,SuperOps is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"superopsticket.exe, superops.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.superopsbeta.com"", ""superops.ai"", ""serv.superopsalpha.com"", ""*.superops.ai"", ""*.superopsalpha.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superops_network_sigma.yml"", ""Description"": ""Detects potential network activity of SuperOps RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superops_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SuperOps RMM tool""}]",https://support.superops.com/en/articles/6632028-how-to-download-and-deploy-the-agent,[] -Lite Manager,,Lite Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\LiteManager Pro – Viewer\*, *\LiteManager Pro – Viewer\*, *\LMNoIpServer.exe.","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Raidrive,,Raidrive is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\OpenBoxLab\RaiDrive\*, *\OpenBoxLab\RaiDrive\*, service = raidrive_*, Computer\HKEY_LOCAL_MACHINE\SOFTWARE\OpenBoxLab\RaiDrive\Drives","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Datto,,Datto is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""datto.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/datto_network_sigma.yml"", ""Description"": ""Detects potential network activity of Datto RMM tool""}]",,[] -Supremo,,Supremo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/13/2024,,,,,,,,,,,,"supremo.exe, supremoservice.exe, supremosystem.exe, supremohelper.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""supremocontrol.com"", ""*.supremocontrol.com"", ""* .nanosystems.it""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/supremo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Supremo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/supremo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Supremo RMM tool""}]",https://www.supremocontrol.com/frequently-asked-questions/,[] -Chicken (of the VNC),,Chicken (of the VNC) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Quick Assist,,Quick Assist is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,quickassist.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quick_assist_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Quick Assist RMM tool""}]",,[] -KHelpDesk,,KHelpDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,KHelpDesk.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.khelpdesk.com.br""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/khelpdesk_network_sigma.yml"", ""Description"": ""Detects potential network activity of KHelpDesk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/khelpdesk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of KHelpDesk RMM tool""}]",https://www.khelpdesk.com.br/en-us,[] -TurboMeeting,,TurboMeeting is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"pcstarter.exe, turbomeeting.exe, turbomeetingstarter.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""acceo.com/turbomeeting/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/turbomeeting_network_sigma.yml"", ""Description"": ""Detects potential network activity of TurboMeeting RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/turbomeeting_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of TurboMeeting RMM tool""}]",http://sourcing.rhubcom.com/v5/faqs.html#collapsetwentysix2-topdiv,[] -RPort,,RPort is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,rport.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""rport.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rport_network_sigma.yml"", ""Description"": ""Detects potential network activity of RPort RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rport_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RPort RMM tool""}]",https://kb.rport.io/using-the-remote-access,[] -CloudBerry Explorer,,CloudBerry Explorer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\CloudBerryLab\CloudBerry Drive\*, *\CloudBerryLab\CloudBerry Drive\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -ExpanDrive,,ExpanDrive is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\*\ExpanDrive.exe, *\ExpanDrive.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/expandrive_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ExpanDrive RMM tool""}]",,[] -MioNet (Also known as WD Anywhere Access),,MioNet (Also known as WD Anywhere Access) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"mionet.exe, mionetmanager.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mionet__also_known_as_wd_anywhere_access__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MioNet (Also known as WD Anywhere Access) RMM tool""}]",,[] -OCS inventory,,OCS inventory is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"ocsinventory.exe, ocsservice.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""ocsinventory-ng.org""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ocs_inventory_network_sigma.yml"", ""Description"": ""Detects potential network activity of OCS inventory RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ocs_inventory_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of OCS inventory RMM tool""}]",https://ocsinventory-ng.org/?page_id=878&lang=en,[] -RemotePass,,RemotePass is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"remotepass-access.exe, rpaccess.exe, rpwhostscr.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""remotepass.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepass_network_sigma.yml"", ""Description"": ""Detects potential network activity of RemotePass RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepass_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RemotePass RMM tool""}]",https://www.remotepass.com/rpaccess.html - DOA as of 2024,[] Air Explorer,,Air Explorer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\airexplorer\*, *\airexplorer\*, *\airexplorer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/air_explorer_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Air Explorer RMM tool""}]",,[] -GoToAssist (GoTo Resolve),,GoToAssist (GoTo Resolve) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\ProgramFiles*\GoTo Machine Installer\*, *\GoTo Machine Installer\*, *\GoTo\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Comodo RMM,,Comodo RMM is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"itsmagent.exe, rviewer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.itsm-us1.comodo.com"", ""*mdmsupport.comodo.com"", ""one.comodo.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/comodo_rmm_network_sigma.yml"", ""Description"": ""Detects potential network activity of Comodo RMM RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/comodo_rmm_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Comodo RMM RMM tool""}]","https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html",[] -ShowMyPC,,ShowMyPC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"SMPCSetup.exe, showmypc*.exe, showmypc.exe, smpcsetup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.showmypc.com"", ""showmypc.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/showmypc_network_sigma.yml"", ""Description"": ""Detects potential network activity of ShowMyPC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/showmypc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ShowMyPC RMM tool""}]",https://showmypc.com/service/faq/ShowMyPCSecurityOverview1.pdf,[] -ToDesk,,ToDesk is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"todesk.exe, ToDesk_Service.exe, ToDesk_Setup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""todesk.com"", ""*.todesk.com"", ""*.todesk.com"", ""todesktop.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/todesk_network_sigma.yml"", ""Description"": ""Detects potential network activity of ToDesk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/todesk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ToDesk RMM tool""}]",https://www.todesk.com/,[] -RunSmart,,RunSmart is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""runsmart.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/runsmart_network_sigma.yml"", ""Description"": ""Detects potential network activity of RunSmart RMM tool""}]",,[] -VNC Connect,,VNC Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\RealVNC\VNC Server\*, *\RealVNC\VNC Server\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Echoware,,Echoware is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"echoserver*.exe, echoware.dll","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/echoware_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Echoware RMM tool""}]",,[] -Alpemix,,"Alpemix is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. -",Nasreddine Bencherchali,2024-08-05,2024-08-05,https://www.alpemix.com/en/Home,Alpemix.exe,Alpemix,Alpemix,Alpemix,,,,"Windows, Linux, Android, Mac, IOS","5 Different Solutions for Remote Support, Access to Unattended Computers, Access to User Account Control (UAC) Screens, Add Your Own Logo, Auto Sizing, Automatic Update, Clipboard Transfer, Computer Independent Licensing, Contact List and Groups, Encrypted Communication, External Communication Barrier, File Transfer, Instant Messaging, Multi-Platform Support, Multiple Chat, Multiple Connections, No Port Forwarding Required, Peer to Peer Connection (p2p), Receiving Offline Message, Remote Restart, ReportingRestricting The Authority, Screen Sharing, Sending Announcement Message, Sharing a certain part of the screen, Video Recording, Voice Communication, Who is currently supporting?, Working in Black Screen Mode",,"C:\AlpemixService.exe, C:\AlpemixSrvc\","{""Disk"": [{""File"": ""%localappdata%\\Alpemix\\Alpemix.ini"", ""Description"": ""N/A"", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""AlpemixSrvc"", ""ImagePath"": ""*\\Alpemix.exe servicestartxxx"", ""Description"": ""Service installation event as result of Alpemix installation.""}], ""Registry"": [{""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Services\\AlpemixSrvcx"", ""Description"": ""N/A""}], ""Network"": [{""Description"": ""N/A"", ""Domains"": 
[""*.alpemix.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.teknopars.com""], ""Ports"": [80]}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of Alpemix RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_network_sigma.yml"", ""Description"": ""Detects potential network activity of Alpemix RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_files_sigma.yml"", ""Description"": ""Detects potential files activity of Alpemix RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Alpemix RMM tool""}]",https://www.alpemix.com/en/remote-access,"[{""Person"": ""Nasreddine Bencherchali"", ""Handle"": ""@nas_bench""}]" -Royal TS,,Royal TS is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,royalts.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""royalapps.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_ts_network_sigma.yml"", ""Description"": ""Detects potential network activity of Royal TS RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_ts_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Royal TS RMM tool""}]",,[] -DragonDisk,,DragonDisk is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Almageste\DragonDisk\*, *\Almageste\DragonDisk\*, *\DragonDisk.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dragondisk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DragonDisk RMM tool""}]",,[] -Pcvisit,,Pcvisit is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"pcvisit.exe, pcvisit_client.exe, pcvisit-easysupport.exe, pcvisit_service_client.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.pcvisit.de"", ""pcvisit.de""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcvisit_network_sigma.yml"", ""Description"": ""Detects potential network activity of Pcvisit RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcvisit_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pcvisit RMM tool""}]",https://www.pcvisit.de/,[] -Connectwise Automate (LabTech),,Connectwise Automate (LabTech) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"ltsvc.exe, ltsvcmon.exe, lttray.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.hostedrmm.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_automate__labtech__network_sigma.yml"", ""Description"": ""Detects potential network activity of Connectwise Automate (LabTech) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_automate__labtech__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Connectwise Automate (LabTech) RMM tool""}]",https://www.connectwise.com/company/announcements/labtech-now-connectwise-automate,[] +Bitvise SSH Client,,Bitvise SSH Client is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Bitvise SSH Client\*, *\Bitvise SSH Client\*, *\BvSshClient-Inst.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bitvise_ssh_client_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Bitvise SSH Client RMM tool""}]",,[] +Chicken (of the VNC),,Chicken (of the VNC) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +SkyFex,,SkyFex is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"Deskroll.exe, DeskRollUA.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""skyfex.com"", ""deskroll.com"", ""*.deskroll.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/skyfex_network_sigma.yml"", ""Description"": ""Detects potential network activity of SkyFex RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/skyfex_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SkyFex RMM tool""}]",https://skyfex.com/,[] +Ericom AccessNow,,Ericom AccessNow is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"accessserver*.exe, accessserver.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""ericom.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_accessnow_network_sigma.yml"", ""Description"": ""Detects potential network activity of Ericom AccessNow RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_accessnow_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Ericom AccessNow RMM tool""}]",https://www.ericom.com/connect-accessnow/,[] +Microsoft RDP,,Microsoft RDP is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,mstsc.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_rdp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Microsoft RDP RMM tool""}]",https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/windows,[] +Royal Server,,Royal Server is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""royalapps.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_server_network_sigma.yml"", ""Description"": ""Detects potential network activity of Royal Server RMM tool""}]",,[] +Solar-PuTTY,,Solar-PuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\Solar-Putty-v4\*, *\Solar-Putty-v4\*, *\Solar-PuTTY.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/solar-putty_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Solar-PuTTY RMM tool""}]",,[] +Duplicati,,Duplicati is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"c:\Program Files\*\Duplicati.Server.exe, *\*\Duplicati.Server.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/duplicati_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Duplicati RMM tool""}]",,[] +Remote Desktop Plus,,Remote Desktop Plus is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,rdp.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""donkz.nl""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_desktop_plus_network_sigma.yml"", ""Description"": ""Detects potential network activity of Remote Desktop Plus RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_desktop_plus_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remote Desktop Plus RMM tool""}]",https://www.donkz.nl/,[] +ITSupport247 (ConnectWise),,ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,saazapsc.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.itsupport247.net"", ""itsupport247.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__network_sigma.yml"", ""Description"": ""Detects potential network activity of ITSupport247 (ConnectWise) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ITSupport247 (ConnectWise) RMM tool""}]",https://control.itsupport247.net/,[] +GoodSync,,GoodSync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"installation requires paid version of GoodSync Server, installation requires paid version of GoodSync Server, GoodSync-vsub-Setup.exe, A40B81B36CDC2D24910FC58816E50DCDE21BD1A9","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/goodsync_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of GoodSync RMM tool""}]",,[] +DesktopNow,,DesktopNow is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,desktopnow.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.nchuser.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktopnow_network_sigma.yml"", ""Description"": ""Detects potential network activity of DesktopNow RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktopnow_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DesktopNow RMM tool""}]",https://forums.ivanti.com/s/article/Network-Ports-used-by-Environment-Manager?language=en_US,[] +Remmina,,Remmina is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +CloudMounter,,CloudMounter is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\CloudMounter\*, *\CloudMounter\*, *\CloudMounter\*, *\cloudmounter.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudmounter_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of CloudMounter RMM tool""}]",,[] +Distant Desktop,,Distant Desktop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"distant-desktop.exe, dd.exe, ddsystem.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.distantdesktop.com"", ""*signalserver.xyz""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of Distant Desktop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Distant Desktop RMM tool""}]",https://www.distantdesktop.com/manual/first-start.htm,[] DameWare,,DameWare is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"SolarWinds-Dameware-DRS*.exe, DameWare Mini Remote Control*.exe, C:\Windows\dwrcs\* c:\Program File\SolarWinds\Dameware Mini Remote Control\*, dwrcs.exe, *\dwrcs\*, *\dwrcst.exe, DameWare Remote Support.exe, SolarWinds-Dameware-MRC*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DameWare RMM tool""}]",https://documentation.solarwinds.com/en/success_center/dameware/content/install-standalone-port-requirements.htm,[] -Onionshare,,Onionshare is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\OnionShare\*, *\OnionShare\*, *\onionshare*.exe, OnionShare-win*.msi","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/onionshare_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Onionshare RMM tool""}]",,[] -Tailscale,,Tailscale is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"tailscale-*.exe, tailscaled.exe, tailscale-ipn.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.tailscale.com"", ""*.tailscale.io"", ""tailscale.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tailscale_network_sigma.yml"", ""Description"": ""Detects potential network activity of Tailscale RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tailscale_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Tailscale RMM tool""}]",https://tailscale.com/kb/1023/troubleshooting,[] -Senso.cloud,,Senso.cloud is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"SensoClient.exe, SensoService.exe, aadg.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.senso.cloud"", ""senso.cloud""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/senso.cloud_network_sigma.yml"", ""Description"": ""Detects potential network activity of Senso.cloud RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/senso.cloud_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Senso.cloud RMM tool""}]",https://support.senso.cloud/support/solutions/articles/79000116305-firewall-and-content-filter-configuration,[] -Proton Drive,,Proton Drive is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -UltraViewer,,UltraViewer is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"UltraViewer_Service.exe, UltraViewer_setup*, UltraViewer_Desktop.exe, ultraviewer.exe, C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe, *\UltraViewer\, *\UltraViewer_Desktop.exe, ultraviewer_desktop.exe, ultraviewer_service.exe, UltraViewer_Desktop.exe, UltraViewer_setup*, UltraViewer_Service.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""* .ultraviewer.net"", ""ultraviewer.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultraviewer_network_sigma.yml"", ""Description"": ""Detects potential network activity of UltraViewer RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultraviewer_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of UltraViewer RMM tool""}]",https://www.ultraviewer.net/en/200000026-summary-of-ultraviewer-s-security-information.html,[] -KickIdler,,KickIdler is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"grabberEM.*msi, grabberTT*.msi","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""kickidler.com"", ""my.kickidler.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kickidler_network_sigma.yml"", ""Description"": ""Detects potential network activity of KickIdler RMM tool""}]",https://www.kickidler.com/for-it/faq/,[] -Remmina,,Remmina is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -eHorus,,eHorus is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,ehorus standalone.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""ehorus.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ehorus_network_sigma.yml"", ""Description"": ""Detects potential network activity of eHorus RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ehorus_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of eHorus RMM tool""}]",,[] -Quick Assist,,Quick Assist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,quickassist.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.support.services.microsoft.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quick_assist_network_sigma.yml"", ""Description"": ""Detects potential network activity of Quick Assist RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quick_assist_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Quick Assist RMM tool""}]",,[] -N-Able Advanced Monitoring Agent,,N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"Agent_*_RW.exe, BASEClient.exe, BASupApp.exe, BASupSrvc.exe, BASupSrvcCnfg.exe, BASupTSHelper.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*remote.management"", ""*.logicnow.com"", ""*systemmonitor.us"", ""*systemmonitor.eu.com"", ""*system-monitor.com"", ""systemmonitor.us.cdn.cloudflare.net"", ""*cloudbackup.management"", ""*systemmonitor.co.uk"", ""*.n-able.com"", ""*.beanywhere.com "", ""*.swi-tc.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_network_sigma.yml"", ""Description"": ""Detects potential network activity of N-Able Advanced Monitoring Agent RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of N-Able Advanced Monitoring Agent RMM tool""}]",https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm,[] -KiTTY,,KiTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\kitty.exe, *\kitty.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kitty_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of KiTTY RMM tool""}]",,[] -AweRay (AweSun),,AweRay (AweSun) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"aweray_remote*.exe, AweSun.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""asapi-us.aweray.net"", ""asapi.aweray.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray__awesun__network_sigma.yml"", ""Description"": ""Detects potential network activity of AweRay (AweSun) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray__awesun__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of AweRay (AweSun) RMM tool""}]",,[] -FleetDeck,,FleetDeck is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,fleetdeck_agent_svc.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""fleetdeck.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdeck_network_sigma.yml"", ""Description"": ""Detects potential network activity of FleetDeck RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdeck_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of FleetDeck RMM tool""}]",,[] -TeleDesktop,,TeleDesktop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"pstlaunch.exe, ptdskclient.exe, ptdskhost.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""tele-desk.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teledesktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of TeleDesktop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teledesktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of TeleDesktop RMM tool""}]",http://potomacsoft.com/ - DOA as of 2024,[] -Remote Utilities,,Remote Utilities is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rutview.exe, rutserv.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.internetid.ru""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_utilities_network_sigma.yml"", ""Description"": ""Detects potential network activity of Remote Utilities RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_utilities_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remote Utilities RMM tool""}]",https://www.remoteutilities.com/download/,[] -Cloud Explorer,,Cloud Explorer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -NetSupport Manager,,NetSupport Manager is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"pcictlui.exe, pcicfgui.exe, client32.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.netsupportmanager.com"", ""netsupportmanager.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_network_sigma.yml"", ""Description"": ""Detects potential network activity of NetSupport Manager RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NetSupport Manager RMM tool""}]",https://www.netsupportmanager.com/resources/,[] -GotoHTTP,,GotoHTTP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"GotoHTTP_x64.exe, gotohttp.exe, GotoHTTP*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.gotohttp.com"", ""gotohttp.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotohttp_network_sigma.yml"", ""Description"": ""Detects potential network activity of GotoHTTP RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotohttp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of GotoHTTP RMM tool""}]",https://gotohttp.com/goto/help.12x,[] -RemoteUtilities,,RemoteUtilities is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"rutview.exe, *\Remote Manipulator System - Server\*, C:\Program Files\Remote Utilities\*, *\Remote Utilities\*, rutserv.exe, *\rutserv.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""remoteutilities.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteutilities_network_sigma.yml"", ""Description"": ""Detects potential network activity of RemoteUtilities RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteutilities_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RemoteUtilities RMM tool""}]",,[] -GoToMyPC,,"GoToMyPC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. -",Nasreddine Bencherchali,2024-08-05,2024-08-05,,AppCore.exe,,,,,,,,,,C:\Program Files (x86)\GoToMyPC\*,"{""Disk"": [{""File"": ""%AppData%\\GoTo\\Logs\\goto.log"", ""Description"": ""N/A"", ""OS"": ""Windows""}], ""EventLog"": [], ""Registry"": [{""Path"": ""HKEY_LOCAL_MACHINE\\WOW6432Node\\Citrix\\GoToMyPc"", ""Description"": ""Configuration settings including registration email""}, {""Path"": ""HKEY_LOCAL_MACHINE\\WOW6432Node\\Citrix\\GoToMyPc\\GuestInvite"", ""Description"": ""Guest invites send to connect""}, {""Path"": ""HKEY_CURRENT_USER\\SOFTWARE\\Citrix\\GoToMyPc\\FileTransfer\\history"", ""Description"": ""hostname of the computer making connections and location of transferred files""}, {""Path"": ""HKEY_USERS\\\\SOFTWARE\\Citrix\\GoToMyPc\\FileTransfer\\history"", ""Description"": ""hostname of the computer making connections and location of transferred files""}], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""*.GoToMyPC.com""], ""Ports"": [""N/A""]}]}","[{""Sigma"": 
""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of GoToMyPC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_network_sigma.yml"", ""Description"": ""Detects potential network activity of GoToMyPC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_files_sigma.yml"", ""Description"": ""Detects potential files activity of GoToMyPC RMM tool""}]","https://support.logmeininc.com/gotomypc/help/what-are-the-optimal-firewall-configurations#, https://support.goto.com/training/help/how-do-i-configure-gototraining-to-work-with-firewalls, https://ruler-project.github.io/ruler-project/RULER/remote/Citrix%20GoToMyPC/","[{""Person"": ""Phill Moore"", ""Handle"": ""@phillmoore""}]" -SmartCode Web VNC,,SmartCode Web VNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\TightVNC\*, *\TightVNC\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Seetrol,,Seetrol is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"seetrolcenter.exe, seetrolclient.exe, seetrolmyservice.exe, seetrolremote.exe, seetrolsetting.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""seetrol.co.kr""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/seetrol_network_sigma.yml"", ""Description"": ""Detects potential network activity of Seetrol RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/seetrol_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Seetrol RMM tool""}]",http://www.seetrol.com/en/features/features3.php,[] -RDPView,,RDPView is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,dwrcs.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""systemmanager.ru/dntu.en/rdp_view.htm""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpview_network_sigma.yml"", ""Description"": ""Detects potential network activity of RDPView RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpview_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RDPView RMM tool""}]",systemmanager.ru/dntu.en/rdp_view.htm - Same as Damware,[] -Zoho Assist,,Zoho Assist is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"zaservice.exe, ZMAgent.exe, C:\*\ZA_Access.exe, ZohoMeeting.exe, Zohours.exe, zohotray.exe, ZohoURSService.exe, *\ZA_Access.exe, Zaservice.exe, za_connect.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.zoho.com.au"", ""*.zohoassist.jp"", ""assist.zoho.com"", ""zoho.com/assist/"", ""*.zoho.in"", ""downloads.zohodl.com.cn"", ""*.zohoassist.com"", ""downloads.zohocdn.com"", ""gateway.zohoassist.com"", ""*.zohoassist.com.cn"", ""*.zoho.com.cn"", ""*.zoho.com"", ""*.zoho.eu""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoho_assist_network_sigma.yml"", ""Description"": ""Detects potential network activity of Zoho Assist RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoho_assist_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Zoho Assist RMM tool""}]",https://www.zoho.com/assist/kb/firewall-configuration.html,[] -Xpra,,Xpra is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Xpra\*, *\Xpra\*, *\Xpra-Launcher.exe, *\Xpra-x86_64_Setup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xpra_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Xpra RMM tool""}]",,[] +Level,,Level is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""level.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level_network_sigma.yml"", ""Description"": ""Detects potential network activity of Level RMM tool""}]",,[] +Insync,,Insync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\USERNAME\AppData\Roaming\Insync\App\Insync.exe, *Users\*\AppData\Roaming\Insync\App\Insync.exe, *\Insync.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/insync_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Insync RMM tool""}]",,[] +Bomgar - Now BeyondTrust,,Bomgar - Now BeyondTrust is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +ISL Online,,ISL Online is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"*\ISLLight.exe, isllight.exe, ISLLightClient.exe, C:\Program Files (x86)\ISL Online\ISL Light*, *\ISL Online\ISL Light*, ISLLight.exe, isllightservice.exe, islalwaysonmonitor.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.islonline.com"", ""*.islonline.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_network_sigma.yml"", ""Description"": ""Detects potential network activity of ISL Online RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ISL Online RMM tool""}]",https://help.islonline.com/19818/165940,[] +Remote.it,,Remote.it is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"remote-it-installer.exe, remote.it.exe, remoteit.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""auth.api.remote.it"", ""api.remote.it"", ""remote.it""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote.it_network_sigma.yml"", ""Description"": ""Detects potential network activity of Remote.it RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote.it_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remote.it RMM tool""}]",https://docs.remote.it/introduction/get-started,[] +Core FTP,,Core FTP is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\coreftplite.exe, *\coreftplite.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/core_ftp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Core FTP RMM tool""}]",,[] +Netreo,,Netreo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""charon.netreo.net"", ""activation.netreo.net"", ""*.api.netreo.com"", ""netreo.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netreo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Netreo RMM tool""}]",https://solutions.netreo.com/docs/firewall-requirements,[] +CuteFTP,,CuteFTP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Globalscape\CuteFTP\*, *\Globalscape\CuteFTP\*, *\cuteftppro.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cuteftp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of CuteFTP RMM tool""}]",,[] CloudBuckIt,,CloudBuckIt is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\CloudBuckIt\*, *\CloudBuckIt\*, *\CloudBuckIt*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudbuckit_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of CloudBuckIt RMM tool""}]",,[] +NoteOn-desktop sharing,,NoteOn-desktop sharing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"nateon*.exe, nateon.exe, nateonmain.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/noteon-desktop_sharing_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NoteOn-desktop sharing RMM tool""}]",,[] +Royal TS,,Royal TS is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,royalts.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""royalapps.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_ts_network_sigma.yml"", ""Description"": ""Detects potential network activity of Royal TS RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_ts_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Royal TS RMM tool""}]",,[] DeskNets,,DeskNets is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],https://www.desknets.com/en/download.html,[] -ODrive,,ODrive is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\*\current\, *Users\*\.odrive, *\Odriveapp.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/odrive_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ODrive RMM tool""}]",,[] +QQ IM-remote assistance,,QQ IM-remote assistance is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"qq.exe, QQProtect.exe, qqpcmgr.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.mdt.qq.com"", ""*.desktop.qq.com"", ""upload_data.qq.com"", ""qq-messenger.en.softonic.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/qq_im-remote_assistance_network_sigma.yml"", ""Description"": ""Detects potential network activity of QQ IM-remote assistance RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/qq_im-remote_assistance_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of QQ IM-remote assistance RMM tool""}]",https://en.wikipedia.org/wiki/Tencent_QQ,[] +PuTTY Tray,,PuTTY Tray is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\puttytray.exe, *\puttytray.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/putty_tray_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of PuTTY Tray RMM tool""}]",,[] +FileZilla,,FileZilla is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\FileZilla FTP Client\*, *\FileZilla FTP Client\*, *\FileZilla.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/filezilla_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of FileZilla RMM tool""}]",,[] XRDP,,XRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -ManageEngine,,ManageEngine is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"InstallShield Setup.exe, ManageEngine_Remote_Access_Plus.exe, *\dcagentservice.exe, C:\Program Files (x86)\DesktopCentral_Agent\bin\*, *\DesktopCentral_Agent\bin\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manageengine_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ManageEngine RMM tool""}]",,[] -Impero Connect,,Impero Connect is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,ImperoClientSVC.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""imperosoftware.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/impero_connect_network_sigma.yml"", ""Description"": ""Detects potential network activity of Impero Connect RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/impero_connect_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Impero Connect RMM tool""}]",,[] -Remcos,,Remcos is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,remcos*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remcos_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remcos RMM tool""}]",,[] -PDQ Connect,,PDQ Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,pdq-connect*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""app.pdq.com"", ""cfcdn.pdq.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pdq_connect_network_sigma.yml"", ""Description"": ""Detects potential network activity of PDQ Connect RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pdq_connect_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of PDQ Connect RMM tool""}]",https://connect.pdq.com/hc/en-us/articles/9518992071707-Network-Requirements,[] -Terminals,,Terminals is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Air Live Drive,,Air Live Drive is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\AirLiveDrive\*, *\AirLiveDrive\*, *\AirLiveDrive.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/air_live_drive_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Air Live Drive RMM tool""}]",,[] -Syncro,,Syncro is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/13/2024,,,,,,,,,,,,"Syncro.Installer.exe, Kabuto.App.Runner.exe, Syncro.Overmind.Service.exe, Kabuto.Installer.exe, KabutoSetup.exe, Syncro.Service.exe, Kabuto.Service.Runner.exe, Syncro.App.Runner.exe, SyncroLive.Service.exe, SyncroLive.Agent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""kabuto.io"", ""*.syncromsp.com"", ""*.syncroapi.com"", ""syncromsp.com"", ""servably.com"", ""ld.aurelius.host"", ""app.kabuto.io "", ""*.kabutoservices.com"", ""repairshopr.com"", ""kabutoservices.com"", ""attachments.servably.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncro_network_sigma.yml"", ""Description"": ""Detects potential network activity of Syncro RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncro_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Syncro RMM tool""}]",https://community.syncromsp.com/t/syncro-exceptions-and-allowlists/2004,[] -247ithelp.com (ConnectWise),,247ithelp.com (ConnectWise) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,Remote Workforce Client.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.247ithelp.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/247ithelp.com__connectwise__network_sigma.yml"", ""Description"": ""Detects potential network activity of 247ithelp.com (ConnectWise) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/247ithelp.com__connectwise__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of 247ithelp.com (ConnectWise) RMM tool""}]",Similar / replaced by ScreenConnect,[] -Netviewer,,Netviewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"netviewer*.exe, netviewer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""download.cnet.com/Net-Viewer/3000-2370_4-10034828.html""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer_network_sigma.yml"", ""Description"": ""Detects potential network activity of Netviewer RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Netviewer RMM tool""}]",,[] -Syspectr,,Syspectr is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"oo-syspectr*.exe, OOSysAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""atled.syspectr.com"", ""app.syspectr.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syspectr_network_sigma.yml"", ""Description"": ""Detects potential network activity of Syspectr RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syspectr_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Syspectr RMM tool""}]",https://www.syspectr.com/en/installation-in-a-network,[] -I'm InTouch,,I'm InTouch is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"iit.exe, intouch.exe, I'm InTouch Go Installer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.01com.com"", ""01com.com/imintouch-remote-pc-desktop""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/i'm_intouch_network_sigma.yml"", ""Description"": ""Detects potential network activity of I'm InTouch RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/i'm_intouch_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of I'm InTouch RMM tool""}]",https://www.01com.com/mobile/imintouch-remote-pc-desktop/faqs/remote-access/,[] -aria2,,aria2 is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\ProgramData\CentraStage\AEMAgent\*, *ProgramData\CentraStage\AEMAgent\*, *\Steinberg\Download Assistant\3rd Party\optional\aria2\*, *\aria2c.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aria2_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of aria2 RMM tool""}]",,[] -ISL Light,,ISL Light is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"islalwaysonmonitor.exe, isllight.exe, isllightservice.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""islonline.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_light_network_sigma.yml"", ""Description"": ""Detects potential network activity of ISL Light RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_light_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ISL Light RMM tool""}]",,[] -Mocha VNC Lite,,Mocha VNC Lite is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"This installs a modified VNC and cannot be blocked by path separate from VNC, This installs a modified VNC and cannot be blocked by path separate from VNC, *\RealVNC\VNC4\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Ericom Connect,,Ericom Connect is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"EricomConnectRemoteHost*.exe, ericomconnnectconfigurationtool.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""ericom.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_connect_network_sigma.yml"", ""Description"": ""Detects potential network activity of Ericom Connect RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_connect_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Ericom Connect RMM tool""}]",https://www.ericom.com/connect-accessnow/,[] -Yandex.Disk,,Yandex.Disk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Yandex\*, *\Yandex\*, *\YandexDisk2.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/yandex.disk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Yandex.Disk RMM tool""}]",,[] -LiteManager,,LiteManager is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"lmnoipserver.exe, ROMFUSClient.exe, romfusclient.exe, romviewer.exe, romserver.exe, ROMServer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.litemanager.ru"", ""*.litemanager.com"", ""litemanager.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/litemanager_network_sigma.yml"", ""Description"": ""Detects potential network activity of LiteManager RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/litemanager_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of LiteManager RMM tool""}]",https://www.litemanager.com/articles/LiteManager_remote_access_to_a_desktop_via_the_Internet_or_LAN/,[] -BeAnyWhere,,BeAnyWhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"basuptshelper.exe, basupsrvcupdate.exe, BASupApp.exe, BASupSysInf.exe, BASupAppSrvc.exe, TakeControl.exe, BASupAppElev.exe, basupsrvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""beanywhere.en.uptodown.com/windows"", ""beanywhere.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beanywhere_network_sigma.yml"", ""Description"": ""Detects potential network activity of BeAnyWhere RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beanywhere_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of BeAnyWhere RMM tool""}]",https://www.shouldiremoveit.com/beanywhere-support-service-40908-program.aspx,[] -Jump Cloud,,Jump Cloud is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,JumpCloud*.exe ,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.api.jumpcloud.com"", ""*.assist.jumpcloud.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_cloud_network_sigma.yml"", ""Description"": ""Detects potential network activity of Jump Cloud RMM tool""}]",https://jumpcloud.com/support/understand-remote-assist-agent,[] -Remote Desktop Manager (Devolutions),,Remote Desktop Manager (Devolutions) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -AweRay,,AweRay is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"aweray_remote*.exe, AweSun.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""asapi*.aweray.net"", ""client-api.aweray.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray_network_sigma.yml"", ""Description"": ""Detects potential network activity of AweRay RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of AweRay RMM tool""}]",https://sun.aweray.com/help,[] -Remobo,,Remobo is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"remobo.exe, remobo_client.exe, remobo_tracker.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""remobo.en.softonic.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remobo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Remobo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remobo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remobo RMM tool""}]",https://www.remobo.com - DOA as of 2024,[] -ESET Remote Administrator,,ESET Remote Administrator is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"era.exe, einstaller.exe, ezhelp*.exe, eratool.exe, ERAAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""eset.com/me/business/remote-management/remote-administrator/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_network_sigma.yml"", ""Description"": ""Detects potential network activity of ESET Remote Administrator RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ESET Remote Administrator RMM tool""}]",eset.com/me/business/remote-management/remote-administrator/,[] +FastViewer,,FastViewer is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"fastclient.exe, fastmaster.exe, FastViewer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.fastviewer.com"", ""fastviewer.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fastviewer_network_sigma.yml"", ""Description"": ""Detects potential network activity of FastViewer RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fastviewer_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of FastViewer RMM tool""}]",https://fastviewer.com/demo/EN_FastViewer_Server%20Installation%20Configuration.pdf,[] +Jump Desktop,,Jump Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"jumpclient.exe, jumpdesktop.exe, jumpservice.exe, jumpconnect.exe, jumpupdater.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.jumpdesktop.com"", ""jumpdesktop.com"", ""jumpto.me"", ""*.jumpto.me""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_desktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of Jump Desktop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_desktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Jump Desktop RMM tool""}]",https://support.jumpdesktop.com/hc/en-us/articles/360042490351-Administrators-Guide-For-Jump-Desktop-Connect,[] +pCloud,,pCloud is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\pCloud Drive\, *\pCloud Drive\, *\pCloud.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcloud_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of pCloud RMM tool""}]",,[] +Ivanti Remote Control,,Ivanti Remote Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"IvantiRemoteControl.exe, ArcUI.exe, AgentlessRC.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.ivanticloud.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ivanti_remote_control_network_sigma.yml"", ""Description"": ""Detects potential network activity of Ivanti Remote Control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ivanti_remote_control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Ivanti Remote Control RMM tool""}]",https://rc1.ivanticloud.com/,[] +BeInSync,,BeInSync is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,Beinsync*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.beinsync.net"", ""*.beinsync.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beinsync_network_sigma.yml"", ""Description"": ""Detects potential network activity of BeInSync RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beinsync_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of BeInSync RMM tool""}]",https://en.wikipedia.org/wiki/Phoenix_Technologies,[] +NateOn-desktop sharing,,NateOn-desktop sharing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"nateon*.exe, nateon.exe, nateonmain.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.nate.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nateon-desktop_sharing_network_sigma.yml"", ""Description"": ""Detects potential network activity of NateOn-desktop sharing RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nateon-desktop_sharing_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NateOn-desktop sharing RMM tool""}]",http://rsupport.nate.com/rview/r8/main/index.aspx,[] +Xeox,,Xeox is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"xeox-agent_x64.exe, xeox_service_windows.exe, xeox-agent_*.exe, xeox-agent_x86.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.xeox.com"", ""xeox.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xeox_network_sigma.yml"", ""Description"": ""Detects potential network activity of Xeox RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xeox_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Xeox RMM tool""}]",https://help.xeox.com/knowledge-base/gSuyNfDH6u79M82utnswf2/firewall-settings-xeox-agent-and-integrations/47T7S9tZJ2L1Z2W5gwuXoW,[] +WinSCP,,WinSCP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\IEUser\Downloads\WinSCP-5.21.6-Portable\*, *\WinSCP*Portable\*, *\WinSCP.exe, *\WinSCP\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/winscp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of WinSCP RMM tool""}]",,[] +Desktop Central,,Desktop Central is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,dcagentservice.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""desktopcentral.manageengine.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktop_central_network_sigma.yml"", ""Description"": ""Detects potential network activity of Desktop Central RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktop_central_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Desktop Central RMM tool""}]",,[] +DW Service,,DW Service is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"dwagsvc.exe, dwagent.exe, dwagsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.dwservice.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_network_sigma.yml"", ""Description"": ""Detects potential network activity of DW Service RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DW Service RMM tool""}]",https://news.dwservice.net/dwservice-security-infrastructure/,[] +NTR Remote,,NTR Remote is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,NTRsupportPro_EN.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.ntrsupport.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ntr_remote_network_sigma.yml"", ""Description"": ""Detects potential network activity of NTR Remote RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ntr_remote_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NTR Remote RMM tool""}]",DOA as of 2024,[] +aws-cli,,aws-cli is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\Amazon\AWSCLI\*, *\Amazon\AWSCLI\*, *\AWSCLIV*.msi, *\AWSCLISetup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aws-cli_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of aws-cli RMM tool""}]",,[] +TurboMeeting,,TurboMeeting is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"pcstarter.exe, turbomeeting.exe, turbomeetingstarter.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""acceo.com/turbomeeting/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/turbomeeting_network_sigma.yml"", ""Description"": ""Detects potential network activity of TurboMeeting RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/turbomeeting_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of TurboMeeting RMM tool""}]",http://sourcing.rhubcom.com/v5/faqs.html#collapsetwentysix2-topdiv,[] +RemoteUtilities,,RemoteUtilities is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"rutview.exe, *\Remote Manipulator System - Server\*, C:\Program Files\Remote Utilities\*, *\Remote Utilities\*, rutserv.exe, *\rutserv.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""remoteutilities.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteutilities_network_sigma.yml"", ""Description"": ""Detects potential network activity of RemoteUtilities RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteutilities_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RemoteUtilities RMM tool""}]",,[] BeyondTrust (Bomgar),,BeyondTrust (Bomgar) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"bomgar-scc.exe, bomgar-rdp.exe, bomgar-scc-*.exe, bomgar-pac-*.exe, bomgar-pac.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""bomgarcloud.com"", ""*.bomgarcloud.com"", ""*.beyondtrustcloud.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__network_sigma.yml"", ""Description"": ""Detects potential network activity of BeyondTrust (Bomgar) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of BeyondTrust (Bomgar) RMM tool""}]",https://www.beyondtrust.com/docs/remote-support/getting-started/deployment/cloud/network.htm,[] -Ultra VNC,,Ultra VNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\uvnc bvba\UltraVNC\*, *\uvnc bvba\UltraVNC\*, *\UVNC_Launch.exe, *\winvnc.exe, *\vncviewer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultra_vnc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Ultra VNC RMM tool""}]",,[] -pcAnywhere,,pcAnywhere is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"awhost32.exe, awrem32.exe, pcaquickconnect.exe, winaw32.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcanywhere_network_sigma.yml"", ""Description"": ""Detects potential network activity of pcAnywhere RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcanywhere_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of pcAnywhere RMM tool""}]",https://en.wikipedia.org/wiki/PcAnywhere,[] -Remote.it,,Remote.it is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"remote-it-installer.exe, remote.it.exe, remoteit.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""auth.api.remote.it"", ""api.remote.it"", ""remote.it""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote.it_network_sigma.yml"", ""Description"": ""Detects potential network activity of Remote.it RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote.it_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remote.it RMM tool""}]",https://docs.remote.it/introduction/get-started,[] -Cruz,,Cruz is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""resources.doradosoftware.com/cruz-rmm""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cruz_network_sigma.yml"", ""Description"": ""Detects potential network activity of Cruz RMM tool""}]",,[] -Guacamole,,Guacamole is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,guacd.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""guacamole.apache.org""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/guacamole_network_sigma.yml"", ""Description"": ""Detects potential network activity of Guacamole RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/guacamole_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Guacamole RMM tool""}]",guacamole.apache.org,[] -Addigy,,Addigy is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/27/2024,,,,,,,,,,,,addigy-*.pkg,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""prod.addigy.com"", ""grtmprod.addigy.com"", ""agents.addigy.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/addigy_network_sigma.yml"", ""Description"": ""Detects potential network activity of Addigy RMM tool""}]",https://addigy.com/,[] -AeroAdmin,,AeroAdmin is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"aeroadmin.exe, AeroAdmin.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""auth*.aeroadmin.com"", ""aeroadmin.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aeroadmin_network_sigma.yml"", ""Description"": ""Detects potential network activity of AeroAdmin RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aeroadmin_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of AeroAdmin RMM tool""}]",https://support.aeroadmin.com/kb/faq.php?id=58,[] -FleetDesk.io,,FleetDesk.io is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"fleetdeck_agent_svc.exe, fleetdeck_commander_svc.exe, fleetdeck_installer.exe, fleetdeck_agent.exe, fleetdeck_commander_launcher.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.fleetdeck.io"", ""cognito-idp.us-west-2.amazonaws.com"", ""fleetdeck.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdesk.io_network_sigma.yml"", ""Description"": ""Detects potential network activity of FleetDesk.io RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdesk.io_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of FleetDesk.io RMM tool""}]",https://fleetdeck.io/faq/,[] -Dameware-mini remote control Protocol,,Dameware-mini remote control Protocol is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"dntus*.exe, dwrcs.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""dameware.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware-mini_remote_control_protocol_network_sigma.yml"", ""Description"": ""Detects potential network activity of Dameware-mini remote control Protocol RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware-mini_remote_control_protocol_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Dameware-mini remote control Protocol RMM tool""}]",,[] -Access Remote PC,,Access Remote PC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"rpcgrab.exe, rpcsetup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/access_remote_pc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Access Remote PC RMM tool""}]",,[] -Acronic Cyber Protect (Remotix),,Acronic Cyber Protect (Remotix) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"AcronisCyberProtectConnectQuickAssist*.exe, AcronisCyberProtectConnectAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""cloud.acronis.com"", ""agents*-cloud.acronis.com"", ""gw.remotix.com"", ""connect.acronis.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/acronic_cyber_protect__remotix__network_sigma.yml"", ""Description"": ""Detects potential network activity of Acronic Cyber Protect (Remotix) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/acronic_cyber_protect__remotix__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Acronic Cyber Protect (Remotix) RMM tool""}]",https://kb.acronis.com/content/47189,[] -Instant Housecall,,Instant Housecall is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"hsloader.exe, InstantHousecall.exe, ihcserver.exe, instanthousecall.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.instanthousecall.com"", ""secure.instanthousecall.com"", ""*.instanthousecall.net"", ""instanthousecall.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_network_sigma.yml"", ""Description"": ""Detects potential network activity of Instant Housecall RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Instant Housecall RMM tool""}]",https://instanthousecall.com/features/,[] -SkyFex,,SkyFex is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"Deskroll.exe, DeskRollUA.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""skyfex.com"", ""deskroll.com"", ""*.deskroll.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/skyfex_network_sigma.yml"", ""Description"": ""Detects potential network activity of SkyFex RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/skyfex_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SkyFex RMM tool""}]",https://skyfex.com/,[] -PSEXEC,,PSEXEC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"psexec.exe, psexecsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec_network_sigma.yml"", ""Description"": ""Detects potential network activity of PSEXEC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of PSEXEC RMM tool""}]",https://learn.microsoft.com/en-us/sysinternals/downloads/psexec,[] -MSP360,,MSP360 is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"Online Backup.exe, CBBackupPlan.exe, Cloud.Backup.Scheduler.exe, Cloud.Backup.RM.Service.exe, cbb.exe, CloudRaService.exe, CloudRaSd.exe, CloudRaCmd.exe, CloudRaUtilities.exe, Remote Desktop.exe, Connect.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.cloudberrylab.com"", ""*.msp360.com"", ""*.mspbackups.com"", ""msp360.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/msp360_network_sigma.yml"", ""Description"": ""Detects potential network activity of MSP360 RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/msp360_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MSP360 RMM tool""}]",https://kb.msp360.com/managed-backup-service/mbs-tcp-ports-configuration#,[] -SecureCRT,,SecureCRT is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\SecureCRT.EXE, *\SecureCRT.EXE, *\VanDyke Software\ClientPack\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/securecrt_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SecureCRT RMM tool""}]",,[] -VNC,,VNC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"winvnc*.exe, vncserver.exe, winwvc.exe, winvncsc.exe, vncserverui.exe, vncviewer.exe, winvnc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""realvnc.com/en/connect/download/vnc""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/vnc_network_sigma.yml"", ""Description"": ""Detects potential network activity of VNC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/vnc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of VNC RMM tool""}]",https://realvnc.com/en/connect/download/vnc,[] +Pulseway,,Pulseway is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"PCMonitorManager.exe, pcmonitorsrv.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""pulseway.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pulseway_network_sigma.yml"", ""Description"": ""Detects potential network activity of Pulseway RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pulseway_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pulseway RMM tool""}]",https://intercom.help/pulseway/en/,[] Panorama9,,Panorama9 is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,p9agent*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""trusted.panorama9.com"", ""changes.panorama9.com"", ""panorama9.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/panorama9_network_sigma.yml"", ""Description"": ""Detects potential network activity of Panorama9 RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/panorama9_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Panorama9 RMM tool""}]",https://support.panorama9.com/en/articles/1859605-what-ports-and-hosts-does-the-p9-agent-communicate-with,[] -FixMe,,FixMe is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"FixMeit Client.exe, TiExpertStandalone.exe, FixMeitClient*.exe, TiExpertCore.exe, FixMeit Unattended Access Setup.exe, FixMeit Expert Setup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""fixme.it""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme_network_sigma.yml"", ""Description"": ""Detects potential network activity of FixMe RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of FixMe RMM tool""}]",,[] -ISL Online,,ISL Online is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"*\ISLLight.exe, isllight.exe, ISLLightClient.exe, C:\Program Files (x86)\ISL Online\ISL Light*, *\ISL Online\ISL Light*, ISLLight.exe, isllightservice.exe, islalwaysonmonitor.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.islonline.com"", ""*.islonline.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_network_sigma.yml"", ""Description"": ""Detects potential network activity of ISL Online RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ISL Online RMM tool""}]",https://help.islonline.com/19818/165940,[] -RES Automation Manager,,RES Automation Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"wisshell*.exe, wmc.exe, wmc_deployer.exe, wmcsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""ivanti.com/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/res_automation_manager_network_sigma.yml"", ""Description"": ""Detects potential network activity of RES Automation Manager RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/res_automation_manager_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RES Automation Manager RMM tool""}]",https://forums.ivanti.com/s/article/INFO-Which-ports-does-Ivanti-Automation-use?language=en_US&ui-force-components-controllers-recordGlobalValueProvider.RecordGvp.getRecord=1,[] -rclone,,rclone is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"portable tool. No install path, portable tool. No install path, rclone*.zip, *\rclone.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rclone_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of rclone RMM tool""}]",,[] Atera,,"Atera is a remote monitoring and management (RMM) tool. It is used by threat actors to deploy ransomware or facilitate command execution and lateral movement. ",,2024/08/03,,https://www.atera.com/,AteraAgent.exe,AteraAgent.exe,AteraAgent,,SYSTEM,30 day trial,None,"Windows, MacOS, Linux","Integrated remote access with Splashtop and AnyDesk, Remote monitoring and management, Patch management, Network discovery, Backup and disaster recovery, Helpdesk and ticketing, Reporting and analytics, Billing and invoicing, Customer portal, Mobile app","CVE-2023-26078, CVE-2023-26077","*\AgentPackageNetworkDiscovery.exe, *\AgentPackageTaskScheduler.exe, *\ATERA Networks\AteraAgent\*, *\AteraAgent.exe, atera_agent.exe, atera_agent.exe, ateraagent.exe, C:\Program Files\ATERA Networks\AteraAgent\*, C:\Program Files\Atera Networks, C:\Program Files (x86)\Atera Networks, syncrosetup.exe","{""Disk"": [{""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageRunCommandInteractive\\log.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\*"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe"", ""Description"": ""Atera service binary"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\Atera Networks\\AlphaAgent.exe"", ""Description"": ""Atera service binary"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\ATERA 
Networks\\AteraAgent\\Packages\\AgentPackageSTRemote\\AgentPackageSTRemote.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageMonitoring\\AgentPackageMonitoring.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageHeartbeat\\AgentPackageHeartbeat.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageFileExplorer\\AgentPackageFileExplorer.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageRunCommandInteractive\\AgentPackageRunCommandInteractive.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""AteraAgent"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\ATERA Networks\\\\AteraAgent\\\\AteraAgent.exe\"""", ""Description"": ""Service installation event as result of AteraAgent installation.""}, {""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""WinRing0_1_2_0"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\ATERA Networks\\\\AteraAgent\\\\Packages\\\\AgentPackageMonitoring\\\\OpenHardwareMonitorLib.sys\"""", ""Description"": ""Service installation event as result of Atera pakcage manager installation.""}, {""EventID"": 11707, ""ProviderName"": ""MsiInstaller"", ""LogFile"": ""Application.evtx"", ""Data"": ""Product: AteraAgent -- Installation completed successfully."", ""Description"": ""Service installation event as result of AteraAgent installation.""}, {""EventID"": 4688, ""ProviderName"": ""Microsoft-Security-Auditing"", ""LogFile"": ""Security.evtx"", ""CommandLine"": ""C:\\\\Program Files\\\\ATERA 
Networks\\\\AteraAgent\\\\Packages\\\\AgentPackageFileExplorer\\\\AgentPackageFileExplorer.exe XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX agent-api.atera.com/Production 443 [BASE64BLOB]"", ""Description"": ""Service installation event as result of AteraAgent installation.""}], ""Registry"": [{""Path"": ""HKLM\\SOFTWARE\\ATERA Networks\\AlphaAgent"", ""Description"": null}, {""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Services\\AteraAgent"", ""Description"": null}, {""Path"": ""KLM\\SOFTWARE\\WOW6432Node\\Splashtop Inc."", ""Description"": null}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Splashtop Software Updater"", ""Description"": null}, {""Path"": ""HKLM\\SYSTEM\\ControlSet\\Services\\EventLog\\Application\\AlphaAgent"", ""Description"": null}, {""Path"": ""HKLM\\SYSTEM\\ControlSet\\Services\\EventLog\\Application\\AteraAgent"", ""Description"": null}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Tracing\\AteraAgent_RASAPI32"", ""Description"": null}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Tracing\\AteraAgent_RASMANCS"", ""Description"": null}, {""Path"": ""HKLM\\SOFTWARE\\ATERA Networks\\*"", ""Description"": null}], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""pubsub.atera.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""pubsub.pubnub.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""agentreporting.atera.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""getalphacontrol.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""app.atera.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""agenthb.atera.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""packagesstore.blob.core.windows.net""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""ps.pndsn.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": 
[""agent-api.atera.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""cacerts.thawte.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""agentreportingstore.blob.core.windows.net""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""atera-agent-heartbeat.servicebus.windows.net""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""ps.atera.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""atera.pubnubapi.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""appcdn.atera.com""], ""Ports"": [""N/A""]}]}","[{""Sigma"": ""https://github.com/The-DFIR-Report/Sigma-Rules/blob/d67407d357ad32b247e2a303abc5a38bb30fd576/rules/windows/process_creation/proc_creation_win_ateraagent_malicious_installations.yml"", ""Name"": ""AteraAgent malicious installations"", ""Description"": ""Detects AteraAgent installations with suspicious command line arguments.""}, {""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yml"", ""Name"": ""Atera Agent Installation"", ""Description"": ""Detects Atera Agent installation.""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of Atera RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_network_sigma.yml"", ""Description"": ""Detects potential network activity of Atera RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_files_sigma.yml"", ""Description"": ""Detects potential files activity of Atera RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Atera RMM 
tool""}]","https://support.atera.com/hc/en-us/articles/360015461139-Firewall-Settings-for-Atera-s-Integrations, https://support.atera.com/hc/en-us/articles/215955967-Troubleshoot-Atera-s-Windows-agent, https://support.atera.com/hc/en-us/articles/115015619747-Release-Notes-February-2018, https://thedfirreport.com/?s=ateraagent","[{""Person"": ""Th\u00e9o Letailleur"", ""Handle"": ""in/theosyn""}, {""Person"": ""Nasreddine Bencherchali"", ""Handle"": ""@nas_bench""}, {""Person"": ""Kostas"", ""Handle"": ""@kostastsale""}]" -CrossLoop,,CrossLoop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"crossloopservice.exe, CrossLoopConnect.exe, WinVNCStub.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.crossloop.com"", ""crossloop.en.softonic.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crossloop_network_sigma.yml"", ""Description"": ""Detects potential network activity of CrossLoop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crossloop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of CrossLoop RMM tool""}]",www.CrossLoop.com -> redirects to avast.com,[] -Level.io,,Level.io is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"level-windows-amd64.exe, level.exe, level-remote-control-ffmpeg.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""level.io"", ""*.level.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_network_sigma.yml"", ""Description"": ""Detects potential network activity of Level.io RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Level.io RMM tool""}]",https://docs.level.io/1.0/admin-guides/troubleshooting-agent-issues,[] -Tactical RMM,,Tactical RMM is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"tacticalrmm.exe, tacticalrmm.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""login.tailscale.com"", ""login.tailscale.com"", ""docs.tacticalrmm.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tactical_rmm_network_sigma.yml"", ""Description"": ""Detects potential network activity of Tactical RMM RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tactical_rmm_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Tactical RMM RMM tool""}]",docs.tacticalrmm.com,[] -Fortra,,Fortra is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""fortra.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fortra_network_sigma.yml"", ""Description"": ""Detects potential network activity of Fortra RMM tool""}]",https://www.fortra.com - No free/cloud RMM softwars listed,[] -Sorillus,,Sorillus is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"Sorillus-Launcher*.exe, Sorillus Launcher.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.sorillus.com"", ""sorillus.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sorillus_network_sigma.yml"", ""Description"": ""Detects potential network activity of Sorillus RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sorillus_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Sorillus RMM tool""}]",https://sorillus.com/,[] -RemoteCall,,RemoteCall is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rcengmgru.exe, rcmgrsvc.exe, rxstartsupport.exe, rcstartsupport.exe, raautoup.exe, agentu.exe, remotesupportplayeru.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.remotecall.com"", ""*.startsupport.com"", ""remotecall.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotecall_network_sigma.yml"", ""Description"": ""Detects potential network activity of RemoteCall RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotecall_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RemoteCall RMM tool""}]",https://help.remotecall.com/hc/en-us/articles/360005128814--RemoteCall-Server-List-For-Firewall,[] -Laplink Everywhere,,Laplink Everywhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"laplink.exe, laplink-everywhere-setup*.exe, laplinkeverywhere.exe, llrcservice.exe, serverproxyservice.exe, OOSysAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""everywhere.laplink.com"", ""le.laplink.com"", ""atled.syspectr.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_everywhere_network_sigma.yml"", ""Description"": ""Detects potential network activity of Laplink Everywhere RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_everywhere_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Laplink Everywhere RMM tool""}]",https://everywhere.laplink.com/docs,[] -MEGAsync,,MEGAsync is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\*\AppData\Local\MEGAsync\*, *Users\*\AppData\Local\MEGAsync\*, *Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*, *ProgramData\MEGAsync\*, *\MEGAsyncSetup64.exe, *\MEGAupdater.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/megasync_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MEGAsync RMM tool""}]",,[] +JollysFastVNC,,JollysFastVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +RunSmart,,RunSmart is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""runsmart.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/runsmart_network_sigma.yml"", ""Description"": ""Detects potential network activity of RunSmart RMM tool""}]",,[] +Chrome Remote Desktop,,Chrome Remote Desktop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"remote_host.exe, remoting_host.exe, C:\Program Files (x86)\Google\Chrome Remote Desktop\*, *\Google\Chrome Remote Desktop\*, *\remoting_host.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*remotedesktop.google.com"", ""*remotedesktop-pa.googleapis.com"", ""remotedesktop.google.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of Chrome Remote Desktop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Chrome Remote Desktop RMM tool""}]",https://support.google.com/chrome/a/answer/2799701?hl=en,[] +Netviewer (GoToMeet),,Netviewer (GoToMeet) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"nvClient.exe, netviewer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer__gotomeet__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Netviewer (GoToMeet) RMM tool""}]",Obsolute - found copy here: https://www.enviolet.com/en/service/online-consultant.html,[] +Netviewer,,Netviewer is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"netviewer*.exe, netviewer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""download.cnet.com/Net-Viewer/3000-2370_4-10034828.html""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer_network_sigma.yml"", ""Description"": ""Detects potential network activity of Netviewer RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Netviewer RMM tool""}]",,[] +ConnectWise Control,,ConnectWise Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"connectwisechat-customer.exe, connectwisecontrol.client.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""control.connectwise.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_network_sigma.yml"", ""Description"": ""Detects potential network activity of ConnectWise Control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ConnectWise Control RMM tool""}]",,[] +ExtraPuTTY,,ExtraPuTTY is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\*\ExtraPuTTY-0.30-2016-01-28-installer.exe, *Users\*\ExtraPuTTY-0.30-2016-01-28-installer.exe, *\ExtraPuTTY-0.30-2016-01-28-installer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/extraputty_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ExtraPuTTY RMM tool""}]",,[] +FleetDeck,,FleetDeck is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,fleetdeck_agent_svc.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""fleetdeck.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdeck_network_sigma.yml"", ""Description"": ""Detects potential network activity of FleetDeck RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdeck_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of FleetDeck RMM tool""}]",,[] +HelpU,,HelpU is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"helpu_install.exe, HelpuUpdater.exe, HelpuManager.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""helpu.co.kr"", ""*.helpu.co.kr""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpu_network_sigma.yml"", ""Description"": ""Detects potential network activity of HelpU RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpu_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of HelpU RMM tool""}]",https://helpu.co.kr/,[] +ESET Remote Administrator,,ESET Remote Administrator is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"einstaller.exe, era.exe, ERAAgent.exe, ezhelp*.exe, eratool.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""eset.com/me/business/remote-management/remote-administrator/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_network_sigma.yml"", ""Description"": ""Detects potential network activity of ESET Remote Administrator RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ESET Remote Administrator RMM tool""}]",eset.com/me/business/remote-management/remote-administrator/,[] +ToDesk,,ToDesk is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"todesk.exe, ToDesk_Service.exe, ToDesk_Setup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""todesk.com"", ""*.todesk.com"", ""*.todesk.com"", ""todesktop.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/todesk_network_sigma.yml"", ""Description"": ""Detects potential network activity of ToDesk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/todesk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ToDesk RMM tool""}]",https://www.todesk.com/,[] +Distant Desktop,,Distant Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"ddsystem.exe, dd.exe, distant-desktop.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.distantdesktop.com"", ""*signalserver.xyz""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of Distant Desktop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Distant Desktop RMM tool""}]",https://www.distantdesktop.com/manual/first-start.htm,[] +RAdmin,,"RAdmin is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. 
+",Nasreddine Bencherchali,2024-08-05,2024-08-05,https://www.radmin.com/,RServer3.exe,RServer3.exe,Radmin Server,Radmin Server,,,,Windows,,,"C:\Program Files (x86)\Radmin Viewer 3\Radmin.exe, C:\Windows\SysWOW64\rserver30\rserver3.exe, C:\Windows\SysWOW64\rserver30\FamItrfc, C:\Windows\SysWOW64\rserver30\FamItrf2","{""Disk"": [{""File"": ""C:\\Windows\\SysWOW64\\rserver30\\Radm_log.htm"", ""Description"": ""RAdmin log file (32-bit)"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\System32\\rserver30\\Radm_log.htm"", ""Description"": ""RAdmin log file (64-bit)"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\System32\\rserver30\\CHATLOGS\\*\\*.htm"", ""Description"": ""RAdmin chat logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Users\\*\\Documents\\ChatLogs\\*\\*.htm"", ""Description"": ""RAdmin user chat logs"", ""OS"": ""Windows""}], ""EventLog"": [], ""Registry"": [{""Path"": ""HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Radmin\\v3.0\\Server\\Parameters\\Radmin Security"", ""Description"": ""N/A""}], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""radmin.com""], ""Ports"": [443]}]}","[{""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_pua_radmin.yml"", ""Description"": ""PUA - Radmin Viewer Utility Execution""}, {""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml"", ""Description"": ""Enumeration for 3rd Party Creds From CLI""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of RAdmin RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_network_sigma.yml"", ""Description"": ""Detects potential network activity of RAdmin RMM tool""}, {""Sigma"": 
""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_files_sigma.yml"", ""Description"": ""Detects potential files activity of RAdmin RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RAdmin RMM tool""}]","https://radmin-club.com/radmin/how-to-establish-a-connection-outside-of-lan/, https://helpdesk.radmin.com/radmin3help/, https://helpdesk.radmin.com/radmin3help/files/viewercmd.htm, https://helpdesk.radmin.com/radmin3help/files/cmd.htm","[{""Person"": ""Nasreddine Bencherchali"", ""Handle"": ""@nas_bench""}]" +CrossLoop,,CrossLoop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"crossloopservice.exe, CrossLoopConnect.exe, WinVNCStub.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.crossloop.com"", ""crossloop.en.softonic.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crossloop_network_sigma.yml"", ""Description"": ""Detects potential network activity of CrossLoop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crossloop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of CrossLoop RMM tool""}]",www.CrossLoop.com -> redirects to avast.com,[] +Centurion,,Centurion is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,ctiserv.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""centuriontech.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centurion_network_sigma.yml"", ""Description"": ""Detects potential network activity of Centurion RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centurion_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Centurion RMM tool""}]",https://data443.atlassian.net/servicedesk/customer/portal/20,[] +KickIdler,,KickIdler is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"grabberEM.*msi, grabberTT*.msi","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""kickidler.com"", ""my.kickidler.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kickidler_network_sigma.yml"", ""Description"": ""Detects potential network activity of KickIdler RMM tool""}]",https://www.kickidler.com/for-it/faq/,[] +Syncro,,Syncro is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/13/2024,,,,,,,,,,,,"Syncro.Installer.exe, Kabuto.App.Runner.exe, Syncro.Overmind.Service.exe, Kabuto.Installer.exe, KabutoSetup.exe, Syncro.Service.exe, Kabuto.Service.Runner.exe, Syncro.App.Runner.exe, SyncroLive.Service.exe, SyncroLive.Agent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""kabuto.io"", ""*.syncromsp.com"", ""*.syncroapi.com"", ""syncromsp.com"", ""servably.com"", ""ld.aurelius.host"", ""app.kabuto.io "", ""*.kabutoservices.com"", ""repairshopr.com"", ""kabutoservices.com"", ""attachments.servably.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncro_network_sigma.yml"", ""Description"": ""Detects potential network activity of Syncro RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncro_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Syncro RMM tool""}]",https://community.syncromsp.com/t/syncro-exceptions-and-allowlists/2004,[] +AweRay,,AweRay is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"aweray_remote*.exe, AweSun.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""asapi*.aweray.net"", ""client-api.aweray.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray_network_sigma.yml"", ""Description"": ""Detects potential network activity of AweRay RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of AweRay RMM tool""}]",https://sun.aweray.com/help,[] +SunLogin,,SunLogin is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"OrayRemoteShell.exe, OrayRemoteService.exe, sunlogin*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""sunlogin.oray.com"", ""client.oray.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sunlogin_network_sigma.yml"", ""Description"": ""Detects potential network activity of SunLogin RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sunlogin_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SunLogin RMM tool""}]",https://sunlogin.oray.com/en/embed/software.html,[] +Koofr,,Koofr is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +SysAid,,SysAid is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\SysAidServer\*, *\SysAidServer\*, *\SysAid\*, *\IliAS.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sysaid_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SysAid RMM tool""}]",,[] Neturo,,Neturo is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"neturo*.exe, ntrntservice.exe, neturo.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""neturo.uplus.co.kr""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/neturo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Neturo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/neturo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Neturo RMM tool""}]","Obscure, located an older copy here: http://www.iconpos.com/pos/home/iconpos/bbs.php?id=file&q=view&uid=2",[] -Distant Desktop,,Distant Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"distant-desktop.exe, dd.exe, ddsystem.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.distantdesktop.com"", ""*signalserver.xyz""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of Distant Desktop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Distant Desktop RMM tool""}]",https://www.distantdesktop.com/manual/first-start.htm,[] -rsync,,rsync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Anyplace Control,,Anyplace Control is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,apc_host.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""anyplace-control.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyplace_control_network_sigma.yml"", ""Description"": ""Detects potential network activity of Anyplace Control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyplace_control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Anyplace Control RMM tool""}]",http://www.anyplace-control.com/anyplace-control/help/faq.htm,[] -JollysFastVNC,,JollysFastVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -ExtraPuTTY,,ExtraPuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\*\ExtraPuTTY-0.30-2016-01-28-installer.exe, *Users\*\ExtraPuTTY-0.30-2016-01-28-installer.exe, *\ExtraPuTTY-0.30-2016-01-28-installer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/extraputty_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ExtraPuTTY RMM tool""}]",,[] -rdpwrap,,rdpwrap is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"RDPWInst.exe, RDPCheck.exe, RDPConf.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""github.com/stascorp/rdpwrap""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpwrap_network_sigma.yml"", ""Description"": ""Detects potential network activity of rdpwrap RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpwrap_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of rdpwrap RMM tool""}]",github.com/stascorp/rdpwrap,[] -N-ABLE Remote Access Software,,N-ABLE Remote Access Software is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""n-able.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_remote_access_software_network_sigma.yml"", ""Description"": ""Detects potential network activity of N-ABLE Remote Access Software RMM tool""}]",,[] -Google Drive,,Google Drive is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\Google\Drive File Stream\*, *\Google\Drive File Stream\*, *Users\*\AppData\*\Google\DriveFS*, G:\My Drive*, *\GoogleDriveFS.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/google_drive_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Google Drive RMM tool""}]",,[] -Solar-PuTTY,,Solar-PuTTY is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\Solar-Putty-v4\*, *\Solar-Putty-v4\*, *\Solar-PuTTY.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/solar-putty_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Solar-PuTTY RMM tool""}]",,[] -TeamViewer,,"TeamViewer is a remote monitoring and management (RMM) tool. -","Nasreddine Bencherchali, Michael Haag",2024-08-02,2024-08-02,https://www.teamviewer.com/en,TeamViewer.exe,,,TeamViewer,user,True,False,"Android, ChromeOS, IOS, Linux, Mac, Windows",,https://www.cvedetails.com/vulnerability-list/vendor_id-11100/product_id-19942/Teamviewer-Teamviewer.html,"C:\Program Files\TeamViewer\, teamviewer_desktop.exe, teamviewer_service.exe, teamviewerhost","{""Disk"": [{""File"": ""C:\\Users\\\\AppData\\Local\\Temp\\TeamViewer\\TV15Install.log"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""TeamViewer\\d\\d_Logfile\\.log"", ""Description"": ""N/A"", ""OS"": ""Windows"", ""Type"": ""Regex""}, {""File"": ""C:\\Program Files\\TeamViewer\\Connections_incoming.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\TeamViewer\\TVNetwork.log"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%LOCALAPPDATA%\\Temp\\TeamViewer\\TV15Install.log"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%APPDATA%\\\\TeamViewer\\\\TeamViewer\\d\\d_Logfile\\.log"", ""Description"": ""N/A"", ""OS"": ""Windows"", ""Type"": ""Regex""}, {""File"": ""teamviewerqs.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""tv_w32.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""tv_w64.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""tv_x64.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""teamviewer.exe"", ""Description"": ""N/A"", ""OS"": 
""Windows""}, {""File"": ""teamviewer_service.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%LOCALAPPDATA%\\TeamViewer\\Database\\tvchatfilecache.db"", ""Description"": ""SQlite 3 database storing cache about TeamViewer chat"", ""OS"": ""Windows""}, {""File"": ""%LOCALAPPDATA%\\TeamViewer\\RemotePrinting\\tvprint.db"", ""Description"": ""SQlite 3 database storing TeamViewer print jobs"", ""OS"": ""Windows""}, {""File"": ""%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\TeamViewer.lnk"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files*\\TeamViewer\\connections*.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Users\\*\\AppData\\Roaming\\TeamViewer\\MRU\\RemoteSupport\\*tvc"", ""Description"": ""N/A"", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""TeamViewer"", ""ImagePath"": ""\""C:\\\\Program Files\\\\TeamViewer\\\\TeamViewer_Service.exe\"""", ""Description"": ""Service installation event as result of TeamViewer installation.""}], ""Registry"": [{""Path"": ""HKLM\\SOFTWARE\\TeamViewer\\*"", ""Description"": ""N/A""}, {""Path"": ""HKU\\\\SOFTWARE\\TeamViewer\\*"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Services\\TeamViewer\\*"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\TeamViewer\\ConnectionHistory"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\TeamViewer\\*"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\MainWindowHandle"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImage"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImagePath"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImagePosition"", 
""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\MinimizeToTray"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioUserSelectedCapturingEndpoint"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioSendingVolumeV2"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioUserSelectedRenderingEndpoint"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\TeamViewer\\ConnectionHistory"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\ClientWindow_Mode"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\ClientWindowPositions"", ""Description"": ""N/A""}], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.teamviewer.com""], ""Ports"": []}, {""Description"": ""N/A"", ""Domains"": [""router15.teamviewer.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""client.teamviewer.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""taf.teamviewer.com""], ""Ports"": [443]}], ""Other"": [{""Type"": ""Mutex"", ""Value"": ""TeamViewer_LogMutex""}, {""Type"": ""Mutex"", ""Value"": ""TeamViewerHooks_DynamicMemMutex""}, {""Type"": ""Mutex"", ""Value"": ""TeamViewer3_Win32_Instance_Mutex""}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of TeamViewer RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_network_sigma.yml"", ""Description"": ""Detects potential network activity of TeamViewer RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_files_sigma.yml"", ""Description"": ""Detects potential files activity of TeamViewer RMM tool""}, {""Sigma"": 
""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of TeamViewer RMM tool""}]","https://community.teamviewer.com/English/kb/articles/4139-ports-used-by-teamviewer, https://arista.my.site.com/AristaCommunity/s/article/Security-Analysis-TeamViewer#, https://www.teamviewer.com/en/global/support/knowledge-base/teamviewer-classic/troubleshooting/log-file-reading-incoming-connection/, https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html, https://github.com/Purp1eW0lf/Blue-Team-Notes","[{""Person"": ""Th\u00e9o Letailleur"", ""Handle"": ""in/theosyn""}]" -Itarian,,Itarian is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"ITSMAgent.exe, RViewer.exe, ItsmRsp.exe, RAccess.exe, RmmService.exe, ITarianRemoteAccessSetup.exe, RDesktop.exe, ComodoRemoteControl.exe, ITSMService.exe, RHost.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""mdmsupport.comodo.com"", ""*.itsm-us1.comodo.com"", ""*.cmdm.comodo.com"", ""remoteaccess.itarian.com"", ""servicedesk.itarian.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itarian_network_sigma.yml"", ""Description"": ""Detects potential network activity of Itarian RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itarian_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Itarian RMM tool""}]","https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html",[] -Visual Studio Dev Tunnel,,Visual Studio Dev Tunnel is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""global.rel.tunnels.api.visualstudio.com"", ""*.rel.tunnels.api.visualstudio.com"", ""*.devtunnels.ms""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/visual_studio_dev_tunnel_network_sigma.yml"", ""Description"": ""Detects potential network activity of Visual Studio Dev Tunnel RMM tool""}]",https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security,[] -ITSupport247 (ConnectWise),,ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,saazapsc.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.itsupport247.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__network_sigma.yml"", ""Description"": ""Detects potential network activity of ITSupport247 (ConnectWise) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ITSupport247 (ConnectWise) RMM tool""}]",https://control.itsupport247.net/,[] -LogMeIn,,"LogMeIn is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. 
-",Nasreddine Bencherchali,2024-08-05,2024-08-05,https://www.logmein.com/,lmiguardiansvc.exe,,,,,,,,,,None,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""logmein-gateway.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.logmein.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.logmein.eu""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""logmeinrescue.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.logmeininc.com""], ""Ports"": [443]}]}","[{""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml"", ""Description"": ""DNS Query To Remote Access Software Domain From Non-Browser App""}, {""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_remote_access_tools_logmein.yml"", ""Description"": ""Remote Access Tool - LogMeIn Execution""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_network_sigma.yml"", ""Description"": ""Detects potential network activity of LogMeIn RMM tool""}]",https://support.logmeininc.com/central/help/allowlisting-and-firewall-configuration,"[{""Person"": ""Nasreddine Bencherchali"", ""Handle"": ""@nas_bench""}]" +SmarTTY,,SmarTTY is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"c:\Program Files (x86)\Sysprogs\SmarTTY\*, *\Sysprogs\SmarTTY\*, *\SmarTTY.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/smartty_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SmarTTY RMM tool""}]",,[] +Impero Connect,,Impero Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,ImperoClientSVC.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""imperosoftware.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/impero_connect_network_sigma.yml"", ""Description"": ""Detects potential network activity of Impero Connect RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/impero_connect_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Impero Connect RMM tool""}]",,[] +247ithelp.com (ConnectWise),,247ithelp.com (ConnectWise) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,Remote Workforce Client.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.247ithelp.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/247ithelp.com__connectwise__network_sigma.yml"", ""Description"": ""Detects potential network activity of 247ithelp.com (ConnectWise) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/247ithelp.com__connectwise__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of 247ithelp.com (ConnectWise) RMM tool""}]",Similar / replaced by ScreenConnect,[] +Remobo,,Remobo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"remobo.exe, remobo_client.exe, remobo_tracker.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""remobo.en.softonic.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remobo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Remobo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remobo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remobo RMM tool""}]",https://www.remobo.com - DOA as of 2024,[] +CloudFuze,,CloudFuze is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Free Tools Launcher,,Free Tools Launcher is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\ManageEngine\ManageEngine Free Tools\Launcher\*, *\ManageEngine\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Echoware,,Echoware is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"echoserver*.exe, echoware.dll","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/echoware_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Echoware RMM tool""}]",,[] +Zoho Assist,,Zoho Assist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"zaservice.exe, ZMAgent.exe, C:\*\ZA_Access.exe, ZohoMeeting.exe, Zohours.exe, zohotray.exe, ZohoURSService.exe, *\ZA_Access.exe, Zaservice.exe, za_connect.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.zoho.com.au"", ""*.zohoassist.jp"", ""assist.zoho.com"", ""zoho.com/assist/"", ""*.zoho.in"", ""downloads.zohodl.com.cn"", ""*.zohoassist.com"", ""downloads.zohocdn.com"", ""gateway.zohoassist.com"", ""*.zohoassist.com.cn"", ""*.zoho.com.cn"", ""*.zoho.com"", ""*.zoho.eu""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoho_assist_network_sigma.yml"", ""Description"": ""Detects potential network activity of Zoho Assist RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoho_assist_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Zoho Assist RMM tool""}]",https://www.zoho.com/assist/kb/firewall-configuration.html,[] +KiTTY,,KiTTY is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\kitty.exe, *\kitty.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kitty_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of KiTTY RMM tool""}]",,[] +Proton Drive,,Proton Drive is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +SimpleHelp,,SimpleHelp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"simplehelpcustomer.exe, simpleservice.exe, simplegatewayservice.exe, remote access.exe, windowslauncher.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""simple-help.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/simplehelp_network_sigma.yml"", ""Description"": ""Detects potential network activity of SimpleHelp RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/simplehelp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SimpleHelp RMM tool""}]",https://simple-help.com/remote-support,[] +CloudFlare Tunnel,,CloudFlare Tunnel is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,cloudflared.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""cloudflare.com/products/tunnel/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudflare_tunnel_network_sigma.yml"", ""Description"": ""Detects potential network activity of CloudFlare Tunnel RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudflare_tunnel_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of CloudFlare Tunnel RMM tool""}]",cloudflare.com/products/tunnel/,[] +GoTo Opener,,GoTo Opener is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\GoTo Opener, *\GoTo Opener","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Pcvisit,,Pcvisit is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"pcvisit.exe, pcvisit_client.exe, pcvisit-easysupport.exe, pcvisit_service_client.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.pcvisit.de"", ""pcvisit.de""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcvisit_network_sigma.yml"", ""Description"": ""Detects potential network activity of Pcvisit RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcvisit_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pcvisit RMM tool""}]",https://www.pcvisit.de/,[] +Mocha VNC Lite,,Mocha VNC Lite is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"This installs a modified VNC and cannot be blocked by path separate from VNC, This installs a modified VNC and cannot be blocked by path separate from VNC, *\RealVNC\VNC4\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Laplink Gold,,Laplink Gold is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"tsircusr.exe, laplink.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""wen.laplink.com/product/laplink-gold""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_gold_network_sigma.yml"", ""Description"": ""Detects potential network activity of Laplink Gold RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_gold_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Laplink Gold RMM tool""}]",wen.laplink.com/product/laplink-gold,[] Cyberduck,,Cyberduck is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\Cyberduck\*, *\Cyberduck\*, *\Cyberduck.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cyberduck_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Cyberduck RMM tool""}]",,[] -Electric,,Electric is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""electric.ai""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/electric_network_sigma.yml"", ""Description"": ""Detects potential network activity of Electric RMM tool""}]",,[] -PuTTY,,PuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -TeraCLOUD,,TeraCLOUD is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"c:\*\TeraCloud.Client*, *\TeraCloud.Client*, *\Livedrive-Setup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teracloud_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of TeraCLOUD RMM tool""}]",,[] -Netreo,,Netreo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""charon.netreo.net"", ""activation.netreo.net"", ""*.api.netreo.com"", ""netreo.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netreo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Netreo RMM tool""}]",https://solutions.netreo.com/docs/firewall-requirements,[] -Netop Remote Control (Impero Connect),,Netop Remote Control (Impero Connect) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"nhostsvc.exe, nhstw32.exe, ngstw32.exe, Netop Ondemand.exe, nldrw32.exe, rmserverconsolemediator.exe, ImperoInit.exe, Connect.Backdrop.cloud*.exe, ImperoClientSVC.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.connect.backdrop.cloud"", ""*.netop.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__impero_connect__network_sigma.yml"", ""Description"": ""Detects potential network activity of Netop Remote Control (Impero Connect) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__impero_connect__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Netop Remote Control (Impero Connect) RMM tool""}]",https://kb.netop.com/article/firewall-and-proxy-server-considerations-when-using-netop-portal-communication-373.html,[] +Iperius Remote,,Iperius Remote is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"iperius.exe, iperiusremote.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.iperiusremote.com"", ""*.iperius.com"", ""*.iperius-rs.com"", ""iperiusremote.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/iperius_remote_network_sigma.yml"", ""Description"": ""Detects potential network activity of Iperius Remote RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/iperius_remote_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Iperius Remote RMM tool""}]",https://www.iperiusremote.com/download-iperius-remote-desktop-windows.aspx,[] +BeamYourScreen,,BeamYourScreen is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"beamyourscreen.exe, beamyourscreen-host.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""beamyourscreen.com"", ""*.beamyourscreen.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beamyourscreen_network_sigma.yml"", ""Description"": ""Detects potential network activity of BeamYourScreen RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beamyourscreen_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of BeamYourScreen RMM tool""}]",beamyourscreen redirects to https://www.mikogo.com/,[] +TeleDesktop,,TeleDesktop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"pstlaunch.exe, ptdskclient.exe, ptdskhost.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""tele-desk.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teledesktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of TeleDesktop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teledesktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of TeleDesktop RMM tool""}]",http://potomacsoft.com/ - DOA as of 2024,[] +Parallels Access,,Parallels Access is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"parallelsaccess-*.exe, TSClient.exe, prl_deskctl_agent.exe, prl_deskctl_wizard.exe, prl_pm_service.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.parallels.com"", ""parallels.com/products/ras/try""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/parallels_access_network_sigma.yml"", ""Description"": ""Detects potential network activity of Parallels Access RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/parallels_access_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Parallels Access RMM tool""}]",https://kb.parallels.com/en/129097,[] +Basecamp,,Basecamp is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""basecamp.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/basecamp_network_sigma.yml"", ""Description"": ""Detects potential network activity of Basecamp RMM tool""}]",basecamp.com - No specific RMM tool listed,[] +Weezo,,Weezo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"weezohttpd.exe, weezo.exe, weezo setup*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.weezo.me"", ""weezo.net"", ""*.weezo.net"", ""weezo.en.softonic.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/weezo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Weezo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/weezo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Weezo RMM tool""}]",weezo.en.softonic.com,[] +X2Go,,X2Go is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +DriveMaker,,DriveMaker is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\DriveMaker.exe, *\DriveMaker.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/drivemaker_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DriveMaker RMM tool""}]",,[] +Dev Tunnels (aka Visual Studio Dev Tunnel),,Dev Tunnels (aka Visual Studio Dev Tunnel) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dev_tunnels__aka_visual_studio_dev_tunnel__network_sigma.yml"", ""Description"": ""Detects potential network activity of Dev Tunnels (aka Visual Studio Dev Tunnel) RMM tool""}]",,[] +Connectwise Automate (LabTech),,Connectwise Automate (LabTech) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"ltsvc.exe, ltsvcmon.exe, lttray.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.hostedrmm.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_automate__labtech__network_sigma.yml"", ""Description"": ""Detects potential network activity of Connectwise Automate (LabTech) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_automate__labtech__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Connectwise Automate (LabTech) RMM tool""}]",https://www.connectwise.com/company/announcements/labtech-now-connectwise-automate,[] Splashtop (Beta),,Splashtop (Beta) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"SRServer.exe, SplashtopSOS.exe, Splashtop_Streamer_Windows*.exe, SRManager.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""splashtop.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop__beta__network_sigma.yml"", ""Description"": ""Detects potential network activity of Splashtop (Beta) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop__beta__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Splashtop (Beta) RMM tool""}]",,[] -FastViewer,,FastViewer is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"fastclient.exe, fastmaster.exe, FastViewer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.fastviewer.com"", ""fastviewer.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fastviewer_network_sigma.yml"", ""Description"": ""Detects potential network activity of FastViewer RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fastviewer_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of FastViewer RMM tool""}]",https://fastviewer.com/demo/EN_FastViewer_Server%20Installation%20Configuration.pdf,[] -RustDesk,,RustDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rustdesk*.exe, rustdesk.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""rustdesk.com"", ""user_managed"", ""web.rustdesk.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rustdesk_network_sigma.yml"", ""Description"": ""Detects potential network activity of RustDesk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rustdesk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RustDesk RMM tool""}]",https://rustdesk.com/docs/en/,[] -MobaXterm,,MobaXterm is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\MobaXterm_installer_12.1.msi, *\MobaXterm_installer_*.msi, *\Mobatek\MobaXterm\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -GoToAssist,,GoToAssist is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"gotoassist.exe, g2a*.exe, GoTo Assist Opener.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""goto.com"", ""*.getgo.com"", ""*.fastsupport.com"", ""*.gotoassist.com"", ""helpme.net"", ""*.gotoassist.me"", ""*.gotoassist.at"", ""*.desktopstreaming.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotoassist_network_sigma.yml"", ""Description"": ""Detects potential network activity of GoToAssist RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotoassist_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of GoToAssist RMM tool""}]",https://help.gotoassist.com/remote-support/help/what-should-i-allow-on-my-firewall-for-gotoassist-remote-support-v5,[] -Free Ping Tool,,Free Ping Tool is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"can't find this one, can't find this one","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Google Drive,,Google Drive is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\Google\Drive File Stream\*, *\Google\Drive File Stream\*, *Users\*\AppData\*\Google\DriveFS*, G:\My Drive*, *\GoogleDriveFS.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/google_drive_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Google Drive RMM tool""}]",,[] +Netop,,Netop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\Danware Data\NetOp Packn Deploy\*, *\Danware Data\NetOp Packn Deploy\*, *\Netop Remote Control\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Kaseya (VSA),,"Kaseya (VSA) aka Unigma is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. +",Nasreddine Bencherchali,2024-08-05,2024-08-05,,agentmon.exe,,,,,,,,,,"C:\Program Files (x86)\Kaseya\, C:\ProgramData\Kaseya\","{""Disk"": [{""File"": ""%localappdata%\\Kaseya\\Log\\KaseyaLiveConnect\\*"", ""Description"": ""Kaseya Live Connect logs"", ""OS"": ""Windows""}, {""File"": ""~/Library/Logs/com.kaseya/KaseyaLiveConnect/*"", ""Description"": ""Kaseya Live Connect logs"", ""OS"": ""MacOS""}, {""File"": ""C:\\ProgramData\\Kaseya\\Log\\Endpoint\\*"", ""Description"": ""Kaseya Endpoint logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files*\\Kaseya\\*\\agentmon.log"", ""Description"": ""Kaseya Agent Monitor log""}, {""File"": ""/var/log/system.log"", ""Description"": ""Kaseya Agent Monitor log"", ""OS"": ""MacOS 32bit""}, {""File"": "" ~/opt/kaseya/*/logs*"", ""Description"": ""Kaseya Agent Monitor log"", ""OS"": ""MacOS 64bit""}, {""File"": ""C:\\Users\\*\\AppData\\Local\\Temp\\KASetup.log"", ""Description"": ""Kaseya Setup log in user temp directory"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\Temp\\KASetup.log"", ""Description"": ""Kaseya Setup log in Windows temp directory"", ""OS"": ""Windows""}, {""File"": ""C:\\ProgramData\\Kaseya\\Log\\KaseyaEdgeServices\\*"", ""Description"": ""Kaseya Edge Services logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Kaseya\\api\\v1.0\\logs\\"", ""Description"": ""Kaseya API logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Kaseya\\api\\v1.5\\endpoint\\logs"", ""Description"": ""Kaseya API logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Kaseya\\api\\v1.5\\endpoints\\logs"", ""Description"": ""Kaseya API logs"", 
""OS"": ""Windows""}, {""File"": ""C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Kaseya\\Log\\MakeSelfSignedCert.exe\\"", ""Description"": ""Certificate creation"", ""OS"": ""Windows""}, {""File"": ""C:\\Kaseya\\WebPages\\install\\makecert.txt"", ""Description"": ""Certificate creation"", ""OS"": ""Windows""}, {""File"": ""C:\\ProgramData\\Kaseya\\Log\\Endpoint\\Instance_*\\KaseyaEndpoint*"", ""Description"": ""Endpoint service logs"", ""OS"": ""Windows""}, {""File"": ""C:\\ProgramData\\Kaseya\\Log\\Endpoint\\Instance_*\\Session_*"", ""Description"": ""Session logs"", ""OS"": ""Windows""}], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""deploy01.kaseya.com"", ""*managedsupport.kaseya.net"", ""*.kaseya.net"", ""kaseya.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kaseya__vsa__network_sigma.yml"", ""Description"": ""Detects potential network activity of Kaseya (VSA) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kaseya__vsa__files_sigma.yml"", ""Description"": ""Detects potential files activity of Kaseya (VSA) RMM tool""}]","https://helpdesk.kaseya.com/hc/en-gb/articles/229012608-Software-Deployment-URL-Port-Requirements, https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations, https://ruler-project.github.io/ruler-project/RULER/remote/Kaseya/, https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations",[] HelpBeam,,HelpBeam is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,helpbeam*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""helpbeam.software.informer.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpbeam_network_sigma.yml"", ""Description"": ""Detects potential network activity of HelpBeam RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpbeam_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of HelpBeam RMM tool""}]",https://www.helpbeam.com domain for sale in 2024,[] -NTR Remote,,NTR Remote is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,NTRsupportPro_EN.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.ntrsupport.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ntr_remote_network_sigma.yml"", ""Description"": ""Detects potential network activity of NTR Remote RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ntr_remote_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NTR Remote RMM tool""}]",DOA as of 2024,[] -ServerEye,,ServerEye is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"servereye*.exe, ServiceProxyLocalSys.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.server-eye.de""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/servereye_network_sigma.yml"", ""Description"": ""Detects potential network activity of ServerEye RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/servereye_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ServerEye RMM tool""}]",https://www.servereye.de/wp-content/uploads/Anleitung-zur-Erstinstallation_aktuell.pdf,[] -WebRDP,,WebRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,webrdp.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""github.com/Mikej81/WebRDP""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/webrdp_network_sigma.yml"", ""Description"": ""Detects potential network activity of WebRDP RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/webrdp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of WebRDP RMM tool""}]",github.com/Mikej81/WebRDP,[] -GoTo Opener,,GoTo Opener is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\GoTo Opener, *\GoTo Opener","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -S3 Browser,,S3 Browser is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\S3 Browser\*, *\S3 Browser\*, *\s3browser*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/s3_browser_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of S3 Browser RMM tool""}]",,[] -Any Support,,Any Support is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/27/2024,,,,,,,,,,,,ManualLauncher.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.anysupport.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/any_support_network_sigma.yml"", ""Description"": ""Detects potential network activity of Any Support RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/any_support_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Any Support RMM tool""}]",https://www.anysupport.net/introduce_howto.php,[] -BeamYourScreen,,BeamYourScreen is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"beamyourscreen.exe, beamyourscreen-host.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""beamyourscreen.com"", ""*.beamyourscreen.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beamyourscreen_network_sigma.yml"", ""Description"": ""Detects potential network activity of BeamYourScreen RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beamyourscreen_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of BeamYourScreen RMM tool""}]",beamyourscreen redirects to https://www.mikogo.com/,[] -Sophos-Remote Management System,,Sophos-Remote Management System is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"clientmrinit.exe, mgntsvc.exe, routernt.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.sophos.com"", ""*.sophosupd.com"", ""*.sophosupd.net"", ""community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sophos-remote_management_system_network_sigma.yml"", ""Description"": ""Detects potential network activity of Sophos-Remote Management System RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sophos-remote_management_system_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Sophos-Remote Management System RMM tool""}]",community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system,[] -Amazon (Cloud) Drive,,Amazon (Cloud) Drive is a remote monitoring and 
management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\*\AppData\Local\Amazon\Cloud Drive\*, *\AppData\Local\Amazon\Cloud Drive\*, *\AmazonCloudDrive.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/amazon__cloud__drive_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Amazon (Cloud) Drive RMM tool""}]",,[] -Desktop Central,,Desktop Central is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,dcagentservice.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""desktopcentral.manageengine.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktop_central_network_sigma.yml"", ""Description"": ""Detects potential network activity of Desktop Central RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktop_central_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Desktop Central RMM tool""}]",,[] -PSEXEC (Clone),,PSEXEC (Clone) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"paexec.exe, PAExec-*.exe, csexec.exe , remcom.exe, remcomsvc.exe, xcmd.exe, xcmdsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec__clone__network_sigma.yml"", ""Description"": ""Detects potential network activity of PSEXEC (Clone) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec__clone__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of PSEXEC (Clone) RMM tool""}]",https://www.poweradmin.com/paexec/,[] -GetScreen,,GetScreen is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"GetScreen.exe, getscreen.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""getscreen.me"", ""GetScreen.me"", ""*.getscreen.me""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/getscreen_network_sigma.yml"", ""Description"": ""Detects potential network activity of GetScreen RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/getscreen_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of GetScreen RMM tool""}]",https://docs.getscreen.me/self-hosted/system-requirements/,[] -RemotePC,,RemotePC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"C:\Program Files (x86)\RemotePC\*, Idrive.File-Transfer, *\RemotePC\*, remotepcservice.exe, RemotePC.exe, remotepchost.exe, idrive.RemotePCAgent, rpcsuite.exe, *\RemotePCService.exe, RemotePCService.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.remotedesktop.com"", ""*.remotepc.com"", ""www.remotepc.com"", ""remotepc.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepc_network_sigma.yml"", ""Description"": ""Detects potential network activity of RemotePC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RemotePC RMM tool""}]",https://www.remotedesktop.com/helpdesk/faq-firewall,[] -Tanium,,Tanium is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"TaniumClient.exe, TaniumCX.exe, TaniumExecWrapper.exe, TaniumFileInfo.exe, TPowerShell.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""cloud.tanium.com"", ""*.cloud.tanium.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_network_sigma.yml"", ""Description"": ""Detects potential network activity of Tanium RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Tanium RMM tool""}]",https://help.tanium.com/bundle/ug_client_cloud/page/client/platform_connections.html,[] -GoodSync,,GoodSync is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"installation requires paid version of GoodSync Server, installation requires paid version of GoodSync Server, GoodSync-vsub-Setup.exe, A40B81B36CDC2D24910FC58816E50DCDE21BD1A9","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/goodsync_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of GoodSync RMM tool""}]",,[] -LabTeach (Connectwise Automate),,LabTeach (Connectwise Automate) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,ltsvc.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labteach__connectwise_automate__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of LabTeach (Connectwise Automate) RMM tool""}]",,[] -RemoteView,,RemoteView is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"remoteview.exe, rv.exe, rvagent.exe, rvagtray.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*content.rview.com"", ""*.rview.com"", ""content.rview.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteview_network_sigma.yml"", ""Description"": ""Detects potential network activity of RemoteView RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteview_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RemoteView RMM tool""}]",https://help.rview.com/hc/en-us/articles/360005175994--RemoteView-Server-list-for-firewall,[] -UltraVNC,,UltraVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,UltraVNC*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""ultravnc.com"", ""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultravnc_network_sigma.yml"", ""Description"": ""Detects potential network activity of UltraVNC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultravnc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of UltraVNC RMM tool""}]",https://uvnc.com/docs/uvnc-server/49-UltraVNC-server-configuration.html,[] -SmarTTY,,SmarTTY is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"c:\Program Files (x86)\Sysprogs\SmarTTY\*, *\Sysprogs\SmarTTY\*, *\SmarTTY.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/smartty_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SmarTTY RMM tool""}]",,[] -Absolute (Computrace),,Absolute (Computrace) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,6/18/2024,,,,,,,,,,,,"rpcnet.exe, ctes.exe, ctespersitence.exe, cteshostsvc.exe, rpcld.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*search.namequery.com"", ""*server.absolute.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/absolute__computrace__network_sigma.yml"", ""Description"": ""Detects potential network activity of Absolute (Computrace) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/absolute__computrace__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Absolute (Computrace) RMM tool""}]",https://community.absolute.com/s/article/Understanding-Absolutes-Endpoint-Agents-Rpcnet-CTES-and-search-namequery-com,[] Quest KACE Agent (formerly Dell KACE),,Quest KACE Agent (formerly Dell KACE) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,konea.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.kace.com"", ""www.quest.com/kace/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quest_kace_agent__formerly_dell_kace__network_sigma.yml"", ""Description"": ""Detects potential network activity of Quest KACE Agent (formerly Dell KACE) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quest_kace_agent__formerly_dell_kace__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Quest KACE Agent (formerly Dell KACE) RMM tool""}]",https://support.quest.com/kb/4211365/which-network-ports-and-urls-are-required-for-the-kace-sma-appliance-to-function,[] DeskShare,,DeskShare is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"TeamTaskManager.exe, DSGuest.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskshare_network_sigma.yml"", ""Description"": ""Detects potential network activity of DeskShare RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskshare_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DeskShare RMM tool""}]",https://www.deskshare.com/help/fml/Active-and-Passive-connection-mode.aspx,[] -Pocket Cloud (Wyse),,Pocket Cloud (Wyse) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"pocketcloud*.exe, pocketcloudservice.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_cloud__wyse__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pocket Cloud (Wyse) RMM tool""}]",https://wyse-pocketcloud.informer.com/2.1/,[] -ESET Remote Administrator,,ESET Remote Administrator is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"einstaller.exe, era.exe, ERAAgent.exe, ezhelp*.exe, eratool.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""eset.com/me/business/remote-management/remote-administrator/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_network_sigma.yml"", ""Description"": ""Detects potential network activity of ESET Remote Administrator RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ESET Remote Administrator RMM tool""}]",eset.com/me/business/remote-management/remote-administrator/,[] -Pilixo,,Pilixo is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rdp.exe, Pilixo_Installer*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""pilixo.com"", ""download.pilixo.com"", ""*.pilixo.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pilixo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Pilixo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pilixo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pilixo RMM tool""}]",https://pilixo.freshdesk.com/support/solutions/articles/9000141879-device-connectivity-and-firewalls,[] -CloudMounter,,CloudMounter is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\CloudMounter\*, *\CloudMounter\*, *\CloudMounter\*, *\cloudmounter.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudmounter_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of CloudMounter RMM tool""}]",,[] -Mikogo,,Mikogo is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"mikogo.exe, mikogo-starter.exe, mikogo-service.exe, mikogolauncher.exe, C:\Users\*\AppData\Roaming\Mikogo\*, *Users\*\AppData\Roaming\Mikogo\*, *\Mikogo-Service.exe, *\Mikogo-Screen-Service.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.real-time-collaboration.com"", ""*.mikogo4.com"", ""*.mikogo.com"", ""mikogo.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mikogo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Mikogo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mikogo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Mikogo RMM tool""}]",https://mikogo.zendesk.com/hc/en-us/articles/214072478-Which-IP-addresses-do-we-use-for-our-services,[] -WebEx (Remote Access),,WebEx (Remote Access) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],https://help.webex.com/en-us/article/nyc3q0b/Set-Up-a-Computer-for-Remote-Access,[] -Koofr,,Koofr is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Duplicati,,Duplicati is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"c:\Program Files\*\Duplicati.Server.exe, *\*\Duplicati.Server.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/duplicati_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Duplicati RMM tool""}]",,[] -ManageEngine RMM Central,,ManageEngine RMM Central is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""manageengine.com/remote-monitoring-management/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manageengine_rmm_central_network_sigma.yml"", ""Description"": ""Detects potential network activity of ManageEngine RMM Central RMM tool""}]",,[] -WinSCP,,WinSCP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\IEUser\Downloads\WinSCP-5.21.6-Portable\*, *\WinSCP*Portable\*, *\WinSCP.exe, *\WinSCP\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/winscp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of WinSCP RMM tool""}]",,[] +rdpwrap,,rdpwrap is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"RDPWInst.exe, RDPCheck.exe, RDPConf.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""github.com/stascorp/rdpwrap""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpwrap_network_sigma.yml"", ""Description"": ""Detects potential network activity of rdpwrap RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpwrap_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of rdpwrap RMM tool""}]",github.com/stascorp/rdpwrap,[] +Total Software Deployment,,Total Software Deployment is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\ProgramData\Total Software Deployment\*, *\Total Software Deployment\*, *\tniwinagent.exe, *\Tsdservice.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/total_software_deployment_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Total Software Deployment RMM tool""}]",,[] +PuTTY,,PuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +FixMe.it,,FixMe.it is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"FixMeit Unattended Access Setup.exe, TiExpertStandalone.exe, FixMeitClient*.exe, FixMeit Client.exe, FixMeit Expert Setup.exe, TiExpertCore.exe, fixmeitclient.exe, TiClientCore.exe, TiClientHelper*.exe, no installation required | recommend blocking fixme[.]it SaaS portal, no installation required | recommend blocking fixme[.]it SaaS portal, 9380CC75B872221A7425D7503565B67580407F60","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.fixme.it"", ""*.techinline.net"", ""fixme.it"", ""*set.me"", ""*setme.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme.it_network_sigma.yml"", ""Description"": ""Detects potential network activity of FixMe.it RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme.it_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of FixMe.it RMM tool""}]",https://docs.fixme.it/general-questions/which-ports-and-servers-does-fixme-it-use,[] +RDPView,,RDPView is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,dwrcs.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""systemmanager.ru/dntu.en/rdp_view.htm""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpview_network_sigma.yml"", ""Description"": ""Detects potential network activity of RDPView RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpview_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RDPView RMM tool""}]",systemmanager.ru/dntu.en/rdp_view.htm - Same as Damware,[] +Fortra,,Fortra is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""fortra.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fortra_network_sigma.yml"", ""Description"": ""Detects potential network activity of Fortra RMM tool""}]",https://www.fortra.com - No free/cloud RMM softwars listed,[] +ISL Light,,ISL Light is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"islalwaysonmonitor.exe, isllight.exe, isllightservice.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""islonline.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_light_network_sigma.yml"", ""Description"": ""Detects potential network activity of ISL Light RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_light_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ISL Light RMM tool""}]",,[] +Pocket Controller (Soti Xsight),,Pocket Controller (Soti Xsight) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"pocketcontroller.exe, wysebrowser.exe, XSightService.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*soti.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller__soti_xsight__network_sigma.yml"", ""Description"": ""Detects potential network activity of Pocket Controller (Soti Xsight) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller__soti_xsight__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pocket Controller (Soti Xsight) RMM tool""}]",https://pulse.soti.net/support/soti-xsight/help/,[] GatherPlace-desktop sharing,,GatherPlace-desktop sharing is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"gp3.exe, gp4.exe, gp5.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.gatherplace.com"", ""*.gatherplace.net"", ""gatherplace.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gatherplace-desktop_sharing_network_sigma.yml"", ""Description"": ""Detects potential network activity of GatherPlace-desktop sharing RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gatherplace-desktop_sharing_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of GatherPlace-desktop sharing RMM tool""}]",https://www.gatherplace.com/kb?id=136377,[] -Laplink Gold,,Laplink Gold is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"tsircusr.exe, laplink.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""wen.laplink.com/product/laplink-gold""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_gold_network_sigma.yml"", ""Description"": ""Detects potential network activity of Laplink Gold RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_gold_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Laplink Gold RMM tool""}]",wen.laplink.com/product/laplink-gold,[] -Centurion,,Centurion is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,ctiserv.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""centuriontech.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centurion_network_sigma.yml"", ""Description"": ""Detects potential network activity of Centurion RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centurion_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Centurion RMM tool""}]",https://data443.atlassian.net/servicedesk/customer/portal/20,[] -Ivanti Remote Control,,Ivanti Remote Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"IvantiRemoteControl.exe, ArcUI.exe, AgentlessRC.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.ivanticloud.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ivanti_remote_control_network_sigma.yml"", ""Description"": ""Detects potential network activity of Ivanti Remote Control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ivanti_remote_control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Ivanti Remote Control RMM tool""}]",https://rc1.ivanticloud.com/,[] -NordLocker,,NordLocker is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Cloud Turtle,,Cloud Turtle is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Genie9\*, *\Genie9\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -CloudExplorer,,CloudExplorer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -CloudHQ,,CloudHQ is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Xeox,,Xeox is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"xeox-agent_x64.exe, xeox_service_windows.exe, xeox-agent_*.exe, xeox-agent_x86.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.xeox.com"", ""xeox.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xeox_network_sigma.yml"", ""Description"": ""Detects potential network activity of Xeox RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xeox_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Xeox RMM tool""}]",https://help.xeox.com/knowledge-base/gSuyNfDH6u79M82utnswf2/firewall-settings-xeox-agent-and-integrations/47T7S9tZJ2L1Z2W5gwuXoW,[] -ezHelp,,ezHelp is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"ezhelpclientmanager.exe, ezHelpManager.exe, ezhelpclient.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.ezhelp.co.kr"", ""ezhelp.co.kr""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ezhelp_network_sigma.yml"", ""Description"": ""Detects potential network activity of ezHelp RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ezhelp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ezHelp RMM tool""}]",https://www.exhelp.co.kr,[] -Level.io,,Level.io is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"level-windows-amd64.exe, level.exe, level-remote-control-ffmpeg.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""level.io"", ""*.level.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_network_sigma.yml"", ""Description"": ""Detects potential network activity of Level.io RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Level.io RMM tool""}]",https://docs.level.io/1.0/admin-guides/troubleshooting-agent-issues,[] -MultCloud,,MultCloud is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"requires sign up, requires sign up","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -CloudGopher,,CloudGopher is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Synergy,,Synergy is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/synergy_network_sigma.yml"", ""Description"": ""Detects potential network activity of Synergy RMM tool""}]",https://symless.com/synergy,[] -ConnectWise Control,,ConnectWise Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"screenconnect.clientservice.exe, connectwisecontrol.client.exe, screenconnect.windowsclient.exe, connectwisechat-customer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""live.screenconnect.com"", ""control.connectwise.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_network_sigma.yml"", ""Description"": ""Detects potential network activity of ConnectWise Control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ConnectWise Control RMM tool""}]",,[] -OptiTune,,OptiTune is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"OTService.exe, OTPowerShell.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.optitune.us"", ""*.opti-tune.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/optitune_network_sigma.yml"", ""Description"": ""Detects potential network activity of OptiTune RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/optitune_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of OptiTune RMM tool""}]",https://www.bravurasoftware.com/optitune/support/faq.aspx,[] -Netop,,Netop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\Danware Data\NetOp Packn Deploy\*, *\Danware Data\NetOp Packn Deploy\*, *\Netop Remote Control\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -ConnectWise,,ConnectWise is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\ScreenConnect Client ()\*, *\ScreenConnect*Client*\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Encapto,,Encapto is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""encapto.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/encapto_network_sigma.yml"", ""Description"": ""Detects potential network activity of Encapto RMM tool""}]",https://www.encapto.com - used to manage Cisco services,[] +Electric,,Electric is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""electric.ai""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/electric_network_sigma.yml"", ""Description"": ""Detects potential network activity of Electric RMM tool""}]",,[] +Site24x7,,Site24x7 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/13/2024,,,,,,,,,,,,"MEAgentHelper.exe, MonitoringAgent.exe, Site24x7WindowsAgentTrayIcon.exe, Site24x7PluginAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""plus*.site24x7.com"", ""plus*.site24x7.eu"", ""plus*.site24x7.in"", ""plus*.site24x7.cn"", ""plus*.site24x7.net.au"", ""site24x7.com/msp""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/site24x7_network_sigma.yml"", ""Description"": ""Detects potential network activity of Site24x7 RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/site24x7_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Site24x7 RMM tool""}]",https://support.site24x7.com/portal/en/kb/articles/which-ports-do-i-need-to-allow-access-in-my-firewall-to-use-site24x7-agent,[] +MeshCentral,,MeshCentral is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"meshcentral*.exe, mesh*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""meshcentral.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_network_sigma.yml"", ""Description"": ""Detects potential network activity of MeshCentral RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MeshCentral RMM tool""}]",https://ylianst.github.io/MeshCentral/meshcentral/,[] +MSP360,,MSP360 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"Online Backup.exe, CBBackupPlan.exe, Cloud.Backup.Scheduler.exe, Cloud.Backup.RM.Service.exe, cbb.exe, CloudRaService.exe, CloudRaSd.exe, CloudRaCmd.exe, CloudRaUtilities.exe, Remote Desktop.exe, Connect.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.cloudberrylab.com"", ""*.msp360.com"", ""*.mspbackups.com"", ""msp360.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/msp360_network_sigma.yml"", ""Description"": ""Detects potential network activity of MSP360 RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/msp360_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MSP360 RMM tool""}]",https://kb.msp360.com/managed-backup-service/mbs-tcp-ports-configuration#,[] +ScreenConnect,,ScreenConnect is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,"Ali Alwashali, Nasreddine Bencherchali",2023-10-01,2024-08-03,https://www.connectwise.com,,,,,,14-Days Free Trial,,"Android, IOS, Linux, Mac, Windows","Command Line Support, File Transfer, Install Windows updates, Receive notification when user performs a predefined event, Remote Command Line, Remote Control, Sound Capture, Start / Stop services, View event logs",,"C:\Program Files (x86)\ScreenConnect Client (Random)\ScreenConnect.ClientService.exe, Remote Workforce Client.exe, *\*\ScreenConnect.ClientService.exe, C:\Program Files (x86)\ScreenConnect Client ()\*, *\ScreenConnect Client*\*, *\*\ScreenConnect.WindowsClient.exe, screenconnect*.exe, screenconnect.windowsclient.exe, Remote Workforce Client.exe, screenconnect*.exe, ConnectWiseControl*.exe, connectwise*.exe, screenconnect.windowsclient.exe, screenconnect.clientservice.exe","{""Disk"": [{""File"": ""C:\\Program Files*\\ScreenConnect\\App_Data\\Session.db"", ""Description"": ""ScreenConnect session database"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files*\\ScreenConnect\\App_Data\\User.xml"", ""Description"": ""ScreenConnect user configuration"", ""OS"": ""Windows""}, {""File"": ""C:\\ProgramData\\ScreenConnect Client*\\user.config"", ""Description"": ""ScreenConnect client user configuration"", ""OS"": ""Windows""}], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""control.connectwise.com"", ""*.connectwise.com"", ""*.screenconnect.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_network_sigma.yml"", ""Description"": ""Detects potential network activity of ScreenConnect RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_files_sigma.yml"", ""Description"": ""Detects potential files activity of ScreenConnect RMM tool""}, {""Sigma"": 
""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ScreenConnect RMM tool""}]",https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours/,[] +Microsoft TSC,,Microsoft TSC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,termsrv.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_tsc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Microsoft TSC RMM tool""}]",https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/terminal-server-startup-connection-application,[] +Tanium,,Tanium is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"TaniumClient.exe, TaniumCX.exe, TaniumExecWrapper.exe, TaniumFileInfo.exe, TPowerShell.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""cloud.tanium.com"", ""*.cloud.tanium.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_network_sigma.yml"", ""Description"": ""Detects potential network activity of Tanium RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Tanium RMM tool""}]",https://help.tanium.com/bundle/ug_client_cloud/page/client/platform_connections.html,[] +Ultra VNC,,Ultra VNC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\uvnc bvba\UltraVNC\*, *\uvnc bvba\UltraVNC\*, *\UVNC_Launch.exe, *\winvnc.exe, *\vncviewer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultra_vnc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Ultra VNC RMM tool""}]",,[] +Remote Manipulator System,,Remote Manipulator System is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rfusclient.exe, rutserv.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.internetid.ru"", ""rmansys.ru""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_manipulator_system_network_sigma.yml"", ""Description"": ""Detects potential network activity of Remote Manipulator System RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_manipulator_system_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remote Manipulator System RMM tool""}]",https://rmansys.ru/files/,[] +Domotz,,Domotz is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"domotz.exe, Domotz Pro Desktop App.exe, domotz_bash.exe, domotz*.exe, Domotz Pro Desktop App Setup*.exe, domotz-windows*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.domotz.co"", ""domotz.com"", ""*cell-1.domotz.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/domotz_network_sigma.yml"", ""Description"": ""Detects potential network activity of Domotz RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/domotz_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Domotz RMM tool""}]",https://help.domotz.com/tips-tricks/unblock-outgoing-connections-on-firewall/,[] +FixMe,,FixMe is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"FixMeit Client.exe, TiExpertStandalone.exe, FixMeitClient*.exe, TiExpertCore.exe, FixMeit Unattended Access Setup.exe, FixMeit Expert Setup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""fixme.it""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme_network_sigma.yml"", ""Description"": ""Detects potential network activity of FixMe RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of FixMe RMM tool""}]",,[] +rclone,,rclone is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"portable tool. No install path, portable tool. 
No install path, rclone*.zip, *\rclone.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rclone_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of rclone RMM tool""}]",,[] +Tanium Deploy,,Tanium Deploy is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""tanium.com/products/tanium-deploy""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_deploy_network_sigma.yml"", ""Description"": ""Detects potential network activity of Tanium Deploy RMM tool""}]",,[] +N-ABLE Remote Access Software,,N-ABLE Remote Access Software is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""n-able.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_remote_access_software_network_sigma.yml"", ""Description"": ""Detects potential network activity of N-ABLE Remote Access Software RMM tool""}]",,[] +Quick Assist,,Quick Assist is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,quickassist.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.support.services.microsoft.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quick_assist_network_sigma.yml"", ""Description"": ""Detects potential network activity of Quick Assist RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quick_assist_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Quick Assist RMM tool""}]",,[] +AnyViewer,,"AnyViewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. +",@kostastsale,2024-08-03,2024-08-03,https://www.anyviewer.com/,AnyViewer.exe,AnyViewer,Splash Window,,System,up to 10 devices,None,Windows,"Remote desktop, Remote file transfer, Remote monitoring and management, Remote shell open",,C:\Program Files (x86)\AnyViewer\*,"{""Disk"": [], ""EventLog"": [{""EventID"": 4688, ""ProviderName"": ""Microsoft-Security-Auditing"", ""LogFile"": ""Security.evtx"", ""CommandLine"": ""\""C:\\\\Program Files (x86)\\\\AnyViewer\\\\AVCore.exe\"" -d"", ""Description"": ""Taking actions on the remote machine such as opening a command prompt.""}, {""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""RCService"", ""ImagePath"": ""C:\\\\Program Files (x86)\\\\AnyViewer\\\\RCService.exe"", ""Description"": ""AnyViewer service installation service.""}], ""Registry"": [], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""*.anyviewer.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.aomeisoftware.com""], ""Ports"": [443]}]}","[{""Name"": ""Arbitrary code execution and remote sessions via Action1 RMM"", ""Description"": ""Threat hunting rule for detecting the 
execution of arbitrary code and remote sessions via Action1 RMM"", ""author"": ""@kostastsale"", ""Link"": ""https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/Anyviewer.yml""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyviewer_network_sigma.yml"", ""Description"": ""Detects potential network activity of AnyViewer RMM tool""}]","https://www.anyviewer.com/how-to/how-to-open-firewall-ports-for-remote-desktop-0427-gc.html, https://www.anyviewer.com/help/remote-technical-support.html","[{""Person"": ""Kostas"", ""Handle"": ""@kostastsale""}]" +Naverisk,,Naverisk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,AgentSetup-*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""naverisk.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/naverisk_network_sigma.yml"", ""Description"": ""Detects potential network activity of Naverisk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/naverisk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Naverisk RMM tool""}]",http://kb.naverisk.com/en/articles/2811223-deploying-naverisk-agents,[] +Addigy,,Addigy is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/27/2024,,,,,,,,,,,,addigy-*.pkg,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""prod.addigy.com"", ""grtmprod.addigy.com"", ""agents.addigy.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/addigy_network_sigma.yml"", ""Description"": ""Detects potential network activity of Addigy RMM tool""}]",https://addigy.com/,[] Action1,,"Action1 is a powerful Remote Monitoring and Management(RMM) tool that enables users to execute commands, scripts, and binaries. Through the web interface of action1, the administrator must create a new policy or an app to establish remote execution and then points that the agent is installed. ",@kostastsale,2024-08-03,2024-08-03,https://www.action1.com/,action1_connector.exe,,,,SYSTEM,Yes,Corporate email required although temporary email services are accepted,Windows,"Backup and disaster recovery, Billing and invoicing, Customer portal, HelpDesk and ticketing, Mobile app, Network discovery, Patch management, Remote monitoring and management, Reporting and analytics",,C:\Windows\Action1\*,"{""Disk"": [{""File"": ""C:\\Windows\\Action1\\action1_agent.exe"", ""Description"": ""Action1 service binary"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\Action1\\*"", ""Description"": ""Multiple files and binaries related to Action1 installation"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\Action1\\scripts\\*"", ""Description"": ""Multiple scripts related to Action1 installation"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\Action1\\rule_data\\*"", ""Description"": ""Files related to Action1 rules"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\Action1\\action1_log_*.log"", ""Description"": ""Contains history, errors, system notifications. 
Incoming and outgoing connections."", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""Action1 Agent"", ""ImagePath"": ""\""C:\\\\Windows\\\\Action1\\\\action1_agent.exe\"""", ""Description"": ""Service installation event as result of Action1 installation.""}, {""EventID"": 4688, ""ProviderName"": ""Microsoft-Security-Auditing"", ""LogFile"": ""Security.evtx"", ""CommandLine"": ""C:\\Windows\\Action1\\action1_agent.exe service"", ""Description"": ""Service installation event as result of Action1 installation.""}, {""EventID"": 4688, ""ProviderName"": ""Microsoft-Security-Auditing"", ""LogFile"": ""Security.evtx"", ""CommandLine"": ""C:\\Windows\\Action1\\action1_agent.exe loggedonuser"", ""Description"": ""Executing command to get logged on user.""}], ""Registry"": [{""Path"": ""HKLM\\System\\CurrentControlSet\\Services\\A1Agent"", ""Description"": ""Service installation event as result of Action1 installation.""}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\action1_agent.exe"", ""Description"": ""Ensures that detailed crash information is available for analysis, which aids in maintaining the stability and reliability of the software.""}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Action1"", ""Description"": ""Storing its configuration settings and other relevant information""}], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""*.action1.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""a1-backend-packages.s3.amazonaws.com""], ""Ports"": [443]}]}","[{""Name"": ""Arbitrary code execution and remote sessions via Action1 RMM"", ""Description"": ""Threat hunting rule for detecting the execution of arbitrary code and remote sessions via Action1 RMM"", ""author"": ""@kostastsale"", ""Link"": 
""https://github.com/tsale/Sigma_rules/blob/ea87e4fc851207ca0f002ec043624f2b3bf1b2da/Threat%20Hunting%20Queries/Action1_RMM.yml""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of Action1 RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_network_sigma.yml"", ""Description"": ""Detects potential network activity of Action1 RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_files_sigma.yml"", ""Description"": ""Detects potential files activity of Action1 RMM tool""}]","https://www.action1.com/documentation/firewall-configuration/, https://www.action1.com/documentation/, https://twitter.com/Kostastsale/status/1646256901506605063?s=20, https://ruler-project.github.io/ruler-project/RULER/remote/Action1/","[{""Person"": ""Kostas"", ""Handle"": ""@kostastsale""}]" -FleetDeck.io,,FleetDeck.io is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"fleetdeck_agent_svc.exe, fleetdeck_commander_svc.exe, fleetdeck_installer.exe, fleetdeck_commander_launcher.exe, fleetdeck_agent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""fleetdeck.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdeck.io_network_sigma.yml"", ""Description"": ""Detects potential network activity of FleetDeck.io RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdeck.io_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of FleetDeck.io RMM tool""}]",,[] -SuperPuTTY,,SuperPuTTY is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Downloads\SuperPuTTY\*, *Downloads\SuperPuTTY\*, *\superputty.exe, *\SuperPuTTY\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superputty_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SuperPuTTY RMM tool""}]",,[] -Royal Apps,,Royal Apps is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"royalserver.exe, royalts.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_apps_network_sigma.yml"", ""Description"": ""Detects potential network activity of Royal Apps RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_apps_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Royal Apps RMM tool""}]",https://www.royalapps.com/ts/win/download,[] -Tanium Deploy,,Tanium Deploy is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""tanium.com/products/tanium-deploy""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_deploy_network_sigma.yml"", ""Description"": ""Detects potential network activity of Tanium Deploy RMM tool""}]",,[] -Zabbix Agent,,Zabbix Agent is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,zabbix_agent*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""zabbix.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zabbix_agent_network_sigma.yml"", ""Description"": ""Detects potential network activity of Zabbix Agent RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zabbix_agent_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Zabbix Agent RMM tool""}]",https://www.zabbix.com/documentation/current/en/manual/appendix/install/windows_agent,[] -Weezo,,Weezo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"weezohttpd.exe, weezo.exe, weezo setup*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.weezo.me"", ""weezo.net"", ""*.weezo.net"", ""weezo.en.softonic.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/weezo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Weezo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/weezo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Weezo RMM tool""}]",weezo.en.softonic.com,[] -BeInSync,,BeInSync is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,Beinsync*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.beinsync.net"", ""*.beinsync.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beinsync_network_sigma.yml"", ""Description"": ""Detects potential network activity of BeInSync RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beinsync_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of BeInSync RMM tool""}]",https://en.wikipedia.org/wiki/Phoenix_Technologies,[] -ScreenMeet,,ScreenMeet is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"ScreenMeetSupport.exe, ScreenMeet.Support.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.screenmeet.com"", ""*.scrn.mt""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenmeet_network_sigma.yml"", ""Description"": ""Detects potential network activity of ScreenMeet RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenmeet_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ScreenMeet RMM tool""}]",https://docs.screenmeet.com/docs/firewall-white-list,[] -MyIVO,,MyIVO is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"myivomgr.exe, myivomanager.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""myivo-server.software.informer.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/myivo_network_sigma.yml"", ""Description"": ""Detects potential network activity of MyIVO RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/myivo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MyIVO RMM tool""}]",myivo.com - DOA as of 2024,[] -LabTech RMM (Now ConnectWise Automate),,LabTech RMM (Now ConnectWise Automate) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"ltsvc.exe, ltsvcmon.exe, lttray.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""connectwise.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labtech_rmm__now_connectwise_automate__network_sigma.yml"", ""Description"": ""Detects potential network activity of LabTech RMM (Now ConnectWise Automate) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labtech_rmm__now_connectwise_automate__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of LabTech RMM (Now ConnectWise Automate) RMM tool""}]",,[] -Kabuto,,Kabuto is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,Kabuto.App.Runner.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.kabuto.io"", ""repairtechsolutions.com/kabuto/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kabuto_network_sigma.yml"", ""Description"": ""Detects potential network activity of Kabuto RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kabuto_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Kabuto RMM tool""}]",https://www.repairtechsolutions.com/documentation/kabuto/,[] -FreeRDP,,FreeRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -ZOC,,ZOC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\ZOC8\*, *\ZOC?\*, *\zoc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ZOC RMM tool""}]",,[] AliWangWang-remote-control,,AliWangWang-remote-control is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,alitask.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""wangwang.taobao.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aliwangwang-remote-control_network_sigma.yml"", ""Description"": ""Detects potential network activity of AliWangWang-remote-control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aliwangwang-remote-control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of AliWangWang-remote-control RMM tool""}]",https://github.com/KKomarov/AliWangWangEng/blob/master/chs.locale,[] -Goverlan,,Goverlan is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"goverrmc.exe, govsrv*.exe, GovAgentInstallHelper.exe, GovAgentx64.exe, GovReachClient.exe, C:\Program Files (x86)\PJ Technologies\GOVsrv\*, *\PJ Technologies\GOVsrv\*, *\GovSrv.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""goverlan.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/goverlan_network_sigma.yml"", ""Description"": ""Detects potential network activity of Goverlan RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/goverlan_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Goverlan RMM tool""}]",https://www.goverlan.com/pdf/Goverlan-Remote-Control-Software.pdf,[] -Microsoft Quick Assist,,Microsoft Quick Assist is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,quickassist.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_quick_assist_network_sigma.yml"", ""Description"": ""Detects potential network activity of Microsoft Quick Assist RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_quick_assist_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Microsoft Quick Assist RMM tool""}]",https://support.microsoft.com/en-us/windows/install-quick-assist-c17479b7-a49d-4d12-938c-dbfb97c88bca,[] -N-Able Advanced Monitoring Agent,,N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"BASupSrvc.exe, winagent.exe, BASupApp.exe, BASupTSHelper.exe, Agent_*_RW.exe, BASEClient.exe, BASupSrvcCnfg.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.beanywhere.com "", ""systemmonitor.co.uk"", ""*system-monitor.com"", ""cloudbackup.management"", ""*systemmonitor.co.uk"", ""n-able.com"", ""systemmonitor.us"", ""*systemmonitor.eu.com"", ""*.logicnow.com"", ""*.swi-tc.com"", ""*remote.management"", ""systemmonitor.us.cdn.cloudflare.net"", ""*cloudbackup.management"", ""remote.management"", ""logicnow.com"", ""system-monitor.com"", ""*systemmonitor.us"", ""systemmonitor.eu.com"", ""*.n-able.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_network_sigma.yml"", ""Description"": ""Detects potential network activity of N-Able Advanced Monitoring Agent RMM tool""}, {""Sigma"": 
""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of N-Able Advanced Monitoring Agent RMM tool""}]",https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm,[] -Ocamlfuse,,Ocamlfuse is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -MyGreenPC,,MyGreenPC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,mygreenpc.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*mygreenpc.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mygreenpc_network_sigma.yml"", ""Description"": ""Detects potential network activity of MyGreenPC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mygreenpc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MyGreenPC RMM tool""}]",http://www.mygreenpc.com/,[] -Syncthing,,Syncthing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\*\AppData\Roaming\SyncTrayzor\*, *Users\*\AppData\Roaming\SyncTrayzor\*, *\Syncthing.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncthing_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Syncthing RMM tool""}]",,[] -Chrome Remote Desktop,,Chrome Remote Desktop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"remote_host.exe, remoting_host.exe, C:\Program Files (x86)\Google\Chrome Remote Desktop\*, *\Google\Chrome Remote Desktop\*, *\remoting_host.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*remotedesktop.google.com"", ""*remotedesktop-pa.googleapis.com"", ""remotedesktop.google.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of Chrome Remote Desktop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Chrome Remote Desktop RMM tool""}]",https://support.google.com/chrome/a/answer/2799701?hl=en,[] -Microsoft RDP,,Microsoft RDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"termsrv.exe, mstsc.exe, Microsoft Remote Desktop","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_rdp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Microsoft RDP RMM tool""}]",https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/windows,[] +FreeRDP,,FreeRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +MioNet (Also known as WD Anywhere Access),,MioNet (Also known as WD Anywhere Access) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"mionet.exe, mionetmanager.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mionet__also_known_as_wd_anywhere_access__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MioNet (Also known as WD Anywhere Access) RMM tool""}]",,[] +SmartCode Web VNC,,SmartCode Web VNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\TightVNC\*, *\TightVNC\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Onionshare,,Onionshare is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\OnionShare\*, *\OnionShare\*, *\onionshare*.exe, OnionShare-win*.msi","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/onionshare_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Onionshare RMM tool""}]",,[] +Air Live Drive,,Air Live Drive is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\AirLiveDrive\*, *\AirLiveDrive\*, *\AirLiveDrive.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/air_live_drive_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Air Live Drive RMM tool""}]",,[] +Rocket Remote Desktop,,Rocket Remote Desktop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"RDConsole.exe, RocketRemoteDesktop_Setup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rocket_remote_desktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Rocket Remote Desktop RMM tool""}]",,[] +WebRDP,,WebRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,webrdp.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""github.com/Mikej81/WebRDP""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/webrdp_network_sigma.yml"", ""Description"": ""Detects potential network activity of WebRDP RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/webrdp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of WebRDP RMM tool""}]",github.com/Mikej81/WebRDP,[] +BeyondTrust,,BeyondTrust is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +SuperOps,,SuperOps is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"superopsticket.exe, superops.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.superopsbeta.com"", ""superops.ai"", ""serv.superopsalpha.com"", ""*.superops.ai"", ""*.superopsalpha.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superops_network_sigma.yml"", ""Description"": ""Detects potential network activity of SuperOps RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superops_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SuperOps RMM tool""}]",https://support.superops.com/en/articles/6632028-how-to-download-and-deploy-the-agent,[] +RemotePass,,RemotePass is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"remotepass-access.exe, rpaccess.exe, rpwhostscr.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""remotepass.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepass_network_sigma.yml"", ""Description"": ""Detects potential network activity of RemotePass RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepass_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RemotePass RMM tool""}]",https://www.remotepass.com/rpaccess.html - DOA as of 2024,[] +Itarian,,Itarian is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"ITSMAgent.exe, RViewer.exe, ItsmRsp.exe, RAccess.exe, RmmService.exe, ITarianRemoteAccessSetup.exe, RDesktop.exe, ComodoRemoteControl.exe, ITSMService.exe, RHost.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""mdmsupport.comodo.com"", ""*.itsm-us1.comodo.com"", ""*.cmdm.comodo.com"", ""remoteaccess.itarian.com"", ""servicedesk.itarian.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itarian_network_sigma.yml"", ""Description"": ""Detects potential network activity of Itarian RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itarian_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Itarian RMM tool""}]","https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html",[] +PSEXEC,,PSEXEC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"psexec.exe, psexecsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec_network_sigma.yml"", ""Description"": ""Detects potential network activity of PSEXEC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of PSEXEC RMM tool""}]",https://learn.microsoft.com/en-us/sysinternals/downloads/psexec,[] +Level.io,,Level.io is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"level-windows-amd64.exe, level.exe, level-remote-control-ffmpeg.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""level.io"", ""*.level.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_network_sigma.yml"", ""Description"": ""Detects potential network activity of Level.io RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Level.io RMM tool""}]",https://docs.level.io/1.0/admin-guides/troubleshooting-agent-issues,[] +ezHelp,,ezHelp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"ezhelpclientmanager.exe, ezHelpManager.exe, ezhelpclient.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.ezhelp.co.kr"", ""ezhelp.co.kr""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ezhelp_network_sigma.yml"", ""Description"": ""Detects potential network activity of ezHelp RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ezhelp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ezHelp RMM tool""}]",https://www.exhelp.co.kr,[] +Kabuto,,Kabuto is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,Kabuto.App.Runner.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.kabuto.io"", ""repairtechsolutions.com/kabuto/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kabuto_network_sigma.yml"", ""Description"": ""Detects potential network activity of Kabuto RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kabuto_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Kabuto RMM tool""}]",https://www.repairtechsolutions.com/documentation/kabuto/,[] +Synergy,,Synergy is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/synergy_network_sigma.yml"", ""Description"": ""Detects potential network activity of Synergy RMM tool""}]",https://symless.com/synergy,[] +ConnectWise,,ConnectWise is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\ScreenConnect Client ()\*, *\ScreenConnect*Client*\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +TigerVNC,,TigerVNC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"tigervnc*.exe, winvnc4.exe, C:\Program Files\TightVNC\*, *\TightVNC\*, *\tvnserver.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tigervnc_network_sigma.yml"", ""Description"": ""Detects potential network activity of TigerVNC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tigervnc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of TigerVNC RMM tool""}]",https://github.com/TigerVNC/tigervnc/releases,[] +GoToMyPC,,"GoToMyPC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. +",Nasreddine Bencherchali,2024-08-05,2024-08-05,,AppCore.exe,,,,,,,,,,C:\Program Files (x86)\GoToMyPC\*,"{""Disk"": [{""File"": ""%AppData%\\GoTo\\Logs\\goto.log"", ""Description"": ""N/A"", ""OS"": ""Windows""}], ""EventLog"": [], ""Registry"": [{""Path"": ""HKEY_LOCAL_MACHINE\\WOW6432Node\\Citrix\\GoToMyPc"", ""Description"": ""Configuration settings including registration email""}, {""Path"": ""HKEY_LOCAL_MACHINE\\WOW6432Node\\Citrix\\GoToMyPc\\GuestInvite"", ""Description"": ""Guest invites send to connect""}, {""Path"": ""HKEY_CURRENT_USER\\SOFTWARE\\Citrix\\GoToMyPc\\FileTransfer\\history"", ""Description"": ""hostname of the computer making connections and location of transferred files""}, {""Path"": ""HKEY_USERS\\\\SOFTWARE\\Citrix\\GoToMyPc\\FileTransfer\\history"", ""Description"": ""hostname of the computer making connections and location of transferred files""}], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""*.GoToMyPC.com""], ""Ports"": [""N/A""]}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_registry_sigma.yml"", 
""Description"": ""Detects potential registry activity of GoToMyPC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_network_sigma.yml"", ""Description"": ""Detects potential network activity of GoToMyPC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_files_sigma.yml"", ""Description"": ""Detects potential files activity of GoToMyPC RMM tool""}]","https://support.logmeininc.com/gotomypc/help/what-are-the-optimal-firewall-configurations#, https://support.goto.com/training/help/how-do-i-configure-gototraining-to-work-with-firewalls, https://ruler-project.github.io/ruler-project/RULER/remote/Citrix%20GoToMyPC/","[{""Person"": ""Phill Moore"", ""Handle"": ""@phillmoore""}]" +Laplink Everywhere,,Laplink Everywhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"laplink.exe, laplink-everywhere-setup*.exe, laplinkeverywhere.exe, llrcservice.exe, serverproxyservice.exe, OOSysAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""everywhere.laplink.com"", ""le.laplink.com"", ""atled.syspectr.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_everywhere_network_sigma.yml"", ""Description"": ""Detects potential network activity of Laplink Everywhere RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_everywhere_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Laplink Everywhere RMM tool""}]",https://everywhere.laplink.com/docs,[] +Syspectr,,Syspectr is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"oo-syspectr*.exe, OOSysAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""atled.syspectr.com"", ""app.syspectr.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syspectr_network_sigma.yml"", ""Description"": ""Detects potential network activity of Syspectr RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syspectr_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Syspectr RMM tool""}]",https://www.syspectr.com/en/installation-in-a-network,[] +Remote Utilities,,Remote Utilities is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rutview.exe, rutserv.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.internetid.ru""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_utilities_network_sigma.yml"", ""Description"": ""Detects potential network activity of Remote Utilities RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_utilities_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remote Utilities RMM tool""}]",https://www.remoteutilities.com/download/,[] +Remcos,,Remcos is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,remcos*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remcos_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remcos RMM tool""}]",,[] +ISL Online,,ISL Online is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"islalwaysonmonitor.exe, isllight.exe, isllightservice.exe, ISLLightClient.exe, C:\Program Files (x86)\ISL Online\ISL Light*, *\ISL Online\ISL Light*, *\ISLLight.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.islonline.com"", ""*.islonline.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_network_sigma.yml"", ""Description"": ""Detects potential network activity of ISL Online RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ISL Online RMM tool""}]",https://help.islonline.com/19818/165940,[] +DragonDisk,,DragonDisk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Almageste\DragonDisk\*, *\Almageste\DragonDisk\*, *\DragonDisk.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dragondisk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DragonDisk RMM tool""}]",,[] +FleetDeck.io,,FleetDeck.io is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"fleetdeck_agent_svc.exe, fleetdeck_commander_svc.exe, fleetdeck_installer.exe, fleetdeck_commander_launcher.exe, fleetdeck_agent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""fleetdeck.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdeck.io_network_sigma.yml"", ""Description"": ""Detects potential network activity of FleetDeck.io RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdeck.io_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of FleetDeck.io RMM tool""}]",,[] Chrome Remote Desktop,,Chrome Remote Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"remote_host.exe, remoting_host.exe, C:\Program Files (x86)\Google\Chrome Remote Desktop\*, *\Google\Chrome Remote Desktop\*, *\remoting_host.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*remotedesktop-pa.googleapis.com"", ""*remotedesktop.google.com"", ""remotedesktop.google.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of Chrome Remote Desktop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Chrome Remote Desktop RMM tool""}]",https://support.google.com/chrome/a/answer/2799701?hl=en,[] -Remote Desktop Plus,,Remote Desktop Plus is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,rdp.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""donkz.nl""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_desktop_plus_network_sigma.yml"", ""Description"": ""Detects potential network activity of Remote Desktop Plus RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_desktop_plus_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remote Desktop Plus RMM tool""}]",https://www.donkz.nl/,[] -NateOn-desktop sharing,,NateOn-desktop sharing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"nateon*.exe, nateon.exe, nateonmain.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.nate.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nateon-desktop_sharing_network_sigma.yml"", ""Description"": ""Detects potential network activity of NateOn-desktop sharing RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nateon-desktop_sharing_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NateOn-desktop sharing RMM tool""}]",http://rsupport.nate.com/rview/r8/main/index.aspx,[] -Barracuda,,Barracuda is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.islonline.net"", ""rmm.barracudamsp.com"", ""barracudamsp.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/barracuda_network_sigma.yml"", ""Description"": ""Detects potential network activity of Barracuda RMM tool""}]",https://help.islonline.com/19799/166125,[] -Dropbox,,Dropbox is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Dropbox\Client\*, *\Dropbox\Client\*, *\Dropbox.exe, *Users\*\Dropbox\bin\","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dropbox_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Dropbox RMM tool""}]",,[] -CrossTec Remote Control,,CrossTec Remote Control is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"PCIVIDEO.EXE, supporttool.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""crosstecsoftware.com/remotecontrol""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crosstec_remote_control_network_sigma.yml"", ""Description"": ""Detects potential network activity of CrossTec Remote Control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crosstec_remote_control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of CrossTec Remote Control RMM tool""}]",www.crosstecsoftware.com/supporthome.html - domain DOA 2/1/2024,[] -DeskDay,,DeskDay is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,ultimate_*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""deskday.ai"", ""app.deskday.ai""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskday_network_sigma.yml"", ""Description"": ""Detects potential network activity of DeskDay RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskday_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DeskDay RMM tool""}]",https://support.deskday.ai/en/articles/8235973-installing-the-end-user-application-ultimate,[] -mRemoteNG,,mRemoteNG is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"mRemoteNG.exe, C:\Program Files (x86)\mRemoteNG\*, *\mRemoteNG\*, *\mRemoteNG.exe, c:\Program Files (x86)%\mRemoteNG, *%\mRemoteNG, mRemoteNG-Installer-*.msi, *\mRemoteNG.exe","{""Disk"": [{""File"": ""C:\\Users\\*\\AppData\\Roaming\\mRemoteNG\\mRemoteNG.log"", ""Description"": ""mRemoteNG log file"", ""OS"": ""Windows""}, {""File"": ""C:\\Users\\*\\AppData\\Roaming\\mRemoteNG\\confCons.xml"", ""Description"": ""mRemoteNG configuration file"", ""OS"": ""Windows""}, {""File"": ""C:\\Users\\*\\AppData\\*\\mRemoteNG\\**10\\user.config"", ""Description"": ""mRemoteNG user configuration file"", ""OS"": ""Windows""}], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""mremoteng.org""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_network_sigma.yml"", ""Description"": ""Detects potential network activity of mRemoteNG RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_files_sigma.yml"", ""Description"": ""Detects potential files activity of mRemoteNG RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of mRemoteNG RMM tool""}]",https://github.com/mRemoteNG/mRemoteNG,[] -FreeNX,,FreeNX is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\nxplayer.exe, *\nxplayer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/freenx_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of FreeNX RMM tool""}]",,[] +RealVNC,,RealVNC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +rsync,,rsync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Datto,,Datto is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""datto.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/datto_network_sigma.yml"", ""Description"": ""Detects potential network activity of Datto RMM tool""}]",,[] +CloudExplorer,,CloudExplorer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Supremo,,Supremo is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/13/2024,,,,,,,,,,,,"supremo.exe, supremoservice.exe, supremosystem.exe, supremohelper.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""supremocontrol.com"", ""*.supremocontrol.com"", ""* .nanosystems.it""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/supremo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Supremo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/supremo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Supremo RMM tool""}]",https://www.supremocontrol.com/frequently-asked-questions/,[] +GoToAssist Agent Desktop Console,,GoToAssist Agent Desktop Console is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\G2RDesktopConsole-x64.msi, *\G2RDesktopConsole-x64.msi","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +ConnectWise Control,,ConnectWise Control is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"screenconnect.clientservice.exe, connectwisecontrol.client.exe, screenconnect.windowsclient.exe, connectwisechat-customer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""live.screenconnect.com"", ""control.connectwise.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_network_sigma.yml"", ""Description"": ""Detects potential network activity of ConnectWise Control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ConnectWise Control RMM tool""}]",,[] +RemoteView,,RemoteView is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"remoteview.exe, rv.exe, rvagent.exe, rvagtray.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*content.rview.com"", ""*.rview.com"", ""content.rview.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteview_network_sigma.yml"", ""Description"": ""Detects potential network activity of RemoteView RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteview_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RemoteView RMM tool""}]",https://help.rview.com/hc/en-us/articles/360005175994--RemoteView-Server-list-for-firewall,[] +VNC Connect,,VNC Connect is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\RealVNC\VNC Server\*, *\RealVNC\VNC Server\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Syncthing,,Syncthing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\*\AppData\Roaming\SyncTrayzor\*, *Users\*\AppData\Roaming\SyncTrayzor\*, *\Syncthing.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncthing_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Syncthing RMM tool""}]",,[] +KHelpDesk,,KHelpDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,KHelpDesk.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.khelpdesk.com.br""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/khelpdesk_network_sigma.yml"", ""Description"": ""Detects potential network activity of KHelpDesk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/khelpdesk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of KHelpDesk RMM tool""}]",https://www.khelpdesk.com.br/en-us,[] +Netop Remote Control (Impero Connect),,Netop Remote Control (Impero Connect) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"nhostsvc.exe, nhstw32.exe, ngstw32.exe, Netop Ondemand.exe, nldrw32.exe, rmserverconsolemediator.exe, ImperoInit.exe, Connect.Backdrop.cloud*.exe, ImperoClientSVC.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.connect.backdrop.cloud"", ""*.netop.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__impero_connect__network_sigma.yml"", ""Description"": ""Detects potential network activity of Netop Remote Control (Impero Connect) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__impero_connect__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Netop Remote Control (Impero Connect) RMM tool""}]",https://kb.netop.com/article/firewall-and-proxy-server-considerations-when-using-netop-portal-communication-373.html,[] +Bitvise SSH Server,,Bitvise SSH Server is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\Bitvise SSH Server\*, *\Bitvise SSH Server\*, *\BvSshServer-Inst.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bitvise_ssh_server_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Bitvise SSH Server RMM tool""}]",,[] +Cloud Turtle,,Cloud Turtle is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Genie9\*, *\Genie9\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Apple Remote Desktop,,Apple Remote Desktop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/24/2024,,,,,,,,,,,,ARDAgent.app,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/apple_remote_desktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of Apple Remote Desktop RMM tool""}]",https://support.apple.com/guide/remote-desktop/install-and-set-up-remote-desktop-apdf49e03a4/mac,[] +Chrome SSH Extension,,Chrome SSH Extension is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\Extensions\iodihamcpbpeioajjeobimgagajmlibd*, *Users\*\AppData\Local\Google\Chrome\User Data\Default\Extensions\iodihamcpbpeioajjeobimgagajmlibd*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +CloudGopher,,CloudGopher is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] NetSupport Manager,,NetSupport Manager is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"pcictlui.exe, client32.exe, pcicfgui.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""geo.netsupportsoftware.com"", ""netsupportmanager.com"", ""*.netsupportmanager.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_network_sigma.yml"", ""Description"": ""Detects potential network activity of NetSupport Manager RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NetSupport Manager RMM tool""}]",https://www.netsupportmanager.com/resources/,[] -rdp2tcp,,rdp2tcp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"tdp2tcp.exe, rdp2tcp.py","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""github.com/V-E-O/rdp2tcp""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdp2tcp_network_sigma.yml"", ""Description"": ""Detects potential network activity of rdp2tcp RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdp2tcp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of rdp2tcp RMM tool""}]",github.com/V-E-O/rdp2tcp,[] -ITSupport247 (ConnectWise),,ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,saazapsc.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.itsupport247.net"", ""itsupport247.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__network_sigma.yml"", ""Description"": ""Detects potential network activity of ITSupport247 (ConnectWise) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ITSupport247 (ConnectWise) RMM tool""}]",https://control.itsupport247.net/,[] -Pulseway,,Pulseway is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"PCMonitorManager.exe, pcmonitorsrv.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""pulseway.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pulseway_network_sigma.yml"", ""Description"": ""Detects potential network activity of Pulseway RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pulseway_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pulseway RMM tool""}]",https://intercom.help/pulseway/en/,[] -Naverisk,,Naverisk is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,AgentSetup-*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""naverisk.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/naverisk_network_sigma.yml"", ""Description"": ""Detects potential network activity of Naverisk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/naverisk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Naverisk RMM tool""}]",http://kb.naverisk.com/en/articles/2811223-deploying-naverisk-agents,[] -Total Software Deployment,,Total Software Deployment is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\ProgramData\Total Software Deployment\*, *\Total Software Deployment\*, *\tniwinagent.exe, *\Tsdservice.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/total_software_deployment_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Total Software Deployment RMM tool""}]",,[] -ISL Online,,ISL Online is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"islalwaysonmonitor.exe, isllight.exe, isllightservice.exe, ISLLightClient.exe, C:\Program Files (x86)\ISL Online\ISL Light*, *\ISL Online\ISL Light*, *\ISLLight.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.islonline.com"", ""*.islonline.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_network_sigma.yml"", ""Description"": ""Detects potential network activity of ISL Online RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ISL Online RMM tool""}]",https://help.islonline.com/19818/165940,[] -NinjaOne (formerly NinjaRMM),,NinjaOne (formerly NinjaRMM) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,*ProgramData\NinjaRMMAgent\*,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Microsoft OneDrive,,Microsoft OneDrive is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -QQ IM-remote assistance,,QQ IM-remote assistance is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"qq.exe, QQProtect.exe, qqpcmgr.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.mdt.qq.com"", ""*.desktop.qq.com"", ""upload_data.qq.com"", ""qq-messenger.en.softonic.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/qq_im-remote_assistance_network_sigma.yml"", ""Description"": ""Detects potential network activity of QQ IM-remote assistance RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/qq_im-remote_assistance_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of QQ IM-remote assistance RMM tool""}]",https://en.wikipedia.org/wiki/Tencent_QQ,[] -Distant Desktop,,Distant Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"ddsystem.exe, dd.exe, distant-desktop.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.distantdesktop.com"", ""*signalserver.xyz""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of Distant Desktop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Distant Desktop RMM tool""}]",https://www.distantdesktop.com/manual/first-start.htm,[] -FixMe.it,,FixMe.it is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"FixMeit Unattended Access Setup.exe, TiExpertStandalone.exe, FixMeitClient*.exe, FixMeit Client.exe, FixMeit Expert Setup.exe, TiExpertCore.exe, fixmeitclient.exe, TiClientCore.exe, TiClientHelper*.exe, no installation required | recommend blocking fixme[.]it SaaS portal, no installation required | recommend blocking fixme[.]it SaaS portal, 9380CC75B872221A7425D7503565B67580407F60","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.fixme.it"", ""*.techinline.net"", ""fixme.it"", ""*set.me"", ""*setme.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme.it_network_sigma.yml"", ""Description"": ""Detects potential network activity of FixMe.it RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme.it_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of FixMe.it RMM tool""}]",https://docs.fixme.it/general-questions/which-ports-and-servers-does-fixme-it-use,[] -FileZilla,,FileZilla is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\FileZilla FTP Client\*, *\FileZilla FTP Client\*, *\FileZilla.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/filezilla_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of FileZilla RMM tool""}]",,[] -Microsoft RDP,,Microsoft RDP is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,mstsc.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_rdp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Microsoft RDP RMM tool""}]",https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/windows,[] -RuDesktop,,RuDesktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rd.exe, rudesktop*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.rudesktop.ru"", ""rudesktop.ru""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rudesktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of RuDesktop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rudesktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RuDesktop RMM tool""}]",https://rudesktop.ru,[] -BeyondTrust (Bomgar),,BeyondTrust (Bomgar) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"bomgar-scc-*.exe, bomgar-scc.exe, bomgar-pac-*.exe, bomgar-pac.exe, bomgar-rdp.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.beyondtrustcloud.com"", ""*.bomgarcloud.com"", ""bomgarcloud.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__network_sigma.yml"", ""Description"": ""Detects potential network activity of BeyondTrust (Bomgar) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of BeyondTrust (Bomgar) RMM tool""}]",https://www.beyondtrust.com/docs/remote-support/getting-started/deployment/cloud/network.htm,[] +ESET Remote Administrator,,ESET Remote Administrator is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"era.exe, einstaller.exe, ezhelp*.exe, eratool.exe, ERAAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""eset.com/me/business/remote-management/remote-administrator/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_network_sigma.yml"", ""Description"": ""Detects potential network activity of ESET Remote Administrator RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ESET Remote Administrator RMM tool""}]",eset.com/me/business/remote-management/remote-administrator/,[] +Yandex.Disk,,Yandex.Disk is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Yandex\*, *\Yandex\*, *\YandexDisk2.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/yandex.disk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Yandex.Disk RMM tool""}]",,[] +N-Able Advanced Monitoring Agent,,N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"BASupSrvc.exe, winagent.exe, BASupApp.exe, BASupTSHelper.exe, Agent_*_RW.exe, BASEClient.exe, BASupSrvcCnfg.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.beanywhere.com "", ""systemmonitor.co.uk"", ""*system-monitor.com"", ""cloudbackup.management"", ""*systemmonitor.co.uk"", ""n-able.com"", ""systemmonitor.us"", ""*systemmonitor.eu.com"", ""*.logicnow.com"", ""*.swi-tc.com"", ""*remote.management"", ""systemmonitor.us.cdn.cloudflare.net"", ""*cloudbackup.management"", ""remote.management"", ""logicnow.com"", ""system-monitor.com"", ""*systemmonitor.us"", ""systemmonitor.eu.com"", ""*.n-able.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_network_sigma.yml"", ""Description"": ""Detects potential network activity of N-Able Advanced Monitoring Agent RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of N-Able Advanced Monitoring Agent RMM tool""}]",https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm,[] +MyIVO,,MyIVO is a remote monitoring and 
management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"myivomgr.exe, myivomanager.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""myivo-server.software.informer.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/myivo_network_sigma.yml"", ""Description"": ""Detects potential network activity of MyIVO RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/myivo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MyIVO RMM tool""}]",myivo.com - DOA as of 2024,[] FreeFileSync,,FreeFileSync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\FreeFileSync\*, *\FreeFileSync\*, *\FreeFileSync.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/freefilesync_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of FreeFileSync RMM tool""}]",,[] -TightVNC,,TightVNC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"tvnviewer.exe, TightVNCViewerPortable*.exe, tvnserver.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""tightvnc.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tightvnc_network_sigma.yml"", ""Description"": ""Detects potential network activity of TightVNC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tightvnc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of TightVNC RMM tool""}]",https://www.tightvnc.com/doc/win/TightVNC_for_Windows-Installation_and_Getting_Started.pdf,[] -MeshCentral,,MeshCentral is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"meshcentral*.exe, mesh*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""meshcentral.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_network_sigma.yml"", ""Description"": ""Detects potential network activity of MeshCentral RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MeshCentral RMM tool""}]",https://ylianst.github.io/MeshCentral/meshcentral/,[] -CuteFTP,,CuteFTP is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Globalscape\CuteFTP\*, *\Globalscape\CuteFTP\*, *\cuteftppro.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cuteftp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of CuteFTP RMM tool""}]",,[] -Dev Tunnels (aka Visual Studio Dev Tunnel),,Dev Tunnels (aka Visual Studio Dev Tunnel) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dev_tunnels__aka_visual_studio_dev_tunnel__network_sigma.yml"", ""Description"": ""Detects potential network activity of Dev Tunnels (aka Visual Studio Dev Tunnel) RMM tool""}]",,[] -CarotDAV,,CarotDAV is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Rei Software\CarotDAV\*, *\Rei Software\CarotDAV\*, *\CarotDAV.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/carotdav_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of CarotDAV RMM tool""}]",,[] -Bitvise SSH Server,,Bitvise SSH Server is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\Bitvise SSH Server\*, *\Bitvise SSH Server\*, *\BvSshServer-Inst.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bitvise_ssh_server_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Bitvise SSH Server RMM tool""}]",,[] -Pandora RC (eHorus),,Pandora RC (eHorus) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"ehorus standalone.exe, ehorus_agent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""portal.ehorus.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pandora_rc__ehorus__network_sigma.yml"", ""Description"": ""Detects potential network activity of Pandora RC (eHorus) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pandora_rc__ehorus__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pandora RC (eHorus) RMM tool""}]",https://pandorafms.com/manual/!current/en/documentation/09_pandora_rc/01_pandora_rc_introduction,[] -DW Service,,DW Service is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"dwagsvc.exe, dwagent.exe, dwagsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.dwservice.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_network_sigma.yml"", ""Description"": ""Detects potential network activity of DW Service RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DW Service RMM tool""}]",https://news.dwservice.net/dwservice-security-infrastructure/,[] -Iperius Remote,,Iperius Remote is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"iperius.exe, iperiusremote.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.iperiusremote.com"", ""*.iperius.com"", ""*.iperius-rs.com"", ""iperiusremote.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/iperius_remote_network_sigma.yml"", ""Description"": ""Detects potential network activity of Iperius Remote RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/iperius_remote_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Iperius Remote RMM tool""}]",https://www.iperiusremote.com/download-iperius-remote-desktop-windows.aspx,[] +ITSupport247 (ConnectWise),,ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,saazapsc.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.itsupport247.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__network_sigma.yml"", ""Description"": ""Detects potential network activity of ITSupport247 (ConnectWise) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ITSupport247 (ConnectWise) RMM tool""}]",https://control.itsupport247.net/,[] +VNC,,VNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"winvnc*.exe, vncserver.exe, winwvc.exe, winvncsc.exe, vncserverui.exe, vncviewer.exe, winvnc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""realvnc.com/en/connect/download/vnc""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/vnc_network_sigma.yml"", ""Description"": ""Detects potential network activity of VNC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/vnc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of VNC RMM tool""}]",https://realvnc.com/en/connect/download/vnc,[] +ServerEye,,ServerEye is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"servereye*.exe, ServiceProxyLocalSys.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.server-eye.de""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/servereye_network_sigma.yml"", ""Description"": ""Detects potential network activity of ServerEye RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/servereye_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ServerEye RMM tool""}]",https://www.servereye.de/wp-content/uploads/Anleitung-zur-Erstinstallation_aktuell.pdf,[] +Rapid7,,Rapid7 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"ir_agent.exe, rapid7_agent_core.exe, rapid7_endpoint_broker.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.analytics.insight.rapid7.com"", ""*.endpoint.ingress.rapid7.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rapid7_network_sigma.yml"", ""Description"": ""Detects potential network activity of Rapid7 RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rapid7_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Rapid7 RMM tool""}]",https://docs.rapid7.com/insightvm/configure-communications-with-the-insight-platform/,[] +GoToAssist (GoTo Resolve),,GoToAssist (GoTo Resolve) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\ProgramFiles*\GoTo Machine Installer\*, *\GoTo Machine Installer\*, *\GoTo\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Ocamlfuse,,Ocamlfuse is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +GetScreen,,GetScreen is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"GetScreen.exe, getscreen.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""getscreen.me"", ""GetScreen.me"", ""*.getscreen.me""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/getscreen_network_sigma.yml"", ""Description"": ""Detects potential network activity of GetScreen RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/getscreen_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of GetScreen RMM tool""}]",https://docs.getscreen.me/self-hosted/system-requirements/,[] +MobaXterm,,MobaXterm is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\MobaXterm_installer_12.1.msi, *\MobaXterm_installer_*.msi, *\Mobatek\MobaXterm\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +CrossTec Remote Control,,CrossTec Remote Control is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"PCIVIDEO.EXE, supporttool.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""crosstecsoftware.com/remotecontrol""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crosstec_remote_control_network_sigma.yml"", ""Description"": ""Detects potential network activity of CrossTec Remote Control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crosstec_remote_control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of CrossTec Remote Control RMM tool""}]",www.crosstecsoftware.com/supporthome.html - domain DOA 2/1/2024,[] +Absolute (Computrace),,Absolute (Computrace) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,6/18/2024,,,,,,,,,,,,"rpcnet.exe, ctes.exe, ctespersitence.exe, cteshostsvc.exe, rpcld.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*search.namequery.com"", ""*server.absolute.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/absolute__computrace__network_sigma.yml"", ""Description"": ""Detects potential network activity of Absolute (Computrace) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/absolute__computrace__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Absolute (Computrace) RMM tool""}]",https://community.absolute.com/s/article/Understanding-Absolutes-Endpoint-Agents-Rpcnet-CTES-and-search-namequery-com,[] +Xshell,,Xshell is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\NetSarang\xShell\*, *\NetSarang\xShell\*, *\xShell.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xshell_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Xshell RMM tool""}]",,[] +Amazon (Cloud) Drive,,Amazon (Cloud) Drive is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\*\AppData\Local\Amazon\Cloud Drive\*, *\AppData\Local\Amazon\Cloud Drive\*, *\AmazonCloudDrive.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/amazon__cloud__drive_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Amazon (Cloud) Drive RMM tool""}]",,[] +MyGreenPC,,MyGreenPC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,mygreenpc.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*mygreenpc.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mygreenpc_network_sigma.yml"", ""Description"": ""Detects potential network activity of MyGreenPC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mygreenpc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MyGreenPC RMM tool""}]",http://www.mygreenpc.com/,[] +Level.io,,Level.io is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"level-windows-amd64.exe, level.exe, level-remote-control-ffmpeg.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""level.io"", ""*.level.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_network_sigma.yml"", ""Description"": ""Detects potential network activity of Level.io RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Level.io RMM tool""}]",https://docs.level.io/1.0/admin-guides/troubleshooting-agent-issues,[] +Microsoft Quick Assist,,Microsoft Quick Assist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,quickassist.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_quick_assist_network_sigma.yml"", ""Description"": ""Detects potential network activity of Microsoft Quick Assist RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_quick_assist_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Microsoft Quick Assist RMM tool""}]",https://support.microsoft.com/en-us/windows/install-quick-assist-c17479b7-a49d-4d12-938c-dbfb97c88bca,[] +Manage Engine (Desktop Central),,Manage Engine (Desktop Central) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"dcagentservice.exe, dcagentregister.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""desktopcentral.manageengine.com"", ""desktopcentral.manageengine.com.eu"", ""desktopcentral.manageengine.cn"", ""*.dms.zoho.com"", ""*.dms.zoho.com.eu"", ""*.-dms.zoho.com.cn""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manage_engine__desktop_central__network_sigma.yml"", ""Description"": ""Detects potential network activity of Manage Engine (Desktop Central) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manage_engine__desktop_central__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Manage Engine (Desktop Central) RMM tool""}]",https://www.manageengine.com/products/desktop-central/help/domains-required-for-agent-communication.html,[] diff --git a/website/public/api/rmm_tools.json b/website/public/api/rmm_tools.json index 6f14e0f3..c033b16b 100644 --- a/website/public/api/rmm_tools.json +++ b/website/public/api/rmm_tools.json 
@@ -1,7 +1,45 @@ [ { - "Name": "Rapid7", - "Description": "Rapid7 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "LabTeach (Connectwise Automate)", + "Description": "LabTeach (Connectwise Automate) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "ltsvc.exe" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labteach__connectwise_automate__processes_sigma.yml", + "Description": "Detects potential processes activity of LabTeach (Connectwise Automate) RMM tool" + } + ], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "Zabbix Agent", + "Description": "Zabbix Agent is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/14/2024", @@ -19,9 +57,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ir_agent.exe", - "rapid7_agent_core.exe", - "rapid7_endpoint_broker.exe" + "zabbix_agent*.exe" ] }, "Artifacts": { @@ -32,8 +68,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.analytics.insight.rapid7.com", - "*.endpoint.ingress.rapid7.com" + "user_managed", + "zabbix.com" ], "Ports": [] } 
@@ -41,25 +77,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rapid7_network_sigma.yml", - "Description": "Detects potential network activity of Rapid7 RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zabbix_agent_network_sigma.yml", + "Description": "Detects potential network activity of Zabbix Agent RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rapid7_processes_sigma.yml", - "Description": "Detects potential processes activity of Rapid7 RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zabbix_agent_processes_sigma.yml", + "Description": "Detects potential processes activity of Zabbix Agent RMM tool" } ], "References": [ - "https://docs.rapid7.com/insightvm/configure-communications-with-the-insight-platform/" + "https://www.zabbix.com/documentation/current/en/manual/appendix/install/windows_agent" ], "Acknowledgement": [] }, { - "Name": "SunLogin", - "Description": "SunLogin is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Senso.cloud", + "Description": "Senso.cloud is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/26/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -74,9 +110,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "OrayRemoteShell.exe", - "OrayRemoteService.exe", - "sunlogin*.exe" + "SensoClient.exe", + "SensoService.exe", + "aadg.exe" ] }, "Artifacts": { @@ -87,8 +123,8 @@ { "Description": "Known remote domains", "Domains": [ - "sunlogin.oray.com", - "client.oray.net" + "*.senso.cloud", + "senso.cloud" ], "Ports": [] } 
@@ -96,25 +132,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sunlogin_network_sigma.yml", - "Description": "Detects potential network activity of SunLogin RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/senso.cloud_network_sigma.yml", + "Description": "Detects potential network activity of Senso.cloud RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sunlogin_processes_sigma.yml", - "Description": "Detects potential processes activity of SunLogin RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/senso.cloud_processes_sigma.yml", + "Description": "Detects potential processes activity of Senso.cloud RMM tool" } ], "References": [ - "https://sunlogin.oray.com/en/embed/software.html" + "https://support.senso.cloud/support/solutions/articles/79000116305-firewall-and-content-filter-configuration" ], "Acknowledgement": [] }, { - "Name": "CloudFuze", - "Description": "CloudFuze is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "I'm InTouch", + "Description": "I'm InTouch is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -128,24 +164,48 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "iit.exe", + "intouch.exe", + "I'm InTouch Go Installer.exe" + ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.01com.com", + "01com.com/imintouch-remote-pc-desktop" + ], + "Ports": [] + } + ] }, - "Detections": [], - "References": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/i'm_intouch_network_sigma.yml", + "Description": "Detects potential network activity of I'm InTouch RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/i'm_intouch_processes_sigma.yml", + "Description": "Detects potential processes activity of I'm InTouch RMM tool" + } + ], + "References": [ + "https://www.01com.com/mobile/imintouch-remote-pc-desktop/faqs/remote-access/" + ], "Acknowledgement": [] }, { - "Name": "Box", - "Description": "Box is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "RustDesk", + "Description": "RustDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -160,29 +220,77 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files\\Box\\Box\\*", - "*\\Box\\Box\\*", - "*\\Box.exe" + "rustdesk*.exe", + "rustdesk.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "rustdesk.com", + "user_managed", + "web.rustdesk.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/box_processes_sigma.yml", - "Description": "Detects potential processes activity of Box RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rustdesk_network_sigma.yml", + "Description": "Detects potential network activity of RustDesk RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rustdesk_processes_sigma.yml", + "Description": "Detects potential processes activity of RustDesk RMM tool" } ], - "References": [], + "References": [ + "https://rustdesk.com/docs/en/" + ], "Acknowledgement": [] }, { - "Name": "GoToAssist Agent Desktop Console", - "Description": "GoToAssist Agent Desktop Console is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Electric AI (Kaseya)", + "Description": "Electric AI (Kaseya) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/7/2024", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [], + "References": [ + "https://www.electric.ai/product/device-management-solutions - Usess Kaseya/jamf" + ], + "Acknowledgement": [] + }, + { + "Name": "ZOC", + "Description": "ZOC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -200,8 +308,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\*\\G2RDesktopConsole-x64.msi", - "*\\G2RDesktopConsole-x64.msi" + "C:\\Program Files\\ZOC8\\*", + "*\\ZOC?\\*", + "*\\zoc.exe" ] }, "Artifacts": { 
@@ -210,31 +319,28 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoc_processes_sigma.yml", + "Description": "Detects potential processes activity of ZOC RMM tool" + } + ], "References": [], "Acknowledgement": [] }, { - "Name": "Kaseya (VSA)", - "Description": "Kaseya (VSA) aka Unigma is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.\n", - "Author": "Nasreddine Bencherchali", - "Created": "2024-08-05", - "LastModified": "2024-08-05", + "Name": "Any Support", + "Description": "Any Support is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/27/2024", "Details": { "Website": "", - "PEMetadata": [ - { - "Filename": "agentmon.exe" - }, - { - "Filename": "KaUpdHlp.exe" - }, - { - "Filename": "KaUsrTsk.exe", - "OriginalFileName": "", - "Description": "" - } - ], + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, "Privileges": "", "Free": "", "Verification": "", 
@@ -242,102 +348,18 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\Kaseya\\", - "C:\\ProgramData\\Kaseya\\" + "ManualLauncher.exe" ] }, "Artifacts": { - "Disk": [ - { - "File": "%localappdata%\\Kaseya\\Log\\KaseyaLiveConnect\\*", - "Description": "Kaseya Live Connect logs", - "OS": "Windows" - }, - { - "File": "~/Library/Logs/com.kaseya/KaseyaLiveConnect/*", - "Description": "Kaseya Live Connect logs", - "OS": "MacOS" - }, - { - "File": "C:\\ProgramData\\Kaseya\\Log\\Endpoint\\*", - "Description": "Kaseya Endpoint logs", - "OS": "Windows" - }, - { - "File": "C:\\Program Files*\\Kaseya\\*\\agentmon.log", - "Description": "Kaseya Agent Monitor log" - }, - { - "File": "/var/log/system.log", - "Description": "Kaseya Agent Monitor log", - "OS": "MacOS 32bit" - }, - { - "File": " ~/opt/kaseya/*/logs*", - "Description": "Kaseya Agent Monitor log", - "OS": "MacOS 64bit" - }, - { - "File": "C:\\Users\\*\\AppData\\Local\\Temp\\KASetup.log", - "Description": "Kaseya Setup log in user temp directory", - "OS": "Windows" - }, - { - "File": "C:\\Windows\\Temp\\KASetup.log", - "Description": "Kaseya Setup log in Windows temp directory", - "OS": "Windows" - }, - { - "File": "C:\\ProgramData\\Kaseya\\Log\\KaseyaEdgeServices\\*", - "Description": "Kaseya Edge Services logs", - "OS": "Windows" - }, - { - "File": "C:\\Kaseya\\api\\v1.0\\logs\\", - "Description": "Kaseya API logs", - "OS": "Windows" - }, - { - "File": "C:\\Kaseya\\api\\v1.5\\endpoint\\logs", - "Description": "Kaseya API logs", - "OS": "Windows" - }, - { - "File": "C:\\Kaseya\\api\\v1.5\\endpoints\\logs", - "Description": "Kaseya API logs", - "OS": "Windows" - }, - { - "File": "C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Kaseya\\Log\\MakeSelfSignedCert.exe\\", - "Description": "Certificate creation", - "OS": "Windows" - }, - { - "File": "C:\\Kaseya\\WebPages\\install\\makecert.txt", - "Description": "Certificate creation", - "OS": "Windows" - }, - { - 
"File": "C:\\ProgramData\\Kaseya\\Log\\Endpoint\\Instance_*\\KaseyaEndpoint*", - "Description": "Endpoint service logs", - "OS": "Windows" - }, - { - "File": "C:\\ProgramData\\Kaseya\\Log\\Endpoint\\Instance_*\\Session_*", - "Description": "Session logs", - "OS": "Windows" - } - ], - "EventLog": [], - "Registry": [], - "Network": [ + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [ { "Description": "Known remote domains", "Domains": [ - "deploy01.kaseya.com", - "*managedsupport.kaseya.net", - "*.kaseya.net", - "kaseya.com" + "*.anysupport.net" ], "Ports": [] } 
@@ -345,28 +367,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kaseya__vsa__network_sigma.yml", - "Description": "Detects potential network activity of Kaseya (VSA) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/any_support_network_sigma.yml", + "Description": "Detects potential network activity of Any Support RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kaseya__vsa__files_sigma.yml", - "Description": "Detects potential files activity of Kaseya (VSA) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/any_support_processes_sigma.yml", + "Description": "Detects potential processes activity of Any Support RMM tool" } ], "References": [ - "https://helpdesk.kaseya.com/hc/en-gb/articles/229012608-Software-Deployment-URL-Port-Requirements", - "https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations", - "https://ruler-project.github.io/ruler-project/RULER/remote/Kaseya/", - "https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations" + "https://www.anysupport.net/introduce_howto.php" ], "Acknowledgement": [] }, { - "Name": "PuTTY Tray", - "Description": "PuTTY Tray is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "PDQ Connect", + "Description": "PDQ Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/26/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -381,31 +400,45 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\*\\puttytray.exe", - "*\\puttytray.exe" + "pdq-connect*.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "app.pdq.com", + "cfcdn.pdq.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/putty_tray_processes_sigma.yml", - "Description": "Detects potential processes activity of PuTTY Tray RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pdq_connect_network_sigma.yml", + "Description": "Detects potential network activity of PDQ Connect RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pdq_connect_processes_sigma.yml", + "Description": "Detects potential processes activity of PDQ Connect RMM tool" } ], - "References": [], + "References": [ + "https://connect.pdq.com/hc/en-us/articles/9518992071707-Network-Requirements" + ], "Acknowledgement": [] }, { - "Name": "Azure Storage Explorer", - "Description": "Azure Storage Explorer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Pcnow", + "Description": "Pcnow is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -420,29 +453,43 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\Microsoft Azure Storage Explorer\\*", - "*\\Microsoft Azure Storage Explorer\\*", - "*\\StorageExplorer.exe" + "mwcliun.exe", + "pcnmgr.exe", + "webexpcnow.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "au.pcmag.com/utilities/21470/webex-pcnow" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/azure_storage_explorer_processes_sigma.yml", - "Description": "Detects potential processes activity of Azure Storage Explorer RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcnow_network_sigma.yml", + "Description": "Detects potential network activity of Pcnow RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcnow_processes_sigma.yml", + "Description": "Detects potential processes activity of Pcnow RMM tool" } ], - "References": [], + "References": [ + "http://pcnow.webex.com/ - DOA as of 2024" + ], "Acknowledgement": [] }, { - "Name": "SysAid", - "Description": "SysAid is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Quick Assist", + "Description": "Quick Assist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -460,10 +507,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files\\SysAidServer\\*", - "*\\SysAidServer\\*", - "*\\SysAid\\*", - "*\\IliAS.exe" + "quickassist.exe" ] }, "Artifacts": { 
@@ -474,16 +518,16 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sysaid_processes_sigma.yml", - "Description": "Detects potential processes activity of SysAid RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quick_assist_processes_sigma.yml", + "Description": "Detects potential processes activity of Quick Assist RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "Domotz", - "Description": "Domotz is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Seetrol", + "Description": "Seetrol is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/7/2024", @@ -501,12 +545,11 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "domotz.exe", - "Domotz Pro Desktop App.exe", - "domotz_bash.exe", - "domotz*.exe", - "Domotz Pro Desktop App Setup*.exe", - "domotz-windows*.exe" + "seetrolcenter.exe", + "seetrolclient.exe", + "seetrolmyservice.exe", + "seetrolremote.exe", + "seetrolsetting.exe" ] }, "Artifacts": { @@ -517,9 +560,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.domotz.co", - "domotz.com", - "*cell-1.domotz.com" + "seetrol.co.kr" ], "Ports": [] } 
@@ -527,22 +568,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/domotz_network_sigma.yml", - "Description": "Detects potential network activity of Domotz RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/seetrol_network_sigma.yml", + "Description": "Detects potential network activity of Seetrol RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/domotz_processes_sigma.yml", - "Description": "Detects potential processes activity of Domotz RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/seetrol_processes_sigma.yml", + "Description": "Detects potential processes activity of Seetrol RMM tool" } ], "References": [ - "https://help.domotz.com/tips-tricks/unblock-outgoing-connections-on-firewall/" + "http://www.seetrol.com/en/features/features3.php" ], "Acknowledgement": [] }, { - "Name": "BeyondTrust", - "Description": "BeyondTrust is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "CarotDAV", + "Description": "CarotDAV is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -559,7 +600,11 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "C:\\Program Files (x86)\\Rei Software\\CarotDAV\\*", + "*\\Rei Software\\CarotDAV\\*", + "*\\CarotDAV.exe" + ] }, "Artifacts": { "Disk": [], 
@@ -567,16 +612,21 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/carotdav_processes_sigma.yml", + "Description": "Detects potential processes activity of CarotDAV RMM tool" + } + ], "References": [], "Acknowledgement": [] }, { - "Name": "Netop Remote Control (aka Impero Connect)", - "Description": "Netop Remote Control (aka Impero Connect) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Goverlan", + "Description": "Goverlan is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -591,10 +641,14 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "nhostsvc.exe", - "nhstw32.exe", - "nldrw32.exe", - "rmserverconsolemediator.exe" + "goverrmc.exe", + "govsrv*.exe", + "GovAgentInstallHelper.exe", + "GovAgentx64.exe", + "GovReachClient.exe", + "C:\\Program Files (x86)\\PJ Technologies\\GOVsrv\\*", + "*\\PJ Technologies\\GOVsrv\\*", + "*\\GovSrv.exe" ] }, "Artifacts": { @@ -605,7 +659,8 @@ { "Description": "Known remote domains", "Domains": [ - "imperosoftware.com/impero-connect/" + "user_managed", + "goverlan.com" ], "Ports": [] } 
@@ -613,54 +668,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__aka_impero_connect__network_sigma.yml", - "Description": "Detects potential network activity of Netop Remote Control (aka Impero Connect) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/goverlan_network_sigma.yml", + "Description": "Detects potential network activity of Goverlan RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__aka_impero_connect__processes_sigma.yml", - "Description": "Detects potential processes activity of Netop Remote Control (aka Impero Connect) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/goverlan_processes_sigma.yml", + "Description": "Detects potential processes activity of Goverlan RMM tool" } ], - "References": [], + "References": [ + "https://www.goverlan.com/pdf/Goverlan-Remote-Control-Software.pdf" + ], "Acknowledgement": [] }, { - "Name": "Bomgar - Now BeyondTrust", - "Description": "Bomgar - Now BeyondTrust is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "OptiTune", + "Description": "OptiTune is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [] - }, - "Detections": [], - "References": [], - "Acknowledgement": [] - }, - { - "Name": "Microsoft TSC", - "Description": "Microsoft TSC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/26/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -675,32 +701,46 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "termsrv.exe" + "OTService.exe", + "OTPowerShell.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.optitune.us", + "*.opti-tune.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_tsc_processes_sigma.yml", - "Description": "Detects potential processes activity of Microsoft TSC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/optitune_network_sigma.yml", + "Description": "Detects potential network activity of OptiTune RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/optitune_processes_sigma.yml", + "Description": "Detects potential processes activity of OptiTune RMM tool" } ], "References": [ - "https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/terminal-server-startup-connection-application" + "https://www.bravurasoftware.com/optitune/support/faq.aspx" ], "Acknowledgement": [] }, { - "Name": "Jump Desktop", - "Description": "Jump Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "EMCO Remote Console", + "Description": "EMCO Remote Console is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -715,11 +755,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "jumpclient.exe", - "jumpdesktop.exe", - "jumpservice.exe", - "jumpconnect.exe", - "jumpupdater.exe" + "remoteconsole.exe" ] }, "Artifacts": { 
@@ -730,10 +766,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.jumpdesktop.com", - "jumpdesktop.com", - "jumpto.me", - "*.jumpto.me" + "user_managed", + "emcosoftware.com" ], "Ports": [] } @@ -741,25 +775,23 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_desktop_network_sigma.yml", - "Description": "Detects potential network activity of Jump Desktop RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/emco_remote_console_network_sigma.yml", + "Description": "Detects potential network activity of EMCO Remote Console RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_desktop_processes_sigma.yml", - "Description": "Detects potential processes activity of Jump Desktop RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/emco_remote_console_processes_sigma.yml", + "Description": "Detects potential processes activity of EMCO Remote Console RMM tool" } ], - "References": [ - "https://support.jumpdesktop.com/hc/en-us/articles/360042490351-Administrators-Guide-For-Jump-Desktop-Connect" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "IntelliAdmin Remote Control", - "Description": "IntelliAdmin Remote Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "N-Able Advanced Monitoring Agent", + "Description": "N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -774,11 +806,12 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "iadmin.exe", - "intelliadmin.exe", - "agent32.exe", - "agent64.exe", - "agent_setup_5.exe" + "Agent_*_RW.exe", + "BASEClient.exe", + "BASupApp.exe", + "BASupSrvc.exe", + "BASupSrvcCnfg.exe", + "BASupTSHelper.exe" ] }, "Artifacts": { @@ -789,9 +822,17 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "*.intelliadmin.com", - "intelliadmin.com/remote-control" + "*remote.management", + "*.logicnow.com", + "*systemmonitor.us", + "*systemmonitor.eu.com", + "*system-monitor.com", + "systemmonitor.us.cdn.cloudflare.net", + "*cloudbackup.management", + "*systemmonitor.co.uk", + "*.n-able.com", + "*.beanywhere.com ", + "*.swi-tc.com" ], "Ports": [] } 
@@ -799,56 +840,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/intelliadmin_remote_control_network_sigma.yml", - "Description": "Detects potential network activity of IntelliAdmin Remote Control RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_network_sigma.yml", + "Description": "Detects potential network activity of N-Able Advanced Monitoring Agent RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/intelliadmin_remote_control_processes_sigma.yml", - "Description": "Detects potential processes activity of IntelliAdmin Remote Control RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_processes_sigma.yml", + "Description": "Detects potential processes activity of N-Able Advanced Monitoring Agent RMM tool" } ], "References": [ - "intelliadmin.com/remote-control" + "https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm" ], "Acknowledgement": [] }, { - "Name": "Chrome SSH Extension", - "Description": "Chrome SSH Extension is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\Users\\*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\iodihamcpbpeioajjeobimgagajmlibd*", - "*Users\\*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\iodihamcpbpeioajjeobimgagajmlibd*" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [] - }, - "Detections": [], - "References": [], - "Acknowledgement": [] - }, - { - "Name": "ZeroTier", - "Description": "ZeroTier is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Tailscale", + "Description": "Tailscale is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/14/2024", @@ -866,9 +873,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "zerotier*.msi", - "zerotier*.exe", - "zero-powershell.exe" + "tailscale-*.exe", + "tailscaled.exe", + "tailscale-ipn.exe" ] }, "Artifacts": { @@ -879,8 +886,9 @@ { "Description": "Known remote domains", "Domains": [ - "zerotier.com", - "*.zerotier.com" + "*.tailscale.com", + "*.tailscale.io", + "tailscale.com" ], "Ports": [] } 
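Review bot: The `Chrome SSH Extension` record is deleted here with no `+` counterpart in the hunk, while the surrounding changes are renames and reorders of existing records; since this is a generated file, confirm the record (with its two `Extensions\\iodihamcpbpeioajjeobimgagajmlibd*` installation paths) is emitted elsewhere in the file rather than silently dropped from the catalogue. In the Tailscale `InstallationPaths`, `tailscale-*.exe` already subsumes `tailscale-ipn.exe`, which suggests the list is not being de-duplicated against its own wildcards.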
@@ -888,25 +896,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zerotier_network_sigma.yml", - "Description": "Detects potential network activity of ZeroTier RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tailscale_network_sigma.yml", + "Description": "Detects potential network activity of Tailscale RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zerotier_processes_sigma.yml", - "Description": "Detects potential processes activity of ZeroTier RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tailscale_processes_sigma.yml", + "Description": "Detects potential processes activity of Tailscale RMM tool" } ], "References": [ - "https://my.zerotier.com/" + "https://tailscale.com/kb/1023/troubleshooting" ], "Acknowledgement": [] }, { - "Name": "Ericom AccessNow", - "Description": "Ericom AccessNow is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Pilixo", + "Description": "Pilixo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -921,8 +929,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "accessserver*.exe", - "accessserver.exe" + "rdp.exe", + "Pilixo_Installer*.exe" ] }, "Artifacts": { @@ -933,8 +941,9 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "ericom.com" + "pilixo.com", + "download.pilixo.com", + "*.pilixo.com" ], "Ports": [] } 
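Review bot: `rdp.exe` in the Pilixo `InstallationPaths` has no vendor-specific component, so the `pilixo_processes_sigma.yml` generated from it will fire on any process of that name. If that is the real client binary, anchor it with a parent path or fill the `PEMetadata` fields (`OriginalFileName`, `Description`), which are left empty in this record, so the rule can be made specific; `Pilixo_Installer*.exe` is fine as is.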
@@ -942,22 +951,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_accessnow_network_sigma.yml", - "Description": "Detects potential network activity of Ericom AccessNow RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pilixo_network_sigma.yml", + "Description": "Detects potential network activity of Pilixo RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_accessnow_processes_sigma.yml", - "Description": "Detects potential processes activity of Ericom AccessNow RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pilixo_processes_sigma.yml", + "Description": "Detects potential processes activity of Pilixo RMM tool" } ], "References": [ - "https://www.ericom.com/connect-accessnow/" + "https://pilixo.freshdesk.com/support/solutions/articles/9000141879-device-connectivity-and-firewalls" ], "Acknowledgement": [] }, { - "Name": "RealVNC", - "Description": "RealVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Remote Desktop Manager (Devolutions)", + "Description": "Remote Desktop Manager (Devolutions) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -987,11 +996,11 @@ "Acknowledgement": [] }, { - "Name": "Pcnow", - "Description": "Pcnow is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "BeyondTrust (Bomgar)", + "Description": "BeyondTrust (Bomgar) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -1006,9 +1015,11 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "mwcliun.exe", - "pcnmgr.exe", - "webexpcnow.exe" + "bomgar-scc-*.exe", + "bomgar-scc.exe", + "bomgar-pac-*.exe", + "bomgar-pac.exe", + "bomgar-rdp.exe" ] }, "Artifacts": { @@ -1019,7 +1030,9 @@ { "Description": "Known remote domains", "Domains": [ - "au.pcmag.com/utilities/21470/webex-pcnow" + "*.beyondtrustcloud.com", + "*.bomgarcloud.com", + "bomgarcloud.com" ], "Ports": [] } 
@@ -1027,77 +1040,161 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcnow_network_sigma.yml", - "Description": "Detects potential network activity of Pcnow RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__network_sigma.yml", + "Description": "Detects potential network activity of BeyondTrust (Bomgar) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcnow_processes_sigma.yml", - "Description": "Detects potential processes activity of Pcnow RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__processes_sigma.yml", + "Description": "Detects potential processes activity of BeyondTrust (Bomgar) RMM tool" } ], "References": [ - "http://pcnow.webex.com/ - DOA as of 2024" + "https://www.beyondtrust.com/docs/remote-support/getting-started/deployment/cloud/network.htm" ], "Acknowledgement": [] }, { - "Name": "DesktopNow", - "Description": "DesktopNow is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/26/2024", + "Name": "Alpemix", + "Description": "Alpemix is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.\n", + "Author": "Nasreddine Bencherchali", + "Created": "2024-08-05", + "LastModified": "2024-08-05", "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", + "Website": "https://www.alpemix.com/en/Home", + "PEMetadata": [ + { + "Filename": "Alpemix.exe", + "OriginalFileName": "Alpemix", + "Description": "Alpemix", + "Product": "Alpemix", + "InternalName": "Alpemix" + } + ], + "Privileges": "", "Free": "", "Verification": "", - "SupportedOS": [], - "Capabilities": [], + "SupportedOS": [ + "Windows", + "Linux", + "Android", + "Mac", + "IOS" + ], + "Capabilities": [ + "5 Different Solutions for Remote Support", + "Access to Unattended Computers", + "Access to User Account Control (UAC) Screens", + "Add Your Own Logo", + "Auto Sizing", + "Automatic Update", + "Clipboard Transfer", + "Computer Independent Licensing", + "Contact List and Groups", + "Encrypted Communication", + "External Communication Barrier", + "File Transfer", + "Instant Messaging", + "Multi-Platform Support", + "Multiple Chat", + "Multiple Connections", + "No Port Forwarding Required", + "Peer to Peer Connection (p2p)", + "Receiving Offline Message", + "Remote Restart", + "ReportingRestricting The Authority", + "Screen Sharing", + "Sending Announcement Message", + "Sharing a certain part of the screen", + "Video Recording", + "Voice Communication", + "Who is currently supporting?", + "Working in Black Screen Mode" + ], "Vulnerabilities": [], "InstallationPaths": [ - "desktopnow.exe" + "C:\\AlpemixService.exe", + "C:\\AlpemixSrvc\\" ] }, "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], + "Disk": [ + { + "File": "%localappdata%\\Alpemix\\Alpemix.ini", + "Description": "N/A", + "OS": "Windows" + } + ], + "EventLog": [ + { + "EventID": 7045, + "ProviderName": "Service Control Manager", + "LogFile": "System.evtx", + "ServiceName": "AlpemixSrvc", + 
"ImagePath": "*\\Alpemix.exe servicestartxxx", + "Description": "Service installation event as result of Alpemix installation." + } + ], + "Registry": [ + { + "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\AlpemixSrvcx", + "Description": "N/A" + } + ], "Network": [ { - "Description": "Known remote domains", "Domains": [ - "*.nchuser.com" + "*.alpemix.com" ], - "Ports": [] + "Ports": [ + 443 + ], + "Description": "N/A" + }, + { + "Domains": [ + "*.teknopars.com" + ], + "Ports": [ + 80 + ], + "Description": "N/A" } ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktopnow_network_sigma.yml", - "Description": "Detects potential network activity of DesktopNow RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_registry_sigma.yml", + "Description": "Detects potential registry activity of Alpemix RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktopnow_processes_sigma.yml", - "Description": "Detects potential processes activity of DesktopNow RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_network_sigma.yml", + "Description": "Detects potential network activity of Alpemix RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_files_sigma.yml", + "Description": "Detects potential files activity of Alpemix RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_processes_sigma.yml", + "Description": "Detects potential processes activity of Alpemix RMM tool" } ], "References": [ - "https://forums.ivanti.com/s/article/Network-Ports-used-by-Environment-Manager?language=en_US" + "https://www.alpemix.com/en/remote-access" ], - "Acknowledgement": [] + "Acknowledgement": [ + { + "Person": "Nasreddine Bencherchali", + "Handle": "@nas_bench" + } + ] }, { - "Name": "Pocket Controller 
(Soti Xsight)", - "Description": "Pocket Controller (Soti Xsight) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "CloudBerry Explorer", + "Description": "CloudBerry Explorer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
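Review bot: The Alpemix record does not follow the schema the neighbouring records use: `PEMetadata` is an array of objects where every other entry has a single object, `Created`/`LastModified` are ISO `2024-08-05` where the others use `2/9/2024`, and `Description` ends in a literal `\n`. Any consumer indexing `PEMetadata.Filename` will break on the array form, so either migrate all records to the array shape or normalise this one. In the artifacts, the registry path `HKLM\\SYSTEM\\CurrentControlSet\\Services\\AlpemixSrvcx` does not agree with the `ServiceName` `AlpemixSrvc` recorded in the event-log artifact just above it, and the `ImagePath` `*\\Alpemix.exe servicestartxxx` ends in what look like placeholder characters; both feed `alpemix_registry_sigma.yml`, so verify them against a real install before merging. `"ReportingRestricting The Authority"` in `Capabilities` is two items run together, and `"Description": "N/A"` on the disk, registry and network artifacts should be an empty string or omitted, consistent with the `Known remote domains` wording used elsewhere.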
@@ -1112,46 +1209,26 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "pocketcontroller.exe", - "wysebrowser.exe", - "XSightService.exe" + "C:\\Program Files\\CloudBerryLab\\CloudBerry Drive\\*", + "*\\CloudBerryLab\\CloudBerry Drive\\*" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*soti.net" - ], - "Ports": [] - } - ] + "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller__soti_xsight__network_sigma.yml", - "Description": "Detects potential network activity of Pocket Controller (Soti Xsight) RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller__soti_xsight__processes_sigma.yml", - "Description": "Detects potential processes activity of Pocket Controller (Soti Xsight) RMM tool" - } - ], - "References": [ - "https://pulse.soti.net/support/soti-xsight/help/" - ], + "Detections": [], + "References": [], "Acknowledgement": [] }, { - "Name": "Instant Housecall", - "Description": "Instant Housecall is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Auvik", + "Description": "Auvik is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -1166,10 +1243,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "hsloader.exe", - "ihcserver.exe", - "instanthousecall.exe", - "instanthousecall.exe" + "auvik.engine.exe", + "auvik.agent.exe" ] }, "Artifacts": { 
@@ -1180,10 +1255,9 @@ { "Description": "Known remote domains", "Domains": [ - "*.instanthousecall.com", - "*.instanthousecall.net", - "instanthousecall.com", - "secure.instanthousecall.com" + "*.my.auvik.com", + "*.auvik.com", + "auvik.com" ], "Ports": [] } @@ -1191,25 +1265,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_network_sigma.yml", - "Description": "Detects potential network activity of Instant Housecall RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/auvik_network_sigma.yml", + "Description": "Detects potential network activity of Auvik RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_processes_sigma.yml", - "Description": "Detects potential processes activity of Instant Housecall RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/auvik_processes_sigma.yml", + "Description": "Detects potential processes activity of Auvik RMM tool" } ], "References": [ - "https://instanthousecall.com/features/" + "https://support.auvik.com/hc/en-us/articles/204315700-What-protocols-and-ports-does-the-Auvik-collector-use" ], "Acknowledgement": [] }, { - "Name": "CentraStage (Now Datto)", - "Description": "CentraStage (Now Datto) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Microsoft RDP", + "Description": "Microsoft RDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -1224,44 +1298,31 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "CagService.exe", - "AEMAgent.exe" + "termsrv.exe", + "mstsc.exe", + "Microsoft Remote Desktop" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.rmm.datto.com", - "*cc.centrastage.net", - "datto.com/au/products/rmm/" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centrastage__now_datto__network_sigma.yml", - "Description": "Detects potential network activity of CentraStage (Now Datto) RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centrastage__now_datto__processes_sigma.yml", - "Description": "Detects potential processes activity of CentraStage (Now Datto) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_rdp_processes_sigma.yml", + "Description": "Detects potential processes activity of Microsoft RDP RMM tool" } ], "References": [ - "https://rmm.datto.com/help/de/Content/1INTRODUCTION/Requirements/AllowListRequirements.htm" + "https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/windows" ], "Acknowledgement": [] }, { - "Name": "Core FTP", - "Description": "Core FTP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Microsoft OneDrive", + "Description": "Microsoft OneDrive is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -1278,10 +1339,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\*\\coreftplite.exe", - "*\\coreftplite.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], 
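Review bot: `"Microsoft Remote Desktop"` in the Microsoft RDP `InstallationPaths` is a product name rather than a file name or path pattern, so the `microsoft_rdp_processes_sigma.yml` built from this array will carry a selector that never matches an image path; drop it or move it to `PEMetadata.Description`. The other two paths, `termsrv.exe` and `mstsc.exe`, are exactly what the Microsoft TSC record removed in a later hunk carried, so this is a merge and the TSC reference URL should be carried over too. The Microsoft OneDrive record added in the same hunk has empty `InstallationPaths`, empty `Detections` and only the boilerplate description, so it contributes nothing actionable yet.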
@@ -1289,21 +1347,16 @@ "Registry": [], "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/core_ftp_processes_sigma.yml", - "Description": "Detects potential processes activity of Core FTP RMM tool" - } - ], + "Detections": [], "References": [], "Acknowledgement": [] }, { - "Name": "Insync", - "Description": "Insync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Tactical RMM", + "Description": "Tactical RMM is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -1318,90 +1371,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Users\\USERNAME\\AppData\\Roaming\\Insync\\App\\Insync.exe", - "*Users\\*\\AppData\\Roaming\\Insync\\App\\Insync.exe", - "*\\Insync.exe" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [] - }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/insync_processes_sigma.yml", - "Description": "Detects potential processes activity of Insync RMM tool" - } - ], - "References": [], - "Acknowledgement": [] - }, - { - "Name": "Microsoft TSC", - "Description": "Microsoft TSC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/8/2024", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "termsrv.exe", - "mstsc.exe" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [] - }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_tsc_processes_sigma.yml", - "Description": "Detects potential processes activity of Microsoft TSC RMM tool" - } - ], - "References": [ - "https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/terminal-server-startup-connection-application" - ], - "Acknowledgement": [] - }, - { - "Name": "LogMeIn rescue", - "Description": "LogMeIn rescue is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/8/2024", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "support-logmeinrescue*.exe", - "support-logmeinrescue.exe", - "lmi_rescue.exe" + "tacticalrmm.exe", + "tacticalrmm.exe" ] }, "Artifacts": { @@ -1412,9 +1383,9 @@ { "Description": "Known remote domains", "Domains": [ - "*.logmeinrescue.com", - "*.logmeinrescue.eu", - "logmeinrescue.com" + "login.tailscale.com", + "login.tailscale.com", + "docs.tacticalrmm.com" ], "Ports": [] } 
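Review bot: The Tactical RMM record lists `tacticalrmm.exe` twice in `InstallationPaths` and `login.tailscale.com` twice in `Domains`; the generator should de-duplicate before emitting. `login.tailscale.com` is also covered by the Tailscale record's `*.tailscale.com`, so `tactical_rmm_network_sigma.yml` will fire on ordinary Tailscale sign-ins; keep it here only if attributing that traffic to Tactical RMM is intended, and say so in the artifact `Description` instead of the generic `Known remote domains`.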
@@ -1422,25 +1393,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_rescue_network_sigma.yml", - "Description": "Detects potential network activity of LogMeIn rescue RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tactical_rmm_network_sigma.yml", + "Description": "Detects potential network activity of Tactical RMM RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_rescue_processes_sigma.yml", - "Description": "Detects potential processes activity of LogMeIn rescue RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tactical_rmm_processes_sigma.yml", + "Description": "Detects potential processes activity of Tactical RMM RMM tool" } ], "References": [ - "https://support.logmeinrescue.com/rescue/help/allowlisting-and-rescue" + "docs.tacticalrmm.com" ], "Acknowledgement": [] }, { - "Name": "Electric AI (Kaseya)", - "Description": "Electric AI (Kaseya) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "MioNet (WD Anywhere Access)", + "Description": "MioNet (WD Anywhere Access) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -1454,7 +1425,10 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "mionet.exe", + "mionetmanager.exe" + ] }, "Artifacts": { "Disk": [], 
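Review bot: `Detects potential network activity of Tactical RMM RMM tool` doubles the word RMM because the description template appends ` RMM tool` to a `Name` that already ends in it; the same happens for `Comodo RMM RMM tool` in a later hunk, so the generator should skip the suffix when the name already contains it. The reference `docs.tacticalrmm.com` is a bare hostname where every other `References` value in this diff is a full URL (and the same host is also listed under `Domains`); give it a scheme or leave it out of `References`.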
@@ -1462,18 +1436,23 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mionet__wd_anywhere_access__processes_sigma.yml", + "Description": "Detects potential processes activity of MioNet (WD Anywhere Access) RMM tool" + } + ], "References": [ - "https://www.electric.ai/product/device-management-solutions - Usess Kaseya/jamf" + "https://en.wikipedia.org/wiki/WD_Anywhere_Access - DOA as of 2016" ], "Acknowledgement": [] }, { - "Name": "Adobe Connect", - "Description": "Adobe Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Comodo RMM", + "Description": "Comodo RMM is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/27/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -1488,10 +1467,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ConnectAppSetup*.exe", - "ConnectShellSetup*.exe", - "Connect.exe", - "ConnectDetector.exe" + "itsmagent.exe", + "rviewer.exe" ] }, "Artifacts": { @@ -1502,7 +1479,9 @@ { "Description": "Known remote domains", "Domains": [ - "*.adobeconnect.com" + "*.itsm-us1.comodo.com", + "*mdmsupport.comodo.com", + "one.comodo.com" ], "Ports": [] } 
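Review bot: `"https://en.wikipedia.org/wiki/WD_Anywhere_Access - DOA as of 2016"` embeds a free-text status note in a `References` URL, which breaks any consumer that renders or validates the array as links. The same pattern is removed for Pcnow's `http://pcnow.webex.com/ - DOA as of 2024` earlier in this diff, so the data is inconsistent about it; record end-of-life status in `Description` or a dedicated field and keep `References` to plain URLs.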
@@ -1510,25 +1489,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/adobe_connect_network_sigma.yml", - "Description": "Detects potential network activity of Adobe Connect RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/comodo_rmm_network_sigma.yml", + "Description": "Detects potential network activity of Comodo RMM RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/adobe_connect_processes_sigma.yml", - "Description": "Detects potential processes activity of Adobe Connect RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/comodo_rmm_processes_sigma.yml", + "Description": "Detects potential processes activity of Comodo RMM RMM tool" } ], "References": [ - "https://helpx.adobe.com/adobe-connect/firewall-proxy-server-configuration-adobe-connect.html" + "https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html" ], "Acknowledgement": [] }, { - "Name": "CloudFlare Tunnel", - "Description": "CloudFlare Tunnel is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Pocket Controller", + "Description": "Pocket Controller is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -1543,7 +1522,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "cloudflared.exe" + "pocketcontroller.exe", + "pocketcloudservice.exe", + "wysebrowser.exe" ] }, "Artifacts": { @@ -1554,7 +1535,7 @@ { "Description": "Known remote domains", "Domains": [ - "cloudflare.com/products/tunnel/" + "soti.net/products/soti-pocket-controller" ], "Ports": [] } 
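Review bot: `soti.net/products/soti-pocket-controller` in the Pocket Controller `Domains` array is a URL path, not a domain, so the `pocket_controller_network_sigma.yml` generated from it cannot match a DNS or TLS SNI value. Use the host pattern instead (the removed Pocket Controller (Soti Xsight) record had `*soti.net`) and move the page link to `References`, which the next hunk empties. The removed CloudFlare Tunnel record had the same defect with `cloudflare.com/products/tunnel/`, so the generator could reject any `Domains` value containing `/`.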
@@ -1562,22 +1543,20 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudflare_tunnel_network_sigma.yml", - "Description": "Detects potential network activity of CloudFlare Tunnel RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller_network_sigma.yml", + "Description": "Detects potential network activity of Pocket Controller RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudflare_tunnel_processes_sigma.yml", - "Description": "Detects potential processes activity of CloudFlare Tunnel RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller_processes_sigma.yml", + "Description": "Detects potential processes activity of Pocket Controller RMM tool" } ], - "References": [ - "cloudflare.com/products/tunnel/" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "DriveMaker", - "Description": "DriveMaker is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "NordLocker", + "Description": "NordLocker is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -1594,10 +1573,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\*\\DriveMaker.exe", - "*\\DriveMaker.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], 
@@ -1605,18 +1581,13 @@ "Registry": [], "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/drivemaker_processes_sigma.yml", - "Description": "Detects potential processes activity of DriveMaker RMM tool" - } - ], + "Detections": [], "References": [], "Acknowledgement": [] }, { - "Name": "mstsc", - "Description": "mstsc is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ExpanDrive", + "Description": "ExpanDrive is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -1634,8 +1605,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Windows\\System32\\mstsc.exe", - "*Windows\\System32\\mstsc.exe" + "C:\\Users\\*\\ExpanDrive.exe", + "*\\ExpanDrive.exe" ] }, "Artifacts": { @@ -1646,16 +1617,16 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mstsc_processes_sigma.yml", - "Description": "Detects potential processes activity of mstsc RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/expandrive_processes_sigma.yml", + "Description": "Detects potential processes activity of ExpanDrive RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "Parallels Access", - "Description": "Parallels Access is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "OCS inventory", + "Description": "OCS inventory is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", 
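Review bot: The removed `mstsc` record carried the rooted patterns `C:\\Windows\\System32\\mstsc.exe` and `*Windows\\System32\\mstsc.exe`, which are more specific than the bare `mstsc.exe` retained in the Microsoft RDP record that absorbs it; carrying the full-path variants over lets the processes rule separate the built-in client from an arbitrary binary given the same name. Its `mstsc_processes_sigma.yml` is dropped here, so check that the consolidated `microsoft_rdp_processes_sigma.yml` still covers the System32 path.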
@@ -1673,11 +1644,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "parallelsaccess-*.exe", - "TSClient.exe", - "prl_deskctl_agent.exe", - "prl_deskctl_wizard.exe", - "prl_pm_service.exe" + "ocsinventory.exe", + "ocsservice.exe" ] }, "Artifacts": { @@ -1688,8 +1656,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.parallels.com", - "parallels.com/products/ras/try" + "user_managed", + "ocsinventory-ng.org" ], "Ports": [] } @@ -1697,25 +1665,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/parallels_access_network_sigma.yml", - "Description": "Detects potential network activity of Parallels Access RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ocs_inventory_network_sigma.yml", + "Description": "Detects potential network activity of OCS inventory RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/parallels_access_processes_sigma.yml", - "Description": "Detects potential processes activity of Parallels Access RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ocs_inventory_processes_sigma.yml", + "Description": "Detects potential processes activity of OCS inventory RMM tool" } ], "References": [ - "https://kb.parallels.com/en/129097" + "https://ocsinventory-ng.org/?page_id=878&lang=en" ], "Acknowledgement": [] }, { - "Name": "ConnectWise Control", - "Description": "ConnectWise Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "GotoHTTP", + "Description": "GotoHTTP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -1730,8 +1698,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "connectwisechat-customer.exe", - "connectwisecontrol.client.exe" + "GotoHTTP_x64.exe", + "gotohttp.exe", + "GotoHTTP*.exe" ] }, "Artifacts": { @@ -1742,7 +1711,8 @@ { "Description": "Known remote domains", "Domains": [ - "control.connectwise.com" + "*.gotohttp.com", + "gotohttp.com" ], "Ports": [] } @@ -1750,20 +1720,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_network_sigma.yml", - "Description": "Detects potential network activity of ConnectWise Control RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotohttp_network_sigma.yml", + "Description": "Detects potential network activity of GotoHTTP RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_processes_sigma.yml", - "Description": "Detects potential processes activity of ConnectWise Control RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotohttp_processes_sigma.yml", + "Description": "Detects potential processes activity of GotoHTTP RMM tool" } ], - "References": [], + "References": [ + "https://gotohttp.com/goto/help.12x" + ], "Acknowledgement": [] }, { - "Name": "Devolutions Remote Desktop Manager", - "Description": "Devolutions Remote Desktop Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "CloudXplorer", + "Description": "CloudXplorer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -1780,7 +1752,11 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "C:\\Program Files\\ClumsyLeaf Software\\CloudXplorer\\*", + "*\\ClumsyLeaf Software\\CloudXplorer\\*", + "*\\clumsyleaf.cloudxplorer*.exe" + ] }, "Artifacts": { "Disk": [], @@ -1788,16 +1764,21 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudxplorer_processes_sigma.yml", + "Description": "Detects potential processes activity of CloudXplorer RMM tool" + } + ], "References": [], "Acknowledgement": [] }, { - "Name": "TigerVNC", - "Description": "TigerVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", + "Name": "Terminals", + "Description": "Terminals is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", "Created": "", - "LastModified": "2/26/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -1811,49 +1792,24 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "tigervnc*.exe", - "winvnc4.exe", - "C:\\Program Files\\TightVNC\\*", - "*\\TightVNC\\*", - "*\\tvnserver.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "user_managed" - ], - "Ports": [] - } - ] + "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tigervnc_network_sigma.yml", - "Description": "Detects potential network activity of TigerVNC RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tigervnc_processes_sigma.yml", - "Description": "Detects potential processes activity of TigerVNC RMM tool" - } - ], - "References": [ - "https://github.com/TigerVNC/tigervnc/releases" - ], + "Detections": [], + "References": [], "Acknowledgement": [] }, { - "Name": "Rocket Remote Desktop", - "Description": "Rocket Remote Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "RPort", + "Description": "RPort is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -1868,31 +1824,45 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "RDConsole.exe", - "RocketRemoteDesktop_Setup.exe" + "rport.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "user_managed", + "rport.io" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rocket_remote_desktop_processes_sigma.yml", - "Description": "Detects potential processes activity of Rocket Remote Desktop RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rport_network_sigma.yml", + "Description": "Detects potential network activity of RPort RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rport_processes_sigma.yml", + "Description": "Detects potential processes activity of RPort RMM tool" } ], - "References": [], + "References": [ + "https://kb.rport.io/using-the-remote-access" + ], "Acknowledgement": [] }, { - "Name": "NoteOn-desktop sharing", - "Description": "NoteOn-desktop sharing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "CentraStage (Now Datto)", + "Description": "CentraStage (Now Datto) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -1907,32 +1877,47 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "nateon*.exe", - "nateon.exe", - "nateonmain.exe" + "CagService.exe", + "AEMAgent.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.rmm.datto.com", + "*cc.centrastage.net", + "datto.com/au/products/rmm/" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/noteon-desktop_sharing_processes_sigma.yml", - "Description": "Detects potential processes activity of NoteOn-desktop sharing RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centrastage__now_datto__network_sigma.yml", + "Description": "Detects potential network activity of CentraStage (Now Datto) RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centrastage__now_datto__processes_sigma.yml", + "Description": "Detects potential processes activity of CentraStage (Now Datto) RMM tool" } ], - "References": [], + "References": [ + "https://rmm.datto.com/help/de/Content/1INTRODUCTION/Requirements/AllowListRequirements.htm" + ], "Acknowledgement": [] }, { - "Name": "Bomgar", - "Description": "Bomgar is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Instant Housecall", + "Description": "Instant Housecall is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -1947,7 +1932,10 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "bomgar-scc.exe" + "hsloader.exe", + "InstantHousecall.exe", + "ihcserver.exe", + "instanthousecall.exe" ] }, "Artifacts": { 
@@ -1958,7 +1946,10 @@ { "Description": "Known remote domains", "Domains": [ - "beyondtrust.com/brand/bomgar" + "*.instanthousecall.com", + "secure.instanthousecall.com", + "*.instanthousecall.net", + "instanthousecall.com" ], "Ports": [] } @@ -1966,23 +1957,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bomgar_network_sigma.yml", - "Description": "Detects potential network activity of Bomgar RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_network_sigma.yml", + "Description": "Detects potential network activity of Instant Housecall RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bomgar_processes_sigma.yml", - "Description": "Detects potential processes activity of Bomgar RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_processes_sigma.yml", + "Description": "Detects potential processes activity of Instant Housecall RMM tool" } ], - "References": [], + "References": [ + "https://instanthousecall.com/features/" + ], "Acknowledgement": [] }, { - "Name": "pCloud", - "Description": "pCloud is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "CruzControl", + "Description": "CruzControl is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -1996,11 +1989,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\Program Files (x86)\\pCloud Drive\\", - "*\\pCloud Drive\\", - "*\\pCloud.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], 
@@ -2008,21 +1997,18 @@ "Registry": [], "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcloud_processes_sigma.yml", - "Description": "Detects potential processes activity of pCloud RMM tool" - } + "Detections": [], + "References": [ + "https://resources.doradosoftware.com/cruz-rmm" ], - "References": [], "Acknowledgement": [] }, { - "Name": "HelpU", - "Description": "HelpU is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Mikogo", + "Description": "Mikogo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -2037,9 +2023,14 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "helpu_install.exe", - "HelpuUpdater.exe", - "HelpuManager.exe" + "mikogo.exe", + "mikogo-starter.exe", + "mikogo-service.exe", + "mikogolauncher.exe", + "C:\\Users\\*\\AppData\\Roaming\\Mikogo\\*", + "*Users\\*\\AppData\\Roaming\\Mikogo\\*", + "*\\Mikogo-Service.exe", + "*\\Mikogo-Screen-Service.exe" ] }, "Artifacts": { @@ -2050,8 +2041,10 @@ { "Description": "Known remote domains", "Domains": [ - "helpu.co.kr", - "*.helpu.co.kr" + "*.real-time-collaboration.com", + "*.mikogo4.com", + "*.mikogo.com", + "mikogo.com" ], "Ports": [] } 
@@ -2059,22 +2052,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpu_network_sigma.yml", - "Description": "Detects potential network activity of HelpU RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mikogo_network_sigma.yml", + "Description": "Detects potential network activity of Mikogo RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpu_processes_sigma.yml", - "Description": "Detects potential processes activity of HelpU RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mikogo_processes_sigma.yml", + "Description": "Detects potential processes activity of Mikogo RMM tool" } ], "References": [ - "https://helpu.co.kr/" + "https://mikogo.zendesk.com/hc/en-us/articles/214072478-Which-IP-addresses-do-we-use-for-our-services" ], "Acknowledgement": [] }, { - "Name": "Splashtop Remote", - "Description": "Splashtop Remote is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "mRemoteNG", + "Description": "mRemoteNG is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", 
@@ -2092,27 +2085,42 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "strwinclt.exe", - "Splashtop_Streamer_Windows*.exe", - "SplashtopSOS.exe", - "sragent.exe", - "srmanager.exe", - "srserver.exe", - "srservice.exe" + "mRemoteNG.exe", + "C:\\Program Files (x86)\\mRemoteNG\\*", + "*\\mRemoteNG\\*", + "*\\mRemoteNG.exe", + "c:\\Program Files (x86)%\\mRemoteNG", + "*%\\mRemoteNG", + "mRemoteNG-Installer-*.msi", + "*\\mRemoteNG.exe" ] }, "Artifacts": { - "Disk": [], + "Disk": [ + { + "File": "C:\\Users\\*\\AppData\\Roaming\\mRemoteNG\\mRemoteNG.log", + "Description": "mRemoteNG log file", + "OS": "Windows" + }, + { + "File": "C:\\Users\\*\\AppData\\Roaming\\mRemoteNG\\confCons.xml", + "Description": "mRemoteNG configuration file", + "OS": "Windows" + }, + { + "File": "C:\\Users\\*\\AppData\\*\\mRemoteNG\\**10\\user.config", + "Description": "mRemoteNG user configuration file", + "OS": "Windows" + } + ], "EventLog": [], "Registry": [], "Network": [ { "Description": "Known remote domains", "Domains": [ - "splashtop.com", - "*.api.splashtop.com", - "*.relay.splashtop.com", - "*.api.splashtop.eu" + "user_managed", + "mremoteng.org" ], "Ports": [] } 
@@ -2120,22 +2128,26 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_remote_network_sigma.yml", - "Description": "Detects potential network activity of Splashtop Remote RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_network_sigma.yml", + "Description": "Detects potential network activity of mRemoteNG RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_remote_processes_sigma.yml", - "Description": "Detects potential processes activity of Splashtop Remote RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_files_sigma.yml", + "Description": "Detects potential files activity of mRemoteNG RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_processes_sigma.yml", + "Description": "Detects potential processes activity of mRemoteNG RMM tool" } ], "References": [ - "https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services" + "https://github.com/mRemoteNG/mRemoteNG" ], "Acknowledgement": [] }, { - "Name": "X2Go", - "Description": "X2Go is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "LabTech RMM (Now ConnectWise Automate)", + "Description": "LabTech RMM (Now ConnectWise Automate) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -2152,24 +2164,45 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "ltsvc.exe", + "ltsvcmon.exe", + "lttray.exe" + ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] - }, - "Detections": [], + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "connectwise.com" + ], + "Ports": [] + } + ] + }, + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labtech_rmm__now_connectwise_automate__network_sigma.yml", + "Description": "Detects potential network activity of LabTech RMM (Now ConnectWise Automate) RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labtech_rmm__now_connectwise_automate__processes_sigma.yml", + "Description": "Detects potential processes activity of LabTech RMM (Now ConnectWise Automate) RMM tool" + } + ], "References": [], "Acknowledgement": [] }, { - "Name": "Pocket Controller", - "Description": "Pocket Controller is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ScreenMeet", + "Description": "ScreenMeet is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -2184,9 +2217,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "pocketcontroller.exe", - "pocketcloudservice.exe", - "wysebrowser.exe" + "ScreenMeetSupport.exe", + "ScreenMeet.Support.exe" ] }, "Artifacts": { @@ -2197,7 +2229,8 @@ { "Description": "Known remote domains", "Domains": [ - "soti.net/products/soti-pocket-controller" + "*.screenmeet.com", + "*.scrn.mt" ], "Ports": [] } 
@@ -2205,23 +2238,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller_network_sigma.yml", - "Description": "Detects potential network activity of Pocket Controller RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenmeet_network_sigma.yml", + "Description": "Detects potential network activity of ScreenMeet RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller_processes_sigma.yml", - "Description": "Detects potential processes activity of Pocket Controller RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenmeet_processes_sigma.yml", + "Description": "Detects potential processes activity of ScreenMeet RMM tool" } ], - "References": [], + "References": [ + "https://docs.screenmeet.com/docs/firewall-white-list" + ], "Acknowledgement": [] }, { - "Name": "Xshell", - "Description": "Xshell is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "RES Automation Manager", + "Description": "RES Automation Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -2236,32 +2271,48 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\NetSarang\\xShell\\*", - "*\\NetSarang\\xShell\\*", - "*\\xShell.exe" + "wisshell*.exe", + "wmc.exe", + "wmc_deployer.exe", + "wmcsvc.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "user_managed", + "ivanti.com/" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xshell_processes_sigma.yml", - "Description": "Detects potential processes activity of Xshell RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/res_automation_manager_network_sigma.yml", + "Description": "Detects potential network activity of RES Automation Manager RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/res_automation_manager_processes_sigma.yml", + "Description": "Detects potential processes activity of RES Automation Manager RMM tool" } ], - "References": [], + "References": [ + "https://forums.ivanti.com/s/article/INFO-Which-ports-does-Ivanti-Automation-use?language=en_US&ui-force-components-controllers-recordGlobalValueProvider.RecordGvp.getRecord=1" + ], "Acknowledgement": [] }, { - "Name": "Bitvise SSH Client", - "Description": "Bitvise SSH Client is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Anyplace Control", + "Description": "Anyplace Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -2276,29 +2327,41 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\Bitvise SSH Client\\*", - "*\\Bitvise SSH Client\\*", - "*\\BvSshClient-Inst.exe" + "apc_host.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "anyplace-control.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bitvise_ssh_client_processes_sigma.yml", - "Description": "Detects potential processes activity of Bitvise SSH Client RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyplace_control_network_sigma.yml", + "Description": "Detects potential network activity of Anyplace Control RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyplace_control_processes_sigma.yml", + "Description": "Detects potential processes activity of Anyplace Control RMM tool" } ], - "References": [], + "References": [ + "http://www.anyplace-control.com/anyplace-control/help/faq.htm" + ], "Acknowledgement": [] }, { - "Name": "Royal Server", - "Description": "Royal Server is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Dropbox", + "Description": "Dropbox is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -2315,37 +2378,34 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "C:\\Program Files (x86)\\Dropbox\\Client\\*", + "*\\Dropbox\\Client\\*", + "*\\Dropbox.exe", + "*Users\\*\\Dropbox\\bin\\" + ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "royalapps.com" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_server_network_sigma.yml", - "Description": "Detects potential network activity of Royal Server RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dropbox_processes_sigma.yml", + "Description": "Detects potential processes activity of Dropbox RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "Remote Manipulator System", - "Description": "Remote Manipulator System is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "TightVNC", + "Description": "TightVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { @@ -2360,8 +2420,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "rfusclient.exe", - "rutserv.exe" + "tvnviewer.exe", + "TightVNCViewerPortable*.exe", + "tvnserver.exe" ] }, "Artifacts": { @@ -2372,8 +2433,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.internetid.ru", - "rmansys.ru" + "user_managed", + "tightvnc.com" ], "Ports": [] } 
@@ -2381,22 +2442,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_manipulator_system_network_sigma.yml", - "Description": "Detects potential network activity of Remote Manipulator System RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tightvnc_network_sigma.yml", + "Description": "Detects potential network activity of TightVNC RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_manipulator_system_processes_sigma.yml", - "Description": "Detects potential processes activity of Remote Manipulator System RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tightvnc_processes_sigma.yml", + "Description": "Detects potential processes activity of TightVNC RMM tool" } ], "References": [ - "https://rmansys.ru/files/" + "https://www.tightvnc.com/doc/win/TightVNC_for_Windows-Installation_and_Getting_Started.pdf" ], "Acknowledgement": [] }, { - "Name": "Manage Engine (Desktop Central)", - "Description": "Manage Engine (Desktop Central) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "LiteManager", + "Description": "LiteManager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/8/2024", @@ -2414,8 +2475,12 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "dcagentservice.exe", - "dcagentregister.exe" + "lmnoipserver.exe", + "ROMFUSClient.exe", + "romfusclient.exe", + "romviewer.exe", + "romserver.exe", + "ROMServer.exe" ] }, "Artifacts": { 
@@ -2426,12 +2491,9 @@ { "Description": "Known remote domains", "Domains": [ - "desktopcentral.manageengine.com", - "desktopcentral.manageengine.com.eu", - "desktopcentral.manageengine.cn", - "*.dms.zoho.com", - "*.dms.zoho.com.eu", - "*.-dms.zoho.com.cn" + "*.litemanager.ru", + "*.litemanager.com", + "litemanager.com" ], "Ports": [] } @@ -2439,25 +2501,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manage_engine__desktop_central__network_sigma.yml", - "Description": "Detects potential network activity of Manage Engine (Desktop Central) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/litemanager_network_sigma.yml", + "Description": "Detects potential network activity of LiteManager RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manage_engine__desktop_central__processes_sigma.yml", - "Description": "Detects potential processes activity of Manage Engine (Desktop Central) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/litemanager_processes_sigma.yml", + "Description": "Detects potential processes activity of LiteManager RMM tool" } ], "References": [ - "https://www.manageengine.com/products/desktop-central/help/domains-required-for-agent-communication.html" + "https://www.litemanager.com/articles/LiteManager_remote_access_to_a_desktop_via_the_Internet_or_LAN/" ], "Acknowledgement": [] }, { - "Name": "Auvik", - "Description": "Auvik is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Box", + "Description": "Box is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -2472,47 +2534,32 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "auvik.engine.exe", - "auvik.agent.exe" + "C:\\Program Files\\Box\\Box\\*", + "*\\Box\\Box\\*", + "*\\Box.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.my.auvik.com", - "*.auvik.com", - "auvik.com" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/auvik_network_sigma.yml", - "Description": "Detects potential network activity of Auvik RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/auvik_processes_sigma.yml", - "Description": "Detects potential processes activity of Auvik RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/box_processes_sigma.yml", + "Description": "Detects potential processes activity of Box RMM tool" } ], - "References": [ - "https://support.auvik.com/hc/en-us/articles/204315700-What-protocols-and-ports-does-the-Auvik-collector-use" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "Basecamp", - "Description": "Basecamp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Sophos-Remote Management System", + "Description": "Sophos-Remote Management System is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -2526,7 +2573,11 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "clientmrinit.exe", + "mgntsvc.exe", + "routernt.exe" + ] }, "Artifacts": { "Disk": [], 
@@ -2536,7 +2587,10 @@ { "Description": "Known remote domains", "Domains": [ - "basecamp.com" + "*.sophos.com", + "*.sophosupd.com", + "*.sophosupd.net", + "community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system" ], "Ports": [] } @@ -2544,18 +2598,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/basecamp_network_sigma.yml", - "Description": "Detects potential network activity of Basecamp RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sophos-remote_management_system_network_sigma.yml", + "Description": "Detects potential network activity of Sophos-Remote Management System RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sophos-remote_management_system_processes_sigma.yml", + "Description": "Detects potential processes activity of Sophos-Remote Management System RMM tool" } ], "References": [ - "basecamp.com - No specific RMM tool listed" + "community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system" ], "Acknowledgement": [] }, { - "Name": "Free Tools Launcher", - "Description": "Free Tools Launcher is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ManageEngine", + "Description": "ManageEngine is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -2573,8 +2631,11 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files\\ManageEngine\\ManageEngine Free Tools\\Launcher\\*", - "*\\ManageEngine\\*" + "InstallShield Setup.exe", + "ManageEngine_Remote_Access_Plus.exe", + "*\\dcagentservice.exe", + "C:\\Program Files (x86)\\DesktopCentral_Agent\\bin\\*", + "*\\DesktopCentral_Agent\\bin\\*" ] }, "Artifacts": { 
@@ -2583,13 +2644,110 @@ "Registry": [], "Network": [] }, + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manageengine_processes_sigma.yml", + "Description": "Detects potential processes activity of ManageEngine RMM tool" + } + ], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "Cloud Explorer", + "Description": "Cloud Explorer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, "Detections": [], "References": [], "Acknowledgement": [] }, { - "Name": "aws-cli", - "Description": "aws-cli is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Splashtop Remote", + "Description": "Splashtop Remote is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/9/2024", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "strwinclt.exe", + "Splashtop_Streamer_Windows*.exe", + "SplashtopSOS.exe", + "sragent.exe", + "srmanager.exe", + "srserver.exe", + "srservice.exe" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "splashtop.com", + "*.api.splashtop.com", + "*.relay.splashtop.com", + "*.api.splashtop.eu" + ], + "Ports": [] + } + ] + }, + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_remote_network_sigma.yml", + "Description": "Detects potential network activity of Splashtop Remote RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_remote_processes_sigma.yml", + "Description": "Detects potential processes activity of Splashtop Remote RMM tool" + } + ], + "References": [ + "https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services" + ], + "Acknowledgement": [] + }, + { + "Name": "Dameware-mini remote control Protocol", + "Description": "Dameware-mini remote control Protocol is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
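Review bot: in hunk @@ -2583,13 +2644,110 @@, the Splashtop Remote entry sets "LastModified": "2/9/2024" (M/D/YYYY) while the LogMeIn entry added further down in this same file uses ISO "2024-08-05"; a consumer that parses or sorts on this field gets two formats from one generator run, so normalize to ISO 8601 in the generator rather than relying on the source records. Two smaller points: the new "Cloud Explorer" entry has every field empty (no Website, no InstallationPaths, no artifacts, no detections), so it adds a row that can never be detected; either populate it or skip emitting empty records. And Splashtop's InstallationPaths are bare filenames ("strwinclt.exe", "srservice.exe") under a key whose removed aws-cli counterpart held real paths ("C:\\Program Files\\Amazon\\AWSCLI\\*"); if both kinds are allowed, the schema should say whether a value is a filename match or a path glob, because the generated process rule has to treat them differently.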
@@ -2607,297 +2765,356 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files\\Amazon\\AWSCLI\\*", - "*\\Amazon\\AWSCLI\\*", - "*\\AWSCLIV*.msi", - "*\\AWSCLISetup.exe" + "dntus*.exe", + "dwrcs.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "dameware.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aws-cli_processes_sigma.yml", - "Description": "Detects potential processes activity of aws-cli RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware-mini_remote_control_protocol_network_sigma.yml", + "Description": "Detects potential network activity of Dameware-mini remote control Protocol RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware-mini_remote_control_protocol_processes_sigma.yml", + "Description": "Detects potential processes activity of Dameware-mini remote control Protocol RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "AnyDesk", - "Category": "RMM", - "Description": "AnyDesk is a popular remote desktop software that enables users to access and control a computer or device from a remote location. It was developed with the primary goal of facilitating remote work, technical support, and collaboration between individuals and teams.\n", - "Author": "Ali Alwashali, Nasreddine Bencherchali", - "Created": "2023-09-29", - "LastModified": "2024-08-02", + "Name": "rdp2tcp", + "Description": "rdp2tcp is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/9/2024", "Details": { - "Website": "https://anydesk.com/en", - "PEMetadata": [ + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "tdp2tcp.exe", + "rdp2tcp.py" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [ { - "Filename": "anydesk.exe", - "OriginalFileName": "AnyDesk.exe", - "Description": "AnyDesk", - "Product": "AnyDesk" + "Description": "Known remote domains", + "Domains": [ + "user_managed", + "github.com/V-E-O/rdp2tcp" + ], + "Ports": [] } - ], - "Privileges": "User", - "Free": true, - "Verification": false, - "SupportedOS": [ - "Android", - "ChromeOS", - "IOS", - "Linux", - "Mac", - "Windows" - ], - "Capabilities": [ - "File Transfer", - "File System Access", - "Remote Control", - "GUI Support", - "Command line Support" - ], - "Vulnerabilities": [ - "https://www.cvedetails.com/vulnerability-list/vendor_id-16953/product_id-40173/Anydesk-Anydesk.html" - ], + ] + }, + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdp2tcp_network_sigma.yml", + "Description": "Detects potential network activity of rdp2tcp RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdp2tcp_processes_sigma.yml", + "Description": "Detects potential processes activity of rdp2tcp RMM tool" + } + ], + "References": [ + "github.com/V-E-O/rdp2tcp" + ], + "Acknowledgement": [] + }, + { + "Name": "FleetDesk.io", + "Description": "FleetDesk.io is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/7/2024", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\AnyDesk\\*", - "C:\\Program Files\\AnyDesk\\*" + "fleetdeck_agent_svc.exe", + "fleetdeck_commander_svc.exe", + "fleetdeck_installer.exe", + "fleetdeck_agent.exe", + "fleetdeck_commander_launcher.exe" ] }, "Artifacts": { - "Disk": [ + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [ { - "File": "%programdata%\\AnyDesk\\ad_svc.trace", - "Description": "AnyDesk service log file. As well as ad.trace, we can determine the IP address of the other participant and its AnyDesk ID when a connection is established.", - "OS": "Windows", - "Example": [ - "info 2022-08-23 10:20:11.969 gsvc 4628 3528 3 anynet.relay_conn - External address: 34.xx.xx.123:46798" - ] - }, - { - "File": "%programdata%\\AnyDesk\\connection_trace.txt", - "Description": "Incoming connection logs, contains IP Address of the remote machine and file transfer activity. Only generated on target side. The content indicates how the connection was approved (e.g. the local user authorized it, or a password was used)", - "OS": "Windows", - "Example": [ - "Incoming 2022-08-23, 10:23 Passwd 547911884 547911884", - "Incoming 2022-09-28, 12:39 User 442226597 442226597" - ] - }, - { - "File": "%APPDATA%\\AnyDesk\\connection_trace.txt", - "Description": "Incoming connection logs, contains IP Address of the remote machine and file transfer activity. Only generated on target side. The content indicates how the connection was approved (e.g. 
the local user authorized it, or a password was used)", - "OS": "Windows", - "Example": [ - "Incoming 2022-08-23, 10:23 Passwd 547911884 547911884", - "Incoming 2022-09-28, 12:39 User 442226597 442226597" - ] - }, - { - "File": "%APPDATA%\\AnyDesk\\ad.trace", - "Description": "AnyDesk user interface log file. In this log file, we can determine the IP address of the other participant and its AnyDesk ID. It is also possible to track events of file transfer. Below is the Client ID and external IP address of the remote participant.", - "OS": "Windows", - "Example": [ - "info 2022-09-28 12:39:26.845 lsvc 9952 9944 21 anynet.any_socket - Client-ID: 442226597 (FPR: 8e28a2a25b30).", - "info 2022-09-28 12:39:26.845 lsvc 9952 9944 21 anynet.any_socket - Logged in from 12.xx.xx.21:59562 on relay 80e496c0." - ] - }, - { - "File": "%APPDATA%\\AnyDesk\\chat\\*.txt", - "Description": "If the chat functionality is used, its entries will be printed in a text file in this folder.", - "OS": "Windows" - }, + "Description": "Known remote domains", + "Domains": [ + "*.fleetdeck.io", + "cognito-idp.us-west-2.amazonaws.com", + "fleetdeck.io" + ], + "Ports": [] + } + ] + }, + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdesk.io_network_sigma.yml", + "Description": "Detects potential network activity of FleetDesk.io RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdesk.io_processes_sigma.yml", + "Description": "Detects potential processes activity of FleetDesk.io RMM tool" + } + ], + "References": [ + "https://fleetdeck.io/faq/" + ], + "Acknowledgement": [] + }, + { + "Name": "Jump Cloud", + "Description": "Jump Cloud is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/26/2024", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "JumpCloud*.exe " + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [ { - "File": "%APPDATA%\\AnyDesk\\user.conf", - "Description": "N/A", - "OS": "Windows" - }, + "Description": "Known remote domains", + "Domains": [ + "*.api.jumpcloud.com", + "*.assist.jumpcloud.com" + ], + "Ports": [] + } + ] + }, + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_cloud_network_sigma.yml", + "Description": "Detects potential network activity of Jump Cloud RMM tool" + } + ], + "References": [ + "https://jumpcloud.com/support/understand-remote-assist-agent" + ], + "Acknowledgement": [] + }, + { + "Name": "RuDesktop", + "Description": "RuDesktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/9/2024", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "rd.exe", + "rudesktop*.exe" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [ { - "File": "%PROGRAMDATA%\\AnyDesk\\service.conf", - "Description": "Password can be set to auto-validate the session. 
The password will be saved in a salted hash format.", - "OS": "Windows" - }, + "Description": "Known remote domains", + "Domains": [ + "*.rudesktop.ru", + "rudesktop.ru" + ], + "Ports": [] + } + ] + }, + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rudesktop_network_sigma.yml", + "Description": "Detects potential network activity of RuDesktop RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rudesktop_processes_sigma.yml", + "Description": "Detects potential processes activity of RuDesktop RMM tool" + } + ], + "References": [ + "https://rudesktop.ru" + ], + "Acknowledgement": [] + }, + { + "Name": "LogMeIn", + "Description": "LogMeIn is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.\n", + "Author": "Nasreddine Bencherchali", + "Created": "2024-08-05", + "LastModified": "2024-08-05", + "Details": { + "Website": "https://www.logmein.com/", + "PEMetadata": [ { - "File": "%APPDATA%\\AnyDesk\\service.conf", - "Description": "N/A", - "OS": "Windows" + "Filename": "lmiguardiansvc.exe" }, { - "File": "%APPDATA%\\AnyDesk\\system.conf", - "Description": "N/A", - "OS": "Windows" + "Filename": "lmiignition.exe" }, { - "File": "%PROGRAMDATA%\\AnyDesk\\system.conf", - "Description": "N/A", - "OS": "Windows" + "Filename": "logmeinsystray.exe" }, { - "File": "%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\AnyDesk.lnk", - "Description": "N/A", - "OS": "Windows" - }, + "Filename": "logmein.exe", + "OriginalFileName": "", + "Company": "LogMeIn, Inc.", + "Description": "LMIGuardianSvc", + "Product": "LMIGuardianSvc" + } + ], + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": null + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [ { - "File": 
"%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\AnyDesk\\Uninstall AnyDesk.lnk", "Description": "N/A", - "OS": "Windows" + "Domains": [ + "logmein-gateway.com" + ], + "Ports": [ + 443 + ] }, { - "File": "C:\\Users\\*\\Videos\\AnyDesk\\*.anydesk", "Description": "N/A", - "OS": "Windows" + "Domains": [ + "*.logmein.com" + ], + "Ports": [ + 443 + ] }, { - "File": "C:\\Windows\\SysWOW64\\config\\systemprofile\\AppData\\Roaming\\AnyDesk\\*", "Description": "N/A", - "OS": "Windows" + "Domains": [ + "*.logmein.eu" + ], + "Ports": [ + 443 + ] }, { - "File": "~/Library/Application Support/AnyDesk/Logs/", "Description": "N/A", - "OS": "Mac" + "Domains": [ + "logmeinrescue.com" + ], + "Ports": [ + 443 + ] }, { - "File": "~/.config/AnyDesk/Logs/", "Description": "N/A", - "OS": "Linux" - } - ], - "EventLog": [ - { - "EventID": 7045, - "ProviderName": "Service Control Manager", - "LogFile": "System.evtx", - "ServiceName": "AnyDesk Service", - "ImagePath": "\"C:\\\\Program Files (x86)\\\\AnyDesk\\\\AnyDesk.exe\" --service", - "Description": "Service installation event as result of AnyDesk installation." 
- } - ], - "Registry": [ - { - "Path": "HKLM\\SOFTWARE\\Clients\\Media\\AnyDesk", - "Description": "N/A" - }, - { - "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\AnyDesk", - "Description": "N/A" - }, - { - "Path": "HKLM\\SOFTWARE\\Classes\\.anydesk\\shell\\open\\command", - "Description": "N/A" - }, - { - "Path": "HKLM\\SOFTWARE\\Classes\\AnyDesk\\shell\\open\\command", - "Description": "N/A" - }, - { - "Path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\AnyDesk Printer\\*", - "Description": "N/A" - }, - { - "Path": "HKLM\\DRIVERS\\DriverDatabase\\DeviceIds\\USBPRINT\\AnyDesk", - "Description": "N/A" - }, - { - "Path": "HKLM\\DRIVERS\\DriverDatabase\\DeviceIds\\WSDPRINT\\AnyDesk", - "Description": "N/A" - }, - { - "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\AnyDesk", - "Description": "N/A" - } - ], - "Network": [ - { - "Description": "During setup the boot.net.anydesk.com domain is request over port 443", - "Domains": [ - "boot.net.anydesk.com" - ], - "Ports": [ - 443 - ] - }, - { - "Description": "N/A", - "Domains": [ - "relay-[a-f0-9]{8}.net.anydesk.com:443" - ], - "Ports": [ - 443 - ] - }, - { - "Description": "N/A", - "Domains": [ - "*.anydesk.com" - ], - "Ports": [ - 443 - ] - } - ], - "Other": [ - { - "Type": "User-Agent", - "Value": "AnyDesk/*" - }, - { - "Type": "NamedPipe", - "Value": "adprinterpipe" + "Domains": [ + "*.logmeininc.com" + ], + "Ports": [ + 443 + ] } ] }, "Detections": [ { - "Sigma": "https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/builtin/system/service_control_manager/win_system_service_install_anydesk.yml", - "Description": "Anydesk Remote Access Software Service Installation" - }, - { - "Sigma": "https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml", - "Description": "N/A" - }, - { - "Sigma": 
"https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk.yml", - "Description": "N/A" - }, - { - "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml", - "Description": "Remote Access Tool - AnyDesk Silent Installation" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_registry_sigma.yml", - "Description": "Detects potential registry activity of AnyDesk RMM tool" + "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml", + "Description": "DNS Query To Remote Access Software Domain From Non-Browser App" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_network_sigma.yml", - "Description": "Detects potential network activity of AnyDesk RMM tool" + "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_remote_access_tools_logmein.yml", + "Description": "Remote Access Tool - LogMeIn Execution" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_files_sigma.yml", - "Description": "Detects potential files activity of AnyDesk RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_network_sigma.yml", + "Description": "Detects potential network activity of LogMeIn RMM tool" } ], "References": [ - "https://support.anydesk.com/knowledge/firewall", - "https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html", - "https://github.com/mthcht/awesome-lists/tree/79ced75eebe53bcabf1235b3c17eb11788875482/Lists/RMM/anydesk", - 
"https://ruler-project.github.io/ruler-project/RULER/remote/AnyDesk/" + "https://support.logmeininc.com/central/help/allowlisting-and-firewall-configuration" ], "Acknowledgement": [ - { - "Person": "Théo Letailleur", - "Handle": "in/theosyn" - }, - { - "Person": "Ali Alwashali", - "Handle": "@ali_alwashali" - }, { "Person": "Nasreddine Bencherchali", "Handle": "@nas_bench" 
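Review bot: in hunk @@ -2607,297 +2765,356 @@, the LogMeIn entry emits "InstallationPaths": null where every other record uses "[]"; anything that iterates this list will throw on the null, so the generator should emit an empty array. Several other values in this hunk look wrong rather than incomplete: rdp2tcp lists "tdp2tcp.exe", which reads as a typo for rdp2tcp.exe (the reference is github.com/V-E-O/rdp2tcp and the companion entry is rdp2tcp.py), so rdp2tcp_processes_sigma.yml would never match; the Jump Cloud path "JumpCloud*.exe " carries a trailing space that defeats an exact or glob match; the entry named "FleetDesk.io" has binaries ("fleetdeck_agent_svc.exe") and domains ("*.fleetdeck.io") that all spell it FleetDeck, so the name and the derived fleetdesk.io_*_sigma.yml filenames disagree with the artifacts, and "cognito-idp.us-west-2.amazonaws.com" is shared AWS Cognito infrastructure that any application using Cognito in that region will contact; rdp2tcp's Domains holds "user_managed" and the GitHub URL, neither of which is a domain, and "user_managed" looks like a placeholder for "operator-hosted" that will end up as a literal string in the network rule. On LogMeIn, PEMetadata is an array while the other records in this hunk use a single object, and the "logmein.exe" record carries Description and Product "LMIGuardianSvc", which looks like metadata copied from lmiguardiansvc.exe. Finally, the complete AnyDesk entry (disk, registry and event log artifacts, the SigmaHQ rules and the acknowledgements) appears here only as removed lines; please confirm it is re-emitted elsewhere rather than dropped, and have the generator sort records by Name so that regeneration yields content diffs instead of this wholesale reshuffle.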
@@ -2905,122 +3122,46 @@ ] }, { - "Name": "AnyViewer", - "Description": "AnyViewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.\n", - "Author": "@kostastsale", - "Created": "2024-08-03", - "LastModified": "2024-08-03", + "Name": "SmartFTP", + "Description": "SmartFTP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "", "Details": { - "Website": "https://www.anyviewer.com/", - "PEMetadata": [ - { - "Filename": "AnyViewer.exe", - "OriginalFileName": "AnyViewer", - "Description": "Splash Window" - }, - { - "Filename": "RCClient.exe", - "OriginalFileName": "RCClient.exe", - "Description": "AnyViewer Core" - }, - { - "Filename": "ScreanCap.exe", - "Description": "Screan capture" - }, - { - "Filename": "AVCore.exe" - }, - { - "Filename": "RCService.exe" - } - ], - "Privileges": "System", - "Free": "up to 10 devices", - "Verification": "None", - "SupportedOS": [ - "Windows" - ], - "Capabilities": [ - "Remote desktop", - "Remote file transfer", - "Remote monitoring and management", - "Remote shell open" - ], + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\AnyViewer\\*" + "C:\\Program Files (x86)\\SmartFTP Client\\en-US\\", + "*\\SmartFTP Client\\*", + "*\\SfShellTools.dll.mui" ] }, "Artifacts": { "Disk": [], - "EventLog": [ - { - "EventID": 4688, - "ProviderName": "Microsoft-Security-Auditing", - "LogFile": "Security.evtx", - "CommandLine": "\"C:\\\\Program Files (x86)\\\\AnyViewer\\\\AVCore.exe\" -d", - "Description": "Taking actions on the remote machine such as opening a command prompt." 
- }, - { - "EventID": 7045, - "ProviderName": "Service Control Manager", - "LogFile": "System.evtx", - "ServiceName": "RCService", - "ImagePath": "C:\\\\Program Files (x86)\\\\AnyViewer\\\\RCService.exe", - "Description": "AnyViewer service installation service." - } - ], + "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "N/A", - "Domains": [ - "*.anyviewer.com" - ], - "Ports": [ - 443 - ] - }, - { - "Description": "N/A", - "Domains": [ - "*.aomeisoftware.com" - ], - "Ports": [ - 443 - ] - } - ] + "Network": [] }, - "Detections": [ - { - "Name": "Arbitrary code execution and remote sessions via Action1 RMM", - "Description": "Threat hunting rule for detecting the execution of arbitrary code and remote sessions via Action1 RMM", - "author": "@kostastsale", - "Link": "https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/Anyviewer.yml" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyviewer_network_sigma.yml", - "Description": "Detects potential network activity of AnyViewer RMM tool" - } - ], - "References": [ - "https://www.anyviewer.com/how-to/how-to-open-firewall-ports-for-remote-desktop-0427-gc.html", - "https://www.anyviewer.com/help/remote-technical-support.html" - ], - "Acknowledgement": [ - { - "Person": "Kostas", - "Handle": "@kostastsale" - } - ] + "Detections": [], + "References": [], + "Acknowledgement": [] }, { - "Name": "DW Service", - "Description": "DW Service is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "NetSupport Manager", + "Description": "NetSupport Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
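Review bot: in hunk @@ -2905,122 +3122,46 @@, SmartFTP is an FTP client (its own paths say "SmartFTP Client" and "SfShellTools.dll.mui") but the entry keeps the generic "is a remote monitoring and management (RMM) tool" Description and ships with empty Detections, References and Network; if it belongs in the catalogue at all, the Description should say what it is and why it matters (file transfer rather than remote control), and "*\\SfShellTools.dll.mui", a shell-extension resource file, is a poor process or path indicator. In the removed AnyViewer block the custom detection is labelled "Arbitrary code execution and remote sessions via Action1 RMM" while its Link points at Anyviewer.yml; if that record is relocated rather than deleted, the label should be corrected at its new location.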
@@ -3035,9 +3176,10 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "dwagent.exe", - "dwagsvc.exe" - ] + "pcictlui.exe", + "pcicfgui.exe", + "client32.exe" + ] }, "Artifacts": { "Disk": [], @@ -3047,7 +3189,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.dwservice.net" + "*.netsupportmanager.com", + "netsupportmanager.com" ], "Ports": [] } @@ -3055,25 +3198,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_network_sigma.yml", - "Description": "Detects potential network activity of DW Service RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_network_sigma.yml", + "Description": "Detects potential network activity of NetSupport Manager RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_processes_sigma.yml", - "Description": "Detects potential processes activity of DW Service RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_processes_sigma.yml", + "Description": "Detects potential processes activity of NetSupport Manager RMM tool" } ], "References": [ - "https://news.dwservice.net/dwservice-security-infrastructure/" + "https://www.netsupportmanager.com/resources/" ], "Acknowledgement": [] }, { - "Name": "Level", - "Description": "Level is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Pocket Cloud (Wyse)", + "Description": "Pocket Cloud (Wyse) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
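Review bot: in hunk @@ -3035,9 +3176,10 @@, the "]" that closes InstallationPaths is emitted as a removed line and a re-added line although its visible content is identical, which means only its indentation changed between runs; the generator's indentation is not stable, and that alone inflates every regeneration diff. Fix the serializer's indent setting so structurally unchanged lines stay as context.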
@@ -3087,37 +3230,34 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "pocketcloud*.exe", + "pocketcloudservice.exe" + ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "level.io" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level_network_sigma.yml", - "Description": "Detects potential network activity of Level RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_cloud__wyse__processes_sigma.yml", + "Description": "Detects potential processes activity of Pocket Cloud (Wyse) RMM tool" } ], - "References": [], + "References": [ + "https://wyse-pocketcloud.informer.com/2.1/" + ], "Acknowledgement": [] }, { - "Name": "Site24x7", - "Description": "Site24x7 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Guacamole", + "Description": "Guacamole is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/13/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -3132,10 +3272,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "MEAgentHelper.exe", - "MonitoringAgent.exe", - "Site24x7WindowsAgentTrayIcon.exe", - "Site24x7PluginAgent.exe" + "guacd.exe" ] }, "Artifacts": { @@ -3146,12 +3283,8 @@ { "Description": "Known remote domains", "Domains": [ - "plus*.site24x7.com", - "plus*.site24x7.eu", - "plus*.site24x7.in", - "plus*.site24x7.cn", - "plus*.site24x7.net.au", - "site24x7.com/msp" + "user_managed", + "guacamole.apache.org" ], "Ports": [] } 
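Review bot: in hunk @@ -3087,37 +3230,34 @@, the new Pocket Cloud (Wyse) reference "https://wyse-pocketcloud.informer.com/2.1/" is a third-party download aggregator rather than vendor documentation, so it neither confirms the "pocketcloud*.exe" and "pocketcloudservice.exe" names nor gives a firewall or domain list; cite a Dell/Wyse page or leave References empty as it was.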
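Review bot: in hunk @@ -3146,12 +3283,8 @@, the Guacamole Domains list ("user_managed", "guacamole.apache.org") describes the project's website, not anything a deployed Guacamole gateway or its browser clients connect to, so guacamole_network_sigma.yml (next hunk) would only ever fire on someone reading the Apache docs. Since the deployment is self-hosted, leave Domains empty and state that in the Description; and note that "guacd.exe" in the preceding hunk is the server-side proxy daemon, so a process rule on it identifies the gateway host, not the endpoint being accessed.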
@@ -3159,16 +3292,16 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/site24x7_network_sigma.yml", - "Description": "Detects potential network activity of Site24x7 RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/guacamole_network_sigma.yml", + "Description": "Detects potential network activity of Guacamole RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/site24x7_processes_sigma.yml", - "Description": "Detects potential processes activity of Site24x7 RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/guacamole_processes_sigma.yml", + "Description": "Detects potential processes activity of Guacamole RMM tool" } ], "References": [ - "https://support.site24x7.com/portal/en/kb/articles/which-ports-do-i-need-to-allow-access-in-my-firewall-to-use-site24x7-agent" + "guacamole.apache.org" ], "Acknowledgement": [] }, 
@@ -3204,86 +3337,48 @@ "Acknowledgement": [] }, { - "Name": "ScreenConnect", - "Description": "ScreenConnect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "Ali Alwashali, Nasreddine Bencherchali", - "Created": "2023-10-01", - "LastModified": "2024-08-03", + "Name": "LANDesk", + "Description": "LANDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/8/2024", "Details": { - "Website": "https://www.connectwise.com", - "PEMetadata": [ - { - "Filename": "", - "OriginalFileName": "", - "Description": "" - } - ], + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, "Privileges": "", - "Free": "14-Days Free Trial", + "Free": "", "Verification": "", - "SupportedOS": [ - "Android", - "IOS", - "Linux", - "Mac", - "Windows" - ], - "Capabilities": [ - "Command Line Support", - "File Transfer", - "Install Windows updates", - "Receive notification when user performs a predefined event", - "Remote Command Line", - "Remote Control", - "Sound Capture", - "Start / Stop services", - "View event logs" - ], + "SupportedOS": [], + "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\ScreenConnect Client (Random)\\ScreenConnect.ClientService.exe", - "Remote Workforce Client.exe", - "*\\*\\ScreenConnect.ClientService.exe", - "C:\\Program Files (x86)\\ScreenConnect Client ()\\*", - "*\\ScreenConnect Client*\\*", - "*\\*\\ScreenConnect.WindowsClient.exe", - "screenconnect*.exe", - "screenconnect.windowsclient.exe", - "Remote Workforce Client.exe", - "screenconnect*.exe", - "ConnectWiseControl*.exe", - "connectwise*.exe", - "screenconnect.windowsclient.exe", - "screenconnect.clientservice.exe" + "issuser.exe", + "landeskagentbootstrap.exe", + "LANDeskPortalManager.exe", + "ldinv32.exe", + "ldsensors.exe", + 
"C:\\Program Files (x86)\\LANDesk\\*", + "*\\LANDesk\\*", + "*\\issuser.exe", + "*\\softmon.exe", + "*\\tmcsvc.exe" ] }, "Artifacts": { - "Disk": [ - { - "File": "C:\\Program Files*\\ScreenConnect\\App_Data\\Session.db", - "Description": "ScreenConnect session database", - "OS": "Windows" - }, - { - "File": "C:\\Program Files*\\ScreenConnect\\App_Data\\User.xml", - "Description": "ScreenConnect user configuration", - "OS": "Windows" - }, - { - "File": "C:\\ProgramData\\ScreenConnect Client*\\user.config", - "Description": "ScreenConnect client user configuration", - "OS": "Windows" - } - ], + "Disk": [], "EventLog": [], "Registry": [], "Network": [ { "Description": "Known remote domains", "Domains": [ - "control.connectwise.com", - "*.connectwise.com", - "*.screenconnect.com" + "*.ivanticloud.com", + "*.ivanti.com", + "ivanti.com" ], "Ports": [] } 
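Review bot: in hunk @@ -3204,86 +3337,48 @@, the LANDesk InstallationPaths contain both "issuser.exe" and "*\\issuser.exe", which are the same indicator twice, and the list again mixes bare filenames with path globs; dedupe and keep one form. The Domains are all Ivanti ("*.ivanticloud.com", "*.ivanti.com"), which is correct for the current owner of LANDesk, but the Description is still the placeholder and never mentions Ivanti, so a reader matching on those domains will not connect them to this record. The removed ScreenConnect block raises the same relocation question as AnyDesk, and wherever it lands its InstallationPaths should be deduplicated: "Remote Workforce Client.exe", "screenconnect*.exe" and "screenconnect.windowsclient.exe" each appear twice.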
@@ -3291,26 +3386,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_network_sigma.yml", - "Description": "Detects potential network activity of ScreenConnect RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_files_sigma.yml", - "Description": "Detects potential files activity of ScreenConnect RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/landesk_network_sigma.yml", + "Description": "Detects potential network activity of LANDesk RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_processes_sigma.yml", - "Description": "Detects potential processes activity of ScreenConnect RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/landesk_processes_sigma.yml", + "Description": "Detects potential processes activity of LANDesk RMM tool" } ], "References": [ - "https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours/" + "https://forums.ivanti.com/s/article/URL-exception-list-for-Ivanti-Security-Controls?language=en_US" ], "Acknowledgement": [] }, { - "Name": "SmartFTP", - "Description": "SmartFTP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Cruz", + "Description": "Cruz is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -3327,25 +3418,34 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\Program Files (x86)\\SmartFTP Client\\en-US\\", - "*\\SmartFTP Client\\*", - "*\\SfShellTools.dll.mui" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "resources.doradosoftware.com/cruz-rmm" + ], + "Ports": [] + } + ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cruz_network_sigma.yml", + "Description": "Detects potential network activity of Cruz RMM tool" + } + ], "References": [], "Acknowledgement": [] }, { - "Name": "SpyAnywhere", - "Description": "SpyAnywhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "pcAnywhere", + "Description": "pcAnywhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -3363,7 +3463,10 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "sysdiag.exe" + "awhost32.exe", + "awrem32.exe", + "pcaquickconnect.exe", + "winaw32.exe" ] }, "Artifacts": { @@ -3374,8 +3477,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.spytech-web.com", - "spyanywhere.com" + "user_managed" ], "Ports": [] } 
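Review bot: in hunk @@ -3327,25 +3418,34 @@, the Cruz entry's only Domains value, "resources.doradosoftware.com/cruz-rmm", is a URL path, and cruz_network_sigma.yml, generated from it, is the entry's only detection, so the record has no working indicator; put the host ("resources.doradosoftware.com" or "*.doradosoftware.com") in Domains and move the URL into References, which is empty.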
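Review bot: in hunk @@ -3374,8 +3477,7 @@, pcAnywhere's Domains collapses to the single placeholder "user_managed", yet the next hunk still emits pcanywhere_network_sigma.yml from it; a network rule generated from a placeholder string is dead weight at best and a false-positive source if a consumer treats it as a hostname. Represent "self-hosted, no fixed domain" outside the Domains array (an empty list plus a sentence in Description) and have the generator skip the network rule when Domains is empty.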
@@ -3383,25 +3485,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/spyanywhere_network_sigma.yml", - "Description": "Detects potential network activity of SpyAnywhere RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcanywhere_network_sigma.yml", + "Description": "Detects potential network activity of pcAnywhere RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/spyanywhere_processes_sigma.yml", - "Description": "Detects potential processes activity of SpyAnywhere RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcanywhere_processes_sigma.yml", + "Description": "Detects potential processes activity of pcAnywhere RMM tool" } ], "References": [ - "https://www.spyanywhere.com/support.shtml" + "https://en.wikipedia.org/wiki/PcAnywhere" ], "Acknowledgement": [] }, { - "Name": "NinjaRMM", - "Description": "NinjaRMM is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "mstsc", + "Description": "mstsc is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
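Review bot: The pcAnywhere entry gets a pcanywhere_network_sigma.yml detection, yet its only "Domains" value in the preceding hunk is the placeholder "user_managed"; a network rule generated from that list either matches the literal string "user_managed" or has no selection at all. Suggest the generator skip the network detection when "Domains" contains only placeholders, or record "user_managed" in a separate flag field instead of the domain list. The same applies to the PSEXEC (Clone) and Royal Apps entries later in this patch.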
@@ -3416,47 +3518,28 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ninjarmmagent.exe", - "NinjaRMMAgent.exe", - "NinjaRMMAgenPatcher.exe", - "ninjarmm-cli.exe" + "C:\\Windows\\System32\\mstsc.exe", + "*Windows\\System32\\mstsc.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.ninjarmm.com", - "*.ninjaone.com", - "resources.ninjarmm.com", - "ninjaone.com" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ninjarmm_network_sigma.yml", - "Description": "Detects potential network activity of NinjaRMM RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ninjarmm_processes_sigma.yml", - "Description": "Detects potential processes activity of NinjaRMM RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mstsc_processes_sigma.yml", + "Description": "Detects potential processes activity of mstsc RMM tool" } ], - "References": [ - "https://www.ninjaone.com/faq/" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "CloudXplorer", - "Description": "CloudXplorer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "FreeNX", + "Description": "FreeNX is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -3474,9 +3557,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files\\ClumsyLeaf Software\\CloudXplorer\\*", - "*\\ClumsyLeaf Software\\CloudXplorer\\*", - "*\\clumsyleaf.cloudxplorer*.exe" + "C:\\*\\nxplayer.exe", + "*\\nxplayer.exe" ] }, "Artifacts": { 
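Review bot: mstsc.exe is the built-in Windows Remote Desktop client, so a process-activity detection keyed only on "C:\\Windows\\System32\\mstsc.exe" will fire on every routine RDP session in a Windows fleet; the entry should say so (a tuning hint in the detection "Description", or a note in "Privileges"/"Capabilities") so the generated rule is not deployed untuned. Minor: the glob "*Windows\\System32\\mstsc.exe" already covers the literal path listed before it, and the FreeNX pair "C:\\*\\nxplayer.exe" / "*\\nxplayer.exe" in the following hunk is redundant in the same way.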
@@ -3487,19 +3569,19 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudxplorer_processes_sigma.yml", - "Description": "Detects potential processes activity of CloudXplorer RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/freenx_processes_sigma.yml", + "Description": "Detects potential processes activity of FreeNX RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "CruzControl", - "Description": "CruzControl is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "PSEXEC (Clone)", + "Description": "PSEXEC (Clone) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -3513,23 +3595,48 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "paexec.exe", + "PAExec-*.exe", + "csexec.exe ", + "remcom.exe", + "remcomsvc.exe", + "xcmd.exe", + "xcmdsvc.exe" + ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "user_managed" + ], + "Ports": [] + } + ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec__clone__network_sigma.yml", + "Description": "Detects potential network activity of PSEXEC (Clone) RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec__clone__processes_sigma.yml", + "Description": "Detects potential processes activity of PSEXEC (Clone) RMM tool" + } + ], "References": [ - "https://resources.doradosoftware.com/cruz-rmm" + "https://www.poweradmin.com/paexec/" ], "Acknowledgement": [] }, { - "Name": "SimpleHelp", - "Description": "SimpleHelp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "SpyAnywhere", + "Description": "SpyAnywhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -3547,11 +3654,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "simplehelpcustomer.exe", - "simpleservice.exe", - "simplegatewayservice.exe", - "remote access.exe", - "windowslauncher.exe" + "sysdiag.exe" ] }, "Artifacts": { @@ -3562,8 +3665,8 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "simple-help.com" + "*.spytech-web.com", + "spyanywhere.com" ], "Ports": [] } 
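Review bot: "csexec.exe " in the PSEXEC (Clone) "InstallationPaths" list carries a trailing space, so an exact or endswith comparison on the image name will never match it; trim it, and have the generator strip whitespace from every list value so this cannot recur. Also note that this entry's only domain is the placeholder "user_managed" while a psexec__clone__network_sigma.yml detection is still emitted; see the earlier comment on pcAnywhere.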
@@ -3571,25 +3674,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/simplehelp_network_sigma.yml", - "Description": "Detects potential network activity of SimpleHelp RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/spyanywhere_network_sigma.yml", + "Description": "Detects potential network activity of SpyAnywhere RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/simplehelp_processes_sigma.yml", - "Description": "Detects potential processes activity of SimpleHelp RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/spyanywhere_processes_sigma.yml", + "Description": "Detects potential processes activity of SpyAnywhere RMM tool" } ], "References": [ - "https://simple-help.com/remote-support" + "https://www.spyanywhere.com/support.shtml" ], "Acknowledgement": [] }, { - "Name": "EMCO Remote Console", - "Description": "EMCO Remote Console is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ODrive", + "Description": "ODrive is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -3604,43 +3707,32 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "remoteconsole.exe" + "C:\\Users\\*\\current\\", + "*Users\\*\\.odrive", + "*\\Odriveapp.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "user_managed", - "emcosoftware.com" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/emco_remote_console_network_sigma.yml", - "Description": "Detects potential network activity of EMCO Remote Console RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/emco_remote_console_processes_sigma.yml", - "Description": "Detects potential processes activity of EMCO Remote Console RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/odrive_processes_sigma.yml", + "Description": "Detects potential processes activity of ODrive RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "ngrok", - "Description": "ngrok is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "MultCloud", + "Description": "MultCloud is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
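Review bot: The ODrive path "C:\\Users\\*\\current\\" matches any folder named "current" under any user profile and is not specific to odrive, unlike the ".odrive" and "Odriveapp.exe" patterns next to it; a file or process rule built from it will be noisy. Suggest dropping it or anchoring it under the odrive-specific parent directory.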
@@ -3655,47 +3747,26 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ngrok.exe", - "C:\\*\\ngrok.zip", - "*\\ngrok*" + "requires sign up", + "requires sign up" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "user_managed", - "ngrok.com" - ], - "Ports": [] - } - ] + "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ngrok_network_sigma.yml", - "Description": "Detects potential network activity of ngrok RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ngrok_processes_sigma.yml", - "Description": "Detects potential processes activity of ngrok RMM tool" - } - ], - "References": [ - "https://ngrok.com/docs/guides/running-behind-firewalls/" - ], + "Detections": [], + "References": [], "Acknowledgement": [] }, { - "Name": "Apple Remote Desktop", - "Description": "Apple Remote Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Visual Studio Dev Tunnel", + "Description": "Visual Studio Dev Tunnel is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/24/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -3709,9 +3780,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "ARDAgent.app" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], @@ -3721,7 +3790,9 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed" + "global.rel.tunnels.api.visualstudio.com", + "*.rel.tunnels.api.visualstudio.com", + "*.devtunnels.ms" ], "Ports": [] } 
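Review bot: The MultCloud "InstallationPaths" list contains the text "requires sign up" twice; that is a remark, not a path pattern, and it is duplicated. Suggest leaving the list empty, putting the remark in "Description" or "References", and having the generator deduplicate list values. The Visual Studio Dev Tunnel "Domains" list in the same hunk is the right shape (bare hostnames and wildcard domains such as "*.devtunnels.ms") and is the format the other entries should follow.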
@@ -3729,21 +3800,21 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/apple_remote_desktop_network_sigma.yml", - "Description": "Detects potential network activity of Apple Remote Desktop RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/visual_studio_dev_tunnel_network_sigma.yml", + "Description": "Detects potential network activity of Visual Studio Dev Tunnel RMM tool" } ], "References": [ - "https://support.apple.com/guide/remote-desktop/install-and-set-up-remote-desktop-apdf49e03a4/mac" + "https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security" ], "Acknowledgement": [] }, { - "Name": "Netviewer (GoToMeet)", - "Description": "Netviewer (GoToMeet) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Xpra", + "Description": "Xpra is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -3758,8 +3829,10 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "nvClient.exe", - "netviewer.exe" + "C:\\Program Files (x86)\\Xpra\\*", + "*\\Xpra\\*", + "*\\Xpra-Launcher.exe", + "*\\Xpra-x86_64_Setup.exe" ] }, "Artifacts": { 
@@ -3770,18 +3843,16 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer__gotomeet__processes_sigma.yml", - "Description": "Detects potential processes activity of Netviewer (GoToMeet) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xpra_processes_sigma.yml", + "Description": "Detects potential processes activity of Xpra RMM tool" } ], - "References": [ - "Obsolute - found copy here: https://www.enviolet.com/en/service/online-consultant.html" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "NoMachine", - "Description": "NoMachine is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Royal Apps", + "Description": "Royal Apps is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -3799,9 +3870,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "nomachine*.exe", - "nxservice*.ese", - "nxd.exe" + "royalserver.exe", + "royalts.exe" ] }, "Artifacts": { @@ -3812,8 +3882,7 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "nomachine.com" + "user_managed" ], "Ports": [] } 
@@ -3821,25 +3890,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nomachine_network_sigma.yml", - "Description": "Detects potential network activity of NoMachine RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_apps_network_sigma.yml", + "Description": "Detects potential network activity of Royal Apps RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nomachine_processes_sigma.yml", - "Description": "Detects potential processes activity of NoMachine RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_apps_processes_sigma.yml", + "Description": "Detects potential processes activity of Royal Apps RMM tool" } ], "References": [ - "https://kb.nomachine.com/AR04S01122" + "https://www.royalapps.com/ts/win/download" ], "Acknowledgement": [] }, { - "Name": "MioNet (WD Anywhere Access)", - "Description": "MioNet (WD Anywhere Access) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "eHorus", + "Description": "eHorus is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -3854,31 +3923,40 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "mionet.exe", - "mionetmanager.exe" + "ehorus standalone.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "ehorus.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mionet__wd_anywhere_access__processes_sigma.yml", - "Description": "Detects potential processes activity of MioNet (WD Anywhere Access) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ehorus_network_sigma.yml", + "Description": "Detects potential network activity of eHorus RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ehorus_processes_sigma.yml", + "Description": "Detects potential processes activity of eHorus RMM tool" } ], - "References": [ - "https://en.wikipedia.org/wiki/WD_Anywhere_Access - DOA as of 2016" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "Splashtop", - "Description": "Splashtop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "Nasreddine Bencherchali", + "Name": "Bomgar", + "Description": "Bomgar is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", "Created": "", "LastModified": "", "Details": { 
@@ -3895,382 +3973,83 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\Splashtop\\*", - "*\\Splashtop\\Splashtop Remote\\Client for RMM\\*", - "strwinclt.exe" + "bomgar-scc.exe" ] }, "Artifacts": { - "Disk": [ - { - "File": "C:\\windows\\System32\\winevt\\Logs\\Splashtop-Splashtop Streamer-Status%4Operational.evtx", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\windows\\System32\\winevt\\Logs\\Splashtop-Splashtop Streamer-Remote Session%4Operational.evtx", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "%PROGRAMDATA%\\Splashtop\\Temp\\log\\FTCLog.txt", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\agent_log.txt", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\SPLog.txt", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\svcinfo.txt", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\sysinfo.txt", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRService.exe", - "Description": "Splashtop Remote Service", - "OS": "Windows" - }, - { - "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRAgent.exe", - "Description": "SplashTop Remote Agent", - "OS": "Windows" - }, - { - "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Software Updater\\SSUAgent.exe", - "Description": "Splashtop Updater", - "OS": "Windows" - }, - { - "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRUtility.exe", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRFeature.exe", - "Description": "N/A", - "OS": 
"Windows" - }, - { - "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\db\\SRAgent.sqlite3", - "Description": "N/A", - "OS": "Windows" - } - ], - "EventLog": [ - { - "EventID": 7045, - "ProviderName": "Service Control Manager", - "LogFile": "System.evtx", - "ServiceName": "Splashtop Software Updater Service", - "ImagePath": "\"C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Software Updater\\\\SSUService.exe\"", - "Description": "Service installation event as result of Splashtop Software Updater Service installation." - }, - { - "EventID": 7045, - "ProviderName": "Service Control Manager", - "LogFile": "System.evtx", - "ServiceName": "Splashtop® Remote Service", - "ImagePath": "\"C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Remote\\\\Server\\\\SRService.exe\"", - "Description": "Service installation event as result of Splashtop Remote Service installation." - }, - { - "EventID": 7045, - "ProviderName": "Service Control Manager", - "LogFile": "System.evtx", - "ServiceName": "SplashtopRemoteService", - "ImagePath": "\"C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Remote\\\\Server\\\\SRService.exe\"", - "Description": "Service installation event as result of Splashtop Remote Service installation." - } - ], - "Registry": [ - { - "Path": "KLM\\SOFTWARE\\WOW6432Node\\Splashtop Inc.\\*", - "Description": "Splashtop Inc. 
registry key" - }, - { - "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Splashtop Software Updater", - "Description": "Splashtop Software Updater uninstall key" - }, - { - "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SplashtopRemoteService", - "Description": "Splashtop Remote Service registry key" - }, - { - "Path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Splashtop-Splashtop Streamer-Remote Session/Operational", - "Description": "Splashtop Streamer Remote Session event log channel" - }, - { - "Path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Splashtop-Splashtop Streamer-Status/Operational", - "Description": "Splashtop Streamer Status event log channel" - }, - { - "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Splashtop Software Updater\\InstallRefCount", - "Description": "Splashtop Software Updater install reference count" - }, - { - "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\SplashtopRemoteService", - "Description": "Splashtop Remote Service safe boot configuration" - }, - { - "Path": "HKU\\.DEFAULT\\Software\\Splashtop Inc.\\*", - "Description": "Default user Splashtop Inc. registry key" - }, - { - "Path": "HKU\\SID\\Software\\Splashtop Inc.\\*", - "Description": "User-specific Splashtop Inc. 
registry key" - }, - { - "Path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\Splashtop PDF Remote Printer", - "Description": "Splashtop PDF Remote Printer configuration" - }, - { - "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Splashtop Inc.\\Splashtop Remote Server\\ClientInfo\\*", - "Description": "Splashtop Remote Server client information" - } - ], + "Disk": [], + "EventLog": [], + "Registry": [], "Network": [ { - "Description": "N/A", + "Description": "Known remote domains", "Domains": [ - "*.splashtop.com" + "beyondtrust.com/brand/bomgar" ], - "Ports": [ - "N/A" - ] + "Ports": [] } ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_registry_sigma.yml", - "Description": "Detects potential registry activity of Splashtop RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_network_sigma.yml", - "Description": "Detects potential network activity of Splashtop RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_files_sigma.yml", - "Description": "Detects potential files activity of Splashtop RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bomgar_network_sigma.yml", + "Description": "Detects potential network activity of Bomgar RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_processes_sigma.yml", - "Description": "Detects potential processes activity of Splashtop RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bomgar_processes_sigma.yml", + "Description": "Detects potential processes activity of Bomgar RMM tool" } ], - "References": [ - "https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html" - ], - "Acknowledgement": [ - { - "Person": "Théo Letailleur", - "Handle": "in/theosyn" - 
} - ] + "References": [], + "Acknowledgement": [] }, { - "Name": "RAdmin", - "Description": "RAdmin is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.\n", - "Author": "Nasreddine Bencherchali", - "Created": "2024-08-05", - "LastModified": "2024-08-05", + "Name": "SuperPuTTY", + "Description": "SuperPuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "", "Details": { - "Website": "https://www.radmin.com/", - "PEMetadata": [ - { - "Filename": "RServer3.exe", - "OriginalFileName": "RServer3.exe", - "InternalName": "RServer3", - "Description": "Radmin Server", - "Product": "Radmin Server", - "Comments": "Radmin - Remote Control Server" - }, - { - "Filename": "Radmin.exe", - "OriginalFileName": "Radmin.exe", - "InternalName": "Radmin", - "Description": "Radmin Viewer", - "Product": "Radmin Viewer", - "Comments": "Radmin Viewer" - } - ], + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, "Privileges": "", "Free": "", "Verification": "", - "SupportedOS": [ - "Windows" - ], + "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\Radmin Viewer 3\\Radmin.exe", - "C:\\Windows\\SysWOW64\\rserver30\\rserver3.exe", - "C:\\Windows\\SysWOW64\\rserver30\\FamItrfc", - "C:\\Windows\\SysWOW64\\rserver30\\FamItrf2" + "C:\\Downloads\\SuperPuTTY\\*", + "*Downloads\\SuperPuTTY\\*", + "*\\superputty.exe", + "*\\SuperPuTTY\\*" ] }, "Artifacts": { - "Disk": [ - { - "File": "C:\\Windows\\SysWOW64\\rserver30\\Radm_log.htm", - "Description": "RAdmin log file (32-bit)", - "OS": "Windows" - }, - { - "File": "C:\\Windows\\System32\\rserver30\\Radm_log.htm", - "Description": "RAdmin log file (64-bit)", - "OS": "Windows" - }, - { - "File": "C:\\Windows\\System32\\rserver30\\CHATLOGS\\*\\*.htm", - "Description": "RAdmin chat 
logs", - "OS": "Windows" - }, - { - "File": "C:\\Users\\*\\Documents\\ChatLogs\\*\\*.htm", - "Description": "RAdmin user chat logs", - "OS": "Windows" - } - ], - "EventLog": [], - "Registry": [ - { - "Path": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Radmin\\v3.0\\Server\\Parameters\\Radmin Security", - "Description": "N/A" - } - ], - "Network": [ - { - "Description": "N/A", - "Domains": [ - "radmin.com" - ], - "Ports": [ - 443 - ] - } - ] - }, - "Detections": [ - { - "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_pua_radmin.yml", - "Description": "PUA - Radmin Viewer Utility Execution" - }, - { - "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml", - "Description": "Enumeration for 3rd Party Creds From CLI" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_registry_sigma.yml", - "Description": "Detects potential registry activity of RAdmin RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_network_sigma.yml", - "Description": "Detects potential network activity of RAdmin RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_files_sigma.yml", - "Description": "Detects potential files activity of RAdmin RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_processes_sigma.yml", - "Description": "Detects potential processes activity of RAdmin RMM tool" - } - ], - "References": [ - "https://radmin-club.com/radmin/how-to-establish-a-connection-outside-of-lan/", - "https://helpdesk.radmin.com/radmin3help/", - "https://helpdesk.radmin.com/radmin3help/files/viewercmd.htm", - "https://helpdesk.radmin.com/radmin3help/files/cmd.htm" - ], - "Acknowledgement": 
[ - { - "Person": "Nasreddine Bencherchali", - "Handle": "@nas_bench" - } - ] - }, - { - "Name": "LANDesk", - "Description": "LANDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/8/2024", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "issuser.exe", - "landeskagentbootstrap.exe", - "LANDeskPortalManager.exe", - "ldinv32.exe", - "ldsensors.exe", - "C:\\Program Files (x86)\\LANDesk\\*", - "*\\LANDesk\\*", - "*\\issuser.exe", - "*\\softmon.exe", - "*\\tmcsvc.exe" - ] - }, - "Artifacts": { - "Disk": [], + "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.ivanticloud.com", - "*.ivanti.com", - "ivanti.com" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/landesk_network_sigma.yml", - "Description": "Detects potential network activity of LANDesk RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/landesk_processes_sigma.yml", - "Description": "Detects potential processes activity of LANDesk RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superputty_processes_sigma.yml", + "Description": "Detects potential processes activity of SuperPuTTY RMM tool" } ], - "References": [ - "https://forums.ivanti.com/s/article/URL-exception-list-for-Ivanti-Security-Controls?language=en_US" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "SuperOps", - "Description": "SuperOps is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Name": "ZeroTier", + "Description": "ZeroTier is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { @@ -4285,8 +4064,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "superopsticket.exe", - "superops.exe" + "zerotier*.msi", + "zerotier*.exe", + "zero-powershell.exe" ] }, "Artifacts": { @@ -4297,11 +4077,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.superopsbeta.com", - "superops.ai", - "serv.superopsalpha.com", - "*.superops.ai", - "*.superopsalpha.com" + "zerotier.com", + "*.zerotier.com" ], "Ports": [] } 
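Review bot: The hunk beginning at "@@ -3895,382 +3973,83 @@" removes the two most complete records in the file, Splashtop and RAdmin (the only ones with populated "Disk", "EventLog", "Registry" and "PEMetadata" data and named acknowledgements), and replaces them with near-empty Bomgar and SuperPuTTY records: 382 lines out, 83 in. Before merging, confirm both entries reappear elsewhere in the regenerated rmm_tools.json with their artifacts intact, since a reorder that silently dropped them would also drop the SigmaHQ and LOLRMM detections they reference. Three data points to fix in whatever survives: "beyondtrust.com/brand/bomgar" in the Bomgar "Domains" list is a URL path rather than a hostname; the Splashtop registry path "KLM\\SOFTWARE\\WOW6432Node\\Splashtop Inc.\\*" is missing the leading "H" of HKLM; and RAdmin's "2024-08-05" dates sit beside "2/9/2024" in other entries, so an API file should settle on one date format.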
@@ -4309,22 +4086,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superops_network_sigma.yml", - "Description": "Detects potential network activity of SuperOps RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zerotier_network_sigma.yml", + "Description": "Detects potential network activity of ZeroTier RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superops_processes_sigma.yml", - "Description": "Detects potential processes activity of SuperOps RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zerotier_processes_sigma.yml", + "Description": "Detects potential processes activity of ZeroTier RMM tool" } ], "References": [ - "https://support.superops.com/en/articles/6632028-how-to-download-and-deploy-the-agent" + "https://my.zerotier.com/" ], "Acknowledgement": [] }, { - "Name": "Lite Manager", - "Description": "Lite Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Devolutions Remote Desktop Manager", + "Description": "Devolutions Remote Desktop Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -4341,11 +4118,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\Program Files\\LiteManager Pro – Viewer\\*", - "*\\LiteManager Pro – Viewer\\*", - "*\\LMNoIpServer.exe." - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], 
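Review bot: The Lite Manager entry removed in the last hunk here listed "*\\LMNoIpServer.exe." with a trailing period; if that entry is re-emitted elsewhere in the regenerated file, the period should go, since a filename pattern ending in "." will not match the real image name. The Devolutions Remote Desktop Manager record that takes its place has an empty "InstallationPaths" list and, in the earlier hunk, no detections, so it adds a name with nothing a rule could key on.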
@@ -4358,11 +4131,11 @@ "Acknowledgement": [] }, { - "Name": "Raidrive", - "Description": "Raidrive is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "BeAnyWhere", + "Description": "BeAnyWhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -4377,43 +4150,16 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\*\\OpenBoxLab\\RaiDrive\\*", - "*\\OpenBoxLab\\RaiDrive\\*", - "service = raidrive_*", - "Computer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\OpenBoxLab\\RaiDrive\\Drives" + "basuptshelper.exe", + "basupsrvcupdate.exe", + "BASupApp.exe", + "BASupSysInf.exe", + "BASupAppSrvc.exe", + "TakeControl.exe", + "BASupAppElev.exe", + "basupsrvc.exe" ] }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [] - }, - "Detections": [], - "References": [], - "Acknowledgement": [] - }, - { - "Name": "Datto", - "Description": "Datto is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [] - }, "Artifacts": { "Disk": [], "EventLog": [], @@ -4422,7 +4168,8 @@ { "Description": "Known remote domains", "Domains": [ - "datto.com" + "beanywhere.en.uptodown.com/windows", + "beanywhere.com" ], "Ports": [] } 
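Review bot: "beanywhere.en.uptodown.com/windows" in the BeAnyWhere "Domains" list is a URL path, and uptodown.com is a third-party download mirror rather than a domain the tool connects to, so a network rule built from it would flag downloads from a mirror, not BeAnyWhere sessions. Suggest keeping only "beanywhere.com" in "Domains" and moving the mirror link to "References". Separately, the Raidrive and Datto entries removed in the same hunk should be confirmed to exist elsewhere in the file; if Raidrive is re-emitted, its "service = raidrive_*" and "Computer\\HKEY_LOCAL_MACHINE\\...\\Drives" values belong under "Artifacts" (service and registry), not in "InstallationPaths".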
@@ -4430,19 +4177,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/datto_network_sigma.yml", - "Description": "Detects potential network activity of Datto RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beanywhere_network_sigma.yml", + "Description": "Detects potential network activity of BeAnyWhere RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beanywhere_processes_sigma.yml", + "Description": "Detects potential processes activity of BeAnyWhere RMM tool" } ], - "References": [], + "References": [ + "https://www.shouldiremoveit.com/beanywhere-support-service-40908-program.aspx" + ], "Acknowledgement": [] }, { - "Name": "Supremo", - "Description": "Supremo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "WebEx (Remote Access)", + "Description": "WebEx (Remote Access) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/13/2024", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -4456,52 +4209,506 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "supremo.exe", - "supremoservice.exe", - "supremosystem.exe", - "supremohelper.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "supremocontrol.com", - "*.supremocontrol.com", - "* .nanosystems.it" - ], - "Ports": [] - } - ] + "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/supremo_network_sigma.yml", - "Description": "Detects potential network activity of Supremo RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/supremo_processes_sigma.yml", - "Description": "Detects potential processes activity of Supremo RMM tool" - } - ], + "Detections": [], "References": [ - "https://www.supremocontrol.com/frequently-asked-questions/" + "https://help.webex.com/en-us/article/nyc3q0b/Set-Up-a-Computer-for-Remote-Access" ], "Acknowledgement": [] }, { - "Name": "Chicken (of the VNC)", - "Description": "Chicken (of the VNC) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "", - "Details": { - "Website": "", + "Name": "AnyDesk", + "Category": "RMM", + "Description": "AnyDesk is a popular remote desktop software that enables users to access and control a computer or device from a remote location. 
It was developed with the primary goal of facilitating remote work, technical support, and collaboration between individuals and teams.\n", + "Author": "Ali Alwashali, Nasreddine Bencherchali", + "Created": "2023-09-29", + "LastModified": "2024-08-02", + "Details": { + "Website": "https://anydesk.com/en", + "PEMetadata": [ + { + "Filename": "anydesk.exe", + "OriginalFileName": "AnyDesk.exe", + "Description": "AnyDesk", + "Product": "AnyDesk" + } + ], + "Privileges": "User", + "Free": true, + "Verification": false, + "SupportedOS": [ + "Android", + "ChromeOS", + "IOS", + "Linux", + "Mac", + "Windows" + ], + "Capabilities": [ + "File Transfer", + "File System Access", + "Remote Control", + "GUI Support", + "Command line Support" + ], + "Vulnerabilities": [ + "https://www.cvedetails.com/vulnerability-list/vendor_id-16953/product_id-40173/Anydesk-Anydesk.html" + ], + "InstallationPaths": [ + "C:\\Program Files (x86)\\AnyDesk\\*", + "C:\\Program Files\\AnyDesk\\*" + ] + }, + "Artifacts": { + "Disk": [ + { + "File": "%programdata%\\AnyDesk\\ad_svc.trace", + "Description": "AnyDesk service log file. As well as ad.trace, we can determine the IP address of the other participant and its AnyDesk ID when a connection is established.", + "OS": "Windows", + "Example": [ + "info 2022-08-23 10:20:11.969 gsvc 4628 3528 3 anynet.relay_conn - External address: 34.xx.xx.123:46798" + ] + }, + { + "File": "%programdata%\\AnyDesk\\connection_trace.txt", + "Description": "Incoming connection logs, contains IP Address of the remote machine and file transfer activity. Only generated on target side. The content indicates how the connection was approved (e.g. 
the local user authorized it, or a password was used)", + "OS": "Windows", + "Example": [ + "Incoming 2022-08-23, 10:23 Passwd 547911884 547911884", + "Incoming 2022-09-28, 12:39 User 442226597 442226597" + ] + }, + { + "File": "%APPDATA%\\AnyDesk\\connection_trace.txt", + "Description": "Incoming connection logs, contains IP Address of the remote machine and file transfer activity. Only generated on target side. The content indicates how the connection was approved (e.g. the local user authorized it, or a password was used)", + "OS": "Windows", + "Example": [ + "Incoming 2022-08-23, 10:23 Passwd 547911884 547911884", + "Incoming 2022-09-28, 12:39 User 442226597 442226597" + ] + }, + { + "File": "%APPDATA%\\AnyDesk\\ad.trace", + "Description": "AnyDesk user interface log file. In this log file, we can determine the IP address of the other participant and its AnyDesk ID. It is also possible to track events of file transfer. Below is the Client ID and external IP address of the remote participant.", + "OS": "Windows", + "Example": [ + "info 2022-09-28 12:39:26.845 lsvc 9952 9944 21 anynet.any_socket - Client-ID: 442226597 (FPR: 8e28a2a25b30).", + "info 2022-09-28 12:39:26.845 lsvc 9952 9944 21 anynet.any_socket - Logged in from 12.xx.xx.21:59562 on relay 80e496c0." + ] + }, + { + "File": "%APPDATA%\\AnyDesk\\chat\\*.txt", + "Description": "If the chat functionality is used, its entries will be printed in a text file in this folder.", + "OS": "Windows" + }, + { + "File": "%APPDATA%\\AnyDesk\\user.conf", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "%PROGRAMDATA%\\AnyDesk\\service.conf", + "Description": "Password can be set to auto-validate the session. 
The password will be saved in a salted hash format.", + "OS": "Windows" + }, + { + "File": "%APPDATA%\\AnyDesk\\service.conf", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "%APPDATA%\\AnyDesk\\system.conf", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "%PROGRAMDATA%\\AnyDesk\\system.conf", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\AnyDesk.lnk", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\AnyDesk\\Uninstall AnyDesk.lnk", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "C:\\Users\\*\\Videos\\AnyDesk\\*.anydesk", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "C:\\Windows\\SysWOW64\\config\\systemprofile\\AppData\\Roaming\\AnyDesk\\*", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "~/Library/Application Support/AnyDesk/Logs/", + "Description": "N/A", + "OS": "Mac" + }, + { + "File": "~/.config/AnyDesk/Logs/", + "Description": "N/A", + "OS": "Linux" + } + ], + "EventLog": [ + { + "EventID": 7045, + "ProviderName": "Service Control Manager", + "LogFile": "System.evtx", + "ServiceName": "AnyDesk Service", + "ImagePath": "\"C:\\\\Program Files (x86)\\\\AnyDesk\\\\AnyDesk.exe\" --service", + "Description": "Service installation event as result of AnyDesk installation." 
+ } + ], + "Registry": [ + { + "Path": "HKLM\\SOFTWARE\\Clients\\Media\\AnyDesk", + "Description": "N/A" + }, + { + "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\AnyDesk", + "Description": "N/A" + }, + { + "Path": "HKLM\\SOFTWARE\\Classes\\.anydesk\\shell\\open\\command", + "Description": "N/A" + }, + { + "Path": "HKLM\\SOFTWARE\\Classes\\AnyDesk\\shell\\open\\command", + "Description": "N/A" + }, + { + "Path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\AnyDesk Printer\\*", + "Description": "N/A" + }, + { + "Path": "HKLM\\DRIVERS\\DriverDatabase\\DeviceIds\\USBPRINT\\AnyDesk", + "Description": "N/A" + }, + { + "Path": "HKLM\\DRIVERS\\DriverDatabase\\DeviceIds\\WSDPRINT\\AnyDesk", + "Description": "N/A" + }, + { + "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\AnyDesk", + "Description": "N/A" + } + ], + "Network": [ + { + "Description": "During setup the boot.net.anydesk.com domain is request over port 443", + "Domains": [ + "boot.net.anydesk.com" + ], + "Ports": [ + 443 + ] + }, + { + "Description": "N/A", + "Domains": [ + "relay-[a-f0-9]{8}.net.anydesk.com:443" + ], + "Ports": [ + 443 + ] + }, + { + "Description": "N/A", + "Domains": [ + "*.anydesk.com" + ], + "Ports": [ + 443 + ] + } + ], + "Other": [ + { + "Type": "User-Agent", + "Value": "AnyDesk/*" + }, + { + "Type": "NamedPipe", + "Value": "adprinterpipe" + } + ] + }, + "Detections": [ + { + "Sigma": "https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/builtin/system/service_control_manager/win_system_service_install_anydesk.yml", + "Description": "Anydesk Remote Access Software Service Installation" + }, + { + "Sigma": "https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml", + "Description": "N/A" + }, + { + "Sigma": 
"https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk.yml", + "Description": "N/A" + }, + { + "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml", + "Description": "Remote Access Tool - AnyDesk Silent Installation" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_registry_sigma.yml", + "Description": "Detects potential registry activity of AnyDesk RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_network_sigma.yml", + "Description": "Detects potential network activity of AnyDesk RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_files_sigma.yml", + "Description": "Detects potential files activity of AnyDesk RMM tool" + } + ], + "References": [ + "https://support.anydesk.com/knowledge/firewall", + "https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html", + "https://github.com/mthcht/awesome-lists/tree/79ced75eebe53bcabf1235b3c17eb11788875482/Lists/RMM/anydesk", + "https://ruler-project.github.io/ruler-project/RULER/remote/AnyDesk/" + ], + "Acknowledgement": [ + { + "Person": "Théo Letailleur", + "Handle": "in/theosyn" + }, + { + "Person": "Ali Alwashali", + "Handle": "@ali_alwashali" + }, + { + "Person": "Nasreddine Bencherchali", + "Handle": "@nas_bench" + } + ] + }, + { + "Name": "Free Ping Tool", + "Description": "Free Ping Tool is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "can't find this one", + "can't find this one" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "S3 Browser", + "Description": "S3 Browser is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "C:\\Program Files (x86)\\S3 Browser\\*", + "*\\S3 Browser\\*", + "*\\s3browser*.exe" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/s3_browser_processes_sigma.yml", + "Description": "Detects potential processes activity of S3 Browser RMM tool" + } + ], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "Azure Storage Explorer", + "Description": "Azure Storage Explorer is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "C:\\Program Files (x86)\\Microsoft Azure Storage Explorer\\*", + "*\\Microsoft Azure Storage Explorer\\*", + "*\\StorageExplorer.exe" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/azure_storage_explorer_processes_sigma.yml", + "Description": "Detects potential processes activity of Azure Storage Explorer RMM tool" + } + ], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "NinjaOne (formerly NinjaRMM)", + "Description": "NinjaOne (formerly NinjaRMM) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "*ProgramData\\NinjaRMMAgent\\*" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "Adobe Connect", + "Description": "Adobe Connect is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/27/2024", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "ConnectAppSetup*.exe", + "ConnectShellSetup*.exe", + "Connect.exe", + "ConnectDetector.exe" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.adobeconnect.com" + ], + "Ports": [] + } + ] + }, + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/adobe_connect_network_sigma.yml", + "Description": "Detects potential network activity of Adobe Connect RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/adobe_connect_processes_sigma.yml", + "Description": "Detects potential processes activity of Adobe Connect RMM tool" + } + ], + "References": [ + "https://helpx.adobe.com/adobe-connect/firewall-proxy-server-configuration-adobe-connect.html" + ], + "Acknowledgement": [] + }, + { + "Name": "CloudHQ", + "Description": "CloudHQ is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "", + "Details": { + "Website": "", "PEMetadata": { "Filename": "", "OriginalFileName": "", @@ -4526,8 +4733,8 @@ "Acknowledgement": [] }, { - "Name": "Quick Assist", - "Description": "Quick Assist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Raidrive", + "Description": "Raidrive is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -4545,30 +4752,148 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "quickassist.exe" + "C:\\*\\OpenBoxLab\\RaiDrive\\*", + "*\\OpenBoxLab\\RaiDrive\\*", + "service = raidrive_*", + "Computer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\OpenBoxLab\\RaiDrive\\Drives" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "RemotePC", + "Description": "RemotePC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/9/2024", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "C:\\Program Files (x86)\\RemotePC\\*", + "Idrive.File-Transfer", + "*\\RemotePC\\*", + "remotepcservice.exe", + "RemotePC.exe", + "remotepchost.exe", + "idrive.RemotePCAgent", + "rpcsuite.exe", + "*\\RemotePCService.exe", + "RemotePCService.exe" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.remotedesktop.com", + "*.remotepc.com", + "www.remotepc.com", + "remotepc.com" + ], + "Ports": [] + } + ] + }, + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepc_network_sigma.yml", + "Description": "Detects potential network activity of RemotePC RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepc_processes_sigma.yml", + "Description": "Detects potential processes activity of RemotePC RMM tool" + } + ], + "References": [ + "https://www.remotedesktop.com/helpdesk/faq-firewall" + ], + "Acknowledgement": [] + }, + { + "Name": "LogMeIn 
rescue", + "Description": "LogMeIn rescue is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/8/2024", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "support-logmeinrescue*.exe", + "support-logmeinrescue.exe", + "lmi_rescue.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.logmeinrescue.com", + "*.logmeinrescue.eu", + "logmeinrescue.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quick_assist_processes_sigma.yml", - "Description": "Detects potential processes activity of Quick Assist RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_rescue_network_sigma.yml", + "Description": "Detects potential network activity of LogMeIn rescue RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_rescue_processes_sigma.yml", + "Description": "Detects potential processes activity of LogMeIn rescue RMM tool" } ], - "References": [], + "References": [ + "https://support.logmeinrescue.com/rescue/help/allowlisting-and-rescue" + ], "Acknowledgement": [] }, { - "Name": "KHelpDesk", - "Description": "KHelpDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "UltraViewer", + "Description": "UltraViewer is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/26/2024", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { @@ -4583,7 +4908,18 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "KHelpDesk.exe" + "UltraViewer_Service.exe", + "UltraViewer_setup*", + "UltraViewer_Desktop.exe", + "ultraviewer.exe", + "C:\\Program Files (x86)\\UltraViewer\\UltraViewer_Desktop.exe", + "*\\UltraViewer\\", + "*\\UltraViewer_Desktop.exe", + "ultraviewer_desktop.exe", + "ultraviewer_service.exe", + "UltraViewer_Desktop.exe", + "UltraViewer_setup*", + "UltraViewer_Service.exe" ] }, "Artifacts": { @@ -4594,7 +4930,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.khelpdesk.com.br" + "* .ultraviewer.net", + "ultraviewer.net" ], "Ports": [] } 
@@ -4602,25 +4939,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/khelpdesk_network_sigma.yml", - "Description": "Detects potential network activity of KHelpDesk RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultraviewer_network_sigma.yml", + "Description": "Detects potential network activity of UltraViewer RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/khelpdesk_processes_sigma.yml", - "Description": "Detects potential processes activity of KHelpDesk RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultraviewer_processes_sigma.yml", + "Description": "Detects potential processes activity of UltraViewer RMM tool" } ], "References": [ - "https://www.khelpdesk.com.br/en-us" + "https://www.ultraviewer.net/en/200000026-summary-of-ultraviewer-s-security-information.html" ], "Acknowledgement": [] }, { - "Name": "TurboMeeting", - "Description": "TurboMeeting is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "aria2", + "Description": "aria2 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -4635,9 +4972,49 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "pcstarter.exe", - "turbomeeting.exe", - "turbomeetingstarter.exe" + "C:\\ProgramData\\CentraStage\\AEMAgent\\*", + "*ProgramData\\CentraStage\\AEMAgent\\*", + "*\\Steinberg\\Download Assistant\\3rd Party\\optional\\aria2\\*", + "*\\aria2c.exe" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aria2_processes_sigma.yml", + "Description": "Detects potential processes activity of aria2 RMM tool" + } + ], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "Pandora RC (eHorus)", + "Description": "Pandora RC (eHorus) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/7/2024", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "ehorus standalone.exe", + "ehorus_agent.exe" ] }, "Artifacts": { @@ -4648,8 +5025,7 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "acceo.com/turbomeeting/" + "portal.ehorus.com" ], "Ports": [] } 
@@ -4657,25 +5033,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/turbomeeting_network_sigma.yml", - "Description": "Detects potential network activity of TurboMeeting RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pandora_rc__ehorus__network_sigma.yml", + "Description": "Detects potential network activity of Pandora RC (eHorus) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/turbomeeting_processes_sigma.yml", - "Description": "Detects potential processes activity of TurboMeeting RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pandora_rc__ehorus__processes_sigma.yml", + "Description": "Detects potential processes activity of Pandora RC (eHorus) RMM tool" } ], "References": [ - "http://sourcing.rhubcom.com/v5/faqs.html#collapsetwentysix2-topdiv" + "https://pandorafms.com/manual/!current/en/documentation/09_pandora_rc/01_pandora_rc_introduction" ], "Acknowledgement": [] }, { - "Name": "RPort", - "Description": "RPort is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "IntelliAdmin Remote Control", + "Description": "IntelliAdmin Remote Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -4690,7 +5066,11 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "rport.exe" + "iadmin.exe", + "intelliadmin.exe", + "agent32.exe", + "agent64.exe", + "agent_setup_5.exe" ] }, "Artifacts": { @@ -4702,7 +5082,8 @@ "Description": "Known remote domains", "Domains": [ "user_managed", - "rport.io" + "*.intelliadmin.com", + "intelliadmin.com/remote-control" ], "Ports": [] } 
@@ -4710,22 +5091,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rport_network_sigma.yml", - "Description": "Detects potential network activity of RPort RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/intelliadmin_remote_control_network_sigma.yml", + "Description": "Detects potential network activity of IntelliAdmin Remote Control RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rport_processes_sigma.yml", - "Description": "Detects potential processes activity of RPort RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/intelliadmin_remote_control_processes_sigma.yml", + "Description": "Detects potential processes activity of IntelliAdmin Remote Control RMM tool" } ], "References": [ - "https://kb.rport.io/using-the-remote-access" + "intelliadmin.com/remote-control" ], "Acknowledgement": [] }, { - "Name": "CloudBerry Explorer", - "Description": "CloudBerry Explorer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "MEGAsync", + "Description": "MEGAsync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -4743,8 +5124,12 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files\\CloudBerryLab\\CloudBerry Drive\\*", - "*\\CloudBerryLab\\CloudBerry Drive\\*" + "C:\\Users\\*\\AppData\\Local\\MEGAsync\\*", + "*Users\\*\\AppData\\Local\\MEGAsync\\*", + "*Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*", + "*ProgramData\\MEGAsync\\*", + "*\\MEGAsyncSetup64.exe", + "*\\MEGAupdater.exe" ] }, "Artifacts": { 
@@ -4753,16 +5138,21 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/megasync_processes_sigma.yml", + "Description": "Detects potential processes activity of MEGAsync RMM tool" + } + ], "References": [], "Acknowledgement": [] }, { - "Name": "ExpanDrive", - "Description": "ExpanDrive is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Encapto", + "Description": "Encapto is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -4776,32 +5166,39 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\Users\\*\\ExpanDrive.exe", - "*\\ExpanDrive.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "encapto.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/expandrive_processes_sigma.yml", - "Description": "Detects potential processes activity of ExpanDrive RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/encapto_network_sigma.yml", + "Description": "Detects potential network activity of Encapto RMM tool" } ], - "References": [], + "References": [ + "https://www.encapto.com - used to manage Cisco services" + ], "Acknowledgement": [] }, { - "Name": "MioNet (Also known as WD Anywhere Access)", - "Description": "MioNet (Also known as WD Anywhere Access) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ShowMyPC", + "Description": "ShowMyPC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -4816,31 +5213,48 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "mionet.exe", - "mionetmanager.exe" + "SMPCSetup.exe", + "showmypc*.exe", + "showmypc.exe", + "smpcsetup.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.showmypc.com", + "showmypc.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mionet__also_known_as_wd_anywhere_access__processes_sigma.yml", - "Description": "Detects potential processes activity of MioNet (Also known as WD Anywhere Access) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/showmypc_network_sigma.yml", + "Description": "Detects potential network activity of ShowMyPC RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/showmypc_processes_sigma.yml", + "Description": "Detects potential processes activity of ShowMyPC RMM tool" } ], - "References": [], + "References": [ + "https://showmypc.com/service/faq/ShowMyPCSecurityOverview1.pdf" + ], "Acknowledgement": [] }, { - "Name": "OCS inventory", - "Description": "OCS inventory is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Lite Manager", + "Description": "Lite Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -4855,43 +5269,24 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ocsinventory.exe", - "ocsservice.exe" + "C:\\Program Files\\LiteManager Pro – Viewer\\*", + "*\\LiteManager Pro – Viewer\\*", + "*\\LMNoIpServer.exe." ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "user_managed", - "ocsinventory-ng.org" - ], - "Ports": [] - } - ] + "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ocs_inventory_network_sigma.yml", - "Description": "Detects potential network activity of OCS inventory RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ocs_inventory_processes_sigma.yml", - "Description": "Detects potential processes activity of OCS inventory RMM tool" - } - ], - "References": [ - "https://ocsinventory-ng.org/?page_id=878&lang=en" - ], + "Detections": [], + "References": [], "Acknowledgement": [] }, { - "Name": "RemotePass", - "Description": "RemotePass is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Netop Remote Control (aka Impero Connect)", + "Description": "Netop Remote Control (aka Impero Connect) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -4909,9 +5304,10 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "remotepass-access.exe", - "rpaccess.exe", - "rpwhostscr.exe" + "nhostsvc.exe", + "nhstw32.exe", + "nldrw32.exe", + "rmserverconsolemediator.exe" ] }, "Artifacts": { @@ -4922,7 +5318,7 @@ { "Description": "Known remote domains", "Domains": [ - "remotepass.com" + "imperosoftware.com/impero-connect/" ], "Ports": [] } 
@@ -4930,25 +5326,23 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepass_network_sigma.yml", - "Description": "Detects potential network activity of RemotePass RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__aka_impero_connect__network_sigma.yml", + "Description": "Detects potential network activity of Netop Remote Control (aka Impero Connect) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepass_processes_sigma.yml", - "Description": "Detects potential processes activity of RemotePass RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__aka_impero_connect__processes_sigma.yml", + "Description": "Detects potential processes activity of Netop Remote Control (aka Impero Connect) RMM tool" } ], - "References": [ - "https://www.remotepass.com/rpaccess.html - DOA as of 2024" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "Air Explorer", - "Description": "Air Explorer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "GoToAssist", + "Description": "GoToAssist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -4963,32 +5357,53 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files\\airexplorer\\*", - "*\\airexplorer\\*", - "*\\airexplorer.exe" + "gotoassist.exe", + "g2a*.exe", + "GoTo Assist Opener.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "goto.com", + "*.getgo.com", + "*.fastsupport.com", + "*.gotoassist.com", + "helpme.net", + "*.gotoassist.me", + "*.gotoassist.at", + "*.desktopstreaming.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/air_explorer_processes_sigma.yml", - "Description": "Detects potential processes activity of Air Explorer RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotoassist_network_sigma.yml", + "Description": "Detects potential network activity of GoToAssist RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotoassist_processes_sigma.yml", + "Description": "Detects potential processes activity of GoToAssist RMM tool" } ], - "References": [], + "References": [ + "https://help.gotoassist.com/remote-support/help/what-should-i-allow-on-my-firewall-for-gotoassist-remote-support-v5" + ], "Acknowledgement": [] }, { - "Name": "GoToAssist (GoTo Resolve)", - "Description": "GoToAssist (GoTo Resolve) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Ericom Connect", + "Description": "Ericom Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -5003,195 +5418,333 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\ProgramFiles*\\GoTo Machine Installer\\*", - "*\\GoTo Machine Installer\\*", - "*\\GoTo\\*" + "EricomConnectRemoteHost*.exe", + "ericomconnnectconfigurationtool.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "user_managed", + "ericom.com" + ], + "Ports": [] + } + ] }, - "Detections": [], - "References": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_connect_network_sigma.yml", + "Description": "Detects potential network activity of Ericom Connect RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_connect_processes_sigma.yml", + "Description": "Detects potential processes activity of Ericom Connect RMM tool" + } + ], + "References": [ + "https://www.ericom.com/connect-accessnow/" + ], "Acknowledgement": [] }, { - "Name": "Comodo RMM", - "Description": "Comodo RMM is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/7/2024", + "Name": "TeamViewer", + "Description": "TeamViewer is a remote monitoring and management (RMM) tool.\n", + "Author": "Nasreddine Bencherchali, Michael Haag", + "Created": "2024-08-02", + "LastModified": "2024-08-02", "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], + "Website": "https://www.teamviewer.com/en", + "PEMetadata": [ + { + "Filename": "TeamViewer.exe", + "OriginalFileName": "", + "Description": "", + "Product": "TeamViewer" + } + ], + "Privileges": "user", + "Free": true, + "Verification": false, + "SupportedOS": [ + "Android", + "ChromeOS", + "IOS", + "Linux", + "Mac", + "Windows" + ], "Capabilities": [], - "Vulnerabilities": [], + "Vulnerabilities": [ + "https://www.cvedetails.com/vulnerability-list/vendor_id-11100/product_id-19942/Teamviewer-Teamviewer.html" + ], "InstallationPaths": [ - "itsmagent.exe", - "rviewer.exe" + "C:\\Program Files\\TeamViewer\\", + "teamviewer_desktop.exe", + "teamviewer_service.exe", + "teamviewerhost" ] }, "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], + "Disk": [ + { + "File": "C:\\Users\\\\AppData\\Local\\Temp\\TeamViewer\\TV15Install.log", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "TeamViewer\\d\\d_Logfile\\.log", + "Description": "N/A", + "OS": "Windows", + "Type": "Regex" + }, + { + "File": "C:\\Program Files\\TeamViewer\\Connections_incoming.txt", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "C:\\Program Files\\TeamViewer\\TVNetwork.log", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "%LOCALAPPDATA%\\Temp\\TeamViewer\\TV15Install.log", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "%APPDATA%\\\\TeamViewer\\\\TeamViewer\\d\\d_Logfile\\.log", + "Description": "N/A", + "OS": 
"Windows", + "Type": "Regex" + }, + { + "File": "teamviewerqs.exe", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "tv_w32.exe", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "tv_w64.exe", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "tv_x64.exe", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "teamviewer.exe", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "teamviewer_service.exe", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "%LOCALAPPDATA%\\TeamViewer\\Database\\tvchatfilecache.db", + "Description": "SQlite 3 database storing cache about TeamViewer chat", + "OS": "Windows" + }, + { + "File": "%LOCALAPPDATA%\\TeamViewer\\RemotePrinting\\tvprint.db", + "Description": "SQlite 3 database storing TeamViewer print jobs", + "OS": "Windows" + }, + { + "File": "%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\TeamViewer.lnk", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "C:\\Program Files*\\TeamViewer\\connections*.txt", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "C:\\Users\\*\\AppData\\Roaming\\TeamViewer\\MRU\\RemoteSupport\\*tvc", + "Description": "N/A", + "OS": "Windows" + } + ], + "EventLog": [ + { + "EventID": 7045, + "ProviderName": "Service Control Manager", + "LogFile": "System.evtx", + "ServiceName": "TeamViewer", + "ImagePath": "\"C:\\\\Program Files\\\\TeamViewer\\\\TeamViewer_Service.exe\"", + "Description": "Service installation event as result of TeamViewer installation." 
+ } + ], + "Registry": [ + { + "Path": "HKLM\\SOFTWARE\\TeamViewer\\*", + "Description": "N/A" + }, + { + "Path": "HKU\\\\SOFTWARE\\TeamViewer\\*", + "Description": "N/A" + }, + { + "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\TeamViewer\\*", + "Description": "N/A" + }, + { + "Path": "HKLM\\SOFTWARE\\TeamViewer\\ConnectionHistory", + "Description": "N/A" + }, + { + "Path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\TeamViewer\\*", + "Description": "N/A" + }, + { + "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\MainWindowHandle", + "Description": "N/A" + }, + { + "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImage", + "Description": "N/A" + }, + { + "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImagePath", + "Description": "N/A" + }, + { + "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImagePosition", + "Description": "N/A" + }, + { + "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\MinimizeToTray", + "Description": "N/A" + }, + { + "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioUserSelectedCapturingEndpoint", + "Description": "N/A" + }, + { + "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioSendingVolumeV2", + "Description": "N/A" + }, + { + "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioUserSelectedRenderingEndpoint", + "Description": "N/A" + }, + { + "Path": "HKLM\\SOFTWARE\\TeamViewer\\ConnectionHistory", + "Description": "N/A" + }, + { + "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\ClientWindow_Mode", + "Description": "N/A" + }, + { + "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\ClientWindowPositions", + "Description": "N/A" + } + ], "Network": [ { "Description": "Known remote domains", "Domains": [ - "*.itsm-us1.comodo.com", - "*mdmsupport.comodo.com", - "one.comodo.com" + "*.teamviewer.com" ], "Ports": [] - } - ] - }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/comodo_rmm_network_sigma.yml", - "Description": "Detects 
potential network activity of Comodo RMM RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/comodo_rmm_processes_sigma.yml", - "Description": "Detects potential processes activity of Comodo RMM RMM tool" - } - ], - "References": [ - "https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html" - ], - "Acknowledgement": [] - }, - { - "Name": "ShowMyPC", - "Description": "ShowMyPC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/9/2024", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "SMPCSetup.exe", - "showmypc*.exe", - "showmypc.exe", - "smpcsetup.exe" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [ + }, { - "Description": "Known remote domains", + "Description": "N/A", "Domains": [ - "*.showmypc.com", - "showmypc.com" + "router15.teamviewer.com" ], - "Ports": [] + "Ports": [ + 443 + ] + }, + { + "Description": "N/A", + "Domains": [ + "client.teamviewer.com" + ], + "Ports": [ + 443 + ] + }, + { + "Description": "N/A", + "Domains": [ + "taf.teamviewer.com" + ], + "Ports": [ + 443 + ] + } + ], + "Other": [ + { + "Type": "Mutex", + "Value": "TeamViewer_LogMutex" + }, + { + "Type": "Mutex", + "Value": "TeamViewerHooks_DynamicMemMutex" + }, + { + "Type": "Mutex", + "Value": "TeamViewer3_Win32_Instance_Mutex" } ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/showmypc_network_sigma.yml", - "Description": "Detects potential network activity of ShowMyPC RMM tool" + "Sigma": 
"https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_registry_sigma.yml", + "Description": "Detects potential registry activity of TeamViewer RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/showmypc_processes_sigma.yml", - "Description": "Detects potential processes activity of ShowMyPC RMM tool" - } - ], - "References": [ - "https://showmypc.com/service/faq/ShowMyPCSecurityOverview1.pdf" - ], - "Acknowledgement": [] - }, - { - "Name": "ToDesk", - "Description": "ToDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/14/2024", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_network_sigma.yml", + "Description": "Detects potential network activity of TeamViewer RMM tool" }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "todesk.exe", - "ToDesk_Service.exe", - "ToDesk_Setup.exe" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "todesk.com", - "*.todesk.com", - "*.todesk.com", - "todesktop.com" - ], - "Ports": [] - } - ] - }, - "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/todesk_network_sigma.yml", - "Description": "Detects potential network activity of ToDesk RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_files_sigma.yml", + "Description": "Detects potential files activity of TeamViewer RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/todesk_processes_sigma.yml", - "Description": 
"Detects potential processes activity of ToDesk RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_processes_sigma.yml", + "Description": "Detects potential processes activity of TeamViewer RMM tool" } ], "References": [ - "https://www.todesk.com/" + "https://community.teamviewer.com/English/kb/articles/4139-ports-used-by-teamviewer", + "https://arista.my.site.com/AristaCommunity/s/article/Security-Analysis-TeamViewer#", + "https://www.teamviewer.com/en/global/support/knowledge-base/teamviewer-classic/troubleshooting/log-file-reading-incoming-connection/", + "https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html", + "https://github.com/Purp1eW0lf/Blue-Team-Notes" ], - "Acknowledgement": [] + "Acknowledgement": [ + { + "Person": "Théo Letailleur", + "Handle": "in/theosyn" + } + ] }, { - "Name": "RunSmart", - "Description": "RunSmart is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Access Remote PC", + "Description": "Access Remote PC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -5205,37 +5758,32 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "rpcgrab.exe", + "rpcsetup.exe" + ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "runsmart.io" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/runsmart_network_sigma.yml", - "Description": "Detects potential network activity of RunSmart RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/access_remote_pc_processes_sigma.yml", + "Description": "Detects potential processes activity of Access Remote PC RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "VNC Connect", - "Description": "VNC Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "DW Service", + "Description": "DW Service is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -5250,26 +5798,45 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files\\RealVNC\\VNC Server\\*", - "*\\RealVNC\\VNC Server\\*" + "dwagent.exe", + "dwagsvc.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.dwservice.net" + ], + "Ports": [] + } + ] }, - "Detections": [], - "References": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_network_sigma.yml", + "Description": "Detects potential network activity of DW Service RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_processes_sigma.yml", + "Description": "Detects potential processes activity of DW Service RMM tool" + } + ], + "References": [ + "https://news.dwservice.net/dwservice-security-infrastructure/" + ], "Acknowledgement": [] }, { - "Name": "Echoware", - "Description": "Echoware is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "SecureCRT", + "Description": "SecureCRT is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -5284,8 +5851,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "echoserver*.exe", - "echoware.dll" + "C:\\*\\SecureCRT.EXE", + "*\\SecureCRT.EXE", + "*\\VanDyke Software\\ClientPack\\*" ] }, "Artifacts": { 
@@ -5296,155 +5864,75 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/echoware_processes_sigma.yml", - "Description": "Detects potential processes activity of Echoware RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/securecrt_processes_sigma.yml", + "Description": "Detects potential processes activity of SecureCRT RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "Alpemix", - "Description": "Alpemix is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.\n", - "Author": "Nasreddine Bencherchali", - "Created": "2024-08-05", - "LastModified": "2024-08-05", + "Name": "Acronic Cyber Protect (Remotix)", + "Description": "Acronic Cyber Protect (Remotix) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/26/2024", "Details": { - "Website": "https://www.alpemix.com/en/Home", - "PEMetadata": [ - { - "Filename": "Alpemix.exe", - "OriginalFileName": "Alpemix", - "Description": "Alpemix", - "Product": "Alpemix", - "InternalName": "Alpemix" - } - ], + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, "Privileges": "", "Free": "", "Verification": "", - "SupportedOS": [ - "Windows", - "Linux", - "Android", - "Mac", - "IOS" - ], - "Capabilities": [ - "5 Different Solutions for Remote Support", - "Access to Unattended Computers", - "Access to User Account Control (UAC) Screens", - "Add Your Own Logo", - "Auto Sizing", - "Automatic Update", - "Clipboard Transfer", - "Computer Independent Licensing", - "Contact List and Groups", - "Encrypted Communication", - "External Communication Barrier", - "File Transfer", - "Instant Messaging", - "Multi-Platform Support", - "Multiple Chat", - "Multiple Connections", - "No Port Forwarding Required", - "Peer to Peer 
Connection (p2p)", - "Receiving Offline Message", - "Remote Restart", - "ReportingRestricting The Authority", - "Screen Sharing", - "Sending Announcement Message", - "Sharing a certain part of the screen", - "Video Recording", - "Voice Communication", - "Who is currently supporting?", - "Working in Black Screen Mode" - ], + "SupportedOS": [], + "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\AlpemixService.exe", - "C:\\AlpemixSrvc\\" + "AcronisCyberProtectConnectQuickAssist*.exe", + "AcronisCyberProtectConnectAgent.exe" ] }, "Artifacts": { - "Disk": [ - { - "File": "%localappdata%\\Alpemix\\Alpemix.ini", - "Description": "N/A", - "OS": "Windows" - } - ], - "EventLog": [ - { - "EventID": 7045, - "ProviderName": "Service Control Manager", - "LogFile": "System.evtx", - "ServiceName": "AlpemixSrvc", - "ImagePath": "*\\Alpemix.exe servicestartxxx", - "Description": "Service installation event as result of Alpemix installation." - } - ], - "Registry": [ - { - "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\AlpemixSrvcx", - "Description": "N/A" - } - ], + "Disk": [], + "EventLog": [], + "Registry": [], "Network": [ { + "Description": "Known remote domains", "Domains": [ - "*.alpemix.com" - ], - "Ports": [ - 443 - ], - "Description": "N/A" - }, - { - "Domains": [ - "*.teknopars.com" - ], - "Ports": [ - 80 + "cloud.acronis.com", + "agents*-cloud.acronis.com", + "gw.remotix.com", + "connect.acronis.com" ], - "Description": "N/A" + "Ports": [] } ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_registry_sigma.yml", - "Description": "Detects potential registry activity of Alpemix RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_network_sigma.yml", - "Description": "Detects potential network activity of Alpemix RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_files_sigma.yml", - 
"Description": "Detects potential files activity of Alpemix RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/acronic_cyber_protect__remotix__network_sigma.yml", + "Description": "Detects potential network activity of Acronic Cyber Protect (Remotix) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_processes_sigma.yml", - "Description": "Detects potential processes activity of Alpemix RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/acronic_cyber_protect__remotix__processes_sigma.yml", + "Description": "Detects potential processes activity of Acronic Cyber Protect (Remotix) RMM tool" } ], "References": [ - "https://www.alpemix.com/en/remote-access" + "https://kb.acronis.com/content/47189" ], - "Acknowledgement": [ - { - "Person": "Nasreddine Bencherchali", - "Handle": "@nas_bench" - } - ] + "Acknowledgement": [] }, { - "Name": "Royal TS", - "Description": "Royal TS is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Sorillus", + "Description": "Sorillus is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -5459,7 +5947,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "royalts.exe" + "Sorillus-Launcher*.exe", + "Sorillus Launcher.exe" ] }, "Artifacts": { @@ -5470,7 +5959,8 @@ { "Description": "Known remote domains", "Domains": [ - "royalapps.com" + "*.sorillus.com", + "sorillus.com" ], "Ports": [] } 
@@ -5478,23 +5968,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_ts_network_sigma.yml", - "Description": "Detects potential network activity of Royal TS RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sorillus_network_sigma.yml", + "Description": "Detects potential network activity of Sorillus RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_ts_processes_sigma.yml", - "Description": "Detects potential processes activity of Royal TS RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sorillus_processes_sigma.yml", + "Description": "Detects potential processes activity of Sorillus RMM tool" } ], - "References": [], + "References": [ + "https://sorillus.com/" + ], "Acknowledgement": [] }, { - "Name": "DragonDisk", - "Description": "DragonDisk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Barracuda", + "Description": "Barracuda is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -5508,33 +6000,41 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\Program Files (x86)\\Almageste\\DragonDisk\\*", - "*\\Almageste\\DragonDisk\\*", - "*\\DragonDisk.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.islonline.net", + "rmm.barracudamsp.com", + "barracudamsp.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dragondisk_processes_sigma.yml", - "Description": "Detects potential processes activity of DragonDisk RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/barracuda_network_sigma.yml", + "Description": "Detects potential network activity of Barracuda RMM tool" } ], - "References": [], + "References": [ + "https://help.islonline.com/19799/166125" + ], "Acknowledgement": [] }, { - "Name": "Pcvisit", - "Description": "Pcvisit is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "DeskDay", + "Description": "DeskDay is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -5549,10 +6049,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "pcvisit.exe", - "pcvisit_client.exe", - "pcvisit-easysupport.exe", - "pcvisit_service_client.exe" + "ultimate_*.exe" ] }, "Artifacts": { @@ -5563,8 +6060,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.pcvisit.de", - "pcvisit.de" + "deskday.ai", + "app.deskday.ai" ], "Ports": [] } 
@@ -5572,25 +6069,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcvisit_network_sigma.yml", - "Description": "Detects potential network activity of Pcvisit RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskday_network_sigma.yml", + "Description": "Detects potential network activity of DeskDay RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcvisit_processes_sigma.yml", - "Description": "Detects potential processes activity of Pcvisit RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskday_processes_sigma.yml", + "Description": "Detects potential processes activity of DeskDay RMM tool" } ], "References": [ - "https://www.pcvisit.de/" + "https://support.deskday.ai/en/articles/8235973-installing-the-end-user-application-ultimate" ], "Acknowledgement": [] }, { - "Name": "Connectwise Automate (LabTech)", - "Description": "Connectwise Automate (LabTech) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "RemoteCall", + "Description": "RemoteCall is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -5605,9 +6102,13 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ltsvc.exe", - "ltsvcmon.exe", - "lttray.exe" + "rcengmgru.exe", + "rcmgrsvc.exe", + "rxstartsupport.exe", + "rcstartsupport.exe", + "raautoup.exe", + "agentu.exe", + "remotesupportplayeru.exe" ] }, "Artifacts": { @@ -5618,7 +6119,9 @@ { "Description": "Known remote domains", "Domains": [ - "*.hostedrmm.com" + "*.remotecall.com", + "*.startsupport.com", + "remotecall.com" ], "Ports": [] } 
@@ -5626,25 +6129,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_automate__labtech__network_sigma.yml", - "Description": "Detects potential network activity of Connectwise Automate (LabTech) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotecall_network_sigma.yml", + "Description": "Detects potential network activity of RemoteCall RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_automate__labtech__processes_sigma.yml", - "Description": "Detects potential processes activity of Connectwise Automate (LabTech) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotecall_processes_sigma.yml", + "Description": "Detects potential processes activity of RemoteCall RMM tool" } ], "References": [ - "https://www.connectwise.com/company/announcements/labtech-now-connectwise-automate" + "https://help.remotecall.com/hc/en-us/articles/360005128814--RemoteCall-Server-List-For-Firewall" ], "Acknowledgement": [] }, { - "Name": "DameWare", - "Description": "DameWare is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", + "Name": "Splashtop", + "Description": "Splashtop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "Nasreddine Bencherchali", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -5659,36 +6162,194 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "SolarWinds-Dameware-DRS*.exe", - "DameWare Mini Remote Control*.exe", - "C:\\Windows\\dwrcs\\*\n c:\\Program File\\SolarWinds\\Dameware Mini Remote Control\\*", - "dwrcs.exe", - "*\\dwrcs\\*", - "*\\dwrcst.exe", - "DameWare Remote Support.exe", - "SolarWinds-Dameware-MRC*.exe" + "C:\\Program Files (x86)\\Splashtop\\*", + "*\\Splashtop\\Splashtop Remote\\Client for RMM\\*", + "strwinclt.exe" ] }, "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [] + "Disk": [ + { + "File": "C:\\windows\\System32\\winevt\\Logs\\Splashtop-Splashtop Streamer-Status%4Operational.evtx", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "C:\\windows\\System32\\winevt\\Logs\\Splashtop-Splashtop Streamer-Remote Session%4Operational.evtx", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "%PROGRAMDATA%\\Splashtop\\Temp\\log\\FTCLog.txt", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\agent_log.txt", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\SPLog.txt", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\svcinfo.txt", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\sysinfo.txt", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRService.exe", + "Description": "Splashtop Remote Service", + "OS": "Windows" + }, + { + "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRAgent.exe", + "Description": "SplashTop Remote Agent", + "OS": "Windows" + }, + { + "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Software Updater\\SSUAgent.exe", 
+ "Description": "Splashtop Updater", + "OS": "Windows" + }, + { + "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRUtility.exe", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRFeature.exe", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\db\\SRAgent.sqlite3", + "Description": "N/A", + "OS": "Windows" + } + ], + "EventLog": [ + { + "EventID": 7045, + "ProviderName": "Service Control Manager", + "LogFile": "System.evtx", + "ServiceName": "Splashtop Software Updater Service", + "ImagePath": "\"C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Software Updater\\\\SSUService.exe\"", + "Description": "Service installation event as result of Splashtop Software Updater Service installation." + }, + { + "EventID": 7045, + "ProviderName": "Service Control Manager", + "LogFile": "System.evtx", + "ServiceName": "Splashtop® Remote Service", + "ImagePath": "\"C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Remote\\\\Server\\\\SRService.exe\"", + "Description": "Service installation event as result of Splashtop Remote Service installation." + }, + { + "EventID": 7045, + "ProviderName": "Service Control Manager", + "LogFile": "System.evtx", + "ServiceName": "SplashtopRemoteService", + "ImagePath": "\"C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Remote\\\\Server\\\\SRService.exe\"", + "Description": "Service installation event as result of Splashtop Remote Service installation." + } + ], + "Registry": [ + { + "Path": "KLM\\SOFTWARE\\WOW6432Node\\Splashtop Inc.\\*", + "Description": "Splashtop Inc. 
registry key" + }, + { + "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Splashtop Software Updater", + "Description": "Splashtop Software Updater uninstall key" + }, + { + "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SplashtopRemoteService", + "Description": "Splashtop Remote Service registry key" + }, + { + "Path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Splashtop-Splashtop Streamer-Remote Session/Operational", + "Description": "Splashtop Streamer Remote Session event log channel" + }, + { + "Path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Splashtop-Splashtop Streamer-Status/Operational", + "Description": "Splashtop Streamer Status event log channel" + }, + { + "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Splashtop Software Updater\\InstallRefCount", + "Description": "Splashtop Software Updater install reference count" + }, + { + "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\SplashtopRemoteService", + "Description": "Splashtop Remote Service safe boot configuration" + }, + { + "Path": "HKU\\.DEFAULT\\Software\\Splashtop Inc.\\*", + "Description": "Default user Splashtop Inc. registry key" + }, + { + "Path": "HKU\\SID\\Software\\Splashtop Inc.\\*", + "Description": "User-specific Splashtop Inc. 
registry key" + }, + { + "Path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\Splashtop PDF Remote Printer", + "Description": "Splashtop PDF Remote Printer configuration" + }, + { + "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Splashtop Inc.\\Splashtop Remote Server\\ClientInfo\\*", + "Description": "Splashtop Remote Server client information" + } + ], + "Network": [ + { + "Description": "N/A", + "Domains": [ + "*.splashtop.com" + ], + "Ports": [ + "N/A" + ] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware_processes_sigma.yml", - "Description": "Detects potential processes activity of DameWare RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_registry_sigma.yml", + "Description": "Detects potential registry activity of Splashtop RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_network_sigma.yml", + "Description": "Detects potential network activity of Splashtop RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_files_sigma.yml", + "Description": "Detects potential files activity of Splashtop RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_processes_sigma.yml", + "Description": "Detects potential processes activity of Splashtop RMM tool" } ], "References": [ - "https://documentation.solarwinds.com/en/success_center/dameware/content/install-standalone-port-requirements.htm" + "https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html" ], - "Acknowledgement": [] + "Acknowledgement": [ + { + "Person": "Théo Letailleur", + "Handle": "in/theosyn" + } + ] }, { - "Name": "Onionshare", - "Description": "Onionshare is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Name": "ManageEngine RMM Central", + "Description": "ManageEngine RMM Central is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -5705,34 +6366,37 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\Program Files (x86)\\OnionShare\\*", - "*\\OnionShare\\*", - "*\\onionshare*.exe", - "OnionShare-win*.msi" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "manageengine.com/remote-monitoring-management/" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/onionshare_processes_sigma.yml", - "Description": "Detects potential processes activity of Onionshare RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manageengine_rmm_central_network_sigma.yml", + "Description": "Detects potential network activity of ManageEngine RMM Central RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "Tailscale", - "Description": "Tailscale is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "AeroAdmin", + "Description": "AeroAdmin is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -5747,9 +6411,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "tailscale-*.exe", - "tailscaled.exe", - "tailscale-ipn.exe" + "aeroadmin.exe", + "AeroAdmin.exe" ] }, "Artifacts": { 
@@ -5760,9 +6423,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.tailscale.com", - "*.tailscale.io", - "tailscale.com" + "auth*.aeroadmin.com", + "aeroadmin.com" ], "Ports": [] } @@ -5770,25 +6432,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tailscale_network_sigma.yml", - "Description": "Detects potential network activity of Tailscale RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aeroadmin_network_sigma.yml", + "Description": "Detects potential network activity of AeroAdmin RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tailscale_processes_sigma.yml", - "Description": "Detects potential processes activity of Tailscale RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aeroadmin_processes_sigma.yml", + "Description": "Detects potential processes activity of AeroAdmin RMM tool" } ], "References": [ - "https://tailscale.com/kb/1023/troubleshooting" + "https://support.aeroadmin.com/kb/faq.php?id=58" ], "Acknowledgement": [] }, { - "Name": "Senso.cloud", - "Description": "Senso.cloud is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Microsoft TSC", + "Description": "Microsoft TSC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -5803,44 +6465,30 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "SensoClient.exe", - "SensoService.exe", - "aadg.exe" + "termsrv.exe", + "mstsc.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.senso.cloud", - "senso.cloud" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/senso.cloud_network_sigma.yml", - "Description": "Detects potential network activity of Senso.cloud RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/senso.cloud_processes_sigma.yml", - "Description": "Detects potential processes activity of Senso.cloud RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_tsc_processes_sigma.yml", + "Description": "Detects potential processes activity of Microsoft TSC RMM tool" } ], "References": [ - "https://support.senso.cloud/support/solutions/articles/79000116305-firewall-and-content-filter-configuration" + "https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/terminal-server-startup-connection-application" ], "Acknowledgement": [] }, { - "Name": "Proton Drive", - "Description": "Proton Drive is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "AweRay (AweSun)", + "Description": "AweRay (AweSun) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -5857,24 +6505,45 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "aweray_remote*.exe", + "AweSun.exe" + ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "asapi-us.aweray.net", + "asapi.aweray.net" + ], + "Ports": [] + } + ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray__awesun__network_sigma.yml", + "Description": "Detects potential network activity of AweRay (AweSun) RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray__awesun__processes_sigma.yml", + "Description": "Detects potential processes activity of AweRay (AweSun) RMM tool" + } + ], "References": [], "Acknowledgement": [] }, { - "Name": "UltraViewer", - "Description": "UltraViewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "NoMachine", + "Description": "NoMachine is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -5889,18 +6558,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "UltraViewer_Service.exe", - "UltraViewer_setup*", - "UltraViewer_Desktop.exe", - "ultraviewer.exe", - "C:\\Program Files (x86)\\UltraViewer\\UltraViewer_Desktop.exe", - "*\\UltraViewer\\", - "*\\UltraViewer_Desktop.exe", - "ultraviewer_desktop.exe", - "ultraviewer_service.exe", - "UltraViewer_Desktop.exe", - "UltraViewer_setup*", - "UltraViewer_Service.exe" + "nomachine*.exe", + "nxservice*.ese", + "nxd.exe" ] }, "Artifacts": { 
@@ -5911,8 +6571,8 @@ { "Description": "Known remote domains", "Domains": [ - "* .ultraviewer.net", - "ultraviewer.net" + "user_managed", + "nomachine.com" ], "Ports": [] } @@ -5920,25 +6580,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultraviewer_network_sigma.yml", - "Description": "Detects potential network activity of UltraViewer RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nomachine_network_sigma.yml", + "Description": "Detects potential network activity of NoMachine RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultraviewer_processes_sigma.yml", - "Description": "Detects potential processes activity of UltraViewer RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nomachine_processes_sigma.yml", + "Description": "Detects potential processes activity of NoMachine RMM tool" } ], "References": [ - "https://www.ultraviewer.net/en/200000026-summary-of-ultraviewer-s-security-information.html" + "https://kb.nomachine.com/AR04S01122" ], "Acknowledgement": [] }, { - "Name": "KickIdler", - "Description": "KickIdler is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "UltraVNC", + "Description": "UltraVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { @@ -5953,8 +6613,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "grabberEM.*msi", - "grabberTT*.msi" + "UltraVNC*.exe" ] }, "Artifacts": { @@ -5965,8 +6624,8 @@ { "Description": "Known remote domains", "Domains": [ - "kickidler.com", - "my.kickidler.com" + "ultravnc.com", + "user_managed" ], "Ports": [] } 
@@ -5974,18 +6633,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kickidler_network_sigma.yml", - "Description": "Detects potential network activity of KickIdler RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultravnc_network_sigma.yml", + "Description": "Detects potential network activity of UltraVNC RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultravnc_processes_sigma.yml", + "Description": "Detects potential processes activity of UltraVNC RMM tool" } ], "References": [ - "https://www.kickidler.com/for-it/faq/" + "https://uvnc.com/docs/uvnc-server/49-UltraVNC-server-configuration.html" ], "Acknowledgement": [] }, { - "Name": "Remmina", - "Description": "Remmina is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "TeraCLOUD", + "Description": "TeraCLOUD is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -6002,7 +6665,11 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "c:\\*\\TeraCloud.Client*", + "*\\TeraCloud.Client*", + "*\\Livedrive-Setup.exe" + ] }, "Artifacts": { "Disk": [], 
@@ -6010,16 +6677,21 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teracloud_processes_sigma.yml", + "Description": "Detects potential processes activity of TeraCLOUD RMM tool" + } + ], "References": [], "Acknowledgement": [] }, { - "Name": "eHorus", - "Description": "eHorus is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Instant Housecall", + "Description": "Instant Housecall is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -6034,7 +6706,10 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ehorus standalone.exe" + "hsloader.exe", + "ihcserver.exe", + "instanthousecall.exe", + "instanthousecall.exe" ] }, "Artifacts": { @@ -6045,7 +6720,10 @@ { "Description": "Known remote domains", "Domains": [ - "ehorus.com" + "*.instanthousecall.com", + "*.instanthousecall.net", + "instanthousecall.com", + "secure.instanthousecall.com" ], "Ports": [] } 
@@ -6053,23 +6731,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ehorus_network_sigma.yml", - "Description": "Detects potential network activity of eHorus RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_network_sigma.yml", + "Description": "Detects potential network activity of Instant Housecall RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ehorus_processes_sigma.yml", - "Description": "Detects potential processes activity of eHorus RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_processes_sigma.yml", + "Description": "Detects potential processes activity of Instant Housecall RMM tool" } ], - "References": [], + "References": [ + "https://instanthousecall.com/features/" + ], "Acknowledgement": [] }, { - "Name": "Quick Assist", - "Description": "Quick Assist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "NinjaRMM", + "Description": "NinjaRMM is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -6084,7 +6764,10 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "quickassist.exe" + "ninjarmmagent.exe", + "NinjaRMMAgent.exe", + "NinjaRMMAgenPatcher.exe", + "ninjarmm-cli.exe" ] }, "Artifacts": { @@ -6095,7 +6778,10 @@ { "Description": "Known remote domains", "Domains": [ - "*.support.services.microsoft.com" + "*.ninjarmm.com", + "*.ninjaone.com", + "resources.ninjarmm.com", + "ninjaone.com" ], "Ports": [] } 
@@ -6103,20 +6789,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quick_assist_network_sigma.yml", - "Description": "Detects potential network activity of Quick Assist RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ninjarmm_network_sigma.yml", + "Description": "Detects potential network activity of NinjaRMM RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quick_assist_processes_sigma.yml", - "Description": "Detects potential processes activity of Quick Assist RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ninjarmm_processes_sigma.yml", + "Description": "Detects potential processes activity of NinjaRMM RMM tool" } ], - "References": [], + "References": [ + "https://www.ninjaone.com/faq/" + ], "Acknowledgement": [] }, { - "Name": "N-Able Advanced Monitoring Agent", - "Description": "N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ngrok", + "Description": "ngrok is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -6134,12 +6822,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "Agent_*_RW.exe", - "BASEClient.exe", - "BASupApp.exe", - "BASupSrvc.exe", - "BASupSrvcCnfg.exe", - "BASupTSHelper.exe" + "ngrok.exe", + "C:\\*\\ngrok.zip", + "*\\ngrok*" ] }, "Artifacts": { 
@@ -6150,17 +6835,8 @@ { "Description": "Known remote domains", "Domains": [ - "*remote.management", - "*.logicnow.com", - "*systemmonitor.us", - "*systemmonitor.eu.com", - "*system-monitor.com", - "systemmonitor.us.cdn.cloudflare.net", - "*cloudbackup.management", - "*systemmonitor.co.uk", - "*.n-able.com", - "*.beanywhere.com ", - "*.swi-tc.com" + "user_managed", + "ngrok.com" ], "Ports": [] } @@ -6168,22 +6844,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_network_sigma.yml", - "Description": "Detects potential network activity of N-Able Advanced Monitoring Agent RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ngrok_network_sigma.yml", + "Description": "Detects potential network activity of ngrok RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_processes_sigma.yml", - "Description": "Detects potential processes activity of N-Able Advanced Monitoring Agent RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ngrok_processes_sigma.yml", + "Description": "Detects potential processes activity of ngrok RMM tool" } ], "References": [ - "https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm" + "https://ngrok.com/docs/guides/running-behind-firewalls/" ], "Acknowledgement": [] }, { - "Name": "KiTTY", - "Description": "KiTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Air Explorer", + "Description": "Air Explorer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -6201,8 +6877,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\*\\kitty.exe", - "*\\kitty.exe" + "C:\\Program Files\\airexplorer\\*", + "*\\airexplorer\\*", + "*\\airexplorer.exe" ] }, "Artifacts": { @@ -6213,16 +6890,16 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kitty_processes_sigma.yml", - "Description": "Detects potential processes activity of KiTTY RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/air_explorer_processes_sigma.yml", + "Description": "Detects potential processes activity of Air Explorer RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "AweRay (AweSun)", - "Description": "AweRay (AweSun) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Bitvise SSH Client", + "Description": "Bitvise SSH Client is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -6240,41 +6917,29 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "aweray_remote*.exe", - "AweSun.exe" + "C:\\Program Files (x86)\\Bitvise SSH Client\\*", + "*\\Bitvise SSH Client\\*", + "*\\BvSshClient-Inst.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "asapi-us.aweray.net", - "asapi.aweray.net" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray__awesun__network_sigma.yml", - "Description": "Detects potential network activity of AweRay (AweSun) RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray__awesun__processes_sigma.yml", - "Description": "Detects potential processes activity of AweRay (AweSun) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bitvise_ssh_client_processes_sigma.yml", + "Description": "Detects potential processes activity of Bitvise SSH Client RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "FleetDeck", - "Description": "FleetDeck is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Chicken (of the VNC)", + "Description": "Chicken (of the VNC) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -6291,43 +6956,24 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "fleetdeck_agent_svc.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "fleetdeck.io" - ], - "Ports": [] - } - ] + "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdeck_network_sigma.yml", - "Description": "Detects potential network activity of FleetDeck RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdeck_processes_sigma.yml", - "Description": "Detects potential processes activity of FleetDeck RMM tool" - } - ], + "Detections": [], "References": [], "Acknowledgement": [] }, { - "Name": "TeleDesktop", - "Description": "TeleDesktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "SkyFex", + "Description": "SkyFex is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -6342,9 +6988,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "pstlaunch.exe", - "ptdskclient.exe", - "ptdskhost.exe" + "Deskroll.exe", + "DeskRollUA.exe" ] }, "Artifacts": { @@ -6355,8 +7000,9 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "tele-desk.com" + "skyfex.com", + "deskroll.com", + "*.deskroll.com" ], "Ports": [] } 
@@ -6364,25 +7010,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teledesktop_network_sigma.yml", - "Description": "Detects potential network activity of TeleDesktop RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/skyfex_network_sigma.yml", + "Description": "Detects potential network activity of SkyFex RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teledesktop_processes_sigma.yml", - "Description": "Detects potential processes activity of TeleDesktop RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/skyfex_processes_sigma.yml", + "Description": "Detects potential processes activity of SkyFex RMM tool" } ], "References": [ - "http://potomacsoft.com/ - DOA as of 2024" + "https://skyfex.com/" ], "Acknowledgement": [] }, { - "Name": "Remote Utilities", - "Description": "Remote Utilities is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Ericom AccessNow", + "Description": "Ericom AccessNow is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -6397,8 +7043,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "rutview.exe", - "rutserv.exe" + "accessserver*.exe", + "accessserver.exe" ] }, "Artifacts": { @@ -6409,7 +7055,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.internetid.ru" + "user_managed", + "ericom.com" ], "Ports": [] } 
@@ -6417,25 +7064,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_utilities_network_sigma.yml", - "Description": "Detects potential network activity of Remote Utilities RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_accessnow_network_sigma.yml", + "Description": "Detects potential network activity of Ericom AccessNow RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_utilities_processes_sigma.yml", - "Description": "Detects potential processes activity of Remote Utilities RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_accessnow_processes_sigma.yml", + "Description": "Detects potential processes activity of Ericom AccessNow RMM tool" } ], "References": [ - "https://www.remoteutilities.com/download/" + "https://www.ericom.com/connect-accessnow/" ], "Acknowledgement": [] }, { - "Name": "Cloud Explorer", - "Description": "Cloud Explorer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Microsoft RDP", + "Description": "Microsoft RDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -6449,7 +7096,9 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "mstsc.exe" + ] }, "Artifacts": { "Disk": [], 
@@ -6457,16 +7106,23 @@ "Registry": [], "Network": [] }, - "Detections": [], - "References": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_rdp_processes_sigma.yml", + "Description": "Detects potential processes activity of Microsoft RDP RMM tool" + } + ], + "References": [ + "https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/windows" + ], "Acknowledgement": [] }, { - "Name": "NetSupport Manager", - "Description": "NetSupport Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Royal Server", + "Description": "Royal Server is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -6480,11 +7136,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "pcictlui.exe", - "pcicfgui.exe", - "client32.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], @@ -6494,8 +7146,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.netsupportmanager.com", - "netsupportmanager.com" + "royalapps.com" ], "Ports": [] } 
@@ -6503,25 +7154,19 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_network_sigma.yml", - "Description": "Detects potential network activity of NetSupport Manager RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_processes_sigma.yml", - "Description": "Detects potential processes activity of NetSupport Manager RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_server_network_sigma.yml", + "Description": "Detects potential network activity of Royal Server RMM tool" } ], - "References": [ - "https://www.netsupportmanager.com/resources/" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "GotoHTTP", - "Description": "GotoHTTP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Solar-PuTTY", + "Description": "Solar-PuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -6536,47 +7181,71 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "GotoHTTP_x64.exe", - "gotohttp.exe", - "GotoHTTP*.exe" + "C:\\Program Files\\Solar-Putty-v4\\*", + "*\\Solar-Putty-v4\\*", + "*\\Solar-PuTTY.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.gotohttp.com", - "gotohttp.com" - ], - "Ports": [] - } + "Network": [] + }, + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/solar-putty_processes_sigma.yml", + "Description": "Detects potential processes activity of Solar-PuTTY RMM tool" + } + ], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "Duplicati", + "Description": "Duplicati is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "c:\\Program Files\\*\\Duplicati.Server.exe", + "*\\*\\Duplicati.Server.exe" ] }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotohttp_network_sigma.yml", - "Description": "Detects potential network activity of GotoHTTP RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotohttp_processes_sigma.yml", - "Description": "Detects potential processes activity of GotoHTTP RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/duplicati_processes_sigma.yml", + "Description": "Detects potential processes activity of Duplicati RMM tool" } ], - "References": [ 
- "https://gotohttp.com/goto/help.12x" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "RemoteUtilities", - "Description": "RemoteUtilities is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Remote Desktop Plus", + "Description": "Remote Desktop Plus is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -6591,12 +7260,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "rutview.exe", - "*\\Remote Manipulator System - Server\\*", - "C:\\Program Files\\Remote Utilities\\*", - "*\\Remote Utilities\\*", - "rutserv.exe", - "*\\rutserv.exe" + "rdp.exe" ] }, "Artifacts": { @@ -6607,7 +7271,7 @@ { "Description": "Known remote domains", "Domains": [ - "remoteutilities.com" + "donkz.nl" ], "Ports": [] } 
@@ -6615,146 +7279,32 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteutilities_network_sigma.yml", - "Description": "Detects potential network activity of RemoteUtilities RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_desktop_plus_network_sigma.yml", + "Description": "Detects potential network activity of Remote Desktop Plus RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteutilities_processes_sigma.yml", - "Description": "Detects potential processes activity of RemoteUtilities RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_desktop_plus_processes_sigma.yml", + "Description": "Detects potential processes activity of Remote Desktop Plus RMM tool" } ], - "References": [], + "References": [ + "https://www.donkz.nl/" + ], "Acknowledgement": [] }, { - "Name": "GoToMyPC", - "Description": "GoToMyPC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.\n", - "Author": "Nasreddine Bencherchali", - "Created": "2024-08-05", - "LastModified": "2024-08-05", + "Name": "ITSupport247 (ConnectWise)", + "Description": "ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/8/2024", "Details": { "Website": "", - "PEMetadata": [ - { - "Filename": "AppCore.exe" - }, - { - "Filename": "g2comm.exe" - }, - { - "Filename": "g2file*.exe" - }, - { - "Filename": "g2fileh.exe" - }, - { - "Filename": "g2host.exe" - }, - { - "Filename": "g2m_download.exe" - }, - { - "Filename": "g2mainh.exe" - }, - { - "Filename": "G2MChat.exe" - }, - { - "Filename": "G2MCodecInstExtractor.exe" - }, - { - "Filename": "G2MComm.exe" - }, - { - "Filename": "G2MCoreInstExtractor.exe" - }, - { - "Filename": "G2MFeedback.exe" - }, - { - "Filename": "G2MHost.exee" - }, - { - "Filename": "G2MInstaller.exe" - }, - { - "Filename": "G2MInstallerExtractor.exe" - }, - { - "Filename": "G2MInstHigh.exe" - }, - { - "Filename": "G2MLauncher.exe" - }, - { - "Filename": "G2MMatchMaking.exe" - }, - { - "Filename": "G2MMaterials.exe" - }, - { - "Filename": "G2MPolling.exe" - }, - { - "Filename": "G2MQandA.exe" - }, - { - "Filename": "G2MRecorder.exe" - }, - { - "Filename": "G2MScrUtil64.exe" - }, - { - "Filename": "G2MSessionControl.exe" - }, - { - "Filename": "G2MStart.exe" - }, - { - "Filename": "G2MTesting.exe" - }, - { - "Filename": "G2MTranscoder.exe" - }, - { - "Filename": "G2MUI.exe" - }, - { - "Filename": "G2MUninstall.exe" - }, - { - "Filename": "g2mupload.exe" - }, - { - "Filename": "g2mvideoconference.exe" - }, - { - "Filename": "G2MView.exe" - }, - { - "Filename": "g2printh.exe" - }, - { - "Filename": "g2quick.exe" - }, - { - "Filename": "g2svc.exe" - }, - { - "Filename": "g2tray.exe" - }, - { - "Filename": "gopcsrv.exe" - }, - { - "Filename": "GoToScrUtils.exe" - }, - { - "Filename": "GoTo.exe", - "OriginalFileName": "", - "Description": "" - } - ], + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, "Privileges": "", "Free": "", "Verification": "", 
@@ -6762,77 +7312,42 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\GoToMyPC\\*" + "saazapsc.exe" ] }, "Artifacts": { - "Disk": [ - { - "File": "%AppData%\\GoTo\\Logs\\goto.log", - "Description": "N/A", - "OS": "Windows" - } - ], + "Disk": [], "EventLog": [], - "Registry": [ - { - "Path": "HKEY_LOCAL_MACHINE\\WOW6432Node\\Citrix\\GoToMyPc", - "Description": "Configuration settings including registration email" - }, - { - "Path": "HKEY_LOCAL_MACHINE\\WOW6432Node\\Citrix\\GoToMyPc\\GuestInvite", - "Description": "Guest invites send to connect" - }, - { - "Path": "HKEY_CURRENT_USER\\SOFTWARE\\Citrix\\GoToMyPc\\FileTransfer\\history", - "Description": "hostname of the computer making connections and location of transferred files" - }, - { - "Path": "HKEY_USERS\\\\SOFTWARE\\Citrix\\GoToMyPc\\FileTransfer\\history", - "Description": "hostname of the computer making connections and location of transferred files" - } - ], + "Registry": [], "Network": [ { - "Description": "N/A", + "Description": "Known remote domains", "Domains": [ - "*.GoToMyPC.com" + "*.itsupport247.net", + "itsupport247.net" ], - "Ports": [ - "N/A" - ] + "Ports": [] } ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_registry_sigma.yml", - "Description": "Detects potential registry activity of GoToMyPC RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_network_sigma.yml", - "Description": "Detects potential network activity of GoToMyPC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__network_sigma.yml", + "Description": "Detects potential network activity of ITSupport247 (ConnectWise) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_files_sigma.yml", - "Description": "Detects potential files activity of GoToMyPC RMM tool" 
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__processes_sigma.yml", + "Description": "Detects potential processes activity of ITSupport247 (ConnectWise) RMM tool" } ], "References": [ - "https://support.logmeininc.com/gotomypc/help/what-are-the-optimal-firewall-configurations#", - "https://support.goto.com/training/help/how-do-i-configure-gototraining-to-work-with-firewalls", - "https://ruler-project.github.io/ruler-project/RULER/remote/Citrix%20GoToMyPC/" + "https://control.itsupport247.net/" ], - "Acknowledgement": [ - { - "Person": "Phill Moore", - "Handle": "@phillmoore" - } - ] + "Acknowledgement": [] }, { - "Name": "SmartCode Web VNC", - "Description": "SmartCode Web VNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "GoodSync", + "Description": "GoodSync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -6850,8 +7365,10 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files\\TightVNC\\*", - "*\\TightVNC\\*" + "installation requires paid version of GoodSync Server", + "installation requires paid version of GoodSync Server", + "GoodSync-vsub-Setup.exe", + "A40B81B36CDC2D24910FC58816E50DCDE21BD1A9" ] }, "Artifacts": { 
@@ -6860,16 +7377,21 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/goodsync_processes_sigma.yml", + "Description": "Detects potential processes activity of GoodSync RMM tool" + } + ], "References": [], "Acknowledgement": [] }, { - "Name": "Seetrol", - "Description": "Seetrol is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "DesktopNow", + "Description": "DesktopNow is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/26/2024", "Details": { "Website": "", "PEMetadata": { @@ -6884,11 +7406,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "seetrolcenter.exe", - "seetrolclient.exe", - "seetrolmyservice.exe", - "seetrolremote.exe", - "seetrolsetting.exe" + "desktopnow.exe" ] }, "Artifacts": { @@ -6899,7 +7417,7 @@ { "Description": "Known remote domains", "Domains": [ - "seetrol.co.kr" + "*.nchuser.com" ], "Ports": [] } 
@@ -6907,25 +7425,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/seetrol_network_sigma.yml", - "Description": "Detects potential network activity of Seetrol RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktopnow_network_sigma.yml", + "Description": "Detects potential network activity of DesktopNow RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/seetrol_processes_sigma.yml", - "Description": "Detects potential processes activity of Seetrol RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktopnow_processes_sigma.yml", + "Description": "Detects potential processes activity of DesktopNow RMM tool" } ], "References": [ - "http://www.seetrol.com/en/features/features3.php" + "https://forums.ivanti.com/s/article/Network-Ports-used-by-Environment-Manager?language=en_US" ], "Acknowledgement": [] }, { - "Name": "RDPView", - "Description": "RDPView is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Remmina", + "Description": "Remmina is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -6939,46 +7457,24 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "dwrcs.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "user_managed", - "systemmanager.ru/dntu.en/rdp_view.htm" - ], - "Ports": [] - } - ] + "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpview_network_sigma.yml", - "Description": "Detects potential network activity of RDPView RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpview_processes_sigma.yml", - "Description": "Detects potential processes activity of RDPView RMM tool" - } - ], - "References": [ - "systemmanager.ru/dntu.en/rdp_view.htm - Same as Damware" - ], + "Detections": [], + "References": [], "Acknowledgement": [] }, { - "Name": "Zoho Assist", - "Description": "Zoho Assist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "CloudMounter", + "Description": "CloudMounter is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -6993,65 +7489,33 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "zaservice.exe", - "ZMAgent.exe", - "C:\\*\\ZA_Access.exe", - "ZohoMeeting.exe", - "Zohours.exe", - "zohotray.exe", - "ZohoURSService.exe", - "*\\ZA_Access.exe", - "Zaservice.exe", - "za_connect.exe" + "C:\\Program Files\\CloudMounter\\*", + "*\\CloudMounter\\*", + "*\\CloudMounter\\*", + "*\\cloudmounter.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.zoho.com.au", - "*.zohoassist.jp", - "assist.zoho.com", - "zoho.com/assist/", - "*.zoho.in", - "downloads.zohodl.com.cn", - "*.zohoassist.com", - "downloads.zohocdn.com", - "gateway.zohoassist.com", - "*.zohoassist.com.cn", - "*.zoho.com.cn", - "*.zoho.com", - "*.zoho.eu" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoho_assist_network_sigma.yml", - "Description": "Detects potential network activity of Zoho Assist RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoho_assist_processes_sigma.yml", - "Description": "Detects potential processes activity of Zoho Assist RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudmounter_processes_sigma.yml", + "Description": "Detects potential processes activity of CloudMounter RMM tool" } ], - "References": [ - "https://www.zoho.com/assist/kb/firewall-configuration.html" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "Xpra", - "Description": "Xpra is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Distant Desktop", + "Description": "Distant Desktop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -7066,33 +7530,47 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\Xpra\\*", - "*\\Xpra\\*", - "*\\Xpra-Launcher.exe", - "*\\Xpra-x86_64_Setup.exe" + "distant-desktop.exe", + "dd.exe", + "ddsystem.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.distantdesktop.com", + "*signalserver.xyz" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xpra_processes_sigma.yml", - "Description": "Detects potential processes activity of Xpra RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_network_sigma.yml", + "Description": "Detects potential network activity of Distant Desktop RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_processes_sigma.yml", + "Description": "Detects potential processes activity of Distant Desktop RMM tool" } ], - "References": [], + "References": [ + "https://www.distantdesktop.com/manual/first-start.htm" + ], "Acknowledgement": [] }, { - "Name": "CloudBuckIt", - "Description": "CloudBuckIt is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "DameWare", + "Description": "DameWare is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -7107,9 +7585,14 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\CloudBuckIt\\*", - "*\\CloudBuckIt\\*", - "*\\CloudBuckIt*.exe" + "SolarWinds-Dameware-DRS*.exe", + "DameWare Mini Remote Control*.exe", + "C:\\Windows\\dwrcs\\*\n c:\\Program File\\SolarWinds\\Dameware Mini Remote Control\\*", + "dwrcs.exe", + "*\\dwrcs\\*", + "*\\dwrcst.exe", + "DameWare Remote Support.exe", + "SolarWinds-Dameware-MRC*.exe" ] }, "Artifacts": { @@ -7120,19 +7603,21 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudbuckit_processes_sigma.yml", - "Description": "Detects potential processes activity of CloudBuckIt RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware_processes_sigma.yml", + "Description": "Detects potential processes activity of DameWare RMM tool" } ], - "References": [], + "References": [ + "https://documentation.solarwinds.com/en/success_center/dameware/content/install-standalone-port-requirements.htm" + ], "Acknowledgement": [] }, { - "Name": "DeskNets", - "Description": "DeskNets is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Level", + "Description": "Level is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/26/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -7152,17 +7637,28 @@ "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "level.io" + ], + "Ports": [] + } + ] }, - "Detections": [], - "References": [ - "https://www.desknets.com/en/download.html" + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level_network_sigma.yml", + "Description": "Detects potential network activity of Level RMM tool" + } ], + "References": [], "Acknowledgement": [] }, { - "Name": "ODrive", - "Description": "ODrive is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Insync", + "Description": "Insync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -7180,9 +7676,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Users\\*\\current\\", - "*Users\\*\\.odrive", - "*\\Odriveapp.exe" + "C:\\Users\\USERNAME\\AppData\\Roaming\\Insync\\App\\Insync.exe", + "*Users\\*\\AppData\\Roaming\\Insync\\App\\Insync.exe", + "*\\Insync.exe" ] }, "Artifacts": { 
@@ -7193,16 +7689,16 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/odrive_processes_sigma.yml", - "Description": "Detects potential processes activity of ODrive RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/insync_processes_sigma.yml", + "Description": "Detects potential processes activity of Insync RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "XRDP", - "Description": "XRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Bomgar - Now BeyondTrust", + "Description": "Bomgar - Now BeyondTrust is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -7232,11 +7728,11 @@ "Acknowledgement": [] }, { - "Name": "ManageEngine", - "Description": "ManageEngine is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ISL Online", + "Description": "ISL Online is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -7251,34 +7747,52 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "InstallShield Setup.exe", - "ManageEngine_Remote_Access_Plus.exe", - "*\\dcagentservice.exe", - "C:\\Program Files (x86)\\DesktopCentral_Agent\\bin\\*", - "*\\DesktopCentral_Agent\\bin\\*" + "*\\ISLLight.exe", + "isllight.exe", + "ISLLightClient.exe", + "C:\\Program Files (x86)\\ISL Online\\ISL Light*", + "*\\ISL Online\\ISL Light*", + "ISLLight.exe", + "isllightservice.exe", + "islalwaysonmonitor.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.islonline.com", + "*.islonline.net" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manageengine_processes_sigma.yml", - "Description": "Detects potential processes activity of ManageEngine RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_network_sigma.yml", + "Description": "Detects potential network activity of ISL Online RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_processes_sigma.yml", + "Description": "Detects potential processes activity of ISL Online RMM tool" } ], - "References": [], + "References": [ + "https://help.islonline.com/19818/165940" + ], "Acknowledgement": [] }, { - "Name": "Impero Connect", - "Description": "Impero Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Remote.it", + "Description": "Remote.it is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -7293,7 +7807,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ImperoClientSVC.exe" + "remote-it-installer.exe", + "remote.it.exe", + "remoteit.exe" ] }, "Artifacts": { @@ -7304,7 +7820,9 @@ { "Description": "Known remote domains", "Domains": [ - "imperosoftware.com" + "auth.api.remote.it", + "api.remote.it", + "remote.it" ], "Ports": [] } @@ -7312,20 +7830,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/impero_connect_network_sigma.yml", - "Description": "Detects potential network activity of Impero Connect RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote.it_network_sigma.yml", + "Description": "Detects potential network activity of Remote.it RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/impero_connect_processes_sigma.yml", - "Description": "Detects potential processes activity of Impero Connect RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote.it_processes_sigma.yml", + "Description": "Detects potential processes activity of Remote.it RMM tool" } ], - "References": [], + "References": [ + "https://docs.remote.it/introduction/get-started" + ], "Acknowledgement": [] }, { - "Name": "Remcos", - "Description": "Remcos is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Core FTP", + "Description": "Core FTP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -7343,7 +7863,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "remcos*.exe" + "C:\\*\\coreftplite.exe", + "*\\coreftplite.exe" ] }, "Artifacts": { 
@@ -7354,19 +7875,19 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remcos_processes_sigma.yml", - "Description": "Detects potential processes activity of Remcos RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/core_ftp_processes_sigma.yml", + "Description": "Detects potential processes activity of Core FTP RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "PDQ Connect", - "Description": "PDQ Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Netreo", + "Description": "Netreo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/26/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -7380,9 +7901,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "pdq-connect*.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], @@ -7392,8 +7911,10 @@ { "Description": "Known remote domains", "Domains": [ - "app.pdq.com", - "cfcdn.pdq.com" + "charon.netreo.net", + "activation.netreo.net", + "*.api.netreo.com", + "netreo.com" ], "Ports": [] } 
@@ -7401,22 +7922,18 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pdq_connect_network_sigma.yml", - "Description": "Detects potential network activity of PDQ Connect RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pdq_connect_processes_sigma.yml", - "Description": "Detects potential processes activity of PDQ Connect RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netreo_network_sigma.yml", + "Description": "Detects potential network activity of Netreo RMM tool" } ], "References": [ - "https://connect.pdq.com/hc/en-us/articles/9518992071707-Network-Requirements" + "https://solutions.netreo.com/docs/firewall-requirements" ], "Acknowledgement": [] }, { - "Name": "Terminals", - "Description": "Terminals is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "CuteFTP", + "Description": "CuteFTP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -7433,7 +7950,11 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "C:\\Program Files (x86)\\Globalscape\\CuteFTP\\*", + "*\\Globalscape\\CuteFTP\\*", + "*\\cuteftppro.exe" + ] }, "Artifacts": { "Disk": [], 
@@ -7441,13 +7962,18 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cuteftp_processes_sigma.yml", + "Description": "Detects potential processes activity of CuteFTP RMM tool" + } + ], "References": [], "Acknowledgement": [] }, { - "Name": "Air Live Drive", - "Description": "Air Live Drive is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "CloudBuckIt", + "Description": "CloudBuckIt is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -7465,9 +7991,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files\\AirLiveDrive\\*", - "*\\AirLiveDrive\\*", - "*\\AirLiveDrive.exe" + "C:\\Program Files (x86)\\CloudBuckIt\\*", + "*\\CloudBuckIt\\*", + "*\\CloudBuckIt*.exe" ] }, "Artifacts": { @@ -7478,19 +8004,19 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/air_live_drive_processes_sigma.yml", - "Description": "Detects potential processes activity of Air Live Drive RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudbuckit_processes_sigma.yml", + "Description": "Detects potential processes activity of CloudBuckIt RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "Syncro", - "Description": "Syncro is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "NoteOn-desktop sharing", + "Description": "NoteOn-desktop sharing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/13/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -7505,63 +8031,32 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "Syncro.Installer.exe", - "Kabuto.App.Runner.exe", - "Syncro.Overmind.Service.exe", - "Kabuto.Installer.exe", - "KabutoSetup.exe", - "Syncro.Service.exe", - "Kabuto.Service.Runner.exe", - "Syncro.App.Runner.exe", - "SyncroLive.Service.exe", - "SyncroLive.Agent.exe" + "nateon*.exe", + "nateon.exe", + "nateonmain.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "kabuto.io", - "*.syncromsp.com", - "*.syncroapi.com", - "syncromsp.com", - "servably.com", - "ld.aurelius.host", - "app.kabuto.io ", - "*.kabutoservices.com", - "repairshopr.com", - "kabutoservices.com", - "attachments.servably.com" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncro_network_sigma.yml", - "Description": "Detects potential network activity of Syncro RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncro_processes_sigma.yml", - "Description": "Detects potential processes activity of Syncro RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/noteon-desktop_sharing_processes_sigma.yml", + "Description": "Detects potential processes activity of NoteOn-desktop sharing RMM tool" } ], - "References": [ - "https://community.syncromsp.com/t/syncro-exceptions-and-allowlists/2004" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "247ithelp.com (ConnectWise)", - "Description": "247ithelp.com (ConnectWise) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Royal TS", + "Description": "Royal TS is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -7576,7 +8071,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "Remote Workforce Client.exe" + "royalts.exe" ] }, "Artifacts": { @@ -7587,7 +8082,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.247ithelp.com" + "royalapps.com" ], "Ports": [] } 
@@ -7595,25 +8090,56 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/247ithelp.com__connectwise__network_sigma.yml", - "Description": "Detects potential network activity of 247ithelp.com (ConnectWise) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_ts_network_sigma.yml", + "Description": "Detects potential network activity of Royal TS RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/247ithelp.com__connectwise__processes_sigma.yml", - "Description": "Detects potential processes activity of 247ithelp.com (ConnectWise) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_ts_processes_sigma.yml", + "Description": "Detects potential processes activity of Royal TS RMM tool" } ], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "DeskNets", + "Description": "DeskNets is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/26/2024", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [], "References": [ - "Similar / replaced by ScreenConnect" + "https://www.desknets.com/en/download.html" ], "Acknowledgement": [] }, { - "Name": "Netviewer", - "Description": "Netviewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "QQ IM-remote assistance", + "Description": "QQ IM-remote assistance is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -7628,8 +8154,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "netviewer*.exe", - "netviewer.exe" + "qq.exe", + "QQProtect.exe", + "qqpcmgr.exe" ] }, "Artifacts": { @@ -7640,7 +8167,10 @@ { "Description": "Known remote domains", "Domains": [ - "download.cnet.com/Net-Viewer/3000-2370_4-10034828.html" + "*.mdt.qq.com", + "*.desktop.qq.com", + "upload_data.qq.com", + "qq-messenger.en.softonic.com" ], "Ports": [] } 
@@ -7648,23 +8178,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer_network_sigma.yml", - "Description": "Detects potential network activity of Netviewer RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/qq_im-remote_assistance_network_sigma.yml", + "Description": "Detects potential network activity of QQ IM-remote assistance RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer_processes_sigma.yml", - "Description": "Detects potential processes activity of Netviewer RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/qq_im-remote_assistance_processes_sigma.yml", + "Description": "Detects potential processes activity of QQ IM-remote assistance RMM tool" } ], - "References": [], + "References": [ + "https://en.wikipedia.org/wiki/Tencent_QQ" + ], "Acknowledgement": [] }, { - "Name": "Syspectr", - "Description": "Syspectr is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "PuTTY Tray", + "Description": "PuTTY Tray is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/26/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -7679,46 +8211,31 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "oo-syspectr*.exe", - "OOSysAgent.exe" + "C:\\*\\puttytray.exe", + "*\\puttytray.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "atled.syspectr.com", - "app.syspectr.com" - ], - "Ports": [] - } - ] - }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syspectr_network_sigma.yml", - "Description": "Detects potential network activity of Syspectr RMM tool" - }, + "Network": [] + }, + "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syspectr_processes_sigma.yml", - "Description": "Detects potential processes activity of Syspectr RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/putty_tray_processes_sigma.yml", + "Description": "Detects potential processes activity of PuTTY Tray RMM tool" } ], - "References": [ - "https://www.syspectr.com/en/installation-in-a-network" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "I'm InTouch", - "Description": "I'm InTouch is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "FileZilla", + "Description": "FileZilla is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -7733,44 +8250,29 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "iit.exe", - "intouch.exe", - "I'm InTouch Go Installer.exe" + "C:\\Program Files\\FileZilla FTP Client\\*", + "*\\FileZilla FTP Client\\*", + "*\\FileZilla.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.01com.com", - "01com.com/imintouch-remote-pc-desktop" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/i'm_intouch_network_sigma.yml", - "Description": "Detects potential network activity of I'm InTouch RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/i'm_intouch_processes_sigma.yml", - "Description": "Detects potential processes activity of I'm InTouch RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/filezilla_processes_sigma.yml", + "Description": "Detects potential processes activity of FileZilla RMM tool" } ], - "References": [ - "https://www.01com.com/mobile/imintouch-remote-pc-desktop/faqs/remote-access/" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "aria2", - "Description": "aria2 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "XRDP", + "Description": "XRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -7787,12 +8289,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\ProgramData\\CentraStage\\AEMAgent\\*", - "*ProgramData\\CentraStage\\AEMAgent\\*", - "*\\Steinberg\\Download Assistant\\3rd Party\\optional\\aria2\\*", - "*\\aria2c.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], 
@@ -7800,21 +8297,16 @@ "Registry": [], "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aria2_processes_sigma.yml", - "Description": "Detects potential processes activity of aria2 RMM tool" - } - ], + "Detections": [], "References": [], "Acknowledgement": [] }, { - "Name": "ISL Light", - "Description": "ISL Light is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "FastViewer", + "Description": "FastViewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -7829,9 +8321,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "islalwaysonmonitor.exe", - "isllight.exe", - "isllightservice.exe" + "fastclient.exe", + "fastmaster.exe", + "FastViewer.exe" ] }, "Artifacts": { @@ -7842,7 +8334,8 @@ { "Description": "Known remote domains", "Domains": [ - "islonline.com" + "*.fastviewer.com", + "fastviewer.com" ], "Ports": [] } 
@@ -7850,23 +8343,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_light_network_sigma.yml", - "Description": "Detects potential network activity of ISL Light RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fastviewer_network_sigma.yml", + "Description": "Detects potential network activity of FastViewer RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_light_processes_sigma.yml", - "Description": "Detects potential processes activity of ISL Light RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fastviewer_processes_sigma.yml", + "Description": "Detects potential processes activity of FastViewer RMM tool" } ], - "References": [], + "References": [ + "https://fastviewer.com/demo/EN_FastViewer_Server%20Installation%20Configuration.pdf" + ], "Acknowledgement": [] }, { - "Name": "Mocha VNC Lite", - "Description": "Mocha VNC Lite is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Jump Desktop", + "Description": "Jump Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -7881,27 +8376,51 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "This installs a modified VNC and cannot be blocked by path separate from VNC", - "This installs a modified VNC and cannot be blocked by path separate from VNC", - "*\\RealVNC\\VNC4\\*" + "jumpclient.exe", + "jumpdesktop.exe", + "jumpservice.exe", + "jumpconnect.exe", + "jumpupdater.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.jumpdesktop.com", + "jumpdesktop.com", + "jumpto.me", + "*.jumpto.me" + ], + "Ports": [] + } + ] }, - "Detections": [], - "References": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_desktop_network_sigma.yml", + "Description": "Detects potential network activity of Jump Desktop RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_desktop_processes_sigma.yml", + "Description": "Detects potential processes activity of Jump Desktop RMM tool" + } + ], + "References": [ + "https://support.jumpdesktop.com/hc/en-us/articles/360042490351-Administrators-Guide-For-Jump-Desktop-Connect" + ], "Acknowledgement": [] }, { - "Name": "Ericom Connect", - "Description": "Ericom Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "pCloud", + "Description": "pCloud is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -7916,46 +8435,32 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "EricomConnectRemoteHost*.exe", - "ericomconnnectconfigurationtool.exe" + "C:\\Program Files (x86)\\pCloud Drive\\", + "*\\pCloud Drive\\", + "*\\pCloud.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "user_managed", - "ericom.com" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_connect_network_sigma.yml", - "Description": "Detects potential network activity of Ericom Connect RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_connect_processes_sigma.yml", - "Description": "Detects potential processes activity of Ericom Connect RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcloud_processes_sigma.yml", + "Description": "Detects potential processes activity of pCloud RMM tool" } ], - "References": [ - "https://www.ericom.com/connect-accessnow/" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "Yandex.Disk", - "Description": "Yandex.Disk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Ivanti Remote Control", + "Description": "Ivanti Remote Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -7970,32 +8475,46 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\Yandex\\*", - "*\\Yandex\\*", - "*\\YandexDisk2.exe" + "IvantiRemoteControl.exe", + "ArcUI.exe", + "AgentlessRC.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.ivanticloud.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/yandex.disk_processes_sigma.yml", - "Description": "Detects potential processes activity of Yandex.Disk RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ivanti_remote_control_network_sigma.yml", + "Description": "Detects potential network activity of Ivanti Remote Control RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ivanti_remote_control_processes_sigma.yml", + "Description": "Detects potential processes activity of Ivanti Remote Control RMM tool" } ], - "References": [], + "References": [ + "https://rc1.ivanticloud.com/" + ], "Acknowledgement": [] }, { - "Name": "LiteManager", - "Description": "LiteManager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "BeInSync", + "Description": "BeInSync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/26/2024", "Details": { "Website": "", "PEMetadata": { @@ -8010,12 +8529,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "lmnoipserver.exe", - "ROMFUSClient.exe", - "romfusclient.exe", - "romviewer.exe", - "romserver.exe", - "ROMServer.exe" + "Beinsync*.exe" ] }, "Artifacts": { 
@@ -8026,9 +8540,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.litemanager.ru", - "*.litemanager.com", - "litemanager.com" + "*.beinsync.net", + "*.beinsync.com" ], "Ports": [] } @@ -8036,25 +8549,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/litemanager_network_sigma.yml", - "Description": "Detects potential network activity of LiteManager RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beinsync_network_sigma.yml", + "Description": "Detects potential network activity of BeInSync RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/litemanager_processes_sigma.yml", - "Description": "Detects potential processes activity of LiteManager RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beinsync_processes_sigma.yml", + "Description": "Detects potential processes activity of BeInSync RMM tool" } ], "References": [ - "https://www.litemanager.com/articles/LiteManager_remote_access_to_a_desktop_via_the_Internet_or_LAN/" + "https://en.wikipedia.org/wiki/Phoenix_Technologies" ], "Acknowledgement": [] }, { - "Name": "BeAnyWhere", - "Description": "BeAnyWhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "NateOn-desktop sharing", + "Description": "NateOn-desktop sharing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -8069,14 +8582,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "basuptshelper.exe", - "basupsrvcupdate.exe", - "BASupApp.exe", - "BASupSysInf.exe", - "BASupAppSrvc.exe", - "TakeControl.exe", - "BASupAppElev.exe", - "basupsrvc.exe" + "nateon*.exe", + "nateon.exe", + "nateonmain.exe" ] }, "Artifacts": { @@ -8087,8 +8595,7 @@ { "Description": "Known remote domains", "Domains": [ - "beanywhere.en.uptodown.com/windows", - "beanywhere.com" + "*.nate.com" ], "Ports": [] } @@ -8096,25 +8603,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beanywhere_network_sigma.yml", - "Description": "Detects potential network activity of BeAnyWhere RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nateon-desktop_sharing_network_sigma.yml", + "Description": "Detects potential network activity of NateOn-desktop sharing RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beanywhere_processes_sigma.yml", - "Description": "Detects potential processes activity of BeAnyWhere RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nateon-desktop_sharing_processes_sigma.yml", + "Description": "Detects potential processes activity of NateOn-desktop sharing RMM tool" } ], "References": [ - "https://www.shouldiremoveit.com/beanywhere-support-service-40908-program.aspx" + "http://rsupport.nate.com/rview/r8/main/index.aspx" ], "Acknowledgement": [] }, { - "Name": "Jump Cloud", - "Description": "Jump Cloud is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Xeox", + "Description": "Xeox is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/26/2024", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -8129,7 +8636,10 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "JumpCloud*.exe " + "xeox-agent_x64.exe", + "xeox_service_windows.exe", + "xeox-agent_*.exe", + "xeox-agent_x86.exe" ] }, "Artifacts": { @@ -8140,8 +8650,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.api.jumpcloud.com", - "*.assist.jumpcloud.com" + "*.xeox.com", + "xeox.com" ], "Ports": [] } @@ -8149,18 +8659,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_cloud_network_sigma.yml", - "Description": "Detects potential network activity of Jump Cloud RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xeox_network_sigma.yml", + "Description": "Detects potential network activity of Xeox RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xeox_processes_sigma.yml", + "Description": "Detects potential processes activity of Xeox RMM tool" } ], "References": [ - "https://jumpcloud.com/support/understand-remote-assist-agent" + "https://help.xeox.com/knowledge-base/gSuyNfDH6u79M82utnswf2/firewall-settings-xeox-agent-and-integrations/47T7S9tZJ2L1Z2W5gwuXoW" ], "Acknowledgement": [] }, { - "Name": "Remote Desktop Manager (Devolutions)", - "Description": "Remote Desktop Manager (Devolutions) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "WinSCP", + "Description": "WinSCP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -8177,7 +8691,12 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "C:\\Users\\IEUser\\Downloads\\WinSCP-5.21.6-Portable\\*", + "*\\WinSCP*Portable\\*", + "*\\WinSCP.exe", + "*\\WinSCP\\*" + ] }, "Artifacts": { "Disk": [], 
@@ -8185,16 +8704,21 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/winscp_processes_sigma.yml", + "Description": "Detects potential processes activity of WinSCP RMM tool" + } + ], "References": [], "Acknowledgement": [] }, { - "Name": "AweRay", - "Description": "AweRay is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Desktop Central", + "Description": "Desktop Central is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -8209,8 +8733,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "aweray_remote*.exe", - "AweSun.exe" + "dcagentservice.exe" ] }, "Artifacts": { @@ -8221,8 +8744,7 @@ { "Description": "Known remote domains", "Domains": [ - "asapi*.aweray.net", - "client-api.aweray.com" + "desktopcentral.manageengine.com" ], "Ports": [] } 
@@ -8230,25 +8752,23 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray_network_sigma.yml", - "Description": "Detects potential network activity of AweRay RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktop_central_network_sigma.yml", + "Description": "Detects potential network activity of Desktop Central RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray_processes_sigma.yml", - "Description": "Detects potential processes activity of AweRay RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktop_central_processes_sigma.yml", + "Description": "Detects potential processes activity of Desktop Central RMM tool" } ], - "References": [ - "https://sun.aweray.com/help" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "Remobo", - "Description": "Remobo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "DW Service", + "Description": "DW Service is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -8263,9 +8783,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "remobo.exe", - "remobo_client.exe", - "remobo_tracker.exe" + "dwagsvc.exe", + "dwagent.exe", + "dwagsvc.exe" ] }, "Artifacts": { @@ -8276,8 +8796,7 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "remobo.en.softonic.com" + "*.dwservice.net" ], "Ports": [] } 
@@ -8285,25 +8804,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remobo_network_sigma.yml", - "Description": "Detects potential network activity of Remobo RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_network_sigma.yml", + "Description": "Detects potential network activity of DW Service RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remobo_processes_sigma.yml", - "Description": "Detects potential processes activity of Remobo RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_processes_sigma.yml", + "Description": "Detects potential processes activity of DW Service RMM tool" } ], "References": [ - "https://www.remobo.com - DOA as of 2024" + "https://news.dwservice.net/dwservice-security-infrastructure/" ], "Acknowledgement": [] }, { - "Name": "ESET Remote Administrator", - "Description": "ESET Remote Administrator is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "NTR Remote", + "Description": "NTR Remote is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/26/2024", "Details": { "Website": "", "PEMetadata": { @@ -8318,11 +8837,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "era.exe", - "einstaller.exe", - "ezhelp*.exe", - "eratool.exe", - "ERAAgent.exe" + "NTRsupportPro_EN.exe" ] }, "Artifacts": { @@ -8333,8 +8848,7 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "eset.com/me/business/remote-management/remote-administrator/" + "*.ntrsupport.com" ], "Ports": [] } 
@@ -8342,25 +8856,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_network_sigma.yml", - "Description": "Detects potential network activity of ESET Remote Administrator RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ntr_remote_network_sigma.yml", + "Description": "Detects potential network activity of NTR Remote RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_processes_sigma.yml", - "Description": "Detects potential processes activity of ESET Remote Administrator RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ntr_remote_processes_sigma.yml", + "Description": "Detects potential processes activity of NTR Remote RMM tool" } ], "References": [ - "eset.com/me/business/remote-management/remote-administrator/" + "DOA as of 2024" ], "Acknowledgement": [] }, { - "Name": "BeyondTrust (Bomgar)", - "Description": "BeyondTrust (Bomgar) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "aws-cli", + "Description": "aws-cli is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -8375,11 +8889,50 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "bomgar-scc.exe", - "bomgar-rdp.exe", - "bomgar-scc-*.exe", - "bomgar-pac-*.exe", - "bomgar-pac.exe" + "C:\\Program Files\\Amazon\\AWSCLI\\*", + "*\\Amazon\\AWSCLI\\*", + "*\\AWSCLIV*.msi", + "*\\AWSCLISetup.exe" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aws-cli_processes_sigma.yml", + "Description": "Detects potential processes activity of aws-cli RMM tool" + } + ], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "TurboMeeting", + "Description": "TurboMeeting is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/14/2024", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "pcstarter.exe", + "turbomeeting.exe", + "turbomeetingstarter.exe" ] }, "Artifacts": { @@ -8390,9 +8943,8 @@ { "Description": "Known remote domains", "Domains": [ - "bomgarcloud.com", - "*.bomgarcloud.com", - "*.beyondtrustcloud.com" + "user_managed", + "acceo.com/turbomeeting/" ], "Ports": [] } 
@@ -8400,22 +8952,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__network_sigma.yml", - "Description": "Detects potential network activity of BeyondTrust (Bomgar) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/turbomeeting_network_sigma.yml", + "Description": "Detects potential network activity of TurboMeeting RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__processes_sigma.yml", - "Description": "Detects potential processes activity of BeyondTrust (Bomgar) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/turbomeeting_processes_sigma.yml", + "Description": "Detects potential processes activity of TurboMeeting RMM tool" } ], "References": [ - "https://www.beyondtrust.com/docs/remote-support/getting-started/deployment/cloud/network.htm" + "http://sourcing.rhubcom.com/v5/faqs.html#collapsetwentysix2-topdiv" ], "Acknowledgement": [] }, { - "Name": "Ultra VNC", - "Description": "Ultra VNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "RemoteUtilities", + "Description": "RemoteUtilities is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -8433,34 +8985,47 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files\\uvnc bvba\\UltraVNC\\*", - "*\\uvnc bvba\\UltraVNC\\*", - "*\\UVNC_Launch.exe", - "*\\winvnc.exe", - "*\\vncviewer.exe" + "rutview.exe", + "*\\Remote Manipulator System - Server\\*", + "C:\\Program Files\\Remote Utilities\\*", + "*\\Remote Utilities\\*", + "rutserv.exe", + "*\\rutserv.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "remoteutilities.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultra_vnc_processes_sigma.yml", - "Description": "Detects potential processes activity of Ultra VNC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteutilities_network_sigma.yml", + "Description": "Detects potential network activity of RemoteUtilities RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteutilities_processes_sigma.yml", + "Description": "Detects potential processes activity of RemoteUtilities RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "pcAnywhere", - "Description": "pcAnywhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "BeyondTrust (Bomgar)", + "Description": "BeyondTrust (Bomgar) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -8475,10 +9040,11 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "awhost32.exe", - "awrem32.exe", - "pcaquickconnect.exe", - "winaw32.exe" + "bomgar-scc.exe", + "bomgar-rdp.exe", + "bomgar-scc-*.exe", + "bomgar-pac-*.exe", + "bomgar-pac.exe" ] }, "Artifacts": { @@ -8489,7 +9055,9 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed" + "bomgarcloud.com", + "*.bomgarcloud.com", + "*.beyondtrustcloud.com" ], "Ports": [] } @@ -8497,22 +9065,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcanywhere_network_sigma.yml", - "Description": "Detects potential network activity of pcAnywhere RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__network_sigma.yml", + "Description": "Detects potential network activity of BeyondTrust (Bomgar) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcanywhere_processes_sigma.yml", - "Description": "Detects potential processes activity of pcAnywhere RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__processes_sigma.yml", + "Description": "Detects potential processes activity of BeyondTrust (Bomgar) RMM tool" } ], "References": [ - "https://en.wikipedia.org/wiki/PcAnywhere" + "https://www.beyondtrust.com/docs/remote-support/getting-started/deployment/cloud/network.htm" ], "Acknowledgement": [] }, { - "Name": "Remote.it", - "Description": "Remote.it is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Pulseway", + "Description": "Pulseway is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", 
@@ -8530,9 +9098,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "remote-it-installer.exe", - "remote.it.exe", - "remoteit.exe" + "PCMonitorManager.exe", + "pcmonitorsrv.exe" ] }, "Artifacts": { @@ -8543,9 +9110,7 @@ { "Description": "Known remote domains", "Domains": [ - "auth.api.remote.it", - "api.remote.it", - "remote.it" + "pulseway.com" ], "Ports": [] } @@ -8553,25 +9118,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote.it_network_sigma.yml", - "Description": "Detects potential network activity of Remote.it RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pulseway_network_sigma.yml", + "Description": "Detects potential network activity of Pulseway RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote.it_processes_sigma.yml", - "Description": "Detects potential processes activity of Remote.it RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pulseway_processes_sigma.yml", + "Description": "Detects potential processes activity of Pulseway RMM tool" } ], "References": [ - "https://docs.remote.it/introduction/get-started" + "https://intercom.help/pulseway/en/" ], "Acknowledgement": [] }, { - "Name": "Cruz", - "Description": "Cruz is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Panorama9", + "Description": "Panorama9 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -8585,7 +9150,9 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "p9agent*.exe" + ] }, "Artifacts": { "Disk": [], 
@@ -8595,7 +9162,9 @@ { "Description": "Known remote domains", "Domains": [ - "resources.doradosoftware.com/cruz-rmm" + "trusted.panorama9.com", + "changes.panorama9.com", + "panorama9.com" ], "Ports": [] } 
@@ -8603,438 +9172,382 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cruz_network_sigma.yml", - "Description": "Detects potential network activity of Cruz RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/panorama9_network_sigma.yml", + "Description": "Detects potential network activity of Panorama9 RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/panorama9_processes_sigma.yml", + "Description": "Detects potential processes activity of Panorama9 RMM tool" } ], - "References": [], + "References": [ + "https://support.panorama9.com/en/articles/1859605-what-ports-and-hosts-does-the-p9-agent-communicate-with" + ], "Acknowledgement": [] }, { - "Name": "Guacamole", - "Description": "Guacamole is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/8/2024", + "Name": "Atera", + "Description": "Atera is a remote monitoring and management (RMM) tool. 
It is used by threat actors to deploy ransomware or facilitate command execution and lateral movement.\n", + "Created": "2024/08/03", + "LastModified": "", "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], + "Website": "https://www.atera.com/", + "PEMetadata": [ + { + "Filename": "AteraAgent.exe", + "OriginalFileName": "AteraAgent.exe", + "Description": "AteraAgent" + } + ], + "Privileges": "SYSTEM", + "Free": "30 day trial", + "Verification": "None", + "SupportedOS": [ + "Windows", + "MacOS", + "Linux" + ], + "Capabilities": [ + "Integrated remote access with Splashtop and AnyDesk", + "Remote monitoring and management", + "Patch management", + "Network discovery", + "Backup and disaster recovery", + "Helpdesk and ticketing", + "Reporting and analytics", + "Billing and invoicing", + "Customer portal", + "Mobile app" + ], + "Vulnerabilities": [ + "CVE-2023-26078", + "CVE-2023-26077" + ], "InstallationPaths": [ - "guacd.exe" + "*\\AgentPackageNetworkDiscovery.exe", + "*\\AgentPackageTaskScheduler.exe", + "*\\ATERA Networks\\AteraAgent\\*", + "*\\AteraAgent.exe", + "atera_agent.exe", + "atera_agent.exe", + "ateraagent.exe", + "C:\\Program Files\\ATERA Networks\\AteraAgent\\*", + "C:\\Program Files\\Atera Networks", + "C:\\Program Files (x86)\\Atera Networks", + "syncrosetup.exe" ] }, "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], + "Disk": [ + { + "File": "C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageRunCommandInteractive\\log.txt", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\*", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe", + "Description": "Atera service binary", + "OS": "Windows" + }, 
+ { + "File": "C:\\Program Files\\Atera Networks\\AlphaAgent.exe", + "Description": "Atera service binary", + "OS": "Windows" + }, + { + "File": "C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageSTRemote\\AgentPackageSTRemote.exe", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageMonitoring\\AgentPackageMonitoring.exe", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageHeartbeat\\AgentPackageHeartbeat.exe", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageFileExplorer\\AgentPackageFileExplorer.exe", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageRunCommandInteractive\\AgentPackageRunCommandInteractive.exe", + "Description": "N/A", + "OS": "Windows" + } + ], + "EventLog": [ + { + "EventID": 7045, + "ProviderName": "Service Control Manager", + "LogFile": "System.evtx", + "ServiceName": "AteraAgent", + "ImagePath": "\"C:\\\\Program Files (x86)\\\\ATERA Networks\\\\AteraAgent\\\\AteraAgent.exe\"", + "Description": "Service installation event as result of AteraAgent installation." + }, + { + "EventID": 7045, + "ProviderName": "Service Control Manager", + "LogFile": "System.evtx", + "ServiceName": "WinRing0_1_2_0", + "ImagePath": "\"C:\\\\Program Files (x86)\\\\ATERA Networks\\\\AteraAgent\\\\Packages\\\\AgentPackageMonitoring\\\\OpenHardwareMonitorLib.sys\"", + "Description": "Service installation event as result of Atera pakcage manager installation." + }, + { + "EventID": 11707, + "ProviderName": "MsiInstaller", + "LogFile": "Application.evtx", + "Data": "Product: AteraAgent -- Installation completed successfully.", + "Description": "Service installation event as result of AteraAgent installation." 
+ }, + { + "EventID": 4688, + "ProviderName": "Microsoft-Security-Auditing", + "LogFile": "Security.evtx", + "CommandLine": "C:\\\\Program Files\\\\ATERA Networks\\\\AteraAgent\\\\Packages\\\\AgentPackageFileExplorer\\\\AgentPackageFileExplorer.exe XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX agent-api.atera.com/Production 443 [BASE64BLOB]", + "Description": "Service installation event as result of AteraAgent installation." + } + ], + "Registry": [ + { + "Path": "HKLM\\SOFTWARE\\ATERA Networks\\AlphaAgent", + "Description": null + }, + { + "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\AteraAgent", + "Description": null + }, + { + "Path": "KLM\\SOFTWARE\\WOW6432Node\\Splashtop Inc.", + "Description": null + }, + { + "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Splashtop Software Updater", + "Description": null + }, + { + "Path": "HKLM\\SYSTEM\\ControlSet\\Services\\EventLog\\Application\\AlphaAgent", + "Description": null + }, + { + "Path": "HKLM\\SYSTEM\\ControlSet\\Services\\EventLog\\Application\\AteraAgent", + "Description": null + }, + { + "Path": "HKLM\\SOFTWARE\\Microsoft\\Tracing\\AteraAgent_RASAPI32", + "Description": null + }, + { + "Path": "HKLM\\SOFTWARE\\Microsoft\\Tracing\\AteraAgent_RASMANCS", + "Description": null + }, + { + "Path": "HKLM\\SOFTWARE\\ATERA Networks\\*", + "Description": null + } + ], "Network": [ { - "Description": "Known remote domains", + "Description": "N/A", + "Domains": [ + "pubsub.atera.com" + ], + "Ports": [ + "N/A" + ] + }, + { + "Description": "N/A", + "Domains": [ + "pubsub.pubnub.com" + ], + "Ports": [ + "N/A" + ] + }, + { + "Description": "N/A", + "Domains": [ + "agentreporting.atera.com" + ], + "Ports": [ + "N/A" + ] + }, + { + "Description": "N/A", "Domains": [ - "user_managed", - "guacamole.apache.org" + "getalphacontrol.com" ], - "Ports": [] - } - ] - }, - "Detections": [ - { - "Sigma": 
"https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/guacamole_network_sigma.yml", - "Description": "Detects potential network activity of Guacamole RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/guacamole_processes_sigma.yml", - "Description": "Detects potential processes activity of Guacamole RMM tool" - } - ], - "References": [ - "guacamole.apache.org" - ], - "Acknowledgement": [] - }, - { - "Name": "Addigy", - "Description": "Addigy is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/27/2024", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "addigy-*.pkg" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [ + "Ports": [ + "N/A" + ] + }, { - "Description": "Known remote domains", + "Description": "N/A", "Domains": [ - "prod.addigy.com", - "grtmprod.addigy.com", - "agents.addigy.com" + "app.atera.com" ], - "Ports": [] - } - ] - }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/addigy_network_sigma.yml", - "Description": "Detects potential network activity of Addigy RMM tool" - } - ], - "References": [ - "https://addigy.com/" - ], - "Acknowledgement": [] - }, - { - "Name": "AeroAdmin", - "Description": "AeroAdmin is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/7/2024", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "aeroadmin.exe", - "AeroAdmin.exe" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [ + "Ports": [ + "N/A" + ] + }, { - "Description": "Known remote domains", + "Description": "N/A", "Domains": [ - "auth*.aeroadmin.com", - "aeroadmin.com" + "agenthb.atera.com" ], - "Ports": [] - } - ] - }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aeroadmin_network_sigma.yml", - "Description": "Detects potential network activity of AeroAdmin RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aeroadmin_processes_sigma.yml", - "Description": "Detects potential processes activity of AeroAdmin RMM tool" - } - ], - "References": [ - "https://support.aeroadmin.com/kb/faq.php?id=58" - ], - "Acknowledgement": [] - }, - { - "Name": "FleetDesk.io", - "Description": "FleetDesk.io is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/7/2024", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "fleetdeck_agent_svc.exe", - "fleetdeck_commander_svc.exe", - "fleetdeck_installer.exe", - "fleetdeck_agent.exe", - "fleetdeck_commander_launcher.exe" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [ + "Ports": [ + "N/A" + ] + }, { - "Description": "Known remote domains", + "Description": "N/A", "Domains": [ - "*.fleetdeck.io", - "cognito-idp.us-west-2.amazonaws.com", - "fleetdeck.io" + "packagesstore.blob.core.windows.net" ], - "Ports": [] - } - ] - }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdesk.io_network_sigma.yml", - "Description": "Detects potential network activity of FleetDesk.io RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdesk.io_processes_sigma.yml", - "Description": "Detects potential processes activity of FleetDesk.io RMM tool" - } - ], - "References": [ - "https://fleetdeck.io/faq/" - ], - "Acknowledgement": [] - }, - { - "Name": "Dameware-mini remote control Protocol", - "Description": "Dameware-mini remote control Protocol is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "dntus*.exe", - "dwrcs.exe" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [ + "Ports": [ + "N/A" + ] + }, + { + "Description": "N/A", + "Domains": [ + "ps.pndsn.com" + ], + "Ports": [ + "N/A" + ] + }, + { + "Description": "N/A", + "Domains": [ + "agent-api.atera.com" + ], + "Ports": [ + "N/A" + ] + }, + { + "Description": "N/A", + "Domains": [ + "cacerts.thawte.com" + ], + "Ports": [ + "N/A" + ] + }, { - "Description": "Known remote domains", + "Description": "N/A", "Domains": [ - "dameware.com" + "agentreportingstore.blob.core.windows.net" ], - "Ports": [] + "Ports": [ + "N/A" + ] + }, + { + "Description": "N/A", + "Domains": [ + "atera-agent-heartbeat.servicebus.windows.net" + ], + "Ports": [ + "N/A" + ] + }, + { + "Description": "N/A", + "Domains": [ + "ps.atera.com" + ], + "Ports": [ + "N/A" + ] + }, + { + "Description": "N/A", + "Domains": [ + "atera.pubnubapi.com" + ], + "Ports": [ + "N/A" + ] + }, + { + "Description": "N/A", + "Domains": [ + "appcdn.atera.com" + ], + "Ports": [ + "N/A" + ] } ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware-mini_remote_control_protocol_network_sigma.yml", - "Description": "Detects potential network activity of Dameware-mini remote control Protocol RMM tool" + "Sigma": "https://github.com/The-DFIR-Report/Sigma-Rules/blob/d67407d357ad32b247e2a303abc5a38bb30fd576/rules/windows/process_creation/proc_creation_win_ateraagent_malicious_installations.yml", + "Name": "AteraAgent malicious installations", + "Description": "Detects AteraAgent installations 
with suspicious command line arguments." }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware-mini_remote_control_protocol_processes_sigma.yml", - "Description": "Detects potential processes activity of Dameware-mini remote control Protocol RMM tool" - } - ], - "References": [], - "Acknowledgement": [] - }, - { - "Name": "Access Remote PC", - "Description": "Access Remote PC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/7/2024", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" + "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yml", + "Name": "Atera Agent Installation", + "Description": "Detects Atera Agent installation." }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "rpcgrab.exe", - "rpcsetup.exe" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [] - }, - "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/access_remote_pc_processes_sigma.yml", - "Description": "Detects potential processes activity of Access Remote PC RMM tool" - } - ], - "References": [], - "Acknowledgement": [] - }, - { - "Name": "Acronic Cyber Protect (Remotix)", - "Description": "Acronic Cyber Protect (Remotix) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/26/2024", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_registry_sigma.yml", + "Description": "Detects potential registry activity of Atera RMM tool" }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "AcronisCyberProtectConnectQuickAssist*.exe", - "AcronisCyberProtectConnectAgent.exe" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "cloud.acronis.com", - "agents*-cloud.acronis.com", - "gw.remotix.com", - "connect.acronis.com" - ], - "Ports": [] - } - ] - }, - "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/acronic_cyber_protect__remotix__network_sigma.yml", - "Description": "Detects potential network activity of Acronic Cyber Protect (Remotix) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_network_sigma.yml", + "Description": "Detects potential network activity of Atera RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/acronic_cyber_protect__remotix__processes_sigma.yml", - "Description": "Detects potential processes activity of Acronic Cyber Protect (Remotix) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_files_sigma.yml", + "Description": "Detects potential files activity of Atera RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_processes_sigma.yml", + "Description": "Detects potential processes activity of Atera RMM tool" } ], "References": [ - 
"https://kb.acronis.com/content/47189" + "https://support.atera.com/hc/en-us/articles/360015461139-Firewall-Settings-for-Atera-s-Integrations", + "https://support.atera.com/hc/en-us/articles/215955967-Troubleshoot-Atera-s-Windows-agent", + "https://support.atera.com/hc/en-us/articles/115015619747-Release-Notes-February-2018", + "https://thedfirreport.com/?s=ateraagent" ], - "Acknowledgement": [] - }, - { - "Name": "Instant Housecall", - "Description": "Instant Housecall is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/8/2024", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" + "Acknowledgement": [ + { + "Person": "Théo Letailleur", + "Handle": "in/theosyn" }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "hsloader.exe", - "InstantHousecall.exe", - "ihcserver.exe", - "instanthousecall.exe" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.instanthousecall.com", - "secure.instanthousecall.com", - "*.instanthousecall.net", - "instanthousecall.com" - ], - "Ports": [] - } - ] - }, - "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_network_sigma.yml", - "Description": "Detects potential network activity of Instant Housecall RMM tool" + "Person": "Nasreddine Bencherchali", + "Handle": "@nas_bench" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_processes_sigma.yml", - "Description": "Detects potential processes activity of Instant Housecall RMM tool" + "Person": "Kostas", + "Handle": "@kostastsale" } - ], - "References": [ - "https://instanthousecall.com/features/" - ], - 
"Acknowledgement": [] + ] }, { - "Name": "SkyFex", - "Description": "SkyFex is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "JollysFastVNC", + "Description": "JollysFastVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -9048,48 +9561,24 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "Deskroll.exe", - "DeskRollUA.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "skyfex.com", - "deskroll.com", - "*.deskroll.com" - ], - "Ports": [] - } - ] + "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/skyfex_network_sigma.yml", - "Description": "Detects potential network activity of SkyFex RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/skyfex_processes_sigma.yml", - "Description": "Detects potential processes activity of SkyFex RMM tool" - } - ], - "References": [ - "https://skyfex.com/" - ], + "Detections": [], + "References": [], "Acknowledgement": [] }, { - "Name": "PSEXEC", - "Description": "PSEXEC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "RunSmart", + "Description": "RunSmart is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -9103,10 +9592,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "psexec.exe", - "psexecsvc.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], @@ -9116,7 +9602,7 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed" + "runsmart.io" ], "Ports": [] } @@ -9124,25 +9610,19 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec_network_sigma.yml", - "Description": "Detects potential network activity of PSEXEC RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec_processes_sigma.yml", - "Description": "Detects potential processes activity of PSEXEC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/runsmart_network_sigma.yml", + "Description": "Detects potential network activity of RunSmart RMM tool" } ], - "References": [ - "https://learn.microsoft.com/en-us/sysinternals/downloads/psexec" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "MSP360", - "Description": "MSP360 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Chrome Remote Desktop", + "Description": "Chrome Remote Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -9157,17 +9637,11 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "Online Backup.exe", - "CBBackupPlan.exe", - "Cloud.Backup.Scheduler.exe", - "Cloud.Backup.RM.Service.exe", - "cbb.exe", - "CloudRaService.exe", - "CloudRaSd.exe", - "CloudRaCmd.exe", - "CloudRaUtilities.exe", - "Remote Desktop.exe", - "Connect.exe" + "remote_host.exe", + "remoting_host.exe", + "C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\*", + "*\\Google\\Chrome Remote Desktop\\*", + "*\\remoting_host.exe" ] }, "Artifacts": { @@ -9178,10 +9652,9 @@ { "Description": "Known remote domains", "Domains": [ - "*.cloudberrylab.com", - "*.msp360.com", - "*.mspbackups.com", - "msp360.com" + "*remotedesktop.google.com", + "*remotedesktop-pa.googleapis.com", + "remotedesktop.google.com" ], "Ports": [] } 
@@ -9189,25 +9662,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/msp360_network_sigma.yml", - "Description": "Detects potential network activity of MSP360 RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_network_sigma.yml", + "Description": "Detects potential network activity of Chrome Remote Desktop RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/msp360_processes_sigma.yml", - "Description": "Detects potential processes activity of MSP360 RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_processes_sigma.yml", + "Description": "Detects potential processes activity of Chrome Remote Desktop RMM tool" } ], "References": [ - "https://kb.msp360.com/managed-backup-service/mbs-tcp-ports-configuration#" + "https://support.google.com/chrome/a/answer/2799701?hl=en" ], "Acknowledgement": [] }, { - "Name": "SecureCRT", - "Description": "SecureCRT is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Netviewer (GoToMeet)", + "Description": "Netviewer (GoToMeet) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -9222,9 +9695,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\*\\SecureCRT.EXE", - "*\\SecureCRT.EXE", - "*\\VanDyke Software\\ClientPack\\*" + "nvClient.exe", + "netviewer.exe" ] }, "Artifacts": { 
@@ -9235,78 +9707,21 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/securecrt_processes_sigma.yml", - "Description": "Detects potential processes activity of SecureCRT RMM tool" - } - ], - "References": [], - "Acknowledgement": [] - }, - { - "Name": "VNC", - "Description": "VNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/14/2024", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "winvnc*.exe", - "vncserver.exe", - "winwvc.exe", - "winvncsc.exe", - "vncserverui.exe", - "vncviewer.exe", - "winvnc.exe" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "user_managed", - "realvnc.com/en/connect/download/vnc" - ], - "Ports": [] - } - ] - }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/vnc_network_sigma.yml", - "Description": "Detects potential network activity of VNC RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/vnc_processes_sigma.yml", - "Description": "Detects potential processes activity of VNC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer__gotomeet__processes_sigma.yml", + "Description": "Detects potential processes activity of Netviewer (GoToMeet) RMM tool" } ], "References": [ - "https://realvnc.com/en/connect/download/vnc" + "Obsolute - found copy here: https://www.enviolet.com/en/service/online-consultant.html" ], "Acknowledgement": [] }, { - "Name": "Panorama9", - "Description": "Panorama9 is a remote monitoring 
and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Netviewer", + "Description": "Netviewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -9321,7 +9736,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "p9agent*.exe" + "netviewer*.exe", + "netviewer.exe" ] }, "Artifacts": { @@ -9332,9 +9748,7 @@ { "Description": "Known remote domains", "Domains": [ - "trusted.panorama9.com", - "changes.panorama9.com", - "panorama9.com" + "download.cnet.com/Net-Viewer/3000-2370_4-10034828.html" ], "Ports": [] } 
@@ -9342,22 +9756,20 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/panorama9_network_sigma.yml", - "Description": "Detects potential network activity of Panorama9 RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer_network_sigma.yml", + "Description": "Detects potential network activity of Netviewer RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/panorama9_processes_sigma.yml", - "Description": "Detects potential processes activity of Panorama9 RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer_processes_sigma.yml", + "Description": "Detects potential processes activity of Netviewer RMM tool" } ], - "References": [ - "https://support.panorama9.com/en/articles/1859605-what-ports-and-hosts-does-the-p9-agent-communicate-with" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "FixMe", - "Description": "FixMe is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ConnectWise Control", + "Description": "ConnectWise Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -9375,12 +9787,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "FixMeit Client.exe", - "TiExpertStandalone.exe", - "FixMeitClient*.exe", - "TiExpertCore.exe", - "FixMeit Unattended Access Setup.exe", - "FixMeit Expert Setup.exe" + "connectwisechat-customer.exe", + "connectwisecontrol.client.exe" ] }, "Artifacts": { @@ -9391,7 +9799,7 @@ { "Description": "Known remote domains", "Domains": [ - "fixme.it" + "control.connectwise.com" ], "Ports": [] } 
@@ -9399,23 +9807,23 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme_network_sigma.yml", - "Description": "Detects potential network activity of FixMe RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_network_sigma.yml", + "Description": "Detects potential network activity of ConnectWise Control RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme_processes_sigma.yml", - "Description": "Detects potential processes activity of FixMe RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_processes_sigma.yml", + "Description": "Detects potential processes activity of ConnectWise Control RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "ISL Online", - "Description": "ISL Online is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ExtraPuTTY", + "Description": "ExtraPuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -9430,52 +9838,32 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "*\\ISLLight.exe", - "isllight.exe", - "ISLLightClient.exe", - "C:\\Program Files (x86)\\ISL Online\\ISL Light*", - "*\\ISL Online\\ISL Light*", - "ISLLight.exe", - "isllightservice.exe", - "islalwaysonmonitor.exe" + "C:\\Users\\*\\ExtraPuTTY-0.30-2016-01-28-installer.exe", + "*Users\\*\\ExtraPuTTY-0.30-2016-01-28-installer.exe", + "*\\ExtraPuTTY-0.30-2016-01-28-installer.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.islonline.com", - "*.islonline.net" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_network_sigma.yml", - "Description": "Detects potential network activity of ISL Online RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_processes_sigma.yml", - "Description": "Detects potential processes activity of ISL Online RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/extraputty_processes_sigma.yml", + "Description": "Detects potential processes activity of ExtraPuTTY RMM tool" } ], - "References": [ - "https://help.islonline.com/19818/165940" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "RES Automation Manager", - "Description": "RES Automation Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "FleetDeck", + "Description": "FleetDeck is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
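Review bot: in `@@ -9430,52 +9838,32 @@` all three ExtraPuTTY `InstallationPaths` pin a single installer build, `ExtraPuTTY-0.30-2016-01-28-installer.exe`, so the generated `extraputty_processes_sigma.yml` matches nothing but that one download and never the installed binary; use a version-agnostic pattern such as `*\\ExtraPuTTY*.exe` (and note that the `C:\\Users\\*\\...` and `*Users\\*\\...` forms are redundant once the leading `*\\` form is present). The templated `Description` also presents ExtraPuTTY as an RMM tool; the name and the absence of any `Network` artifact suggest a PuTTY-derived SSH client rather than an agent-based platform like FleetDeck in the next hunk, so if the catalogue intends to cover remote-access utilities broadly, a category field would let consumers of the JSON tell the two apart.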
@@ -9490,10 +9878,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "wisshell*.exe", - "wmc.exe", - "wmc_deployer.exe", - "wmcsvc.exe" + "fleetdeck_agent_svc.exe" ] }, "Artifacts": { @@ -9504,8 +9889,7 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "ivanti.com/" + "fleetdeck.io" ], "Ports": [] } @@ -9513,25 +9897,23 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/res_automation_manager_network_sigma.yml", - "Description": "Detects potential network activity of RES Automation Manager RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdeck_network_sigma.yml", + "Description": "Detects potential network activity of FleetDeck RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/res_automation_manager_processes_sigma.yml", - "Description": "Detects potential processes activity of RES Automation Manager RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdeck_processes_sigma.yml", + "Description": "Detects potential processes activity of FleetDeck RMM tool" } ], - "References": [ - "https://forums.ivanti.com/s/article/INFO-Which-ports-does-Ivanti-Automation-use?language=en_US&ui-force-components-controllers-recordGlobalValueProvider.RecordGvp.getRecord=1" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "rclone", - "Description": "rclone is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "HelpU", + "Description": "HelpU is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -9546,381 +9928,329 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "portable tool. No install path", - "portable tool. No install path", - "rclone*.zip", - "*\\rclone.exe" + "helpu_install.exe", + "HelpuUpdater.exe", + "HelpuManager.exe" ] }, "Artifacts": { "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [] - }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rclone_processes_sigma.yml", - "Description": "Detects potential processes activity of rclone RMM tool" - } - ], - "References": [], - "Acknowledgement": [] - }, - { - "Name": "Atera", - "Description": "Atera is a remote monitoring and management (RMM) tool. It is used by threat actors to deploy ransomware or facilitate command execution and lateral movement.\n", - "Created": "2024/08/03", - "LastModified": "", - "Details": { - "Website": "https://www.atera.com/", - "PEMetadata": [ - { - "Filename": "AteraAgent.exe", - "OriginalFileName": "AteraAgent.exe", - "Description": "AteraAgent" - } - ], - "Privileges": "SYSTEM", - "Free": "30 day trial", - "Verification": "None", - "SupportedOS": [ - "Windows", - "MacOS", - "Linux" - ], - "Capabilities": [ - "Integrated remote access with Splashtop and AnyDesk", - "Remote monitoring and management", - "Patch management", - "Network discovery", - "Backup and disaster recovery", - "Helpdesk and ticketing", - "Reporting and analytics", - "Billing and invoicing", - "Customer portal", - "Mobile app" - ], - "Vulnerabilities": [ - "CVE-2023-26078", - "CVE-2023-26077" - ], - "InstallationPaths": [ - "*\\AgentPackageNetworkDiscovery.exe", - "*\\AgentPackageTaskScheduler.exe", - "*\\ATERA Networks\\AteraAgent\\*", - "*\\AteraAgent.exe", - "atera_agent.exe", - "atera_agent.exe", - "ateraagent.exe", - "C:\\Program Files\\ATERA Networks\\AteraAgent\\*", - "C:\\Program Files\\Atera Networks", - "C:\\Program Files (x86)\\Atera Networks", - "syncrosetup.exe" - ] - }, - "Artifacts": { - "Disk": 
[ - { - "File": "C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageRunCommandInteractive\\log.txt", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\*", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe", - "Description": "Atera service binary", - "OS": "Windows" - }, - { - "File": "C:\\Program Files\\Atera Networks\\AlphaAgent.exe", - "Description": "Atera service binary", - "OS": "Windows" - }, - { - "File": "C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageSTRemote\\AgentPackageSTRemote.exe", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageMonitoring\\AgentPackageMonitoring.exe", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageHeartbeat\\AgentPackageHeartbeat.exe", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageFileExplorer\\AgentPackageFileExplorer.exe", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageRunCommandInteractive\\AgentPackageRunCommandInteractive.exe", - "Description": "N/A", - "OS": "Windows" - } - ], - "EventLog": [ - { - "EventID": 7045, - "ProviderName": "Service Control Manager", - "LogFile": "System.evtx", - "ServiceName": "AteraAgent", - "ImagePath": "\"C:\\\\Program Files (x86)\\\\ATERA Networks\\\\AteraAgent\\\\AteraAgent.exe\"", - "Description": "Service installation event as result of AteraAgent installation." 
- }, - { - "EventID": 7045, - "ProviderName": "Service Control Manager", - "LogFile": "System.evtx", - "ServiceName": "WinRing0_1_2_0", - "ImagePath": "\"C:\\\\Program Files (x86)\\\\ATERA Networks\\\\AteraAgent\\\\Packages\\\\AgentPackageMonitoring\\\\OpenHardwareMonitorLib.sys\"", - "Description": "Service installation event as result of Atera pakcage manager installation." - }, - { - "EventID": 11707, - "ProviderName": "MsiInstaller", - "LogFile": "Application.evtx", - "Data": "Product: AteraAgent -- Installation completed successfully.", - "Description": "Service installation event as result of AteraAgent installation." - }, - { - "EventID": 4688, - "ProviderName": "Microsoft-Security-Auditing", - "LogFile": "Security.evtx", - "CommandLine": "C:\\\\Program Files\\\\ATERA Networks\\\\AteraAgent\\\\Packages\\\\AgentPackageFileExplorer\\\\AgentPackageFileExplorer.exe XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX agent-api.atera.com/Production 443 [BASE64BLOB]", - "Description": "Service installation event as result of AteraAgent installation." 
- } - ], - "Registry": [ - { - "Path": "HKLM\\SOFTWARE\\ATERA Networks\\AlphaAgent", - "Description": null - }, - { - "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\AteraAgent", - "Description": null - }, - { - "Path": "KLM\\SOFTWARE\\WOW6432Node\\Splashtop Inc.", - "Description": null - }, - { - "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Splashtop Software Updater", - "Description": null - }, - { - "Path": "HKLM\\SYSTEM\\ControlSet\\Services\\EventLog\\Application\\AlphaAgent", - "Description": null - }, - { - "Path": "HKLM\\SYSTEM\\ControlSet\\Services\\EventLog\\Application\\AteraAgent", - "Description": null - }, - { - "Path": "HKLM\\SOFTWARE\\Microsoft\\Tracing\\AteraAgent_RASAPI32", - "Description": null - }, - { - "Path": "HKLM\\SOFTWARE\\Microsoft\\Tracing\\AteraAgent_RASMANCS", - "Description": null - }, - { - "Path": "HKLM\\SOFTWARE\\ATERA Networks\\*", - "Description": null - } - ], - "Network": [ - { - "Description": "N/A", - "Domains": [ - "pubsub.atera.com" - ], - "Ports": [ - "N/A" - ] - }, - { - "Description": "N/A", - "Domains": [ - "pubsub.pubnub.com" - ], - "Ports": [ - "N/A" - ] - }, - { - "Description": "N/A", - "Domains": [ - "agentreporting.atera.com" - ], - "Ports": [ - "N/A" - ] - }, - { - "Description": "N/A", - "Domains": [ - "getalphacontrol.com" - ], - "Ports": [ - "N/A" - ] - }, - { - "Description": "N/A", - "Domains": [ - "app.atera.com" - ], - "Ports": [ - "N/A" - ] - }, - { - "Description": "N/A", - "Domains": [ - "agenthb.atera.com" - ], - "Ports": [ - "N/A" - ] - }, - { - "Description": "N/A", - "Domains": [ - "packagesstore.blob.core.windows.net" - ], - "Ports": [ - "N/A" - ] - }, + "EventLog": [], + "Registry": [], + "Network": [ { - "Description": "N/A", + "Description": "Known remote domains", "Domains": [ - "ps.pndsn.com" + "helpu.co.kr", + "*.helpu.co.kr" ], - "Ports": [ - "N/A" - ] - }, + "Ports": [] + } + ] + }, + "Detections": [ + { + "Sigma": 
"https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpu_network_sigma.yml", + "Description": "Detects potential network activity of HelpU RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpu_processes_sigma.yml", + "Description": "Detects potential processes activity of HelpU RMM tool" + } + ], + "References": [ + "https://helpu.co.kr/" + ], + "Acknowledgement": [] + }, + { + "Name": "ESET Remote Administrator", + "Description": "ESET Remote Administrator is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/7/2024", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "einstaller.exe", + "era.exe", + "ERAAgent.exe", + "ezhelp*.exe", + "eratool.exe" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [ { - "Description": "N/A", + "Description": "Known remote domains", "Domains": [ - "agent-api.atera.com" + "user_managed", + "eset.com/me/business/remote-management/remote-administrator/" ], - "Ports": [ - "N/A" - ] - }, + "Ports": [] + } + ] + }, + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_network_sigma.yml", + "Description": "Detects potential network activity of ESET Remote Administrator RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_processes_sigma.yml", + "Description": "Detects potential processes activity of ESET Remote Administrator RMM tool" + } + ], + "References": [ + "eset.com/me/business/remote-management/remote-administrator/" + ], + "Acknowledgement": [] + }, + { + "Name": 
"ToDesk", + "Description": "ToDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/14/2024", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "todesk.exe", + "ToDesk_Service.exe", + "ToDesk_Setup.exe" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [ { - "Description": "N/A", + "Description": "Known remote domains", "Domains": [ - "cacerts.thawte.com" + "todesk.com", + "*.todesk.com", + "*.todesk.com", + "todesktop.com" ], - "Ports": [ - "N/A" - ] - }, + "Ports": [] + } + ] + }, + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/todesk_network_sigma.yml", + "Description": "Detects potential network activity of ToDesk RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/todesk_processes_sigma.yml", + "Description": "Detects potential processes activity of ToDesk RMM tool" + } + ], + "References": [ + "https://www.todesk.com/" + ], + "Acknowledgement": [] + }, + { + "Name": "Distant Desktop", + "Description": "Distant Desktop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/8/2024", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "ddsystem.exe", + "dd.exe", + "distant-desktop.exe" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [ { - "Description": "N/A", + "Description": "Known remote domains", "Domains": [ - "agentreportingstore.blob.core.windows.net" + "*.distantdesktop.com", + "*signalserver.xyz" ], - "Ports": [ - "N/A" - ] + "Ports": [] + } + ] + }, + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_network_sigma.yml", + "Description": "Detects potential network activity of Distant Desktop RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_processes_sigma.yml", + "Description": "Detects potential processes activity of Distant Desktop RMM tool" + } + ], + "References": [ + "https://www.distantdesktop.com/manual/first-start.htm" + ], + "Acknowledgement": [] + }, + { + "Name": "RAdmin", + "Description": "RAdmin is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.\n", + "Author": "Nasreddine Bencherchali", + "Created": "2024-08-05", + "LastModified": "2024-08-05", + "Details": { + "Website": "https://www.radmin.com/", + "PEMetadata": [ + { + "Filename": "RServer3.exe", + "OriginalFileName": "RServer3.exe", + "InternalName": "RServer3", + "Description": "Radmin Server", + "Product": "Radmin Server", + "Comments": "Radmin - Remote Control Server" }, { - "Description": "N/A", - "Domains": [ - "atera-agent-heartbeat.servicebus.windows.net" - ], - "Ports": [ - "N/A" - ] + "Filename": "Radmin.exe", + "OriginalFileName": "Radmin.exe", + "InternalName": "Radmin", + "Description": "Radmin Viewer", + "Product": "Radmin Viewer", + "Comments": "Radmin Viewer" + } + ], + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [ + "Windows" + ], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "C:\\Program Files (x86)\\Radmin Viewer 3\\Radmin.exe", + "C:\\Windows\\SysWOW64\\rserver30\\rserver3.exe", + "C:\\Windows\\SysWOW64\\rserver30\\FamItrfc", + "C:\\Windows\\SysWOW64\\rserver30\\FamItrf2" + ] + }, + "Artifacts": { + "Disk": [ + { + "File": "C:\\Windows\\SysWOW64\\rserver30\\Radm_log.htm", + "Description": "RAdmin log file (32-bit)", + "OS": "Windows" }, { - "Description": "N/A", - "Domains": [ - "ps.atera.com" - ], - "Ports": [ - "N/A" - ] + "File": "C:\\Windows\\System32\\rserver30\\Radm_log.htm", + "Description": "RAdmin log file (64-bit)", + "OS": "Windows" }, { - "Description": "N/A", - "Domains": [ - "atera.pubnubapi.com" - ], - "Ports": [ - "N/A" - ] + "File": "C:\\Windows\\System32\\rserver30\\CHATLOGS\\*\\*.htm", + "Description": "RAdmin chat logs", + "OS": "Windows" }, + { + "File": "C:\\Users\\*\\Documents\\ChatLogs\\*\\*.htm", + "Description": "RAdmin user chat logs", + "OS": "Windows" + } + ], + "EventLog": [], + "Registry": [ + { + "Path": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Radmin\\v3.0\\Server\\Parameters\\Radmin 
Security", + "Description": "N/A" + } + ], + "Network": [ { "Description": "N/A", "Domains": [ - "appcdn.atera.com" + "radmin.com" ], "Ports": [ - "N/A" + 443 ] } ] }, "Detections": [ { - "Sigma": "https://github.com/The-DFIR-Report/Sigma-Rules/blob/d67407d357ad32b247e2a303abc5a38bb30fd576/rules/windows/process_creation/proc_creation_win_ateraagent_malicious_installations.yml", - "Name": "AteraAgent malicious installations", - "Description": "Detects AteraAgent installations with suspicious command line arguments." + "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_pua_radmin.yml", + "Description": "PUA - Radmin Viewer Utility Execution" }, { - "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yml", - "Name": "Atera Agent Installation", - "Description": "Detects Atera Agent installation." 
+ "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml", + "Description": "Enumeration for 3rd Party Creds From CLI" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_registry_sigma.yml", - "Description": "Detects potential registry activity of Atera RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_registry_sigma.yml", + "Description": "Detects potential registry activity of RAdmin RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_network_sigma.yml", - "Description": "Detects potential network activity of Atera RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_network_sigma.yml", + "Description": "Detects potential network activity of RAdmin RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_files_sigma.yml", - "Description": "Detects potential files activity of Atera RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_files_sigma.yml", + "Description": "Detects potential files activity of RAdmin RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_processes_sigma.yml", - "Description": "Detects potential processes activity of Atera RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_processes_sigma.yml", + "Description": "Detects potential processes activity of RAdmin RMM tool" } ], "References": [ - "https://support.atera.com/hc/en-us/articles/360015461139-Firewall-Settings-for-Atera-s-Integrations", - "https://support.atera.com/hc/en-us/articles/215955967-Troubleshoot-Atera-s-Windows-agent", - 
"https://support.atera.com/hc/en-us/articles/115015619747-Release-Notes-February-2018", - "https://thedfirreport.com/?s=ateraagent" + "https://radmin-club.com/radmin/how-to-establish-a-connection-outside-of-lan/", + "https://helpdesk.radmin.com/radmin3help/", + "https://helpdesk.radmin.com/radmin3help/files/viewercmd.htm", + "https://helpdesk.radmin.com/radmin3help/files/cmd.htm" ], "Acknowledgement": [ - { - "Person": "Théo Letailleur", - "Handle": "in/theosyn" - }, { "Person": "Nasreddine Bencherchali", "Handle": "@nas_bench" - }, - { - "Person": "Kostas", - "Handle": "@kostastsale" } ] }, @@ -9980,11 +10310,11 @@ "Acknowledgement": [] }, { - "Name": "Level.io", - "Description": "Level.io is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Centurion", + "Description": "Centurion is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -9999,9 +10329,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "level-windows-amd64.exe", - "level.exe", - "level-remote-control-ffmpeg.exe" + "ctiserv.exe" ] }, "Artifacts": { @@ -10012,8 +10340,7 @@ { "Description": "Known remote domains", "Domains": [ - "level.io", - "*.level.io" + "centuriontech.com" ], "Ports": [] } 
@@ -10021,25 +10348,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_network_sigma.yml", - "Description": "Detects potential network activity of Level.io RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centurion_network_sigma.yml", + "Description": "Detects potential network activity of Centurion RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_processes_sigma.yml", - "Description": "Detects potential processes activity of Level.io RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centurion_processes_sigma.yml", + "Description": "Detects potential processes activity of Centurion RMM tool" } ], "References": [ - "https://docs.level.io/1.0/admin-guides/troubleshooting-agent-issues" + "https://data443.atlassian.net/servicedesk/customer/portal/20" ], "Acknowledgement": [] }, { - "Name": "Tactical RMM", - "Description": "Tactical RMM is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "KickIdler", + "Description": "KickIdler is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -10054,8 +10381,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "tacticalrmm.exe", - "tacticalrmm.exe" + "grabberEM.*msi", + "grabberTT*.msi" ] }, "Artifacts": { @@ -10066,9 +10393,8 @@ { "Description": "Known remote domains", "Domains": [ - "login.tailscale.com", - "login.tailscale.com", - "docs.tacticalrmm.com" + "kickidler.com", + "my.kickidler.com" ], "Ports": [] } 
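Review bot: `"grabberEM.*msi"` in `@@ -10054,8 +10381,8 @@` mixes a regex-style `.*` with the glob form used by its sibling `"grabberTT*.msi"`; read as a glob it demands a literal `.` immediately after `grabberEM`, so a file named `grabberEM_setup.msi` or `grabberEM-1.2.msi` would not match. Change it to `grabberEM*.msi`, and consider having the generator reject patterns containing `.*` so the two syntaxes cannot be mixed again. Since both KickIdler entries are installer names rather than running processes, emitting only `kickidler_network_sigma.yml` in the following hunk is consistent; if a process rule is wanted, the installed agent binaries would need to be added first.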
@@ -10076,25 +10402,21 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tactical_rmm_network_sigma.yml", - "Description": "Detects potential network activity of Tactical RMM RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tactical_rmm_processes_sigma.yml", - "Description": "Detects potential processes activity of Tactical RMM RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kickidler_network_sigma.yml", + "Description": "Detects potential network activity of KickIdler RMM tool" } ], "References": [ - "docs.tacticalrmm.com" + "https://www.kickidler.com/for-it/faq/" ], "Acknowledgement": [] }, { - "Name": "Fortra", - "Description": "Fortra is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Syncro", + "Description": "Syncro is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/13/2024", "Details": { "Website": "", "PEMetadata": { @@ -10108,7 +10430,18 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "Syncro.Installer.exe", + "Kabuto.App.Runner.exe", + "Syncro.Overmind.Service.exe", + "Kabuto.Installer.exe", + "KabutoSetup.exe", + "Syncro.Service.exe", + "Kabuto.Service.Runner.exe", + "Syncro.App.Runner.exe", + "SyncroLive.Service.exe", + "SyncroLive.Agent.exe" + ] }, "Artifacts": { "Disk": [], @@ -10118,7 +10451,17 @@ { "Description": "Known remote domains", "Domains": [ - "fortra.com" + "kabuto.io", + "*.syncromsp.com", + "*.syncroapi.com", + "syncromsp.com", + "servably.com", + "ld.aurelius.host", + "app.kabuto.io ", + "*.kabutoservices.com", + "repairshopr.com", + "kabutoservices.com", + "attachments.servably.com" ], "Ports": [] } 
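Review bot: `"app.kabuto.io "` in the Syncro `Domains` list of `@@ -10118,7 +10451,17 @@` carries a trailing space, so the value will never equal a hostname seen in DNS or TLS telemetry and that host silently falls out of `syncro_network_sigma.yml`. Strip it here, and make the generator trim and reject domain strings containing whitespace so the CSV and JSON outputs cannot carry the defect again. The list also mixes bare apex domains (`kabuto.io`, `kabutoservices.com`) with their own wildcard forms (`*.kabutoservices.com`); that is harmless for matching but worth deduplicating if the generated rule uses suffix semantics.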
@@ -10126,21 +10469,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fortra_network_sigma.yml", - "Description": "Detects potential network activity of Fortra RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncro_network_sigma.yml", + "Description": "Detects potential network activity of Syncro RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncro_processes_sigma.yml", + "Description": "Detects potential processes activity of Syncro RMM tool" } ], "References": [ - "https://www.fortra.com - No free/cloud RMM softwars listed" + "https://community.syncromsp.com/t/syncro-exceptions-and-allowlists/2004" ], "Acknowledgement": [] }, { - "Name": "Sorillus", - "Description": "Sorillus is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "AweRay", + "Description": "AweRay is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -10155,8 +10502,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "Sorillus-Launcher*.exe", - "Sorillus Launcher.exe" + "aweray_remote*.exe", + "AweSun.exe" ] }, "Artifacts": { @@ -10167,8 +10514,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.sorillus.com", - "sorillus.com" + "asapi*.aweray.net", + "client-api.aweray.com" ], "Ports": [] } 
@@ -10176,25 +10523,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sorillus_network_sigma.yml", - "Description": "Detects potential network activity of Sorillus RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray_network_sigma.yml", + "Description": "Detects potential network activity of AweRay RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sorillus_processes_sigma.yml", - "Description": "Detects potential processes activity of Sorillus RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray_processes_sigma.yml", + "Description": "Detects potential processes activity of AweRay RMM tool" } ], "References": [ - "https://sorillus.com/" + "https://sun.aweray.com/help" ], "Acknowledgement": [] }, { - "Name": "RemoteCall", - "Description": "RemoteCall is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "SunLogin", + "Description": "SunLogin is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/26/2024", "Details": { "Website": "", "PEMetadata": { @@ -10209,13 +10556,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "rcengmgru.exe", - "rcmgrsvc.exe", - "rxstartsupport.exe", - "rcstartsupport.exe", - "raautoup.exe", - "agentu.exe", - "remotesupportplayeru.exe" + "OrayRemoteShell.exe", + "OrayRemoteService.exe", + "sunlogin*.exe" ] }, "Artifacts": { @@ -10226,9 +10569,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.remotecall.com", - "*.startsupport.com", - "remotecall.com" + "sunlogin.oray.com", + "client.oray.net" ], "Ports": [] } 
@@ -10236,25 +10578,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotecall_network_sigma.yml", - "Description": "Detects potential network activity of RemoteCall RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sunlogin_network_sigma.yml", + "Description": "Detects potential network activity of SunLogin RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotecall_processes_sigma.yml", - "Description": "Detects potential processes activity of RemoteCall RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sunlogin_processes_sigma.yml", + "Description": "Detects potential processes activity of SunLogin RMM tool" } ], "References": [ - "https://help.remotecall.com/hc/en-us/articles/360005128814--RemoteCall-Server-List-For-Firewall" + "https://sunlogin.oray.com/en/embed/software.html" ], "Acknowledgement": [] }, { - "Name": "Laplink Everywhere", - "Description": "Laplink Everywhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Koofr", + "Description": "Koofr is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -10268,49 +10610,21 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "laplink.exe", - "laplink-everywhere-setup*.exe", - "laplinkeverywhere.exe", - "llrcservice.exe", - "serverproxyservice.exe", - "OOSysAgent.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "everywhere.laplink.com", - "le.laplink.com", - "atled.syspectr.com" - ], - "Ports": [] - } - ] + "EventLog": [], + "Registry": [], + "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_everywhere_network_sigma.yml", - "Description": "Detects potential network activity of Laplink Everywhere RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_everywhere_processes_sigma.yml", - "Description": "Detects potential processes activity of Laplink Everywhere RMM tool" - } - ], - "References": [ - "https://everywhere.laplink.com/docs" - ], + "Detections": [], + "References": [], "Acknowledgement": [] }, { - "Name": "MEGAsync", - "Description": "MEGAsync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "SysAid", + "Description": "SysAid is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -10328,12 +10642,10 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Users\\*\\AppData\\Local\\MEGAsync\\*", - "*Users\\*\\AppData\\Local\\MEGAsync\\*", - "*Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*", - "*ProgramData\\MEGAsync\\*", - "*\\MEGAsyncSetup64.exe", - "*\\MEGAupdater.exe" + "C:\\Program Files\\SysAidServer\\*", + "*\\SysAidServer\\*", + "*\\SysAid\\*", + "*\\IliAS.exe" ] }, "Artifacts": { 
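Review bot: the Koofr record introduced in `@@ -10268,49 +10610,21 @@` has empty `InstallationPaths`, `Network`, `Detections` and `References`, yet carries the boilerplate `Description` claiming it is a remote monitoring and management tool; publishing it to `public/api/rmm_tools.json` hands downstream consumers a name with nothing to detect or verify, and the same text is attached to SmarTTY and SysAid in the neighbouring hunks. Either hold records back until they have at least one artifact or detection, or emit a status field so an empty stub is distinguishable from a researched entry. Separately, the Laplink Everywhere data removed in this hunk (six paths, three domains, two Sigma links and a reference) should be confirmed to reappear elsewhere in the regenerated file rather than being lost in the reorder.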
@@ -10344,8 +10656,8 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/megasync_processes_sigma.yml", - "Description": "Detects potential processes activity of MEGAsync RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sysaid_processes_sigma.yml", + "Description": "Detects potential processes activity of SysAid RMM tool" } ], "References": [], @@ -10406,11 +10718,11 @@ "Acknowledgement": [] }, { - "Name": "Distant Desktop", - "Description": "Distant Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "SmarTTY", + "Description": "SmarTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -10425,44 +10737,29 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "distant-desktop.exe", - "dd.exe", - "ddsystem.exe" + "c:\\Program Files (x86)\\Sysprogs\\SmarTTY\\*", + "*\\Sysprogs\\SmarTTY\\*", + "*\\SmarTTY.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.distantdesktop.com", - "*signalserver.xyz" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_network_sigma.yml", - "Description": "Detects potential network activity of Distant Desktop RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_processes_sigma.yml", - "Description": "Detects potential processes activity of Distant Desktop RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/smartty_processes_sigma.yml", + "Description": "Detects potential processes activity of SmarTTY RMM tool" } ], - "References": [ - "https://www.distantdesktop.com/manual/first-start.htm" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "rsync", - "Description": "rsync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Impero Connect", + "Description": "Impero Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -10479,24 +10776,43 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "ImperoClientSVC.exe" + ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "imperosoftware.com" + ], + "Ports": [] + } + ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/impero_connect_network_sigma.yml", + "Description": "Detects potential network activity of Impero Connect RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/impero_connect_processes_sigma.yml", + "Description": "Detects potential processes activity of Impero Connect RMM tool" + } + ], "References": [], "Acknowledgement": [] }, { - "Name": "Anyplace Control", - "Description": "Anyplace Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "247ithelp.com (ConnectWise)", + "Description": "247ithelp.com (ConnectWise) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -10511,7 +10827,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "apc_host.exe" + "Remote Workforce Client.exe" ] }, "Artifacts": { @@ -10522,7 +10838,7 @@ { "Description": "Known remote domains", "Domains": [ - "anyplace-control.com" + "*.247ithelp.com" ], "Ports": [] } 
@@ -10530,25 +10846,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyplace_control_network_sigma.yml", - "Description": "Detects potential network activity of Anyplace Control RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/247ithelp.com__connectwise__network_sigma.yml", + "Description": "Detects potential network activity of 247ithelp.com (ConnectWise) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyplace_control_processes_sigma.yml", - "Description": "Detects potential processes activity of Anyplace Control RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/247ithelp.com__connectwise__processes_sigma.yml", + "Description": "Detects potential processes activity of 247ithelp.com (ConnectWise) RMM tool" } ], "References": [ - "http://www.anyplace-control.com/anyplace-control/help/faq.htm" + "Similar / replaced by ScreenConnect" ], "Acknowledgement": [] }, { - "Name": "JollysFastVNC", - "Description": "JollysFastVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Remobo", + "Description": "Remobo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -10562,21 +10878,45 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "remobo.exe", + "remobo_client.exe", + "remobo_tracker.exe" + ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "user_managed", + "remobo.en.softonic.com" + ], + "Ports": [] + } + ] }, - "Detections": [], - "References": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remobo_network_sigma.yml", + "Description": "Detects potential network activity of Remobo RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remobo_processes_sigma.yml", + "Description": "Detects potential processes activity of Remobo RMM tool" + } + ], + "References": [ + "https://www.remobo.com - DOA as of 2024" + ], "Acknowledgement": [] }, { - "Name": "ExtraPuTTY", - "Description": "ExtraPuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "CloudFuze", + "Description": "CloudFuze is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -10593,11 +10933,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\Users\\*\\ExtraPuTTY-0.30-2016-01-28-installer.exe", - "*Users\\*\\ExtraPuTTY-0.30-2016-01-28-installer.exe", - "*\\ExtraPuTTY-0.30-2016-01-28-installer.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], 
@@ -10605,21 +10941,16 @@ "Registry": [], "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/extraputty_processes_sigma.yml", - "Description": "Detects potential processes activity of ExtraPuTTY RMM tool" - } - ], + "Detections": [], "References": [], "Acknowledgement": [] }, { - "Name": "rdpwrap", - "Description": "rdpwrap is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Free Tools Launcher", + "Description": "Free Tools Launcher is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -10634,47 +10965,26 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "RDPWInst.exe", - "RDPCheck.exe", - "RDPConf.exe" + "C:\\Program Files\\ManageEngine\\ManageEngine Free Tools\\Launcher\\*", + "*\\ManageEngine\\*" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "user_managed", - "github.com/stascorp/rdpwrap" - ], - "Ports": [] - } - ] + "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpwrap_network_sigma.yml", - "Description": "Detects potential network activity of rdpwrap RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpwrap_processes_sigma.yml", - "Description": "Detects potential processes activity of rdpwrap RMM tool" - } - ], - "References": [ - "github.com/stascorp/rdpwrap" - ], + "Detections": [], + "References": [], "Acknowledgement": [] }, { - "Name": "N-ABLE Remote Access Software", - "Description": "N-ABLE Remote Access Software is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Echoware", + "Description": "Echoware is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -10688,37 +10998,32 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "echoserver*.exe", + "echoware.dll" + ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "n-able.com" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_remote_access_software_network_sigma.yml", - "Description": "Detects potential network activity of N-ABLE Remote Access Software RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/echoware_processes_sigma.yml", + "Description": "Detects potential processes activity of Echoware RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "Google Drive", - "Description": "Google Drive is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Zoho Assist", + "Description": "Zoho Assist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -10733,31 +11038,62 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files\\Google\\Drive File Stream\\*", - "*\\Google\\Drive File Stream\\*", - "*Users\\*\\AppData\\*\\Google\\DriveFS*", - "G:\\My Drive*", - "*\\GoogleDriveFS.exe" + "zaservice.exe", + "ZMAgent.exe", + "C:\\*\\ZA_Access.exe", + "ZohoMeeting.exe", + "Zohours.exe", + "zohotray.exe", + "ZohoURSService.exe", + "*\\ZA_Access.exe", + "Zaservice.exe", + "za_connect.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.zoho.com.au", + "*.zohoassist.jp", + "assist.zoho.com", + "zoho.com/assist/", + "*.zoho.in", + "downloads.zohodl.com.cn", + "*.zohoassist.com", + "downloads.zohocdn.com", + "gateway.zohoassist.com", + "*.zohoassist.com.cn", + "*.zoho.com.cn", + "*.zoho.com", + "*.zoho.eu" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/google_drive_processes_sigma.yml", - "Description": "Detects potential processes activity of Google Drive RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoho_assist_network_sigma.yml", + "Description": "Detects potential network activity of Zoho Assist RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoho_assist_processes_sigma.yml", + "Description": "Detects potential processes activity of Zoho Assist RMM tool" } ], - "References": [], + "References": [ + "https://www.zoho.com/assist/kb/firewall-configuration.html" + ], "Acknowledgement": [] }, { - "Name": "Solar-PuTTY", - "Description": "Solar-PuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "KiTTY", + "Description": "KiTTY is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -10775,9 +11111,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files\\Solar-Putty-v4\\*", - "*\\Solar-Putty-v4\\*", - "*\\Solar-PuTTY.exe" + "C:\\*\\kitty.exe", + "*\\kitty.exe" ] }, "Artifacts": { 
@@ -10788,306 +11123,107 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/solar-putty_processes_sigma.yml", - "Description": "Detects potential processes activity of Solar-PuTTY RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kitty_processes_sigma.yml", + "Description": "Detects potential processes activity of KiTTY RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "TeamViewer", - "Description": "TeamViewer is a remote monitoring and management (RMM) tool.\n", - "Author": "Nasreddine Bencherchali, Michael Haag", - "Created": "2024-08-02", - "LastModified": "2024-08-02", - "Details": { - "Website": "https://www.teamviewer.com/en", - "PEMetadata": [ - { - "Filename": "TeamViewer.exe", - "OriginalFileName": "", - "Description": "", - "Product": "TeamViewer" - } - ], - "Privileges": "user", - "Free": true, - "Verification": false, - "SupportedOS": [ - "Android", - "ChromeOS", - "IOS", - "Linux", - "Mac", - "Windows" - ], - "Capabilities": [], - "Vulnerabilities": [ - "https://www.cvedetails.com/vulnerability-list/vendor_id-11100/product_id-19942/Teamviewer-Teamviewer.html" - ], - "InstallationPaths": [ - "C:\\Program Files\\TeamViewer\\", - "teamviewer_desktop.exe", - "teamviewer_service.exe", - "teamviewerhost" - ] - }, - "Artifacts": { - "Disk": [ - { - "File": "C:\\Users\\\\AppData\\Local\\Temp\\TeamViewer\\TV15Install.log", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "TeamViewer\\d\\d_Logfile\\.log", - "Description": "N/A", - "OS": "Windows", - "Type": "Regex" - }, - { - "File": "C:\\Program Files\\TeamViewer\\Connections_incoming.txt", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Program Files\\TeamViewer\\TVNetwork.log", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "%LOCALAPPDATA%\\Temp\\TeamViewer\\TV15Install.log", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": 
"%APPDATA%\\\\TeamViewer\\\\TeamViewer\\d\\d_Logfile\\.log", - "Description": "N/A", - "OS": "Windows", - "Type": "Regex" - }, - { - "File": "teamviewerqs.exe", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "tv_w32.exe", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "tv_w64.exe", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "tv_x64.exe", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "teamviewer.exe", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "teamviewer_service.exe", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "%LOCALAPPDATA%\\TeamViewer\\Database\\tvchatfilecache.db", - "Description": "SQlite 3 database storing cache about TeamViewer chat", - "OS": "Windows" - }, - { - "File": "%LOCALAPPDATA%\\TeamViewer\\RemotePrinting\\tvprint.db", - "Description": "SQlite 3 database storing TeamViewer print jobs", - "OS": "Windows" - }, - { - "File": "%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\TeamViewer.lnk", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Program Files*\\TeamViewer\\connections*.txt", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Users\\*\\AppData\\Roaming\\TeamViewer\\MRU\\RemoteSupport\\*tvc", - "Description": "N/A", - "OS": "Windows" - } - ], - "EventLog": [ - { - "EventID": 7045, - "ProviderName": "Service Control Manager", - "LogFile": "System.evtx", - "ServiceName": "TeamViewer", - "ImagePath": "\"C:\\\\Program Files\\\\TeamViewer\\\\TeamViewer_Service.exe\"", - "Description": "Service installation event as result of TeamViewer installation." 
- } - ], - "Registry": [ - { - "Path": "HKLM\\SOFTWARE\\TeamViewer\\*", - "Description": "N/A" - }, - { - "Path": "HKU\\\\SOFTWARE\\TeamViewer\\*", - "Description": "N/A" - }, - { - "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\TeamViewer\\*", - "Description": "N/A" - }, - { - "Path": "HKLM\\SOFTWARE\\TeamViewer\\ConnectionHistory", - "Description": "N/A" - }, - { - "Path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\TeamViewer\\*", - "Description": "N/A" - }, - { - "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\MainWindowHandle", - "Description": "N/A" - }, - { - "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImage", - "Description": "N/A" - }, - { - "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImagePath", - "Description": "N/A" - }, - { - "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImagePosition", - "Description": "N/A" - }, - { - "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\MinimizeToTray", - "Description": "N/A" - }, - { - "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioUserSelectedCapturingEndpoint", - "Description": "N/A" - }, - { - "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioSendingVolumeV2", - "Description": "N/A" - }, - { - "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioUserSelectedRenderingEndpoint", - "Description": "N/A" - }, - { - "Path": "HKLM\\SOFTWARE\\TeamViewer\\ConnectionHistory", - "Description": "N/A" - }, - { - "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\ClientWindow_Mode", - "Description": "N/A" - }, - { - "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\ClientWindowPositions", - "Description": "N/A" - } - ], + "Name": "Proton Drive", + "Description": "Proton Drive is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "SimpleHelp", + "Description": "SimpleHelp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/9/2024", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "simplehelpcustomer.exe", + "simpleservice.exe", + "simplegatewayservice.exe", + "remote access.exe", + "windowslauncher.exe" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], "Network": [ { "Description": "Known remote domains", "Domains": [ - "*.teamviewer.com" + "user_managed", + "simple-help.com" ], "Ports": [] - }, - { - "Description": "N/A", - "Domains": [ - "router15.teamviewer.com" - ], - "Ports": [ - 443 - ] - }, - { - "Description": "N/A", - "Domains": [ - "client.teamviewer.com" - ], - "Ports": [ - 443 - ] - }, - { - "Description": "N/A", - "Domains": [ - "taf.teamviewer.com" - ], - "Ports": [ - 443 - ] - } - ], - "Other": [ - { - "Type": "Mutex", - "Value": "TeamViewer_LogMutex" - }, - { - "Type": "Mutex", - "Value": "TeamViewerHooks_DynamicMemMutex" - }, - { - "Type": "Mutex", - "Value": "TeamViewer3_Win32_Instance_Mutex" } ] }, "Detections": [ { - "Sigma": 
"https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_registry_sigma.yml", - "Description": "Detects potential registry activity of TeamViewer RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_network_sigma.yml", - "Description": "Detects potential network activity of TeamViewer RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_files_sigma.yml", - "Description": "Detects potential files activity of TeamViewer RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/simplehelp_network_sigma.yml", + "Description": "Detects potential network activity of SimpleHelp RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_processes_sigma.yml", - "Description": "Detects potential processes activity of TeamViewer RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/simplehelp_processes_sigma.yml", + "Description": "Detects potential processes activity of SimpleHelp RMM tool" } ], "References": [ - "https://community.teamviewer.com/English/kb/articles/4139-ports-used-by-teamviewer", - "https://arista.my.site.com/AristaCommunity/s/article/Security-Analysis-TeamViewer#", - "https://www.teamviewer.com/en/global/support/knowledge-base/teamviewer-classic/troubleshooting/log-file-reading-incoming-connection/", - "https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html", - "https://github.com/Purp1eW0lf/Blue-Team-Notes" + "https://simple-help.com/remote-support" ], - "Acknowledgement": [ - { - "Person": "Théo Letailleur", - "Handle": "in/theosyn" - } - ] + "Acknowledgement": [] }, { - "Name": "Itarian", - "Description": "Itarian is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Name": "CloudFlare Tunnel", + "Description": "CloudFlare Tunnel is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -11102,16 +11238,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ITSMAgent.exe", - "RViewer.exe", - "ItsmRsp.exe", - "RAccess.exe", - "RmmService.exe", - "ITarianRemoteAccessSetup.exe", - "RDesktop.exe", - "ComodoRemoteControl.exe", - "ITSMService.exe", - "RHost.exe" + "cloudflared.exe" ] }, "Artifacts": { @@ -11122,11 +11249,7 @@ { "Description": "Known remote domains", "Domains": [ - "mdmsupport.comodo.com", - "*.itsm-us1.comodo.com", - "*.cmdm.comodo.com", - "remoteaccess.itarian.com", - "servicedesk.itarian.com" + "cloudflare.com/products/tunnel/" ], "Ports": [] } 
@@ -11134,25 +11257,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itarian_network_sigma.yml", - "Description": "Detects potential network activity of Itarian RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudflare_tunnel_network_sigma.yml", + "Description": "Detects potential network activity of CloudFlare Tunnel RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itarian_processes_sigma.yml", - "Description": "Detects potential processes activity of Itarian RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudflare_tunnel_processes_sigma.yml", + "Description": "Detects potential processes activity of CloudFlare Tunnel RMM tool" } ], "References": [ - "https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html" + "cloudflare.com/products/tunnel/" ], "Acknowledgement": [] }, { - "Name": "Visual Studio Dev Tunnel", - "Description": "Visual Studio Dev Tunnel is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "GoTo Opener", + "Description": "GoTo Opener is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -11166,7 +11289,46 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "C:\\Program Files (x86)\\GoTo Opener", + "*\\GoTo Opener" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "Pcvisit", + "Description": "Pcvisit is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/9/2024", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "pcvisit.exe", + "pcvisit_client.exe", + "pcvisit-easysupport.exe", + "pcvisit_service_client.exe" + ] }, "Artifacts": { "Disk": [], @@ -11176,9 +11338,8 @@ { "Description": "Known remote domains", "Domains": [ - "global.rel.tunnels.api.visualstudio.com", - "*.rel.tunnels.api.visualstudio.com", - "*.devtunnels.ms" + "*.pcvisit.de", + "pcvisit.de" ], "Ports": [] } 
@@ -11186,18 +11347,57 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/visual_studio_dev_tunnel_network_sigma.yml", - "Description": "Detects potential network activity of Visual Studio Dev Tunnel RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcvisit_network_sigma.yml", + "Description": "Detects potential network activity of Pcvisit RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcvisit_processes_sigma.yml", + "Description": "Detects potential processes activity of Pcvisit RMM tool" } ], "References": [ - "https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security" + "https://www.pcvisit.de/" ], "Acknowledgement": [] }, { - "Name": "ITSupport247 (ConnectWise)", - "Description": "ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Mocha VNC Lite", + "Description": "Mocha VNC Lite is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "This installs a modified VNC and cannot be blocked by path separate from VNC", + "This installs a modified VNC and cannot be blocked by path separate from VNC", + "*\\RealVNC\\VNC4\\*" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "Laplink Gold", + "Description": "Laplink Gold is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/8/2024", @@ -11215,7 +11415,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "saazapsc.exe" + "tsircusr.exe", + "laplink.exe" ] }, "Artifacts": { @@ -11226,7 +11427,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.itsupport247.net" + "user_managed", + "wen.laplink.com/product/laplink-gold" ], "Ports": [] } 
@@ -11234,129 +11436,19 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__network_sigma.yml", - "Description": "Detects potential network activity of ITSupport247 (ConnectWise) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_gold_network_sigma.yml", + "Description": "Detects potential network activity of Laplink Gold RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__processes_sigma.yml", - "Description": "Detects potential processes activity of ITSupport247 (ConnectWise) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_gold_processes_sigma.yml", + "Description": "Detects potential processes activity of Laplink Gold RMM tool" } ], "References": [ - "https://control.itsupport247.net/" + "wen.laplink.com/product/laplink-gold" ], "Acknowledgement": [] }, - { - "Name": "LogMeIn", - "Description": "LogMeIn is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.\n", - "Author": "Nasreddine Bencherchali", - "Created": "2024-08-05", - "LastModified": "2024-08-05", - "Details": { - "Website": "https://www.logmein.com/", - "PEMetadata": [ - { - "Filename": "lmiguardiansvc.exe" - }, - { - "Filename": "lmiignition.exe" - }, - { - "Filename": "logmeinsystray.exe" - }, - { - "Filename": "logmein.exe", - "OriginalFileName": "", - "Company": "LogMeIn, Inc.", - "Description": "LMIGuardianSvc", - "Product": "LMIGuardianSvc" - } - ], - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": null - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [ - { - "Description": "N/A", - "Domains": [ - "logmein-gateway.com" - ], - "Ports": [ - 443 - ] - }, - { - "Description": "N/A", - "Domains": [ - "*.logmein.com" - ], - "Ports": [ - 443 - ] - }, - { - "Description": "N/A", - "Domains": [ - "*.logmein.eu" - ], - "Ports": [ - 443 - ] - }, - { - "Description": "N/A", - "Domains": [ - "logmeinrescue.com" - ], - "Ports": [ - 443 - ] - }, - { - "Description": "N/A", - "Domains": [ - "*.logmeininc.com" - ], - "Ports": [ - 443 - ] - } - ] - }, - "Detections": [ - { - "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml", - "Description": "DNS Query To Remote Access Software Domain From Non-Browser App" - }, - { - "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_remote_access_tools_logmein.yml", - "Description": "Remote Access Tool - LogMeIn Execution" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_network_sigma.yml", - "Description": "Detects potential network activity of LogMeIn RMM tool" - } - ], - "References": [ - 
"https://support.logmeininc.com/central/help/allowlisting-and-firewall-configuration" - ], - "Acknowledgement": [ - { - "Person": "Nasreddine Bencherchali", - "Handle": "@nas_bench" - } - ] - }, { "Name": "Cyberduck", "Description": "Cyberduck is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", @@ -11398,11 +11490,11 @@ "Acknowledgement": [] }, { - "Name": "Electric", - "Description": "Electric is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Iperius Remote", + "Description": "Iperius Remote is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -11416,7 +11508,10 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "iperius.exe", + "iperiusremote.exe" + ] }, "Artifacts": { "Disk": [], @@ -11426,7 +11521,10 @@ { "Description": "Known remote domains", "Domains": [ - "electric.ai" + "*.iperiusremote.com", + "*.iperius.com", + "*.iperius-rs.com", + "iperiusremote.com" ], "Ports": [] } 
@@ -11434,19 +11532,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/electric_network_sigma.yml", - "Description": "Detects potential network activity of Electric RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/iperius_remote_network_sigma.yml", + "Description": "Detects potential network activity of Iperius Remote RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/iperius_remote_processes_sigma.yml", + "Description": "Detects potential processes activity of Iperius Remote RMM tool" } ], - "References": [], + "References": [ + "https://www.iperiusremote.com/download-iperius-remote-desktop-windows.aspx" + ], "Acknowledgement": [] }, { - "Name": "PuTTY", - "Description": "PuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "BeamYourScreen", + "Description": "BeamYourScreen is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { 
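Review bot: `"LastModified": "2/8/2024"` (Iperius Remote) and `"LastModified": "2/7/2024"` (BeamYourScreen) are US locale strings, while the hand-authored records in the same file (LogMeIn above, Kaseya (VSA) at @@ -11987) use ISO `"2024-08-05"`, and other records carry `""`. A consumer of the JSON API cannot sort or compare these without guessing the locale; have the generator normalise every Created and LastModified value to YYYY-MM-DD and reject anything it cannot parse.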
@@ -11460,24 +11564,47 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "beamyourscreen.exe", + "beamyourscreen-host.exe" + ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "beamyourscreen.com", + "*.beamyourscreen.com" + ], + "Ports": [] + } + ] }, - "Detections": [], - "References": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beamyourscreen_network_sigma.yml", + "Description": "Detects potential network activity of BeamYourScreen RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beamyourscreen_processes_sigma.yml", + "Description": "Detects potential processes activity of BeamYourScreen RMM tool" + } + ], + "References": [ + "beamyourscreen redirects to https://www.mikogo.com/" + ], "Acknowledgement": [] }, { - "Name": "TeraCLOUD", - "Description": "TeraCLOUD is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "TeleDesktop", + "Description": "TeleDesktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { 
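Review bot: `"References": [ "beamyourscreen redirects to https://www.mikogo.com/" ]` puts a sentence into a field that elsewhere holds URLs, and the pattern repeats below (`"http://potomacsoft.com/ - DOA as of 2024"` for TeleDesktop, `"basecamp.com - No specific RMM tool listed"` for Basecamp, `"https://www.helpbeam.com domain for sale in 2024"` for HelpBeam, scheme-less `"github.com/stascorp/rdpwrap"` for rdpwrap). Anything rendering References as links or validating them as URLs will break on these. Keep References as a list of URLs and move the "redirects to", "DOA" and "for sale" observations into the Description or a dedicated Notes field.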
@@ -11492,29 +11619,44 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "c:\\*\\TeraCloud.Client*", - "*\\TeraCloud.Client*", - "*\\Livedrive-Setup.exe" + "pstlaunch.exe", + "ptdskclient.exe", + "ptdskhost.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "user_managed", + "tele-desk.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teracloud_processes_sigma.yml", - "Description": "Detects potential processes activity of TeraCLOUD RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teledesktop_network_sigma.yml", + "Description": "Detects potential network activity of TeleDesktop RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teledesktop_processes_sigma.yml", + "Description": "Detects potential processes activity of TeleDesktop RMM tool" } ], - "References": [], + "References": [ + "http://potomacsoft.com/ - DOA as of 2024" + ], "Acknowledgement": [] }, { - "Name": "Netreo", - "Description": "Netreo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Parallels Access", + "Description": "Parallels Access is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -11531,7 +11673,13 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "parallelsaccess-*.exe", + "TSClient.exe", + "prl_deskctl_agent.exe", + "prl_deskctl_wizard.exe", + "prl_pm_service.exe" + ] }, "Artifacts": { "Disk": [], 
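Review bot: TeleDesktop's `"Domains": [ "user_managed", "tele-desk.com" ]` carries a sentinel string in the same list as a real hostname, and the same sentinel appears for rdpwrap at @@ -12283 and as the only entry for DeskShare at @@ -12230, which still ships a deskshare_network_sigma.yml detection. If the network rules are generated from Domains, "user_managed" either becomes a literal DNS match that can never fire or has to be special-cased in every consumer. Represent self-hosted tools with a boolean (for example a SelfHosted or UserManagedInfrastructure flag) and leave Domains for hostnames only, and do not emit a network detection for a record whose Domains list is empty after that.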
@@ -11541,10 +11689,8 @@ { "Description": "Known remote domains", "Domains": [ - "charon.netreo.net", - "activation.netreo.net", - "*.api.netreo.com", - "netreo.com" + "*.parallels.com", + "parallels.com/products/ras/try" ], "Ports": [] } @@ -11552,21 +11698,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netreo_network_sigma.yml", - "Description": "Detects potential network activity of Netreo RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/parallels_access_network_sigma.yml", + "Description": "Detects potential network activity of Parallels Access RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/parallels_access_processes_sigma.yml", + "Description": "Detects potential processes activity of Parallels Access RMM tool" } ], "References": [ - "https://solutions.netreo.com/docs/firewall-requirements" + "https://kb.parallels.com/en/129097" ], "Acknowledgement": [] }, { - "Name": "Netop Remote Control (Impero Connect)", - "Description": "Netop Remote Control (Impero Connect) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Basecamp", + "Description": "Basecamp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -11580,17 +11730,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "nhostsvc.exe", - "nhstw32.exe", - "ngstw32.exe", - "Netop Ondemand.exe", - "nldrw32.exe", - "rmserverconsolemediator.exe", - "ImperoInit.exe", - "Connect.Backdrop.cloud*.exe", - "ImperoClientSVC.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], 
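Review bot: `"parallels.com/products/ras/try"` in the Parallels Access Domains list is a URL path, not a hostname; a DNS or proxy rule cannot match it and it only adds a dead pattern to parallels_access_network_sigma.yml. The same applies to `"learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview"` at @@ -11804, `"www.quest.com/kace/"` at @@ -12145 and `"github.com/stascorp/rdpwrap"` at @@ -12283. Have the generator validate each Domains entry as a bare hostname or `*.` wildcard and move anything with a path into References.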
@@ -11600,8 +11740,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.connect.backdrop.cloud", - "*.netop.com" + "basecamp.com" ], "Ports": [] } @@ -11609,25 +11748,21 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__impero_connect__network_sigma.yml", - "Description": "Detects potential network activity of Netop Remote Control (Impero Connect) RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__impero_connect__processes_sigma.yml", - "Description": "Detects potential processes activity of Netop Remote Control (Impero Connect) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/basecamp_network_sigma.yml", + "Description": "Detects potential network activity of Basecamp RMM tool" } ], "References": [ - "https://kb.netop.com/article/firewall-and-proxy-server-considerations-when-using-netop-portal-communication-373.html" + "basecamp.com - No specific RMM tool listed" ], "Acknowledgement": [] }, { - "Name": "Splashtop (Beta)", - "Description": "Splashtop (Beta) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Weezo", + "Description": "Weezo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { @@ -11642,10 +11777,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "SRServer.exe", - "SplashtopSOS.exe", - "Splashtop_Streamer_Windows*.exe", - "SRManager.exe" + "weezohttpd.exe", + "weezo.exe", + "weezo setup*.exe" ] }, "Artifacts": { 
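Review bot: the Basecamp record's own reference says `"basecamp.com - No specific RMM tool listed"`, yet the Description asserts "Basecamp is a remote monitoring and management (RMM) tool" and the record ships basecamp_network_sigma.yml on `"basecamp.com"`, so any non-browser DNS lookup of a project-management site becomes an RMM alert. Either drop the record or record the classification rationale and the actual process or domain that justifies it. More generally the templated Description is applied verbatim to Cyberduck, PuTTY, Google Drive, X2Go and Dev Tunnels in this diff; a Category field (remote access, file transfer, tunnelling, and so on) would carry that information without asserting something the data does not support.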
@@ -11656,7 +11790,10 @@ { "Description": "Known remote domains", "Domains": [ - "splashtop.com" + "*.weezo.me", + "weezo.net", + "*.weezo.net", + "weezo.en.softonic.com" ], "Ports": [] } @@ -11664,23 +11801,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop__beta__network_sigma.yml", - "Description": "Detects potential network activity of Splashtop (Beta) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/weezo_network_sigma.yml", + "Description": "Detects potential network activity of Weezo RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop__beta__processes_sigma.yml", - "Description": "Detects potential processes activity of Splashtop (Beta) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/weezo_processes_sigma.yml", + "Description": "Detects potential processes activity of Weezo RMM tool" } ], - "References": [], + "References": [ + "weezo.en.softonic.com" + ], "Acknowledgement": [] }, { - "Name": "FastViewer", - "Description": "FastViewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "X2Go", + "Description": "X2Go is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
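Review bot: `"weezo.en.softonic.com"` is a third-party download portal page, listed both under "Known remote domains" and as Weezo's only reference; a network rule on it fires on someone browsing Softonic, not on the tool's own traffic, and the product domains `"weezo.net"` and `"*.weezo.me"` already cover the real case. HelpBeam at @@ -12103 has the same problem with `"helpbeam.software.informer.com"` as its only domain. Drop download-portal hosts from Domains (keep them in References if they are the only surviving documentation) so the generated network rules match tool traffic rather than downloads.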
@@ -11694,48 +11833,24 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "fastclient.exe", - "fastmaster.exe", - "FastViewer.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.fastviewer.com", - "fastviewer.com" - ], - "Ports": [] - } - ] + "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fastviewer_network_sigma.yml", - "Description": "Detects potential network activity of FastViewer RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fastviewer_processes_sigma.yml", - "Description": "Detects potential processes activity of FastViewer RMM tool" - } - ], - "References": [ - "https://fastviewer.com/demo/EN_FastViewer_Server%20Installation%20Configuration.pdf" - ], + "Detections": [], + "References": [], "Acknowledgement": [] }, { - "Name": "RustDesk", - "Description": "RustDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "DriveMaker", + "Description": "DriveMaker is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
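Review bot: after this hunk X2Go is an empty record (`"InstallationPaths": []`, `"Network": []`, `"Detections": []`, `"References": []`), and PuTTY at @@ -12381 ends up the same way; records with no artifacts and no detections add nothing to the API or the generated pages beyond the templated one-line Description. Either populate them or have the generator skip entries with no artifacts. The FastViewer paths, domains, detections and reference removed in the same hunk, and the RustDesk record removed at @@ -11750, have no visible re-addition in this region, so confirm they were moved rather than dropped.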
@@ -11750,44 +11865,28 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "rustdesk*.exe", - "rustdesk.exe" + "C:\\*\\DriveMaker.exe", + "*\\DriveMaker.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "rustdesk.com", - "user_managed", - "web.rustdesk.com" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rustdesk_network_sigma.yml", - "Description": "Detects potential network activity of RustDesk RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rustdesk_processes_sigma.yml", - "Description": "Detects potential processes activity of RustDesk RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/drivemaker_processes_sigma.yml", + "Description": "Detects potential processes activity of DriveMaker RMM tool" } ], - "References": [ - "https://rustdesk.com/docs/en/" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "MobaXterm", - "Description": "MobaXterm is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Dev Tunnels (aka Visual Studio Dev Tunnel)", + "Description": "Dev Tunnels (aka Visual Studio Dev Tunnel) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
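Review bot: DriveMaker's `"C:\\*\\DriveMaker.exe"` is fully covered by the `"*\\DriveMaker.exe"` pattern beside it, so the first adds nothing but a second selector to drivemaker_processes_sigma.yml. The same redundant pair recurs for Google Drive (`"C:\\Program Files\\Google\\Drive File Stream\\*"` and `"*\\Google\\Drive File Stream\\*"` at @@ -11935), Netop (@@ -11987) and Total Software Deployment (@@ -12325). Have the generator drop any InstallationPaths pattern that a sibling wildcard pattern already subsumes.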
@@ -11804,28 +11903,37 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\*\\MobaXterm_installer_12.1.msi", - "*\\MobaXterm_installer_*.msi", - "*\\Mobatek\\MobaXterm\\*" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview" + ], + "Ports": [] + } + ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dev_tunnels__aka_visual_studio_dev_tunnel__network_sigma.yml", + "Description": "Detects potential network activity of Dev Tunnels (aka Visual Studio Dev Tunnel) RMM tool" + } + ], "References": [], "Acknowledgement": [] }, { - "Name": "GoToAssist", - "Description": "GoToAssist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Connectwise Automate (LabTech)", + "Description": "Connectwise Automate (LabTech) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -11840,9 +11948,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "gotoassist.exe", - "g2a*.exe", - "GoTo Assist Opener.exe" + "ltsvc.exe", + "ltsvcmon.exe", + "lttray.exe" ] }, "Artifacts": { @@ -11853,14 +11961,7 @@ { "Description": "Known remote domains", "Domains": [ - "goto.com", - "*.getgo.com", - "*.fastsupport.com", - "*.gotoassist.com", - "helpme.net", - "*.gotoassist.me", - "*.gotoassist.at", - "*.desktopstreaming.com" + "*.hostedrmm.com" ], "Ports": [] } 
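Review bot: the only reference for Connectwise Automate (LabTech) is a rebranding announcement (`labtech-now-connectwise-automate`), which does not back the `"*.hostedrmm.com"` domain or the ltsvc.exe, ltsvcmon.exe and lttray.exe process names; the other records in this region cite firewall or allowlisting documentation for exactly that purpose. Cite the vendor's connectivity requirements page so the generated connectwise_automate__labtech__network_sigma.yml is traceable. Dev Tunnels in the same hunk is worse: no InstallationPaths, no References, and a documentation URL as its single "domain", yet a network detection is emitted for it.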
@@ -11868,22 +11969,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotoassist_network_sigma.yml", - "Description": "Detects potential network activity of GoToAssist RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_automate__labtech__network_sigma.yml", + "Description": "Detects potential network activity of Connectwise Automate (LabTech) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotoassist_processes_sigma.yml", - "Description": "Detects potential processes activity of GoToAssist RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_automate__labtech__processes_sigma.yml", + "Description": "Detects potential processes activity of Connectwise Automate (LabTech) RMM tool" } ], "References": [ - "https://help.gotoassist.com/remote-support/help/what-should-i-allow-on-my-firewall-for-gotoassist-remote-support-v5" + "https://www.connectwise.com/company/announcements/labtech-now-connectwise-automate" ], "Acknowledgement": [] }, { - "Name": "Free Ping Tool", - "Description": "Free Ping Tool is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Splashtop (Beta)", + "Description": "Splashtop (Beta) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
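Review bot: every LOLRMM Sigma link in this hunk, and throughout the file, points at `blob/main/detections/sigma/...`, so the URL the API hands out silently changes meaning whenever a rule is edited or renamed, whereas the SigmaHQ links in the LogMeIn record at the top of this region are pinned to commit 782f0f524e6f797ea114fe0d87b22cb4abaa6b7c. Have the generator emit permalinks with the commit hash (or a release tag) for the repository's own rules as well.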
@@ -11901,26 +12002,45 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "can't find this one", - "can't find this one" + "SRServer.exe", + "SplashtopSOS.exe", + "Splashtop_Streamer_Windows*.exe", + "SRManager.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "splashtop.com" + ], + "Ports": [] + } + ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop__beta__network_sigma.yml", + "Description": "Detects potential network activity of Splashtop (Beta) RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop__beta__processes_sigma.yml", + "Description": "Detects potential processes activity of Splashtop (Beta) RMM tool" + } + ], "References": [], "Acknowledgement": [] }, { - "Name": "HelpBeam", - "Description": "HelpBeam is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Google Drive", + "Description": "Google Drive is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
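Review bot: the detection filenames are derived from the display name with parentheses turned into double underscores, giving `splashtop__beta__network_sigma.yml` here and `kaseya__vsa__`, `connectwise_automate__labtech__`, `dev_tunnels__aka_visual_studio_dev_tunnel__` and `quest_kace_agent__formerly_dell_kace__` elsewhere in this diff. Renaming a tool (as "Netop Remote Control (Impero Connect)" shows) then renames its rule files and breaks every existing link. Give each record a stable slug or Id field and derive filenames from that, collapsing runs of underscores. Removing the `"can't find this one"` placeholders from the Free Ping Tool paths in this hunk is the right call; the same validation should have caught the free-text entries that remain in FixMe.it at @@ -12422.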
@@ -11935,44 +12055,34 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "helpbeam*.exe" + "C:\\Program Files\\Google\\Drive File Stream\\*", + "*\\Google\\Drive File Stream\\*", + "*Users\\*\\AppData\\*\\Google\\DriveFS*", + "G:\\My Drive*", + "*\\GoogleDriveFS.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "helpbeam.software.informer.com" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpbeam_network_sigma.yml", - "Description": "Detects potential network activity of HelpBeam RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpbeam_processes_sigma.yml", - "Description": "Detects potential processes activity of HelpBeam RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/google_drive_processes_sigma.yml", + "Description": "Detects potential processes activity of Google Drive RMM tool" } ], - "References": [ - "https://www.helpbeam.com domain for sale in 2024" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "NTR Remote", - "Description": "NTR Remote is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Netop", + "Description": "Netop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/26/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
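Review bot: `"G:\\My Drive*"` in Google Drive's InstallationPaths is a mounted drive-letter path chosen by the user, not an installation location, and in a process rule it would match any executable launched from that drive rather than the Google Drive client itself. Keep `"*\\GoogleDriveFS.exe"` and the Program Files and AppData patterns and drop the drive-letter entry, or document why a process rule keyed on it is wanted.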
@@ -11987,51 +12097,42 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "NTRsupportPro_EN.exe" + "C:\\Program Files\\Danware Data\\NetOp Packn Deploy\\*", + "*\\Danware Data\\NetOp Packn Deploy\\*", + "*\\Netop Remote Control\\*" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.ntrsupport.com" - ], - "Ports": [] - } - ] + "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ntr_remote_network_sigma.yml", - "Description": "Detects potential network activity of NTR Remote RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ntr_remote_processes_sigma.yml", - "Description": "Detects potential processes activity of NTR Remote RMM tool" - } - ], - "References": [ - "DOA as of 2024" - ], + "Detections": [], + "References": [], "Acknowledgement": [] }, { - "Name": "ServerEye", - "Description": "ServerEye is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/9/2024", + "Name": "Kaseya (VSA)", + "Description": "Kaseya (VSA) aka Unigma is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.\n", + "Author": "Nasreddine Bencherchali", + "Created": "2024-08-05", + "LastModified": "2024-08-05", "Details": { "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, + "PEMetadata": [ + { + "Filename": "agentmon.exe" + }, + { + "Filename": "KaUpdHlp.exe" + }, + { + "Filename": "KaUsrTsk.exe", + "OriginalFileName": "", + "Description": "" + } + ], "Privileges": "", "Free": "", "Verification": "", 
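Review bot: the Kaseya (VSA) record uses `"PEMetadata": [ { "Filename": "agentmon.exe" }, ... ]`, an array of objects with varying keys (only KaUsrTsk.exe carries OriginalFileName and Description, both empty), while the record it replaces and every other record in this region use a single object `{ "Filename": "", "OriginalFileName": "", "Description": "" }`; the LogMeIn record at the top has the same array shape. Consumers of rmm_tools.json now need to handle both, so pick one shape (the array, if a tool has several binaries) and migrate the rest in the generator. Its Description also ends in a literal `\n`, unlike the templated records. Separately, the new "Netop" record here carries only the Danware directory globs with empty Network and Detections, while the "Netop Remote Control (Impero Connect)" record removed at @@ -11552 through @@ -11609 had nine process names, two domains and two rules; if the Impero record is not re-added elsewhere this is a coverage regression, and if it is, the two should be merged.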
@@ -12039,19 +12140,102 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "servereye*.exe", - "ServiceProxyLocalSys.exe" + "C:\\Program Files (x86)\\Kaseya\\", + "C:\\ProgramData\\Kaseya\\" ] }, "Artifacts": { - "Disk": [], + "Disk": [ + { + "File": "%localappdata%\\Kaseya\\Log\\KaseyaLiveConnect\\*", + "Description": "Kaseya Live Connect logs", + "OS": "Windows" + }, + { + "File": "~/Library/Logs/com.kaseya/KaseyaLiveConnect/*", + "Description": "Kaseya Live Connect logs", + "OS": "MacOS" + }, + { + "File": "C:\\ProgramData\\Kaseya\\Log\\Endpoint\\*", + "Description": "Kaseya Endpoint logs", + "OS": "Windows" + }, + { + "File": "C:\\Program Files*\\Kaseya\\*\\agentmon.log", + "Description": "Kaseya Agent Monitor log" + }, + { + "File": "/var/log/system.log", + "Description": "Kaseya Agent Monitor log", + "OS": "MacOS 32bit" + }, + { + "File": " ~/opt/kaseya/*/logs*", + "Description": "Kaseya Agent Monitor log", + "OS": "MacOS 64bit" + }, + { + "File": "C:\\Users\\*\\AppData\\Local\\Temp\\KASetup.log", + "Description": "Kaseya Setup log in user temp directory", + "OS": "Windows" + }, + { + "File": "C:\\Windows\\Temp\\KASetup.log", + "Description": "Kaseya Setup log in Windows temp directory", + "OS": "Windows" + }, + { + "File": "C:\\ProgramData\\Kaseya\\Log\\KaseyaEdgeServices\\*", + "Description": "Kaseya Edge Services logs", + "OS": "Windows" + }, + { + "File": "C:\\Kaseya\\api\\v1.0\\logs\\", + "Description": "Kaseya API logs", + "OS": "Windows" + }, + { + "File": "C:\\Kaseya\\api\\v1.5\\endpoint\\logs", + "Description": "Kaseya API logs", + "OS": "Windows" + }, + { + "File": "C:\\Kaseya\\api\\v1.5\\endpoints\\logs", + "Description": "Kaseya API logs", + "OS": "Windows" + }, + { + "File": "C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Kaseya\\Log\\MakeSelfSignedCert.exe\\", + "Description": "Certificate creation", + "OS": "Windows" + }, + { + "File": "C:\\Kaseya\\WebPages\\install\\makecert.txt", + "Description": 
"Certificate creation", + "OS": "Windows" + }, + { + "File": "C:\\ProgramData\\Kaseya\\Log\\Endpoint\\Instance_*\\KaseyaEndpoint*", + "Description": "Endpoint service logs", + "OS": "Windows" + }, + { + "File": "C:\\ProgramData\\Kaseya\\Log\\Endpoint\\Instance_*\\Session_*", + "Description": "Session logs", + "OS": "Windows" + } + ], "EventLog": [], "Registry": [], "Network": [ { "Description": "Known remote domains", "Domains": [ - "*.server-eye.de" + "deploy01.kaseya.com", + "*managedsupport.kaseya.net", + "*.kaseya.net", + "kaseya.com" ], "Ports": [] } 
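Review bot: several Kaseya Disk artifacts will not survive a file-path rule as written: `" ~/opt/kaseya/*/logs*"` has a leading space, `"C:\\Program Files*\\Kaseya\\*\\agentmon.log"` is the only entry without an OS, `"OS": "MacOS 32bit"` and `"MacOS 64bit"` are values no other record uses, and `"/var/log/system.log"` is the generic macOS system log rather than a Kaseya file, so a rule on it matches everything. `"...\\Kaseya\\Log\\MakeSelfSignedCert.exe\\"` ends in `.exe\\` as if it were a directory, and the three `C:\\Kaseya\\api\\...\\logs` entries (including both `endpoint` and `endpoints`) plus `C:\\Kaseya\\WebPages\\install\\makecert.txt` look like VSA server-side paths mixed in with agent paths without a field that says which host role they belong to. In the Network list `"*managedsupport.kaseya.net"` is already subsumed by `"*.kaseya.net"`.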
@@ -12059,25 +12243,28 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/servereye_network_sigma.yml", - "Description": "Detects potential network activity of ServerEye RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kaseya__vsa__network_sigma.yml", + "Description": "Detects potential network activity of Kaseya (VSA) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/servereye_processes_sigma.yml", - "Description": "Detects potential processes activity of ServerEye RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kaseya__vsa__files_sigma.yml", + "Description": "Detects potential files activity of Kaseya (VSA) RMM tool" } ], "References": [ - "https://www.servereye.de/wp-content/uploads/Anleitung-zur-Erstinstallation_aktuell.pdf" + "https://helpdesk.kaseya.com/hc/en-gb/articles/229012608-Software-Deployment-URL-Port-Requirements", + "https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations", + "https://ruler-project.github.io/ruler-project/RULER/remote/Kaseya/", + "https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations" ], "Acknowledgement": [] }, { - "Name": "WebRDP", - "Description": "WebRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "HelpBeam", + "Description": "HelpBeam is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -12092,7 +12279,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "webrdp.exe" + "helpbeam*.exe" ] }, "Artifacts": { 
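Review bot: the Kaseya References list contains `https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations` twice; de-duplicate References in the generator. None of the four references mention Unigma, so the `"aka Unigma"` alias added to the Description needs a source or should go. Also note that the record names agentmon.exe, KaUpdHlp.exe and KaUsrTsk.exe in PEMetadata but its InstallationPaths hold only two directories and its Detections are a network rule and a files rule with no processes rule; if process rules are generated from InstallationPaths, those binary names never reach a detection.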
@@ -12103,8 +12290,7 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "github.com/Mikej81/WebRDP" + "helpbeam.software.informer.com" ], "Ports": [] } @@ -12112,25 +12298,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/webrdp_network_sigma.yml", - "Description": "Detects potential network activity of WebRDP RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpbeam_network_sigma.yml", + "Description": "Detects potential network activity of HelpBeam RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/webrdp_processes_sigma.yml", - "Description": "Detects potential processes activity of WebRDP RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpbeam_processes_sigma.yml", + "Description": "Detects potential processes activity of HelpBeam RMM tool" } ], "References": [ - "github.com/Mikej81/WebRDP" + "https://www.helpbeam.com domain for sale in 2024" ], "Acknowledgement": [] }, { - "Name": "GoTo Opener", - "Description": "GoTo Opener is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Quest KACE Agent (formerly Dell KACE)", + "Description": "Quest KACE Agent (formerly Dell KACE) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -12145,66 +12331,45 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\GoTo Opener", - "*\\GoTo Opener" + "konea.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] - }, - "Detections": [], - "References": [], - "Acknowledgement": [] - }, - { - "Name": "S3 Browser", - "Description": "S3 Browser is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\Program Files (x86)\\S3 Browser\\*", - "*\\S3 Browser\\*", - "*\\s3browser*.exe" + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.kace.com", + "www.quest.com/kace/" + ], + "Ports": [] + } ] }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [] - }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/s3_browser_processes_sigma.yml", - "Description": "Detects potential processes activity of S3 Browser RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quest_kace_agent__formerly_dell_kace__network_sigma.yml", + "Description": "Detects potential network activity of Quest KACE Agent (formerly Dell KACE) RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quest_kace_agent__formerly_dell_kace__processes_sigma.yml", + "Description": "Detects potential processes activity of Quest KACE Agent (formerly Dell KACE) RMM tool" } ], - "References": [], + "References": [ + "https://support.quest.com/kb/4211365/which-network-ports-and-urls-are-required-for-the-kace-sma-appliance-to-function" + 
], "Acknowledgement": [] }, { - "Name": "Any Support", - "Description": "Any Support is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "DeskShare", + "Description": "DeskShare is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/27/2024", + "LastModified": "2/26/2024", "Details": { "Website": "", "PEMetadata": { @@ -12219,7 +12384,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ManualLauncher.exe" + "TeamTaskManager.exe", + "DSGuest.exe" ] }, "Artifacts": { @@ -12230,7 +12396,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.anysupport.net" + "user_managed" ], "Ports": [] } 
@@ -12238,25 +12404,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/any_support_network_sigma.yml", - "Description": "Detects potential network activity of Any Support RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskshare_network_sigma.yml", + "Description": "Detects potential network activity of DeskShare RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/any_support_processes_sigma.yml", - "Description": "Detects potential processes activity of Any Support RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskshare_processes_sigma.yml", + "Description": "Detects potential processes activity of DeskShare RMM tool" } ], "References": [ - "https://www.anysupport.net/introduce_howto.php" + "https://www.deskshare.com/help/fml/Active-and-Passive-connection-mode.aspx" ], "Acknowledgement": [] }, { - "Name": "BeamYourScreen", - "Description": "BeamYourScreen is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "rdpwrap", + "Description": "rdpwrap is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -12271,8 +12437,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "beamyourscreen.exe", - "beamyourscreen-host.exe" + "RDPWInst.exe", + "RDPCheck.exe", + "RDPConf.exe" ] }, "Artifacts": { @@ -12283,8 +12450,8 @@ { "Description": "Known remote domains", "Domains": [ - "beamyourscreen.com", - "*.beamyourscreen.com" + "user_managed", + "github.com/stascorp/rdpwrap" ], "Ports": [] } 
@@ -12292,25 +12459,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beamyourscreen_network_sigma.yml", - "Description": "Detects potential network activity of BeamYourScreen RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpwrap_network_sigma.yml", + "Description": "Detects potential network activity of rdpwrap RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beamyourscreen_processes_sigma.yml", - "Description": "Detects potential processes activity of BeamYourScreen RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpwrap_processes_sigma.yml", + "Description": "Detects potential processes activity of rdpwrap RMM tool" } ], "References": [ - "beamyourscreen redirects to https://www.mikogo.com/" + "github.com/stascorp/rdpwrap" ], "Acknowledgement": [] }, { - "Name": "Sophos-Remote Management System", - "Description": "Sophos-Remote Management System is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Total Software Deployment", + "Description": "Total Software Deployment is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
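Review bot: rdpwrap is a local wrapper around the Windows RDP service with `"Domains": [ "user_managed", "github.com/stascorp/rdpwrap" ]`, so the rdpwrap_network_sigma.yml detection added here has nothing tool-specific to match: the sentinel is not a hostname and the GitHub URL is where the code lives, not where a deployed copy talks to. Drop the network detection for this record and rely on the RDPWInst.exe, RDPCheck.exe and RDPConf.exe process patterns listed at @@ -12271.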
@@ -12325,46 +12492,30 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "clientmrinit.exe", - "mgntsvc.exe", - "routernt.exe" + "C:\\ProgramData\\Total Software Deployment\\*", + "*\\Total Software Deployment\\*", + "*\\tniwinagent.exe", + "*\\Tsdservice.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.sophos.com", - "*.sophosupd.com", - "*.sophosupd.net", - "community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sophos-remote_management_system_network_sigma.yml", - "Description": "Detects potential network activity of Sophos-Remote Management System RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sophos-remote_management_system_processes_sigma.yml", - "Description": "Detects potential processes activity of Sophos-Remote Management System RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/total_software_deployment_processes_sigma.yml", + "Description": "Detects potential processes activity of Total Software Deployment RMM tool" } ], - "References": [ - "community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "Amazon (Cloud) Drive", - "Description": "Amazon (Cloud) Drive is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "PuTTY", + "Description": "PuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -12381,11 +12532,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\Users\\*\\AppData\\Local\\Amazon\\Cloud Drive\\*", - "*\\AppData\\Local\\Amazon\\Cloud Drive\\*", - "*\\AmazonCloudDrive.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], @@ -12393,21 +12540,16 @@ "Registry": [], "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/amazon__cloud__drive_processes_sigma.yml", - "Description": "Detects potential processes activity of Amazon (Cloud) Drive RMM tool" - } - ], + "Detections": [], "References": [], "Acknowledgement": [] }, { - "Name": "Desktop Central", - "Description": "Desktop Central is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "FixMe.it", + "Description": "FixMe.it is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -12422,7 +12564,18 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "dcagentservice.exe" + "FixMeit Unattended Access Setup.exe", + "TiExpertStandalone.exe", + "FixMeitClient*.exe", + "FixMeit Client.exe", + "FixMeit Expert Setup.exe", + "TiExpertCore.exe", + "fixmeitclient.exe", + "TiClientCore.exe", + "TiClientHelper*.exe", + "no installation required | recommend blocking fixme[.]it SaaS portal", + "no installation required | recommend blocking fixme[.]it SaaS portal", + "9380CC75B872221A7425D7503565B67580407F60" ] }, "Artifacts": { @@ -12433,7 +12586,11 @@ { "Description": "Known remote domains", "Domains": [ - "desktopcentral.manageengine.com" + "*.fixme.it", + "*.techinline.net", + "fixme.it", + "*set.me", + "*setme.net" ], "Ports": [] } 
@@ -12441,20 +12598,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktop_central_network_sigma.yml", - "Description": "Detects potential network activity of Desktop Central RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme.it_network_sigma.yml", + "Description": "Detects potential network activity of FixMe.it RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktop_central_processes_sigma.yml", - "Description": "Detects potential processes activity of Desktop Central RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme.it_processes_sigma.yml", + "Description": "Detects potential processes activity of FixMe.it RMM tool" } ], - "References": [], + "References": [ + "https://docs.fixme.it/general-questions/which-ports-and-servers-does-fixme-it-use" + ], "Acknowledgement": [] }, { - "Name": "PSEXEC (Clone)", - "Description": "PSEXEC (Clone) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "RDPView", + "Description": "RDPView is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -12472,13 +12631,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "paexec.exe", - "PAExec-*.exe", - "csexec.exe ", - "remcom.exe", - "remcomsvc.exe", - "xcmd.exe", - "xcmdsvc.exe" + "dwrcs.exe" ] }, "Artifacts": { @@ -12489,7 +12642,8 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed" + "user_managed", + "systemmanager.ru/dntu.en/rdp_view.htm" ], "Ports": [] } 
@@ -12497,22 +12651,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec__clone__network_sigma.yml", - "Description": "Detects potential network activity of PSEXEC (Clone) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpview_network_sigma.yml", + "Description": "Detects potential network activity of RDPView RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec__clone__processes_sigma.yml", - "Description": "Detects potential processes activity of PSEXEC (Clone) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpview_processes_sigma.yml", + "Description": "Detects potential processes activity of RDPView RMM tool" } ], "References": [ - "https://www.poweradmin.com/paexec/" + "systemmanager.ru/dntu.en/rdp_view.htm - Same as Damware" ], "Acknowledgement": [] }, { - "Name": "GetScreen", - "Description": "GetScreen is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Fortra", + "Description": "Fortra is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/7/2024", @@ -12529,10 +12683,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "GetScreen.exe", - "getscreen.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], @@ -12542,9 +12693,7 @@ { "Description": "Known remote domains", "Domains": [ - "getscreen.me", - "GetScreen.me", - "*.getscreen.me" + "fortra.com" ], "Ports": [] } 
@@ -12552,25 +12701,21 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/getscreen_network_sigma.yml", - "Description": "Detects potential network activity of GetScreen RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/getscreen_processes_sigma.yml", - "Description": "Detects potential processes activity of GetScreen RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fortra_network_sigma.yml", + "Description": "Detects potential network activity of Fortra RMM tool" } ], "References": [ - "https://docs.getscreen.me/self-hosted/system-requirements/" + "https://www.fortra.com - No free/cloud RMM softwars listed" ], "Acknowledgement": [] }, { - "Name": "RemotePC", - "Description": "RemotePC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ISL Light", + "Description": "ISL Light is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -12585,16 +12730,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\RemotePC\\*", - "Idrive.File-Transfer", - "*\\RemotePC\\*", - "remotepcservice.exe", - "RemotePC.exe", - "remotepchost.exe", - "idrive.RemotePCAgent", - "rpcsuite.exe", - "*\\RemotePCService.exe", - "RemotePCService.exe" + "islalwaysonmonitor.exe", + "isllight.exe", + "isllightservice.exe" ] }, "Artifacts": { @@ -12605,10 +12743,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.remotedesktop.com", - "*.remotepc.com", - "www.remotepc.com", - "remotepc.com" + "islonline.com" ], "Ports": [] } 
@@ -12616,25 +12751,23 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepc_network_sigma.yml", - "Description": "Detects potential network activity of RemotePC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_light_network_sigma.yml", + "Description": "Detects potential network activity of ISL Light RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepc_processes_sigma.yml", - "Description": "Detects potential processes activity of RemotePC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_light_processes_sigma.yml", + "Description": "Detects potential processes activity of ISL Light RMM tool" } ], - "References": [ - "https://www.remotedesktop.com/helpdesk/faq-firewall" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "Tanium", - "Description": "Tanium is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Pocket Controller (Soti Xsight)", + "Description": "Pocket Controller (Soti Xsight) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -12649,11 +12782,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "TaniumClient.exe", - "TaniumCX.exe", - "TaniumExecWrapper.exe", - "TaniumFileInfo.exe", - "TPowerShell.exe" + "pocketcontroller.exe", + "wysebrowser.exe", + "XSightService.exe" ] }, "Artifacts": { @@ -12664,8 +12795,7 @@ { "Description": "Known remote domains", "Domains": [ - "cloud.tanium.com", - "*.cloud.tanium.com" + "*soti.net" ], "Ports": [] } 
@@ -12673,25 +12803,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_network_sigma.yml", - "Description": "Detects potential network activity of Tanium RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller__soti_xsight__network_sigma.yml", + "Description": "Detects potential network activity of Pocket Controller (Soti Xsight) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_processes_sigma.yml", - "Description": "Detects potential processes activity of Tanium RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller__soti_xsight__processes_sigma.yml", + "Description": "Detects potential processes activity of Pocket Controller (Soti Xsight) RMM tool" } ], "References": [ - "https://help.tanium.com/bundle/ug_client_cloud/page/client/platform_connections.html" + "https://pulse.soti.net/support/soti-xsight/help/" ], "Acknowledgement": [] }, { - "Name": "GoodSync", - "Description": "GoodSync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "GatherPlace-desktop sharing", + "Description": "GatherPlace-desktop sharing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -12706,30 +12836,45 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "installation requires paid version of GoodSync Server", - "installation requires paid version of GoodSync Server", - "GoodSync-vsub-Setup.exe", - "A40B81B36CDC2D24910FC58816E50DCDE21BD1A9" + "gp3.exe", + "gp4.exe", + "gp5.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.gatherplace.com", + "*.gatherplace.net", + "gatherplace.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/goodsync_processes_sigma.yml", - "Description": "Detects potential processes activity of GoodSync RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gatherplace-desktop_sharing_network_sigma.yml", + "Description": "Detects potential network activity of GatherPlace-desktop sharing RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gatherplace-desktop_sharing_processes_sigma.yml", + "Description": "Detects potential processes activity of GatherPlace-desktop sharing RMM tool" } ], - "References": [], + "References": [ + "https://www.gatherplace.com/kb?id=136377" + ], "Acknowledgement": [] }, { - "Name": "LabTeach (Connectwise Automate)", - "Description": "LabTeach (Connectwise Automate) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Electric", + "Description": "Electric is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -12746,31 +12891,37 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "ltsvc.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "electric.ai" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labteach__connectwise_automate__processes_sigma.yml", - "Description": "Detects potential processes activity of LabTeach (Connectwise Automate) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/electric_network_sigma.yml", + "Description": "Detects potential network activity of Electric RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "RemoteView", - "Description": "RemoteView is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Site24x7", + "Description": "Site24x7 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/13/2024", "Details": { "Website": "", "PEMetadata": { @@ -12785,10 +12936,10 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "remoteview.exe", - "rv.exe", - "rvagent.exe", - "rvagtray.exe" + "MEAgentHelper.exe", + "MonitoringAgent.exe", + "Site24x7WindowsAgentTrayIcon.exe", + "Site24x7PluginAgent.exe" ] }, "Artifacts": { @@ -12799,9 +12950,12 @@ { "Description": "Known remote domains", "Domains": [ - "*content.rview.com", - "*.rview.com", - "content.rview.com" + "plus*.site24x7.com", + "plus*.site24x7.eu", + "plus*.site24x7.in", + "plus*.site24x7.cn", + "plus*.site24x7.net.au", + "site24x7.com/msp" ], "Ports": [] } 
@@ -12809,25 +12963,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteview_network_sigma.yml", - "Description": "Detects potential network activity of RemoteView RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/site24x7_network_sigma.yml", + "Description": "Detects potential network activity of Site24x7 RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteview_processes_sigma.yml", - "Description": "Detects potential processes activity of RemoteView RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/site24x7_processes_sigma.yml", + "Description": "Detects potential processes activity of Site24x7 RMM tool" } ], "References": [ - "https://help.rview.com/hc/en-us/articles/360005175994--RemoteView-Server-list-for-firewall" + "https://support.site24x7.com/portal/en/kb/articles/which-ports-do-i-need-to-allow-access-in-my-firewall-to-use-site24x7-agent" ], "Acknowledgement": [] }, { - "Name": "UltraVNC", - "Description": "UltraVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "MeshCentral", + "Description": "MeshCentral is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -12842,7 +12996,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "UltraVNC*.exe" + "meshcentral*.exe", + "mesh*.exe" ] }, "Artifacts": { @@ -12853,8 +13008,8 @@ { "Description": "Known remote domains", "Domains": [ - "ultravnc.com", - "user_managed" + "user_managed", + "meshcentral.com" ], "Ports": [] } 
@@ -12862,25 +13017,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultravnc_network_sigma.yml", - "Description": "Detects potential network activity of UltraVNC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_network_sigma.yml", + "Description": "Detects potential network activity of MeshCentral RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultravnc_processes_sigma.yml", - "Description": "Detects potential processes activity of UltraVNC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_processes_sigma.yml", + "Description": "Detects potential processes activity of MeshCentral RMM tool" } ], "References": [ - "https://uvnc.com/docs/uvnc-server/49-UltraVNC-server-configuration.html" + "https://ylianst.github.io/MeshCentral/meshcentral/" ], "Acknowledgement": [] }, { - "Name": "SmarTTY", - "Description": "SmarTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "MSP360", + "Description": "MSP360 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -12895,63 +13050,132 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "c:\\Program Files (x86)\\Sysprogs\\SmarTTY\\*", - "*\\Sysprogs\\SmarTTY\\*", - "*\\SmarTTY.exe" + "Online Backup.exe", + "CBBackupPlan.exe", + "Cloud.Backup.Scheduler.exe", + "Cloud.Backup.RM.Service.exe", + "cbb.exe", + "CloudRaService.exe", + "CloudRaSd.exe", + "CloudRaCmd.exe", + "CloudRaUtilities.exe", + "Remote Desktop.exe", + "Connect.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.cloudberrylab.com", + "*.msp360.com", + "*.mspbackups.com", + "msp360.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/smartty_processes_sigma.yml", - "Description": "Detects potential processes activity of SmarTTY RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/msp360_network_sigma.yml", + "Description": "Detects potential network activity of MSP360 RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/msp360_processes_sigma.yml", + "Description": "Detects potential processes activity of MSP360 RMM tool" } ], - "References": [], + "References": [ + "https://kb.msp360.com/managed-backup-service/mbs-tcp-ports-configuration#" + ], "Acknowledgement": [] }, { - "Name": "Absolute (Computrace)", - "Description": "Absolute (Computrace) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "6/18/2024", + "Name": "ScreenConnect", + "Description": "ScreenConnect is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Author": "Ali Alwashali, Nasreddine Bencherchali", + "Created": "2023-10-01", + "LastModified": "2024-08-03", "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, + "Website": "https://www.connectwise.com", + "PEMetadata": [ + { + "Filename": "", + "OriginalFileName": "", + "Description": "" + } + ], "Privileges": "", - "Free": "", + "Free": "14-Days Free Trial", "Verification": "", - "SupportedOS": [], - "Capabilities": [], + "SupportedOS": [ + "Android", + "IOS", + "Linux", + "Mac", + "Windows" + ], + "Capabilities": [ + "Command Line Support", + "File Transfer", + "Install Windows updates", + "Receive notification when user performs a predefined event", + "Remote Command Line", + "Remote Control", + "Sound Capture", + "Start / Stop services", + "View event logs" + ], "Vulnerabilities": [], "InstallationPaths": [ - "rpcnet.exe", - "ctes.exe", - "ctespersitence.exe", - "cteshostsvc.exe", - "rpcld.exe" + "C:\\Program Files (x86)\\ScreenConnect Client (Random)\\ScreenConnect.ClientService.exe", + "Remote Workforce Client.exe", + "*\\*\\ScreenConnect.ClientService.exe", + "C:\\Program Files (x86)\\ScreenConnect Client ()\\*", + "*\\ScreenConnect Client*\\*", + "*\\*\\ScreenConnect.WindowsClient.exe", + "screenconnect*.exe", + "screenconnect.windowsclient.exe", + "Remote Workforce Client.exe", + "screenconnect*.exe", + "ConnectWiseControl*.exe", + "connectwise*.exe", + "screenconnect.windowsclient.exe", + "screenconnect.clientservice.exe" ] }, "Artifacts": { - "Disk": [], + "Disk": [ + { + "File": "C:\\Program Files*\\ScreenConnect\\App_Data\\Session.db", + "Description": "ScreenConnect session database", + "OS": "Windows" + }, + { + "File": "C:\\Program Files*\\ScreenConnect\\App_Data\\User.xml", + "Description": "ScreenConnect user configuration", + "OS": "Windows" + }, + { + "File": "C:\\ProgramData\\ScreenConnect Client*\\user.config", + 
"Description": "ScreenConnect client user configuration", + "OS": "Windows" + } + ], "EventLog": [], "Registry": [], "Network": [ { "Description": "Known remote domains", "Domains": [ - "*search.namequery.com", - "*server.absolute.com" + "control.connectwise.com", + "*.connectwise.com", + "*.screenconnect.com" ], "Ports": [] } 
@@ -12959,25 +13183,29 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/absolute__computrace__network_sigma.yml", - "Description": "Detects potential network activity of Absolute (Computrace) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_network_sigma.yml", + "Description": "Detects potential network activity of ScreenConnect RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/absolute__computrace__processes_sigma.yml", - "Description": "Detects potential processes activity of Absolute (Computrace) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_files_sigma.yml", + "Description": "Detects potential files activity of ScreenConnect RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_processes_sigma.yml", + "Description": "Detects potential processes activity of ScreenConnect RMM tool" } ], "References": [ - "https://community.absolute.com/s/article/Understanding-Absolutes-Endpoint-Agents-Rpcnet-CTES-and-search-namequery-com" + "https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours/" ], "Acknowledgement": [] }, { - "Name": "Quest KACE Agent (formerly Dell KACE)", - "Description": "Quest KACE Agent (formerly Dell KACE) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Microsoft TSC", + "Description": "Microsoft TSC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -12992,45 +13220,32 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "konea.exe" + "termsrv.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.kace.com", - "www.quest.com/kace/" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quest_kace_agent__formerly_dell_kace__network_sigma.yml", - "Description": "Detects potential network activity of Quest KACE Agent (formerly Dell KACE) RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quest_kace_agent__formerly_dell_kace__processes_sigma.yml", - "Description": "Detects potential processes activity of Quest KACE Agent (formerly Dell KACE) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_tsc_processes_sigma.yml", + "Description": "Detects potential processes activity of Microsoft TSC RMM tool" } ], "References": [ - "https://support.quest.com/kb/4211365/which-network-ports-and-urls-are-required-for-the-kace-sma-appliance-to-function" + "https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/terminal-server-startup-connection-application" ], "Acknowledgement": [] }, { - "Name": "DeskShare", - "Description": "DeskShare is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Tanium", + "Description": "Tanium is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/26/2024", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -13045,8 +13260,11 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "TeamTaskManager.exe", - "DSGuest.exe" + "TaniumClient.exe", + "TaniumCX.exe", + "TaniumExecWrapper.exe", + "TaniumFileInfo.exe", + "TPowerShell.exe" ] }, "Artifacts": { @@ -13057,7 +13275,8 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed" + "cloud.tanium.com", + "*.cloud.tanium.com" ], "Ports": [] } @@ -13065,25 +13284,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskshare_network_sigma.yml", - "Description": "Detects potential network activity of DeskShare RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_network_sigma.yml", + "Description": "Detects potential network activity of Tanium RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskshare_processes_sigma.yml", - "Description": "Detects potential processes activity of DeskShare RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_processes_sigma.yml", + "Description": "Detects potential processes activity of Tanium RMM tool" } ], "References": [ - "https://www.deskshare.com/help/fml/Active-and-Passive-connection-mode.aspx" + "https://help.tanium.com/bundle/ug_client_cloud/page/client/platform_connections.html" ], "Acknowledgement": [] }, { - "Name": "Pocket Cloud (Wyse)", - "Description": "Pocket Cloud (Wyse) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Ultra VNC", + "Description": "Ultra VNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -13098,8 +13317,11 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "pocketcloud*.exe", - "pocketcloudservice.exe" + "C:\\Program Files\\uvnc bvba\\UltraVNC\\*", + "*\\uvnc bvba\\UltraVNC\\*", + "*\\UVNC_Launch.exe", + "*\\winvnc.exe", + "*\\vncviewer.exe" ] }, "Artifacts": { @@ -13110,21 +13332,19 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_cloud__wyse__processes_sigma.yml", - "Description": "Detects potential processes activity of Pocket Cloud (Wyse) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultra_vnc_processes_sigma.yml", + "Description": "Detects potential processes activity of Ultra VNC RMM tool" } ], - "References": [ - "https://wyse-pocketcloud.informer.com/2.1/" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "ESET Remote Administrator", - "Description": "ESET Remote Administrator is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Remote Manipulator System", + "Description": "Remote Manipulator System is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -13139,11 +13359,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "einstaller.exe", - "era.exe", - "ERAAgent.exe", - "ezhelp*.exe", - "eratool.exe" + "rfusclient.exe", + "rutserv.exe" ] }, "Artifacts": { @@ -13154,8 +13371,8 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "eset.com/me/business/remote-management/remote-administrator/" + "*.internetid.ru", + "rmansys.ru" ], "Ports": [] } 
@@ -13163,25 +13380,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_network_sigma.yml", - "Description": "Detects potential network activity of ESET Remote Administrator RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_manipulator_system_network_sigma.yml", + "Description": "Detects potential network activity of Remote Manipulator System RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_processes_sigma.yml", - "Description": "Detects potential processes activity of ESET Remote Administrator RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_manipulator_system_processes_sigma.yml", + "Description": "Detects potential processes activity of Remote Manipulator System RMM tool" } ], "References": [ - "eset.com/me/business/remote-management/remote-administrator/" + "https://rmansys.ru/files/" ], "Acknowledgement": [] }, { - "Name": "Pilixo", - "Description": "Pilixo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Domotz", + "Description": "Domotz is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -13196,8 +13413,12 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "rdp.exe", - "Pilixo_Installer*.exe" + "domotz.exe", + "Domotz Pro Desktop App.exe", + "domotz_bash.exe", + "domotz*.exe", + "Domotz Pro Desktop App Setup*.exe", + "domotz-windows*.exe" ] }, "Artifacts": { 
@@ -13208,9 +13429,9 @@ { "Description": "Known remote domains", "Domains": [ - "pilixo.com", - "download.pilixo.com", - "*.pilixo.com" + "*.domotz.co", + "domotz.com", + "*cell-1.domotz.com" ], "Ports": [] } @@ -13218,22 +13439,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pilixo_network_sigma.yml", - "Description": "Detects potential network activity of Pilixo RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/domotz_network_sigma.yml", + "Description": "Detects potential network activity of Domotz RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pilixo_processes_sigma.yml", - "Description": "Detects potential processes activity of Pilixo RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/domotz_processes_sigma.yml", + "Description": "Detects potential processes activity of Domotz RMM tool" } ], "References": [ - "https://pilixo.freshdesk.com/support/solutions/articles/9000141879-device-connectivity-and-firewalls" + "https://help.domotz.com/tips-tricks/unblock-outgoing-connections-on-firewall/" ], "Acknowledgement": [] }, { - "Name": "CloudMounter", - "Description": "CloudMounter is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "FixMe", + "Description": "FixMe is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -13251,55 +13472,12 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files\\CloudMounter\\*", - "*\\CloudMounter\\*", - "*\\CloudMounter\\*", - "*\\cloudmounter.exe" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [] - }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudmounter_processes_sigma.yml", - "Description": "Detects potential processes activity of CloudMounter RMM tool" - } - ], - "References": [], - "Acknowledgement": [] - }, - { - "Name": "Mikogo", - "Description": "Mikogo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/7/2024", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "mikogo.exe", - "mikogo-starter.exe", - "mikogo-service.exe", - "mikogolauncher.exe", - "C:\\Users\\*\\AppData\\Roaming\\Mikogo\\*", - "*Users\\*\\AppData\\Roaming\\Mikogo\\*", - "*\\Mikogo-Service.exe", - "*\\Mikogo-Screen-Service.exe" + "FixMeit Client.exe", + "TiExpertStandalone.exe", + "FixMeitClient*.exe", + "TiExpertCore.exe", + "FixMeit Unattended Access Setup.exe", + "FixMeit Expert Setup.exe" ] }, "Artifacts": { @@ -13310,10 +13488,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.real-time-collaboration.com", - "*.mikogo4.com", - "*.mikogo.com", - "mikogo.com" + "fixme.it" ], "Ports": [] } 
@@ -13321,25 +13496,23 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mikogo_network_sigma.yml", - "Description": "Detects potential network activity of Mikogo RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme_network_sigma.yml", + "Description": "Detects potential network activity of FixMe RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mikogo_processes_sigma.yml", - "Description": "Detects potential processes activity of Mikogo RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme_processes_sigma.yml", + "Description": "Detects potential processes activity of FixMe RMM tool" } ], - "References": [ - "https://mikogo.zendesk.com/hc/en-us/articles/214072478-Which-IP-addresses-do-we-use-for-our-services" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "WebEx (Remote Access)", - "Description": "WebEx (Remote Access) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "rclone", + "Description": "rclone is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -13353,7 +13526,12 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "portable tool. No install path", + "portable tool. No install path", + "rclone*.zip", + "*\\rclone.exe" + ] }, "Artifacts": { "Disk": [], 
@@ -13361,15 +13539,18 @@ "Registry": [], "Network": [] }, - "Detections": [], - "References": [ - "https://help.webex.com/en-us/article/nyc3q0b/Set-Up-a-Computer-for-Remote-Access" + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rclone_processes_sigma.yml", + "Description": "Detects potential processes activity of rclone RMM tool" + } ], + "References": [], "Acknowledgement": [] }, { - "Name": "Koofr", - "Description": "Koofr is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Tanium Deploy", + "Description": "Tanium Deploy is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -13392,15 +13573,28 @@ "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "tanium.com/products/tanium-deploy" + ], + "Ports": [] + } + ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_deploy_network_sigma.yml", + "Description": "Detects potential network activity of Tanium Deploy RMM tool" + } + ], "References": [], "Acknowledgement": [] }, { - "Name": "Duplicati", - "Description": "Duplicati is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "N-ABLE Remote Access Software", + "Description": "N-ABLE Remote Access Software is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -13417,29 +13611,34 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "c:\\Program Files\\*\\Duplicati.Server.exe", - "*\\*\\Duplicati.Server.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "n-able.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/duplicati_processes_sigma.yml", - "Description": "Detects potential processes activity of Duplicati RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_remote_access_software_network_sigma.yml", + "Description": "Detects potential network activity of N-ABLE Remote Access Software RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "ManageEngine RMM Central", - "Description": "ManageEngine RMM Central is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Quick Assist", + "Description": "Quick Assist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -13456,7 +13655,9 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "quickassist.exe" + ] }, "Artifacts": { "Disk": [], @@ -13466,7 +13667,7 @@ { "Description": "Known remote domains", "Domains": [ - "manageengine.com/remote-monitoring-management/" + "*.support.services.microsoft.com" ], "Ports": [] } 
@@ -13474,60 +13675,134 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manageengine_rmm_central_network_sigma.yml", - "Description": "Detects potential network activity of ManageEngine RMM Central RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quick_assist_network_sigma.yml", + "Description": "Detects potential network activity of Quick Assist RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quick_assist_processes_sigma.yml", + "Description": "Detects potential processes activity of Quick Assist RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "WinSCP", - "Description": "WinSCP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "", + "Name": "AnyViewer", + "Description": "AnyViewer is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.\n", + "Author": "@kostastsale", + "Created": "2024-08-03", + "LastModified": "2024-08-03", "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], + "Website": "https://www.anyviewer.com/", + "PEMetadata": [ + { + "Filename": "AnyViewer.exe", + "OriginalFileName": "AnyViewer", + "Description": "Splash Window" + }, + { + "Filename": "RCClient.exe", + "OriginalFileName": "RCClient.exe", + "Description": "AnyViewer Core" + }, + { + "Filename": "ScreanCap.exe", + "Description": "Screan capture" + }, + { + "Filename": "AVCore.exe" + }, + { + "Filename": "RCService.exe" + } + ], + "Privileges": "System", + "Free": "up to 10 devices", + "Verification": "None", + "SupportedOS": [ + "Windows" + ], + "Capabilities": [ + "Remote desktop", + "Remote file transfer", + "Remote monitoring and management", + "Remote shell open" + ], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Users\\IEUser\\Downloads\\WinSCP-5.21.6-Portable\\*", - "*\\WinSCP*Portable\\*", - "*\\WinSCP.exe", - "*\\WinSCP\\*" + "C:\\Program Files (x86)\\AnyViewer\\*" ] }, "Artifacts": { "Disk": [], - "EventLog": [], + "EventLog": [ + { + "EventID": 4688, + "ProviderName": "Microsoft-Security-Auditing", + "LogFile": "Security.evtx", + "CommandLine": "\"C:\\\\Program Files (x86)\\\\AnyViewer\\\\AVCore.exe\" -d", + "Description": "Taking actions on the remote machine such as opening a command prompt." + }, + { + "EventID": 7045, + "ProviderName": "Service Control Manager", + "LogFile": "System.evtx", + "ServiceName": "RCService", + "ImagePath": "C:\\\\Program Files (x86)\\\\AnyViewer\\\\RCService.exe", + "Description": "AnyViewer service installation service." 
+ } + ], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "N/A", + "Domains": [ + "*.anyviewer.com" + ], + "Ports": [ + 443 + ] + }, + { + "Description": "N/A", + "Domains": [ + "*.aomeisoftware.com" + ], + "Ports": [ + 443 + ] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/winscp_processes_sigma.yml", - "Description": "Detects potential processes activity of WinSCP RMM tool" + "Name": "Arbitrary code execution and remote sessions via Action1 RMM", + "Description": "Threat hunting rule for detecting the execution of arbitrary code and remote sessions via Action1 RMM", + "author": "@kostastsale", + "Link": "https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/Anyviewer.yml" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyviewer_network_sigma.yml", + "Description": "Detects potential network activity of AnyViewer RMM tool" } ], - "References": [], - "Acknowledgement": [] + "References": [ + "https://www.anyviewer.com/how-to/how-to-open-firewall-ports-for-remote-desktop-0427-gc.html", + "https://www.anyviewer.com/help/remote-technical-support.html" + ], + "Acknowledgement": [ + { + "Person": "Kostas", + "Handle": "@kostastsale" + } + ] }, { - "Name": "GatherPlace-desktop sharing", - "Description": "GatherPlace-desktop sharing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Naverisk", + "Description": "Naverisk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -13542,9 +13817,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "gp3.exe", - "gp4.exe", - "gp5.exe" + "AgentSetup-*.exe" ] }, "Artifacts": { 
@@ -13555,9 +13828,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.gatherplace.com", - "*.gatherplace.net", - "gatherplace.com" + "user_managed", + "naverisk.com" ], "Ports": [] } @@ -13565,25 +13837,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gatherplace-desktop_sharing_network_sigma.yml", - "Description": "Detects potential network activity of GatherPlace-desktop sharing RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/naverisk_network_sigma.yml", + "Description": "Detects potential network activity of Naverisk RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gatherplace-desktop_sharing_processes_sigma.yml", - "Description": "Detects potential processes activity of GatherPlace-desktop sharing RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/naverisk_processes_sigma.yml", + "Description": "Detects potential processes activity of Naverisk RMM tool" } ], "References": [ - "https://www.gatherplace.com/kb?id=136377" + "http://kb.naverisk.com/en/articles/2811223-deploying-naverisk-agents" ], "Acknowledgement": [] }, { - "Name": "Laplink Gold", - "Description": "Laplink Gold is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Addigy", + "Description": "Addigy is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/27/2024", "Details": { "Website": "", "PEMetadata": { @@ -13598,8 +13870,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "tsircusr.exe", - "laplink.exe" + "addigy-*.pkg" ] }, "Artifacts": { 
@@ -13610,8 +13881,9 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "wen.laplink.com/product/laplink-gold" + "prod.addigy.com", + "grtmprod.addigy.com", + "agents.addigy.com" ], "Ports": [] } 
@@ -13619,77 +13891,187 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_gold_network_sigma.yml", - "Description": "Detects potential network activity of Laplink Gold RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_gold_processes_sigma.yml", - "Description": "Detects potential processes activity of Laplink Gold RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/addigy_network_sigma.yml", + "Description": "Detects potential network activity of Addigy RMM tool" } ], "References": [ - "wen.laplink.com/product/laplink-gold" + "https://addigy.com/" ], "Acknowledgement": [] }, { - "Name": "Centurion", - "Description": "Centurion is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/7/2024", + "Name": "Action1", + "Description": "Action1 is a powerful Remote Monitoring and Management(RMM) tool that enables users to execute commands, scripts, and binaries. 
\nThrough the web interface of action1, the administrator must create a new policy or an app to establish remote execution and then points that the agent is installed.\n", + "Author": "@kostastsale", + "Created": "2024-08-03", + "LastModified": "2024-08-03", "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], + "Website": "https://www.action1.com/", + "PEMetadata": [ + { + "Filename": "action1_connector.exe" + }, + { + "Filename": "action1_remote.exe" + }, + { + "Filename": "action1_update.exe" + }, + { + "Filename": "action1_agent.exe", + "OriginalFileName": "action1_agent.exe", + "Description": "Endpoint Agent" + } + ], + "Privileges": "SYSTEM", + "Free": "Yes", + "Verification": "Corporate email required although temporary email services are accepted", + "SupportedOS": [ + "Windows" + ], + "Capabilities": [ + "Backup and disaster recovery", + "Billing and invoicing", + "Customer portal", + "HelpDesk and ticketing", + "Mobile app", + "Network discovery", + "Patch management", + "Remote monitoring and management", + "Reporting and analytics" + ], "Vulnerabilities": [], "InstallationPaths": [ - "ctiserv.exe" + "C:\\Windows\\Action1\\*" ] }, "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], + "Disk": [ + { + "File": "C:\\Windows\\Action1\\action1_agent.exe", + "Description": "Action1 service binary", + "OS": "Windows" + }, + { + "File": "C:\\Windows\\Action1\\*", + "Description": "Multiple files and binaries related to Action1 installation", + "OS": "Windows" + }, + { + "File": "C:\\Windows\\Action1\\scripts\\*", + "Description": "Multiple scripts related to Action1 installation", + "OS": "Windows" + }, + { + "File": "C:\\Windows\\Action1\\rule_data\\*", + "Description": "Files related to Action1 rules", + "OS": "Windows" + }, + { + "File": "C:\\Windows\\Action1\\action1_log_*.log", + 
"Description": "Contains history, errors, system notifications. Incoming and outgoing connections.", + "OS": "Windows" + } + ], + "EventLog": [ + { + "EventID": 7045, + "ProviderName": "Service Control Manager", + "LogFile": "System.evtx", + "ServiceName": "Action1 Agent", + "ImagePath": "\"C:\\\\Windows\\\\Action1\\\\action1_agent.exe\"", + "Description": "Service installation event as result of Action1 installation." + }, + { + "EventID": 4688, + "ProviderName": "Microsoft-Security-Auditing", + "LogFile": "Security.evtx", + "CommandLine": "C:\\Windows\\Action1\\action1_agent.exe service", + "Description": "Service installation event as result of Action1 installation." + }, + { + "EventID": 4688, + "ProviderName": "Microsoft-Security-Auditing", + "LogFile": "Security.evtx", + "CommandLine": "C:\\Windows\\Action1\\action1_agent.exe loggedonuser", + "Description": "Executing command to get logged on user." + } + ], + "Registry": [ + { + "Path": "HKLM\\System\\CurrentControlSet\\Services\\A1Agent", + "Description": "Service installation event as result of Action1 installation." + }, + { + "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\action1_agent.exe", + "Description": "Ensures that detailed crash information is available for analysis, which aids in maintaining the stability and reliability of the software." 
+ }, + { + "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Action1", + "Description": "Storing its configuration settings and other relevant information" + } + ], "Network": [ { - "Description": "Known remote domains", + "Description": "N/A", "Domains": [ - "centuriontech.com" + "*.action1.com" ], - "Ports": [] + "Ports": [ + 443 + ] + }, + { + "Description": "N/A", + "Domains": [ + "a1-backend-packages.s3.amazonaws.com" + ], + "Ports": [ + 443 + ] } ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centurion_network_sigma.yml", - "Description": "Detects potential network activity of Centurion RMM tool" + "Name": "Arbitrary code execution and remote sessions via Action1 RMM", + "Description": "Threat hunting rule for detecting the execution of arbitrary code and remote sessions via Action1 RMM", + "author": "@kostastsale", + "Link": "https://github.com/tsale/Sigma_rules/blob/ea87e4fc851207ca0f002ec043624f2b3bf1b2da/Threat%20Hunting%20Queries/Action1_RMM.yml" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centurion_processes_sigma.yml", - "Description": "Detects potential processes activity of Centurion RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_registry_sigma.yml", + "Description": "Detects potential registry activity of Action1 RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_network_sigma.yml", + "Description": "Detects potential network activity of Action1 RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_files_sigma.yml", + "Description": "Detects potential files activity of Action1 RMM tool" } ], "References": [ - "https://data443.atlassian.net/servicedesk/customer/portal/20" + "https://www.action1.com/documentation/firewall-configuration/", + "https://www.action1.com/documentation/", + 
"https://twitter.com/Kostastsale/status/1646256901506605063?s=20", + "https://ruler-project.github.io/ruler-project/RULER/remote/Action1/" ], - "Acknowledgement": [] + "Acknowledgement": [ + { + "Person": "Kostas", + "Handle": "@kostastsale" + } + ] }, { - "Name": "Ivanti Remote Control", - "Description": "Ivanti Remote Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "AliWangWang-remote-control", + "Description": "AliWangWang-remote-control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -13704,9 +14086,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "IvantiRemoteControl.exe", - "ArcUI.exe", - "AgentlessRC.exe" + "alitask.exe" ] }, "Artifacts": { @@ -13717,7 +14097,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.ivanticloud.com" + "wangwang.taobao.com" ], "Ports": [] } 
@@ -13725,87 +14105,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ivanti_remote_control_network_sigma.yml", - "Description": "Detects potential network activity of Ivanti Remote Control RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aliwangwang-remote-control_network_sigma.yml", + "Description": "Detects potential network activity of AliWangWang-remote-control RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ivanti_remote_control_processes_sigma.yml", - "Description": "Detects potential processes activity of Ivanti Remote Control RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aliwangwang-remote-control_processes_sigma.yml", + "Description": "Detects potential processes activity of AliWangWang-remote-control RMM tool" } ], "References": [ - "https://rc1.ivanticloud.com/" + "https://github.com/KKomarov/AliWangWangEng/blob/master/chs.locale" ], "Acknowledgement": [] }, { - "Name": "NordLocker", - "Description": "NordLocker is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [] - }, - "Detections": [], - "References": [], - "Acknowledgement": [] - }, - { - "Name": "Cloud Turtle", - "Description": "Cloud Turtle is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\Program Files (x86)\\Genie9\\*", - "*\\Genie9\\*" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [] - }, - "Detections": [], - "References": [], - "Acknowledgement": [] - }, - { - "Name": "CloudExplorer", - "Description": "CloudExplorer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "FreeRDP", + "Description": "FreeRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -13835,42 +14150,11 @@ "Acknowledgement": [] }, { - "Name": "CloudHQ", - "Description": "CloudHQ is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "MioNet (Also known as WD Anywhere Access)", + "Description": "MioNet (Also known as WD Anywhere Access) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [] - }, - "Detections": [], - "References": [], - "Acknowledgement": [] - }, - { - "Name": "Xeox", - "Description": "Xeox is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -13885,48 +14169,31 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "xeox-agent_x64.exe", - "xeox_service_windows.exe", - "xeox-agent_*.exe", - "xeox-agent_x86.exe" + "mionet.exe", + "mionetmanager.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.xeox.com", - "xeox.com" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xeox_network_sigma.yml", - "Description": "Detects potential network activity of Xeox RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xeox_processes_sigma.yml", - "Description": "Detects potential processes activity of Xeox RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mionet__also_known_as_wd_anywhere_access__processes_sigma.yml", + "Description": "Detects potential processes activity of MioNet (Also known as WD Anywhere Access) RMM tool" } ], - "References": [ - "https://help.xeox.com/knowledge-base/gSuyNfDH6u79M82utnswf2/firewall-settings-xeox-agent-and-integrations/47T7S9tZJ2L1Z2W5gwuXoW" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "ezHelp", - "Description": "ezHelp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "SmartCode Web VNC", + "Description": "SmartCode Web VNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -13941,47 +14208,26 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ezhelpclientmanager.exe", - "ezHelpManager.exe", - "ezhelpclient.exe" + "C:\\Program Files\\TightVNC\\*", + "*\\TightVNC\\*" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.ezhelp.co.kr", - "ezhelp.co.kr" - ], - "Ports": [] - } - ] + "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ezhelp_network_sigma.yml", - "Description": "Detects potential network activity of ezHelp RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ezhelp_processes_sigma.yml", - "Description": "Detects potential processes activity of ezHelp RMM tool" - } - ], - "References": [ - "https://www.exhelp.co.kr" - ], + "Detections": [], + "References": [], "Acknowledgement": [] }, { - "Name": "Level.io", - "Description": "Level.io is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Onionshare", + "Description": "Onionshare is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -13996,44 +14242,30 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "level-windows-amd64.exe", - "level.exe", - "level-remote-control-ffmpeg.exe" + "C:\\Program Files (x86)\\OnionShare\\*", + "*\\OnionShare\\*", + "*\\onionshare*.exe", + "OnionShare-win*.msi" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "level.io", - "*.level.io" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_network_sigma.yml", - "Description": "Detects potential network activity of Level.io RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_processes_sigma.yml", - "Description": "Detects potential processes activity of Level.io RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/onionshare_processes_sigma.yml", + "Description": "Detects potential processes activity of Onionshare RMM tool" } ], - "References": [ - "https://docs.level.io/1.0/admin-guides/troubleshooting-agent-issues" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "MultCloud", - "Description": "MultCloud is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Air Live Drive", + "Description": "Air Live Drive is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -14051,8 +14283,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "requires sign up", - "requires sign up" + "C:\\Program Files\\AirLiveDrive\\*", + "*\\AirLiveDrive\\*", + "*\\AirLiveDrive.exe" ] }, "Artifacts": { 
@@ -14061,13 +14294,18 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/air_live_drive_processes_sigma.yml", + "Description": "Detects potential processes activity of Air Live Drive RMM tool" + } + ], "References": [], "Acknowledgement": [] }, { - "Name": "CloudGopher", - "Description": "CloudGopher is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Rocket Remote Desktop", + "Description": "Rocket Remote Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -14084,7 +14322,10 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "RDConsole.exe", + "RocketRemoteDesktop_Setup.exe" + ] }, "Artifacts": { "Disk": [], @@ -14092,16 +14333,21 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rocket_remote_desktop_processes_sigma.yml", + "Description": "Detects potential processes activity of Rocket Remote Desktop RMM tool" + } + ], "References": [], "Acknowledgement": [] }, { - "Name": "Synergy", - "Description": "Synergy is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "WebRDP", + "Description": "WebRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/26/2024", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { @@ -14115,7 +14361,9 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "webrdp.exe" + ] }, "Artifacts": { "Disk": [], 
@@ -14125,7 +14373,8 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed" + "user_managed", + "github.com/Mikej81/WebRDP" ], "Ports": [] } @@ -14133,18 +14382,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/synergy_network_sigma.yml", - "Description": "Detects potential network activity of Synergy RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/webrdp_network_sigma.yml", + "Description": "Detects potential network activity of WebRDP RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/webrdp_processes_sigma.yml", + "Description": "Detects potential processes activity of WebRDP RMM tool" } ], "References": [ - "https://symless.com/synergy" + "github.com/Mikej81/WebRDP" ], "Acknowledgement": [] }, { - "Name": "ConnectWise Control", - "Description": "ConnectWise Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "BeyondTrust", + "Description": "BeyondTrust is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -14161,47 +14414,24 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "screenconnect.clientservice.exe", - "connectwisecontrol.client.exe", - "screenconnect.windowsclient.exe", - "connectwisechat-customer.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "live.screenconnect.com", - "control.connectwise.com" - ], - "Ports": [] - } - ] + "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_network_sigma.yml", - "Description": "Detects potential network activity of ConnectWise Control RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_processes_sigma.yml", - "Description": "Detects potential processes activity of ConnectWise Control RMM tool" - } - ], + "Detections": [], "References": [], "Acknowledgement": [] }, { - "Name": "OptiTune", - "Description": "OptiTune is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "SuperOps", + "Description": "SuperOps is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/26/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -14216,8 +14446,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "OTService.exe", - "OTPowerShell.exe" + "superopsticket.exe", + "superops.exe" ] }, "Artifacts": { @@ -14228,8 +14458,11 @@ { "Description": "Known remote domains", "Domains": [ - "*.optitune.us", - "*.opti-tune.com" + "*.superopsbeta.com", + "superops.ai", + "serv.superopsalpha.com", + "*.superops.ai", + "*.superopsalpha.com" ], "Ports": [] } 
@@ -14237,22 +14470,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/optitune_network_sigma.yml", - "Description": "Detects potential network activity of OptiTune RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superops_network_sigma.yml", + "Description": "Detects potential network activity of SuperOps RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/optitune_processes_sigma.yml", - "Description": "Detects potential processes activity of OptiTune RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superops_processes_sigma.yml", + "Description": "Detects potential processes activity of SuperOps RMM tool" } ], "References": [ - "https://www.bravurasoftware.com/optitune/support/faq.aspx" + "https://support.superops.com/en/articles/6632028-how-to-download-and-deploy-the-agent" ], "Acknowledgement": [] }, { - "Name": "Netop", - "Description": "Netop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "RemotePass", + "Description": "RemotePass is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -14270,61 +14503,46 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files\\Danware Data\\NetOp Packn Deploy\\*", - "*\\Danware Data\\NetOp Packn Deploy\\*", - "*\\Netop Remote Control\\*" + "remotepass-access.exe", + "rpaccess.exe", + "rpwhostscr.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] - }, - "Detections": [], - "References": [], - "Acknowledgement": [] - }, - { - "Name": "ConnectWise", - "Description": "ConnectWise is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\Program Files (x86)\\ScreenConnect Client ()\\*", - "*\\ScreenConnect*Client*\\*" + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "remotepass.com" + ], + "Ports": [] + } ] }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [] - }, - "Detections": [], - "References": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepass_network_sigma.yml", + "Description": "Detects potential network activity of RemotePass RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepass_processes_sigma.yml", + "Description": "Detects potential processes activity of RemotePass RMM tool" + } + ], + "References": [ + "https://www.remotepass.com/rpaccess.html - DOA as of 2024" + ], "Acknowledgement": [] }, { - "Name": "Encapto", - "Description": "Encapto is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Name": "Itarian", + "Description": "Itarian is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -14338,7 +14556,18 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "ITSMAgent.exe", + "RViewer.exe", + "ItsmRsp.exe", + "RAccess.exe", + "RmmService.exe", + "ITarianRemoteAccessSetup.exe", + "RDesktop.exe", + "ComodoRemoteControl.exe", + "ITSMService.exe", + "RHost.exe" + ] }, "Artifacts": { "Disk": [], @@ -14348,7 +14577,11 @@ { "Description": "Known remote domains", "Domains": [ - "encapto.com" + "mdmsupport.comodo.com", + "*.itsm-us1.comodo.com", + "*.cmdm.comodo.com", + "remoteaccess.itarian.com", + "servicedesk.itarian.com" ], "Ports": [] } 
@@ -14356,187 +14589,78 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/encapto_network_sigma.yml", - "Description": "Detects potential network activity of Encapto RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itarian_network_sigma.yml", + "Description": "Detects potential network activity of Itarian RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itarian_processes_sigma.yml", + "Description": "Detects potential processes activity of Itarian RMM tool" } ], "References": [ - "https://www.encapto.com - used to manage Cisco services" + "https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html" ], "Acknowledgement": [] }, { - "Name": "Action1", - "Description": "Action1 is a powerful Remote Monitoring and Management(RMM) tool that enables users to execute commands, scripts, and binaries. \nThrough the web interface of action1, the administrator must create a new policy or an app to establish remote execution and then points that the agent is installed.\n", - "Author": "@kostastsale", - "Created": "2024-08-03", - "LastModified": "2024-08-03", + "Name": "PSEXEC", + "Description": "PSEXEC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/9/2024", "Details": { - "Website": "https://www.action1.com/", - "PEMetadata": [ - { - "Filename": "action1_connector.exe" - }, - { - "Filename": "action1_remote.exe" - }, - { - "Filename": "action1_update.exe" - }, - { - "Filename": "action1_agent.exe", - "OriginalFileName": "action1_agent.exe", - "Description": "Endpoint Agent" - } - ], - "Privileges": "SYSTEM", - "Free": "Yes", - "Verification": "Corporate email required although temporary email services are accepted", - "SupportedOS": [ - "Windows" - ], - "Capabilities": [ - "Backup and disaster recovery", - "Billing and invoicing", - "Customer portal", - "HelpDesk and ticketing", - "Mobile app", - "Network discovery", - "Patch management", - "Remote monitoring and management", - "Reporting and analytics" - ], + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Windows\\Action1\\*" + "psexec.exe", + "psexecsvc.exe" ] }, "Artifacts": { - "Disk": [ - { - "File": "C:\\Windows\\Action1\\action1_agent.exe", - "Description": "Action1 service binary", - "OS": "Windows" - }, - { - "File": "C:\\Windows\\Action1\\*", - "Description": "Multiple files and binaries related to Action1 installation", - "OS": "Windows" - }, - { - "File": "C:\\Windows\\Action1\\scripts\\*", - "Description": "Multiple scripts related to Action1 installation", - "OS": "Windows" - }, - { - "File": "C:\\Windows\\Action1\\rule_data\\*", - "Description": "Files related to Action1 rules", - "OS": "Windows" - }, - { - "File": "C:\\Windows\\Action1\\action1_log_*.log", - "Description": "Contains history, errors, system notifications. 
Incoming and outgoing connections.", - "OS": "Windows" - } - ], - "EventLog": [ - { - "EventID": 7045, - "ProviderName": "Service Control Manager", - "LogFile": "System.evtx", - "ServiceName": "Action1 Agent", - "ImagePath": "\"C:\\\\Windows\\\\Action1\\\\action1_agent.exe\"", - "Description": "Service installation event as result of Action1 installation." - }, - { - "EventID": 4688, - "ProviderName": "Microsoft-Security-Auditing", - "LogFile": "Security.evtx", - "CommandLine": "C:\\Windows\\Action1\\action1_agent.exe service", - "Description": "Service installation event as result of Action1 installation." - }, - { - "EventID": 4688, - "ProviderName": "Microsoft-Security-Auditing", - "LogFile": "Security.evtx", - "CommandLine": "C:\\Windows\\Action1\\action1_agent.exe loggedonuser", - "Description": "Executing command to get logged on user." - } - ], - "Registry": [ - { - "Path": "HKLM\\System\\CurrentControlSet\\Services\\A1Agent", - "Description": "Service installation event as result of Action1 installation." - }, - { - "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\action1_agent.exe", - "Description": "Ensures that detailed crash information is available for analysis, which aids in maintaining the stability and reliability of the software." 
- }, - { - "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Action1", - "Description": "Storing its configuration settings and other relevant information" - } - ], + "Disk": [], + "EventLog": [], + "Registry": [], "Network": [ { - "Description": "N/A", - "Domains": [ - "*.action1.com" - ], - "Ports": [ - 443 - ] - }, - { - "Description": "N/A", + "Description": "Known remote domains", "Domains": [ - "a1-backend-packages.s3.amazonaws.com" + "user_managed" ], - "Ports": [ - 443 - ] + "Ports": [] } ] }, "Detections": [ { - "Name": "Arbitrary code execution and remote sessions via Action1 RMM", - "Description": "Threat hunting rule for detecting the execution of arbitrary code and remote sessions via Action1 RMM", - "author": "@kostastsale", - "Link": "https://github.com/tsale/Sigma_rules/blob/ea87e4fc851207ca0f002ec043624f2b3bf1b2da/Threat%20Hunting%20Queries/Action1_RMM.yml" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_registry_sigma.yml", - "Description": "Detects potential registry activity of Action1 RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_network_sigma.yml", - "Description": "Detects potential network activity of Action1 RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec_network_sigma.yml", + "Description": "Detects potential network activity of PSEXEC RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_files_sigma.yml", - "Description": "Detects potential files activity of Action1 RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec_processes_sigma.yml", + "Description": "Detects potential processes activity of PSEXEC RMM tool" } ], "References": [ - "https://www.action1.com/documentation/firewall-configuration/", - "https://www.action1.com/documentation/", - 
"https://twitter.com/Kostastsale/status/1646256901506605063?s=20", - "https://ruler-project.github.io/ruler-project/RULER/remote/Action1/" + "https://learn.microsoft.com/en-us/sysinternals/downloads/psexec" ], - "Acknowledgement": [ - { - "Person": "Kostas", - "Handle": "@kostastsale" - } - ] + "Acknowledgement": [] }, { - "Name": "FleetDeck.io", - "Description": "FleetDeck.io is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Level.io", + "Description": "Level.io is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -14551,11 +14675,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "fleetdeck_agent_svc.exe", - "fleetdeck_commander_svc.exe", - "fleetdeck_installer.exe", - "fleetdeck_commander_launcher.exe", - "fleetdeck_agent.exe" + "level-windows-amd64.exe", + "level.exe", + "level-remote-control-ffmpeg.exe" ] }, "Artifacts": { @@ -14566,7 +14688,8 @@ { "Description": "Known remote domains", "Domains": [ - "fleetdeck.io" + "level.io", + "*.level.io" ], "Ports": [] } 
@@ -14574,23 +14697,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdeck.io_network_sigma.yml", - "Description": "Detects potential network activity of FleetDeck.io RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_network_sigma.yml", + "Description": "Detects potential network activity of Level.io RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdeck.io_processes_sigma.yml", - "Description": "Detects potential processes activity of FleetDeck.io RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_processes_sigma.yml", + "Description": "Detects potential processes activity of Level.io RMM tool" } ], - "References": [], + "References": [ + "https://docs.level.io/1.0/admin-guides/troubleshooting-agent-issues" + ], "Acknowledgement": [] }, { - "Name": "SuperPuTTY", - "Description": "SuperPuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ezHelp", + "Description": "ezHelp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -14605,33 +14730,47 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Downloads\\SuperPuTTY\\*", - "*Downloads\\SuperPuTTY\\*", - "*\\superputty.exe", - "*\\SuperPuTTY\\*" + "ezhelpclientmanager.exe", + "ezHelpManager.exe", + "ezhelpclient.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.ezhelp.co.kr", + "ezhelp.co.kr" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superputty_processes_sigma.yml", - "Description": "Detects potential processes activity of SuperPuTTY RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ezhelp_network_sigma.yml", + "Description": "Detects potential network activity of ezHelp RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ezhelp_processes_sigma.yml", + "Description": "Detects potential processes activity of ezHelp RMM tool" } ], - "References": [], + "References": [ + "https://www.exhelp.co.kr" + ], "Acknowledgement": [] }, { - "Name": "Royal Apps", - "Description": "Royal Apps is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Kabuto", + "Description": "Kabuto is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -14646,8 +14785,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "royalserver.exe", - "royalts.exe" + "Kabuto.App.Runner.exe" ] }, "Artifacts": { @@ -14658,7 +14796,8 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed" + "*.kabuto.io", + "repairtechsolutions.com/kabuto/" ], "Ports": [] } 
@@ -14666,25 +14805,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_apps_network_sigma.yml", - "Description": "Detects potential network activity of Royal Apps RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kabuto_network_sigma.yml", + "Description": "Detects potential network activity of Kabuto RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_apps_processes_sigma.yml", - "Description": "Detects potential processes activity of Royal Apps RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kabuto_processes_sigma.yml", + "Description": "Detects potential processes activity of Kabuto RMM tool" } ], "References": [ - "https://www.royalapps.com/ts/win/download" + "https://www.repairtechsolutions.com/documentation/kabuto/" ], "Acknowledgement": [] }, { - "Name": "Tanium Deploy", - "Description": "Tanium Deploy is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Synergy", + "Description": "Synergy is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/26/2024", "Details": { "Website": "", "PEMetadata": { @@ -14708,7 +14847,7 @@ { "Description": "Known remote domains", "Domains": [ - "tanium.com/products/tanium-deploy" + "user_managed" ], "Ports": [] } 
@@ -14716,19 +14855,21 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_deploy_network_sigma.yml", - "Description": "Detects potential network activity of Tanium Deploy RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/synergy_network_sigma.yml", + "Description": "Detects potential network activity of Synergy RMM tool" } ], - "References": [], + "References": [ + "https://symless.com/synergy" + ], "Acknowledgement": [] }, { - "Name": "Zabbix Agent", - "Description": "Zabbix Agent is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ConnectWise", + "Description": "ConnectWise is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -14743,45 +14884,26 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "zabbix_agent*.exe" + "C:\\Program Files (x86)\\ScreenConnect Client ()\\*", + "*\\ScreenConnect*Client*\\*" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "user_managed", - "zabbix.com" - ], - "Ports": [] - } - ] + "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zabbix_agent_network_sigma.yml", - "Description": "Detects potential network activity of Zabbix Agent RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zabbix_agent_processes_sigma.yml", - "Description": "Detects potential processes activity of Zabbix Agent RMM tool" - } - ], - "References": [ - "https://www.zabbix.com/documentation/current/en/manual/appendix/install/windows_agent" - ], + "Detections": [], + "References": [], "Acknowledgement": [] }, { - "Name": "Weezo", - "Description": "Weezo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "TigerVNC", + "Description": "TigerVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "2/26/2024", "Details": { "Website": "", "PEMetadata": { @@ -14796,9 +14918,11 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "weezohttpd.exe", - "weezo.exe", - "weezo setup*.exe" + "tigervnc*.exe", + "winvnc4.exe", + "C:\\Program Files\\TightVNC\\*", + "*\\TightVNC\\*", + "*\\tvnserver.exe" ] }, "Artifacts": { @@ -14809,10 +14933,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.weezo.me", - "weezo.net", - "*.weezo.net", - "weezo.en.softonic.com" + "user_managed" ], "Ports": [] } 
@@ -14820,85 +14941,148 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/weezo_network_sigma.yml", - "Description": "Detects potential network activity of Weezo RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tigervnc_network_sigma.yml", + "Description": "Detects potential network activity of TigerVNC RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/weezo_processes_sigma.yml", - "Description": "Detects potential processes activity of Weezo RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tigervnc_processes_sigma.yml", + "Description": "Detects potential processes activity of TigerVNC RMM tool" } ], "References": [ - "weezo.en.softonic.com" + "https://github.com/TigerVNC/tigervnc/releases" ], "Acknowledgement": [] }, { - "Name": "BeInSync", - "Description": "BeInSync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/26/2024", + "Name": "GoToMyPC", + "Description": "GoToMyPC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.\n", + "Author": "Nasreddine Bencherchali", + "Created": "2024-08-05", + "LastModified": "2024-08-05", "Details": { "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "Beinsync*.exe" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [ + "PEMetadata": [ + { + "Filename": "AppCore.exe" + }, + { + "Filename": "g2comm.exe" + }, + { + "Filename": "g2file*.exe" + }, + { + "Filename": "g2fileh.exe" + }, + { + "Filename": "g2host.exe" + }, + { + "Filename": "g2m_download.exe" + }, + { + "Filename": "g2mainh.exe" + }, + { + "Filename": "G2MChat.exe" + }, + { + "Filename": "G2MCodecInstExtractor.exe" + }, + { + "Filename": "G2MComm.exe" + }, + { + "Filename": "G2MCoreInstExtractor.exe" + }, + { + "Filename": "G2MFeedback.exe" + }, + { + "Filename": "G2MHost.exee" + }, + { + "Filename": "G2MInstaller.exe" + }, + { + "Filename": "G2MInstallerExtractor.exe" + }, + { + "Filename": "G2MInstHigh.exe" + }, + { + "Filename": "G2MLauncher.exe" + }, + { + "Filename": "G2MMatchMaking.exe" + }, + { + "Filename": "G2MMaterials.exe" + }, + { + "Filename": "G2MPolling.exe" + }, + { + "Filename": "G2MQandA.exe" + }, + { + "Filename": "G2MRecorder.exe" + }, + { + "Filename": "G2MScrUtil64.exe" + }, + { + "Filename": "G2MSessionControl.exe" + }, + { + "Filename": "G2MStart.exe" + }, + { + "Filename": "G2MTesting.exe" + }, + { + "Filename": "G2MTranscoder.exe" + }, + { + "Filename": "G2MUI.exe" + }, { - "Description": "Known remote domains", - "Domains": [ - "*.beinsync.net", - "*.beinsync.com" - ], - "Ports": [] + "Filename": "G2MUninstall.exe" + }, + { + "Filename": "g2mupload.exe" + }, + { + "Filename": "g2mvideoconference.exe" + }, + { + "Filename": "G2MView.exe" + }, + { + "Filename": 
"g2printh.exe" + }, + { + "Filename": "g2quick.exe" + }, + { + "Filename": "g2svc.exe" + }, + { + "Filename": "g2tray.exe" + }, + { + "Filename": "gopcsrv.exe" + }, + { + "Filename": "GoToScrUtils.exe" + }, + { + "Filename": "GoTo.exe", + "OriginalFileName": "", + "Description": "" } - ] - }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beinsync_network_sigma.yml", - "Description": "Detects potential network activity of BeInSync RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beinsync_processes_sigma.yml", - "Description": "Detects potential processes activity of BeInSync RMM tool" - } - ], - "References": [ - "https://en.wikipedia.org/wiki/Phoenix_Technologies" - ], - "Acknowledgement": [] - }, - { - "Name": "ScreenMeet", - "Description": "ScreenMeet is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/7/2024", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, + ], "Privileges": "", "Free": "", "Verification": "", 
@@ -14906,46 +15090,80 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ScreenMeetSupport.exe", - "ScreenMeet.Support.exe" + "C:\\Program Files (x86)\\GoToMyPC\\*" ] }, "Artifacts": { - "Disk": [], + "Disk": [ + { + "File": "%AppData%\\GoTo\\Logs\\goto.log", + "Description": "N/A", + "OS": "Windows" + } + ], "EventLog": [], - "Registry": [], + "Registry": [ + { + "Path": "HKEY_LOCAL_MACHINE\\WOW6432Node\\Citrix\\GoToMyPc", + "Description": "Configuration settings including registration email" + }, + { + "Path": "HKEY_LOCAL_MACHINE\\WOW6432Node\\Citrix\\GoToMyPc\\GuestInvite", + "Description": "Guest invites send to connect" + }, + { + "Path": "HKEY_CURRENT_USER\\SOFTWARE\\Citrix\\GoToMyPc\\FileTransfer\\history", + "Description": "hostname of the computer making connections and location of transferred files" + }, + { + "Path": "HKEY_USERS\\\\SOFTWARE\\Citrix\\GoToMyPc\\FileTransfer\\history", + "Description": "hostname of the computer making connections and location of transferred files" + } + ], "Network": [ { - "Description": "Known remote domains", + "Description": "N/A", "Domains": [ - "*.screenmeet.com", - "*.scrn.mt" + "*.GoToMyPC.com" ], - "Ports": [] + "Ports": [ + "N/A" + ] } ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenmeet_network_sigma.yml", - "Description": "Detects potential network activity of ScreenMeet RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_registry_sigma.yml", + "Description": "Detects potential registry activity of GoToMyPC RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenmeet_processes_sigma.yml", - "Description": "Detects potential processes activity of ScreenMeet RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_network_sigma.yml", + "Description": "Detects potential network activity of GoToMyPC RMM 
tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_files_sigma.yml", + "Description": "Detects potential files activity of GoToMyPC RMM tool" } ], "References": [ - "https://docs.screenmeet.com/docs/firewall-white-list" + "https://support.logmeininc.com/gotomypc/help/what-are-the-optimal-firewall-configurations#", + "https://support.goto.com/training/help/how-do-i-configure-gototraining-to-work-with-firewalls", + "https://ruler-project.github.io/ruler-project/RULER/remote/Citrix%20GoToMyPC/" ], - "Acknowledgement": [] + "Acknowledgement": [ + { + "Person": "Phill Moore", + "Handle": "@phillmoore" + } + ] }, { - "Name": "MyIVO", - "Description": "MyIVO is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Laplink Everywhere", + "Description": "Laplink Everywhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -14960,8 +15178,12 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "myivomgr.exe", - "myivomanager.exe" + "laplink.exe", + "laplink-everywhere-setup*.exe", + "laplinkeverywhere.exe", + "llrcservice.exe", + "serverproxyservice.exe", + "OOSysAgent.exe" ] }, "Artifacts": { @@ -14972,7 +15194,9 @@ { "Description": "Known remote domains", "Domains": [ - "myivo-server.software.informer.com" + "everywhere.laplink.com", + "le.laplink.com", + "atled.syspectr.com" ], "Ports": [] } 
@@ -14980,25 +15204,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/myivo_network_sigma.yml", - "Description": "Detects potential network activity of MyIVO RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_everywhere_network_sigma.yml", + "Description": "Detects potential network activity of Laplink Everywhere RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/myivo_processes_sigma.yml", - "Description": "Detects potential processes activity of MyIVO RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_everywhere_processes_sigma.yml", + "Description": "Detects potential processes activity of Laplink Everywhere RMM tool" } ], "References": [ - "myivo.com - DOA as of 2024" + "https://everywhere.laplink.com/docs" ], "Acknowledgement": [] }, { - "Name": "LabTech RMM (Now ConnectWise Automate)", - "Description": "LabTech RMM (Now ConnectWise Automate) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Syspectr", + "Description": "Syspectr is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/26/2024", "Details": { "Website": "", "PEMetadata": { @@ -15013,9 +15237,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ltsvc.exe", - "ltsvcmon.exe", - "lttray.exe" + "oo-syspectr*.exe", + "OOSysAgent.exe" ] }, "Artifacts": { @@ -15026,7 +15249,8 @@ { "Description": "Known remote domains", "Domains": [ - "connectwise.com" + "atled.syspectr.com", + "app.syspectr.com" ], "Ports": [] } 
@@ -15034,23 +15258,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labtech_rmm__now_connectwise_automate__network_sigma.yml", - "Description": "Detects potential network activity of LabTech RMM (Now ConnectWise Automate) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syspectr_network_sigma.yml", + "Description": "Detects potential network activity of Syspectr RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labtech_rmm__now_connectwise_automate__processes_sigma.yml", - "Description": "Detects potential processes activity of LabTech RMM (Now ConnectWise Automate) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syspectr_processes_sigma.yml", + "Description": "Detects potential processes activity of Syspectr RMM tool" } ], - "References": [], + "References": [ + "https://www.syspectr.com/en/installation-in-a-network" + ], "Acknowledgement": [] }, { - "Name": "Kabuto", - "Description": "Kabuto is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Remote Utilities", + "Description": "Remote Utilities is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -15065,7 +15291,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "Kabuto.App.Runner.exe" + "rutview.exe", + "rutserv.exe" ] }, "Artifacts": { @@ -15076,8 +15303,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.kabuto.io", - "repairtechsolutions.com/kabuto/" + "*.internetid.ru" ], "Ports": [] } 
@@ -15085,53 +15311,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kabuto_network_sigma.yml", - "Description": "Detects potential network activity of Kabuto RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_utilities_network_sigma.yml", + "Description": "Detects potential network activity of Remote Utilities RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kabuto_processes_sigma.yml", - "Description": "Detects potential processes activity of Kabuto RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_utilities_processes_sigma.yml", + "Description": "Detects potential processes activity of Remote Utilities RMM tool" } ], "References": [ - "https://www.repairtechsolutions.com/documentation/kabuto/" + "https://www.remoteutilities.com/download/" ], "Acknowledgement": [] }, { - "Name": "FreeRDP", - "Description": "FreeRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [] - }, - "Detections": [], - "References": [], - "Acknowledgement": [] - }, - { - "Name": "ZOC", - "Description": "ZOC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Remcos", + "Description": "Remcos is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -15149,9 +15344,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files\\ZOC8\\*", - "*\\ZOC?\\*", - "*\\zoc.exe" + "remcos*.exe" ] }, "Artifacts": { @@ -15162,19 +15355,19 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoc_processes_sigma.yml", - "Description": "Detects potential processes activity of ZOC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remcos_processes_sigma.yml", + "Description": "Detects potential processes activity of Remcos RMM tool" } ], "References": [], "Acknowledgement": [] }, - { - "Name": "AliWangWang-remote-control", - "Description": "AliWangWang-remote-control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + { + "Name": "ISL Online", + "Description": "ISL Online is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -15189,7 +15382,13 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "alitask.exe" + "islalwaysonmonitor.exe", + "isllight.exe", + "isllightservice.exe", + "ISLLightClient.exe", + "C:\\Program Files (x86)\\ISL Online\\ISL Light*", + "*\\ISL Online\\ISL Light*", + "*\\ISLLight.exe" ] }, "Artifacts": { @@ -15200,7 +15399,8 @@ { "Description": "Known remote domains", "Domains": [ - "wangwang.taobao.com" + "*.islonline.com", + "*.islonline.net" ], "Ports": [] } 
@@ -15208,25 +15408,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aliwangwang-remote-control_network_sigma.yml", - "Description": "Detects potential network activity of AliWangWang-remote-control RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_network_sigma.yml", + "Description": "Detects potential network activity of ISL Online RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aliwangwang-remote-control_processes_sigma.yml", - "Description": "Detects potential processes activity of AliWangWang-remote-control RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_processes_sigma.yml", + "Description": "Detects potential processes activity of ISL Online RMM tool" } ], "References": [ - "https://github.com/KKomarov/AliWangWangEng/blob/master/chs.locale" + "https://help.islonline.com/19818/165940" ], "Acknowledgement": [] }, { - "Name": "Goverlan", - "Description": "Goverlan is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "DragonDisk", + "Description": "DragonDisk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -15241,52 +15441,32 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "goverrmc.exe", - "govsrv*.exe", - "GovAgentInstallHelper.exe", - "GovAgentx64.exe", - "GovReachClient.exe", - "C:\\Program Files (x86)\\PJ Technologies\\GOVsrv\\*", - "*\\PJ Technologies\\GOVsrv\\*", - "*\\GovSrv.exe" + "C:\\Program Files (x86)\\Almageste\\DragonDisk\\*", + "*\\Almageste\\DragonDisk\\*", + "*\\DragonDisk.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "user_managed", - "goverlan.com" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/goverlan_network_sigma.yml", - "Description": "Detects potential network activity of Goverlan RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/goverlan_processes_sigma.yml", - "Description": "Detects potential processes activity of Goverlan RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dragondisk_processes_sigma.yml", + "Description": "Detects potential processes activity of DragonDisk RMM tool" } ], - "References": [ - "https://www.goverlan.com/pdf/Goverlan-Remote-Control-Software.pdf" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "Microsoft Quick Assist", - "Description": "Microsoft Quick Assist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "FleetDeck.io", + "Description": "FleetDeck.io is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -15301,7 +15481,11 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "quickassist.exe" + "fleetdeck_agent_svc.exe", + "fleetdeck_commander_svc.exe", + "fleetdeck_installer.exe", + "fleetdeck_commander_launcher.exe", + "fleetdeck_agent.exe" ] }, "Artifacts": { @@ -15312,7 +15496,7 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed" + "fleetdeck.io" ], "Ports": [] } @@ -15320,25 +15504,23 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_quick_assist_network_sigma.yml", - "Description": "Detects potential network activity of Microsoft Quick Assist RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdeck.io_network_sigma.yml", + "Description": "Detects potential network activity of FleetDeck.io RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_quick_assist_processes_sigma.yml", - "Description": "Detects potential processes activity of Microsoft Quick Assist RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdeck.io_processes_sigma.yml", + "Description": "Detects potential processes activity of FleetDeck.io RMM tool" } ], - "References": [ - "https://support.microsoft.com/en-us/windows/install-quick-assist-c17479b7-a49d-4d12-938c-dbfb97c88bca" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "N-Able Advanced Monitoring Agent", - "Description": "N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Chrome Remote Desktop", + "Description": "Chrome Remote Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -15353,13 +15535,11 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "BASupSrvc.exe", - "winagent.exe", - "BASupApp.exe", - "BASupTSHelper.exe", - "Agent_*_RW.exe", - "BASEClient.exe", - "BASupSrvcCnfg.exe" + "remote_host.exe", + "remoting_host.exe", + "C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\*", + "*\\Google\\Chrome Remote Desktop\\*", + "*\\remoting_host.exe" ] }, "Artifacts": { @@ -15370,25 +15550,9 @@ { "Description": "Known remote domains", "Domains": [ - "*.beanywhere.com ", - "systemmonitor.co.uk", - "*system-monitor.com", - "cloudbackup.management", - "*systemmonitor.co.uk", - "n-able.com", - "systemmonitor.us", - "*systemmonitor.eu.com", - "*.logicnow.com", - "*.swi-tc.com", - "*remote.management", - "systemmonitor.us.cdn.cloudflare.net", - "*cloudbackup.management", - "remote.management", - "logicnow.com", - "system-monitor.com", - "*systemmonitor.us", - "systemmonitor.eu.com", - "*.n-able.com" + "*remotedesktop-pa.googleapis.com", + "*remotedesktop.google.com", + "remotedesktop.google.com" ], "Ports": [] } 
@@ -15396,22 +15560,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_network_sigma.yml", - "Description": "Detects potential network activity of N-Able Advanced Monitoring Agent RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_network_sigma.yml", + "Description": "Detects potential network activity of Chrome Remote Desktop RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_processes_sigma.yml", - "Description": "Detects potential processes activity of N-Able Advanced Monitoring Agent RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_processes_sigma.yml", + "Description": "Detects potential processes activity of Chrome Remote Desktop RMM tool" } ], "References": [ - "https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm" + "https://support.google.com/chrome/a/answer/2799701?hl=en" ], "Acknowledgement": [] }, { - "Name": "Ocamlfuse", - "Description": "Ocamlfuse is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "RealVNC", + "Description": "RealVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -15441,60 +15605,8 @@ "Acknowledgement": [] }, { - "Name": "MyGreenPC", - "Description": "MyGreenPC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/26/2024", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "mygreenpc.exe" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*mygreenpc.com" - ], - "Ports": [] - } - ] - }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mygreenpc_network_sigma.yml", - "Description": "Detects potential network activity of MyGreenPC RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mygreenpc_processes_sigma.yml", - "Description": "Detects potential processes activity of MyGreenPC RMM tool" - } - ], - "References": [ - "http://www.mygreenpc.com/" - ], - "Acknowledgement": [] - }, - { - "Name": "Syncthing", - "Description": "Syncthing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "rsync", + "Description": "rsync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -15511,11 +15623,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\Users\\*\\AppData\\Roaming\\SyncTrayzor\\*", - "*Users\\*\\AppData\\Roaming\\SyncTrayzor\\*", - "*\\Syncthing.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], 
@@ -15523,21 +15631,16 @@ "Registry": [], "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncthing_processes_sigma.yml", - "Description": "Detects potential processes activity of Syncthing RMM tool" - } - ], + "Detections": [], "References": [], "Acknowledgement": [] }, { - "Name": "Chrome Remote Desktop", - "Description": "Chrome Remote Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Datto", + "Description": "Datto is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -15551,13 +15654,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "remote_host.exe", - "remoting_host.exe", - "C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\*", - "*\\Google\\Chrome Remote Desktop\\*", - "*\\remoting_host.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], @@ -15567,9 +15664,7 @@ { "Description": "Known remote domains", "Domains": [ - "*remotedesktop.google.com", - "*remotedesktop-pa.googleapis.com", - "remotedesktop.google.com" + "datto.com" ], "Ports": [] } 
@@ -15577,25 +15672,19 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_network_sigma.yml", - "Description": "Detects potential network activity of Chrome Remote Desktop RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_processes_sigma.yml", - "Description": "Detects potential processes activity of Chrome Remote Desktop RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/datto_network_sigma.yml", + "Description": "Detects potential network activity of Datto RMM tool" } ], - "References": [ - "https://support.google.com/chrome/a/answer/2799701?hl=en" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "Microsoft RDP", - "Description": "Microsoft RDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "CloudExplorer", + "Description": "CloudExplorer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -15609,11 +15698,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "termsrv.exe", - "mstsc.exe", - "Microsoft Remote Desktop" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], 
@@ -15621,23 +15706,16 @@ "Registry": [], "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_rdp_processes_sigma.yml", - "Description": "Detects potential processes activity of Microsoft RDP RMM tool" - } - ], - "References": [ - "https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/windows" - ], + "Detections": [], + "References": [], "Acknowledgement": [] }, { - "Name": "Chrome Remote Desktop", - "Description": "Chrome Remote Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Supremo", + "Description": "Supremo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/13/2024", "Details": { "Website": "", "PEMetadata": { @@ -15652,11 +15730,10 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "remote_host.exe", - "remoting_host.exe", - "C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\*", - "*\\Google\\Chrome Remote Desktop\\*", - "*\\remoting_host.exe" + "supremo.exe", + "supremoservice.exe", + "supremosystem.exe", + "supremohelper.exe" ] }, "Artifacts": { @@ -15667,9 +15744,9 @@ { "Description": "Known remote domains", "Domains": [ - "*remotedesktop-pa.googleapis.com", - "*remotedesktop.google.com", - "remotedesktop.google.com" + "supremocontrol.com", + "*.supremocontrol.com", + "* .nanosystems.it" ], "Ports": [] } 
@@ -15677,25 +15754,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_network_sigma.yml", - "Description": "Detects potential network activity of Chrome Remote Desktop RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/supremo_network_sigma.yml", + "Description": "Detects potential network activity of Supremo RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_processes_sigma.yml", - "Description": "Detects potential processes activity of Chrome Remote Desktop RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/supremo_processes_sigma.yml", + "Description": "Detects potential processes activity of Supremo RMM tool" } ], "References": [ - "https://support.google.com/chrome/a/answer/2799701?hl=en" + "https://www.supremocontrol.com/frequently-asked-questions/" ], "Acknowledgement": [] }, { - "Name": "Remote Desktop Plus", - "Description": "Remote Desktop Plus is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "GoToAssist Agent Desktop Console", + "Description": "GoToAssist Agent Desktop Console is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -15710,44 +15787,26 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "rdp.exe" + "C:\\*\\G2RDesktopConsole-x64.msi", + "*\\G2RDesktopConsole-x64.msi" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "donkz.nl" - ], - "Ports": [] - } - ] + "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_desktop_plus_network_sigma.yml", - "Description": "Detects potential network activity of Remote Desktop Plus RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_desktop_plus_processes_sigma.yml", - "Description": "Detects potential processes activity of Remote Desktop Plus RMM tool" - } - ], - "References": [ - "https://www.donkz.nl/" - ], + "Detections": [], + "References": [], "Acknowledgement": [] }, { - "Name": "NateOn-desktop sharing", - "Description": "NateOn-desktop sharing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ConnectWise Control", + "Description": "ConnectWise Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -15762,9 +15821,10 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "nateon*.exe", - "nateon.exe", - "nateonmain.exe" + "screenconnect.clientservice.exe", + "connectwisecontrol.client.exe", + "screenconnect.windowsclient.exe", + "connectwisechat-customer.exe" ] }, "Artifacts": { @@ -15775,7 +15835,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.nate.com" + "live.screenconnect.com", + "control.connectwise.com" ], "Ports": [] } 
@@ -15783,25 +15844,23 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nateon-desktop_sharing_network_sigma.yml", - "Description": "Detects potential network activity of NateOn-desktop sharing RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_network_sigma.yml", + "Description": "Detects potential network activity of ConnectWise Control RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nateon-desktop_sharing_processes_sigma.yml", - "Description": "Detects potential processes activity of NateOn-desktop sharing RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_processes_sigma.yml", + "Description": "Detects potential processes activity of ConnectWise Control RMM tool" } ], - "References": [ - "http://rsupport.nate.com/rview/r8/main/index.aspx" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "Barracuda", - "Description": "Barracuda is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "RemoteView", + "Description": "RemoteView is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -15815,7 +15874,12 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "remoteview.exe", + "rv.exe", + "rvagent.exe", + "rvagtray.exe" + ] }, "Artifacts": { "Disk": [], @@ -15825,9 +15889,9 @@ { "Description": "Known remote domains", "Domains": [ - "*.islonline.net", - "rmm.barracudamsp.com", - "barracudamsp.com" + "*content.rview.com", + "*.rview.com", + "content.rview.com" ], "Ports": [] } 
@@ -15835,18 +15899,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/barracuda_network_sigma.yml", - "Description": "Detects potential network activity of Barracuda RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteview_network_sigma.yml", + "Description": "Detects potential network activity of RemoteView RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteview_processes_sigma.yml", + "Description": "Detects potential processes activity of RemoteView RMM tool" } ], "References": [ - "https://help.islonline.com/19799/166125" + "https://help.rview.com/hc/en-us/articles/360005175994--RemoteView-Server-list-for-firewall" ], "Acknowledgement": [] }, { - "Name": "Dropbox", - "Description": "Dropbox is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "VNC Connect", + "Description": "VNC Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -15864,10 +15932,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\Dropbox\\Client\\*", - "*\\Dropbox\\Client\\*", - "*\\Dropbox.exe", - "*Users\\*\\Dropbox\\bin\\" + "C:\\Program Files\\RealVNC\\VNC Server\\*", + "*\\RealVNC\\VNC Server\\*" ] }, "Artifacts": { 
@@ -15876,21 +15942,16 @@ "Registry": [], "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dropbox_processes_sigma.yml", - "Description": "Detects potential processes activity of Dropbox RMM tool" - } - ], + "Detections": [], "References": [], "Acknowledgement": [] }, { - "Name": "CrossTec Remote Control", - "Description": "CrossTec Remote Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Syncthing", + "Description": "Syncthing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -15905,46 +15966,32 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "PCIVIDEO.EXE", - "supporttool.exe" + "C:\\Users\\*\\AppData\\Roaming\\SyncTrayzor\\*", + "*Users\\*\\AppData\\Roaming\\SyncTrayzor\\*", + "*\\Syncthing.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "user_managed", - "crosstecsoftware.com/remotecontrol" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crosstec_remote_control_network_sigma.yml", - "Description": "Detects potential network activity of CrossTec Remote Control RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crosstec_remote_control_processes_sigma.yml", - "Description": "Detects potential processes activity of CrossTec Remote Control RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncthing_processes_sigma.yml", + "Description": "Detects potential processes activity of Syncthing RMM tool" } ], - "References": [ - "www.crosstecsoftware.com/supporthome.html - domain DOA 2/1/2024" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "DeskDay", - "Description": "DeskDay is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "KHelpDesk", + "Description": "KHelpDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/26/2024", "Details": { "Website": "", "PEMetadata": { @@ -15959,7 +16006,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ultimate_*.exe" + "KHelpDesk.exe" ] }, "Artifacts": { 
@@ -15970,8 +16017,7 @@ { "Description": "Known remote domains", "Domains": [ - "deskday.ai", - "app.deskday.ai" + "*.khelpdesk.com.br" ], "Ports": [] } @@ -15979,22 +16025,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskday_network_sigma.yml", - "Description": "Detects potential network activity of DeskDay RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/khelpdesk_network_sigma.yml", + "Description": "Detects potential network activity of KHelpDesk RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskday_processes_sigma.yml", - "Description": "Detects potential processes activity of DeskDay RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/khelpdesk_processes_sigma.yml", + "Description": "Detects potential processes activity of KHelpDesk RMM tool" } ], "References": [ - "https://support.deskday.ai/en/articles/8235973-installing-the-end-user-application-ultimate" + "https://www.khelpdesk.com.br/en-us" ], "Acknowledgement": [] }, { - "Name": "mRemoteNG", - "Description": "mRemoteNG is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Netop Remote Control (Impero Connect)", + "Description": "Netop Remote Control (Impero Connect) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", 
@@ -16012,69 +16058,50 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "mRemoteNG.exe", - "C:\\Program Files (x86)\\mRemoteNG\\*", - "*\\mRemoteNG\\*", - "*\\mRemoteNG.exe", - "c:\\Program Files (x86)%\\mRemoteNG", - "*%\\mRemoteNG", - "mRemoteNG-Installer-*.msi", - "*\\mRemoteNG.exe" + "nhostsvc.exe", + "nhstw32.exe", + "ngstw32.exe", + "Netop Ondemand.exe", + "nldrw32.exe", + "rmserverconsolemediator.exe", + "ImperoInit.exe", + "Connect.Backdrop.cloud*.exe", + "ImperoClientSVC.exe" ] }, "Artifacts": { - "Disk": [ - { - "File": "C:\\Users\\*\\AppData\\Roaming\\mRemoteNG\\mRemoteNG.log", - "Description": "mRemoteNG log file", - "OS": "Windows" - }, - { - "File": "C:\\Users\\*\\AppData\\Roaming\\mRemoteNG\\confCons.xml", - "Description": "mRemoteNG configuration file", - "OS": "Windows" - }, - { - "File": "C:\\Users\\*\\AppData\\*\\mRemoteNG\\**10\\user.config", - "Description": "mRemoteNG user configuration file", - "OS": "Windows" - } - ], + "Disk": [], "EventLog": [], "Registry": [], "Network": [ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "mremoteng.org" + "*.connect.backdrop.cloud", + "*.netop.com" ], "Ports": [] } ] }, "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_network_sigma.yml", - "Description": "Detects potential network activity of mRemoteNG RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_files_sigma.yml", - "Description": "Detects potential files activity of mRemoteNG RMM tool" + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__impero_connect__network_sigma.yml", + "Description": "Detects potential network activity of Netop Remote Control (Impero Connect) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_processes_sigma.yml", - "Description": "Detects potential processes 
activity of mRemoteNG RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__impero_connect__processes_sigma.yml", + "Description": "Detects potential processes activity of Netop Remote Control (Impero Connect) RMM tool" } ], "References": [ - "https://github.com/mRemoteNG/mRemoteNG" + "https://kb.netop.com/article/firewall-and-proxy-server-considerations-when-using-netop-portal-communication-373.html" ], "Acknowledgement": [] }, { - "Name": "FreeNX", - "Description": "FreeNX is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Bitvise SSH Server", + "Description": "Bitvise SSH Server is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -16092,8 +16119,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\*\\nxplayer.exe", - "*\\nxplayer.exe" + "C:\\Program Files\\Bitvise SSH Server\\*", + "*\\Bitvise SSH Server\\*", + "*\\BvSshServer-Inst.exe" ] }, "Artifacts": { 
@@ -16104,19 +16132,19 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/freenx_processes_sigma.yml", - "Description": "Detects potential processes activity of FreeNX RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bitvise_ssh_server_processes_sigma.yml", + "Description": "Detects potential processes activity of Bitvise SSH Server RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "NetSupport Manager", - "Description": "NetSupport Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Cloud Turtle", + "Description": "Cloud Turtle is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -16131,48 +16159,26 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "pcictlui.exe", - "client32.exe", - "pcicfgui.exe" + "C:\\Program Files (x86)\\Genie9\\*", + "*\\Genie9\\*" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "geo.netsupportsoftware.com", - "netsupportmanager.com", - "*.netsupportmanager.com" - ], - "Ports": [] - } - ] + "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_network_sigma.yml", - "Description": "Detects potential network activity of NetSupport Manager RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_processes_sigma.yml", - "Description": "Detects potential processes activity of NetSupport Manager RMM tool" - } - ], - "References": [ - "https://www.netsupportmanager.com/resources/" - ], + "Detections": [], + "References": [], "Acknowledgement": [] }, { - "Name": "rdp2tcp", - "Description": "rdp2tcp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Apple Remote Desktop", + "Description": "Apple Remote Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/24/2024", "Details": { "Website": "", "PEMetadata": { @@ -16187,8 +16193,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "tdp2tcp.exe", - "rdp2tcp.py" + "ARDAgent.app" ] }, "Artifacts": { @@ -16199,8 +16204,7 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "github.com/V-E-O/rdp2tcp" + "user_managed" ], "Ports": [] } 
@@ -16208,25 +16212,21 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdp2tcp_network_sigma.yml", - "Description": "Detects potential network activity of rdp2tcp RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdp2tcp_processes_sigma.yml", - "Description": "Detects potential processes activity of rdp2tcp RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/apple_remote_desktop_network_sigma.yml", + "Description": "Detects potential network activity of Apple Remote Desktop RMM tool" } ], "References": [ - "github.com/V-E-O/rdp2tcp" + "https://support.apple.com/guide/remote-desktop/install-and-set-up-remote-desktop-apdf49e03a4/mac" ], "Acknowledgement": [] }, { - "Name": "ITSupport247 (ConnectWise)", - "Description": "ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Chrome SSH Extension", + "Description": "Chrome SSH Extension is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -16241,42 +16241,54 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "saazapsc.exe" + "C:\\Users\\*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\iodihamcpbpeioajjeobimgagajmlibd*", + "*Users\\*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\iodihamcpbpeioajjeobimgagajmlibd*" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.itsupport247.net", - "itsupport247.net" - ], - "Ports": [] - } - ] + "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__network_sigma.yml", - "Description": "Detects potential network activity of ITSupport247 (ConnectWise) RMM tool" + "Detections": [], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "CloudGopher", + "Description": "CloudGopher is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__processes_sigma.yml", - "Description": "Detects potential processes activity of ITSupport247 (ConnectWise) RMM tool" - } - ], - "References": [ - "https://control.itsupport247.net/" - ], + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [], + "References": [], "Acknowledgement": [] }, { - "Name": "Pulseway", - "Description": "Pulseway is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Name": "NetSupport Manager", + "Description": "NetSupport Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -16294,8 +16306,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "PCMonitorManager.exe", - "pcmonitorsrv.exe" + "pcictlui.exe", + "client32.exe", + "pcicfgui.exe" ] }, "Artifacts": { @@ -16306,7 +16319,9 @@ { "Description": "Known remote domains", "Domains": [ - "pulseway.com" + "geo.netsupportsoftware.com", + "netsupportmanager.com", + "*.netsupportmanager.com" ], "Ports": [] } 
@@ -16314,25 +16329,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pulseway_network_sigma.yml", - "Description": "Detects potential network activity of Pulseway RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_network_sigma.yml", + "Description": "Detects potential network activity of NetSupport Manager RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pulseway_processes_sigma.yml", - "Description": "Detects potential processes activity of Pulseway RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_processes_sigma.yml", + "Description": "Detects potential processes activity of NetSupport Manager RMM tool" } ], "References": [ - "https://intercom.help/pulseway/en/" + "https://www.netsupportmanager.com/resources/" ], "Acknowledgement": [] }, { - "Name": "Naverisk", - "Description": "Naverisk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ESET Remote Administrator", + "Description": "ESET Remote Administrator is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -16347,7 +16362,11 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "AgentSetup-*.exe" + "era.exe", + "einstaller.exe", + "ezhelp*.exe", + "eratool.exe", + "ERAAgent.exe" ] }, "Artifacts": { @@ -16359,7 +16378,7 @@ "Description": "Known remote domains", "Domains": [ "user_managed", - "naverisk.com" + "eset.com/me/business/remote-management/remote-administrator/" ], "Ports": [] } 
@@ -16367,22 +16386,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/naverisk_network_sigma.yml", - "Description": "Detects potential network activity of Naverisk RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_network_sigma.yml", + "Description": "Detects potential network activity of ESET Remote Administrator RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/naverisk_processes_sigma.yml", - "Description": "Detects potential processes activity of Naverisk RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_processes_sigma.yml", + "Description": "Detects potential processes activity of ESET Remote Administrator RMM tool" } ], "References": [ - "http://kb.naverisk.com/en/articles/2811223-deploying-naverisk-agents" + "eset.com/me/business/remote-management/remote-administrator/" ], "Acknowledgement": [] }, { - "Name": "Total Software Deployment", - "Description": "Total Software Deployment is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Yandex.Disk", + "Description": "Yandex.Disk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -16400,10 +16419,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\ProgramData\\Total Software Deployment\\*", - "*\\Total Software Deployment\\*", - "*\\tniwinagent.exe", - "*\\Tsdservice.exe" + "C:\\Program Files (x86)\\Yandex\\*", + "*\\Yandex\\*", + "*\\YandexDisk2.exe" ] }, "Artifacts": { 
@@ -16414,19 +16432,19 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/total_software_deployment_processes_sigma.yml", - "Description": "Detects potential processes activity of Total Software Deployment RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/yandex.disk_processes_sigma.yml", + "Description": "Detects potential processes activity of Yandex.Disk RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "ISL Online", - "Description": "ISL Online is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "N-Able Advanced Monitoring Agent", + "Description": "N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -16441,13 +16459,13 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "islalwaysonmonitor.exe", - "isllight.exe", - "isllightservice.exe", - "ISLLightClient.exe", - "C:\\Program Files (x86)\\ISL Online\\ISL Light*", - "*\\ISL Online\\ISL Light*", - "*\\ISLLight.exe" + "BASupSrvc.exe", + "winagent.exe", + "BASupApp.exe", + "BASupTSHelper.exe", + "Agent_*_RW.exe", + "BASEClient.exe", + "BASupSrvcCnfg.exe" ] }, "Artifacts": { 
@@ -16458,8 +16476,25 @@ { "Description": "Known remote domains", "Domains": [ - "*.islonline.com", - "*.islonline.net" + "*.beanywhere.com ", + "systemmonitor.co.uk", + "*system-monitor.com", + "cloudbackup.management", + "*systemmonitor.co.uk", + "n-able.com", + "systemmonitor.us", + "*systemmonitor.eu.com", + "*.logicnow.com", + "*.swi-tc.com", + "*remote.management", + "systemmonitor.us.cdn.cloudflare.net", + "*cloudbackup.management", + "remote.management", + "logicnow.com", + "system-monitor.com", + "*systemmonitor.us", + "systemmonitor.eu.com", + "*.n-able.com" ], "Ports": [] } 
@@ -16467,25 +16502,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_network_sigma.yml", - "Description": "Detects potential network activity of ISL Online RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_network_sigma.yml", + "Description": "Detects potential network activity of N-Able Advanced Monitoring Agent RMM tool" }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_processes_sigma.yml", - "Description": "Detects potential processes activity of ISL Online RMM tool" + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_processes_sigma.yml", + "Description": "Detects potential processes activity of N-Able Advanced Monitoring Agent RMM tool" } ], "References": [ - "https://help.islonline.com/19818/165940" + "https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm" ], "Acknowledgement": [] }, { - "Name": "NinjaOne (formerly NinjaRMM)", - "Description": "NinjaOne (formerly NinjaRMM) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "MyIVO", + "Description": "MyIVO is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -16500,22 +16535,42 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "*ProgramData\\NinjaRMMAgent\\*" + "myivomgr.exe", + "myivomanager.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "myivo-server.software.informer.com" + ], + "Ports": [] + } + ] }, - "Detections": [], - "References": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/myivo_network_sigma.yml", + "Description": "Detects potential network activity of MyIVO RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/myivo_processes_sigma.yml", + "Description": "Detects potential processes activity of MyIVO RMM tool" + } + ], + "References": [ + "myivo.com - DOA as of 2024" + ], "Acknowledgement": [] }, { - "Name": "Microsoft OneDrive", - "Description": "Microsoft OneDrive is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "FreeFileSync", + "Description": "FreeFileSync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -16532,7 +16587,11 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "C:\\Program Files\\FreeFileSync\\*", + "*\\FreeFileSync\\*", + "*\\FreeFileSync.exe" + ] }, "Artifacts": { "Disk": [], 
@@ -16540,16 +16599,21 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/freefilesync_processes_sigma.yml", + "Description": "Detects potential processes activity of FreeFileSync RMM tool" + } + ], "References": [], "Acknowledgement": [] }, { - "Name": "QQ IM-remote assistance", - "Description": "QQ IM-remote assistance is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ITSupport247 (ConnectWise)", + "Description": "ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -16564,9 +16628,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "qq.exe", - "QQProtect.exe", - "qqpcmgr.exe" + "saazapsc.exe" ] }, "Artifacts": { @@ -16577,10 +16639,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.mdt.qq.com", - "*.desktop.qq.com", - "upload_data.qq.com", - "qq-messenger.en.softonic.com" + "*.itsupport247.net" ], "Ports": [] } 
@@ -16588,25 +16647,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/qq_im-remote_assistance_network_sigma.yml", - "Description": "Detects potential network activity of QQ IM-remote assistance RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__network_sigma.yml", + "Description": "Detects potential network activity of ITSupport247 (ConnectWise) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/qq_im-remote_assistance_processes_sigma.yml", - "Description": "Detects potential processes activity of QQ IM-remote assistance RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__processes_sigma.yml", + "Description": "Detects potential processes activity of ITSupport247 (ConnectWise) RMM tool" } ], "References": [ - "https://en.wikipedia.org/wiki/Tencent_QQ" + "https://control.itsupport247.net/" ], "Acknowledgement": [] }, { - "Name": "Distant Desktop", - "Description": "Distant Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "VNC", + "Description": "VNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { @@ -16621,9 +16680,13 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ddsystem.exe", - "dd.exe", - "distant-desktop.exe" + "winvnc*.exe", + "vncserver.exe", + "winwvc.exe", + "winvncsc.exe", + "vncserverui.exe", + "vncviewer.exe", + "winvnc.exe" ] }, "Artifacts": { 
@@ -16634,8 +16697,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.distantdesktop.com", - "*signalserver.xyz" + "user_managed", + "realvnc.com/en/connect/download/vnc" ], "Ports": [] } @@ -16643,25 +16706,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_network_sigma.yml", - "Description": "Detects potential network activity of Distant Desktop RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/vnc_network_sigma.yml", + "Description": "Detects potential network activity of VNC RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_processes_sigma.yml", - "Description": "Detects potential processes activity of Distant Desktop RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/vnc_processes_sigma.yml", + "Description": "Detects potential processes activity of VNC RMM tool" } ], "References": [ - "https://www.distantdesktop.com/manual/first-start.htm" + "https://realvnc.com/en/connect/download/vnc" ], "Acknowledgement": [] }, { - "Name": "FixMe.it", - "Description": "FixMe.it is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ServerEye", + "Description": "ServerEye is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -16676,18 +16739,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "FixMeit Unattended Access Setup.exe", - "TiExpertStandalone.exe", - "FixMeitClient*.exe", - "FixMeit Client.exe", - "FixMeit Expert Setup.exe", - "TiExpertCore.exe", - "fixmeitclient.exe", - "TiClientCore.exe", - "TiClientHelper*.exe", - "no installation required | recommend blocking fixme[.]it SaaS portal", - "no installation required | recommend blocking fixme[.]it SaaS portal", - "9380CC75B872221A7425D7503565B67580407F60" + "servereye*.exe", + "ServiceProxyLocalSys.exe" ] }, "Artifacts": { @@ -16698,11 +16751,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.fixme.it", - "*.techinline.net", - "fixme.it", - "*set.me", - "*setme.net" + "*.server-eye.de" ], "Ports": [] } 
@@ -16710,25 +16759,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme.it_network_sigma.yml", - "Description": "Detects potential network activity of FixMe.it RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/servereye_network_sigma.yml", + "Description": "Detects potential network activity of ServerEye RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme.it_processes_sigma.yml", - "Description": "Detects potential processes activity of FixMe.it RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/servereye_processes_sigma.yml", + "Description": "Detects potential processes activity of ServerEye RMM tool" } ], "References": [ - "https://docs.fixme.it/general-questions/which-ports-and-servers-does-fixme-it-use" + "https://www.servereye.de/wp-content/uploads/Anleitung-zur-Erstinstallation_aktuell.pdf" ], "Acknowledgement": [] }, { - "Name": "FileZilla", - "Description": "FileZilla is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Rapid7", + "Description": "Rapid7 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -16743,32 +16792,47 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files\\FileZilla FTP Client\\*", - "*\\FileZilla FTP Client\\*", - "*\\FileZilla.exe" + "ir_agent.exe", + "rapid7_agent_core.exe", + "rapid7_endpoint_broker.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.analytics.insight.rapid7.com", + "*.endpoint.ingress.rapid7.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/filezilla_processes_sigma.yml", - "Description": "Detects potential processes activity of FileZilla RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rapid7_network_sigma.yml", + "Description": "Detects potential network activity of Rapid7 RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rapid7_processes_sigma.yml", + "Description": "Detects potential processes activity of Rapid7 RMM tool" } ], - "References": [], + "References": [ + "https://docs.rapid7.com/insightvm/configure-communications-with-the-insight-platform/" + ], "Acknowledgement": [] }, { - "Name": "Microsoft RDP", - "Description": "Microsoft RDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "GoToAssist (GoTo Resolve)", + "Description": "GoToAssist (GoTo Resolve) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -16783,7 +16847,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "mstsc.exe" + "C:\\ProgramFiles*\\GoTo Machine Installer\\*", + "*\\GoTo Machine Installer\\*", + "*\\GoTo\\*" ] }, "Artifacts": { 
@@ -16792,23 +16858,16 @@ "Registry": [], "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_rdp_processes_sigma.yml", - "Description": "Detects potential processes activity of Microsoft RDP RMM tool" - } - ], - "References": [ - "https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/windows" - ], + "Detections": [], + "References": [], "Acknowledgement": [] }, { - "Name": "RuDesktop", - "Description": "RuDesktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Ocamlfuse", + "Description": "Ocamlfuse is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -16822,44 +16881,21 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "rd.exe", - "rudesktop*.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.rudesktop.ru", - "rudesktop.ru" - ], - "Ports": [] - } - ] + "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rudesktop_network_sigma.yml", - "Description": "Detects potential network activity of RuDesktop RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rudesktop_processes_sigma.yml", - "Description": "Detects potential processes activity of RuDesktop RMM tool" - } - ], - "References": [ - "https://rudesktop.ru" - ], + "Detections": [], + "References": [], "Acknowledgement": [] }, { - "Name": "BeyondTrust (Bomgar)", - "Description": "BeyondTrust (Bomgar) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "GetScreen", + "Description": "GetScreen is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/7/2024", @@ -16877,11 +16913,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "bomgar-scc-*.exe", - "bomgar-scc.exe", - "bomgar-pac-*.exe", - "bomgar-pac.exe", - "bomgar-rdp.exe" + "GetScreen.exe", + "getscreen.exe" ] }, "Artifacts": { @@ -16892,9 +16925,9 @@ { "Description": "Known remote domains", "Domains": [ - "*.beyondtrustcloud.com", - "*.bomgarcloud.com", - "bomgarcloud.com" + "getscreen.me", + "GetScreen.me", + "*.getscreen.me" ], "Ports": [] } 
@@ -16902,22 +16935,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__network_sigma.yml", - "Description": "Detects potential network activity of BeyondTrust (Bomgar) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/getscreen_network_sigma.yml", + "Description": "Detects potential network activity of GetScreen RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__processes_sigma.yml", - "Description": "Detects potential processes activity of BeyondTrust (Bomgar) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/getscreen_processes_sigma.yml", + "Description": "Detects potential processes activity of GetScreen RMM tool" } ], "References": [ - "https://www.beyondtrust.com/docs/remote-support/getting-started/deployment/cloud/network.htm" + "https://docs.getscreen.me/self-hosted/system-requirements/" ], "Acknowledgement": [] }, { - "Name": "FreeFileSync", - "Description": "FreeFileSync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "MobaXterm", + "Description": "MobaXterm is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -16935,9 +16968,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files\\FreeFileSync\\*", - "*\\FreeFileSync\\*", - "*\\FreeFileSync.exe" + "C:\\*\\MobaXterm_installer_12.1.msi", + "*\\MobaXterm_installer_*.msi", + "*\\Mobatek\\MobaXterm\\*" ] }, "Artifacts": { 
@@ -16946,21 +16979,16 @@ "Registry": [], "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/freefilesync_processes_sigma.yml", - "Description": "Detects potential processes activity of FreeFileSync RMM tool" - } - ], + "Detections": [], "References": [], "Acknowledgement": [] }, { - "Name": "TightVNC", - "Description": "TightVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "CrossTec Remote Control", + "Description": "CrossTec Remote Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -16975,9 +17003,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "tvnviewer.exe", - "TightVNCViewerPortable*.exe", - "tvnserver.exe" + "PCIVIDEO.EXE", + "supporttool.exe" ] }, "Artifacts": { @@ -16989,7 +17016,7 @@ "Description": "Known remote domains", "Domains": [ "user_managed", - "tightvnc.com" + "crosstecsoftware.com/remotecontrol" ], "Ports": [] } 
@@ -16997,25 +17024,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tightvnc_network_sigma.yml", - "Description": "Detects potential network activity of TightVNC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crosstec_remote_control_network_sigma.yml", + "Description": "Detects potential network activity of CrossTec Remote Control RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tightvnc_processes_sigma.yml", - "Description": "Detects potential processes activity of TightVNC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crosstec_remote_control_processes_sigma.yml", + "Description": "Detects potential processes activity of CrossTec Remote Control RMM tool" } ], "References": [ - "https://www.tightvnc.com/doc/win/TightVNC_for_Windows-Installation_and_Getting_Started.pdf" + "www.crosstecsoftware.com/supporthome.html - domain DOA 2/1/2024" ], "Acknowledgement": [] }, { - "Name": "MeshCentral", - "Description": "MeshCentral is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Absolute (Computrace)", + "Description": "Absolute (Computrace) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "6/18/2024", "Details": { "Website": "", "PEMetadata": { @@ -17030,8 +17057,11 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "meshcentral*.exe", - "mesh*.exe" + "rpcnet.exe", + "ctes.exe", + "ctespersitence.exe", + "cteshostsvc.exe", + "rpcld.exe" ] }, "Artifacts": { @@ -17042,8 +17072,8 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "meshcentral.com" + "*search.namequery.com", + "*server.absolute.com" ], "Ports": [] } 
@@ -17051,22 +17081,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_network_sigma.yml", - "Description": "Detects potential network activity of MeshCentral RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/absolute__computrace__network_sigma.yml", + "Description": "Detects potential network activity of Absolute (Computrace) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_processes_sigma.yml", - "Description": "Detects potential processes activity of MeshCentral RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/absolute__computrace__processes_sigma.yml", + "Description": "Detects potential processes activity of Absolute (Computrace) RMM tool" } ], "References": [ - "https://ylianst.github.io/MeshCentral/meshcentral/" + "https://community.absolute.com/s/article/Understanding-Absolutes-Endpoint-Agents-Rpcnet-CTES-and-search-namequery-com" ], "Acknowledgement": [] }, { - "Name": "CuteFTP", - "Description": "CuteFTP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Xshell", + "Description": "Xshell is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -17084,9 +17114,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\Globalscape\\CuteFTP\\*", - "*\\Globalscape\\CuteFTP\\*", - "*\\cuteftppro.exe" + "C:\\Program Files (x86)\\NetSarang\\xShell\\*", + "*\\NetSarang\\xShell\\*", + "*\\xShell.exe" ] }, "Artifacts": { 
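Review bot: the Xshell entry, like every entry introduced in these hunks, carries the template sentence "Xshell is a remote monitoring and management (RMM) tool. More information will be added as it becomes available." as its `Description`, which misdescribes an SSH client and is indistinguishable from curated text for anyone parsing the feed; emit an empty string when no curated description exists and keep the placeholder wording in the site template. The `InstallationPaths` forms are also inconsistent across the file: Xshell gets a full `C:\\Program Files (x86)\\NetSarang\\xShell\\*` glob plus the `*\\NetSarang\\xShell\\*` and `*\\xShell.exe` variants, while entries such as TightVNC or CrossTec list bare executable names (`tvnviewer.exe`, `PCIVIDEO.EXE`); normalising on one form (or separating `Executables` from `Paths`) would make the generated rules easier to verify.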
@@ -17097,60 +17127,16 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cuteftp_processes_sigma.yml", - "Description": "Detects potential processes activity of CuteFTP RMM tool" - } - ], - "References": [], - "Acknowledgement": [] - }, - { - "Name": "Dev Tunnels (aka Visual Studio Dev Tunnel)", - "Description": "Dev Tunnels (aka Visual Studio Dev Tunnel) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview" - ], - "Ports": [] - } - ] - }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dev_tunnels__aka_visual_studio_dev_tunnel__network_sigma.yml", - "Description": "Detects potential network activity of Dev Tunnels (aka Visual Studio Dev Tunnel) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xshell_processes_sigma.yml", + "Description": "Detects potential processes activity of Xshell RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "CarotDAV", - "Description": "CarotDAV is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Amazon (Cloud) Drive", + "Description": "Amazon (Cloud) Drive is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
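Review bot: this hunk removes the entire Dev Tunnels (aka Visual Studio Dev Tunnel) entry together with its `dev_tunnels__aka_visual_studio_dev_tunnel__network_sigma.yml` link, and nothing in the visible diff re-adds it; if the upstream YAML still exists this is a generator regression, and if the entry was dropped on purpose that should be recorded, because a generated-files commit gives no hint either way. The removed entry also shows that nothing validates `Domains` on the way in: it held `learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview`, a documentation URL, in a list meant for hostnames. A check that rejects values containing `/` would have caught both this and the CrossTec path earlier in the diff.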
@@ -17168,9 +17154,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\Rei Software\\CarotDAV\\*", - "*\\Rei Software\\CarotDAV\\*", - "*\\CarotDAV.exe" + "C:\\Users\\*\\AppData\\Local\\Amazon\\Cloud Drive\\*", + "*\\AppData\\Local\\Amazon\\Cloud Drive\\*", + "*\\AmazonCloudDrive.exe" ] }, "Artifacts": { @@ -17181,19 +17167,19 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/carotdav_processes_sigma.yml", - "Description": "Detects potential processes activity of CarotDAV RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/amazon__cloud__drive_processes_sigma.yml", + "Description": "Detects potential processes activity of Amazon (Cloud) Drive RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "Bitvise SSH Server", - "Description": "Bitvise SSH Server is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "MyGreenPC", + "Description": "MyGreenPC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/26/2024", "Details": { "Website": "", "PEMetadata": { 
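Review bot: `"LastModified": "2/26/2024"` (and every other date in this file) uses an ambiguous M/D/YYYY form; an ISO 8601 value such as `2024-02-26` sorts correctly as a string and avoids day/month confusion for readers outside the US. The generator could also fill the empty `"LastModified": ""` fields seen on the Xshell and Amazon (Cloud) Drive entries from the source file's history instead of emitting an empty string that consumers must special-case.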
@@ -17208,32 +17194,44 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files\\Bitvise SSH Server\\*", - "*\\Bitvise SSH Server\\*", - "*\\BvSshServer-Inst.exe" + "mygreenpc.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*mygreenpc.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bitvise_ssh_server_processes_sigma.yml", - "Description": "Detects potential processes activity of Bitvise SSH Server RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mygreenpc_network_sigma.yml", + "Description": "Detects potential network activity of MyGreenPC RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mygreenpc_processes_sigma.yml", + "Description": "Detects potential processes activity of MyGreenPC RMM tool" } ], - "References": [], + "References": [ + "http://www.mygreenpc.com/" + ], "Acknowledgement": [] }, { - "Name": "Pandora RC (eHorus)", - "Description": "Pandora RC (eHorus) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Level.io", + "Description": "Level.io is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -17248,8 +17246,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ehorus standalone.exe", - "ehorus_agent.exe" + "level-windows-amd64.exe", + "level.exe", + "level-remote-control-ffmpeg.exe" ] }, "Artifacts": { @@ -17260,7 +17259,8 @@ { "Description": "Known remote domains", "Domains": [ - "portal.ehorus.com" + "level.io", + "*.level.io" ], "Ports": [] } 
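Review bot: the MyGreenPC domain pattern `"*mygreenpc.com"` lacks a dot after the wildcard, so it matches any host ending in that string, whereas the Level.io entry two hunks later uses the clean `"level.io", "*.level.io"` pair; normalise the wildcard form across the file so the generated network rules behave consistently. The MyGreenPC reference `http://www.mygreenpc.com/` is also plain HTTP; where the vendor serves the page over HTTPS, prefer that URL so the rendered link does not send readers over cleartext.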
@@ -17268,25 +17268,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pandora_rc__ehorus__network_sigma.yml", - "Description": "Detects potential network activity of Pandora RC (eHorus) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_network_sigma.yml", + "Description": "Detects potential network activity of Level.io RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pandora_rc__ehorus__processes_sigma.yml", - "Description": "Detects potential processes activity of Pandora RC (eHorus) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_processes_sigma.yml", + "Description": "Detects potential processes activity of Level.io RMM tool" } ], "References": [ - "https://pandorafms.com/manual/!current/en/documentation/09_pandora_rc/01_pandora_rc_introduction" + "https://docs.level.io/1.0/admin-guides/troubleshooting-agent-issues" ], "Acknowledgement": [] }, { - "Name": "DW Service", - "Description": "DW Service is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Microsoft Quick Assist", + "Description": "Microsoft Quick Assist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -17301,9 +17301,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "dwagsvc.exe", - "dwagent.exe", - "dwagsvc.exe" + "quickassist.exe" ] }, "Artifacts": { @@ -17314,7 +17312,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.dwservice.net" + "user_managed" ], "Ports": [] } 
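Review bot: the Microsoft Quick Assist entry lists `"user_managed"` as its only domain yet still links a `microsoft_quick_assist_network_sigma.yml` rule; `user_managed` is a sentinel, not a hostname, and because it sits inside `Domains` next to real hostnames elsewhere in this diff (`"user_managed", "tightvnc.com"`), a consumer that ingests the JSON as an indicator feed will treat it as a literal domain. Represent it as a separate boolean (or drop it from `Domains`) and skip emitting a network detection link when no concrete domain remains. The removed DW Service entry also listed `dwagsvc.exe` twice in `InstallationPaths`; if the generator does not deduplicate that list, the same will recur.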
@@ -17322,22 +17320,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_network_sigma.yml", - "Description": "Detects potential network activity of DW Service RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_quick_assist_network_sigma.yml", + "Description": "Detects potential network activity of Microsoft Quick Assist RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_processes_sigma.yml", - "Description": "Detects potential processes activity of DW Service RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_quick_assist_processes_sigma.yml", + "Description": "Detects potential processes activity of Microsoft Quick Assist RMM tool" } ], "References": [ - "https://news.dwservice.net/dwservice-security-infrastructure/" + "https://support.microsoft.com/en-us/windows/install-quick-assist-c17479b7-a49d-4d12-938c-dbfb97c88bca" ], "Acknowledgement": [] }, { - "Name": "Iperius Remote", - "Description": "Iperius Remote is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Manage Engine (Desktop Central)", + "Description": "Manage Engine (Desktop Central) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/8/2024", @@ -17355,8 +17353,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "iperius.exe", - "iperiusremote.exe" + "dcagentservice.exe", + "dcagentregister.exe" ] }, "Artifacts": { 
@@ -17367,10 +17365,12 @@ { "Description": "Known remote domains", "Domains": [ - "*.iperiusremote.com", - "*.iperius.com", - "*.iperius-rs.com", - "iperiusremote.com" + "desktopcentral.manageengine.com", + "desktopcentral.manageengine.com.eu", + "desktopcentral.manageengine.cn", + "*.dms.zoho.com", + "*.dms.zoho.com.eu", + "*.-dms.zoho.com.cn" ], "Ports": [] } @@ -17378,16 +17378,16 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/iperius_remote_network_sigma.yml", - "Description": "Detects potential network activity of Iperius Remote RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manage_engine__desktop_central__network_sigma.yml", + "Description": "Detects potential network activity of Manage Engine (Desktop Central) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/iperius_remote_processes_sigma.yml", - "Description": "Detects potential processes activity of Iperius Remote RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manage_engine__desktop_central__processes_sigma.yml", + "Description": "Detects potential processes activity of Manage Engine (Desktop Central) RMM tool" } ], "References": [ - "https://www.iperiusremote.com/download-iperius-remote-desktop-windows.aspx" + "https://www.manageengine.com/products/desktop-central/help/domains-required-for-agent-communication.html" ], "Acknowledgement": [] } diff --git a/website/public/rmm_tools_table.csv b/website/public/rmm_tools_table.csv index 9c96dddd..f2f184ae 100644 --- a/website/public/rmm_tools_table.csv +++ b/website/public/rmm_tools_table.csv 
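Review bot: `"*.-dms.zoho.com.cn"` in the Manage Engine (Desktop Central) `Domains` looks like a typo: the sibling entries are `"*.dms.zoho.com"` and `"*.dms.zoho.com.eu"`, and a DNS label cannot begin with a hyphen, so this pattern can never match a real hostname. Check it against the vendor page cited in `References` and correct it to the spelling given there (presumably `*.dms.zoho.com.cn`).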
@@ -1,329 +1,329 @@ Name,Category,Description,Author -[Rapid7](/rmm_tools/rapid7),,Rapid7 is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[SunLogin](/rmm_tools/sunlogin),,SunLogin is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[CloudFuze](/rmm_tools/cloudfuze),,CloudFuze is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[Box](/rmm_tools/box),,Box is a remote monitoring and management (RMM) tool. More information will be added as it becomes a..., -[GoToAssist Agent Desktop Console](/rmm_tools/gotoassist_agent_desktop_console),,GoToAssist Agent Desktop Console is a remote monitoring and management (RMM) tool. More information ..., -[Kaseya (VSA)](/rmm_tools/kaseya__vsa_),,Kaseya (VSA) aka Unigma is a remote monitoring and management (RMM) tool. More information will be a...,Nasreddine Bencherchali -[PuTTY Tray](/rmm_tools/putty_tray),,PuTTY Tray is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[Azure Storage Explorer](/rmm_tools/azure_storage_explorer),,Azure Storage Explorer is a remote monitoring and management (RMM) tool. More information will be ad..., -[SysAid](/rmm_tools/sysaid),,SysAid is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[Domotz](/rmm_tools/domotz),,Domotz is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[BeyondTrust](/rmm_tools/beyondtrust),,BeyondTrust is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[Netop Remote Control (aka Impero Connect)](/rmm_tools/netop_remote_control__aka_impero_connect_),,Netop Remote Control (aka Impero Connect) is a remote monitoring and management (RMM) tool. 
More inf..., -[Bomgar - Now BeyondTrust](/rmm_tools/bomgar_-_now_beyondtrust),,Bomgar - Now BeyondTrust is a remote monitoring and management (RMM) tool. More information will be ..., -[Microsoft TSC](/rmm_tools/microsoft_tsc),,Microsoft TSC is a remote monitoring and management (RMM) tool. More information will be added as it..., -[Jump Desktop](/rmm_tools/jump_desktop),,Jump Desktop is a remote monitoring and management (RMM) tool. More information will be added as it ..., -[IntelliAdmin Remote Control](/rmm_tools/intelliadmin_remote_control),,IntelliAdmin Remote Control is a remote monitoring and management (RMM) tool. More information will ..., -[Chrome SSH Extension](/rmm_tools/chrome_ssh_extension),,Chrome SSH Extension is a remote monitoring and management (RMM) tool. More information will be adde..., -[ZeroTier](/rmm_tools/zerotier),,ZeroTier is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Ericom AccessNow](/rmm_tools/ericom_accessnow),,Ericom AccessNow is a remote monitoring and management (RMM) tool. More information will be added as..., -[RealVNC](/rmm_tools/realvnc),,RealVNC is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[Pcnow](/rmm_tools/pcnow),,Pcnow is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., -[DesktopNow](/rmm_tools/desktopnow),,DesktopNow is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[Pocket Controller (Soti Xsight)](/rmm_tools/pocket_controller__soti_xsight_),,Pocket Controller (Soti Xsight) is a remote monitoring and management (RMM) tool. More information w..., -[Instant Housecall](/rmm_tools/instant_housecall),,Instant Housecall is a remote monitoring and management (RMM) tool. 
More information will be added a..., -[CentraStage (Now Datto)](/rmm_tools/centrastage__now_datto_),,CentraStage (Now Datto) is a remote monitoring and management (RMM) tool. More information will be a..., -[Core FTP](/rmm_tools/core_ftp),,Core FTP is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Insync](/rmm_tools/insync),,Insync is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[Microsoft TSC](/rmm_tools/microsoft_tsc),,Microsoft TSC is a remote monitoring and management (RMM) tool. More information will be added as it..., -[LogMeIn rescue](/rmm_tools/logmein_rescue),,LogMeIn rescue is a remote monitoring and management (RMM) tool. More information will be added as i..., +[LabTeach (Connectwise Automate)](/rmm_tools/labteach__connectwise_automate_),,LabTeach (Connectwise Automate) is a remote monitoring and management (RMM) tool. More information w..., +[Zabbix Agent](/rmm_tools/zabbix_agent),,Zabbix Agent is a remote monitoring and management (RMM) tool. More information will be added as it ..., +[Senso.cloud](/rmm_tools/senso.cloud),,Senso.cloud is a remote monitoring and management (RMM) tool. More information will be added as it b..., +[I'm InTouch](/rmm_tools/i'm_intouch),,I'm InTouch is a remote monitoring and management (RMM) tool. More information will be added as it b..., +[RustDesk](/rmm_tools/rustdesk),,RustDesk is a remote monitoring and management (RMM) tool. More information will be added as it beco..., [Electric AI (Kaseya)](/rmm_tools/electric_ai__kaseya_),,Electric AI (Kaseya) is a remote monitoring and management (RMM) tool. More information will be adde..., -[Adobe Connect](/rmm_tools/adobe_connect),,Adobe Connect is a remote monitoring and management (RMM) tool. More information will be added as it..., -[CloudFlare Tunnel](/rmm_tools/cloudflare_tunnel),,CloudFlare Tunnel is a remote monitoring and management (RMM) tool. 
More information will be added a..., -[DriveMaker](/rmm_tools/drivemaker),,DriveMaker is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[mstsc](/rmm_tools/mstsc),,mstsc is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., -[Parallels Access](/rmm_tools/parallels_access),,Parallels Access is a remote monitoring and management (RMM) tool. More information will be added as..., -[ConnectWise Control](/rmm_tools/connectwise_control),,ConnectWise Control is a remote monitoring and management (RMM) tool. More information will be added..., -[Devolutions Remote Desktop Manager](/rmm_tools/devolutions_remote_desktop_manager),,Devolutions Remote Desktop Manager is a remote monitoring and management (RMM) tool. More informatio..., -[TigerVNC](/rmm_tools/tigervnc),,TigerVNC is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Rocket Remote Desktop](/rmm_tools/rocket_remote_desktop),,Rocket Remote Desktop is a remote monitoring and management (RMM) tool. More information will be add..., -[NoteOn-desktop sharing](/rmm_tools/noteon-desktop_sharing),,NoteOn-desktop sharing is a remote monitoring and management (RMM) tool. More information will be ad..., -[Bomgar](/rmm_tools/bomgar),,Bomgar is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[pCloud](/rmm_tools/pcloud),,pCloud is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[HelpU](/rmm_tools/helpu),,HelpU is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., -[Splashtop Remote](/rmm_tools/splashtop_remote),,Splashtop Remote is a remote monitoring and management (RMM) tool. More information will be added as..., -[X2Go](/rmm_tools/x2go),,X2Go is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes ..., -[Pocket Controller](/rmm_tools/pocket_controller),,Pocket Controller is a remote monitoring and management (RMM) tool. More information will be added a..., -[Xshell](/rmm_tools/xshell),,Xshell is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[Bitvise SSH Client](/rmm_tools/bitvise_ssh_client),,Bitvise SSH Client is a remote monitoring and management (RMM) tool. More information will be added ..., -[Royal Server](/rmm_tools/royal_server),,Royal Server is a remote monitoring and management (RMM) tool. More information will be added as it ..., -[Remote Manipulator System](/rmm_tools/remote_manipulator_system),,Remote Manipulator System is a remote monitoring and management (RMM) tool. More information will be..., -[Manage Engine (Desktop Central)](/rmm_tools/manage_engine__desktop_central_),,Manage Engine (Desktop Central) is a remote monitoring and management (RMM) tool. More information w..., -[Auvik](/rmm_tools/auvik),,Auvik is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., -[Basecamp](/rmm_tools/basecamp),,Basecamp is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Free Tools Launcher](/rmm_tools/free_tools_launcher),,Free Tools Launcher is a remote monitoring and management (RMM) tool. More information will be added..., -[aws-cli](/rmm_tools/aws-cli),,aws-cli is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[AnyDesk](/rmm_tools/anydesk),RMM,AnyDesk is a popular remote desktop software that enables users to access and control a computer or ...,"Ali Alwashali, Nasreddine Bencherchali" -[AnyViewer](/rmm_tools/anyviewer),,AnyViewer is a remote monitoring and management (RMM) tool. 
More information will be added as it bec...,@kostastsale -[DW Service](/rmm_tools/dw_service),,DW Service is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[Level](/rmm_tools/level),,Level is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., -[Site24x7](/rmm_tools/site24x7),,Site24x7 is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Cloudsfer](/rmm_tools/cloudsfer),,Cloudsfer is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[ScreenConnect](/rmm_tools/screenconnect),,ScreenConnect is a remote monitoring and management (RMM) tool. More information will be added as it...,"Ali Alwashali, Nasreddine Bencherchali" -[SmartFTP](/rmm_tools/smartftp),,SmartFTP is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[SpyAnywhere](/rmm_tools/spyanywhere),,SpyAnywhere is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[NinjaRMM](/rmm_tools/ninjarmm),,NinjaRMM is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[CloudXplorer](/rmm_tools/cloudxplorer),,CloudXplorer is a remote monitoring and management (RMM) tool. More information will be added as it ..., -[CruzControl](/rmm_tools/cruzcontrol),,CruzControl is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[SimpleHelp](/rmm_tools/simplehelp),,SimpleHelp is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[EMCO Remote Console](/rmm_tools/emco_remote_console),,EMCO Remote Console is a remote monitoring and management (RMM) tool. More information will be added..., -[ngrok](/rmm_tools/ngrok),,ngrok is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes..., -[Apple Remote Desktop](/rmm_tools/apple_remote_desktop),,Apple Remote Desktop is a remote monitoring and management (RMM) tool. More information will be adde..., -[Netviewer (GoToMeet)](/rmm_tools/netviewer__gotomeet_),,Netviewer (GoToMeet) is a remote monitoring and management (RMM) tool. More information will be adde..., -[NoMachine](/rmm_tools/nomachine),,NoMachine is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[MioNet (WD Anywhere Access)](/rmm_tools/mionet__wd_anywhere_access_),,MioNet (WD Anywhere Access) is a remote monitoring and management (RMM) tool. More information will ..., -[Splashtop](/rmm_tools/splashtop),,Splashtop is a remote monitoring and management (RMM) tool. More information will be added as it bec...,Nasreddine Bencherchali -[RAdmin](/rmm_tools/radmin),,RAdmin is a remote monitoring and management (RMM) tool. More information will be added as it become...,Nasreddine Bencherchali -[LANDesk](/rmm_tools/landesk),,LANDesk is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[SuperOps](/rmm_tools/superops),,SuperOps is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Lite Manager](/rmm_tools/lite_manager),,Lite Manager is a remote monitoring and management (RMM) tool. More information will be added as it ..., -[Raidrive](/rmm_tools/raidrive),,Raidrive is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Datto](/rmm_tools/datto),,Datto is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., -[Supremo](/rmm_tools/supremo),,Supremo is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[Chicken (of the VNC)](/rmm_tools/chicken__of_the_vnc_),,Chicken (of the VNC) is a remote monitoring and management (RMM) tool. 
More information will be adde..., +[ZOC](/rmm_tools/zoc),,ZOC is a remote monitoring and management (RMM) tool. More information will be added as it becomes a..., +[Any Support](/rmm_tools/any_support),,Any Support is a remote monitoring and management (RMM) tool. More information will be added as it b..., +[PDQ Connect](/rmm_tools/pdq_connect),,PDQ Connect is a remote monitoring and management (RMM) tool. More information will be added as it b..., +[Pcnow](/rmm_tools/pcnow),,Pcnow is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., [Quick Assist](/rmm_tools/quick_assist),,Quick Assist is a remote monitoring and management (RMM) tool. More information will be added as it ..., -[KHelpDesk](/rmm_tools/khelpdesk),,KHelpDesk is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[TurboMeeting](/rmm_tools/turbomeeting),,TurboMeeting is a remote monitoring and management (RMM) tool. More information will be added as it ..., -[RPort](/rmm_tools/rport),,RPort is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., +[Seetrol](/rmm_tools/seetrol),,Seetrol is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[CarotDAV](/rmm_tools/carotdav),,CarotDAV is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Goverlan](/rmm_tools/goverlan),,Goverlan is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[OptiTune](/rmm_tools/optitune),,OptiTune is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[EMCO Remote Console](/rmm_tools/emco_remote_console),,EMCO Remote Console is a remote monitoring and management (RMM) tool. 
More information will be added..., +[N-Able Advanced Monitoring Agent](/rmm_tools/n-able_advanced_monitoring_agent),,N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. More information ..., +[Tailscale](/rmm_tools/tailscale),,Tailscale is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[Pilixo](/rmm_tools/pilixo),,Pilixo is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[Remote Desktop Manager (Devolutions)](/rmm_tools/remote_desktop_manager__devolutions_),,Remote Desktop Manager (Devolutions) is a remote monitoring and management (RMM) tool. More informat..., +[BeyondTrust (Bomgar)](/rmm_tools/beyondtrust__bomgar_),,BeyondTrust (Bomgar) is a remote monitoring and management (RMM) tool. More information will be adde..., +[Alpemix](/rmm_tools/alpemix),,Alpemix is a remote monitoring and management (RMM) tool. More information will be added as it becom...,Nasreddine Bencherchali [CloudBerry Explorer](/rmm_tools/cloudberry_explorer),,CloudBerry Explorer is a remote monitoring and management (RMM) tool. More information will be added..., +[Auvik](/rmm_tools/auvik),,Auvik is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., +[Microsoft RDP](/rmm_tools/microsoft_rdp),,Microsoft RDP is a remote monitoring and management (RMM) tool. More information will be added as it..., +[Microsoft OneDrive](/rmm_tools/microsoft_onedrive),,Microsoft OneDrive is a remote monitoring and management (RMM) tool. More information will be added ..., +[Tactical RMM](/rmm_tools/tactical_rmm),,Tactical RMM is a remote monitoring and management (RMM) tool. More information will be added as it ..., +[MioNet (WD Anywhere Access)](/rmm_tools/mionet__wd_anywhere_access_),,MioNet (WD Anywhere Access) is a remote monitoring and management (RMM) tool. 
More information will ..., +[Comodo RMM](/rmm_tools/comodo_rmm),,Comodo RMM is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[Pocket Controller](/rmm_tools/pocket_controller),,Pocket Controller is a remote monitoring and management (RMM) tool. More information will be added a..., +[NordLocker](/rmm_tools/nordlocker),,NordLocker is a remote monitoring and management (RMM) tool. More information will be added as it be..., [ExpanDrive](/rmm_tools/expandrive),,ExpanDrive is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[MioNet (Also known as WD Anywhere Access)](/rmm_tools/mionet__also_known_as_wd_anywhere_access_),,MioNet (Also known as WD Anywhere Access) is a remote monitoring and management (RMM) tool. More inf..., [OCS inventory](/rmm_tools/ocs_inventory),,OCS inventory is a remote monitoring and management (RMM) tool. More information will be added as it..., -[RemotePass](/rmm_tools/remotepass),,RemotePass is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[Air Explorer](/rmm_tools/air_explorer),,Air Explorer is a remote monitoring and management (RMM) tool. More information will be added as it ..., -[GoToAssist (GoTo Resolve)](/rmm_tools/gotoassist__goto_resolve_),,GoToAssist (GoTo Resolve) is a remote monitoring and management (RMM) tool. More information will be..., -[Comodo RMM](/rmm_tools/comodo_rmm),,Comodo RMM is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[ShowMyPC](/rmm_tools/showmypc),,ShowMyPC is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[ToDesk](/rmm_tools/todesk),,ToDesk is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[RunSmart](/rmm_tools/runsmart),,RunSmart is a remote monitoring and management (RMM) tool. 
More information will be added as it beco..., -[VNC Connect](/rmm_tools/vnc_connect),,VNC Connect is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[Echoware](/rmm_tools/echoware),,Echoware is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Alpemix](/rmm_tools/alpemix),,Alpemix is a remote monitoring and management (RMM) tool. More information will be added as it becom...,Nasreddine Bencherchali -[Royal TS](/rmm_tools/royal_ts),,Royal TS is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[DragonDisk](/rmm_tools/dragondisk),,DragonDisk is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[Pcvisit](/rmm_tools/pcvisit),,Pcvisit is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[Connectwise Automate (LabTech)](/rmm_tools/connectwise_automate__labtech_),,Connectwise Automate (LabTech) is a remote monitoring and management (RMM) tool. More information wi..., -[DameWare](/rmm_tools/dameware),,DameWare is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Onionshare](/rmm_tools/onionshare),,Onionshare is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[Tailscale](/rmm_tools/tailscale),,Tailscale is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[Senso.cloud](/rmm_tools/senso.cloud),,Senso.cloud is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[Proton Drive](/rmm_tools/proton_drive),,Proton Drive is a remote monitoring and management (RMM) tool. More information will be added as it ..., -[UltraViewer](/rmm_tools/ultraviewer),,UltraViewer is a remote monitoring and management (RMM) tool. 
More information will be added as it b..., -[KickIdler](/rmm_tools/kickidler),,KickIdler is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[Remmina](/rmm_tools/remmina),,Remmina is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[eHorus](/rmm_tools/ehorus),,eHorus is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[Quick Assist](/rmm_tools/quick_assist),,Quick Assist is a remote monitoring and management (RMM) tool. More information will be added as it ..., -[N-Able Advanced Monitoring Agent](/rmm_tools/n-able_advanced_monitoring_agent),,N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. More information ..., -[KiTTY](/rmm_tools/kitty),,KiTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., -[AweRay (AweSun)](/rmm_tools/aweray__awesun_),,AweRay (AweSun) is a remote monitoring and management (RMM) tool. More information will be added as ..., -[FleetDeck](/rmm_tools/fleetdeck),,FleetDeck is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[TeleDesktop](/rmm_tools/teledesktop),,TeleDesktop is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[Remote Utilities](/rmm_tools/remote_utilities),,Remote Utilities is a remote monitoring and management (RMM) tool. More information will be added as..., -[Cloud Explorer](/rmm_tools/cloud_explorer),,Cloud Explorer is a remote monitoring and management (RMM) tool. More information will be added as i..., -[NetSupport Manager](/rmm_tools/netsupport_manager),,NetSupport Manager is a remote monitoring and management (RMM) tool. More information will be added ..., [GotoHTTP](/rmm_tools/gotohttp),,GotoHTTP is a remote monitoring and management (RMM) tool. 
More information will be added as it beco..., -[RemoteUtilities](/rmm_tools/remoteutilities),,RemoteUtilities is a remote monitoring and management (RMM) tool. More information will be added as ..., -[GoToMyPC](/rmm_tools/gotomypc),,GoToMyPC is a remote monitoring and management (RMM) tool. More information will be added as it beco...,Nasreddine Bencherchali -[SmartCode Web VNC](/rmm_tools/smartcode_web_vnc),,SmartCode Web VNC is a remote monitoring and management (RMM) tool. More information will be added a..., -[Seetrol](/rmm_tools/seetrol),,Seetrol is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[RDPView](/rmm_tools/rdpview),,RDPView is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[Zoho Assist](/rmm_tools/zoho_assist),,Zoho Assist is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[Xpra](/rmm_tools/xpra),,Xpra is a remote monitoring and management (RMM) tool. More information will be added as it becomes ..., -[CloudBuckIt](/rmm_tools/cloudbuckit),,CloudBuckIt is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[DeskNets](/rmm_tools/desknets),,DeskNets is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[ODrive](/rmm_tools/odrive),,ODrive is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[XRDP](/rmm_tools/xrdp),,XRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes ..., -[ManageEngine](/rmm_tools/manageengine),,ManageEngine is a remote monitoring and management (RMM) tool. More information will be added as it ..., -[Impero Connect](/rmm_tools/impero_connect),,Impero Connect is a remote monitoring and management (RMM) tool. 
More information will be added as i..., -[Remcos](/rmm_tools/remcos),,Remcos is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[PDQ Connect](/rmm_tools/pdq_connect),,PDQ Connect is a remote monitoring and management (RMM) tool. More information will be added as it b..., +[CloudXplorer](/rmm_tools/cloudxplorer),,CloudXplorer is a remote monitoring and management (RMM) tool. More information will be added as it ..., [Terminals](/rmm_tools/terminals),,Terminals is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[Air Live Drive](/rmm_tools/air_live_drive),,Air Live Drive is a remote monitoring and management (RMM) tool. More information will be added as i..., -[Syncro](/rmm_tools/syncro),,Syncro is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[247ithelp.com (ConnectWise)](/rmm_tools/247ithelp.com__connectwise_),,247ithelp.com (ConnectWise) is a remote monitoring and management (RMM) tool. More information will ..., -[Netviewer](/rmm_tools/netviewer),,Netviewer is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[Syspectr](/rmm_tools/syspectr),,Syspectr is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[I'm InTouch](/rmm_tools/i'm_intouch),,I'm InTouch is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[aria2](/rmm_tools/aria2),,aria2 is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., -[ISL Light](/rmm_tools/isl_light),,ISL Light is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[Mocha VNC Lite](/rmm_tools/mocha_vnc_lite),,Mocha VNC Lite is a remote monitoring and management (RMM) tool. 
More information will be added as i..., -[Ericom Connect](/rmm_tools/ericom_connect),,Ericom Connect is a remote monitoring and management (RMM) tool. More information will be added as i..., -[Yandex.Disk](/rmm_tools/yandex.disk),,Yandex.Disk is a remote monitoring and management (RMM) tool. More information will be added as it b..., +[RPort](/rmm_tools/rport),,RPort is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., +[CentraStage (Now Datto)](/rmm_tools/centrastage__now_datto_),,CentraStage (Now Datto) is a remote monitoring and management (RMM) tool. More information will be a..., +[Instant Housecall](/rmm_tools/instant_housecall),,Instant Housecall is a remote monitoring and management (RMM) tool. More information will be added a..., +[CruzControl](/rmm_tools/cruzcontrol),,CruzControl is a remote monitoring and management (RMM) tool. More information will be added as it b..., +[Mikogo](/rmm_tools/mikogo),,Mikogo is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[mRemoteNG](/rmm_tools/mremoteng),,mRemoteNG is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[LabTech RMM (Now ConnectWise Automate)](/rmm_tools/labtech_rmm__now_connectwise_automate_),,LabTech RMM (Now ConnectWise Automate) is a remote monitoring and management (RMM) tool. More inform..., +[ScreenMeet](/rmm_tools/screenmeet),,ScreenMeet is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[RES Automation Manager](/rmm_tools/res_automation_manager),,RES Automation Manager is a remote monitoring and management (RMM) tool. More information will be ad..., +[Anyplace Control](/rmm_tools/anyplace_control),,Anyplace Control is a remote monitoring and management (RMM) tool. More information will be added as..., +[Dropbox](/rmm_tools/dropbox),,Dropbox is a remote monitoring and management (RMM) tool. 
More information will be added as it becom..., +[TightVNC](/rmm_tools/tightvnc),,TightVNC is a remote monitoring and management (RMM) tool. More information will be added as it beco..., [LiteManager](/rmm_tools/litemanager),,LiteManager is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[BeAnyWhere](/rmm_tools/beanywhere),,BeAnyWhere is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[Box](/rmm_tools/box),,Box is a remote monitoring and management (RMM) tool. More information will be added as it becomes a..., +[Sophos-Remote Management System](/rmm_tools/sophos-remote_management_system),,Sophos-Remote Management System is a remote monitoring and management (RMM) tool. More information w..., +[ManageEngine](/rmm_tools/manageengine),,ManageEngine is a remote monitoring and management (RMM) tool. More information will be added as it ..., +[Cloud Explorer](/rmm_tools/cloud_explorer),,Cloud Explorer is a remote monitoring and management (RMM) tool. More information will be added as i..., +[Splashtop Remote](/rmm_tools/splashtop_remote),,Splashtop Remote is a remote monitoring and management (RMM) tool. More information will be added as..., +[Dameware-mini remote control Protocol](/rmm_tools/dameware-mini_remote_control_protocol),,Dameware-mini remote control Protocol is a remote monitoring and management (RMM) tool. More informa..., +[rdp2tcp](/rmm_tools/rdp2tcp),,rdp2tcp is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[FleetDesk.io](/rmm_tools/fleetdesk.io),,FleetDesk.io is a remote monitoring and management (RMM) tool. More information will be added as it ..., [Jump Cloud](/rmm_tools/jump_cloud),,Jump Cloud is a remote monitoring and management (RMM) tool. 
More information will be added as it be..., -[Remote Desktop Manager (Devolutions)](/rmm_tools/remote_desktop_manager__devolutions_),,Remote Desktop Manager (Devolutions) is a remote monitoring and management (RMM) tool. More informat..., -[AweRay](/rmm_tools/aweray),,AweRay is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[Remobo](/rmm_tools/remobo),,Remobo is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[ESET Remote Administrator](/rmm_tools/eset_remote_administrator),,ESET Remote Administrator is a remote monitoring and management (RMM) tool. More information will be..., -[BeyondTrust (Bomgar)](/rmm_tools/beyondtrust__bomgar_),,BeyondTrust (Bomgar) is a remote monitoring and management (RMM) tool. More information will be adde..., -[Ultra VNC](/rmm_tools/ultra_vnc),,Ultra VNC is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[pcAnywhere](/rmm_tools/pcanywhere),,pcAnywhere is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[Remote.it](/rmm_tools/remote.it),,Remote.it is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[Cruz](/rmm_tools/cruz),,Cruz is a remote monitoring and management (RMM) tool. More information will be added as it becomes ..., +[RuDesktop](/rmm_tools/rudesktop),,RuDesktop is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[LogMeIn](/rmm_tools/logmein),,LogMeIn is a remote monitoring and management (RMM) tool. More information will be added as it becom...,Nasreddine Bencherchali +[SmartFTP](/rmm_tools/smartftp),,SmartFTP is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[NetSupport Manager](/rmm_tools/netsupport_manager),,NetSupport Manager is a remote monitoring and management (RMM) tool. 
More information will be added ..., +[Pocket Cloud (Wyse)](/rmm_tools/pocket_cloud__wyse_),,Pocket Cloud (Wyse) is a remote monitoring and management (RMM) tool. More information will be added..., [Guacamole](/rmm_tools/guacamole),,Guacamole is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[Addigy](/rmm_tools/addigy),,Addigy is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[AeroAdmin](/rmm_tools/aeroadmin),,AeroAdmin is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[FleetDesk.io](/rmm_tools/fleetdesk.io),,FleetDesk.io is a remote monitoring and management (RMM) tool. More information will be added as it ..., -[Dameware-mini remote control Protocol](/rmm_tools/dameware-mini_remote_control_protocol),,Dameware-mini remote control Protocol is a remote monitoring and management (RMM) tool. More informa..., +[Cloudsfer](/rmm_tools/cloudsfer),,Cloudsfer is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[LANDesk](/rmm_tools/landesk),,LANDesk is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[Cruz](/rmm_tools/cruz),,Cruz is a remote monitoring and management (RMM) tool. More information will be added as it becomes ..., +[pcAnywhere](/rmm_tools/pcanywhere),,pcAnywhere is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[mstsc](/rmm_tools/mstsc),,mstsc is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., +[FreeNX](/rmm_tools/freenx),,FreeNX is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[PSEXEC (Clone)](/rmm_tools/psexec__clone_),,PSEXEC (Clone) is a remote monitoring and management (RMM) tool. 
More information will be added as i..., +[SpyAnywhere](/rmm_tools/spyanywhere),,SpyAnywhere is a remote monitoring and management (RMM) tool. More information will be added as it b..., +[ODrive](/rmm_tools/odrive),,ODrive is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[MultCloud](/rmm_tools/multcloud),,MultCloud is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[Visual Studio Dev Tunnel](/rmm_tools/visual_studio_dev_tunnel),,Visual Studio Dev Tunnel is a remote monitoring and management (RMM) tool. More information will be ..., +[Xpra](/rmm_tools/xpra),,Xpra is a remote monitoring and management (RMM) tool. More information will be added as it becomes ..., +[Royal Apps](/rmm_tools/royal_apps),,Royal Apps is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[eHorus](/rmm_tools/ehorus),,eHorus is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[Bomgar](/rmm_tools/bomgar),,Bomgar is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[SuperPuTTY](/rmm_tools/superputty),,SuperPuTTY is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[ZeroTier](/rmm_tools/zerotier),,ZeroTier is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Devolutions Remote Desktop Manager](/rmm_tools/devolutions_remote_desktop_manager),,Devolutions Remote Desktop Manager is a remote monitoring and management (RMM) tool. More informatio..., +[BeAnyWhere](/rmm_tools/beanywhere),,BeAnyWhere is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[WebEx (Remote Access)](/rmm_tools/webex__remote_access_),,WebEx (Remote Access) is a remote monitoring and management (RMM) tool. 
More information will be add..., +[AnyDesk](/rmm_tools/anydesk),RMM,AnyDesk is a popular remote desktop software that enables users to access and control a computer or ...,"Ali Alwashali, Nasreddine Bencherchali" +[Free Ping Tool](/rmm_tools/free_ping_tool),,Free Ping Tool is a remote monitoring and management (RMM) tool. More information will be added as i..., +[S3 Browser](/rmm_tools/s3_browser),,S3 Browser is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[Azure Storage Explorer](/rmm_tools/azure_storage_explorer),,Azure Storage Explorer is a remote monitoring and management (RMM) tool. More information will be ad..., +[NinjaOne (formerly NinjaRMM)](/rmm_tools/ninjaone__formerly_ninjarmm_),,NinjaOne (formerly NinjaRMM) is a remote monitoring and management (RMM) tool. More information will..., +[Adobe Connect](/rmm_tools/adobe_connect),,Adobe Connect is a remote monitoring and management (RMM) tool. More information will be added as it..., +[CloudHQ](/rmm_tools/cloudhq),,CloudHQ is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[Raidrive](/rmm_tools/raidrive),,Raidrive is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[RemotePC](/rmm_tools/remotepc),,RemotePC is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[LogMeIn rescue](/rmm_tools/logmein_rescue),,LogMeIn rescue is a remote monitoring and management (RMM) tool. More information will be added as i..., +[UltraViewer](/rmm_tools/ultraviewer),,UltraViewer is a remote monitoring and management (RMM) tool. More information will be added as it b..., +[aria2](/rmm_tools/aria2),,aria2 is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., +[Pandora RC (eHorus)](/rmm_tools/pandora_rc__ehorus_),,Pandora RC (eHorus) is a remote monitoring and management (RMM) tool. 
More information will be added..., +[IntelliAdmin Remote Control](/rmm_tools/intelliadmin_remote_control),,IntelliAdmin Remote Control is a remote monitoring and management (RMM) tool. More information will ..., +[MEGAsync](/rmm_tools/megasync),,MEGAsync is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Encapto](/rmm_tools/encapto),,Encapto is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[ShowMyPC](/rmm_tools/showmypc),,ShowMyPC is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Lite Manager](/rmm_tools/lite_manager),,Lite Manager is a remote monitoring and management (RMM) tool. More information will be added as it ..., +[Netop Remote Control (aka Impero Connect)](/rmm_tools/netop_remote_control__aka_impero_connect_),,Netop Remote Control (aka Impero Connect) is a remote monitoring and management (RMM) tool. More inf..., +[GoToAssist](/rmm_tools/gotoassist),,GoToAssist is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[Ericom Connect](/rmm_tools/ericom_connect),,Ericom Connect is a remote monitoring and management (RMM) tool. More information will be added as i..., +[TeamViewer](/rmm_tools/teamviewer),,"TeamViewer is a remote monitoring and management (RMM) tool. +...","Nasreddine Bencherchali, Michael Haag" [Access Remote PC](/rmm_tools/access_remote_pc),,Access Remote PC is a remote monitoring and management (RMM) tool. More information will be added as..., -[Acronic Cyber Protect (Remotix)](/rmm_tools/acronic_cyber_protect__remotix_),,Acronic Cyber Protect (Remotix) is a remote monitoring and management (RMM) tool. More information w..., -[Instant Housecall](/rmm_tools/instant_housecall),,Instant Housecall is a remote monitoring and management (RMM) tool. 
More information will be added a..., -[SkyFex](/rmm_tools/skyfex),,SkyFex is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[PSEXEC](/rmm_tools/psexec),,PSEXEC is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[MSP360](/rmm_tools/msp360),,MSP360 is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[DW Service](/rmm_tools/dw_service),,DW Service is a remote monitoring and management (RMM) tool. More information will be added as it be..., [SecureCRT](/rmm_tools/securecrt),,SecureCRT is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[VNC](/rmm_tools/vnc),,VNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes a..., -[Panorama9](/rmm_tools/panorama9),,Panorama9 is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[FixMe](/rmm_tools/fixme),,FixMe is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., -[ISL Online](/rmm_tools/isl_online),,ISL Online is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[RES Automation Manager](/rmm_tools/res_automation_manager),,RES Automation Manager is a remote monitoring and management (RMM) tool. More information will be ad..., -[rclone](/rmm_tools/rclone),,rclone is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[Atera](/rmm_tools/atera),,Atera is a remote monitoring and management (RMM) tool. It is used by threat actors to deploy ransom..., -[CrossLoop](/rmm_tools/crossloop),,CrossLoop is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[Level.io](/rmm_tools/level.io),,Level.io is a remote monitoring and management (RMM) tool. 
More information will be added as it beco..., -[Tactical RMM](/rmm_tools/tactical_rmm),,Tactical RMM is a remote monitoring and management (RMM) tool. More information will be added as it ..., -[Fortra](/rmm_tools/fortra),,Fortra is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[Acronic Cyber Protect (Remotix)](/rmm_tools/acronic_cyber_protect__remotix_),,Acronic Cyber Protect (Remotix) is a remote monitoring and management (RMM) tool. More information w..., [Sorillus](/rmm_tools/sorillus),,Sorillus is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Barracuda](/rmm_tools/barracuda),,Barracuda is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[DeskDay](/rmm_tools/deskday),,DeskDay is a remote monitoring and management (RMM) tool. More information will be added as it becom..., [RemoteCall](/rmm_tools/remotecall),,RemoteCall is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[Laplink Everywhere](/rmm_tools/laplink_everywhere),,Laplink Everywhere is a remote monitoring and management (RMM) tool. More information will be added ..., -[MEGAsync](/rmm_tools/megasync),,MEGAsync is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Neturo](/rmm_tools/neturo),,Neturo is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[Splashtop](/rmm_tools/splashtop),,Splashtop is a remote monitoring and management (RMM) tool. More information will be added as it bec...,Nasreddine Bencherchali +[ManageEngine RMM Central](/rmm_tools/manageengine_rmm_central),,ManageEngine RMM Central is a remote monitoring and management (RMM) tool. More information will be ..., +[AeroAdmin](/rmm_tools/aeroadmin),,AeroAdmin is a remote monitoring and management (RMM) tool. 
More information will be added as it bec..., +[Microsoft TSC](/rmm_tools/microsoft_tsc),,Microsoft TSC is a remote monitoring and management (RMM) tool. More information will be added as it..., +[AweRay (AweSun)](/rmm_tools/aweray__awesun_),,AweRay (AweSun) is a remote monitoring and management (RMM) tool. More information will be added as ..., +[NoMachine](/rmm_tools/nomachine),,NoMachine is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[UltraVNC](/rmm_tools/ultravnc),,UltraVNC is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[TeraCLOUD](/rmm_tools/teracloud),,TeraCLOUD is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[Instant Housecall](/rmm_tools/instant_housecall),,Instant Housecall is a remote monitoring and management (RMM) tool. More information will be added a..., +[NinjaRMM](/rmm_tools/ninjarmm),,NinjaRMM is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[ngrok](/rmm_tools/ngrok),,ngrok is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., +[Air Explorer](/rmm_tools/air_explorer),,Air Explorer is a remote monitoring and management (RMM) tool. More information will be added as it ..., +[Bitvise SSH Client](/rmm_tools/bitvise_ssh_client),,Bitvise SSH Client is a remote monitoring and management (RMM) tool. More information will be added ..., +[Chicken (of the VNC)](/rmm_tools/chicken__of_the_vnc_),,Chicken (of the VNC) is a remote monitoring and management (RMM) tool. More information will be adde..., +[SkyFex](/rmm_tools/skyfex),,SkyFex is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[Ericom AccessNow](/rmm_tools/ericom_accessnow),,Ericom AccessNow is a remote monitoring and management (RMM) tool. 
More information will be added as..., +[Microsoft RDP](/rmm_tools/microsoft_rdp),,Microsoft RDP is a remote monitoring and management (RMM) tool. More information will be added as it..., +[Royal Server](/rmm_tools/royal_server),,Royal Server is a remote monitoring and management (RMM) tool. More information will be added as it ..., +[Solar-PuTTY](/rmm_tools/solar-putty),,Solar-PuTTY is a remote monitoring and management (RMM) tool. More information will be added as it b..., +[Duplicati](/rmm_tools/duplicati),,Duplicati is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[Remote Desktop Plus](/rmm_tools/remote_desktop_plus),,Remote Desktop Plus is a remote monitoring and management (RMM) tool. More information will be added..., +[ITSupport247 (ConnectWise)](/rmm_tools/itsupport247__connectwise_),,ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. More information will b..., +[GoodSync](/rmm_tools/goodsync),,GoodSync is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[DesktopNow](/rmm_tools/desktopnow),,DesktopNow is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[Remmina](/rmm_tools/remmina),,Remmina is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[CloudMounter](/rmm_tools/cloudmounter),,CloudMounter is a remote monitoring and management (RMM) tool. More information will be added as it ..., [Distant Desktop](/rmm_tools/distant_desktop),,Distant Desktop is a remote monitoring and management (RMM) tool. More information will be added as ..., -[rsync](/rmm_tools/rsync),,rsync is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., -[Anyplace Control](/rmm_tools/anyplace_control),,Anyplace Control is a remote monitoring and management (RMM) tool. 
More information will be added as..., +[DameWare](/rmm_tools/dameware),,DameWare is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Level](/rmm_tools/level),,Level is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., +[Insync](/rmm_tools/insync),,Insync is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[Bomgar - Now BeyondTrust](/rmm_tools/bomgar_-_now_beyondtrust),,Bomgar - Now BeyondTrust is a remote monitoring and management (RMM) tool. More information will be ..., +[ISL Online](/rmm_tools/isl_online),,ISL Online is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[Remote.it](/rmm_tools/remote.it),,Remote.it is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[Core FTP](/rmm_tools/core_ftp),,Core FTP is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Netreo](/rmm_tools/netreo),,Netreo is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[CuteFTP](/rmm_tools/cuteftp),,CuteFTP is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[CloudBuckIt](/rmm_tools/cloudbuckit),,CloudBuckIt is a remote monitoring and management (RMM) tool. More information will be added as it b..., +[NoteOn-desktop sharing](/rmm_tools/noteon-desktop_sharing),,NoteOn-desktop sharing is a remote monitoring and management (RMM) tool. More information will be ad..., +[Royal TS](/rmm_tools/royal_ts),,Royal TS is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[DeskNets](/rmm_tools/desknets),,DeskNets is a remote monitoring and management (RMM) tool. 
More information will be added as it beco..., +[QQ IM-remote assistance](/rmm_tools/qq_im-remote_assistance),,QQ IM-remote assistance is a remote monitoring and management (RMM) tool. More information will be a..., +[PuTTY Tray](/rmm_tools/putty_tray),,PuTTY Tray is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[FileZilla](/rmm_tools/filezilla),,FileZilla is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[XRDP](/rmm_tools/xrdp),,XRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes ..., +[FastViewer](/rmm_tools/fastviewer),,FastViewer is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[Jump Desktop](/rmm_tools/jump_desktop),,Jump Desktop is a remote monitoring and management (RMM) tool. More information will be added as it ..., +[pCloud](/rmm_tools/pcloud),,pCloud is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[Ivanti Remote Control](/rmm_tools/ivanti_remote_control),,Ivanti Remote Control is a remote monitoring and management (RMM) tool. More information will be add..., +[BeInSync](/rmm_tools/beinsync),,BeInSync is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[NateOn-desktop sharing](/rmm_tools/nateon-desktop_sharing),,NateOn-desktop sharing is a remote monitoring and management (RMM) tool. More information will be ad..., +[Xeox](/rmm_tools/xeox),,Xeox is a remote monitoring and management (RMM) tool. More information will be added as it becomes ..., +[WinSCP](/rmm_tools/winscp),,WinSCP is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[Desktop Central](/rmm_tools/desktop_central),,Desktop Central is a remote monitoring and management (RMM) tool. 
More information will be added as ..., +[DW Service](/rmm_tools/dw_service),,DW Service is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[NTR Remote](/rmm_tools/ntr_remote),,NTR Remote is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[aws-cli](/rmm_tools/aws-cli),,aws-cli is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[TurboMeeting](/rmm_tools/turbomeeting),,TurboMeeting is a remote monitoring and management (RMM) tool. More information will be added as it ..., +[RemoteUtilities](/rmm_tools/remoteutilities),,RemoteUtilities is a remote monitoring and management (RMM) tool. More information will be added as ..., +[BeyondTrust (Bomgar)](/rmm_tools/beyondtrust__bomgar_),,BeyondTrust (Bomgar) is a remote monitoring and management (RMM) tool. More information will be adde..., +[Pulseway](/rmm_tools/pulseway),,Pulseway is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Panorama9](/rmm_tools/panorama9),,Panorama9 is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[Atera](/rmm_tools/atera),,Atera is a remote monitoring and management (RMM) tool. It is used by threat actors to deploy ransom..., [JollysFastVNC](/rmm_tools/jollysfastvnc),,JollysFastVNC is a remote monitoring and management (RMM) tool. More information will be added as it..., +[RunSmart](/rmm_tools/runsmart),,RunSmart is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Chrome Remote Desktop](/rmm_tools/chrome_remote_desktop),,Chrome Remote Desktop is a remote monitoring and management (RMM) tool. More information will be add..., +[Netviewer (GoToMeet)](/rmm_tools/netviewer__gotomeet_),,Netviewer (GoToMeet) is a remote monitoring and management (RMM) tool. 
More information will be adde..., +[Netviewer](/rmm_tools/netviewer),,Netviewer is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[ConnectWise Control](/rmm_tools/connectwise_control),,ConnectWise Control is a remote monitoring and management (RMM) tool. More information will be added..., [ExtraPuTTY](/rmm_tools/extraputty),,ExtraPuTTY is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[rdpwrap](/rmm_tools/rdpwrap),,rdpwrap is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[N-ABLE Remote Access Software](/rmm_tools/n-able_remote_access_software),,N-ABLE Remote Access Software is a remote monitoring and management (RMM) tool. More information wil..., -[Google Drive](/rmm_tools/google_drive),,Google Drive is a remote monitoring and management (RMM) tool. More information will be added as it ..., -[Solar-PuTTY](/rmm_tools/solar-putty),,Solar-PuTTY is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[TeamViewer](/rmm_tools/teamviewer),,"TeamViewer is a remote monitoring and management (RMM) tool. -...","Nasreddine Bencherchali, Michael Haag" -[Itarian](/rmm_tools/itarian),,Itarian is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[Visual Studio Dev Tunnel](/rmm_tools/visual_studio_dev_tunnel),,Visual Studio Dev Tunnel is a remote monitoring and management (RMM) tool. More information will be ..., -[ITSupport247 (ConnectWise)](/rmm_tools/itsupport247__connectwise_),,ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. More information will b..., -[LogMeIn](/rmm_tools/logmein),,LogMeIn is a remote monitoring and management (RMM) tool. More information will be added as it becom...,Nasreddine Bencherchali +[FleetDeck](/rmm_tools/fleetdeck),,FleetDeck is a remote monitoring and management (RMM) tool. 
More information will be added as it bec..., +[HelpU](/rmm_tools/helpu),,HelpU is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., +[ESET Remote Administrator](/rmm_tools/eset_remote_administrator),,ESET Remote Administrator is a remote monitoring and management (RMM) tool. More information will be..., +[ToDesk](/rmm_tools/todesk),,ToDesk is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[Distant Desktop](/rmm_tools/distant_desktop),,Distant Desktop is a remote monitoring and management (RMM) tool. More information will be added as ..., +[RAdmin](/rmm_tools/radmin),,RAdmin is a remote monitoring and management (RMM) tool. More information will be added as it become...,Nasreddine Bencherchali +[CrossLoop](/rmm_tools/crossloop),,CrossLoop is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[Centurion](/rmm_tools/centurion),,Centurion is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[KickIdler](/rmm_tools/kickidler),,KickIdler is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[Syncro](/rmm_tools/syncro),,Syncro is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[AweRay](/rmm_tools/aweray),,AweRay is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[SunLogin](/rmm_tools/sunlogin),,SunLogin is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Koofr](/rmm_tools/koofr),,Koofr is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., +[SysAid](/rmm_tools/sysaid),,SysAid is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[Neturo](/rmm_tools/neturo),,Neturo is a remote monitoring and management (RMM) tool. 
More information will be added as it become..., +[SmarTTY](/rmm_tools/smartty),,SmarTTY is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[Impero Connect](/rmm_tools/impero_connect),,Impero Connect is a remote monitoring and management (RMM) tool. More information will be added as i..., +[247ithelp.com (ConnectWise)](/rmm_tools/247ithelp.com__connectwise_),,247ithelp.com (ConnectWise) is a remote monitoring and management (RMM) tool. More information will ..., +[Remobo](/rmm_tools/remobo),,Remobo is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[CloudFuze](/rmm_tools/cloudfuze),,CloudFuze is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[Free Tools Launcher](/rmm_tools/free_tools_launcher),,Free Tools Launcher is a remote monitoring and management (RMM) tool. More information will be added..., +[Echoware](/rmm_tools/echoware),,Echoware is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Zoho Assist](/rmm_tools/zoho_assist),,Zoho Assist is a remote monitoring and management (RMM) tool. More information will be added as it b..., +[KiTTY](/rmm_tools/kitty),,KiTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., +[Proton Drive](/rmm_tools/proton_drive),,Proton Drive is a remote monitoring and management (RMM) tool. More information will be added as it ..., +[SimpleHelp](/rmm_tools/simplehelp),,SimpleHelp is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[CloudFlare Tunnel](/rmm_tools/cloudflare_tunnel),,CloudFlare Tunnel is a remote monitoring and management (RMM) tool. More information will be added a..., +[GoTo Opener](/rmm_tools/goto_opener),,GoTo Opener is a remote monitoring and management (RMM) tool. 
More information will be added as it b..., +[Pcvisit](/rmm_tools/pcvisit),,Pcvisit is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[Mocha VNC Lite](/rmm_tools/mocha_vnc_lite),,Mocha VNC Lite is a remote monitoring and management (RMM) tool. More information will be added as i..., +[Laplink Gold](/rmm_tools/laplink_gold),,Laplink Gold is a remote monitoring and management (RMM) tool. More information will be added as it ..., [Cyberduck](/rmm_tools/cyberduck),,Cyberduck is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[Electric](/rmm_tools/electric),,Electric is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[PuTTY](/rmm_tools/putty),,PuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., -[TeraCLOUD](/rmm_tools/teracloud),,TeraCLOUD is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[Netreo](/rmm_tools/netreo),,Netreo is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[Netop Remote Control (Impero Connect)](/rmm_tools/netop_remote_control__impero_connect_),,Netop Remote Control (Impero Connect) is a remote monitoring and management (RMM) tool. More informa..., +[Iperius Remote](/rmm_tools/iperius_remote),,Iperius Remote is a remote monitoring and management (RMM) tool. More information will be added as i..., +[BeamYourScreen](/rmm_tools/beamyourscreen),,BeamYourScreen is a remote monitoring and management (RMM) tool. More information will be added as i..., +[TeleDesktop](/rmm_tools/teledesktop),,TeleDesktop is a remote monitoring and management (RMM) tool. More information will be added as it b..., +[Parallels Access](/rmm_tools/parallels_access),,Parallels Access is a remote monitoring and management (RMM) tool. 
More information will be added as..., +[Basecamp](/rmm_tools/basecamp),,Basecamp is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Weezo](/rmm_tools/weezo),,Weezo is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., +[X2Go](/rmm_tools/x2go),,X2Go is a remote monitoring and management (RMM) tool. More information will be added as it becomes ..., +[DriveMaker](/rmm_tools/drivemaker),,DriveMaker is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[Dev Tunnels (aka Visual Studio Dev Tunnel)](/rmm_tools/dev_tunnels__aka_visual_studio_dev_tunnel_),,Dev Tunnels (aka Visual Studio Dev Tunnel) is a remote monitoring and management (RMM) tool. More in..., +[Connectwise Automate (LabTech)](/rmm_tools/connectwise_automate__labtech_),,Connectwise Automate (LabTech) is a remote monitoring and management (RMM) tool. More information wi..., [Splashtop (Beta)](/rmm_tools/splashtop__beta_),,Splashtop (Beta) is a remote monitoring and management (RMM) tool. More information will be added as..., -[FastViewer](/rmm_tools/fastviewer),,FastViewer is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[RustDesk](/rmm_tools/rustdesk),,RustDesk is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[MobaXterm](/rmm_tools/mobaxterm),,MobaXterm is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[GoToAssist](/rmm_tools/gotoassist),,GoToAssist is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[Free Ping Tool](/rmm_tools/free_ping_tool),,Free Ping Tool is a remote monitoring and management (RMM) tool. More information will be added as i..., +[Google Drive](/rmm_tools/google_drive),,Google Drive is a remote monitoring and management (RMM) tool. 
More information will be added as it ..., +[Netop](/rmm_tools/netop),,Netop is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., +[Kaseya (VSA)](/rmm_tools/kaseya__vsa_),,Kaseya (VSA) aka Unigma is a remote monitoring and management (RMM) tool. More information will be a...,Nasreddine Bencherchali [HelpBeam](/rmm_tools/helpbeam),,HelpBeam is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[NTR Remote](/rmm_tools/ntr_remote),,NTR Remote is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[ServerEye](/rmm_tools/servereye),,ServerEye is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[WebRDP](/rmm_tools/webrdp),,WebRDP is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[GoTo Opener](/rmm_tools/goto_opener),,GoTo Opener is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[S3 Browser](/rmm_tools/s3_browser),,S3 Browser is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[Any Support](/rmm_tools/any_support),,Any Support is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[BeamYourScreen](/rmm_tools/beamyourscreen),,BeamYourScreen is a remote monitoring and management (RMM) tool. More information will be added as i..., -[Sophos-Remote Management System](/rmm_tools/sophos-remote_management_system),,Sophos-Remote Management System is a remote monitoring and management (RMM) tool. More information w..., -[Amazon (Cloud) Drive](/rmm_tools/amazon__cloud__drive),,Amazon (Cloud) Drive is a remote monitoring and management (RMM) tool. More information will be adde..., -[Desktop Central](/rmm_tools/desktop_central),,Desktop Central is a remote monitoring and management (RMM) tool. 
More information will be added as ..., -[PSEXEC (Clone)](/rmm_tools/psexec__clone_),,PSEXEC (Clone) is a remote monitoring and management (RMM) tool. More information will be added as i..., -[GetScreen](/rmm_tools/getscreen),,GetScreen is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[RemotePC](/rmm_tools/remotepc),,RemotePC is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Tanium](/rmm_tools/tanium),,Tanium is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[GoodSync](/rmm_tools/goodsync),,GoodSync is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[LabTeach (Connectwise Automate)](/rmm_tools/labteach__connectwise_automate_),,LabTeach (Connectwise Automate) is a remote monitoring and management (RMM) tool. More information w..., -[RemoteView](/rmm_tools/remoteview),,RemoteView is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[UltraVNC](/rmm_tools/ultravnc),,UltraVNC is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[SmarTTY](/rmm_tools/smartty),,SmarTTY is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[Absolute (Computrace)](/rmm_tools/absolute__computrace_),,Absolute (Computrace) is a remote monitoring and management (RMM) tool. More information will be add..., [Quest KACE Agent (formerly Dell KACE)](/rmm_tools/quest_kace_agent__formerly_dell_kace_),,Quest KACE Agent (formerly Dell KACE) is a remote monitoring and management (RMM) tool. More informa..., [DeskShare](/rmm_tools/deskshare),,DeskShare is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[Pocket Cloud (Wyse)](/rmm_tools/pocket_cloud__wyse_),,Pocket Cloud (Wyse) is a remote monitoring and management (RMM) tool. 
More information will be added..., -[ESET Remote Administrator](/rmm_tools/eset_remote_administrator),,ESET Remote Administrator is a remote monitoring and management (RMM) tool. More information will be..., -[Pilixo](/rmm_tools/pilixo),,Pilixo is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[CloudMounter](/rmm_tools/cloudmounter),,CloudMounter is a remote monitoring and management (RMM) tool. More information will be added as it ..., -[Mikogo](/rmm_tools/mikogo),,Mikogo is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[WebEx (Remote Access)](/rmm_tools/webex__remote_access_),,WebEx (Remote Access) is a remote monitoring and management (RMM) tool. More information will be add..., -[Koofr](/rmm_tools/koofr),,Koofr is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., -[Duplicati](/rmm_tools/duplicati),,Duplicati is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[ManageEngine RMM Central](/rmm_tools/manageengine_rmm_central),,ManageEngine RMM Central is a remote monitoring and management (RMM) tool. More information will be ..., -[WinSCP](/rmm_tools/winscp),,WinSCP is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[rdpwrap](/rmm_tools/rdpwrap),,rdpwrap is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[Total Software Deployment](/rmm_tools/total_software_deployment),,Total Software Deployment is a remote monitoring and management (RMM) tool. More information will be..., +[PuTTY](/rmm_tools/putty),,PuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., +[FixMe.it](/rmm_tools/fixme.it),,FixMe.it is a remote monitoring and management (RMM) tool. 
More information will be added as it beco..., +[RDPView](/rmm_tools/rdpview),,RDPView is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[Fortra](/rmm_tools/fortra),,Fortra is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[ISL Light](/rmm_tools/isl_light),,ISL Light is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[Pocket Controller (Soti Xsight)](/rmm_tools/pocket_controller__soti_xsight_),,Pocket Controller (Soti Xsight) is a remote monitoring and management (RMM) tool. More information w..., [GatherPlace-desktop sharing](/rmm_tools/gatherplace-desktop_sharing),,GatherPlace-desktop sharing is a remote monitoring and management (RMM) tool. More information will ..., -[Laplink Gold](/rmm_tools/laplink_gold),,Laplink Gold is a remote monitoring and management (RMM) tool. More information will be added as it ..., -[Centurion](/rmm_tools/centurion),,Centurion is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[Ivanti Remote Control](/rmm_tools/ivanti_remote_control),,Ivanti Remote Control is a remote monitoring and management (RMM) tool. More information will be add..., -[NordLocker](/rmm_tools/nordlocker),,NordLocker is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[Cloud Turtle](/rmm_tools/cloud_turtle),,Cloud Turtle is a remote monitoring and management (RMM) tool. More information will be added as it ..., -[CloudExplorer](/rmm_tools/cloudexplorer),,CloudExplorer is a remote monitoring and management (RMM) tool. More information will be added as it..., -[CloudHQ](/rmm_tools/cloudhq),,CloudHQ is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[Xeox](/rmm_tools/xeox),,Xeox is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes ..., -[ezHelp](/rmm_tools/ezhelp),,ezHelp is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[Electric](/rmm_tools/electric),,Electric is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Site24x7](/rmm_tools/site24x7),,Site24x7 is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[MeshCentral](/rmm_tools/meshcentral),,MeshCentral is a remote monitoring and management (RMM) tool. More information will be added as it b..., +[MSP360](/rmm_tools/msp360),,MSP360 is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[ScreenConnect](/rmm_tools/screenconnect),,ScreenConnect is a remote monitoring and management (RMM) tool. More information will be added as it...,"Ali Alwashali, Nasreddine Bencherchali" +[Microsoft TSC](/rmm_tools/microsoft_tsc),,Microsoft TSC is a remote monitoring and management (RMM) tool. More information will be added as it..., +[Tanium](/rmm_tools/tanium),,Tanium is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[Ultra VNC](/rmm_tools/ultra_vnc),,Ultra VNC is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[Remote Manipulator System](/rmm_tools/remote_manipulator_system),,Remote Manipulator System is a remote monitoring and management (RMM) tool. More information will be..., +[Domotz](/rmm_tools/domotz),,Domotz is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[FixMe](/rmm_tools/fixme),,FixMe is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., +[rclone](/rmm_tools/rclone),,rclone is a remote monitoring and management (RMM) tool. 
More information will be added as it become..., +[Tanium Deploy](/rmm_tools/tanium_deploy),,Tanium Deploy is a remote monitoring and management (RMM) tool. More information will be added as it..., +[N-ABLE Remote Access Software](/rmm_tools/n-able_remote_access_software),,N-ABLE Remote Access Software is a remote monitoring and management (RMM) tool. More information wil..., +[Quick Assist](/rmm_tools/quick_assist),,Quick Assist is a remote monitoring and management (RMM) tool. More information will be added as it ..., +[AnyViewer](/rmm_tools/anyviewer),,AnyViewer is a remote monitoring and management (RMM) tool. More information will be added as it bec...,@kostastsale +[Naverisk](/rmm_tools/naverisk),,Naverisk is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Addigy](/rmm_tools/addigy),,Addigy is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[Action1](/rmm_tools/action1),,Action1 is a powerful Remote Monitoring and Management(RMM) tool that enables users to execute comma...,@kostastsale +[AliWangWang-remote-control](/rmm_tools/aliwangwang-remote-control),,AliWangWang-remote-control is a remote monitoring and management (RMM) tool. More information will b..., +[FreeRDP](/rmm_tools/freerdp),,FreeRDP is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[MioNet (Also known as WD Anywhere Access)](/rmm_tools/mionet__also_known_as_wd_anywhere_access_),,MioNet (Also known as WD Anywhere Access) is a remote monitoring and management (RMM) tool. More inf..., +[SmartCode Web VNC](/rmm_tools/smartcode_web_vnc),,SmartCode Web VNC is a remote monitoring and management (RMM) tool. More information will be added a..., +[Onionshare](/rmm_tools/onionshare),,Onionshare is a remote monitoring and management (RMM) tool. 
More information will be added as it be..., +[Air Live Drive](/rmm_tools/air_live_drive),,Air Live Drive is a remote monitoring and management (RMM) tool. More information will be added as i..., +[Rocket Remote Desktop](/rmm_tools/rocket_remote_desktop),,Rocket Remote Desktop is a remote monitoring and management (RMM) tool. More information will be add..., +[WebRDP](/rmm_tools/webrdp),,WebRDP is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[BeyondTrust](/rmm_tools/beyondtrust),,BeyondTrust is a remote monitoring and management (RMM) tool. More information will be added as it b..., +[SuperOps](/rmm_tools/superops),,SuperOps is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[RemotePass](/rmm_tools/remotepass),,RemotePass is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[Itarian](/rmm_tools/itarian),,Itarian is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[PSEXEC](/rmm_tools/psexec),,PSEXEC is a remote monitoring and management (RMM) tool. More information will be added as it become..., [Level.io](/rmm_tools/level.io),,Level.io is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[MultCloud](/rmm_tools/multcloud),,MultCloud is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[CloudGopher](/rmm_tools/cloudgopher),,CloudGopher is a remote monitoring and management (RMM) tool. More information will be added as it b..., +[ezHelp](/rmm_tools/ezhelp),,ezHelp is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[Kabuto](/rmm_tools/kabuto),,Kabuto is a remote monitoring and management (RMM) tool. More information will be added as it become..., [Synergy](/rmm_tools/synergy),,Synergy is a remote monitoring and management (RMM) tool. 
More information will be added as it becom..., -[ConnectWise Control](/rmm_tools/connectwise_control),,ConnectWise Control is a remote monitoring and management (RMM) tool. More information will be added..., -[OptiTune](/rmm_tools/optitune),,OptiTune is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Netop](/rmm_tools/netop),,Netop is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., [ConnectWise](/rmm_tools/connectwise),,ConnectWise is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[Encapto](/rmm_tools/encapto),,Encapto is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[Action1](/rmm_tools/action1),,Action1 is a powerful Remote Monitoring and Management(RMM) tool that enables users to execute comma...,@kostastsale +[TigerVNC](/rmm_tools/tigervnc),,TigerVNC is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[GoToMyPC](/rmm_tools/gotomypc),,GoToMyPC is a remote monitoring and management (RMM) tool. More information will be added as it beco...,Nasreddine Bencherchali +[Laplink Everywhere](/rmm_tools/laplink_everywhere),,Laplink Everywhere is a remote monitoring and management (RMM) tool. More information will be added ..., +[Syspectr](/rmm_tools/syspectr),,Syspectr is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Remote Utilities](/rmm_tools/remote_utilities),,Remote Utilities is a remote monitoring and management (RMM) tool. More information will be added as..., +[Remcos](/rmm_tools/remcos),,Remcos is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[ISL Online](/rmm_tools/isl_online),,ISL Online is a remote monitoring and management (RMM) tool. 
More information will be added as it be..., +[DragonDisk](/rmm_tools/dragondisk),,DragonDisk is a remote monitoring and management (RMM) tool. More information will be added as it be..., [FleetDeck.io](/rmm_tools/fleetdeck.io),,FleetDeck.io is a remote monitoring and management (RMM) tool. More information will be added as it ..., -[SuperPuTTY](/rmm_tools/superputty),,SuperPuTTY is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[Royal Apps](/rmm_tools/royal_apps),,Royal Apps is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[Tanium Deploy](/rmm_tools/tanium_deploy),,Tanium Deploy is a remote monitoring and management (RMM) tool. More information will be added as it..., -[Zabbix Agent](/rmm_tools/zabbix_agent),,Zabbix Agent is a remote monitoring and management (RMM) tool. More information will be added as it ..., -[Weezo](/rmm_tools/weezo),,Weezo is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., -[BeInSync](/rmm_tools/beinsync),,BeInSync is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[ScreenMeet](/rmm_tools/screenmeet),,ScreenMeet is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[MyIVO](/rmm_tools/myivo),,MyIVO is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., -[LabTech RMM (Now ConnectWise Automate)](/rmm_tools/labtech_rmm__now_connectwise_automate_),,LabTech RMM (Now ConnectWise Automate) is a remote monitoring and management (RMM) tool. More inform..., -[Kabuto](/rmm_tools/kabuto),,Kabuto is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[FreeRDP](/rmm_tools/freerdp),,FreeRDP is a remote monitoring and management (RMM) tool. 
More information will be added as it becom..., -[ZOC](/rmm_tools/zoc),,ZOC is a remote monitoring and management (RMM) tool. More information will be added as it becomes a..., -[AliWangWang-remote-control](/rmm_tools/aliwangwang-remote-control),,AliWangWang-remote-control is a remote monitoring and management (RMM) tool. More information will b..., -[Goverlan](/rmm_tools/goverlan),,Goverlan is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Microsoft Quick Assist](/rmm_tools/microsoft_quick_assist),,Microsoft Quick Assist is a remote monitoring and management (RMM) tool. More information will be ad..., -[N-Able Advanced Monitoring Agent](/rmm_tools/n-able_advanced_monitoring_agent),,N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. More information ..., -[Ocamlfuse](/rmm_tools/ocamlfuse),,Ocamlfuse is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[MyGreenPC](/rmm_tools/mygreenpc),,MyGreenPC is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[Syncthing](/rmm_tools/syncthing),,Syncthing is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[Chrome Remote Desktop](/rmm_tools/chrome_remote_desktop),,Chrome Remote Desktop is a remote monitoring and management (RMM) tool. More information will be add..., -[Microsoft RDP](/rmm_tools/microsoft_rdp),,Microsoft RDP is a remote monitoring and management (RMM) tool. More information will be added as it..., [Chrome Remote Desktop](/rmm_tools/chrome_remote_desktop),,Chrome Remote Desktop is a remote monitoring and management (RMM) tool. More information will be add..., -[Remote Desktop Plus](/rmm_tools/remote_desktop_plus),,Remote Desktop Plus is a remote monitoring and management (RMM) tool. 
More information will be added..., -[NateOn-desktop sharing](/rmm_tools/nateon-desktop_sharing),,NateOn-desktop sharing is a remote monitoring and management (RMM) tool. More information will be ad..., -[Barracuda](/rmm_tools/barracuda),,Barracuda is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[Dropbox](/rmm_tools/dropbox),,Dropbox is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[CrossTec Remote Control](/rmm_tools/crosstec_remote_control),,CrossTec Remote Control is a remote monitoring and management (RMM) tool. More information will be a..., -[DeskDay](/rmm_tools/deskday),,DeskDay is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[mRemoteNG](/rmm_tools/mremoteng),,mRemoteNG is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[FreeNX](/rmm_tools/freenx),,FreeNX is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[RealVNC](/rmm_tools/realvnc),,RealVNC is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[rsync](/rmm_tools/rsync),,rsync is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., +[Datto](/rmm_tools/datto),,Datto is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., +[CloudExplorer](/rmm_tools/cloudexplorer),,CloudExplorer is a remote monitoring and management (RMM) tool. More information will be added as it..., +[Supremo](/rmm_tools/supremo),,Supremo is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[GoToAssist Agent Desktop Console](/rmm_tools/gotoassist_agent_desktop_console),,GoToAssist Agent Desktop Console is a remote monitoring and management (RMM) tool. 
More information ..., +[ConnectWise Control](/rmm_tools/connectwise_control),,ConnectWise Control is a remote monitoring and management (RMM) tool. More information will be added..., +[RemoteView](/rmm_tools/remoteview),,RemoteView is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[VNC Connect](/rmm_tools/vnc_connect),,VNC Connect is a remote monitoring and management (RMM) tool. More information will be added as it b..., +[Syncthing](/rmm_tools/syncthing),,Syncthing is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[KHelpDesk](/rmm_tools/khelpdesk),,KHelpDesk is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[Netop Remote Control (Impero Connect)](/rmm_tools/netop_remote_control__impero_connect_),,Netop Remote Control (Impero Connect) is a remote monitoring and management (RMM) tool. More informa..., +[Bitvise SSH Server](/rmm_tools/bitvise_ssh_server),,Bitvise SSH Server is a remote monitoring and management (RMM) tool. More information will be added ..., +[Cloud Turtle](/rmm_tools/cloud_turtle),,Cloud Turtle is a remote monitoring and management (RMM) tool. More information will be added as it ..., +[Apple Remote Desktop](/rmm_tools/apple_remote_desktop),,Apple Remote Desktop is a remote monitoring and management (RMM) tool. More information will be adde..., +[Chrome SSH Extension](/rmm_tools/chrome_ssh_extension),,Chrome SSH Extension is a remote monitoring and management (RMM) tool. More information will be adde..., +[CloudGopher](/rmm_tools/cloudgopher),,CloudGopher is a remote monitoring and management (RMM) tool. More information will be added as it b..., [NetSupport Manager](/rmm_tools/netsupport_manager),,NetSupport Manager is a remote monitoring and management (RMM) tool. More information will be added ..., -[rdp2tcp](/rmm_tools/rdp2tcp),,rdp2tcp is a remote monitoring and management (RMM) tool. 
More information will be added as it becom..., -[ITSupport247 (ConnectWise)](/rmm_tools/itsupport247__connectwise_),,ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. More information will b..., -[Pulseway](/rmm_tools/pulseway),,Pulseway is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Naverisk](/rmm_tools/naverisk),,Naverisk is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Total Software Deployment](/rmm_tools/total_software_deployment),,Total Software Deployment is a remote monitoring and management (RMM) tool. More information will be..., -[ISL Online](/rmm_tools/isl_online),,ISL Online is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[NinjaOne (formerly NinjaRMM)](/rmm_tools/ninjaone__formerly_ninjarmm_),,NinjaOne (formerly NinjaRMM) is a remote monitoring and management (RMM) tool. More information will..., -[Microsoft OneDrive](/rmm_tools/microsoft_onedrive),,Microsoft OneDrive is a remote monitoring and management (RMM) tool. More information will be added ..., -[QQ IM-remote assistance](/rmm_tools/qq_im-remote_assistance),,QQ IM-remote assistance is a remote monitoring and management (RMM) tool. More information will be a..., -[Distant Desktop](/rmm_tools/distant_desktop),,Distant Desktop is a remote monitoring and management (RMM) tool. More information will be added as ..., -[FixMe.it](/rmm_tools/fixme.it),,FixMe.it is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[FileZilla](/rmm_tools/filezilla),,FileZilla is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[Microsoft RDP](/rmm_tools/microsoft_rdp),,Microsoft RDP is a remote monitoring and management (RMM) tool. 
More information will be added as it..., -[RuDesktop](/rmm_tools/rudesktop),,RuDesktop is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[BeyondTrust (Bomgar)](/rmm_tools/beyondtrust__bomgar_),,BeyondTrust (Bomgar) is a remote monitoring and management (RMM) tool. More information will be adde..., +[ESET Remote Administrator](/rmm_tools/eset_remote_administrator),,ESET Remote Administrator is a remote monitoring and management (RMM) tool. More information will be..., +[Yandex.Disk](/rmm_tools/yandex.disk),,Yandex.Disk is a remote monitoring and management (RMM) tool. More information will be added as it b..., +[N-Able Advanced Monitoring Agent](/rmm_tools/n-able_advanced_monitoring_agent),,N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. More information ..., +[MyIVO](/rmm_tools/myivo),,MyIVO is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., [FreeFileSync](/rmm_tools/freefilesync),,FreeFileSync is a remote monitoring and management (RMM) tool. More information will be added as it ..., -[TightVNC](/rmm_tools/tightvnc),,TightVNC is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[MeshCentral](/rmm_tools/meshcentral),,MeshCentral is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[CuteFTP](/rmm_tools/cuteftp),,CuteFTP is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[Dev Tunnels (aka Visual Studio Dev Tunnel)](/rmm_tools/dev_tunnels__aka_visual_studio_dev_tunnel_),,Dev Tunnels (aka Visual Studio Dev Tunnel) is a remote monitoring and management (RMM) tool. More in..., -[CarotDAV](/rmm_tools/carotdav),,CarotDAV is a remote monitoring and management (RMM) tool. 
More information will be added as it beco..., -[Bitvise SSH Server](/rmm_tools/bitvise_ssh_server),,Bitvise SSH Server is a remote monitoring and management (RMM) tool. More information will be added ..., -[Pandora RC (eHorus)](/rmm_tools/pandora_rc__ehorus_),,Pandora RC (eHorus) is a remote monitoring and management (RMM) tool. More information will be added..., -[DW Service](/rmm_tools/dw_service),,DW Service is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[Iperius Remote](/rmm_tools/iperius_remote),,Iperius Remote is a remote monitoring and management (RMM) tool. More information will be added as i..., +[ITSupport247 (ConnectWise)](/rmm_tools/itsupport247__connectwise_),,ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. More information will b..., +[VNC](/rmm_tools/vnc),,VNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes a..., +[ServerEye](/rmm_tools/servereye),,ServerEye is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[Rapid7](/rmm_tools/rapid7),,Rapid7 is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[GoToAssist (GoTo Resolve)](/rmm_tools/gotoassist__goto_resolve_),,GoToAssist (GoTo Resolve) is a remote monitoring and management (RMM) tool. More information will be..., +[Ocamlfuse](/rmm_tools/ocamlfuse),,Ocamlfuse is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[GetScreen](/rmm_tools/getscreen),,GetScreen is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[MobaXterm](/rmm_tools/mobaxterm),,MobaXterm is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[CrossTec Remote Control](/rmm_tools/crosstec_remote_control),,CrossTec Remote Control is a remote monitoring and management (RMM) tool. 
More information will be a..., +[Absolute (Computrace)](/rmm_tools/absolute__computrace_),,Absolute (Computrace) is a remote monitoring and management (RMM) tool. More information will be add..., +[Xshell](/rmm_tools/xshell),,Xshell is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[Amazon (Cloud) Drive](/rmm_tools/amazon__cloud__drive),,Amazon (Cloud) Drive is a remote monitoring and management (RMM) tool. More information will be adde..., +[MyGreenPC](/rmm_tools/mygreenpc),,MyGreenPC is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[Level.io](/rmm_tools/level.io),,Level.io is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Microsoft Quick Assist](/rmm_tools/microsoft_quick_assist),,Microsoft Quick Assist is a remote monitoring and management (RMM) tool. More information will be ad..., +[Manage Engine (Desktop Central)](/rmm_tools/manage_engine__desktop_central_),,Manage Engine (Desktop Central) is a remote monitoring and management (RMM) tool. More information w...,
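Review bot: Every row in this hunk is removed and re-added with identical content in a different position (for example `Bitvise SSH Server`, `CrossTec Remote Control` and `ITSupport247 (ConnectWise)` each appear on both a `-` line and a `+` line with the same text), so the hunk records ordering churn rather than a change to the tool list. The generator that writes this CSV should emit rows in a stable order (sorted by tool name, for instance) before the file is committed, so that a regenerated site produces an empty or minimal diff and a genuine addition or removal of a tool is visible at review time instead of being buried among hundreds of reordered rows; in a corpus that analysts use to spot RMM tools during incident triage, a reviewable diff is what lets a new or dropped entry be noticed.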