From 1c0099f979a53f30a9dc0fe3b14ca6363af25fe0 Mon Sep 17 00:00:00 2001
From: Aaron
Date: Tue, 8 Oct 2024 09:17:32 -0500
Subject: [PATCH 1/6] Added ScreenConnect event log information and reference.
---
 website/pages/tools/instant_housecall.mdx | 4 +-
 .../tools/itsupport247__connectwise_.mdx | 2 +-
 website/pages/tools/screenconnect.mdx | 6 +-
 website/public/api/rmm_tools.csv | 508 +-
 website/public/api/rmm_tools.json | 12480 ++++++++--------
 website/public/rmm_tools_table.csv | 484 +-
 yaml/screenconnect.yaml | 15 +-
 7 files changed, 6768 insertions(+), 6731 deletions(-)
diff --git a/website/pages/tools/instant_housecall.mdx b/website/pages/tools/instant_housecall.mdx
index b1262f56..acda126f 100644
--- a/website/pages/tools/instant_housecall.mdx
+++ b/website/pages/tools/instant_housecall.mdx
@@ -23,7 +23,7 @@ Instant Housecall is a remote monitoring and management (RMM) tool. More informa
 />
 #### Installation Paths
-
+
@@ -36,7 +36,7 @@ Instant Housecall is a remote monitoring and management (RMM) tool. More informa
 #### Network Artifacts
-
+
diff --git a/website/pages/tools/itsupport247__connectwise_.mdx b/website/pages/tools/itsupport247__connectwise_.mdx
index 75a7e65a..407424dd 100644
--- a/website/pages/tools/itsupport247__connectwise_.mdx
+++ b/website/pages/tools/itsupport247__connectwise_.mdx
@@ -36,7 +36,7 @@ ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. Mor
 #### Network Artifacts
-
+
diff --git a/website/pages/tools/screenconnect.mdx b/website/pages/tools/screenconnect.mdx
index a94e4455..a9d30b8b 100644
--- a/website/pages/tools/screenconnect.mdx
+++ b/website/pages/tools/screenconnect.mdx
@@ -16,7 +16,7 @@ ScreenConnect is a remote monitoring and management (RMM) tool. More information
 category={""}
 created={"2023-10-01"}
 website={"https://www.connectwise.com"}
- lastModified={"2024-08-03"}
+ lastModified={"2024-10-08"}
 privileges={""}
 free={ "14-Days Free Trial" }
 verification={""}
@@ -39,6 +39,9 @@ ScreenConnect is a remote monitoring and management (RMM) tool. More information
+#### Event Log Artifacts
+
+)"], "LogFile": "Application.evtx", "ServiceName": "ScreenConnect Client ()", "Description": "Service installation event as a result of ScreenConnect installation."}, {"EventID": 20, "ProviderName": ["ScreenConnect", "ScreenConnect Client ()"], "LogFile": "Application.evtx", "ServiceName": "ScreenConnect Client ()", "Description": "Logs events such as successful or failed connections, and user logins."}] }/>
 #### Network Artifacts
@@ -58,4 +61,5 @@ ScreenConnect is a remote monitoring and management (RMM) tool. More information
 ### References
 - [https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours/](https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours/)
+- [https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling](https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling)
diff --git a/website/public/api/rmm_tools.csv b/website/public/api/rmm_tools.csv
index a0874d4d..2df91e6f 100644
--- a/website/public/api/rmm_tools.csv
+++ b/website/public/api/rmm_tools.csv
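Review bot: The first event-log entry added in this hunk is described as a `Service installation event as a result of ScreenConnect installation` but is filed under `"LogFile": "Application.evtx"` with ScreenConnect-named provider and service fields, whereas the Alpemix row in this same patch's rmm_tools.csv records its service-installation event as `"ProviderName": "Service Control Manager", "LogFile": "System.evtx"`, which is the log the Service Control Manager actually writes service-install events to. Either this entry should point at System.evtx with the SCM provider, or, if it is an event the ScreenConnect client itself raises in the Application log, its description should say so instead of borrowing the SCM wording; otherwise a responder following the page collects the wrong .evtx. The entry's EventID and the start of its ProviderName are not visible in this rendering (the JSX element opening was stripped), so I am inferring which of the two was intended. Both `ServiceName` values also read `ScreenConnect Client ()` here with whatever sits inside the parentheses lost; since the installed service name carries an instance-specific suffix, the source should keep a wildcard there, and as the mdx/csv/json files look generated, the correction presumably belongs in `yaml/screenconnect.yaml` from the diffstat rather than in this page.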
@@ -1,284 +1,284 @@ Name,Category,Description,Author,Created,LastModified,Website,Filename,OriginalFileName,PEDescription,Product,Privileges,Free,Verification,SupportedOS,Capabilities,Vulnerabilities,InstallationPaths,Artifacts,Detections,References,Acknowledgement -LabTeach (Connectwise Automate),,LabTeach (Connectwise Automate) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,ltsvc.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labteach__connectwise_automate__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of LabTeach (Connectwise Automate) RMM tool""}]",,[] -Zabbix Agent,,Zabbix Agent is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,zabbix_agent*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""zabbix.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zabbix_agent_network_sigma.yml"", ""Description"": ""Detects potential network activity of Zabbix Agent RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zabbix_agent_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Zabbix Agent RMM tool""}]",https://www.zabbix.com/documentation/current/en/manual/appendix/install/windows_agent,[] -Senso.cloud,,Senso.cloud is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"SensoClient.exe, SensoService.exe, aadg.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.senso.cloud"", ""senso.cloud""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/senso.cloud_network_sigma.yml"", ""Description"": ""Detects potential network activity of Senso.cloud RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/senso.cloud_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Senso.cloud RMM tool""}]",https://support.senso.cloud/support/solutions/articles/79000116305-firewall-and-content-filter-configuration,[] -I'm InTouch,,I'm InTouch is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"iit.exe, intouch.exe, I'm InTouch Go Installer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.01com.com"", ""01com.com/imintouch-remote-pc-desktop""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/i'm_intouch_network_sigma.yml"", ""Description"": ""Detects potential network activity of I'm InTouch RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/i'm_intouch_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of I'm InTouch RMM tool""}]",https://www.01com.com/mobile/imintouch-remote-pc-desktop/faqs/remote-access/,[] -RustDesk,,RustDesk is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rustdesk*.exe, rustdesk.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""rustdesk.com"", ""user_managed"", ""web.rustdesk.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rustdesk_network_sigma.yml"", ""Description"": ""Detects potential network activity of RustDesk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rustdesk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RustDesk RMM tool""}]",https://rustdesk.com/docs/en/,[] -Electric AI (Kaseya),,Electric AI (Kaseya) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""electric.ai""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/electric_network_sigma.yml"", ""Description"": ""Detects potential network activity of Electric RMM tool""}]",https://www.electric.ai/product/device-management-solutions - Usess Kaseya/jamf,[] -ZOC,,ZOC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\ZOC8\*, *\ZOC?\*, *\zoc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ZOC RMM tool""}]",,[] -Any Support,,Any Support is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/27/2024,,,,,,,,,,,,ManualLauncher.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.anysupport.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/any_support_network_sigma.yml"", ""Description"": ""Detects potential network activity of Any Support RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/any_support_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Any Support RMM tool""}]",https://www.anysupport.net/introduce_howto.php,[] -PDQ Connect,,PDQ Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,pdq-connect*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""app.pdq.com"", ""cfcdn.pdq.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pdq_connect_network_sigma.yml"", ""Description"": ""Detects potential network activity of PDQ Connect RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pdq_connect_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of PDQ Connect RMM tool""}]",https://connect.pdq.com/hc/en-us/articles/9518992071707-Network-Requirements,[] +Rapid7,,Rapid7 is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"ir_agent.exe, rapid7_agent_core.exe, rapid7_endpoint_broker.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.analytics.insight.rapid7.com"", ""*.endpoint.ingress.rapid7.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rapid7_network_sigma.yml"", ""Description"": ""Detects potential network activity of Rapid7 RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rapid7_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Rapid7 RMM tool""}]",https://docs.rapid7.com/insightvm/configure-communications-with-the-insight-platform/,[] +SunLogin,,SunLogin is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"OrayRemoteShell.exe, OrayRemoteService.exe, sunlogin*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""sunlogin.oray.com"", ""client.oray.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sunlogin_network_sigma.yml"", ""Description"": ""Detects potential network activity of SunLogin RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sunlogin_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SunLogin RMM tool""}]",https://sunlogin.oray.com/en/embed/software.html,[] +GoToAssist Agent Desktop Console,,GoToAssist Agent Desktop Console is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\G2RDesktopConsole-x64.msi, *\G2RDesktopConsole-x64.msi","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Kaseya (VSA),,"Kaseya (VSA) aka Unigma is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. +",Nasreddine Bencherchali,2024-08-05,2024-08-05,,agentmon.exe,,,,,,,,,,"C:\Program Files (x86)\Kaseya\, C:\ProgramData\Kaseya\","{""Disk"": [{""File"": ""%localappdata%\\Kaseya\\Log\\KaseyaLiveConnect\\*"", ""Description"": ""Kaseya Live Connect logs"", ""OS"": ""Windows""}, {""File"": ""~/Library/Logs/com.kaseya/KaseyaLiveConnect/*"", ""Description"": ""Kaseya Live Connect logs"", ""OS"": ""MacOS""}, {""File"": ""C:\\ProgramData\\Kaseya\\Log\\Endpoint\\*"", ""Description"": ""Kaseya Endpoint logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files*\\Kaseya\\*\\agentmon.log"", ""Description"": ""Kaseya Agent Monitor log""}, {""File"": ""/var/log/system.log"", ""Description"": ""Kaseya Agent Monitor log"", ""OS"": ""MacOS 32bit""}, {""File"": "" ~/opt/kaseya/*/logs*"", ""Description"": ""Kaseya Agent Monitor log"", ""OS"": ""MacOS 64bit""}, {""File"": ""C:\\Users\\*\\AppData\\Local\\Temp\\KASetup.log"", ""Description"": ""Kaseya Setup log in user temp directory"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\Temp\\KASetup.log"", ""Description"": ""Kaseya Setup log in Windows temp directory"", ""OS"": ""Windows""}, {""File"": ""C:\\ProgramData\\Kaseya\\Log\\KaseyaEdgeServices\\*"", ""Description"": ""Kaseya Edge Services logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Kaseya\\api\\v1.0\\logs\\"", ""Description"": ""Kaseya API logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Kaseya\\api\\v1.5\\endpoint\\logs"", ""Description"": ""Kaseya API logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Kaseya\\api\\v1.5\\endpoints\\logs"", ""Description"": ""Kaseya API logs"", ""OS"": ""Windows""}, {""File"": 
""C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Kaseya\\Log\\MakeSelfSignedCert.exe\\"", ""Description"": ""Certificate creation"", ""OS"": ""Windows""}, {""File"": ""C:\\Kaseya\\WebPages\\install\\makecert.txt"", ""Description"": ""Certificate creation"", ""OS"": ""Windows""}, {""File"": ""C:\\ProgramData\\Kaseya\\Log\\Endpoint\\Instance_*\\KaseyaEndpoint*"", ""Description"": ""Endpoint service logs"", ""OS"": ""Windows""}, {""File"": ""C:\\ProgramData\\Kaseya\\Log\\Endpoint\\Instance_*\\Session_*"", ""Description"": ""Session logs"", ""OS"": ""Windows""}], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""deploy01.kaseya.com"", ""*managedsupport.kaseya.net"", ""*.kaseya.net"", ""kaseya.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kaseya__vsa__network_sigma.yml"", ""Description"": ""Detects potential network activity of Kaseya (VSA) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kaseya__vsa__files_sigma.yml"", ""Description"": ""Detects potential files activity of Kaseya (VSA) RMM tool""}]","https://helpdesk.kaseya.com/hc/en-gb/articles/229012608-Software-Deployment-URL-Port-Requirements, https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations, https://ruler-project.github.io/ruler-project/RULER/remote/Kaseya/, https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations",[] +PuTTY Tray,,PuTTY Tray is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\puttytray.exe, *\puttytray.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/putty_tray_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of PuTTY Tray RMM tool""}]",,[] +SysAid,,SysAid is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\SysAidServer\*, *\SysAidServer\*, *\SysAid\*, *\IliAS.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sysaid_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SysAid RMM tool""}]",,[] +Domotz,,Domotz is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"domotz.exe, Domotz Pro Desktop App.exe, domotz_bash.exe, domotz*.exe, Domotz Pro Desktop App Setup*.exe, domotz-windows*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.domotz.co"", ""domotz.com"", ""*cell-1.domotz.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/domotz_network_sigma.yml"", ""Description"": ""Detects potential network activity of Domotz RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/domotz_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Domotz RMM tool""}]",https://help.domotz.com/tips-tricks/unblock-outgoing-connections-on-firewall/,[] +BeyondTrust,,BeyondTrust is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Netop Remote Control (aka Impero Connect),,Netop Remote Control (aka Impero Connect) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"nhostsvc.exe, nhstw32.exe, nldrw32.exe, rmserverconsolemediator.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""imperosoftware.com/impero-connect/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__aka_impero_connect__network_sigma.yml"", ""Description"": ""Detects potential network activity of Netop Remote Control (aka Impero Connect) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__aka_impero_connect__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Netop Remote Control (aka Impero Connect) RMM tool""}]",,[] +Microsoft TSC,,Microsoft TSC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"termsrv.exe, mstsc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_tsc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Microsoft TSC RMM tool""}]",https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/terminal-server-startup-connection-application,[] +Jump Desktop,,Jump Desktop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"jumpclient.exe, jumpdesktop.exe, jumpservice.exe, jumpconnect.exe, jumpupdater.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.jumpdesktop.com"", ""jumpdesktop.com"", ""jumpto.me"", ""*.jumpto.me""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_desktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of Jump Desktop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_desktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Jump Desktop RMM tool""}]",https://support.jumpdesktop.com/hc/en-us/articles/360042490351-Administrators-Guide-For-Jump-Desktop-Connect,[] +IntelliAdmin Remote Control,,IntelliAdmin Remote Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"iadmin.exe, intelliadmin.exe, agent32.exe, agent64.exe, agent_setup_5.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""*.intelliadmin.com"", ""intelliadmin.com/remote-control""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/intelliadmin_remote_control_network_sigma.yml"", ""Description"": ""Detects potential network activity of IntelliAdmin Remote Control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/intelliadmin_remote_control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of IntelliAdmin Remote Control RMM tool""}]",intelliadmin.com/remote-control,[] +Chrome SSH Extension,,Chrome SSH Extension is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\Extensions\iodihamcpbpeioajjeobimgagajmlibd*, *Users\*\AppData\Local\Google\Chrome\User Data\Default\Extensions\iodihamcpbpeioajjeobimgagajmlibd*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +ZeroTier,,ZeroTier is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"zerotier*.msi, zerotier*.exe, zero-powershell.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""zerotier.com"", ""*.zerotier.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zerotier_network_sigma.yml"", ""Description"": ""Detects potential network activity of ZeroTier RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zerotier_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ZeroTier RMM tool""}]",https://my.zerotier.com/,[] +Ericom AccessNow,,Ericom AccessNow is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"accessserver*.exe, accessserver.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""ericom.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_accessnow_network_sigma.yml"", ""Description"": ""Detects potential network activity of Ericom AccessNow RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_accessnow_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Ericom AccessNow RMM tool""}]",https://www.ericom.com/connect-accessnow/,[] +RealVNC,,RealVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] Pcnow,,Pcnow is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"mwcliun.exe, pcnmgr.exe, webexpcnow.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""au.pcmag.com/utilities/21470/webex-pcnow""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcnow_network_sigma.yml"", ""Description"": ""Detects potential network activity of Pcnow RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcnow_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pcnow RMM tool""}]",http://pcnow.webex.com/ - DOA as of 2024,[] -Seetrol,,Seetrol is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"seetrolcenter.exe, seetrolclient.exe, seetrolmyservice.exe, seetrolremote.exe, seetrolsetting.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""seetrol.co.kr""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/seetrol_network_sigma.yml"", ""Description"": ""Detects potential network activity of Seetrol RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/seetrol_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Seetrol RMM tool""}]",http://www.seetrol.com/en/features/features3.php,[] -CarotDAV,,CarotDAV is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Rei Software\CarotDAV\*, *\Rei Software\CarotDAV\*, *\CarotDAV.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/carotdav_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of CarotDAV RMM tool""}]",,[] -Goverlan,,Goverlan is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"goverrmc.exe, govsrv*.exe, GovAgentInstallHelper.exe, GovAgentx64.exe, GovReachClient.exe, C:\Program Files (x86)\PJ Technologies\GOVsrv\*, *\PJ Technologies\GOVsrv\*, *\GovSrv.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""goverlan.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/goverlan_network_sigma.yml"", ""Description"": ""Detects potential network activity of Goverlan RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/goverlan_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Goverlan RMM tool""}]",https://www.goverlan.com/pdf/Goverlan-Remote-Control-Software.pdf,[] -OptiTune,,OptiTune is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"OTService.exe, OTPowerShell.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.optitune.us"", ""*.opti-tune.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/optitune_network_sigma.yml"", ""Description"": ""Detects potential network activity of OptiTune RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/optitune_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of OptiTune RMM tool""}]",https://www.bravurasoftware.com/optitune/support/faq.aspx,[] -EMCO Remote Console,,EMCO Remote Console is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,remoteconsole.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""emcosoftware.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/emco_remote_console_network_sigma.yml"", ""Description"": ""Detects potential network activity of EMCO Remote Console RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/emco_remote_console_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of EMCO Remote Console RMM tool""}]",,[] -N-Able Advanced Monitoring Agent,,N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"Agent_*_RW.exe, BASEClient.exe, BASupApp.exe, BASupSrvc.exe, BASupSrvcCnfg.exe, BASupTSHelper.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*remote.management"", ""*.logicnow.com"", ""*systemmonitor.us"", ""*systemmonitor.eu.com"", ""*system-monitor.com"", ""systemmonitor.us.cdn.cloudflare.net"", ""*cloudbackup.management"", ""*systemmonitor.co.uk"", ""*.n-able.com"", ""*.beanywhere.com "", ""*.swi-tc.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_network_sigma.yml"", ""Description"": ""Detects potential network activity of N-Able Advanced Monitoring Agent RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of N-Able Advanced Monitoring Agent RMM 
tool""}]",https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm,[] -Tailscale,,Tailscale is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"tailscale-*.exe, tailscaled.exe, tailscale-ipn.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.tailscale.com"", ""*.tailscale.io"", ""tailscale.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tailscale_network_sigma.yml"", ""Description"": ""Detects potential network activity of Tailscale RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tailscale_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Tailscale RMM tool""}]",https://tailscale.com/kb/1023/troubleshooting,[] -Pilixo,,Pilixo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rdp.exe, Pilixo_Installer*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""pilixo.com"", ""download.pilixo.com"", ""*.pilixo.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pilixo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Pilixo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pilixo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pilixo RMM tool""}]",https://pilixo.freshdesk.com/support/solutions/articles/9000141879-device-connectivity-and-firewalls,[] -Remote Desktop Manager (Devolutions),,Remote Desktop Manager (Devolutions) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -BeyondTrust (Bomgar),,BeyondTrust (Bomgar) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"bomgar-scc-*.exe, bomgar-scc.exe, bomgar-pac-*.exe, bomgar-pac.exe, bomgar-rdp.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.beyondtrustcloud.com"", ""*.bomgarcloud.com"", ""bomgarcloud.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__network_sigma.yml"", ""Description"": ""Detects potential network activity of BeyondTrust (Bomgar) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of BeyondTrust (Bomgar) RMM tool""}]",https://www.beyondtrust.com/docs/remote-support/getting-started/deployment/cloud/network.htm,[] -Alpemix,,"Alpemix is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. 
-",Nasreddine Bencherchali,2024-08-05,2024-08-05,https://www.alpemix.com/en/Home,Alpemix.exe,Alpemix,Alpemix,Alpemix,,,,"Windows, Linux, Android, Mac, IOS","5 Different Solutions for Remote Support, Access to Unattended Computers, Access to User Account Control (UAC) Screens, Add Your Own Logo, Auto Sizing, Automatic Update, Clipboard Transfer, Computer Independent Licensing, Contact List and Groups, Encrypted Communication, External Communication Barrier, File Transfer, Instant Messaging, Multi-Platform Support, Multiple Chat, Multiple Connections, No Port Forwarding Required, Peer to Peer Connection (p2p), Receiving Offline Message, Remote Restart, ReportingRestricting The Authority, Screen Sharing, Sending Announcement Message, Sharing a certain part of the screen, Video Recording, Voice Communication, Who is currently supporting?, Working in Black Screen Mode",,"C:\AlpemixService.exe, C:\AlpemixSrvc\","{""Disk"": [{""File"": ""%localappdata%\\Alpemix\\Alpemix.ini"", ""Description"": ""N/A"", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""AlpemixSrvc"", ""ImagePath"": ""*\\Alpemix.exe servicestartxxx"", ""Description"": ""Service installation event as result of Alpemix installation.""}], ""Registry"": [{""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Services\\AlpemixSrvcx"", ""Description"": ""N/A""}], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""*.alpemix.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.teknopars.com""], ""Ports"": [80]}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of Alpemix RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_network_sigma.yml"", ""Description"": ""Detects potential network activity of Alpemix RMM tool""}, 
{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_files_sigma.yml"", ""Description"": ""Detects potential files activity of Alpemix RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Alpemix RMM tool""}]",https://www.alpemix.com/en/remote-access,"[{""Person"": ""Nasreddine Bencherchali"", ""Handle"": ""@nas_bench""}]" -Auvik,,Auvik is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"auvik.engine.exe, auvik.agent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.my.auvik.com"", ""*.auvik.com"", ""auvik.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/auvik_network_sigma.yml"", ""Description"": ""Detects potential network activity of Auvik RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/auvik_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Auvik RMM tool""}]",https://support.auvik.com/hc/en-us/articles/204315700-What-protocols-and-ports-does-the-Auvik-collector-use,[] -Tactical RMM,,Tactical RMM is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"tacticalrmm.exe, tacticalrmm.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""login.tailscale.com"", ""login.tailscale.com"", ""docs.tacticalrmm.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tactical_rmm_network_sigma.yml"", ""Description"": ""Detects potential network activity of Tactical RMM RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tactical_rmm_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Tactical RMM RMM tool""}]",docs.tacticalrmm.com,[] -MioNet (WD Anywhere Access),,MioNet (WD Anywhere Access) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"mionet.exe, mionetmanager.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mionet__wd_anywhere_access__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MioNet (WD Anywhere Access) RMM tool""}]",https://en.wikipedia.org/wiki/WD_Anywhere_Access - DOA as of 2016,[] -Comodo RMM,,Comodo RMM is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"itsmagent.exe, rviewer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.itsm-us1.comodo.com"", ""*mdmsupport.comodo.com"", ""one.comodo.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/comodo_rmm_network_sigma.yml"", ""Description"": ""Detects potential network activity of Comodo RMM RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/comodo_rmm_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Comodo RMM RMM tool""}]","https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html",[] -Pocket Controller,,Pocket Controller is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"pocketcontroller.exe, pocketcloudservice.exe, wysebrowser.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""soti.net/products/soti-pocket-controller""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller_network_sigma.yml"", ""Description"": ""Detects potential network activity of Pocket Controller RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pocket Controller RMM tool""}]",,[] -NordLocker,,NordLocker is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -OCS inventory,,OCS inventory is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"ocsinventory.exe, ocsservice.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""ocsinventory-ng.org""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ocs_inventory_network_sigma.yml"", ""Description"": ""Detects potential network activity of OCS inventory RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ocs_inventory_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of OCS inventory RMM tool""}]",https://ocsinventory-ng.org/?page_id=878&lang=en,[] -GotoHTTP,,GotoHTTP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"GotoHTTP_x64.exe, gotohttp.exe, GotoHTTP*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.gotohttp.com"", ""gotohttp.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotohttp_network_sigma.yml"", ""Description"": ""Detects potential network activity of GotoHTTP RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotohttp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of GotoHTTP RMM tool""}]",https://gotohttp.com/goto/help.12x,[] -Terminals,,Terminals is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -RPort,,RPort is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,rport.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""rport.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rport_network_sigma.yml"", ""Description"": ""Detects potential network activity of RPort RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rport_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RPort RMM tool""}]",https://kb.rport.io/using-the-remote-access,[] +DesktopNow,,DesktopNow is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,desktopnow.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.nchuser.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktopnow_network_sigma.yml"", ""Description"": ""Detects potential network activity of DesktopNow RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktopnow_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DesktopNow RMM tool""}]",https://forums.ivanti.com/s/article/Network-Ports-used-by-Environment-Manager?language=en_US,[] +Pocket Controller (Soti Xsight),,Pocket Controller (Soti Xsight) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"pocketcontroller.exe, wysebrowser.exe, XSightService.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*soti.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller__soti_xsight__network_sigma.yml"", ""Description"": ""Detects potential network activity of Pocket Controller (Soti Xsight) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller__soti_xsight__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pocket Controller (Soti Xsight) RMM tool""}]",https://pulse.soti.net/support/soti-xsight/help/,[] +Instant Housecall,,Instant Housecall is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"hsloader.exe, ihcserver.exe, instanthousecall.exe, instanthousecall.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.instanthousecall.com"", ""*.instanthousecall.net"", ""instanthousecall.com"", ""secure.instanthousecall.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_network_sigma.yml"", ""Description"": ""Detects potential network activity of Instant Housecall RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Instant Housecall RMM tool""}]",https://instanthousecall.com/features/,[] CentraStage (Now Datto),,CentraStage (Now Datto) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"CagService.exe, AEMAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.rmm.datto.com"", ""*cc.centrastage.net"", ""datto.com/au/products/rmm/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centrastage__now_datto__network_sigma.yml"", ""Description"": ""Detects potential network activity of CentraStage (Now Datto) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centrastage__now_datto__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of CentraStage (Now Datto) RMM tool""}]",https://rmm.datto.com/help/de/Content/1INTRODUCTION/Requirements/AllowListRequirements.htm,[] -Instant Housecall,,Instant Housecall is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"hsloader.exe, InstantHousecall.exe, ihcserver.exe, instanthousecall.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.instanthousecall.com"", ""secure.instanthousecall.com"", ""*.instanthousecall.net"", ""instanthousecall.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_network_sigma.yml"", ""Description"": ""Detects potential network activity of Instant Housecall RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Instant Housecall RMM tool""}]",https://instanthousecall.com/features/,[] -CruzControl,,CruzControl is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],https://resources.doradosoftware.com/cruz-rmm,[] -Mikogo,,Mikogo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"mikogo.exe, mikogo-starter.exe, mikogo-service.exe, mikogolauncher.exe, C:\Users\*\AppData\Roaming\Mikogo\*, *Users\*\AppData\Roaming\Mikogo\*, *\Mikogo-Service.exe, *\Mikogo-Screen-Service.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.real-time-collaboration.com"", ""*.mikogo4.com"", ""*.mikogo.com"", ""mikogo.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mikogo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Mikogo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mikogo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Mikogo RMM tool""}]",https://mikogo.zendesk.com/hc/en-us/articles/214072478-Which-IP-addresses-do-we-use-for-our-services,[] -mRemoteNG,,mRemoteNG is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"mRemoteNG.exe, C:\Program Files (x86)\mRemoteNG\*, *\mRemoteNG\*, *\mRemoteNG.exe, c:\Program Files (x86)%\mRemoteNG, *%\mRemoteNG, mRemoteNG-Installer-*.msi, *\mRemoteNG.exe","{""Disk"": [{""File"": ""C:\\Users\\*\\AppData\\Roaming\\mRemoteNG\\mRemoteNG.log"", ""Description"": ""mRemoteNG log file"", ""OS"": ""Windows""}, {""File"": ""C:\\Users\\*\\AppData\\Roaming\\mRemoteNG\\confCons.xml"", ""Description"": ""mRemoteNG configuration file"", ""OS"": ""Windows""}, {""File"": ""C:\\Users\\*\\AppData\\*\\mRemoteNG\\**10\\user.config"", ""Description"": ""mRemoteNG user configuration file"", ""OS"": ""Windows""}], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""mremoteng.org""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_network_sigma.yml"", ""Description"": ""Detects potential network activity of mRemoteNG RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_files_sigma.yml"", ""Description"": ""Detects potential files activity of mRemoteNG RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of mRemoteNG RMM tool""}]",https://github.com/mRemoteNG/mRemoteNG,[] -LabTech RMM (Now ConnectWise Automate),,LabTech RMM (Now ConnectWise Automate) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"ltsvc.exe, ltsvcmon.exe, lttray.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""connectwise.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labtech_rmm__now_connectwise_automate__network_sigma.yml"", ""Description"": ""Detects potential network activity of LabTech RMM (Now ConnectWise Automate) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labtech_rmm__now_connectwise_automate__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of LabTech RMM (Now ConnectWise Automate) RMM tool""}]",,[] -ScreenMeet,,ScreenMeet is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"ScreenMeetSupport.exe, ScreenMeet.Support.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.screenmeet.com"", ""*.scrn.mt""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenmeet_network_sigma.yml"", ""Description"": ""Detects potential network activity of ScreenMeet RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenmeet_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ScreenMeet RMM tool""}]",https://docs.screenmeet.com/docs/firewall-white-list,[] -RES Automation Manager,,RES Automation Manager is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"wisshell*.exe, wmc.exe, wmc_deployer.exe, wmcsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""ivanti.com/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/res_automation_manager_network_sigma.yml"", ""Description"": ""Detects potential network activity of RES Automation Manager RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/res_automation_manager_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RES Automation Manager RMM tool""}]",https://forums.ivanti.com/s/article/INFO-Which-ports-does-Ivanti-Automation-use?language=en_US&ui-force-components-controllers-recordGlobalValueProvider.RecordGvp.getRecord=1,[] -Anyplace Control,,Anyplace Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,apc_host.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""anyplace-control.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyplace_control_network_sigma.yml"", ""Description"": ""Detects potential network activity of Anyplace Control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyplace_control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Anyplace Control RMM tool""}]",http://www.anyplace-control.com/anyplace-control/help/faq.htm,[] -TightVNC,,TightVNC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"tvnviewer.exe, TightVNCViewerPortable*.exe, tvnserver.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""tightvnc.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tightvnc_network_sigma.yml"", ""Description"": ""Detects potential network activity of TightVNC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tightvnc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of TightVNC RMM tool""}]",https://www.tightvnc.com/doc/win/TightVNC_for_Windows-Installation_and_Getting_Started.pdf,[] -LiteManager,,LiteManager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"lmnoipserver.exe, ROMFUSClient.exe, romfusclient.exe, romviewer.exe, romserver.exe, ROMServer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.litemanager.ru"", ""*.litemanager.com"", ""litemanager.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/litemanager_network_sigma.yml"", ""Description"": ""Detects potential network activity of LiteManager RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/litemanager_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of LiteManager RMM tool""}]",https://www.litemanager.com/articles/LiteManager_remote_access_to_a_desktop_via_the_Internet_or_LAN/,[] -Sophos-Remote Management System,,Sophos-Remote Management System is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"clientmrinit.exe, mgntsvc.exe, routernt.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.sophos.com"", ""*.sophosupd.com"", ""*.sophosupd.net"", ""community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sophos-remote_management_system_network_sigma.yml"", ""Description"": ""Detects potential network activity of Sophos-Remote Management System RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sophos-remote_management_system_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Sophos-Remote Management System RMM tool""}]",community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system,[] -ManageEngine,,ManageEngine is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"InstallShield Setup.exe, ManageEngine_Remote_Access_Plus.exe, *\dcagentservice.exe, C:\Program Files (x86)\DesktopCentral_Agent\bin\*, *\DesktopCentral_Agent\bin\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manageengine_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ManageEngine RMM tool""}]",,[] -Splashtop Remote,,Splashtop Remote is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"strwinclt.exe, Splashtop_Streamer_Windows*.exe, SplashtopSOS.exe, sragent.exe, srmanager.exe, srserver.exe, srservice.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""splashtop.com"", ""*.api.splashtop.com"", ""*.relay.splashtop.com"", ""*.api.splashtop.eu""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_remote_network_sigma.yml"", ""Description"": ""Detects potential network activity of Splashtop Remote RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_remote_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Splashtop Remote RMM tool""}]",https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services,[] -rdp2tcp,,rdp2tcp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"tdp2tcp.exe, rdp2tcp.py","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""github.com/V-E-O/rdp2tcp""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdp2tcp_network_sigma.yml"", ""Description"": ""Detects potential network activity of rdp2tcp RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdp2tcp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of rdp2tcp RMM tool""}]",github.com/V-E-O/rdp2tcp,[] -Jump Cloud,,Jump Cloud is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,JumpCloud*.exe ,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.api.jumpcloud.com"", ""*.assist.jumpcloud.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_cloud_network_sigma.yml"", ""Description"": ""Detects potential network activity of Jump Cloud RMM tool""}]",https://jumpcloud.com/support/understand-remote-assist-agent,[] -RuDesktop,,RuDesktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rd.exe, rudesktop*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.rudesktop.ru"", ""rudesktop.ru""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rudesktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of RuDesktop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rudesktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RuDesktop RMM tool""}]",https://rudesktop.ru,[] -LogMeIn,,"LogMeIn is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. 
-",Nasreddine Bencherchali,2024-08-05,2024-08-05,https://www.logmein.com/,lmiguardiansvc.exe,,,,,,,,,,None,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""logmein-gateway.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.logmein.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.logmein.eu""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""logmeinrescue.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.logmeininc.com""], ""Ports"": [443]}]}","[{""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml"", ""Description"": ""DNS Query To Remote Access Software Domain From Non-Browser App""}, {""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_remote_access_tools_logmein.yml"", ""Description"": ""Remote Access Tool - LogMeIn Execution""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_network_sigma.yml"", ""Description"": ""Detects potential network activity of LogMeIn RMM tool""}]",https://support.logmeininc.com/central/help/allowlisting-and-firewall-configuration,"[{""Person"": ""Nasreddine Bencherchali"", ""Handle"": ""@nas_bench""}]" -SmartFTP,,SmartFTP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\SmartFTP Client\en-US\, *\SmartFTP Client\*, *\SfShellTools.dll.mui","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -NetSupport Manager,,NetSupport Manager is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"pcictlui.exe, pcicfgui.exe, client32.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.netsupportmanager.com"", ""netsupportmanager.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_network_sigma.yml"", ""Description"": ""Detects potential network activity of NetSupport Manager RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NetSupport Manager RMM tool""}]",https://www.netsupportmanager.com/resources/,[] -Pocket Cloud (Wyse),,Pocket Cloud (Wyse) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"pocketcloud*.exe, pocketcloudservice.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_cloud__wyse__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pocket Cloud (Wyse) RMM tool""}]",https://wyse-pocketcloud.informer.com/2.1/,[] -Guacamole,,Guacamole is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,guacd.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""guacamole.apache.org""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/guacamole_network_sigma.yml"", ""Description"": ""Detects potential network activity of Guacamole RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/guacamole_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Guacamole RMM tool""}]",guacamole.apache.org,[] -LANDesk,,LANDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"issuser.exe, landeskagentbootstrap.exe, LANDeskPortalManager.exe, ldinv32.exe, ldsensors.exe, C:\Program Files (x86)\LANDesk\*, *\LANDesk\*, *\issuser.exe, *\softmon.exe, *\tmcsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.ivanticloud.com"", ""*.ivanti.com"", ""ivanti.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/landesk_network_sigma.yml"", ""Description"": ""Detects potential network activity of LANDesk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/landesk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of LANDesk RMM tool""}]",https://forums.ivanti.com/s/article/URL-exception-list-for-Ivanti-Security-Controls?language=en_US,[] -pcAnywhere,,pcAnywhere is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"awhost32.exe, awrem32.exe, pcaquickconnect.exe, winaw32.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcanywhere_network_sigma.yml"", ""Description"": ""Detects potential network activity of pcAnywhere RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcanywhere_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of pcAnywhere RMM tool""}]",https://en.wikipedia.org/wiki/PcAnywhere,[] +Insync,,Insync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\USERNAME\AppData\Roaming\Insync\App\Insync.exe, *Users\*\AppData\Roaming\Insync\App\Insync.exe, *\Insync.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/insync_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Insync RMM tool""}]",,[] +LogMeIn rescue,,LogMeIn rescue is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"support-logmeinrescue*.exe, support-logmeinrescue.exe, lmi_rescue.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.logmeinrescue.com"", ""*.logmeinrescue.eu"", ""logmeinrescue.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_rescue_network_sigma.yml"", ""Description"": ""Detects potential network activity of LogMeIn rescue RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_rescue_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of LogMeIn rescue RMM tool""}]",https://support.logmeinrescue.com/rescue/help/allowlisting-and-rescue,[] +Electric AI (Kaseya),,Electric AI (Kaseya) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""electric.ai""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/electric_network_sigma.yml"", ""Description"": ""Detects potential network activity of Electric RMM tool""}]",https://www.electric.ai/product/device-management-solutions - Usess Kaseya/jamf,[] +Adobe Connect,,Adobe Connect is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/27/2024,,,,,,,,,,,,"ConnectAppSetup*.exe, ConnectShellSetup*.exe, Connect.exe, ConnectDetector.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.adobeconnect.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/adobe_connect_network_sigma.yml"", ""Description"": ""Detects potential network activity of Adobe Connect RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/adobe_connect_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Adobe Connect RMM tool""}]",https://helpx.adobe.com/adobe-connect/firewall-proxy-server-configuration-adobe-connect.html,[] +CloudFlare Tunnel,,CloudFlare Tunnel is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,cloudflared.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""cloudflare.com/products/tunnel/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudflare_tunnel_network_sigma.yml"", ""Description"": ""Detects potential network activity of CloudFlare Tunnel RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudflare_tunnel_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of CloudFlare Tunnel RMM tool""}]",cloudflare.com/products/tunnel/,[] mstsc,,mstsc is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Windows\System32\mstsc.exe, *Windows\System32\mstsc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mstsc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of mstsc RMM tool""}]",,[] -FreeNX,,FreeNX is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\nxplayer.exe, *\nxplayer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/freenx_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of FreeNX RMM tool""}]",,[] -PSEXEC (Clone),,PSEXEC (Clone) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"paexec.exe, PAExec-*.exe, csexec.exe , remcom.exe, remcomsvc.exe, xcmd.exe, xcmdsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec__clone__network_sigma.yml"", ""Description"": ""Detects potential network activity of PSEXEC (Clone) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec__clone__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of PSEXEC (Clone) RMM tool""}]",https://www.poweradmin.com/paexec/,[] -SpyAnywhere,,SpyAnywhere is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,sysdiag.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.spytech-web.com"", ""spyanywhere.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/spyanywhere_network_sigma.yml"", ""Description"": ""Detects potential network activity of SpyAnywhere RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/spyanywhere_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SpyAnywhere RMM tool""}]",https://www.spyanywhere.com/support.shtml,[] -MultCloud,,MultCloud is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"requires sign up, requires sign up","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Visual Studio Dev Tunnel,,Visual Studio Dev Tunnel is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""global.rel.tunnels.api.visualstudio.com"", ""*.rel.tunnels.api.visualstudio.com"", ""*.devtunnels.ms""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/visual_studio_dev_tunnel_network_sigma.yml"", ""Description"": ""Detects potential network activity of Visual Studio Dev Tunnel RMM tool""}]",https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security,[] -Xpra,,Xpra is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Xpra\*, *\Xpra\*, *\Xpra-Launcher.exe, *\Xpra-x86_64_Setup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xpra_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Xpra RMM tool""}]",,[] -Royal Apps,,Royal Apps is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"royalserver.exe, royalts.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_apps_network_sigma.yml"", ""Description"": ""Detects potential network activity of Royal Apps RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_apps_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Royal Apps RMM tool""}]",https://www.royalapps.com/ts/win/download,[] -eHorus,,eHorus is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,ehorus standalone.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""ehorus.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ehorus_network_sigma.yml"", ""Description"": ""Detects potential network activity of eHorus RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ehorus_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of eHorus RMM tool""}]",,[] -SuperPuTTY,,SuperPuTTY is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Downloads\SuperPuTTY\*, *Downloads\SuperPuTTY\*, *\superputty.exe, *\SuperPuTTY\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superputty_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SuperPuTTY RMM tool""}]",,[] -ZeroTier,,ZeroTier is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"zerotier*.msi, zerotier*.exe, zero-powershell.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""zerotier.com"", ""*.zerotier.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zerotier_network_sigma.yml"", ""Description"": ""Detects potential network activity of ZeroTier RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zerotier_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ZeroTier RMM tool""}]",https://my.zerotier.com/,[] +Parallels Access,,Parallels Access is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"parallelsaccess-*.exe, TSClient.exe, prl_deskctl_agent.exe, prl_deskctl_wizard.exe, prl_pm_service.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.parallels.com"", ""parallels.com/products/ras/try""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/parallels_access_network_sigma.yml"", ""Description"": ""Detects potential network activity of Parallels Access RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/parallels_access_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Parallels Access RMM tool""}]",https://kb.parallels.com/en/129097,[] +ConnectWise Control,,ConnectWise Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"connectwisechat-customer.exe, connectwisecontrol.client.exe, screenconnect.windowsclient.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""live.screenconnect.com"", ""control.connectwise.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_network_sigma.yml"", ""Description"": ""Detects potential network activity of ConnectWise Control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ConnectWise Control RMM tool""}]",,[] Devolutions Remote Desktop Manager,,Devolutions Remote Desktop Manager is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -BeAnyWhere,,BeAnyWhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"basuptshelper.exe, basupsrvcupdate.exe, BASupApp.exe, BASupSysInf.exe, BASupAppSrvc.exe, TakeControl.exe, BASupAppElev.exe, basupsrvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""beanywhere.en.uptodown.com/windows"", ""beanywhere.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beanywhere_network_sigma.yml"", ""Description"": ""Detects potential network activity of BeAnyWhere RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beanywhere_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of BeAnyWhere RMM tool""}]",https://www.shouldiremoveit.com/beanywhere-support-service-40908-program.aspx,[] -WebEx (Remote Access),,WebEx (Remote Access) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],https://help.webex.com/en-us/article/nyc3q0b/Set-Up-a-Computer-for-Remote-Access,[] +TigerVNC,,TigerVNC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"tigervnc*.exe, winvnc4.exe, C:\Program Files\TightVNC\*, *\TightVNC\*, *\tvnserver.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tigervnc_network_sigma.yml"", ""Description"": ""Detects potential network activity of TigerVNC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tigervnc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of TigerVNC RMM tool""}]",https://github.com/TigerVNC/tigervnc/releases,[] +Rocket Remote Desktop,,Rocket Remote Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"RDConsole.exe, RocketRemoteDesktop_Setup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rocket_remote_desktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Rocket Remote Desktop RMM tool""}]",,[] +NoteOn-desktop sharing,,NoteOn-desktop sharing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"nateon*.exe, nateon.exe, nateonmain.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/noteon-desktop_sharing_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NoteOn-desktop sharing RMM tool""}]",,[] +HelpU,,HelpU is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"helpu_install.exe, HelpuUpdater.exe, HelpuManager.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""helpu.co.kr"", ""*.helpu.co.kr""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpu_network_sigma.yml"", ""Description"": ""Detects potential network activity of HelpU RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpu_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of HelpU RMM tool""}]",https://helpu.co.kr/,[] +Splashtop Remote,,Splashtop Remote is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"strwinclt.exe, Splashtop_Streamer_Windows*.exe, SplashtopSOS.exe, sragent.exe, srmanager.exe, srserver.exe, srservice.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""splashtop.com"", ""*.api.splashtop.com"", ""*.relay.splashtop.com"", ""*.api.splashtop.eu""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_remote_network_sigma.yml"", ""Description"": ""Detects potential network activity of Splashtop Remote RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_remote_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Splashtop Remote RMM tool""}]",https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services,[] +X2Go,,X2Go is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],https://wiki.x2go.org/doku.php,[] +Pocket Controller,,Pocket Controller is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"pocketcontroller.exe, pocketcloudservice.exe, wysebrowser.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""soti.net/products/soti-pocket-controller""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller_network_sigma.yml"", ""Description"": ""Detects potential network activity of Pocket Controller RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pocket Controller RMM tool""}]",,[] +Xshell,,Xshell is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\NetSarang\xShell\*, *\NetSarang\xShell\*, *\xShell.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xshell_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Xshell RMM tool""}]",,[] +Bitvise SSH Client,,Bitvise SSH Client is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Bitvise SSH Client\*, *\Bitvise SSH Client\*, *\BvSshClient-Inst.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bitvise_ssh_client_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Bitvise SSH Client RMM tool""}]",,[] +Royal Server,,Royal Server is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""royalapps.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_server_network_sigma.yml"", ""Description"": ""Detects potential network activity of Royal Server RMM tool""}]",https://royalapps.com/server/main/features,[] +Remote Manipulator System,,Remote Manipulator System is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rfusclient.exe, rutserv.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.internetid.ru"", ""rmansys.ru""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_manipulator_system_network_sigma.yml"", ""Description"": ""Detects potential network activity of Remote Manipulator System RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_manipulator_system_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remote Manipulator System RMM tool""}]",https://rmansys.ru/files/,[] +Manage Engine (Desktop Central),,Manage Engine (Desktop Central) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"dcagentservice.exe, dcagentregister.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""desktopcentral.manageengine.com"", ""desktopcentral.manageengine.com.eu"", ""desktopcentral.manageengine.cn"", ""*.dms.zoho.com"", ""*.dms.zoho.com.eu"", ""*.-dms.zoho.com.cn""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktop_central_network_sigma.yml"", ""Description"": ""Detects potential network activity of Desktop Central RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktop_central_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Desktop Central RMM tool""}]",,[] +Auvik,,Auvik is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"auvik.engine.exe, auvik.agent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.my.auvik.com"", ""*.auvik.com"", ""auvik.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/auvik_network_sigma.yml"", ""Description"": ""Detects potential network activity of Auvik RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/auvik_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Auvik RMM tool""}]",https://support.auvik.com/hc/en-us/articles/204315700-What-protocols-and-ports-does-the-Auvik-collector-use,[] +Basecamp,,Basecamp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""basecamp.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/basecamp_network_sigma.yml"", ""Description"": ""Detects potential network activity of Basecamp RMM tool""}]",basecamp.com - No specific RMM tool listed,[] +Free Tools Launcher,,Free Tools Launcher is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\ManageEngine\ManageEngine Free Tools\Launcher\*, *\ManageEngine\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] AnyDesk,RMM,"AnyDesk is a popular remote desktop software that enables users to access and control a computer or device from a remote location. It was developed with the primary goal of facilitating remote work, technical support, and collaboration between individuals and teams. 
","Ali Alwashali, Nasreddine Bencherchali",2023-09-29,2024-10-06,https://anydesk.com/en,anydesk.exe,AnyDesk.exe,AnyDesk,AnyDesk,User,True,False,"Android, ChromeOS, IOS, Linux, Mac, Windows","File Transfer, File System Access, Remote Control, GUI Support, Command line Support",https://www.cvedetails.com/vulnerability-list/vendor_id-16953/product_id-40173/Anydesk-Anydesk.html,"C:\Program Files (x86)\AnyDesk\*, C:\Program Files\AnyDesk\*","{""Disk"": [{""File"": ""%programdata%\\AnyDesk\\ad_svc.trace"", ""Description"": ""AnyDesk service log file. As well as ad.trace, we can determine the IP address of the other participant and its AnyDesk ID when a connection is established."", ""OS"": ""Windows"", ""Example"": [""info 2022-08-23 10:20:11.969 gsvc 4628 3528 3 anynet.relay_conn - External address: 34.xx.xx.123:46798""]}, {""File"": ""%programdata%\\AnyDesk\\connection_trace.txt"", ""Description"": ""Incoming connection logs, contains IP Address of the remote machine and file transfer activity. Only generated on target side. The content indicates how the connection was approved (e.g. the local user authorized it, or a password was used)"", ""OS"": ""Windows"", ""Example"": [""Incoming 2022-08-23, 10:23 Passwd 547911884 547911884"", ""Incoming 2022-09-28, 12:39 User 442226597 442226597""]}, {""File"": ""%APPDATA%\\AnyDesk\\connection_trace.txt"", ""Description"": ""Incoming connection logs, contains IP Address of the remote machine and file transfer activity. Only generated on target side. The content indicates how the connection was approved (e.g. the local user authorized it, or a password was used)"", ""OS"": ""Windows"", ""Example"": [""Incoming 2022-08-23, 10:23 Passwd 547911884 547911884"", ""Incoming 2022-09-28, 12:39 User 442226597 442226597""]}, {""File"": ""%APPDATA%\\AnyDesk\\ad.trace"", ""Description"": ""AnyDesk user interface log file. In this log file, we can determine the IP address of the other participant and its AnyDesk ID. 
It is also possible to track events of file transfer. Below is the Client ID and external IP address of the remote participant."", ""OS"": ""Windows"", ""Example"": [""info 2022-09-28 12:39:26.845 lsvc 9952 9944 21 anynet.any_socket - Client-ID: 442226597 (FPR: 8e28a2a25b30)."", ""info 2022-09-28 12:39:26.845 lsvc 9952 9944 21 anynet.any_socket - Logged in from 12.xx.xx.21:59562 on relay 80e496c0.""]}, {""File"": ""%APPDATA%\\AnyDesk\\chat\\*.txt"", ""Description"": ""If the chat functionality is used, its entries will be printed in a text file in this folder."", ""OS"": ""Windows""}, {""File"": ""%APPDATA%\\AnyDesk\\user.conf"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%PROGRAMDATA%\\AnyDesk\\service.conf"", ""Description"": ""Password can be set to auto-validate the session. The password will be saved in a salted hash format."", ""OS"": ""Windows""}, {""File"": ""%APPDATA%\\AnyDesk\\service.conf"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%APPDATA%\\AnyDesk\\system.conf"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%PROGRAMDATA%\\AnyDesk\\system.conf"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\AnyDesk.lnk"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\AnyDesk\\Uninstall AnyDesk.lnk"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Users\\*\\Videos\\AnyDesk\\*.anydesk"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\SysWOW64\\config\\systemprofile\\AppData\\Roaming\\AnyDesk\\*"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""~/Library/Application Support/AnyDesk/Logs/"", ""Description"": ""N/A"", ""OS"": ""Mac""}, {""File"": ""~/.config/AnyDesk/Logs/"", ""Description"": ""N/A"", ""OS"": ""Linux""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", 
""LogFile"": ""System.evtx"", ""ServiceName"": ""AnyDesk Service"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\AnyDesk\\\\AnyDesk.exe\"" --service"", ""Description"": ""Service installation event as result of AnyDesk installation.""}, {""EventID"": 4697, ""ProviderName"": ""Microsoft-Security-Auditing"", ""LogFile"": ""Security.evtx"", ""ServiceName"": ""AnyDesk Service"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\AnyDesk\\\\AnyDesk.exe\"" --service"", ""Description"": ""Service installation event as result of AnyDesk installation.""}], ""Registry"": [{""Path"": ""HKLM\\SOFTWARE\\Clients\\Media\\AnyDesk"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Services\\AnyDesk"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\Classes\\.anydesk\\shell\\open\\command"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\Classes\\AnyDesk\\shell\\open\\command"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\AnyDesk Printer\\*"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\DRIVERS\\DriverDatabase\\DeviceIds\\USBPRINT\\AnyDesk"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\DRIVERS\\DriverDatabase\\DeviceIds\\WSDPRINT\\AnyDesk"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\AnyDesk"", ""Description"": ""N/A""}], ""Network"": [{""Description"": ""During setup the boot.net.anydesk.com domain is request over port 443"", ""Domains"": [""boot.net.anydesk.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""relay-[a-f0-9]{8}.net.anydesk.com:443""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.anydesk.com""], ""Ports"": [443]}], ""Other"": [{""Type"": ""User-Agent"", ""Value"": ""AnyDesk/*""}, {""Type"": ""NamedPipe"", ""Value"": ""adprinterpipe""}]}","[{""Sigma"": 
""https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/builtin/system/service_control_manager/win_system_service_install_anydesk.yml"", ""Description"": ""Anydesk Remote Access Software Service Installation""}, {""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml"", ""Description"": ""N/A""}, {""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk.yml"", ""Description"": ""N/A""}, {""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml"", ""Description"": ""Remote Access Tool - AnyDesk Silent Installation""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of AnyDesk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_network_sigma.yml"", ""Description"": ""Detects potential network activity of AnyDesk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_files_sigma.yml"", ""Description"": ""Detects potential files activity of AnyDesk RMM tool""}]","https://support.anydesk.com/knowledge/firewall, https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html, https://github.com/mthcht/awesome-lists/tree/79ced75eebe53bcabf1235b3c17eb11788875482/Lists/RMM/anydesk, https://ruler-project.github.io/ruler-project/RULER/remote/AnyDesk/","[{""Person"": ""Th\u00e9o Letailleur"", ""Handle"": ""in/theosyn""}, {""Person"": ""Ali Alwashali"", ""Handle"": ""@ali_alwashali""}, {""Person"": ""Nasreddine Bencherchali"", ""Handle"": 
""@nas_bench""}]" -Free Ping Tool,,Free Ping Tool is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"can't find this one, can't find this one","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -S3 Browser,,S3 Browser is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\S3 Browser\*, *\S3 Browser\*, *\s3browser*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/s3_browser_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of S3 Browser RMM tool""}]",,[] -NinjaOne (formerly NinjaRMM),,NinjaOne (formerly NinjaRMM) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,*ProgramData\NinjaRMMAgent\*,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Adobe Connect,,Adobe Connect is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/27/2024,,,,,,,,,,,,"ConnectAppSetup*.exe, ConnectShellSetup*.exe, Connect.exe, ConnectDetector.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.adobeconnect.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/adobe_connect_network_sigma.yml"", ""Description"": ""Detects potential network activity of Adobe Connect RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/adobe_connect_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Adobe Connect RMM tool""}]",https://helpx.adobe.com/adobe-connect/firewall-proxy-server-configuration-adobe-connect.html,[] -RemotePC,,RemotePC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"C:\Program Files (x86)\RemotePC\*, Idrive.File-Transfer, *\RemotePC\*, remotepcservice.exe, RemotePC.exe, remotepchost.exe, idrive.RemotePCAgent, rpcsuite.exe, *\RemotePCService.exe, RemotePCService.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.remotedesktop.com"", ""*.remotepc.com"", ""www.remotepc.com"", ""remotepc.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepc_network_sigma.yml"", ""Description"": ""Detects potential network activity of RemotePC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RemotePC RMM tool""}]",https://www.remotedesktop.com/helpdesk/faq-firewall,[] -LogMeIn rescue,,LogMeIn rescue is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"support-logmeinrescue*.exe, support-logmeinrescue.exe, lmi_rescue.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.logmeinrescue.com"", ""*.logmeinrescue.eu"", ""logmeinrescue.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_rescue_network_sigma.yml"", ""Description"": ""Detects potential network activity of LogMeIn rescue RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_rescue_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of LogMeIn rescue RMM tool""}]",https://support.logmeinrescue.com/rescue/help/allowlisting-and-rescue,[] -UltraViewer,,UltraViewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"UltraViewer_Service.exe, UltraViewer_setup*, UltraViewer_Desktop.exe, ultraviewer.exe, C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe, *\UltraViewer\, *\UltraViewer_Desktop.exe, ultraviewer_desktop.exe, ultraviewer_service.exe, UltraViewer_Desktop.exe, UltraViewer_setup*, UltraViewer_Service.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""* .ultraviewer.net"", ""ultraviewer.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultraviewer_network_sigma.yml"", ""Description"": ""Detects potential network activity of UltraViewer RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultraviewer_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of UltraViewer RMM tool""}]",https://www.ultraviewer.net/en/200000026-summary-of-ultraviewer-s-security-information.html,[] 
-Pandora RC (eHorus),,Pandora RC (eHorus) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"ehorus standalone.exe, ehorus_agent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""portal.ehorus.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pandora_rc__ehorus__network_sigma.yml"", ""Description"": ""Detects potential network activity of Pandora RC (eHorus) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pandora_rc__ehorus__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pandora RC (eHorus) RMM tool""}]",https://pandorafms.com/manual/!current/en/documentation/09_pandora_rc/01_pandora_rc_introduction,[] -IntelliAdmin Remote Control,,IntelliAdmin Remote Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"iadmin.exe, intelliadmin.exe, agent32.exe, agent64.exe, agent_setup_5.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""*.intelliadmin.com"", ""intelliadmin.com/remote-control""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/intelliadmin_remote_control_network_sigma.yml"", ""Description"": ""Detects potential network activity of IntelliAdmin Remote Control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/intelliadmin_remote_control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of IntelliAdmin Remote Control RMM tool""}]",intelliadmin.com/remote-control,[] -MEGAsync,,MEGAsync is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\*\AppData\Local\MEGAsync\*, *Users\*\AppData\Local\MEGAsync\*, *Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*, *ProgramData\MEGAsync\*, *\MEGAsyncSetup64.exe, *\MEGAupdater.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/megasync_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MEGAsync RMM tool""}]",,[] -Encapto,,Encapto is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""encapto.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/encapto_network_sigma.yml"", ""Description"": ""Detects potential network activity of Encapto RMM tool""}]",https://www.encapto.com - used to manage Cisco services,[] -ShowMyPC,,ShowMyPC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"SMPCSetup.exe, showmypc*.exe, showmypc.exe, smpcsetup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.showmypc.com"", ""showmypc.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/showmypc_network_sigma.yml"", ""Description"": ""Detects potential network activity of ShowMyPC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/showmypc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ShowMyPC RMM tool""}]",https://showmypc.com/service/faq/ShowMyPCSecurityOverview1.pdf,[] -Lite Manager,,Lite Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\LiteManager Pro – Viewer\*, *\LiteManager Pro – Viewer\*, *\LMNoIpServer.exe.","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Netop Remote Control (aka Impero Connect),,Netop Remote Control (aka Impero Connect) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"nhostsvc.exe, nhstw32.exe, nldrw32.exe, rmserverconsolemediator.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""imperosoftware.com/impero-connect/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__aka_impero_connect__network_sigma.yml"", ""Description"": ""Detects potential network activity of Netop Remote Control (aka Impero Connect) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__aka_impero_connect__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Netop Remote Control (aka Impero Connect) RMM tool""}]",,[] -GoToAssist,,GoToAssist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"gotoassist.exe, g2a*.exe, GoTo Assist Opener.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""goto.com"", ""*.getgo.com"", ""*.fastsupport.com"", ""*.gotoassist.com"", ""helpme.net"", ""*.gotoassist.me"", ""*.gotoassist.at"", ""*.desktopstreaming.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotoassist_network_sigma.yml"", ""Description"": ""Detects potential network activity of GoToAssist RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotoassist_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of GoToAssist RMM tool""}]",https://help.gotoassist.com/remote-support/help/what-should-i-allow-on-my-firewall-for-gotoassist-remote-support-v5,[] -Ericom Connect,,Ericom Connect is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"EricomConnectRemoteHost*.exe, ericomconnnectconfigurationtool.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""ericom.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_connect_network_sigma.yml"", ""Description"": ""Detects potential network activity of Ericom Connect RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_connect_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Ericom Connect RMM tool""}]",https://www.ericom.com/connect-accessnow/,[] -TeamViewer,,"TeamViewer is a remote monitoring and management (RMM) tool. -","Nasreddine Bencherchali, Michael Haag",2024-08-02,2024-08-02,https://www.teamviewer.com/en,TeamViewer.exe,,,TeamViewer,user,True,False,"Android, ChromeOS, IOS, Linux, Mac, Windows",,https://www.cvedetails.com/vulnerability-list/vendor_id-11100/product_id-19942/Teamviewer-Teamviewer.html,"C:\Program Files\TeamViewer\, teamviewer_desktop.exe, teamviewer_service.exe, teamviewerhost","{""Disk"": [{""File"": ""C:\\Users\\\\AppData\\Local\\Temp\\TeamViewer\\TV15Install.log"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""TeamViewer\\d\\d_Logfile\\.log"", ""Description"": ""N/A"", ""OS"": ""Windows"", ""Type"": ""Regex""}, {""File"": ""C:\\Program Files\\TeamViewer\\Connections_incoming.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\TeamViewer\\TVNetwork.log"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%LOCALAPPDATA%\\Temp\\TeamViewer\\TV15Install.log"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%APPDATA%\\\\TeamViewer\\\\TeamViewer\\d\\d_Logfile\\.log"", ""Description"": ""N/A"", ""OS"": ""Windows"", ""Type"": ""Regex""}, {""File"": 
""teamviewerqs.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""tv_w32.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""tv_w64.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""tv_x64.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""teamviewer.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""teamviewer_service.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%LOCALAPPDATA%\\TeamViewer\\Database\\tvchatfilecache.db"", ""Description"": ""SQlite 3 database storing cache about TeamViewer chat"", ""OS"": ""Windows""}, {""File"": ""%LOCALAPPDATA%\\TeamViewer\\RemotePrinting\\tvprint.db"", ""Description"": ""SQlite 3 database storing TeamViewer print jobs"", ""OS"": ""Windows""}, {""File"": ""%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\TeamViewer.lnk"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files*\\TeamViewer\\connections*.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Users\\*\\AppData\\Roaming\\TeamViewer\\MRU\\RemoteSupport\\*tvc"", ""Description"": ""N/A"", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""TeamViewer"", ""ImagePath"": ""\""C:\\\\Program Files\\\\TeamViewer\\\\TeamViewer_Service.exe\"""", ""Description"": ""Service installation event as result of TeamViewer installation.""}], ""Registry"": [{""Path"": ""HKLM\\SOFTWARE\\TeamViewer\\*"", ""Description"": ""N/A""}, {""Path"": ""HKU\\\\SOFTWARE\\TeamViewer\\*"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Services\\TeamViewer\\*"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\TeamViewer\\ConnectionHistory"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\TeamViewer\\*"", ""Description"": ""N/A""}, {""Path"": 
""HKU\\SID\\SOFTWARE\\TeamViewer\\MainWindowHandle"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImage"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImagePath"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImagePosition"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\MinimizeToTray"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioUserSelectedCapturingEndpoint"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioSendingVolumeV2"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioUserSelectedRenderingEndpoint"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\TeamViewer\\ConnectionHistory"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\ClientWindow_Mode"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\ClientWindowPositions"", ""Description"": ""N/A""}], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.teamviewer.com""], ""Ports"": []}, {""Description"": ""N/A"", ""Domains"": [""router15.teamviewer.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""client.teamviewer.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""taf.teamviewer.com""], ""Ports"": [443]}], ""Other"": [{""Type"": ""Mutex"", ""Value"": ""TeamViewer_LogMutex""}, {""Type"": ""Mutex"", ""Value"": ""TeamViewerHooks_DynamicMemMutex""}, {""Type"": ""Mutex"", ""Value"": ""TeamViewer3_Win32_Instance_Mutex""}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of TeamViewer RMM tool""}, {""Sigma"": 
""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_network_sigma.yml"", ""Description"": ""Detects potential network activity of TeamViewer RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_files_sigma.yml"", ""Description"": ""Detects potential files activity of TeamViewer RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of TeamViewer RMM tool""}]","https://community.teamviewer.com/English/kb/articles/4139-ports-used-by-teamviewer, https://arista.my.site.com/AristaCommunity/s/article/Security-Analysis-TeamViewer#, https://www.teamviewer.com/en/global/support/knowledge-base/teamviewer-classic/troubleshooting/log-file-reading-incoming-connection/, https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html, https://github.com/Purp1eW0lf/Blue-Team-Notes","[{""Person"": ""Th\u00e9o Letailleur"", ""Handle"": ""in/theosyn""}]" -Access Remote PC,,Access Remote PC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"rpcgrab.exe, rpcsetup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/access_remote_pc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Access Remote PC RMM tool""}]",,[] -SecureCRT,,SecureCRT is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\SecureCRT.EXE, *\SecureCRT.EXE, *\VanDyke Software\ClientPack\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/securecrt_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SecureCRT RMM tool""}]",,[] -Acronic Cyber Protect (Remotix),,Acronic Cyber Protect (Remotix) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"AcronisCyberProtectConnectQuickAssist*.exe, AcronisCyberProtectConnectAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""cloud.acronis.com"", ""agents*-cloud.acronis.com"", ""gw.remotix.com"", ""connect.acronis.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/acronic_cyber_protect__remotix__network_sigma.yml"", ""Description"": ""Detects potential network activity of Acronic Cyber Protect (Remotix) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/acronic_cyber_protect__remotix__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Acronic Cyber Protect (Remotix) RMM tool""}]",https://kb.acronis.com/content/47189,[] -Sorillus,,Sorillus is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"Sorillus-Launcher*.exe, Sorillus Launcher.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.sorillus.com"", ""sorillus.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sorillus_network_sigma.yml"", ""Description"": ""Detects potential network activity of Sorillus RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sorillus_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Sorillus RMM tool""}]",https://sorillus.com/,[] -Barracuda,,Barracuda is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.islonline.net"", ""rmm.barracudamsp.com"", ""barracudamsp.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/barracuda_network_sigma.yml"", ""Description"": ""Detects potential network activity of Barracuda RMM tool""}]",https://help.islonline.com/19799/166125,[] -DeskDay,,DeskDay is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,ultimate_*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""deskday.ai"", ""app.deskday.ai""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskday_network_sigma.yml"", ""Description"": ""Detects potential network activity of DeskDay RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskday_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DeskDay RMM tool""}]",https://support.deskday.ai/en/articles/8235973-installing-the-end-user-application-ultimate,[] -RemoteCall,,RemoteCall is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rcengmgru.exe, rcmgrsvc.exe, rxstartsupport.exe, rcstartsupport.exe, raautoup.exe, agentu.exe, remotesupportplayeru.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.remotecall.com"", ""*.startsupport.com"", ""remotecall.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotecall_network_sigma.yml"", ""Description"": ""Detects potential network activity of RemoteCall RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotecall_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RemoteCall RMM tool""}]",https://help.remotecall.com/hc/en-us/articles/360005128814--RemoteCall-Server-List-For-Firewall,[] -Splashtop,,Splashtop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,Nasreddine Bencherchali,,,,,,,,,,,,,,"C:\Program Files (x86)\Splashtop\*, *\Splashtop\Splashtop Remote\Client for RMM\*, strwinclt.exe","{""Disk"": [{""File"": ""C:\\windows\\System32\\winevt\\Logs\\Splashtop-Splashtop Streamer-Status%4Operational.evtx"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\windows\\System32\\winevt\\Logs\\Splashtop-Splashtop Streamer-Remote Session%4Operational.evtx"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%PROGRAMDATA%\\Splashtop\\Temp\\log\\FTCLog.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\agent_log.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\SPLog.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\svcinfo.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\sysinfo.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRService.exe"", ""Description"": ""Splashtop Remote Service"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRAgent.exe"", ""Description"": ""SplashTop Remote Agent"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Software Updater\\SSUAgent.exe"", ""Description"": ""Splashtop Updater"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRUtility.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRFeature.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files 
(x86)\\Splashtop\\Splashtop Remote\\Server\\db\\SRAgent.sqlite3"", ""Description"": ""N/A"", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""Splashtop Software Updater Service"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Software Updater\\\\SSUService.exe\"""", ""Description"": ""Service installation event as result of Splashtop Software Updater Service installation.""}, {""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""Splashtop\u00ae Remote Service"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Remote\\\\Server\\\\SRService.exe\"""", ""Description"": ""Service installation event as result of Splashtop Remote Service installation.""}, {""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""SplashtopRemoteService"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Remote\\\\Server\\\\SRService.exe\"""", ""Description"": ""Service installation event as result of Splashtop Remote Service installation.""}], ""Registry"": [{""Path"": ""KLM\\SOFTWARE\\WOW6432Node\\Splashtop Inc.\\*"", ""Description"": ""Splashtop Inc. 
registry key""}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Splashtop Software Updater"", ""Description"": ""Splashtop Software Updater uninstall key""}, {""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Services\\SplashtopRemoteService"", ""Description"": ""Splashtop Remote Service registry key""}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Splashtop-Splashtop Streamer-Remote Session/Operational"", ""Description"": ""Splashtop Streamer Remote Session event log channel""}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Splashtop-Splashtop Streamer-Status/Operational"", ""Description"": ""Splashtop Streamer Status event log channel""}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Splashtop Software Updater\\InstallRefCount"", ""Description"": ""Splashtop Software Updater install reference count""}, {""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\SplashtopRemoteService"", ""Description"": ""Splashtop Remote Service safe boot configuration""}, {""Path"": ""HKU\\.DEFAULT\\Software\\Splashtop Inc.\\*"", ""Description"": ""Default user Splashtop Inc. registry key""}, {""Path"": ""HKU\\SID\\Software\\Splashtop Inc.\\*"", ""Description"": ""User-specific Splashtop Inc. 
registry key""}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\Splashtop PDF Remote Printer"", ""Description"": ""Splashtop PDF Remote Printer configuration""}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Splashtop Inc.\\Splashtop Remote Server\\ClientInfo\\*"", ""Description"": ""Splashtop Remote Server client information""}], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""*.splashtop.com""], ""Ports"": [""N/A""]}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of Splashtop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_network_sigma.yml"", ""Description"": ""Detects potential network activity of Splashtop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_files_sigma.yml"", ""Description"": ""Detects potential files activity of Splashtop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Splashtop RMM tool""}]",https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html,"[{""Person"": ""Th\u00e9o Letailleur"", ""Handle"": ""in/theosyn""}]" -ManageEngine RMM Central,,ManageEngine RMM Central is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""manageengine.com/remote-monitoring-management/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manageengine_rmm_central_network_sigma.yml"", ""Description"": ""Detects potential network activity of ManageEngine RMM Central RMM tool""}]",,[] -AeroAdmin,,AeroAdmin is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"aeroadmin.exe, AeroAdmin.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""auth*.aeroadmin.com"", ""aeroadmin.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aeroadmin_network_sigma.yml"", ""Description"": ""Detects potential network activity of AeroAdmin RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aeroadmin_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of AeroAdmin RMM tool""}]",https://support.aeroadmin.com/kb/faq.php?id=58,[] -NoMachine,,NoMachine is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"nomachine*.exe, nxservice*.ese, nxd.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""nomachine.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nomachine_network_sigma.yml"", ""Description"": ""Detects potential network activity of NoMachine RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nomachine_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NoMachine RMM tool""}]",https://kb.nomachine.com/AR04S01122,[] -UltraVNC,,UltraVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,UltraVNC*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""ultravnc.com"", ""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultravnc_network_sigma.yml"", ""Description"": ""Detects potential network activity of UltraVNC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultravnc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of UltraVNC RMM tool""}]",https://uvnc.com/docs/uvnc-server/49-UltraVNC-server-configuration.html,[] -Instant Housecall,,Instant Housecall is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"hsloader.exe, ihcserver.exe, instanthousecall.exe, instanthousecall.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.instanthousecall.com"", ""*.instanthousecall.net"", ""instanthousecall.com"", ""secure.instanthousecall.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_network_sigma.yml"", ""Description"": ""Detects potential network activity of Instant Housecall RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Instant Housecall RMM tool""}]",https://instanthousecall.com/features/,[] +AnyViewer,,"AnyViewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. 
+",@kostastsale,2024-08-03,2024-08-03,https://www.anyviewer.com/,AnyViewer.exe,AnyViewer,Splash Window,,System,up to 10 devices,None,Windows,"Remote desktop, Remote file transfer, Remote monitoring and management, Remote shell open",,C:\Program Files (x86)\AnyViewer\*,"{""Disk"": [], ""EventLog"": [{""EventID"": 4688, ""ProviderName"": ""Microsoft-Security-Auditing"", ""LogFile"": ""Security.evtx"", ""CommandLine"": ""\""C:\\\\Program Files (x86)\\\\AnyViewer\\\\AVCore.exe\"" -d"", ""Description"": ""Taking actions on the remote machine such as opening a command prompt.""}, {""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""RCService"", ""ImagePath"": ""C:\\\\Program Files (x86)\\\\AnyViewer\\\\RCService.exe"", ""Description"": ""AnyViewer service installation service.""}], ""Registry"": [], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""*.anyviewer.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.aomeisoftware.com""], ""Ports"": [443]}]}","[{""Name"": ""Arbitrary code execution and remote sessions via Action1 RMM"", ""Description"": ""Threat hunting rule for detecting the execution of arbitrary code and remote sessions via Action1 RMM"", ""author"": ""@kostastsale"", ""Link"": ""https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/Anyviewer.yml""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyviewer_network_sigma.yml"", ""Description"": ""Detects potential network activity of AnyViewer RMM tool""}]","https://www.anyviewer.com/how-to/how-to-open-firewall-ports-for-remote-desktop-0427-gc.html, https://www.anyviewer.com/help/remote-technical-support.html","[{""Person"": ""Kostas"", ""Handle"": ""@kostastsale""}]" +Level,,Level is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""level.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level_network_sigma.yml"", ""Description"": ""Detects potential network activity of Level RMM tool""}]",,[] +Site24x7,,Site24x7 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/13/2024,,,,,,,,,,,,"MEAgentHelper.exe, MonitoringAgent.exe, Site24x7WindowsAgentTrayIcon.exe, Site24x7PluginAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""plus*.site24x7.com"", ""plus*.site24x7.eu"", ""plus*.site24x7.in"", ""plus*.site24x7.cn"", ""plus*.site24x7.net.au"", ""site24x7.com/msp""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/site24x7_network_sigma.yml"", ""Description"": ""Detects potential network activity of Site24x7 RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/site24x7_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Site24x7 RMM tool""}]",https://support.site24x7.com/portal/en/kb/articles/which-ports-do-i-need-to-allow-access-in-my-firewall-to-use-site24x7-agent,[] +ScreenConnect,,ScreenConnect is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,"Ali Alwashali, Nasreddine Bencherchali",2023-10-01,2024-10-08,https://www.connectwise.com,,,,,,14-Days Free Trial,,"Android, IOS, Linux, Mac, Windows","Command Line Support, File Transfer, Install Windows updates, Receive notification when user performs a predefined event, Remote Command Line, Remote Control, Sound Capture, Start / Stop services, View event logs",,"C:\Program Files (x86)\ScreenConnect Client (Random)\ScreenConnect.ClientService.exe, Remote Workforce Client.exe, *\*\ScreenConnect.ClientService.exe, C:\Program Files (x86)\ScreenConnect Client ()\*, *\ScreenConnect Client*\*, *\*\ScreenConnect.WindowsClient.exe, screenconnect*.exe, screenconnect.windowsclient.exe, Remote Workforce Client.exe, screenconnect*.exe, ConnectWiseControl*.exe, connectwise*.exe, screenconnect.windowsclient.exe, screenconnect.clientservice.exe","{""Disk"": [{""File"": ""C:\\Program Files*\\ScreenConnect\\App_Data\\Session.db"", ""Description"": ""ScreenConnect session database"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files*\\ScreenConnect\\App_Data\\User.xml"", ""Description"": ""ScreenConnect user configuration"", ""OS"": ""Windows""}, {""File"": ""C:\\ProgramData\\ScreenConnect Client*\\user.config"", ""Description"": ""ScreenConnect client user configuration"", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": [""ScreenConnect"", ""ScreenConnect Client ()""], ""LogFile"": ""Application.evtx"", ""ServiceName"": ""ScreenConnect Client ()"", ""Description"": ""Service installation event as a result of ScreenConnect installation.""}, {""EventID"": 20, ""ProviderName"": [""ScreenConnect"", ""ScreenConnect Client ()""], ""LogFile"": ""Application.evtx"", ""ServiceName"": ""ScreenConnect Client ()"", ""Description"": ""Logs events such as successful or failed connections, and user logins.""}], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": 
[""control.connectwise.com"", ""*.connectwise.com"", ""*.screenconnect.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_network_sigma.yml"", ""Description"": ""Detects potential network activity of ScreenConnect RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_files_sigma.yml"", ""Description"": ""Detects potential files activity of ScreenConnect RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ScreenConnect RMM tool""}]","https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours/, https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling",[] +SmartFTP,,SmartFTP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\SmartFTP Client\en-US\, *\SmartFTP Client\*, *\SfShellTools.dll.mui","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +SpyAnywhere,,SpyAnywhere is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,sysdiag.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.spytech-web.com"", ""spyanywhere.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/spyanywhere_network_sigma.yml"", ""Description"": ""Detects potential network activity of SpyAnywhere RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/spyanywhere_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SpyAnywhere RMM tool""}]",https://www.spyanywhere.com/support.shtml,[] NinjaRMM,,NinjaRMM is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"ninjarmmagent.exe, NinjaRMMAgent.exe, NinjaRMMAgenPatcher.exe, ninjarmm-cli.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.ninjarmm.com"", ""*.ninjaone.com"", ""resources.ninjarmm.com"", ""ninjaone.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ninjarmm_network_sigma.yml"", ""Description"": ""Detects potential network activity of NinjaRMM RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ninjarmm_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NinjaRMM RMM tool""}]",https://www.ninjaone.com/faq/,[] +CruzControl,,CruzControl is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],https://resources.doradosoftware.com/cruz-rmm,[] +SimpleHelp,,SimpleHelp is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"simplehelpcustomer.exe, simpleservice.exe, simplegatewayservice.exe, remote access.exe, windowslauncher.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""simple-help.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/simplehelp_network_sigma.yml"", ""Description"": ""Detects potential network activity of SimpleHelp RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/simplehelp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SimpleHelp RMM tool""}]",https://simple-help.com/remote-support,[] +EMCO Remote Console,,EMCO Remote Console is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,remoteconsole.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""emcosoftware.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/emco_remote_console_network_sigma.yml"", ""Description"": ""Detects potential network activity of EMCO Remote Console RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/emco_remote_console_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of EMCO Remote Console RMM tool""}]",,[] ngrok,,ngrok is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"ngrok.exe, C:\*\ngrok.zip, *\ngrok*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""ngrok.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ngrok_network_sigma.yml"", ""Description"": ""Detects potential network activity of ngrok RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ngrok_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ngrok RMM tool""}]",https://ngrok.com/docs/guides/running-behind-firewalls/,[] -Bitvise SSH Client,,Bitvise SSH Client is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Bitvise SSH Client\*, *\Bitvise SSH Client\*, *\BvSshClient-Inst.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bitvise_ssh_client_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Bitvise SSH Client RMM tool""}]",,[] +Apple Remote Desktop,,Apple Remote Desktop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/24/2024,,,,,,,,,,,,ARDAgent.app,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/apple_remote_desktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of Apple Remote Desktop RMM tool""}]",https://support.apple.com/guide/remote-desktop/install-and-set-up-remote-desktop-apdf49e03a4/mac,[] +Netviewer (GoToMeet),,Netviewer (GoToMeet) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"nvClient.exe, netviewer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer__gotomeet__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Netviewer (GoToMeet) RMM tool""}]",Obsolute - found copy here: https://www.enviolet.com/en/service/online-consultant.html,[] +NoMachine,,NoMachine is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"nomachine*.exe, nxservice*.ese, nxd.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""nomachine.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nomachine_network_sigma.yml"", ""Description"": ""Detects potential network activity of NoMachine RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nomachine_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NoMachine RMM tool""}]",https://kb.nomachine.com/AR04S01122,[] +MioNet (WD Anywhere Access),,MioNet (WD Anywhere Access) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"mionet.exe, mionetmanager.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mionet__wd_anywhere_access__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MioNet (WD Anywhere Access) RMM tool""}]",https://en.wikipedia.org/wiki/WD_Anywhere_Access - DOA as of 2016,[] +Splashtop,,Splashtop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,Nasreddine Bencherchali,,,,,,,,,,,,,,"C:\Program Files (x86)\Splashtop\*, *\Splashtop\Splashtop Remote\Client for RMM\*, strwinclt.exe","{""Disk"": [{""File"": ""C:\\windows\\System32\\winevt\\Logs\\Splashtop-Splashtop Streamer-Status%4Operational.evtx"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\windows\\System32\\winevt\\Logs\\Splashtop-Splashtop Streamer-Remote Session%4Operational.evtx"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%PROGRAMDATA%\\Splashtop\\Temp\\log\\FTCLog.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\agent_log.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\SPLog.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\svcinfo.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\sysinfo.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRService.exe"", ""Description"": ""Splashtop Remote Service"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRAgent.exe"", ""Description"": ""SplashTop Remote Agent"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Software Updater\\SSUAgent.exe"", ""Description"": ""Splashtop Updater"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRUtility.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRFeature.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files 
(x86)\\Splashtop\\Splashtop Remote\\Server\\db\\SRAgent.sqlite3"", ""Description"": ""N/A"", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""Splashtop Software Updater Service"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Software Updater\\\\SSUService.exe\"""", ""Description"": ""Service installation event as result of Splashtop Software Updater Service installation.""}, {""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""Splashtop\u00ae Remote Service"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Remote\\\\Server\\\\SRService.exe\"""", ""Description"": ""Service installation event as result of Splashtop Remote Service installation.""}, {""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""SplashtopRemoteService"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Remote\\\\Server\\\\SRService.exe\"""", ""Description"": ""Service installation event as result of Splashtop Remote Service installation.""}], ""Registry"": [{""Path"": ""KLM\\SOFTWARE\\WOW6432Node\\Splashtop Inc.\\*"", ""Description"": ""Splashtop Inc. 
registry key""}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Splashtop Software Updater"", ""Description"": ""Splashtop Software Updater uninstall key""}, {""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Services\\SplashtopRemoteService"", ""Description"": ""Splashtop Remote Service registry key""}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Splashtop-Splashtop Streamer-Remote Session/Operational"", ""Description"": ""Splashtop Streamer Remote Session event log channel""}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Splashtop-Splashtop Streamer-Status/Operational"", ""Description"": ""Splashtop Streamer Status event log channel""}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Splashtop Software Updater\\InstallRefCount"", ""Description"": ""Splashtop Software Updater install reference count""}, {""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\SplashtopRemoteService"", ""Description"": ""Splashtop Remote Service safe boot configuration""}, {""Path"": ""HKU\\.DEFAULT\\Software\\Splashtop Inc.\\*"", ""Description"": ""Default user Splashtop Inc. registry key""}, {""Path"": ""HKU\\SID\\Software\\Splashtop Inc.\\*"", ""Description"": ""User-specific Splashtop Inc. 
registry key""}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\Splashtop PDF Remote Printer"", ""Description"": ""Splashtop PDF Remote Printer configuration""}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Splashtop Inc.\\Splashtop Remote Server\\ClientInfo\\*"", ""Description"": ""Splashtop Remote Server client information""}], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""*.splashtop.com""], ""Ports"": [""N/A""]}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of Splashtop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_network_sigma.yml"", ""Description"": ""Detects potential network activity of Splashtop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_files_sigma.yml"", ""Description"": ""Detects potential files activity of Splashtop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Splashtop RMM tool""}]",https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html,"[{""Person"": ""Th\u00e9o Letailleur"", ""Handle"": ""in/theosyn""}]" +RAdmin,,"RAdmin is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. 
+",Nasreddine Bencherchali,2024-08-05,2024-08-05,https://www.radmin.com/,RServer3.exe,RServer3.exe,Radmin Server,Radmin Server,,,,Windows,,,"C:\Program Files (x86)\Radmin Viewer 3\Radmin.exe, C:\Windows\SysWOW64\rserver30\rserver3.exe, C:\Windows\SysWOW64\rserver30\FamItrfc, C:\Windows\SysWOW64\rserver30\FamItrf2","{""Disk"": [{""File"": ""C:\\Windows\\SysWOW64\\rserver30\\Radm_log.htm"", ""Description"": ""RAdmin log file (32-bit)"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\System32\\rserver30\\Radm_log.htm"", ""Description"": ""RAdmin log file (64-bit)"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\System32\\rserver30\\CHATLOGS\\*\\*.htm"", ""Description"": ""RAdmin chat logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Users\\*\\Documents\\ChatLogs\\*\\*.htm"", ""Description"": ""RAdmin user chat logs"", ""OS"": ""Windows""}], ""EventLog"": [], ""Registry"": [{""Path"": ""HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Radmin\\v3.0\\Server\\Parameters\\Radmin Security"", ""Description"": ""N/A""}], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""radmin.com""], ""Ports"": [443]}]}","[{""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_pua_radmin.yml"", ""Description"": ""PUA - Radmin Viewer Utility Execution""}, {""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml"", ""Description"": ""Enumeration for 3rd Party Creds From CLI""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of RAdmin RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_network_sigma.yml"", ""Description"": ""Detects potential network activity of RAdmin RMM tool""}, {""Sigma"": 
""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_files_sigma.yml"", ""Description"": ""Detects potential files activity of RAdmin RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RAdmin RMM tool""}]","https://radmin-club.com/radmin/how-to-establish-a-connection-outside-of-lan/, https://helpdesk.radmin.com/radmin3help/, https://helpdesk.radmin.com/radmin3help/files/viewercmd.htm, https://helpdesk.radmin.com/radmin3help/files/cmd.htm","[{""Person"": ""Nasreddine Bencherchali"", ""Handle"": ""@nas_bench""}]" +LANDesk,,LANDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"issuser.exe, landeskagentbootstrap.exe, LANDeskPortalManager.exe, ldinv32.exe, ldsensors.exe, C:\Program Files (x86)\LANDesk\*, *\LANDesk\*, *\issuser.exe, *\softmon.exe, *\tmcsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.ivanticloud.com"", ""*.ivanti.com"", ""ivanti.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/landesk_network_sigma.yml"", ""Description"": ""Detects potential network activity of LANDesk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/landesk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of LANDesk RMM tool""}]",https://forums.ivanti.com/s/article/URL-exception-list-for-Ivanti-Security-Controls?language=en_US,[] +SuperOps,,SuperOps is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"superopsticket.exe, superops.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.superopsbeta.com"", ""superops.ai"", ""serv.superopsalpha.com"", ""*.superops.ai"", ""*.superopsalpha.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superops_network_sigma.yml"", ""Description"": ""Detects potential network activity of SuperOps RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superops_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SuperOps RMM tool""}]",https://support.superops.com/en/articles/6632028-how-to-download-and-deploy-the-agent,[] +Lite Manager,,Lite Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\LiteManager Pro – Viewer\*, *\LiteManager Pro – Viewer\*, *\LMNoIpServer.exe.","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Supremo,,Supremo is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/13/2024,,,,,,,,,,,,"supremo.exe, supremoservice.exe, supremosystem.exe, supremohelper.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""supremocontrol.com"", ""*.supremocontrol.com"", ""* .nanosystems.it""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/supremo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Supremo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/supremo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Supremo RMM tool""}]",https://www.supremocontrol.com/frequently-asked-questions/,[] Chicken (of the VNC),,Chicken (of the VNC) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],https://github.com/flit/cotvnc,[] -SkyFex,,SkyFex is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"Deskroll.exe, DeskRollUA.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""skyfex.com"", ""deskroll.com"", ""*.deskroll.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/skyfex_network_sigma.yml"", ""Description"": ""Detects potential network activity of SkyFex RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/skyfex_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SkyFex RMM tool""}]",https://skyfex.com/,[] -Ericom AccessNow,,Ericom AccessNow is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"accessserver*.exe, accessserver.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""ericom.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_accessnow_network_sigma.yml"", ""Description"": ""Detects potential network activity of Ericom AccessNow RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_accessnow_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Ericom AccessNow RMM tool""}]",https://www.ericom.com/connect-accessnow/,[] -Microsoft RDP,,Microsoft RDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"termsrv.exe, mstsc.exe, Microsoft Remote Desktop","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_rdp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Microsoft RDP RMM tool""}]",https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/windows,[] -Royal Server,,Royal Server is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""royalapps.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_server_network_sigma.yml"", ""Description"": ""Detects potential network activity of Royal Server RMM tool""}]",https://royalapps.com/server/main/features,[] -Solar-PuTTY,,Solar-PuTTY is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\Solar-Putty-v4\*, *\Solar-Putty-v4\*, *\Solar-PuTTY.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/solar-putty_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Solar-PuTTY RMM tool""}]",,[] -Duplicati,,Duplicati is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"c:\Program Files\*\Duplicati.Server.exe, *\*\Duplicati.Server.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/duplicati_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Duplicati RMM tool""}]",,[] -Remote Desktop Plus,,Remote Desktop Plus is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,rdp.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""donkz.nl""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_desktop_plus_network_sigma.yml"", ""Description"": ""Detects potential network activity of Remote Desktop Plus RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_desktop_plus_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remote Desktop Plus RMM tool""}]",https://www.donkz.nl/,[] -ITSupport247 (ConnectWise),,ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,saazapsc.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.itsupport247.net"", ""itsupport247.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__network_sigma.yml"", ""Description"": ""Detects potential network activity of ITSupport247 (ConnectWise) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ITSupport247 (ConnectWise) RMM tool""}]",https://control.itsupport247.net/,[] -DesktopNow,,DesktopNow is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,desktopnow.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.nchuser.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktopnow_network_sigma.yml"", ""Description"": ""Detects potential network activity of DesktopNow RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktopnow_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DesktopNow RMM tool""}]",https://forums.ivanti.com/s/article/Network-Ports-used-by-Environment-Manager?language=en_US,[] -Remmina,,Remmina is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Distant Desktop,,Distant Desktop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"ddsystem.exe, dd.exe, distant-desktop.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.distantdesktop.com"", ""*signalserver.xyz""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of Distant Desktop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Distant Desktop RMM tool""}]",https://www.distantdesktop.com/manual/first-start.htm,[] +KHelpDesk,,KHelpDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,KHelpDesk.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.khelpdesk.com.br""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/khelpdesk_network_sigma.yml"", ""Description"": ""Detects potential network activity of KHelpDesk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/khelpdesk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of KHelpDesk RMM tool""}]",https://www.khelpdesk.com.br/en-us,[] +TurboMeeting,,TurboMeeting is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"pcstarter.exe, turbomeeting.exe, turbomeetingstarter.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""acceo.com/turbomeeting/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/turbomeeting_network_sigma.yml"", ""Description"": ""Detects potential network activity of TurboMeeting RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/turbomeeting_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of TurboMeeting RMM tool""}]",http://sourcing.rhubcom.com/v5/faqs.html#collapsetwentysix2-topdiv,[] +RPort,,RPort is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,rport.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""rport.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rport_network_sigma.yml"", ""Description"": ""Detects potential network activity of RPort RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rport_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RPort RMM tool""}]",https://kb.rport.io/using-the-remote-access,[] +MioNet (Also known as WD Anywhere Access),,MioNet (Also known as WD Anywhere Access) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"mionet.exe, mionetmanager.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mionet__also_known_as_wd_anywhere_access__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MioNet (Also known as WD Anywhere Access) RMM tool""}]",,[] +OCS inventory,,OCS inventory is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"ocsinventory.exe, ocsservice.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""ocsinventory-ng.org""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ocs_inventory_network_sigma.yml"", ""Description"": ""Detects potential network activity of OCS inventory RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ocs_inventory_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of OCS inventory RMM tool""}]",https://ocsinventory-ng.org/?page_id=878&lang=en,[] +RemotePass,,RemotePass is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"remotepass-access.exe, rpaccess.exe, rpwhostscr.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""remotepass.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepass_network_sigma.yml"", ""Description"": ""Detects potential network activity of RemotePass RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepass_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RemotePass RMM tool""}]",https://www.remotepass.com/rpaccess.html - DOA as of 2024,[] +GoToAssist (GoTo Resolve),,GoToAssist (GoTo Resolve) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\ProgramFiles*\GoTo Machine Installer\*, *\GoTo Machine Installer\*, *\GoTo\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Comodo RMM,,Comodo RMM is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"itsmagent.exe, rviewer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.itsm-us1.comodo.com"", ""*mdmsupport.comodo.com"", ""one.comodo.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/comodo_rmm_network_sigma.yml"", ""Description"": ""Detects potential network activity of Comodo RMM RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/comodo_rmm_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Comodo RMM RMM tool""}]","https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html",[] +ShowMyPC,,ShowMyPC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"SMPCSetup.exe, showmypc*.exe, showmypc.exe, smpcsetup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.showmypc.com"", ""showmypc.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/showmypc_network_sigma.yml"", ""Description"": ""Detects potential network activity of ShowMyPC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/showmypc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ShowMyPC RMM tool""}]",https://showmypc.com/service/faq/ShowMyPCSecurityOverview1.pdf,[] +ToDesk,,ToDesk is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"todesk.exe, ToDesk_Service.exe, ToDesk_Setup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""todesk.com"", ""*.todesk.com"", ""*.todesk.com"", ""todesktop.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/todesk_network_sigma.yml"", ""Description"": ""Detects potential network activity of ToDesk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/todesk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ToDesk RMM tool""}]",https://www.todesk.com/,[] +RunSmart,,RunSmart is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""runsmart.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/runsmart_network_sigma.yml"", ""Description"": ""Detects potential network activity of RunSmart RMM tool""}]",,[] +VNC Connect,,VNC Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\RealVNC\VNC Server\*, *\RealVNC\VNC Server\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Echoware,,Echoware is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"echoserver*.exe, echoware.dll","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/echoware_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Echoware RMM tool""}]",,[] +Alpemix,,"Alpemix is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. +",Nasreddine Bencherchali,2024-08-05,2024-08-05,https://www.alpemix.com/en/Home,Alpemix.exe,Alpemix,Alpemix,Alpemix,,,,"Windows, Linux, Android, Mac, IOS","5 Different Solutions for Remote Support, Access to Unattended Computers, Access to User Account Control (UAC) Screens, Add Your Own Logo, Auto Sizing, Automatic Update, Clipboard Transfer, Computer Independent Licensing, Contact List and Groups, Encrypted Communication, External Communication Barrier, File Transfer, Instant Messaging, Multi-Platform Support, Multiple Chat, Multiple Connections, No Port Forwarding Required, Peer to Peer Connection (p2p), Receiving Offline Message, Remote Restart, ReportingRestricting The Authority, Screen Sharing, Sending Announcement Message, Sharing a certain part of the screen, Video Recording, Voice Communication, Who is currently supporting?, Working in Black Screen Mode",,"C:\AlpemixService.exe, C:\AlpemixSrvc\","{""Disk"": [{""File"": ""%localappdata%\\Alpemix\\Alpemix.ini"", ""Description"": ""N/A"", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""AlpemixSrvc"", ""ImagePath"": ""*\\Alpemix.exe servicestartxxx"", ""Description"": ""Service installation event as result of Alpemix installation.""}], ""Registry"": [{""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Services\\AlpemixSrvcx"", ""Description"": ""N/A""}], ""Network"": [{""Description"": ""N/A"", ""Domains"": 
[""*.alpemix.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.teknopars.com""], ""Ports"": [80]}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of Alpemix RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_network_sigma.yml"", ""Description"": ""Detects potential network activity of Alpemix RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_files_sigma.yml"", ""Description"": ""Detects potential files activity of Alpemix RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Alpemix RMM tool""}]",https://www.alpemix.com/en/remote-access,"[{""Person"": ""Nasreddine Bencherchali"", ""Handle"": ""@nas_bench""}]" +Royal TS,,Royal TS is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,royalts.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""royalapps.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_ts_network_sigma.yml"", ""Description"": ""Detects potential network activity of Royal TS RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_ts_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Royal TS RMM tool""}]",,[] +DragonDisk,,DragonDisk is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Almageste\DragonDisk\*, *\Almageste\DragonDisk\*, *\DragonDisk.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dragondisk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DragonDisk RMM tool""}]",,[] +Pcvisit,,Pcvisit is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"pcvisit.exe, pcvisit_client.exe, pcvisit-easysupport.exe, pcvisit_service_client.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.pcvisit.de"", ""pcvisit.de""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcvisit_network_sigma.yml"", ""Description"": ""Detects potential network activity of Pcvisit RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcvisit_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pcvisit RMM tool""}]",https://www.pcvisit.de/,[] +Connectwise Automate (LabTech),,Connectwise Automate (LabTech) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"ltsvc.exe, ltsvcmon.exe, lttray.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.hostedrmm.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_automate__labtech__network_sigma.yml"", ""Description"": ""Detects potential network activity of Connectwise Automate (LabTech) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_automate__labtech__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Connectwise Automate (LabTech) RMM tool""}]",https://www.connectwise.com/company/announcements/labtech-now-connectwise-automate,[] DameWare,,DameWare is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"SolarWinds-Dameware-DRS*.exe, DameWare Mini Remote Control*.exe, C:\Windows\dwrcs\* c:\Program File\SolarWinds\Dameware Mini Remote Control\*, dntus*.exe, dwrcs.exe, *\dwrcs\*, *\dwrcst.exe, DameWare Remote Support.exe, SolarWinds-Dameware-MRC*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""dameware.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware-mini_remote_control_protocol_network_sigma.yml"", ""Description"": ""Detects potential network activity of Dameware-mini remote control Protocol RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DameWare RMM tool""}]",https://documentation.solarwinds.com/en/success_center/dameware/content/install-standalone-port-requirements.htm,[] -Level,,Level is a remote monitoring 
and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""level.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level_network_sigma.yml"", ""Description"": ""Detects potential network activity of Level RMM tool""}]",,[] -Insync,,Insync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\USERNAME\AppData\Roaming\Insync\App\Insync.exe, *Users\*\AppData\Roaming\Insync\App\Insync.exe, *\Insync.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/insync_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Insync RMM tool""}]",,[] -ISL Online,,ISL Online is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"*\ISLLight.exe, isllight.exe, ISLLightClient.exe, C:\Program Files (x86)\ISL Online\ISL Light*, *\ISL Online\ISL Light*, ISLLight.exe, isllightservice.exe, islalwaysonmonitor.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.islonline.com"", ""*.islonline.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_network_sigma.yml"", ""Description"": ""Detects potential network activity of ISL Online RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ISL Online RMM tool""}]",https://help.islonline.com/19818/165940,[] -Remote.it,,Remote.it is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"remote-it-installer.exe, remote.it.exe, remoteit.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""auth.api.remote.it"", ""api.remote.it"", ""remote.it""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote.it_network_sigma.yml"", ""Description"": ""Detects potential network activity of Remote.it RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote.it_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remote.it RMM tool""}]",https://docs.remote.it/introduction/get-started,[] -Netreo,,Netreo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""charon.netreo.net"", ""activation.netreo.net"", ""*.api.netreo.com"", ""netreo.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netreo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Netreo RMM tool""}]",https://solutions.netreo.com/docs/firewall-requirements,[] -NoteOn-desktop sharing,,NoteOn-desktop sharing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"nateon*.exe, nateon.exe, nateonmain.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/noteon-desktop_sharing_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NoteOn-desktop sharing RMM tool""}]",,[] -Royal TS,,Royal TS is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,royalts.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""royalapps.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_ts_network_sigma.yml"", ""Description"": ""Detects potential network activity of Royal TS RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_ts_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Royal TS RMM tool""}]",,[] +Onionshare,,Onionshare is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\OnionShare\*, *\OnionShare\*, *\onionshare*.exe, OnionShare-win*.msi","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/onionshare_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Onionshare RMM tool""}]",,[] +Tailscale,,Tailscale is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"tailscale-*.exe, tailscaled.exe, tailscale-ipn.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.tailscale.com"", ""*.tailscale.io"", ""tailscale.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tailscale_network_sigma.yml"", ""Description"": ""Detects potential network activity of Tailscale RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tailscale_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Tailscale RMM tool""}]",https://tailscale.com/kb/1023/troubleshooting,[] +Senso.cloud,,Senso.cloud is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"SensoClient.exe, SensoService.exe, aadg.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.senso.cloud"", ""senso.cloud""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/senso.cloud_network_sigma.yml"", ""Description"": ""Detects potential network activity of Senso.cloud RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/senso.cloud_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Senso.cloud RMM tool""}]",https://support.senso.cloud/support/solutions/articles/79000116305-firewall-and-content-filter-configuration,[] +UltraViewer,,UltraViewer is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"UltraViewer_Service.exe, UltraViewer_setup*, UltraViewer_Desktop.exe, ultraviewer.exe, C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe, *\UltraViewer\, *\UltraViewer_Desktop.exe, ultraviewer_desktop.exe, ultraviewer_service.exe, UltraViewer_Desktop.exe, UltraViewer_setup*, UltraViewer_Service.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""* .ultraviewer.net"", ""ultraviewer.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultraviewer_network_sigma.yml"", ""Description"": ""Detects potential network activity of UltraViewer RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultraviewer_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of UltraViewer RMM tool""}]",https://www.ultraviewer.net/en/200000026-summary-of-ultraviewer-s-security-information.html,[] +KickIdler,,KickIdler is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"grabberEM.*msi, grabberTT*.msi","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""kickidler.com"", ""my.kickidler.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kickidler_network_sigma.yml"", ""Description"": ""Detects potential network activity of KickIdler RMM tool""}]",https://www.kickidler.com/for-it/faq/,[] +Remmina,,Remmina is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +eHorus,,eHorus is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,ehorus standalone.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""ehorus.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ehorus_network_sigma.yml"", ""Description"": ""Detects potential network activity of eHorus RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ehorus_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of eHorus RMM tool""}]",,[] +Quick Assist,,Quick Assist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,quickassist.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.support.services.microsoft.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quick_assist_network_sigma.yml"", ""Description"": ""Detects potential network activity of Quick Assist RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quick_assist_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Quick Assist RMM tool""}]",,[] +N-Able Advanced Monitoring Agent,,N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"Agent_*_RW.exe, BASEClient.exe, BASupApp.exe, BASupSrvc.exe, BASupSrvcCnfg.exe, BASupTSHelper.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*remote.management"", ""*.logicnow.com"", ""*systemmonitor.us"", ""*systemmonitor.eu.com"", ""*system-monitor.com"", ""systemmonitor.us.cdn.cloudflare.net"", ""*cloudbackup.management"", ""*systemmonitor.co.uk"", ""*.n-able.com"", ""*.beanywhere.com "", ""*.swi-tc.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_network_sigma.yml"", ""Description"": ""Detects potential network activity of N-Able Advanced Monitoring Agent RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of N-Able Advanced Monitoring Agent RMM tool""}]",https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm,[] +KiTTY,,KiTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\kitty.exe, *\kitty.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kitty_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of KiTTY RMM tool""}]",,[] +FleetDeck.io,,FleetDeck.io is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"fleetdeck_agent_svc.exe, fleetdeck_commander_svc.exe, fleetdeck_installer.exe, fleetdeck_commander_launcher.exe, fleetdeck_agent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.fleetdeck.io"", ""cognito-idp.us-west-2.amazonaws.com"", ""fleetdeck.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdesk.io_network_sigma.yml"", ""Description"": ""Detects potential network activity of FleetDesk.io RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdesk.io_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of FleetDesk.io RMM tool""}]",https://fleetdeck.io/faq/,[] +TeleDesktop,,TeleDesktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"pstlaunch.exe, ptdskclient.exe, ptdskhost.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""tele-desk.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teledesktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of TeleDesktop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teledesktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of TeleDesktop RMM tool""}]",http://potomacsoft.com/ - DOA as of 2024,[] +Remote Utilities,,Remote Utilities is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rutview.exe, rutserv.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.internetid.ru""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_utilities_network_sigma.yml"", ""Description"": ""Detects potential network activity of Remote Utilities RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_utilities_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remote Utilities RMM tool""}]",https://www.remoteutilities.com/download/,[] +NetSupport Manager,,NetSupport Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"pcictlui.exe, pcicfgui.exe, client32.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.netsupportmanager.com"", ""netsupportmanager.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_network_sigma.yml"", ""Description"": ""Detects potential network activity of NetSupport Manager RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NetSupport Manager RMM tool""}]",https://www.netsupportmanager.com/resources/,[] +GotoHTTP,,GotoHTTP is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"GotoHTTP_x64.exe, gotohttp.exe, GotoHTTP*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.gotohttp.com"", ""gotohttp.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotohttp_network_sigma.yml"", ""Description"": ""Detects potential network activity of GotoHTTP RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotohttp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of GotoHTTP RMM tool""}]",https://gotohttp.com/goto/help.12x,[] +RemoteUtilities,,RemoteUtilities is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"rutview.exe, *\Remote Manipulator System - Server\*, C:\Program Files\Remote Utilities\*, *\Remote Utilities\*, rutserv.exe, *\rutserv.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""remoteutilities.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteutilities_network_sigma.yml"", ""Description"": ""Detects potential network activity of RemoteUtilities RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteutilities_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RemoteUtilities RMM tool""}]",,[] +GoToMyPC,,"GoToMyPC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. 
+",Nasreddine Bencherchali,2024-08-05,2024-08-05,,AppCore.exe,,,,,,,,,,C:\Program Files (x86)\GoToMyPC\*,"{""Disk"": [{""File"": ""%AppData%\\GoTo\\Logs\\goto.log"", ""Description"": ""N/A"", ""OS"": ""Windows""}], ""EventLog"": [], ""Registry"": [{""Path"": ""HKEY_LOCAL_MACHINE\\WOW6432Node\\Citrix\\GoToMyPc"", ""Description"": ""Configuration settings including registration email""}, {""Path"": ""HKEY_LOCAL_MACHINE\\WOW6432Node\\Citrix\\GoToMyPc\\GuestInvite"", ""Description"": ""Guest invites send to connect""}, {""Path"": ""HKEY_CURRENT_USER\\SOFTWARE\\Citrix\\GoToMyPc\\FileTransfer\\history"", ""Description"": ""hostname of the computer making connections and location of transferred files""}, {""Path"": ""HKEY_USERS\\\\SOFTWARE\\Citrix\\GoToMyPc\\FileTransfer\\history"", ""Description"": ""hostname of the computer making connections and location of transferred files""}], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""*.GoToMyPC.com""], ""Ports"": [""N/A""]}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of GoToMyPC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_network_sigma.yml"", ""Description"": ""Detects potential network activity of GoToMyPC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_files_sigma.yml"", ""Description"": ""Detects potential files activity of GoToMyPC RMM tool""}]","https://support.logmeininc.com/gotomypc/help/what-are-the-optimal-firewall-configurations#, https://support.goto.com/training/help/how-do-i-configure-gototraining-to-work-with-firewalls, https://ruler-project.github.io/ruler-project/RULER/remote/Citrix%20GoToMyPC/","[{""Person"": ""Phill Moore"", ""Handle"": ""@phillmoore""}]" +SmartCode Web VNC,,SmartCode Web VNC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\TightVNC\*, *\TightVNC\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Seetrol,,Seetrol is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"seetrolcenter.exe, seetrolclient.exe, seetrolmyservice.exe, seetrolremote.exe, seetrolsetting.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""seetrol.co.kr""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/seetrol_network_sigma.yml"", ""Description"": ""Detects potential network activity of Seetrol RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/seetrol_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Seetrol RMM tool""}]",http://www.seetrol.com/en/features/features3.php,[] +RDPView,,RDPView is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,dwrcs.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""systemmanager.ru/dntu.en/rdp_view.htm""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpview_network_sigma.yml"", ""Description"": ""Detects potential network activity of RDPView RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpview_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RDPView RMM tool""}]",systemmanager.ru/dntu.en/rdp_view.htm - Same as Damware,[] +Zoho Assist,,Zoho Assist is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"zaservice.exe, ZMAgent.exe, C:\*\ZA_Access.exe, ZohoMeeting.exe, Zohours.exe, zohotray.exe, ZohoURSService.exe, *\ZA_Access.exe, Zaservice.exe, za_connect.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.zoho.com.au"", ""*.zohoassist.jp"", ""assist.zoho.com"", ""zoho.com/assist/"", ""*.zoho.in"", ""downloads.zohodl.com.cn"", ""*.zohoassist.com"", ""downloads.zohocdn.com"", ""gateway.zohoassist.com"", ""*.zohoassist.com.cn"", ""*.zoho.com.cn"", ""*.zoho.com"", ""*.zoho.eu""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoho_assist_network_sigma.yml"", ""Description"": ""Detects potential network activity of Zoho Assist RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoho_assist_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Zoho Assist RMM tool""}]",https://www.zoho.com/assist/kb/firewall-configuration.html,[] +Xpra,,Xpra is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Xpra\*, *\Xpra\*, *\Xpra-Launcher.exe, *\Xpra-x86_64_Setup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xpra_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Xpra RMM tool""}]",,[] DeskNets,,DeskNets is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],https://www.desknets.com/en/download.html,[] -QQ IM-remote assistance,,QQ IM-remote assistance is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"qq.exe, QQProtect.exe, qqpcmgr.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.mdt.qq.com"", ""*.desktop.qq.com"", ""upload_data.qq.com"", ""qq-messenger.en.softonic.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/qq_im-remote_assistance_network_sigma.yml"", ""Description"": ""Detects potential network activity of QQ IM-remote assistance RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/qq_im-remote_assistance_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of QQ IM-remote assistance RMM tool""}]",https://en.wikipedia.org/wiki/Tencent_QQ,[] -PuTTY Tray,,PuTTY Tray is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\puttytray.exe, *\puttytray.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/putty_tray_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of PuTTY Tray RMM tool""}]",,[] XRDP,,XRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -FastViewer,,FastViewer is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"fastclient.exe, fastmaster.exe, FastViewer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.fastviewer.com"", ""fastviewer.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fastviewer_network_sigma.yml"", ""Description"": ""Detects potential network activity of FastViewer RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fastviewer_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of FastViewer RMM tool""}]",https://fastviewer.com/demo/EN_FastViewer_Server%20Installation%20Configuration.pdf,[] -Jump Desktop,,Jump Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"jumpclient.exe, jumpdesktop.exe, jumpservice.exe, jumpconnect.exe, jumpupdater.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.jumpdesktop.com"", ""jumpdesktop.com"", ""jumpto.me"", ""*.jumpto.me""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_desktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of Jump Desktop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_desktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Jump Desktop RMM tool""}]",https://support.jumpdesktop.com/hc/en-us/articles/360042490351-Administrators-Guide-For-Jump-Desktop-Connect,[] -Ivanti Remote Control,,Ivanti Remote Control is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"IvantiRemoteControl.exe, ArcUI.exe, AgentlessRC.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.ivanticloud.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ivanti_remote_control_network_sigma.yml"", ""Description"": ""Detects potential network activity of Ivanti Remote Control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ivanti_remote_control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Ivanti Remote Control RMM tool""}]",https://rc1.ivanticloud.com/,[] -BeInSync,,BeInSync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,Beinsync*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.beinsync.net"", ""*.beinsync.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beinsync_network_sigma.yml"", ""Description"": ""Detects potential network activity of BeInSync RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beinsync_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of BeInSync RMM tool""}]",https://en.wikipedia.org/wiki/Phoenix_Technologies,[] -NateOn-desktop sharing,,NateOn-desktop sharing is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"nateon*.exe, nateon.exe, nateonmain.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.nate.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nateon-desktop_sharing_network_sigma.yml"", ""Description"": ""Detects potential network activity of NateOn-desktop sharing RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nateon-desktop_sharing_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NateOn-desktop sharing RMM tool""}]",http://rsupport.nate.com/rview/r8/main/index.aspx,[] -Xeox,,Xeox is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"xeox-agent_x64.exe, xeox_service_windows.exe, xeox-agent_*.exe, xeox-agent_x86.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.xeox.com"", ""xeox.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xeox_network_sigma.yml"", ""Description"": ""Detects potential network activity of Xeox RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xeox_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Xeox RMM tool""}]",https://help.xeox.com/knowledge-base/gSuyNfDH6u79M82utnswf2/firewall-settings-xeox-agent-and-integrations/47T7S9tZJ2L1Z2W5gwuXoW,[] -WinSCP,,WinSCP is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\IEUser\Downloads\WinSCP-5.21.6-Portable\*, *\WinSCP*Portable\*, *\WinSCP.exe, *\WinSCP\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/winscp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of WinSCP RMM tool""}]",,[] -DW Service,,DW Service is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"dwagsvc.exe, dwagent.exe, dwagsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.dwservice.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_network_sigma.yml"", ""Description"": ""Detects potential network activity of DW Service RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DW Service RMM tool""}]",https://news.dwservice.net/dwservice-security-infrastructure/,[] -NTR Remote,,NTR Remote is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,NTRsupportPro_EN.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.ntrsupport.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ntr_remote_network_sigma.yml"", ""Description"": ""Detects potential network activity of NTR Remote RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ntr_remote_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NTR Remote RMM tool""}]",DOA as of 2024,[] -TurboMeeting,,TurboMeeting is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"pcstarter.exe, turbomeeting.exe, turbomeetingstarter.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""acceo.com/turbomeeting/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/turbomeeting_network_sigma.yml"", ""Description"": ""Detects potential network activity of TurboMeeting RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/turbomeeting_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of TurboMeeting RMM tool""}]",http://sourcing.rhubcom.com/v5/faqs.html#collapsetwentysix2-topdiv,[] -RemoteUtilities,,RemoteUtilities is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"rutview.exe, *\Remote Manipulator System - Server\*, C:\Program Files\Remote Utilities\*, *\Remote Utilities\*, rutserv.exe, *\rutserv.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""remoteutilities.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteutilities_network_sigma.yml"", ""Description"": ""Detects potential network activity of RemoteUtilities RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteutilities_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RemoteUtilities RMM tool""}]",,[] -Pulseway,,Pulseway is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"PCMonitorManager.exe, pcmonitorsrv.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""pulseway.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pulseway_network_sigma.yml"", ""Description"": ""Detects potential network activity of Pulseway RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pulseway_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pulseway RMM tool""}]",https://intercom.help/pulseway/en/,[] +ManageEngine,,ManageEngine is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"InstallShield Setup.exe, ManageEngine_Remote_Access_Plus.exe, *\dcagentservice.exe, C:\Program Files (x86)\DesktopCentral_Agent\bin\*, *\DesktopCentral_Agent\bin\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manageengine_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ManageEngine RMM tool""}]",,[] +Impero Connect,,Impero Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,ImperoClientSVC.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""imperosoftware.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/impero_connect_network_sigma.yml"", ""Description"": ""Detects potential network activity of Impero Connect RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/impero_connect_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Impero Connect RMM tool""}]",,[] +Remcos,,Remcos is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,remcos*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remcos_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remcos RMM tool""}]",,[] +PDQ Connect,,PDQ Connect is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,pdq-connect*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""app.pdq.com"", ""cfcdn.pdq.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pdq_connect_network_sigma.yml"", ""Description"": ""Detects potential network activity of PDQ Connect RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pdq_connect_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of PDQ Connect RMM tool""}]",https://connect.pdq.com/hc/en-us/articles/9518992071707-Network-Requirements,[] +Terminals,,Terminals is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Syncro,,Syncro is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/13/2024,,,,,,,,,,,,"Syncro.Installer.exe, Kabuto.App.Runner.exe, Syncro.Overmind.Service.exe, Kabuto.Installer.exe, KabutoSetup.exe, Syncro.Service.exe, Kabuto.Service.Runner.exe, Syncro.App.Runner.exe, SyncroLive.Service.exe, SyncroLive.Agent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""kabuto.io"", ""*.syncromsp.com"", ""*.syncroapi.com"", ""syncromsp.com"", ""servably.com"", ""ld.aurelius.host"", ""app.kabuto.io "", ""*.kabutoservices.com"", ""repairshopr.com"", ""kabutoservices.com"", ""attachments.servably.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncro_network_sigma.yml"", ""Description"": ""Detects potential network activity of Syncro RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncro_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Syncro RMM tool""}]",https://community.syncromsp.com/t/syncro-exceptions-and-allowlists/2004,[] +247ithelp.com (ConnectWise),,247ithelp.com (ConnectWise) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,Remote Workforce Client.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.247ithelp.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/247ithelp.com__connectwise__network_sigma.yml"", ""Description"": ""Detects potential network activity of 247ithelp.com (ConnectWise) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/247ithelp.com__connectwise__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of 247ithelp.com (ConnectWise) RMM tool""}]",Similar / replaced by ScreenConnect,[] +Netviewer,,Netviewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"netviewer*.exe, netviewer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""download.cnet.com/Net-Viewer/3000-2370_4-10034828.html""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer_network_sigma.yml"", ""Description"": ""Detects potential network activity of Netviewer RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Netviewer RMM tool""}]",,[] +Syspectr,,Syspectr is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"oo-syspectr*.exe, OOSysAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""atled.syspectr.com"", ""app.syspectr.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syspectr_network_sigma.yml"", ""Description"": ""Detects potential network activity of Syspectr RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syspectr_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Syspectr RMM tool""}]",https://www.syspectr.com/en/installation-in-a-network,[] +I'm InTouch,,I'm InTouch is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"iit.exe, intouch.exe, I'm InTouch Go Installer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.01com.com"", ""01com.com/imintouch-remote-pc-desktop""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/i'm_intouch_network_sigma.yml"", ""Description"": ""Detects potential network activity of I'm InTouch RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/i'm_intouch_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of I'm InTouch RMM tool""}]",https://www.01com.com/mobile/imintouch-remote-pc-desktop/faqs/remote-access/,[] +ISL Light,,ISL Light is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"islalwaysonmonitor.exe, isllight.exe, isllightservice.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""islonline.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_light_network_sigma.yml"", ""Description"": ""Detects potential network activity of ISL Light RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_light_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ISL Light RMM tool""}]",,[] +Mocha VNC Lite,,Mocha VNC Lite is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"This installs a modified VNC and cannot be blocked by path separate from VNC, This installs a modified VNC and cannot be blocked by path separate from VNC, *\RealVNC\VNC4\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Ericom Connect,,Ericom Connect is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"EricomConnectRemoteHost*.exe, ericomconnnectconfigurationtool.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""ericom.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_connect_network_sigma.yml"", ""Description"": ""Detects potential network activity of Ericom Connect RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_connect_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Ericom Connect RMM tool""}]",https://www.ericom.com/connect-accessnow/,[] +Yandex.Disk,,Yandex.Disk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Yandex\*, *\Yandex\*, *\YandexDisk2.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/yandex.disk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Yandex.Disk RMM tool""}]",,[] +LiteManager,,LiteManager is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"lmnoipserver.exe, ROMFUSClient.exe, romfusclient.exe, romviewer.exe, romserver.exe, ROMServer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.litemanager.ru"", ""*.litemanager.com"", ""litemanager.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/litemanager_network_sigma.yml"", ""Description"": ""Detects potential network activity of LiteManager RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/litemanager_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of LiteManager RMM tool""}]",https://www.litemanager.com/articles/LiteManager_remote_access_to_a_desktop_via_the_Internet_or_LAN/,[] +BeAnyWhere,,BeAnyWhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"basuptshelper.exe, basupsrvcupdate.exe, BASupApp.exe, BASupSysInf.exe, BASupAppSrvc.exe, TakeControl.exe, BASupAppElev.exe, basupsrvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""beanywhere.en.uptodown.com/windows"", ""beanywhere.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beanywhere_network_sigma.yml"", ""Description"": ""Detects potential network activity of BeAnyWhere RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beanywhere_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of BeAnyWhere RMM tool""}]",https://www.shouldiremoveit.com/beanywhere-support-service-40908-program.aspx,[] +Jump Cloud,,Jump Cloud is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,JumpCloud*.exe ,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.api.jumpcloud.com"", ""*.assist.jumpcloud.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_cloud_network_sigma.yml"", ""Description"": ""Detects potential network activity of Jump Cloud RMM tool""}]",https://jumpcloud.com/support/understand-remote-assist-agent,[] +Remote Desktop Manager (Devolutions),,Remote Desktop Manager (Devolutions) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +AweRay,,AweRay is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"aweray_remote*.exe, AweSun.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""asapi*.aweray.net"", ""client-api.aweray.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray_network_sigma.yml"", ""Description"": ""Detects potential network activity of AweRay RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of AweRay RMM tool""}]",https://sun.aweray.com/help,[] +Remobo,,Remobo is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"remobo.exe, remobo_client.exe, remobo_tracker.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""remobo.en.softonic.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remobo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Remobo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remobo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remobo RMM tool""}]",https://www.remobo.com - DOA as of 2024,[] +ESET Remote Administrator,,ESET Remote Administrator is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"era.exe, einstaller.exe, ezhelp*.exe, eratool.exe, ERAAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""eset.com/me/business/remote-management/remote-administrator/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_network_sigma.yml"", ""Description"": ""Detects potential network activity of ESET Remote Administrator RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ESET Remote Administrator RMM tool""}]",eset.com/me/business/remote-management/remote-administrator/,[] +Ultra VNC,,Ultra VNC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\uvnc bvba\UltraVNC\*, *\uvnc bvba\UltraVNC\*, *\UVNC_Launch.exe, *\winvnc.exe, *\vncviewer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultra_vnc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Ultra VNC RMM tool""}]",,[] +pcAnywhere,,pcAnywhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"awhost32.exe, awrem32.exe, pcaquickconnect.exe, winaw32.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcanywhere_network_sigma.yml"", ""Description"": ""Detects potential network activity of pcAnywhere RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcanywhere_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of pcAnywhere RMM tool""}]",https://en.wikipedia.org/wiki/PcAnywhere,[] +Remote.it,,Remote.it is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"remote-it-installer.exe, remote.it.exe, remoteit.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""auth.api.remote.it"", ""api.remote.it"", ""remote.it""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote.it_network_sigma.yml"", ""Description"": ""Detects potential network activity of Remote.it RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote.it_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remote.it RMM tool""}]",https://docs.remote.it/introduction/get-started,[] +Guacamole,,Guacamole is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,guacd.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""guacamole.apache.org""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/guacamole_network_sigma.yml"", ""Description"": ""Detects potential network activity of Guacamole RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/guacamole_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Guacamole RMM tool""}]",guacamole.apache.org,[] +Addigy,,Addigy is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/27/2024,,,,,,,,,,,,addigy-*.pkg,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""prod.addigy.com"", ""grtmprod.addigy.com"", ""agents.addigy.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/addigy_network_sigma.yml"", ""Description"": ""Detects potential network activity of Addigy RMM tool""}]",https://addigy.com/,[] +AeroAdmin,,AeroAdmin is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"aeroadmin.exe, AeroAdmin.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""auth*.aeroadmin.com"", ""aeroadmin.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aeroadmin_network_sigma.yml"", ""Description"": ""Detects potential network activity of AeroAdmin RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aeroadmin_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of AeroAdmin RMM tool""}]",https://support.aeroadmin.com/kb/faq.php?id=58,[] +Access Remote PC,,Access Remote PC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"rpcgrab.exe, rpcsetup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/access_remote_pc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Access Remote PC RMM tool""}]",,[] +Acronic Cyber Protect (Remotix),,Acronic Cyber Protect (Remotix) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"AcronisCyberProtectConnectQuickAssist*.exe, AcronisCyberProtectConnectAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""cloud.acronis.com"", ""agents*-cloud.acronis.com"", ""gw.remotix.com"", ""connect.acronis.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/acronic_cyber_protect__remotix__network_sigma.yml"", ""Description"": ""Detects potential network activity of Acronic Cyber Protect (Remotix) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/acronic_cyber_protect__remotix__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Acronic Cyber Protect (Remotix) RMM tool""}]",https://kb.acronis.com/content/47189,[] +Instant Housecall,,Instant Housecall is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"hsloader.exe, InstantHousecall.exe, ihcserver.exe, instanthousecall.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.instanthousecall.com"", ""secure.instanthousecall.com"", ""*.instanthousecall.net"", ""instanthousecall.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_network_sigma.yml"", ""Description"": ""Detects potential network activity of Instant Housecall RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Instant Housecall RMM tool""}]",https://instanthousecall.com/features/,[] +SkyFex,,SkyFex is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"Deskroll.exe, DeskRollUA.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""skyfex.com"", ""deskroll.com"", ""*.deskroll.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/skyfex_network_sigma.yml"", ""Description"": ""Detects potential network activity of SkyFex RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/skyfex_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SkyFex RMM tool""}]",https://skyfex.com/,[] +PSEXEC,,PSEXEC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"psexec.exe, psexecsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec_network_sigma.yml"", ""Description"": ""Detects potential network activity of PSEXEC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of PSEXEC RMM tool""}]",https://learn.microsoft.com/en-us/sysinternals/downloads/psexec,[] +MSP360,,MSP360 is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"Online Backup.exe, CBBackupPlan.exe, Cloud.Backup.Scheduler.exe, Cloud.Backup.RM.Service.exe, cbb.exe, CloudRaService.exe, CloudRaSd.exe, CloudRaCmd.exe, CloudRaUtilities.exe, Remote Desktop.exe, Connect.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.cloudberrylab.com"", ""*.msp360.com"", ""*.mspbackups.com"", ""msp360.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/msp360_network_sigma.yml"", ""Description"": ""Detects potential network activity of MSP360 RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/msp360_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MSP360 RMM tool""}]",https://kb.msp360.com/managed-backup-service/mbs-tcp-ports-configuration#,[] +SecureCRT,,SecureCRT is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\SecureCRT.EXE, *\SecureCRT.EXE, *\VanDyke Software\ClientPack\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/securecrt_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SecureCRT RMM tool""}]",,[] +VNC,,VNC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"winvnc*.exe, vncserver.exe, winwvc.exe, winvncsc.exe, vncserverui.exe, vncviewer.exe, winvnc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""realvnc.com/en/connect/download/vnc""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/vnc_network_sigma.yml"", ""Description"": ""Detects potential network activity of VNC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/vnc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of VNC RMM tool""}]",https://realvnc.com/en/connect/download/vnc,[] Panorama9,,Panorama9 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,p9agent*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""trusted.panorama9.com"", ""changes.panorama9.com"", ""panorama9.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/panorama9_network_sigma.yml"", ""Description"": ""Detects potential network activity of Panorama9 RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/panorama9_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Panorama9 RMM tool""}]",https://support.panorama9.com/en/articles/1859605-what-ports-and-hosts-does-the-p9-agent-communicate-with,[] +FixMe.it,,FixMe.it is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"FixMeit Client.exe, TiExpertStandalone.exe, FixMeitClient*.exe, TiExpertCore.exe, FixMeit Unattended Access Setup.exe, FixMeit Expert Setup.exe, TiExpertCore.exe, fixmeitclient.exe, TiClientCore.exe, TiClientHelper*.exe, 9380CC75B872221A7425D7503565B67580407F60","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.fixme.it"", ""*.techinline.net"", ""fixme.it"", ""*set.me"", ""*setme.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme_network_sigma.yml"", ""Description"": ""Detects potential network activity of FixMe RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of FixMe RMM tool""}]",,[] +ISL Online,,ISL Online is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"*\ISLLight.exe, isllight.exe, ISLLightClient.exe, C:\Program Files (x86)\ISL Online\ISL Light*, *\ISL Online\ISL Light*, ISLLight.exe, isllightservice.exe, islalwaysonmonitor.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.islonline.com"", ""*.islonline.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_network_sigma.yml"", ""Description"": ""Detects potential network activity of ISL Online RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ISL Online RMM tool""}]",https://help.islonline.com/19818/165940,[] +RES Automation Manager,,RES Automation Manager is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"wisshell*.exe, wmc.exe, wmc_deployer.exe, wmcsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""ivanti.com/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/res_automation_manager_network_sigma.yml"", ""Description"": ""Detects potential network activity of RES Automation Manager RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/res_automation_manager_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RES Automation Manager RMM tool""}]",https://forums.ivanti.com/s/article/INFO-Which-ports-does-Ivanti-Automation-use?language=en_US&ui-force-components-controllers-recordGlobalValueProvider.RecordGvp.getRecord=1,[] Atera,,"Atera is a remote monitoring and management (RMM) tool. It is used by threat actors to deploy ransomware or facilitate command execution and lateral movement. 
",,2024-08-03,2024-10-06,https://www.atera.com/,AteraAgent.exe,AteraAgent.exe,AteraAgent,,SYSTEM,30 day trial,None,"Windows, MacOS, Linux","Integrated remote access with Splashtop and AnyDesk, Remote monitoring and management, Patch management, Network discovery, Backup and disaster recovery, Helpdesk and ticketing, Reporting and analytics, Billing and invoicing, Customer portal, Mobile app","CVE-2023-26078, CVE-2023-26077","*\AgentPackageNetworkDiscovery.exe, *\AgentPackageTaskScheduler.exe, *\ATERA Networks\AteraAgent\*, *\AteraAgent.exe, atera_agent.exe, atera_agent.exe, ateraagent.exe, C:\Program Files\ATERA Networks\AteraAgent\*, C:\Program Files\Atera Networks, C:\Program Files (x86)\Atera Networks, syncrosetup.exe","{""Disk"": [{""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageRunCommandInteractive\\log.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\*"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe"", ""Description"": ""Atera service binary"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\Atera Networks\\AlphaAgent.exe"", ""Description"": ""Atera service binary"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageSTRemote\\AgentPackageSTRemote.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageMonitoring\\AgentPackageMonitoring.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageHeartbeat\\AgentPackageHeartbeat.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageFileExplorer\\AgentPackageFileExplorer.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, 
{""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageRunCommandInteractive\\AgentPackageRunCommandInteractive.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""AteraAgent"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\ATERA Networks\\\\AteraAgent\\\\AteraAgent.exe\"""", ""Description"": ""Service installation event as result of AteraAgent installation.""}, {""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""WinRing0_1_2_0"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\ATERA Networks\\\\AteraAgent\\\\Packages\\\\AgentPackageMonitoring\\\\OpenHardwareMonitorLib.sys\"""", ""Description"": ""Service installation event as result of Atera pakcage manager installation.""}, {""EventID"": 11707, ""ProviderName"": ""MsiInstaller"", ""LogFile"": ""Application.evtx"", ""Data"": ""Product: AteraAgent -- Installation completed successfully."", ""Description"": ""Service installation event as result of AteraAgent installation.""}, {""EventID"": 4697, ""ProviderName"": ""Microsoft-Security-Auditing"", ""LogFile"": ""Security.evtx"", ""CommandLine"": ""C:\\\\Program Files\\\\ATERA Networks\\\\AteraAgent\\\\Packages\\\\AgentPackageFileExplorer\\\\AgentPackageFileExplorer.exe XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX agent-api.atera.com/Production 443 [BASE64BLOB]"", ""Description"": ""Service installation event as result of AteraAgent installation.""}], ""Registry"": [{""Path"": ""HKLM\\SOFTWARE\\ATERA Networks\\AlphaAgent"", ""Description"": null}, {""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Services\\AteraAgent"", ""Description"": null}, {""Path"": ""KLM\\SOFTWARE\\WOW6432Node\\Splashtop Inc."", ""Description"": null}, {""Path"": 
""HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Splashtop Software Updater"", ""Description"": null}, {""Path"": ""HKLM\\SYSTEM\\ControlSet\\Services\\EventLog\\Application\\AlphaAgent"", ""Description"": null}, {""Path"": ""HKLM\\SYSTEM\\ControlSet\\Services\\EventLog\\Application\\AteraAgent"", ""Description"": null}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Tracing\\AteraAgent_RASAPI32"", ""Description"": null}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Tracing\\AteraAgent_RASMANCS"", ""Description"": null}, {""Path"": ""HKLM\\SOFTWARE\\ATERA Networks\\*"", ""Description"": null}], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""pubsub.atera.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""pubsub.pubnub.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""agentreporting.atera.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""getalphacontrol.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""app.atera.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""agenthb.atera.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""packagesstore.blob.core.windows.net""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""ps.pndsn.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""agent-api.atera.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""cacerts.thawte.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""agentreportingstore.blob.core.windows.net""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""atera-agent-heartbeat.servicebus.windows.net""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""ps.atera.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""atera.pubnubapi.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""appcdn.atera.com""], 
""Ports"": [""N/A""]}]}","[{""Sigma"": ""https://github.com/The-DFIR-Report/Sigma-Rules/blob/d67407d357ad32b247e2a303abc5a38bb30fd576/rules/windows/process_creation/proc_creation_win_ateraagent_malicious_installations.yml"", ""Name"": ""AteraAgent malicious installations"", ""Description"": ""Detects AteraAgent installations with suspicious command line arguments.""}, {""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yml"", ""Name"": ""Atera Agent Installation"", ""Description"": ""Detects Atera Agent installation.""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of Atera RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_network_sigma.yml"", ""Description"": ""Detects potential network activity of Atera RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_files_sigma.yml"", ""Description"": ""Detects potential files activity of Atera RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Atera RMM tool""}]","https://support.atera.com/hc/en-us/articles/360015461139-Firewall-Settings-for-Atera-s-Integrations, https://support.atera.com/hc/en-us/articles/215955967-Troubleshoot-Atera-s-Windows-agent, https://support.atera.com/hc/en-us/articles/115015619747-Release-Notes-February-2018, https://thedfirreport.com/?s=ateraagent","[{""Person"": ""Th\u00e9o Letailleur"", ""Handle"": ""in/theosyn""}, {""Person"": ""Nasreddine Bencherchali"", ""Handle"": ""@nas_bench""}, {""Person"": ""Kostas"", ""Handle"": ""@kostastsale""}]" -JollysFastVNC,,JollysFastVNC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -RunSmart,,RunSmart is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""runsmart.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/runsmart_network_sigma.yml"", ""Description"": ""Detects potential network activity of RunSmart RMM tool""}]",,[] -Chrome Remote Desktop,,Chrome Remote Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"remote_host.exe, remoting_host.exe, C:\Program Files (x86)\Google\Chrome Remote Desktop\*, *\Google\Chrome Remote Desktop\*, *\remoting_host.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*remotedesktop.google.com"", ""*remotedesktop-pa.googleapis.com"", ""remotedesktop.google.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of Chrome Remote Desktop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Chrome Remote Desktop RMM tool""}]",https://support.google.com/chrome/a/answer/2799701?hl=en,[] -Netviewer (GoToMeet),,Netviewer (GoToMeet) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"nvClient.exe, netviewer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer__gotomeet__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Netviewer (GoToMeet) RMM tool""}]",Obsolute - found copy here: https://www.enviolet.com/en/service/online-consultant.html,[] -Netviewer,,Netviewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"netviewer*.exe, netviewer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""download.cnet.com/Net-Viewer/3000-2370_4-10034828.html""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer_network_sigma.yml"", ""Description"": ""Detects potential network activity of Netviewer RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Netviewer RMM tool""}]",,[] -ConnectWise Control,,ConnectWise Control is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"connectwisechat-customer.exe, connectwisecontrol.client.exe, screenconnect.windowsclient.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""live.screenconnect.com"", ""control.connectwise.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_network_sigma.yml"", ""Description"": ""Detects potential network activity of ConnectWise Control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ConnectWise Control RMM tool""}]",,[] -ExtraPuTTY,,ExtraPuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\*\ExtraPuTTY-0.30-2016-01-28-installer.exe, *Users\*\ExtraPuTTY-0.30-2016-01-28-installer.exe, *\ExtraPuTTY-0.30-2016-01-28-installer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/extraputty_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ExtraPuTTY RMM tool""}]",,[] -FleetDeck.io,,FleetDeck.io is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"fleetdeck_agent_svc.exe, fleetdeck_commander_svc.exe, fleetdeck_installer.exe, fleetdeck_commander_launcher.exe, fleetdeck_agent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.fleetdeck.io"", ""cognito-idp.us-west-2.amazonaws.com"", ""fleetdeck.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdesk.io_network_sigma.yml"", ""Description"": ""Detects potential network activity of FleetDesk.io RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdesk.io_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of FleetDesk.io RMM tool""}]",https://fleetdeck.io/faq/,[] -HelpU,,HelpU is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"helpu_install.exe, HelpuUpdater.exe, HelpuManager.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""helpu.co.kr"", ""*.helpu.co.kr""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpu_network_sigma.yml"", ""Description"": ""Detects potential network activity of HelpU RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpu_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of HelpU RMM tool""}]",https://helpu.co.kr/,[] -ToDesk,,ToDesk is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"todesk.exe, ToDesk_Service.exe, ToDesk_Setup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""todesk.com"", ""*.todesk.com"", ""*.todesk.com"", ""todesktop.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/todesk_network_sigma.yml"", ""Description"": ""Detects potential network activity of ToDesk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/todesk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ToDesk RMM tool""}]",https://www.todesk.com/,[] -RAdmin,,"RAdmin is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. -",Nasreddine Bencherchali,2024-08-05,2024-08-05,https://www.radmin.com/,RServer3.exe,RServer3.exe,Radmin Server,Radmin Server,,,,Windows,,,"C:\Program Files (x86)\Radmin Viewer 3\Radmin.exe, C:\Windows\SysWOW64\rserver30\rserver3.exe, C:\Windows\SysWOW64\rserver30\FamItrfc, C:\Windows\SysWOW64\rserver30\FamItrf2","{""Disk"": [{""File"": ""C:\\Windows\\SysWOW64\\rserver30\\Radm_log.htm"", ""Description"": ""RAdmin log file (32-bit)"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\System32\\rserver30\\Radm_log.htm"", ""Description"": ""RAdmin log file (64-bit)"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\System32\\rserver30\\CHATLOGS\\*\\*.htm"", ""Description"": ""RAdmin chat logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Users\\*\\Documents\\ChatLogs\\*\\*.htm"", ""Description"": ""RAdmin user chat logs"", ""OS"": ""Windows""}], ""EventLog"": [], ""Registry"": [{""Path"": ""HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Radmin\\v3.0\\Server\\Parameters\\Radmin Security"", ""Description"": ""N/A""}], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""radmin.com""], ""Ports"": [443]}]}","[{""Sigma"": 
""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_pua_radmin.yml"", ""Description"": ""PUA - Radmin Viewer Utility Execution""}, {""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml"", ""Description"": ""Enumeration for 3rd Party Creds From CLI""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of RAdmin RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_network_sigma.yml"", ""Description"": ""Detects potential network activity of RAdmin RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_files_sigma.yml"", ""Description"": ""Detects potential files activity of RAdmin RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RAdmin RMM tool""}]","https://radmin-club.com/radmin/how-to-establish-a-connection-outside-of-lan/, https://helpdesk.radmin.com/radmin3help/, https://helpdesk.radmin.com/radmin3help/files/viewercmd.htm, https://helpdesk.radmin.com/radmin3help/files/cmd.htm","[{""Person"": ""Nasreddine Bencherchali"", ""Handle"": ""@nas_bench""}]" CrossLoop,,CrossLoop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"crossloopservice.exe, CrossLoopConnect.exe, WinVNCStub.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.crossloop.com"", ""crossloop.en.softonic.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crossloop_network_sigma.yml"", ""Description"": ""Detects potential network activity of CrossLoop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crossloop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of CrossLoop RMM tool""}]",www.CrossLoop.com -> redirects to avast.com,[] -Centurion,,Centurion is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,ctiserv.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""centuriontech.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centurion_network_sigma.yml"", ""Description"": ""Detects potential network activity of Centurion RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centurion_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Centurion RMM tool""}]",https://data443.atlassian.net/servicedesk/customer/portal/20,[] -KickIdler,,KickIdler is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"grabberEM.*msi, grabberTT*.msi","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""kickidler.com"", ""my.kickidler.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kickidler_network_sigma.yml"", ""Description"": ""Detects potential network activity of KickIdler RMM tool""}]",https://www.kickidler.com/for-it/faq/,[] -Syncro,,Syncro is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/13/2024,,,,,,,,,,,,"Syncro.Installer.exe, Kabuto.App.Runner.exe, Syncro.Overmind.Service.exe, Kabuto.Installer.exe, KabutoSetup.exe, Syncro.Service.exe, Kabuto.Service.Runner.exe, Syncro.App.Runner.exe, SyncroLive.Service.exe, SyncroLive.Agent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""kabuto.io"", ""*.syncromsp.com"", ""*.syncroapi.com"", ""syncromsp.com"", ""servably.com"", ""ld.aurelius.host"", ""app.kabuto.io "", ""*.kabutoservices.com"", ""repairshopr.com"", ""kabutoservices.com"", ""attachments.servably.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncro_network_sigma.yml"", ""Description"": ""Detects potential network activity of Syncro RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncro_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Syncro RMM tool""}]",https://community.syncromsp.com/t/syncro-exceptions-and-allowlists/2004,[] -AweRay,,AweRay is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"aweray_remote*.exe, AweSun.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""asapi*.aweray.net"", ""client-api.aweray.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray_network_sigma.yml"", ""Description"": ""Detects potential network activity of AweRay RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of AweRay RMM tool""}]",https://sun.aweray.com/help,[] -SunLogin,,SunLogin is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"OrayRemoteShell.exe, OrayRemoteService.exe, sunlogin*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""sunlogin.oray.com"", ""client.oray.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sunlogin_network_sigma.yml"", ""Description"": ""Detects potential network activity of SunLogin RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sunlogin_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SunLogin RMM tool""}]",https://sunlogin.oray.com/en/embed/software.html,[] -Koofr,,Koofr is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -SysAid,,SysAid is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\SysAidServer\*, *\SysAidServer\*, *\SysAid\*, *\IliAS.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sysaid_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SysAid RMM tool""}]",,[] +Level.io,,Level.io is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"level-windows-amd64.exe, level.exe, level-remote-control-ffmpeg.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""level.io"", ""*.level.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_network_sigma.yml"", ""Description"": ""Detects potential network activity of Level.io RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Level.io RMM tool""}]",https://docs.level.io/1.0/admin-guides/troubleshooting-agent-issues,[] +Tactical RMM,,Tactical RMM is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"tacticalrmm.exe, tacticalrmm.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""login.tailscale.com"", ""login.tailscale.com"", ""docs.tacticalrmm.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tactical_rmm_network_sigma.yml"", ""Description"": ""Detects potential network activity of Tactical RMM RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tactical_rmm_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Tactical RMM RMM tool""}]",docs.tacticalrmm.com,[] +Fortra,,Fortra is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""fortra.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fortra_network_sigma.yml"", ""Description"": ""Detects potential network activity of Fortra RMM tool""}]",https://www.fortra.com - No free/cloud RMM softwars listed,[] +Sorillus,,Sorillus is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"Sorillus-Launcher*.exe, Sorillus Launcher.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.sorillus.com"", ""sorillus.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sorillus_network_sigma.yml"", ""Description"": ""Detects potential network activity of Sorillus RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sorillus_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Sorillus RMM tool""}]",https://sorillus.com/,[] +RemoteCall,,RemoteCall is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rcengmgru.exe, rcmgrsvc.exe, rxstartsupport.exe, rcstartsupport.exe, raautoup.exe, agentu.exe, remotesupportplayeru.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.remotecall.com"", ""*.startsupport.com"", ""remotecall.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotecall_network_sigma.yml"", ""Description"": ""Detects potential network activity of RemoteCall RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotecall_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RemoteCall RMM tool""}]",https://help.remotecall.com/hc/en-us/articles/360005128814--RemoteCall-Server-List-For-Firewall,[] +Laplink Everywhere,,Laplink Everywhere is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"laplink.exe, laplink-everywhere-setup*.exe, laplinkeverywhere.exe, llrcservice.exe, serverproxyservice.exe, OOSysAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""everywhere.laplink.com"", ""le.laplink.com"", ""atled.syspectr.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_everywhere_network_sigma.yml"", ""Description"": ""Detects potential network activity of Laplink Everywhere RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_everywhere_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Laplink Everywhere RMM tool""}]",https://everywhere.laplink.com/docs,[] +MEGAsync,,MEGAsync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\*\AppData\Local\MEGAsync\*, *Users\*\AppData\Local\MEGAsync\*, *Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*, *ProgramData\MEGAsync\*, *\MEGAsyncSetup64.exe, *\MEGAupdater.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/megasync_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MEGAsync RMM tool""}]",,[] Neturo,,Neturo is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"neturo*.exe, ntrntservice.exe, neturo.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""neturo.uplus.co.kr""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/neturo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Neturo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/neturo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Neturo RMM tool""}]","Obscure, located an older copy here: http://www.iconpos.com/pos/home/iconpos/bbs.php?id=file&q=view&uid=2",[] -SmarTTY,,SmarTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"c:\Program Files (x86)\Sysprogs\SmarTTY\*, *\Sysprogs\SmarTTY\*, *\SmarTTY.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/smartty_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SmarTTY RMM tool""}]",,[] -Impero Connect,,Impero Connect is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,ImperoClientSVC.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""imperosoftware.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/impero_connect_network_sigma.yml"", ""Description"": ""Detects potential network activity of Impero Connect RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/impero_connect_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Impero Connect RMM tool""}]",,[] -247ithelp.com (ConnectWise),,247ithelp.com (ConnectWise) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,Remote Workforce Client.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.247ithelp.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/247ithelp.com__connectwise__network_sigma.yml"", ""Description"": ""Detects potential network activity of 247ithelp.com (ConnectWise) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/247ithelp.com__connectwise__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of 247ithelp.com (ConnectWise) RMM tool""}]",Similar / replaced by ScreenConnect,[] -Remobo,,Remobo is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"remobo.exe, remobo_client.exe, remobo_tracker.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""remobo.en.softonic.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remobo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Remobo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remobo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remobo RMM tool""}]",https://www.remobo.com - DOA as of 2024,[] -Free Tools Launcher,,Free Tools Launcher is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\ManageEngine\ManageEngine Free Tools\Launcher\*, *\ManageEngine\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Echoware,,Echoware is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"echoserver*.exe, echoware.dll","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/echoware_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Echoware RMM tool""}]",,[] -Zoho Assist,,Zoho Assist is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"zaservice.exe, ZMAgent.exe, C:\*\ZA_Access.exe, ZohoMeeting.exe, Zohours.exe, zohotray.exe, ZohoURSService.exe, *\ZA_Access.exe, Zaservice.exe, za_connect.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.zoho.com.au"", ""*.zohoassist.jp"", ""assist.zoho.com"", ""zoho.com/assist/"", ""*.zoho.in"", ""downloads.zohodl.com.cn"", ""*.zohoassist.com"", ""downloads.zohocdn.com"", ""gateway.zohoassist.com"", ""*.zohoassist.com.cn"", ""*.zoho.com.cn"", ""*.zoho.com"", ""*.zoho.eu""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoho_assist_network_sigma.yml"", ""Description"": ""Detects potential network activity of Zoho Assist RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoho_assist_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Zoho Assist RMM tool""}]",https://www.zoho.com/assist/kb/firewall-configuration.html,[] -KiTTY,,KiTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\kitty.exe, *\kitty.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kitty_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of KiTTY RMM tool""}]",,[] -SimpleHelp,,SimpleHelp is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"simplehelpcustomer.exe, simpleservice.exe, simplegatewayservice.exe, remote access.exe, windowslauncher.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""simple-help.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/simplehelp_network_sigma.yml"", ""Description"": ""Detects potential network activity of SimpleHelp RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/simplehelp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SimpleHelp RMM tool""}]",https://simple-help.com/remote-support,[] -CloudFlare Tunnel,,CloudFlare Tunnel is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,cloudflared.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""cloudflare.com/products/tunnel/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudflare_tunnel_network_sigma.yml"", ""Description"": ""Detects potential network activity of CloudFlare Tunnel RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudflare_tunnel_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of CloudFlare Tunnel RMM tool""}]",cloudflare.com/products/tunnel/,[] -GoTo Opener,,GoTo Opener is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\GoTo Opener, *\GoTo Opener","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Pcvisit,,Pcvisit is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"pcvisit.exe, pcvisit_client.exe, pcvisit-easysupport.exe, pcvisit_service_client.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.pcvisit.de"", ""pcvisit.de""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcvisit_network_sigma.yml"", ""Description"": ""Detects potential network activity of Pcvisit RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcvisit_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pcvisit RMM tool""}]",https://www.pcvisit.de/,[] -Mocha VNC Lite,,Mocha VNC Lite is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"This installs a modified VNC and cannot be blocked by path separate from VNC, This installs a modified VNC and cannot be blocked by path separate from VNC, *\RealVNC\VNC4\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Laplink Gold,,Laplink Gold is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"tsircusr.exe, laplink.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""wen.laplink.com/product/laplink-gold""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_gold_network_sigma.yml"", ""Description"": ""Detects potential network activity of Laplink Gold RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_gold_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Laplink Gold RMM tool""}]",wen.laplink.com/product/laplink-gold,[] -Iperius Remote,,Iperius Remote is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"iperius.exe, iperiusremote.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.iperiusremote.com"", ""*.iperius.com"", ""*.iperius-rs.com"", ""iperiusremote.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/iperius_remote_network_sigma.yml"", ""Description"": ""Detects potential network activity of Iperius Remote RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/iperius_remote_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Iperius Remote RMM tool""}]",https://www.iperiusremote.com/download-iperius-remote-desktop-windows.aspx,[] -BeamYourScreen,,BeamYourScreen is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"beamyourscreen.exe, beamyourscreen-host.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""beamyourscreen.com"", ""*.beamyourscreen.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beamyourscreen_network_sigma.yml"", ""Description"": ""Detects potential network activity of BeamYourScreen RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beamyourscreen_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of BeamYourScreen RMM tool""}]",beamyourscreen redirects to https://www.mikogo.com/,[] -TeleDesktop,,TeleDesktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"pstlaunch.exe, ptdskclient.exe, ptdskhost.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""tele-desk.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teledesktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of TeleDesktop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teledesktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of TeleDesktop RMM tool""}]",http://potomacsoft.com/ - DOA as of 2024,[] -Parallels Access,,Parallels Access is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"parallelsaccess-*.exe, TSClient.exe, prl_deskctl_agent.exe, prl_deskctl_wizard.exe, prl_pm_service.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.parallels.com"", ""parallels.com/products/ras/try""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/parallels_access_network_sigma.yml"", ""Description"": ""Detects potential network activity of Parallels Access RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/parallels_access_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Parallels Access RMM tool""}]",https://kb.parallels.com/en/129097,[] -Basecamp,,Basecamp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""basecamp.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/basecamp_network_sigma.yml"", ""Description"": ""Detects potential network activity of Basecamp RMM tool""}]",basecamp.com - No specific RMM tool listed,[] -Weezo,,Weezo is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"weezohttpd.exe, weezo.exe, weezo setup*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.weezo.me"", ""weezo.net"", ""*.weezo.net"", ""weezo.en.softonic.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/weezo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Weezo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/weezo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Weezo RMM tool""}]",weezo.en.softonic.com,[] -X2Go,,X2Go is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],https://wiki.x2go.org/doku.php,[] -Dev Tunnels (aka Visual Studio Dev Tunnel),,Dev Tunnels (aka Visual Studio Dev Tunnel) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dev_tunnels__aka_visual_studio_dev_tunnel__network_sigma.yml"", ""Description"": ""Detects potential network activity of Dev Tunnels (aka Visual Studio Dev Tunnel) RMM tool""}]",,[] -Connectwise Automate (LabTech),,Connectwise Automate (LabTech) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"ltsvc.exe, ltsvcmon.exe, lttray.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.hostedrmm.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_automate__labtech__network_sigma.yml"", ""Description"": ""Detects potential network activity of Connectwise Automate (LabTech) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_automate__labtech__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Connectwise Automate (LabTech) RMM tool""}]",https://www.connectwise.com/company/announcements/labtech-now-connectwise-automate,[] +Distant Desktop,,Distant Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"ddsystem.exe, dd.exe, distant-desktop.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.distantdesktop.com"", ""*signalserver.xyz""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of Distant Desktop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Distant Desktop RMM tool""}]",https://www.distantdesktop.com/manual/first-start.htm,[] +Anyplace Control,,Anyplace Control is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,apc_host.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""anyplace-control.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyplace_control_network_sigma.yml"", ""Description"": ""Detects potential network activity of Anyplace Control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyplace_control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Anyplace Control RMM tool""}]",http://www.anyplace-control.com/anyplace-control/help/faq.htm,[] +JollysFastVNC,,JollysFastVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +ExtraPuTTY,,ExtraPuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\*\ExtraPuTTY-0.30-2016-01-28-installer.exe, *Users\*\ExtraPuTTY-0.30-2016-01-28-installer.exe, *\ExtraPuTTY-0.30-2016-01-28-installer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/extraputty_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ExtraPuTTY RMM tool""}]",,[] +rdpwrap,,rdpwrap is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"RDPWInst.exe, RDPCheck.exe, RDPConf.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""github.com/stascorp/rdpwrap""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpwrap_network_sigma.yml"", ""Description"": ""Detects potential network activity of rdpwrap RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpwrap_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of rdpwrap RMM tool""}]",github.com/stascorp/rdpwrap,[] +N-ABLE Remote Access Software,,N-ABLE Remote Access Software is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""n-able.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_remote_access_software_network_sigma.yml"", ""Description"": ""Detects potential network activity of N-ABLE Remote Access Software RMM tool""}]",,[] +Solar-PuTTY,,Solar-PuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\Solar-Putty-v4\*, *\Solar-Putty-v4\*, *\Solar-PuTTY.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/solar-putty_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Solar-PuTTY RMM tool""}]",,[] +TeamViewer,,"TeamViewer is a remote monitoring and management (RMM) tool. 
+","Nasreddine Bencherchali, Michael Haag",2024-08-02,2024-08-02,https://www.teamviewer.com/en,TeamViewer.exe,,,TeamViewer,user,True,False,"Android, ChromeOS, IOS, Linux, Mac, Windows",,https://www.cvedetails.com/vulnerability-list/vendor_id-11100/product_id-19942/Teamviewer-Teamviewer.html,"C:\Program Files\TeamViewer\, teamviewer_desktop.exe, teamviewer_service.exe, teamviewerhost","{""Disk"": [{""File"": ""C:\\Users\\\\AppData\\Local\\Temp\\TeamViewer\\TV15Install.log"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""TeamViewer\\d\\d_Logfile\\.log"", ""Description"": ""N/A"", ""OS"": ""Windows"", ""Type"": ""Regex""}, {""File"": ""C:\\Program Files\\TeamViewer\\Connections_incoming.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\TeamViewer\\TVNetwork.log"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%LOCALAPPDATA%\\Temp\\TeamViewer\\TV15Install.log"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%APPDATA%\\\\TeamViewer\\\\TeamViewer\\d\\d_Logfile\\.log"", ""Description"": ""N/A"", ""OS"": ""Windows"", ""Type"": ""Regex""}, {""File"": ""teamviewerqs.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""tv_w32.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""tv_w64.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""tv_x64.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""teamviewer.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""teamviewer_service.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%LOCALAPPDATA%\\TeamViewer\\Database\\tvchatfilecache.db"", ""Description"": ""SQlite 3 database storing cache about TeamViewer chat"", ""OS"": ""Windows""}, {""File"": ""%LOCALAPPDATA%\\TeamViewer\\RemotePrinting\\tvprint.db"", ""Description"": ""SQlite 3 database storing TeamViewer print jobs"", ""OS"": ""Windows""}, {""File"": ""%PROGRAMDATA%\\Microsoft\\Windows\\Start 
Menu\\Programs\\TeamViewer.lnk"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files*\\TeamViewer\\connections*.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Users\\*\\AppData\\Roaming\\TeamViewer\\MRU\\RemoteSupport\\*tvc"", ""Description"": ""N/A"", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""TeamViewer"", ""ImagePath"": ""\""C:\\\\Program Files\\\\TeamViewer\\\\TeamViewer_Service.exe\"""", ""Description"": ""Service installation event as result of TeamViewer installation.""}], ""Registry"": [{""Path"": ""HKLM\\SOFTWARE\\TeamViewer\\*"", ""Description"": ""N/A""}, {""Path"": ""HKU\\\\SOFTWARE\\TeamViewer\\*"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Services\\TeamViewer\\*"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\TeamViewer\\ConnectionHistory"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\TeamViewer\\*"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\MainWindowHandle"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImage"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImagePath"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImagePosition"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\MinimizeToTray"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioUserSelectedCapturingEndpoint"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioSendingVolumeV2"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioUserSelectedRenderingEndpoint"", ""Description"": ""N/A""}, {""Path"": 
""HKLM\\SOFTWARE\\TeamViewer\\ConnectionHistory"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\ClientWindow_Mode"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\ClientWindowPositions"", ""Description"": ""N/A""}], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.teamviewer.com""], ""Ports"": []}, {""Description"": ""N/A"", ""Domains"": [""router15.teamviewer.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""client.teamviewer.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""taf.teamviewer.com""], ""Ports"": [443]}], ""Other"": [{""Type"": ""Mutex"", ""Value"": ""TeamViewer_LogMutex""}, {""Type"": ""Mutex"", ""Value"": ""TeamViewerHooks_DynamicMemMutex""}, {""Type"": ""Mutex"", ""Value"": ""TeamViewer3_Win32_Instance_Mutex""}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of TeamViewer RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_network_sigma.yml"", ""Description"": ""Detects potential network activity of TeamViewer RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_files_sigma.yml"", ""Description"": ""Detects potential files activity of TeamViewer RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of TeamViewer RMM tool""}]","https://community.teamviewer.com/English/kb/articles/4139-ports-used-by-teamviewer, https://arista.my.site.com/AristaCommunity/s/article/Security-Analysis-TeamViewer#, https://www.teamviewer.com/en/global/support/knowledge-base/teamviewer-classic/troubleshooting/log-file-reading-incoming-connection/, 
https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html, https://github.com/Purp1eW0lf/Blue-Team-Notes","[{""Person"": ""Th\u00e9o Letailleur"", ""Handle"": ""in/theosyn""}]" +Itarian,,Itarian is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"ITSMAgent.exe, RViewer.exe, ItsmRsp.exe, RAccess.exe, RmmService.exe, ITarianRemoteAccessSetup.exe, RDesktop.exe, ComodoRemoteControl.exe, ITSMService.exe, RHost.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""mdmsupport.comodo.com"", ""*.itsm-us1.comodo.com"", ""*.cmdm.comodo.com"", ""remoteaccess.itarian.com"", ""servicedesk.itarian.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itarian_network_sigma.yml"", ""Description"": ""Detects potential network activity of Itarian RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itarian_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Itarian RMM tool""}]","https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html",[] +Visual Studio Dev Tunnel,,Visual Studio Dev Tunnel is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""global.rel.tunnels.api.visualstudio.com"", ""*.rel.tunnels.api.visualstudio.com"", ""*.devtunnels.ms""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/visual_studio_dev_tunnel_network_sigma.yml"", ""Description"": ""Detects potential network activity of Visual Studio Dev Tunnel RMM tool""}]",https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security,[] +ITSupport247 (ConnectWise),,ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,saazapsc.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.itsupport247.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__network_sigma.yml"", ""Description"": ""Detects potential network activity of ITSupport247 (ConnectWise) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ITSupport247 (ConnectWise) RMM tool""}]",https://control.itsupport247.net/,[] +LogMeIn,,"LogMeIn is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. 
+",Nasreddine Bencherchali,2024-08-05,2024-08-05,https://www.logmein.com/,lmiguardiansvc.exe,,,,,,,,,,None,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""logmein-gateway.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.logmein.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.logmein.eu""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""logmeinrescue.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.logmeininc.com""], ""Ports"": [443]}]}","[{""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml"", ""Description"": ""DNS Query To Remote Access Software Domain From Non-Browser App""}, {""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_remote_access_tools_logmein.yml"", ""Description"": ""Remote Access Tool - LogMeIn Execution""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_network_sigma.yml"", ""Description"": ""Detects potential network activity of LogMeIn RMM tool""}]",https://support.logmeininc.com/central/help/allowlisting-and-firewall-configuration,"[{""Person"": ""Nasreddine Bencherchali"", ""Handle"": ""@nas_bench""}]" +PuTTY,,PuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Netreo,,Netreo is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""charon.netreo.net"", ""activation.netreo.net"", ""*.api.netreo.com"", ""netreo.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netreo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Netreo RMM tool""}]",https://solutions.netreo.com/docs/firewall-requirements,[] +Netop Remote Control (Impero Connect),,Netop Remote Control (Impero Connect) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"nhostsvc.exe, nhstw32.exe, ngstw32.exe, Netop Ondemand.exe, nldrw32.exe, rmserverconsolemediator.exe, ImperoInit.exe, Connect.Backdrop.cloud*.exe, ImperoClientSVC.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.connect.backdrop.cloud"", ""*.netop.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__impero_connect__network_sigma.yml"", ""Description"": ""Detects potential network activity of Netop Remote Control (Impero Connect) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__impero_connect__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Netop Remote Control (Impero Connect) RMM tool""}]",https://kb.netop.com/article/firewall-and-proxy-server-considerations-when-using-netop-portal-communication-373.html,[] Splashtop (Beta),,Splashtop (Beta) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"SRServer.exe, SplashtopSOS.exe, Splashtop_Streamer_Windows*.exe, SRManager.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""splashtop.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop__beta__network_sigma.yml"", ""Description"": ""Detects potential network activity of Splashtop (Beta) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop__beta__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Splashtop (Beta) RMM tool""}]",,[] -Netop,,Netop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\Danware Data\NetOp Packn Deploy\*, *\Danware Data\NetOp Packn Deploy\*, *\Netop Remote Control\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Kaseya (VSA),,"Kaseya (VSA) aka Unigma is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. 
-",Nasreddine Bencherchali,2024-08-05,2024-08-05,,agentmon.exe,,,,,,,,,,"C:\Program Files (x86)\Kaseya\, C:\ProgramData\Kaseya\","{""Disk"": [{""File"": ""%localappdata%\\Kaseya\\Log\\KaseyaLiveConnect\\*"", ""Description"": ""Kaseya Live Connect logs"", ""OS"": ""Windows""}, {""File"": ""~/Library/Logs/com.kaseya/KaseyaLiveConnect/*"", ""Description"": ""Kaseya Live Connect logs"", ""OS"": ""MacOS""}, {""File"": ""C:\\ProgramData\\Kaseya\\Log\\Endpoint\\*"", ""Description"": ""Kaseya Endpoint logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files*\\Kaseya\\*\\agentmon.log"", ""Description"": ""Kaseya Agent Monitor log""}, {""File"": ""/var/log/system.log"", ""Description"": ""Kaseya Agent Monitor log"", ""OS"": ""MacOS 32bit""}, {""File"": "" ~/opt/kaseya/*/logs*"", ""Description"": ""Kaseya Agent Monitor log"", ""OS"": ""MacOS 64bit""}, {""File"": ""C:\\Users\\*\\AppData\\Local\\Temp\\KASetup.log"", ""Description"": ""Kaseya Setup log in user temp directory"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\Temp\\KASetup.log"", ""Description"": ""Kaseya Setup log in Windows temp directory"", ""OS"": ""Windows""}, {""File"": ""C:\\ProgramData\\Kaseya\\Log\\KaseyaEdgeServices\\*"", ""Description"": ""Kaseya Edge Services logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Kaseya\\api\\v1.0\\logs\\"", ""Description"": ""Kaseya API logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Kaseya\\api\\v1.5\\endpoint\\logs"", ""Description"": ""Kaseya API logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Kaseya\\api\\v1.5\\endpoints\\logs"", ""Description"": ""Kaseya API logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Kaseya\\Log\\MakeSelfSignedCert.exe\\"", ""Description"": ""Certificate creation"", ""OS"": ""Windows""}, {""File"": ""C:\\Kaseya\\WebPages\\install\\makecert.txt"", ""Description"": ""Certificate creation"", ""OS"": ""Windows""}, {""File"": 
""C:\\ProgramData\\Kaseya\\Log\\Endpoint\\Instance_*\\KaseyaEndpoint*"", ""Description"": ""Endpoint service logs"", ""OS"": ""Windows""}, {""File"": ""C:\\ProgramData\\Kaseya\\Log\\Endpoint\\Instance_*\\Session_*"", ""Description"": ""Session logs"", ""OS"": ""Windows""}], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""deploy01.kaseya.com"", ""*managedsupport.kaseya.net"", ""*.kaseya.net"", ""kaseya.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kaseya__vsa__network_sigma.yml"", ""Description"": ""Detects potential network activity of Kaseya (VSA) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kaseya__vsa__files_sigma.yml"", ""Description"": ""Detects potential files activity of Kaseya (VSA) RMM tool""}]","https://helpdesk.kaseya.com/hc/en-gb/articles/229012608-Software-Deployment-URL-Port-Requirements, https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations, https://ruler-project.github.io/ruler-project/RULER/remote/Kaseya/, https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations",[] +FastViewer,,FastViewer is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"fastclient.exe, fastmaster.exe, FastViewer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.fastviewer.com"", ""fastviewer.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fastviewer_network_sigma.yml"", ""Description"": ""Detects potential network activity of FastViewer RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fastviewer_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of FastViewer RMM tool""}]",https://fastviewer.com/demo/EN_FastViewer_Server%20Installation%20Configuration.pdf,[] +RustDesk,,RustDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rustdesk*.exe, rustdesk.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""rustdesk.com"", ""user_managed"", ""web.rustdesk.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rustdesk_network_sigma.yml"", ""Description"": ""Detects potential network activity of RustDesk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rustdesk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RustDesk RMM tool""}]",https://rustdesk.com/docs/en/,[] +MobaXterm,,MobaXterm is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\MobaXterm_installer_12.1.msi, *\MobaXterm_installer_*.msi, *\Mobatek\MobaXterm\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +GoToAssist,,GoToAssist is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"gotoassist.exe, g2a*.exe, GoTo Assist Opener.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""goto.com"", ""*.getgo.com"", ""*.fastsupport.com"", ""*.gotoassist.com"", ""helpme.net"", ""*.gotoassist.me"", ""*.gotoassist.at"", ""*.desktopstreaming.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotoassist_network_sigma.yml"", ""Description"": ""Detects potential network activity of GoToAssist RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotoassist_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of GoToAssist RMM tool""}]",https://help.gotoassist.com/remote-support/help/what-should-i-allow-on-my-firewall-for-gotoassist-remote-support-v5,[] +Free Ping Tool,,Free Ping Tool is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"can't find this one, can't find this one","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] HelpBeam,,HelpBeam is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,helpbeam*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""helpbeam.software.informer.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpbeam_network_sigma.yml"", ""Description"": ""Detects potential network activity of HelpBeam RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpbeam_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of HelpBeam RMM tool""}]",https://www.helpbeam.com domain for sale in 2024,[] +NTR Remote,,NTR Remote is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,NTRsupportPro_EN.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.ntrsupport.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ntr_remote_network_sigma.yml"", ""Description"": ""Detects potential network activity of NTR Remote RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ntr_remote_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NTR Remote RMM tool""}]",DOA as of 2024,[] +ServerEye,,ServerEye is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"servereye*.exe, ServiceProxyLocalSys.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.server-eye.de""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/servereye_network_sigma.yml"", ""Description"": ""Detects potential network activity of ServerEye RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/servereye_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ServerEye RMM tool""}]",https://www.servereye.de/wp-content/uploads/Anleitung-zur-Erstinstallation_aktuell.pdf,[] +WebRDP,,WebRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,webrdp.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""github.com/Mikej81/WebRDP""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/webrdp_network_sigma.yml"", ""Description"": ""Detects potential network activity of WebRDP RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/webrdp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of WebRDP RMM tool""}]",github.com/Mikej81/WebRDP,[] +GoTo Opener,,GoTo Opener is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\GoTo Opener, *\GoTo Opener","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +S3 Browser,,S3 Browser is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\S3 Browser\*, *\S3 Browser\*, *\s3browser*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/s3_browser_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of S3 Browser RMM tool""}]",,[] +Any Support,,Any Support is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/27/2024,,,,,,,,,,,,ManualLauncher.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.anysupport.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/any_support_network_sigma.yml"", ""Description"": ""Detects potential network activity of Any Support RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/any_support_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Any Support RMM tool""}]",https://www.anysupport.net/introduce_howto.php,[] +BeamYourScreen,,BeamYourScreen is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"beamyourscreen.exe, beamyourscreen-host.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""beamyourscreen.com"", ""*.beamyourscreen.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beamyourscreen_network_sigma.yml"", ""Description"": ""Detects potential network activity of BeamYourScreen RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beamyourscreen_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of BeamYourScreen RMM tool""}]",beamyourscreen redirects to https://www.mikogo.com/,[] +Sophos-Remote Management System,,Sophos-Remote Management System is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"clientmrinit.exe, mgntsvc.exe, routernt.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.sophos.com"", ""*.sophosupd.com"", ""*.sophosupd.net"", ""community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sophos-remote_management_system_network_sigma.yml"", ""Description"": ""Detects potential network activity of Sophos-Remote Management System RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sophos-remote_management_system_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Sophos-Remote Management System RMM tool""}]",community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system,[] +PSEXEC (Clone),,PSEXEC (Clone) is a remote monitoring and management (RMM) 
tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"paexec.exe, PAExec-*.exe, csexec.exe , remcom.exe, remcomsvc.exe, xcmd.exe, xcmdsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec__clone__network_sigma.yml"", ""Description"": ""Detects potential network activity of PSEXEC (Clone) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec__clone__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of PSEXEC (Clone) RMM tool""}]",https://www.poweradmin.com/paexec/,[] +GetScreen,,GetScreen is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"GetScreen.exe, getscreen.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""getscreen.me"", ""GetScreen.me"", ""*.getscreen.me""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/getscreen_network_sigma.yml"", ""Description"": ""Detects potential network activity of GetScreen RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/getscreen_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of GetScreen RMM tool""}]",https://docs.getscreen.me/self-hosted/system-requirements/,[] +RemotePC,,RemotePC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"C:\Program Files (x86)\RemotePC\*, Idrive.File-Transfer, *\RemotePC\*, remotepcservice.exe, RemotePC.exe, remotepchost.exe, idrive.RemotePCAgent, rpcsuite.exe, *\RemotePCService.exe, RemotePCService.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.remotedesktop.com"", ""*.remotepc.com"", ""www.remotepc.com"", ""remotepc.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepc_network_sigma.yml"", ""Description"": ""Detects potential network activity of RemotePC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RemotePC RMM tool""}]",https://www.remotedesktop.com/helpdesk/faq-firewall,[] +Tanium,,Tanium is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"TaniumClient.exe, TaniumCX.exe, TaniumExecWrapper.exe, TaniumFileInfo.exe, TPowerShell.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""cloud.tanium.com"", ""*.cloud.tanium.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_network_sigma.yml"", ""Description"": ""Detects potential network activity of Tanium RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Tanium RMM tool""}]",https://help.tanium.com/bundle/ug_client_cloud/page/client/platform_connections.html,[] +LabTeach (Connectwise Automate),,LabTeach (Connectwise Automate) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,ltsvc.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labteach__connectwise_automate__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of LabTeach (Connectwise Automate) RMM tool""}]",,[] +RemoteView,,RemoteView is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"remoteview.exe, rv.exe, rvagent.exe, rvagtray.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*content.rview.com"", ""*.rview.com"", ""content.rview.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteview_network_sigma.yml"", ""Description"": ""Detects potential network activity of RemoteView RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteview_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RemoteView RMM tool""}]",https://help.rview.com/hc/en-us/articles/360005175994--RemoteView-Server-list-for-firewall,[] +UltraVNC,,UltraVNC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,UltraVNC*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""ultravnc.com"", ""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultravnc_network_sigma.yml"", ""Description"": ""Detects potential network activity of UltraVNC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultravnc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of UltraVNC RMM tool""}]",https://uvnc.com/docs/uvnc-server/49-UltraVNC-server-configuration.html,[] +SmarTTY,,SmarTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"c:\Program Files (x86)\Sysprogs\SmarTTY\*, *\Sysprogs\SmarTTY\*, *\SmarTTY.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/smartty_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SmarTTY RMM tool""}]",,[] +Absolute (Computrace),,Absolute (Computrace) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,6/18/2024,,,,,,,,,,,,"rpcnet.exe, ctes.exe, ctespersitence.exe, cteshostsvc.exe, rpcld.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*search.namequery.com"", ""*server.absolute.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/absolute__computrace__network_sigma.yml"", ""Description"": ""Detects potential network activity of Absolute (Computrace) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/absolute__computrace__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Absolute (Computrace) RMM tool""}]",https://community.absolute.com/s/article/Understanding-Absolutes-Endpoint-Agents-Rpcnet-CTES-and-search-namequery-com,[] Quest KACE Agent (formerly Dell KACE),,Quest KACE Agent (formerly Dell KACE) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,konea.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.kace.com"", ""www.quest.com/kace/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quest_kace_agent__formerly_dell_kace__network_sigma.yml"", ""Description"": ""Detects potential network activity of Quest KACE Agent (formerly Dell KACE) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quest_kace_agent__formerly_dell_kace__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Quest KACE Agent (formerly Dell KACE) RMM tool""}]",https://support.quest.com/kb/4211365/which-network-ports-and-urls-are-required-for-the-kace-sma-appliance-to-function,[] DeskShare,,DeskShare is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"TeamTaskManager.exe, DSGuest.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskshare_network_sigma.yml"", ""Description"": ""Detects potential network activity of DeskShare RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskshare_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DeskShare RMM tool""}]",https://www.deskshare.com/help/fml/Active-and-Passive-connection-mode.aspx,[] -rdpwrap,,rdpwrap is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"RDPWInst.exe, RDPCheck.exe, RDPConf.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""github.com/stascorp/rdpwrap""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpwrap_network_sigma.yml"", ""Description"": ""Detects potential network activity of rdpwrap RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpwrap_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of rdpwrap RMM tool""}]",github.com/stascorp/rdpwrap,[] -Total Software Deployment,,Total Software Deployment is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\ProgramData\Total Software Deployment\*, *\Total Software Deployment\*, *\tniwinagent.exe, *\Tsdservice.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/total_software_deployment_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Total Software Deployment RMM tool""}]",,[] -PuTTY,,PuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -RDPView,,RDPView is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,dwrcs.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""systemmanager.ru/dntu.en/rdp_view.htm""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpview_network_sigma.yml"", ""Description"": ""Detects potential network activity of RDPView RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpview_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RDPView RMM tool""}]",systemmanager.ru/dntu.en/rdp_view.htm - Same as Damware,[] -Fortra,,Fortra is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""fortra.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fortra_network_sigma.yml"", ""Description"": ""Detects potential network activity of Fortra RMM tool""}]",https://www.fortra.com - No free/cloud RMM softwars listed,[] -ISL Light,,ISL Light is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"islalwaysonmonitor.exe, isllight.exe, isllightservice.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""islonline.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_light_network_sigma.yml"", ""Description"": ""Detects potential network activity of ISL Light RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_light_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ISL Light RMM tool""}]",,[] -Pocket Controller (Soti Xsight),,Pocket Controller (Soti Xsight) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"pocketcontroller.exe, wysebrowser.exe, XSightService.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*soti.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller__soti_xsight__network_sigma.yml"", ""Description"": ""Detects potential network activity of Pocket Controller (Soti Xsight) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller__soti_xsight__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pocket Controller (Soti Xsight) RMM tool""}]",https://pulse.soti.net/support/soti-xsight/help/,[] +Pocket Cloud (Wyse),,Pocket Cloud (Wyse) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"pocketcloud*.exe, pocketcloudservice.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_cloud__wyse__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pocket Cloud (Wyse) RMM tool""}]",https://wyse-pocketcloud.informer.com/2.1/,[] +Pilixo,,Pilixo is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rdp.exe, Pilixo_Installer*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""pilixo.com"", ""download.pilixo.com"", ""*.pilixo.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pilixo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Pilixo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pilixo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pilixo RMM tool""}]",https://pilixo.freshdesk.com/support/solutions/articles/9000141879-device-connectivity-and-firewalls,[] +Mikogo,,Mikogo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"mikogo.exe, mikogo-starter.exe, mikogo-service.exe, mikogolauncher.exe, C:\Users\*\AppData\Roaming\Mikogo\*, *Users\*\AppData\Roaming\Mikogo\*, *\Mikogo-Service.exe, *\Mikogo-Screen-Service.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.real-time-collaboration.com"", ""*.mikogo4.com"", ""*.mikogo.com"", ""mikogo.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mikogo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Mikogo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mikogo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Mikogo RMM tool""}]",https://mikogo.zendesk.com/hc/en-us/articles/214072478-Which-IP-addresses-do-we-use-for-our-services,[] +WebEx (Remote Access),,WebEx (Remote Access) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],https://help.webex.com/en-us/article/nyc3q0b/Set-Up-a-Computer-for-Remote-Access,[] +Koofr,,Koofr is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Duplicati,,Duplicati is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"c:\Program Files\*\Duplicati.Server.exe, *\*\Duplicati.Server.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/duplicati_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Duplicati RMM tool""}]",,[] +ManageEngine RMM Central,,ManageEngine RMM Central is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""manageengine.com/remote-monitoring-management/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manageengine_rmm_central_network_sigma.yml"", ""Description"": ""Detects potential network activity of ManageEngine RMM Central RMM tool""}]",,[] +WinSCP,,WinSCP is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\IEUser\Downloads\WinSCP-5.21.6-Portable\*, *\WinSCP*Portable\*, *\WinSCP.exe, *\WinSCP\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/winscp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of WinSCP RMM tool""}]",,[] GatherPlace-desktop sharing,,GatherPlace-desktop sharing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"gp3.exe, gp4.exe, gp5.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.gatherplace.com"", ""*.gatherplace.net"", ""gatherplace.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gatherplace-desktop_sharing_network_sigma.yml"", ""Description"": ""Detects potential network activity of GatherPlace-desktop sharing RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gatherplace-desktop_sharing_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of GatherPlace-desktop sharing RMM tool""}]",https://www.gatherplace.com/kb?id=136377,[] -Site24x7,,Site24x7 is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/13/2024,,,,,,,,,,,,"MEAgentHelper.exe, MonitoringAgent.exe, Site24x7WindowsAgentTrayIcon.exe, Site24x7PluginAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""plus*.site24x7.com"", ""plus*.site24x7.eu"", ""plus*.site24x7.in"", ""plus*.site24x7.cn"", ""plus*.site24x7.net.au"", ""site24x7.com/msp""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/site24x7_network_sigma.yml"", ""Description"": ""Detects potential network activity of Site24x7 RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/site24x7_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Site24x7 RMM tool""}]",https://support.site24x7.com/portal/en/kb/articles/which-ports-do-i-need-to-allow-access-in-my-firewall-to-use-site24x7-agent,[] -MeshCentral,,"MeshCentral is a remote monitoring and management (RMM) tool. MeshAgent used along with MeshCentral to remotely manage computers. MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes. -",@kostastsale,2024-09-20,2024-09-20,https://meshcentral.com/,MeshAgent.exe,,MeshCentral Background Service Agent,,SYSTEM,Yes,N/A,"Windows, Linux, MacOS, FreeBSD","Remote Desktop & Terminal, Remote File Access, Text and Voice Chat, Server File Storage, Real-time User interface, Port Forwarding",CVE-2024-26135,"meshcentral*.exe, meshagent*.exe","{""Disk"": [{""File"": ""C:\\Program Files\\Mesh Agent\\MeshAgent.exe"", ""Description"": ""Local MeshAgent service binary after installation"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\Mesh Agent\\MeshAgent.msh"", ""Description"": ""Local MeshAgent service configuration file. 
Contains configuration settings including the MeshCentral server address, port, and other settings. If the MeshAgent is run without being installed, the configuration file is created in the same directory as the MeshAgent binary."", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""Mesh Agent background service"", ""ImagePath"": ""\""C:\\\\Program Files\\\\Mesh Agent\\\\MeshAgent.exe\"""", ""Description"": ""Service installation event as result of MeshAgent installation.""}], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""meshcentral.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_network_sigma.yml"", ""Description"": ""Detects potential network activity of MeshCentral RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MeshCentral RMM tool""}, {""Sigma"": ""https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/proc_creation_windows_meshagent.yml"", ""Description"": ""Detects MeshAgent Command Execution via MeshCentral""}]","https://ylianst.github.io/MeshCentral/meshcentral/, https://github.com/Ylianst/MeshAgent","[{""Person"": ""Kostas"", ""Handle"": ""@kostastsale""}]" -MSP360,,MSP360 is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"Online Backup.exe, CBBackupPlan.exe, Cloud.Backup.Scheduler.exe, Cloud.Backup.RM.Service.exe, cbb.exe, CloudRaService.exe, CloudRaSd.exe, CloudRaCmd.exe, CloudRaUtilities.exe, Remote Desktop.exe, Connect.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.cloudberrylab.com"", ""*.msp360.com"", ""*.mspbackups.com"", ""msp360.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/msp360_network_sigma.yml"", ""Description"": ""Detects potential network activity of MSP360 RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/msp360_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MSP360 RMM tool""}]",https://kb.msp360.com/managed-backup-service/mbs-tcp-ports-configuration#,[] -ScreenConnect,,ScreenConnect is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,"Ali Alwashali, Nasreddine Bencherchali",2023-10-01,2024-08-03,https://www.connectwise.com,,,,,,14-Days Free Trial,,"Android, IOS, Linux, Mac, Windows","Command Line Support, File Transfer, Install Windows updates, Receive notification when user performs a predefined event, Remote Command Line, Remote Control, Sound Capture, Start / Stop services, View event logs",,"C:\Program Files (x86)\ScreenConnect Client (Random)\ScreenConnect.ClientService.exe, Remote Workforce Client.exe, *\*\ScreenConnect.ClientService.exe, C:\Program Files (x86)\ScreenConnect Client ()\*, *\ScreenConnect Client*\*, *\*\ScreenConnect.WindowsClient.exe, screenconnect*.exe, screenconnect.windowsclient.exe, Remote Workforce Client.exe, screenconnect*.exe, ConnectWiseControl*.exe, connectwise*.exe, screenconnect.windowsclient.exe, screenconnect.clientservice.exe","{""Disk"": [{""File"": ""C:\\Program Files*\\ScreenConnect\\App_Data\\Session.db"", ""Description"": ""ScreenConnect session database"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files*\\ScreenConnect\\App_Data\\User.xml"", ""Description"": ""ScreenConnect user configuration"", ""OS"": ""Windows""}, {""File"": ""C:\\ProgramData\\ScreenConnect Client*\\user.config"", ""Description"": ""ScreenConnect client user configuration"", ""OS"": ""Windows""}], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""control.connectwise.com"", ""*.connectwise.com"", ""*.screenconnect.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_network_sigma.yml"", ""Description"": ""Detects potential network activity of ScreenConnect RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_files_sigma.yml"", ""Description"": ""Detects potential files activity of ScreenConnect RMM tool""}, {""Sigma"": 
""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ScreenConnect RMM tool""}]",https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours/,[] -Microsoft TSC,,Microsoft TSC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"termsrv.exe, mstsc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_tsc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Microsoft TSC RMM tool""}]",https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/terminal-server-startup-connection-application,[] -Tanium,,Tanium is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"TaniumClient.exe, TaniumCX.exe, TaniumExecWrapper.exe, TaniumFileInfo.exe, TPowerShell.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""cloud.tanium.com"", ""*.cloud.tanium.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_network_sigma.yml"", ""Description"": ""Detects potential network activity of Tanium RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Tanium RMM tool""}]",https://help.tanium.com/bundle/ug_client_cloud/page/client/platform_connections.html,[] -Ultra VNC,,Ultra VNC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\uvnc bvba\UltraVNC\*, *\uvnc bvba\UltraVNC\*, *\UVNC_Launch.exe, *\winvnc.exe, *\vncviewer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultra_vnc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Ultra VNC RMM tool""}]",,[] -Remote Manipulator System,,Remote Manipulator System is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rfusclient.exe, rutserv.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.internetid.ru"", ""rmansys.ru""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_manipulator_system_network_sigma.yml"", ""Description"": ""Detects potential network activity of Remote Manipulator System RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_manipulator_system_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remote Manipulator System RMM tool""}]",https://rmansys.ru/files/,[] -Domotz,,Domotz is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"domotz.exe, Domotz Pro Desktop App.exe, domotz_bash.exe, domotz*.exe, Domotz Pro Desktop App Setup*.exe, domotz-windows*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.domotz.co"", ""domotz.com"", ""*cell-1.domotz.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/domotz_network_sigma.yml"", ""Description"": ""Detects potential network activity of Domotz RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/domotz_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Domotz RMM tool""}]",https://help.domotz.com/tips-tricks/unblock-outgoing-connections-on-firewall/,[] -FixMe.it,,FixMe.it is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"FixMeit Client.exe, TiExpertStandalone.exe, FixMeitClient*.exe, TiExpertCore.exe, FixMeit Unattended Access Setup.exe, FixMeit Expert Setup.exe, TiExpertCore.exe, fixmeitclient.exe, TiClientCore.exe, TiClientHelper*.exe, 9380CC75B872221A7425D7503565B67580407F60","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.fixme.it"", ""*.techinline.net"", ""fixme.it"", ""*set.me"", ""*setme.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme_network_sigma.yml"", ""Description"": ""Detects potential network activity of FixMe RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of FixMe RMM tool""}]",,[] -Tanium Deploy,,Tanium Deploy is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""tanium.com/products/tanium-deploy""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_deploy_network_sigma.yml"", ""Description"": ""Detects potential network activity of Tanium Deploy RMM tool""}]",,[] -N-ABLE Remote Access Software,,N-ABLE Remote Access Software is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""n-able.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_remote_access_software_network_sigma.yml"", ""Description"": ""Detects potential network activity of N-ABLE Remote Access Software RMM tool""}]",,[] -Quick Assist,,Quick Assist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,quickassist.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.support.services.microsoft.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quick_assist_network_sigma.yml"", ""Description"": ""Detects potential network activity of Quick Assist RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quick_assist_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Quick Assist RMM tool""}]",,[] -AnyViewer,,"AnyViewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. 
-",@kostastsale,2024-08-03,2024-08-03,https://www.anyviewer.com/,AnyViewer.exe,AnyViewer,Splash Window,,System,up to 10 devices,None,Windows,"Remote desktop, Remote file transfer, Remote monitoring and management, Remote shell open",,C:\Program Files (x86)\AnyViewer\*,"{""Disk"": [], ""EventLog"": [{""EventID"": 4688, ""ProviderName"": ""Microsoft-Security-Auditing"", ""LogFile"": ""Security.evtx"", ""CommandLine"": ""\""C:\\\\Program Files (x86)\\\\AnyViewer\\\\AVCore.exe\"" -d"", ""Description"": ""Taking actions on the remote machine such as opening a command prompt.""}, {""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""RCService"", ""ImagePath"": ""C:\\\\Program Files (x86)\\\\AnyViewer\\\\RCService.exe"", ""Description"": ""AnyViewer service installation service.""}], ""Registry"": [], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""*.anyviewer.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.aomeisoftware.com""], ""Ports"": [443]}]}","[{""Name"": ""Arbitrary code execution and remote sessions via Action1 RMM"", ""Description"": ""Threat hunting rule for detecting the execution of arbitrary code and remote sessions via Action1 RMM"", ""author"": ""@kostastsale"", ""Link"": ""https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/Anyviewer.yml""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyviewer_network_sigma.yml"", ""Description"": ""Detects potential network activity of AnyViewer RMM tool""}]","https://www.anyviewer.com/how-to/how-to-open-firewall-ports-for-remote-desktop-0427-gc.html, https://www.anyviewer.com/help/remote-technical-support.html","[{""Person"": ""Kostas"", ""Handle"": ""@kostastsale""}]" -Naverisk,,Naverisk is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,AgentSetup-*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""naverisk.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/naverisk_network_sigma.yml"", ""Description"": ""Detects potential network activity of Naverisk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/naverisk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Naverisk RMM tool""}]",http://kb.naverisk.com/en/articles/2811223-deploying-naverisk-agents,[] -Addigy,,Addigy is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/27/2024,,,,,,,,,,,,addigy-*.pkg,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""prod.addigy.com"", ""grtmprod.addigy.com"", ""agents.addigy.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/addigy_network_sigma.yml"", ""Description"": ""Detects potential network activity of Addigy RMM tool""}]",https://addigy.com/,[] +Laplink Gold,,Laplink Gold is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"tsircusr.exe, laplink.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""wen.laplink.com/product/laplink-gold""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_gold_network_sigma.yml"", ""Description"": ""Detects potential network activity of Laplink Gold RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_gold_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Laplink Gold RMM tool""}]",wen.laplink.com/product/laplink-gold,[] +Centurion,,Centurion is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,ctiserv.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""centuriontech.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centurion_network_sigma.yml"", ""Description"": ""Detects potential network activity of Centurion RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centurion_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Centurion RMM tool""}]",https://data443.atlassian.net/servicedesk/customer/portal/20,[] +Ivanti Remote Control,,Ivanti Remote Control is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"IvantiRemoteControl.exe, ArcUI.exe, AgentlessRC.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.ivanticloud.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ivanti_remote_control_network_sigma.yml"", ""Description"": ""Detects potential network activity of Ivanti Remote Control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ivanti_remote_control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Ivanti Remote Control RMM tool""}]",https://rc1.ivanticloud.com/,[] +NordLocker,,NordLocker is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Xeox,,Xeox is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"xeox-agent_x64.exe, xeox_service_windows.exe, xeox-agent_*.exe, xeox-agent_x86.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.xeox.com"", ""xeox.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xeox_network_sigma.yml"", ""Description"": ""Detects potential network activity of Xeox RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xeox_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Xeox RMM tool""}]",https://help.xeox.com/knowledge-base/gSuyNfDH6u79M82utnswf2/firewall-settings-xeox-agent-and-integrations/47T7S9tZJ2L1Z2W5gwuXoW,[] +ezHelp,,ezHelp is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"ezhelpclientmanager.exe, ezHelpManager.exe, ezhelpclient.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.ezhelp.co.kr"", ""ezhelp.co.kr""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ezhelp_network_sigma.yml"", ""Description"": ""Detects potential network activity of ezHelp RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ezhelp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ezHelp RMM tool""}]",https://www.exhelp.co.kr,[] +Level.io,,Level.io is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"level-windows-amd64.exe, level.exe, level-remote-control-ffmpeg.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""level.io"", ""*.level.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_network_sigma.yml"", ""Description"": ""Detects potential network activity of Level.io RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Level.io RMM tool""}]",https://docs.level.io/1.0/admin-guides/troubleshooting-agent-issues,[] +MultCloud,,MultCloud is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"requires sign up, requires sign up","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Synergy,,Synergy is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/synergy_network_sigma.yml"", ""Description"": ""Detects potential network activity of Synergy RMM tool""}]",https://symless.com/synergy,[] +OptiTune,,OptiTune is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"OTService.exe, OTPowerShell.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.optitune.us"", ""*.opti-tune.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/optitune_network_sigma.yml"", ""Description"": ""Detects potential network activity of OptiTune RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/optitune_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of OptiTune RMM tool""}]",https://www.bravurasoftware.com/optitune/support/faq.aspx,[] +Netop,,Netop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\Danware Data\NetOp Packn Deploy\*, *\Danware Data\NetOp Packn Deploy\*, *\Netop Remote Control\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +ConnectWise,,ConnectWise is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\ScreenConnect Client ()\*, *\ScreenConnect*Client*\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Encapto,,Encapto is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""encapto.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/encapto_network_sigma.yml"", ""Description"": ""Detects potential network activity of Encapto RMM tool""}]",https://www.encapto.com - used to manage Cisco services,[] Action1,,"Action1 is a powerful Remote Monitoring and Management(RMM) tool that enables users to execute commands, scripts, and binaries. Through the web interface of action1, the administrator must create a new policy or an app to establish remote execution and then points that the agent is installed. ",@kostastsale,2024-08-03,2024-10-06,https://www.action1.com/,action1_connector.exe,,,,SYSTEM,Yes,Corporate email required although temporary email services are accepted,Windows,"Backup and disaster recovery, Billing and invoicing, Customer portal, HelpDesk and ticketing, Mobile app, Network discovery, Patch management, Remote monitoring and management, Reporting and analytics",,C:\Windows\Action1\*,"{""Disk"": [{""File"": ""C:\\Windows\\Action1\\action1_agent.exe"", ""Description"": ""Action1 service binary"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\Action1\\*"", ""Description"": ""Multiple files and binaries related to Action1 installation"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\Action1\\scripts\\*"", ""Description"": ""Multiple scripts related to Action1 installation"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\Action1\\rule_data\\*"", ""Description"": ""Files related to Action1 rules"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\Action1\\action1_log_*.log"", ""Description"": ""Contains history, errors, system notifications. 
Incoming and outgoing connections."", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""A1Agent"", ""ImagePath"": ""\""C:\\\\Windows\\\\Action1\\\\action1_agent.exe\"""", ""Description"": ""Service installation event as result of Action1 installation.""}, {""EventID"": 4697, ""ProviderName"": ""Microsoft-Security-Auditing"", ""LogFile"": ""Security.evtx"", ""ServiceName"": ""A1Agent"", ""CommandLine"": ""C:\\Windows\\Action1\\action1_agent.exe service"", ""Description"": ""Service installation event as result of Action1 installation.""}, {""EventID"": 4688, ""ProviderName"": ""Microsoft-Security-Auditing"", ""LogFile"": ""Security.evtx"", ""CommandLine"": ""C:\\Windows\\Action1\\action1_agent.exe loggedonuser"", ""Description"": ""Executing command to get logged on user.""}], ""Registry"": [{""Path"": ""HKLM\\System\\CurrentControlSet\\Services\\A1Agent"", ""Description"": ""Service installation event as result of Action1 installation.""}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\action1_agent.exe"", ""Description"": ""Ensures that detailed crash information is available for analysis, which aids in maintaining the stability and reliability of the software.""}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Action1"", ""Description"": ""Storing its configuration settings and other relevant information""}], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""*.action1.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""a1-backend-packages.s3.amazonaws.com""], ""Ports"": [443]}]}","[{""Name"": ""Arbitrary code execution and remote sessions via Action1 RMM"", ""Description"": ""Threat hunting rule for detecting the execution of arbitrary code and remote sessions via Action1 RMM"", ""author"": ""@kostastsale"", ""Link"": 
""https://github.com/tsale/Sigma_rules/blob/ea87e4fc851207ca0f002ec043624f2b3bf1b2da/Threat%20Hunting%20Queries/Action1_RMM.yml""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of Action1 RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_network_sigma.yml"", ""Description"": ""Detects potential network activity of Action1 RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_files_sigma.yml"", ""Description"": ""Detects potential files activity of Action1 RMM tool""}]","https://www.action1.com/documentation/firewall-configuration/, https://www.action1.com/documentation/, https://twitter.com/Kostastsale/status/1646256901506605063?s=20, https://ruler-project.github.io/ruler-project/RULER/remote/Action1/","[{""Person"": ""Kostas"", ""Handle"": ""@kostastsale""}]" -AliWangWang-remote-control,,AliWangWang-remote-control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,alitask.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""wangwang.taobao.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aliwangwang-remote-control_network_sigma.yml"", ""Description"": ""Detects potential network activity of AliWangWang-remote-control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aliwangwang-remote-control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of AliWangWang-remote-control RMM tool""}]",https://github.com/KKomarov/AliWangWangEng/blob/master/chs.locale,[] -FreeRDP,,FreeRDP is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -MioNet (Also known as WD Anywhere Access),,MioNet (Also known as WD Anywhere Access) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"mionet.exe, mionetmanager.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mionet__also_known_as_wd_anywhere_access__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MioNet (Also known as WD Anywhere Access) RMM tool""}]",,[] -SmartCode Web VNC,,SmartCode Web VNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\TightVNC\*, *\TightVNC\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Onionshare,,Onionshare is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\OnionShare\*, *\OnionShare\*, *\onionshare*.exe, OnionShare-win*.msi","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/onionshare_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Onionshare RMM tool""}]",,[] -Rocket Remote Desktop,,Rocket Remote Desktop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"RDConsole.exe, RocketRemoteDesktop_Setup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rocket_remote_desktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Rocket Remote Desktop RMM tool""}]",,[] -WebRDP,,WebRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,webrdp.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""github.com/Mikej81/WebRDP""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/webrdp_network_sigma.yml"", ""Description"": ""Detects potential network activity of WebRDP RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/webrdp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of WebRDP RMM tool""}]",github.com/Mikej81/WebRDP,[] -BeyondTrust,,BeyondTrust is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -SuperOps,,SuperOps is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"superopsticket.exe, superops.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.superopsbeta.com"", ""superops.ai"", ""serv.superopsalpha.com"", ""*.superops.ai"", ""*.superopsalpha.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superops_network_sigma.yml"", ""Description"": ""Detects potential network activity of SuperOps RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superops_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SuperOps RMM tool""}]",https://support.superops.com/en/articles/6632028-how-to-download-and-deploy-the-agent,[] -RemotePass,,RemotePass is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"remotepass-access.exe, rpaccess.exe, rpwhostscr.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""remotepass.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepass_network_sigma.yml"", ""Description"": ""Detects potential network activity of RemotePass RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepass_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RemotePass RMM tool""}]",https://www.remotepass.com/rpaccess.html - DOA as of 2024,[] -Itarian,,Itarian is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"ITSMAgent.exe, RViewer.exe, ItsmRsp.exe, RAccess.exe, RmmService.exe, ITarianRemoteAccessSetup.exe, RDesktop.exe, ComodoRemoteControl.exe, ITSMService.exe, RHost.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""mdmsupport.comodo.com"", ""*.itsm-us1.comodo.com"", ""*.cmdm.comodo.com"", ""remoteaccess.itarian.com"", ""servicedesk.itarian.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itarian_network_sigma.yml"", ""Description"": ""Detects potential network activity of Itarian RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itarian_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Itarian RMM tool""}]","https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html",[] -PSEXEC,,PSEXEC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"psexec.exe, psexecsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec_network_sigma.yml"", ""Description"": ""Detects potential network activity of PSEXEC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of PSEXEC RMM tool""}]",https://learn.microsoft.com/en-us/sysinternals/downloads/psexec,[] -Level.io,,Level.io is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"level-windows-amd64.exe, level.exe, level-remote-control-ffmpeg.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""level.io"", ""*.level.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_network_sigma.yml"", ""Description"": ""Detects potential network activity of Level.io RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Level.io RMM tool""}]",https://docs.level.io/1.0/admin-guides/troubleshooting-agent-issues,[] -ezHelp,,ezHelp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"ezhelpclientmanager.exe, ezHelpManager.exe, ezhelpclient.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.ezhelp.co.kr"", ""ezhelp.co.kr""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ezhelp_network_sigma.yml"", ""Description"": ""Detects potential network activity of ezHelp RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ezhelp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ezHelp RMM tool""}]",https://www.exhelp.co.kr,[] +SuperPuTTY,,SuperPuTTY is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Downloads\SuperPuTTY\*, *Downloads\SuperPuTTY\*, *\superputty.exe, *\SuperPuTTY\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superputty_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SuperPuTTY RMM tool""}]",,[] +Royal Apps,,Royal Apps is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"royalserver.exe, royalts.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_apps_network_sigma.yml"", ""Description"": ""Detects potential network activity of Royal Apps RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_apps_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Royal Apps RMM tool""}]",https://www.royalapps.com/ts/win/download,[] +Tanium Deploy,,Tanium Deploy is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""tanium.com/products/tanium-deploy""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_deploy_network_sigma.yml"", ""Description"": ""Detects potential network activity of Tanium Deploy RMM tool""}]",,[] +Zabbix Agent,,Zabbix Agent is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,zabbix_agent*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""zabbix.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zabbix_agent_network_sigma.yml"", ""Description"": ""Detects potential network activity of Zabbix Agent RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zabbix_agent_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Zabbix Agent RMM tool""}]",https://www.zabbix.com/documentation/current/en/manual/appendix/install/windows_agent,[] +Weezo,,Weezo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"weezohttpd.exe, weezo.exe, weezo setup*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.weezo.me"", ""weezo.net"", ""*.weezo.net"", ""weezo.en.softonic.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/weezo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Weezo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/weezo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Weezo RMM tool""}]",weezo.en.softonic.com,[] +BeInSync,,BeInSync is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,Beinsync*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.beinsync.net"", ""*.beinsync.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beinsync_network_sigma.yml"", ""Description"": ""Detects potential network activity of BeInSync RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beinsync_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of BeInSync RMM tool""}]",https://en.wikipedia.org/wiki/Phoenix_Technologies,[] +ScreenMeet,,ScreenMeet is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"ScreenMeetSupport.exe, ScreenMeet.Support.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.screenmeet.com"", ""*.scrn.mt""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenmeet_network_sigma.yml"", ""Description"": ""Detects potential network activity of ScreenMeet RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenmeet_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ScreenMeet RMM tool""}]",https://docs.screenmeet.com/docs/firewall-white-list,[] +MyIVO,,MyIVO is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"myivomgr.exe, myivomanager.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""myivo-server.software.informer.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/myivo_network_sigma.yml"", ""Description"": ""Detects potential network activity of MyIVO RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/myivo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MyIVO RMM tool""}]",myivo.com - DOA as of 2024,[] +LabTech RMM (Now ConnectWise Automate),,LabTech RMM (Now ConnectWise Automate) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"ltsvc.exe, ltsvcmon.exe, lttray.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""connectwise.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labtech_rmm__now_connectwise_automate__network_sigma.yml"", ""Description"": ""Detects potential network activity of LabTech RMM (Now ConnectWise Automate) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labtech_rmm__now_connectwise_automate__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of LabTech RMM (Now ConnectWise Automate) RMM tool""}]",,[] Kabuto,,Kabuto is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,Kabuto.App.Runner.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.kabuto.io"", ""repairtechsolutions.com/kabuto/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kabuto_network_sigma.yml"", ""Description"": ""Detects potential network activity of Kabuto RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kabuto_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Kabuto RMM tool""}]",https://www.repairtechsolutions.com/documentation/kabuto/,[] -Synergy,,Synergy is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/synergy_network_sigma.yml"", ""Description"": ""Detects potential network activity of Synergy RMM tool""}]",https://symless.com/synergy,[] -ConnectWise,,ConnectWise is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\ScreenConnect Client ()\*, *\ScreenConnect*Client*\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -TigerVNC,,TigerVNC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"tigervnc*.exe, winvnc4.exe, C:\Program Files\TightVNC\*, *\TightVNC\*, *\tvnserver.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tigervnc_network_sigma.yml"", ""Description"": ""Detects potential network activity of TigerVNC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tigervnc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of TigerVNC RMM tool""}]",https://github.com/TigerVNC/tigervnc/releases,[] -GoToMyPC,,"GoToMyPC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. -",Nasreddine Bencherchali,2024-08-05,2024-08-05,,AppCore.exe,,,,,,,,,,C:\Program Files (x86)\GoToMyPC\*,"{""Disk"": [{""File"": ""%AppData%\\GoTo\\Logs\\goto.log"", ""Description"": ""N/A"", ""OS"": ""Windows""}], ""EventLog"": [], ""Registry"": [{""Path"": ""HKEY_LOCAL_MACHINE\\WOW6432Node\\Citrix\\GoToMyPc"", ""Description"": ""Configuration settings including registration email""}, {""Path"": ""HKEY_LOCAL_MACHINE\\WOW6432Node\\Citrix\\GoToMyPc\\GuestInvite"", ""Description"": ""Guest invites send to connect""}, {""Path"": ""HKEY_CURRENT_USER\\SOFTWARE\\Citrix\\GoToMyPc\\FileTransfer\\history"", ""Description"": ""hostname of the computer making connections and location of transferred files""}, {""Path"": ""HKEY_USERS\\\\SOFTWARE\\Citrix\\GoToMyPc\\FileTransfer\\history"", ""Description"": ""hostname of the computer making connections and location of transferred files""}], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""*.GoToMyPC.com""], ""Ports"": [""N/A""]}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_registry_sigma.yml"", 
""Description"": ""Detects potential registry activity of GoToMyPC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_network_sigma.yml"", ""Description"": ""Detects potential network activity of GoToMyPC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_files_sigma.yml"", ""Description"": ""Detects potential files activity of GoToMyPC RMM tool""}]","https://support.logmeininc.com/gotomypc/help/what-are-the-optimal-firewall-configurations#, https://support.goto.com/training/help/how-do-i-configure-gototraining-to-work-with-firewalls, https://ruler-project.github.io/ruler-project/RULER/remote/Citrix%20GoToMyPC/","[{""Person"": ""Phill Moore"", ""Handle"": ""@phillmoore""}]" -Laplink Everywhere,,Laplink Everywhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"laplink.exe, laplink-everywhere-setup*.exe, laplinkeverywhere.exe, llrcservice.exe, serverproxyservice.exe, OOSysAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""everywhere.laplink.com"", ""le.laplink.com"", ""atled.syspectr.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_everywhere_network_sigma.yml"", ""Description"": ""Detects potential network activity of Laplink Everywhere RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_everywhere_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Laplink Everywhere RMM tool""}]",https://everywhere.laplink.com/docs,[] -Syspectr,,Syspectr is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"oo-syspectr*.exe, OOSysAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""atled.syspectr.com"", ""app.syspectr.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syspectr_network_sigma.yml"", ""Description"": ""Detects potential network activity of Syspectr RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syspectr_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Syspectr RMM tool""}]",https://www.syspectr.com/en/installation-in-a-network,[] -Remote Utilities,,Remote Utilities is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rutview.exe, rutserv.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.internetid.ru""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_utilities_network_sigma.yml"", ""Description"": ""Detects potential network activity of Remote Utilities RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_utilities_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remote Utilities RMM tool""}]",https://www.remoteutilities.com/download/,[] -Remcos,,Remcos is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,remcos*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remcos_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remcos RMM tool""}]",,[] -ISL Online,,ISL Online is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"islalwaysonmonitor.exe, isllight.exe, isllightservice.exe, ISLLightClient.exe, C:\Program Files (x86)\ISL Online\ISL Light*, *\ISL Online\ISL Light*, *\ISLLight.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.islonline.com"", ""*.islonline.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_network_sigma.yml"", ""Description"": ""Detects potential network activity of ISL Online RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ISL Online RMM tool""}]",https://help.islonline.com/19818/165940,[] -DragonDisk,,DragonDisk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Almageste\DragonDisk\*, *\Almageste\DragonDisk\*, *\DragonDisk.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dragondisk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DragonDisk RMM tool""}]",,[] -RealVNC,,RealVNC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Supremo,,Supremo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/13/2024,,,,,,,,,,,,"supremo.exe, supremoservice.exe, supremosystem.exe, supremohelper.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""supremocontrol.com"", ""*.supremocontrol.com"", ""* .nanosystems.it""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/supremo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Supremo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/supremo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Supremo RMM tool""}]",https://www.supremocontrol.com/frequently-asked-questions/,[] -GoToAssist Agent Desktop Console,,GoToAssist Agent Desktop Console is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\G2RDesktopConsole-x64.msi, *\G2RDesktopConsole-x64.msi","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -RemoteView,,RemoteView is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"remoteview.exe, rv.exe, rvagent.exe, rvagtray.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*content.rview.com"", ""*.rview.com"", ""content.rview.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteview_network_sigma.yml"", ""Description"": ""Detects potential network activity of RemoteView RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteview_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RemoteView RMM tool""}]",https://help.rview.com/hc/en-us/articles/360005175994--RemoteView-Server-list-for-firewall,[] -VNC Connect,,VNC Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\RealVNC\VNC Server\*, *\RealVNC\VNC Server\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Syncthing,,Syncthing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\*\AppData\Roaming\SyncTrayzor\*, *Users\*\AppData\Roaming\SyncTrayzor\*, *\Syncthing.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncthing_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Syncthing RMM tool""}]",,[] -KHelpDesk,,KHelpDesk is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,KHelpDesk.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.khelpdesk.com.br""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/khelpdesk_network_sigma.yml"", ""Description"": ""Detects potential network activity of KHelpDesk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/khelpdesk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of KHelpDesk RMM tool""}]",https://www.khelpdesk.com.br/en-us,[] -Netop Remote Control (Impero Connect),,Netop Remote Control (Impero Connect) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"nhostsvc.exe, nhstw32.exe, ngstw32.exe, Netop Ondemand.exe, nldrw32.exe, rmserverconsolemediator.exe, ImperoInit.exe, Connect.Backdrop.cloud*.exe, ImperoClientSVC.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.connect.backdrop.cloud"", ""*.netop.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__impero_connect__network_sigma.yml"", ""Description"": ""Detects potential network activity of Netop Remote Control (Impero Connect) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__impero_connect__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Netop Remote Control (Impero Connect) RMM tool""}]",https://kb.netop.com/article/firewall-and-proxy-server-considerations-when-using-netop-portal-communication-373.html,[] -Bitvise SSH Server,,Bitvise SSH Server is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\Bitvise SSH Server\*, *\Bitvise SSH Server\*, *\BvSshServer-Inst.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bitvise_ssh_server_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Bitvise SSH Server RMM tool""}]",,[] -Apple Remote Desktop,,Apple Remote Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/24/2024,,,,,,,,,,,,ARDAgent.app,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/apple_remote_desktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of Apple Remote Desktop RMM tool""}]",https://support.apple.com/guide/remote-desktop/install-and-set-up-remote-desktop-apdf49e03a4/mac,[] -Chrome SSH Extension,,Chrome SSH Extension is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\Extensions\iodihamcpbpeioajjeobimgagajmlibd*, *Users\*\AppData\Local\Google\Chrome\User Data\Default\Extensions\iodihamcpbpeioajjeobimgagajmlibd*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -NetSupport Manager,,NetSupport Manager is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"pcictlui.exe, client32.exe, pcicfgui.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""geo.netsupportsoftware.com"", ""netsupportmanager.com"", ""*.netsupportmanager.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_network_sigma.yml"", ""Description"": ""Detects potential network activity of NetSupport Manager RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NetSupport Manager RMM tool""}]",https://www.netsupportmanager.com/resources/,[] -ESET Remote Administrator,,ESET Remote Administrator is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"era.exe, einstaller.exe, ezhelp*.exe, eratool.exe, ERAAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""eset.com/me/business/remote-management/remote-administrator/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_network_sigma.yml"", ""Description"": ""Detects potential network activity of ESET Remote Administrator RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ESET Remote Administrator RMM tool""}]",eset.com/me/business/remote-management/remote-administrator/,[] -Yandex.Disk,,Yandex.Disk is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Yandex\*, *\Yandex\*, *\YandexDisk2.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/yandex.disk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Yandex.Disk RMM tool""}]",,[] +FreeRDP,,FreeRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +ZOC,,ZOC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\ZOC8\*, *\ZOC?\*, *\zoc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ZOC RMM tool""}]",,[] +AliWangWang-remote-control,,AliWangWang-remote-control is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,alitask.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""wangwang.taobao.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aliwangwang-remote-control_network_sigma.yml"", ""Description"": ""Detects potential network activity of AliWangWang-remote-control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aliwangwang-remote-control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of AliWangWang-remote-control RMM tool""}]",https://github.com/KKomarov/AliWangWangEng/blob/master/chs.locale,[] +Goverlan,,Goverlan is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"goverrmc.exe, govsrv*.exe, GovAgentInstallHelper.exe, GovAgentx64.exe, GovReachClient.exe, C:\Program Files (x86)\PJ Technologies\GOVsrv\*, *\PJ Technologies\GOVsrv\*, *\GovSrv.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""goverlan.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/goverlan_network_sigma.yml"", ""Description"": ""Detects potential network activity of Goverlan RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/goverlan_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Goverlan RMM tool""}]",https://www.goverlan.com/pdf/Goverlan-Remote-Control-Software.pdf,[] +Microsoft Quick Assist,,Microsoft Quick Assist is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,quickassist.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""*.support.services.microsoft.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_quick_assist_network_sigma.yml"", ""Description"": ""Detects potential network activity of Microsoft Quick Assist RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_quick_assist_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Microsoft Quick Assist RMM tool""}]",https://support.microsoft.com/en-us/windows/install-quick-assist-c17479b7-a49d-4d12-938c-dbfb97c88bca,[] N-Able Advanced Monitoring Agent,,N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"BASupSrvc.exe, winagent.exe, BASupApp.exe, BASupTSHelper.exe, Agent_*_RW.exe, BASEClient.exe, BASupSrvcCnfg.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.beanywhere.com "", ""systemmonitor.co.uk"", ""*system-monitor.com"", ""cloudbackup.management"", ""*systemmonitor.co.uk"", ""n-able.com"", ""systemmonitor.us"", ""*systemmonitor.eu.com"", ""*.logicnow.com"", ""*.swi-tc.com"", ""*remote.management"", ""systemmonitor.us.cdn.cloudflare.net"", ""*cloudbackup.management"", ""remote.management"", ""logicnow.com"", ""system-monitor.com"", ""*systemmonitor.us"", ""systemmonitor.eu.com"", ""*.n-able.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_network_sigma.yml"", ""Description"": ""Detects potential network activity of N-Able Advanced Monitoring Agent RMM tool""}, {""Sigma"": 
""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of N-Able Advanced Monitoring Agent RMM tool""}]",https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm,[] -MyIVO,,MyIVO is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"myivomgr.exe, myivomanager.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""myivo-server.software.informer.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/myivo_network_sigma.yml"", ""Description"": ""Detects potential network activity of MyIVO RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/myivo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MyIVO RMM tool""}]",myivo.com - DOA as of 2024,[] -ITSupport247 (ConnectWise),,ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,saazapsc.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.itsupport247.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__network_sigma.yml"", ""Description"": ""Detects potential network activity of ITSupport247 (ConnectWise) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ITSupport247 (ConnectWise) RMM tool""}]",https://control.itsupport247.net/,[] -VNC,,VNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"winvnc*.exe, vncserver.exe, winwvc.exe, winvncsc.exe, vncserverui.exe, vncviewer.exe, winvnc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""realvnc.com/en/connect/download/vnc""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/vnc_network_sigma.yml"", ""Description"": ""Detects potential network activity of VNC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/vnc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of VNC RMM tool""}]",https://realvnc.com/en/connect/download/vnc,[] -ServerEye,,ServerEye is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"servereye*.exe, ServiceProxyLocalSys.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.server-eye.de""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/servereye_network_sigma.yml"", ""Description"": ""Detects potential network activity of ServerEye RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/servereye_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ServerEye RMM tool""}]",https://www.servereye.de/wp-content/uploads/Anleitung-zur-Erstinstallation_aktuell.pdf,[] -Rapid7,,Rapid7 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"ir_agent.exe, rapid7_agent_core.exe, rapid7_endpoint_broker.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.analytics.insight.rapid7.com"", ""*.endpoint.ingress.rapid7.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rapid7_network_sigma.yml"", ""Description"": ""Detects potential network activity of Rapid7 RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rapid7_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Rapid7 RMM tool""}]",https://docs.rapid7.com/insightvm/configure-communications-with-the-insight-platform/,[] -GoToAssist (GoTo Resolve),,GoToAssist (GoTo Resolve) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\ProgramFiles*\GoTo Machine Installer\*, *\GoTo Machine Installer\*, *\GoTo\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -GetScreen,,GetScreen is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"GetScreen.exe, getscreen.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""getscreen.me"", ""GetScreen.me"", ""*.getscreen.me""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/getscreen_network_sigma.yml"", ""Description"": ""Detects potential network activity of GetScreen RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/getscreen_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of GetScreen RMM tool""}]",https://docs.getscreen.me/self-hosted/system-requirements/,[] -MobaXterm,,MobaXterm is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\MobaXterm_installer_12.1.msi, *\MobaXterm_installer_*.msi, *\Mobatek\MobaXterm\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -CrossTec Remote Control,,CrossTec Remote Control is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"PCIVIDEO.EXE, supporttool.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""crosstecsoftware.com/remotecontrol""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crosstec_remote_control_network_sigma.yml"", ""Description"": ""Detects potential network activity of CrossTec Remote Control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crosstec_remote_control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of CrossTec Remote Control RMM tool""}]",www.crosstecsoftware.com/supporthome.html - domain DOA 2/1/2024,[] -Absolute (Computrace),,Absolute (Computrace) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,6/18/2024,,,,,,,,,,,,"rpcnet.exe, ctes.exe, ctespersitence.exe, cteshostsvc.exe, rpcld.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*search.namequery.com"", ""*server.absolute.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/absolute__computrace__network_sigma.yml"", ""Description"": ""Detects potential network activity of Absolute (Computrace) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/absolute__computrace__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Absolute (Computrace) RMM tool""}]",https://community.absolute.com/s/article/Understanding-Absolutes-Endpoint-Agents-Rpcnet-CTES-and-search-namequery-com,[] -Xshell,,Xshell is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\NetSarang\xShell\*, *\NetSarang\xShell\*, *\xShell.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xshell_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Xshell RMM tool""}]",,[] MyGreenPC,,MyGreenPC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,mygreenpc.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*mygreenpc.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mygreenpc_network_sigma.yml"", ""Description"": ""Detects potential network activity of MyGreenPC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mygreenpc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MyGreenPC RMM tool""}]",http://www.mygreenpc.com/,[] -Level.io,,Level.io is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"level-windows-amd64.exe, level.exe, level-remote-control-ffmpeg.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""level.io"", ""*.level.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_network_sigma.yml"", ""Description"": ""Detects potential network activity of Level.io RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Level.io RMM tool""}]",https://docs.level.io/1.0/admin-guides/troubleshooting-agent-issues,[] -Microsoft Quick Assist,,Microsoft Quick Assist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,quickassist.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""*.support.services.microsoft.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_quick_assist_network_sigma.yml"", ""Description"": ""Detects potential network activity of Microsoft Quick Assist RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_quick_assist_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Microsoft Quick Assist RMM tool""}]",https://support.microsoft.com/en-us/windows/install-quick-assist-c17479b7-a49d-4d12-938c-dbfb97c88bca,[] -Manage Engine (Desktop Central),,Manage Engine (Desktop Central) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"dcagentservice.exe, dcagentregister.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""desktopcentral.manageengine.com"", ""desktopcentral.manageengine.com.eu"", ""desktopcentral.manageengine.cn"", ""*.dms.zoho.com"", ""*.dms.zoho.com.eu"", ""*.-dms.zoho.com.cn""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktop_central_network_sigma.yml"", ""Description"": ""Detects potential network activity of Desktop Central RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktop_central_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Desktop Central RMM tool""}]",,[] +Syncthing,,Syncthing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\*\AppData\Roaming\SyncTrayzor\*, *Users\*\AppData\Roaming\SyncTrayzor\*, *\Syncthing.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncthing_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Syncthing RMM tool""}]",,[] +Chrome Remote Desktop,,Chrome Remote Desktop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"remote_host.exe, remoting_host.exe, C:\Program Files (x86)\Google\Chrome Remote Desktop\*, *\Google\Chrome Remote Desktop\*, *\remoting_host.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*remotedesktop.google.com"", ""*remotedesktop-pa.googleapis.com"", ""remotedesktop.google.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of Chrome Remote Desktop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Chrome Remote Desktop RMM tool""}]",https://support.google.com/chrome/a/answer/2799701?hl=en,[] +Remote Desktop Plus,,Remote Desktop Plus is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,rdp.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""donkz.nl""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_desktop_plus_network_sigma.yml"", ""Description"": ""Detects potential network activity of Remote Desktop Plus RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_desktop_plus_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remote Desktop Plus RMM tool""}]",https://www.donkz.nl/,[] +NateOn-desktop sharing,,NateOn-desktop sharing is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"nateon*.exe, nateon.exe, nateonmain.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.nate.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nateon-desktop_sharing_network_sigma.yml"", ""Description"": ""Detects potential network activity of NateOn-desktop sharing RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nateon-desktop_sharing_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NateOn-desktop sharing RMM tool""}]",http://rsupport.nate.com/rview/r8/main/index.aspx,[] +Barracuda,,Barracuda is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.islonline.net"", ""rmm.barracudamsp.com"", ""barracudamsp.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/barracuda_network_sigma.yml"", ""Description"": ""Detects potential network activity of Barracuda RMM tool""}]",https://help.islonline.com/19799/166125,[] +CrossTec Remote Control,,CrossTec Remote Control is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"PCIVIDEO.EXE, supporttool.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""crosstecsoftware.com/remotecontrol""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crosstec_remote_control_network_sigma.yml"", ""Description"": ""Detects potential network activity of CrossTec Remote Control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crosstec_remote_control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of CrossTec Remote Control RMM tool""}]",www.crosstecsoftware.com/supporthome.html - domain DOA 2/1/2024,[] +DeskDay,,DeskDay is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,ultimate_*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""deskday.ai"", ""app.deskday.ai""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskday_network_sigma.yml"", ""Description"": ""Detects potential network activity of DeskDay RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskday_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DeskDay RMM tool""}]",https://support.deskday.ai/en/articles/8235973-installing-the-end-user-application-ultimate,[] +mRemoteNG,,mRemoteNG is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"mRemoteNG.exe, C:\Program Files (x86)\mRemoteNG\*, *\mRemoteNG\*, *\mRemoteNG.exe, c:\Program Files (x86)%\mRemoteNG, *%\mRemoteNG, mRemoteNG-Installer-*.msi, *\mRemoteNG.exe","{""Disk"": [{""File"": ""C:\\Users\\*\\AppData\\Roaming\\mRemoteNG\\mRemoteNG.log"", ""Description"": ""mRemoteNG log file"", ""OS"": ""Windows""}, {""File"": ""C:\\Users\\*\\AppData\\Roaming\\mRemoteNG\\confCons.xml"", ""Description"": ""mRemoteNG configuration file"", ""OS"": ""Windows""}, {""File"": ""C:\\Users\\*\\AppData\\*\\mRemoteNG\\**10\\user.config"", ""Description"": ""mRemoteNG user configuration file"", ""OS"": ""Windows""}], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""mremoteng.org""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_network_sigma.yml"", ""Description"": ""Detects potential network activity of mRemoteNG RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_files_sigma.yml"", ""Description"": ""Detects potential files activity of mRemoteNG RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of mRemoteNG RMM tool""}]",https://github.com/mRemoteNG/mRemoteNG,[] +FreeNX,,FreeNX is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\nxplayer.exe, *\nxplayer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/freenx_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of FreeNX RMM tool""}]",,[] +NetSupport Manager,,NetSupport Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"pcictlui.exe, client32.exe, pcicfgui.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""geo.netsupportsoftware.com"", ""netsupportmanager.com"", ""*.netsupportmanager.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_network_sigma.yml"", ""Description"": ""Detects potential network activity of NetSupport Manager RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NetSupport Manager RMM tool""}]",https://www.netsupportmanager.com/resources/,[] +rdp2tcp,,rdp2tcp is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"tdp2tcp.exe, rdp2tcp.py","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""github.com/V-E-O/rdp2tcp""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdp2tcp_network_sigma.yml"", ""Description"": ""Detects potential network activity of rdp2tcp RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdp2tcp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of rdp2tcp RMM tool""}]",github.com/V-E-O/rdp2tcp,[] +ITSupport247 (ConnectWise),,ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,saazapsc.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.itsupport247.net"", ""itsupport247.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__network_sigma.yml"", ""Description"": ""Detects potential network activity of ITSupport247 (ConnectWise) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ITSupport247 (ConnectWise) RMM tool""}]",https://control.itsupport247.net/,[] +Pulseway,,Pulseway is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"PCMonitorManager.exe, pcmonitorsrv.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""pulseway.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pulseway_network_sigma.yml"", ""Description"": ""Detects potential network activity of Pulseway RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pulseway_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pulseway RMM tool""}]",https://intercom.help/pulseway/en/,[] +Naverisk,,Naverisk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,AgentSetup-*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""naverisk.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/naverisk_network_sigma.yml"", ""Description"": ""Detects potential network activity of Naverisk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/naverisk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Naverisk RMM tool""}]",http://kb.naverisk.com/en/articles/2811223-deploying-naverisk-agents,[] +Total Software Deployment,,Total Software Deployment is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\ProgramData\Total Software Deployment\*, *\Total Software Deployment\*, *\tniwinagent.exe, *\Tsdservice.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/total_software_deployment_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Total Software Deployment RMM tool""}]",,[] +ISL Online,,ISL Online is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"islalwaysonmonitor.exe, isllight.exe, isllightservice.exe, ISLLightClient.exe, C:\Program Files (x86)\ISL Online\ISL Light*, *\ISL Online\ISL Light*, *\ISLLight.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.islonline.com"", ""*.islonline.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_network_sigma.yml"", ""Description"": ""Detects potential network activity of ISL Online RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ISL Online RMM tool""}]",https://help.islonline.com/19818/165940,[] +NinjaOne (formerly NinjaRMM),,NinjaOne (formerly NinjaRMM) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,*ProgramData\NinjaRMMAgent\*,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +QQ IM-remote assistance,,QQ IM-remote assistance is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"qq.exe, QQProtect.exe, qqpcmgr.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.mdt.qq.com"", ""*.desktop.qq.com"", ""upload_data.qq.com"", ""qq-messenger.en.softonic.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/qq_im-remote_assistance_network_sigma.yml"", ""Description"": ""Detects potential network activity of QQ IM-remote assistance RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/qq_im-remote_assistance_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of QQ IM-remote assistance RMM tool""}]",https://en.wikipedia.org/wiki/Tencent_QQ,[] +Microsoft RDP,,Microsoft RDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"termsrv.exe, mstsc.exe, Microsoft Remote Desktop","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_rdp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Microsoft RDP RMM tool""}]",https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/windows,[] +RuDesktop,,RuDesktop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rd.exe, rudesktop*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.rudesktop.ru"", ""rudesktop.ru""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rudesktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of RuDesktop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rudesktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RuDesktop RMM tool""}]",https://rudesktop.ru,[] +BeyondTrust (Bomgar),,BeyondTrust (Bomgar) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"bomgar-scc-*.exe, bomgar-scc.exe, bomgar-pac-*.exe, bomgar-pac.exe, bomgar-rdp.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.beyondtrustcloud.com"", ""*.bomgarcloud.com"", ""bomgarcloud.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__network_sigma.yml"", ""Description"": ""Detects potential network activity of BeyondTrust (Bomgar) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of BeyondTrust (Bomgar) RMM tool""}]",https://www.beyondtrust.com/docs/remote-support/getting-started/deployment/cloud/network.htm,[] +TightVNC,,TightVNC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"tvnviewer.exe, TightVNCViewerPortable*.exe, tvnserver.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""tightvnc.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tightvnc_network_sigma.yml"", ""Description"": ""Detects potential network activity of TightVNC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tightvnc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of TightVNC RMM tool""}]",https://www.tightvnc.com/doc/win/TightVNC_for_Windows-Installation_and_Getting_Started.pdf,[] +MeshCentral,,"MeshCentral is a remote monitoring and management (RMM) tool. MeshAgent used along with MeshCentral to remotely manage computers. MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes. +",@kostastsale,2024-09-20,2024-09-20,https://meshcentral.com/,MeshAgent.exe,,MeshCentral Background Service Agent,,SYSTEM,Yes,N/A,"Windows, Linux, MacOS, FreeBSD","Remote Desktop & Terminal, Remote File Access, Text and Voice Chat, Server File Storage, Real-time User interface, Port Forwarding",CVE-2024-26135,"meshcentral*.exe, meshagent*.exe","{""Disk"": [{""File"": ""C:\\Program Files\\Mesh Agent\\MeshAgent.exe"", ""Description"": ""Local MeshAgent service binary after installation"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\Mesh Agent\\MeshAgent.msh"", ""Description"": ""Local MeshAgent service configuration file. Contains configuration settings including the MeshCentral server address, port, and other settings. 
If the MeshAgent is run without being installed, the configuration file is created in the same directory as the MeshAgent binary."", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""Mesh Agent background service"", ""ImagePath"": ""\""C:\\\\Program Files\\\\Mesh Agent\\\\MeshAgent.exe\"""", ""Description"": ""Service installation event as result of MeshAgent installation.""}], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""meshcentral.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_network_sigma.yml"", ""Description"": ""Detects potential network activity of MeshCentral RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MeshCentral RMM tool""}, {""Sigma"": ""https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/proc_creation_windows_meshagent.yml"", ""Description"": ""Detects MeshAgent Command Execution via MeshCentral""}]","https://ylianst.github.io/MeshCentral/meshcentral/, https://github.com/Ylianst/MeshAgent","[{""Person"": ""Kostas"", ""Handle"": ""@kostastsale""}]" +Dev Tunnels (aka Visual Studio Dev Tunnel),,Dev Tunnels (aka Visual Studio Dev Tunnel) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dev_tunnels__aka_visual_studio_dev_tunnel__network_sigma.yml"", ""Description"": ""Detects potential network activity of Dev Tunnels (aka Visual Studio Dev Tunnel) RMM tool""}]",,[] +CarotDAV,,CarotDAV is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Rei Software\CarotDAV\*, *\Rei Software\CarotDAV\*, *\CarotDAV.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/carotdav_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of CarotDAV RMM tool""}]",,[] +Bitvise SSH Server,,Bitvise SSH Server is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\Bitvise SSH Server\*, *\Bitvise SSH Server\*, *\BvSshServer-Inst.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bitvise_ssh_server_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Bitvise SSH Server RMM tool""}]",,[] +Pandora RC (eHorus),,Pandora RC (eHorus) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"ehorus standalone.exe, ehorus_agent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""portal.ehorus.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pandora_rc__ehorus__network_sigma.yml"", ""Description"": ""Detects potential network activity of Pandora RC (eHorus) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pandora_rc__ehorus__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pandora RC (eHorus) RMM tool""}]",https://pandorafms.com/manual/!current/en/documentation/09_pandora_rc/01_pandora_rc_introduction,[] +DW Service,,DW Service is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"dwagsvc.exe, dwagent.exe, dwagsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.dwservice.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_network_sigma.yml"", ""Description"": ""Detects potential network activity of DW Service RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DW Service RMM tool""}]",https://news.dwservice.net/dwservice-security-infrastructure/,[] +Iperius Remote,,Iperius Remote is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"iperius.exe, iperiusremote.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.iperiusremote.com"", ""*.iperius.com"", ""*.iperius-rs.com"", ""iperiusremote.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/iperius_remote_network_sigma.yml"", ""Description"": ""Detects potential network activity of Iperius Remote RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/iperius_remote_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Iperius Remote RMM tool""}]",https://www.iperiusremote.com/download-iperius-remote-desktop-windows.aspx,[] diff --git a/website/public/api/rmm_tools.json b/website/public/api/rmm_tools.json index a3aa4e46..c1ad1d79 100644 --- a/website/public/api/rmm_tools.json +++ b/website/public/api/rmm_tools.json @@ -1,10 +1,10 @@ [ { - "Name": "LabTeach (Connectwise Automate)", - "Description": "LabTeach (Connectwise Automate) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Rapid7", + "Description": "Rapid7 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -19,30 +19,47 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ltsvc.exe" + "ir_agent.exe", + "rapid7_agent_core.exe", + "rapid7_endpoint_broker.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.analytics.insight.rapid7.com", + "*.endpoint.ingress.rapid7.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labteach__connectwise_automate__processes_sigma.yml", - "Description": "Detects potential processes activity of LabTeach (Connectwise Automate) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rapid7_network_sigma.yml", + "Description": "Detects potential network activity of Rapid7 RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rapid7_processes_sigma.yml", + "Description": "Detects potential processes activity of Rapid7 RMM tool" } ], - "References": [], + "References": [ + "https://docs.rapid7.com/insightvm/configure-communications-with-the-insight-platform/" + ], "Acknowledgement": [] }, { - "Name": "Zabbix Agent", - "Description": "Zabbix Agent is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "SunLogin", + "Description": "SunLogin is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "2/26/2024", "Details": { "Website": "", "PEMetadata": { @@ -57,7 +74,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "zabbix_agent*.exe" + "OrayRemoteShell.exe", + "OrayRemoteService.exe", + "sunlogin*.exe" ] }, "Artifacts": { 
@@ -68,8 +87,8 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "zabbix.com" + "sunlogin.oray.com", + "client.oray.net" ], "Ports": [] } @@ -77,25 +96,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zabbix_agent_network_sigma.yml", - "Description": "Detects potential network activity of Zabbix Agent RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sunlogin_network_sigma.yml", + "Description": "Detects potential network activity of SunLogin RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zabbix_agent_processes_sigma.yml", - "Description": "Detects potential processes activity of Zabbix Agent RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sunlogin_processes_sigma.yml", + "Description": "Detects potential processes activity of SunLogin RMM tool" } ], "References": [ - "https://www.zabbix.com/documentation/current/en/manual/appendix/install/windows_agent" + "https://sunlogin.oray.com/en/embed/software.html" ], "Acknowledgement": [] }, { - "Name": "Senso.cloud", - "Description": "Senso.cloud is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "GoToAssist Agent Desktop Console", + "Description": "GoToAssist Agent Desktop Console is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -110,21 +129,144 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "SensoClient.exe", - "SensoService.exe", - "aadg.exe" + "C:\\*\\G2RDesktopConsole-x64.msi", + "*\\G2RDesktopConsole-x64.msi" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], + "Network": [] + }, + "Detections": [], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "Kaseya (VSA)", + "Description": "Kaseya (VSA) aka Unigma is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.\n", + "Author": "Nasreddine Bencherchali", + "Created": "2024-08-05", + "LastModified": "2024-08-05", + "Details": { + "Website": "", + "PEMetadata": [ + { + "Filename": "agentmon.exe" + }, + { + "Filename": "KaUpdHlp.exe" + }, + { + "Filename": "KaUsrTsk.exe", + "OriginalFileName": "", + "Description": "" + } + ], + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "C:\\Program Files (x86)\\Kaseya\\", + "C:\\ProgramData\\Kaseya\\" + ] + }, + "Artifacts": { + "Disk": [ + { + "File": "%localappdata%\\Kaseya\\Log\\KaseyaLiveConnect\\*", + "Description": "Kaseya Live Connect logs", + "OS": "Windows" + }, + { + "File": "~/Library/Logs/com.kaseya/KaseyaLiveConnect/*", + "Description": "Kaseya Live Connect logs", + "OS": "MacOS" + }, + { + "File": "C:\\ProgramData\\Kaseya\\Log\\Endpoint\\*", + "Description": "Kaseya Endpoint logs", + "OS": "Windows" + }, + { + "File": "C:\\Program Files*\\Kaseya\\*\\agentmon.log", + "Description": "Kaseya Agent Monitor log" + }, + { + "File": "/var/log/system.log", + "Description": "Kaseya Agent Monitor log", + "OS": "MacOS 32bit" + }, + { + "File": " ~/opt/kaseya/*/logs*", + "Description": "Kaseya Agent Monitor log", + "OS": "MacOS 64bit" + }, + { + "File": "C:\\Users\\*\\AppData\\Local\\Temp\\KASetup.log", + "Description": "Kaseya Setup log in user temp directory", + "OS": "Windows" + }, + { + "File": 
"C:\\Windows\\Temp\\KASetup.log", + "Description": "Kaseya Setup log in Windows temp directory", + "OS": "Windows" + }, + { + "File": "C:\\ProgramData\\Kaseya\\Log\\KaseyaEdgeServices\\*", + "Description": "Kaseya Edge Services logs", + "OS": "Windows" + }, + { + "File": "C:\\Kaseya\\api\\v1.0\\logs\\", + "Description": "Kaseya API logs", + "OS": "Windows" + }, + { + "File": "C:\\Kaseya\\api\\v1.5\\endpoint\\logs", + "Description": "Kaseya API logs", + "OS": "Windows" + }, + { + "File": "C:\\Kaseya\\api\\v1.5\\endpoints\\logs", + "Description": "Kaseya API logs", + "OS": "Windows" + }, + { + "File": "C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Kaseya\\Log\\MakeSelfSignedCert.exe\\", + "Description": "Certificate creation", + "OS": "Windows" + }, + { + "File": "C:\\Kaseya\\WebPages\\install\\makecert.txt", + "Description": "Certificate creation", + "OS": "Windows" + }, + { + "File": "C:\\ProgramData\\Kaseya\\Log\\Endpoint\\Instance_*\\KaseyaEndpoint*", + "Description": "Endpoint service logs", + "OS": "Windows" + }, + { + "File": "C:\\ProgramData\\Kaseya\\Log\\Endpoint\\Instance_*\\Session_*", + "Description": "Session logs", + "OS": "Windows" + } + ], + "EventLog": [], + "Registry": [], "Network": [ { "Description": "Known remote domains", "Domains": [ - "*.senso.cloud", - "senso.cloud" + "deploy01.kaseya.com", + "*managedsupport.kaseya.net", + "*.kaseya.net", + "kaseya.com" ], "Ports": [] } 
@@ -132,25 +274,28 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/senso.cloud_network_sigma.yml", - "Description": "Detects potential network activity of Senso.cloud RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kaseya__vsa__network_sigma.yml", + "Description": "Detects potential network activity of Kaseya (VSA) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/senso.cloud_processes_sigma.yml", - "Description": "Detects potential processes activity of Senso.cloud RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kaseya__vsa__files_sigma.yml", + "Description": "Detects potential files activity of Kaseya (VSA) RMM tool" } ], "References": [ - "https://support.senso.cloud/support/solutions/articles/79000116305-firewall-and-content-filter-configuration" + "https://helpdesk.kaseya.com/hc/en-gb/articles/229012608-Software-Deployment-URL-Port-Requirements", + "https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations", + "https://ruler-project.github.io/ruler-project/RULER/remote/Kaseya/", + "https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations" ], "Acknowledgement": [] }, { - "Name": "I'm InTouch", - "Description": "I'm InTouch is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "PuTTY Tray", + "Description": "PuTTY Tray is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -165,47 +310,31 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "iit.exe", - "intouch.exe", - "I'm InTouch Go Installer.exe" + "C:\\*\\puttytray.exe", + "*\\puttytray.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.01com.com", - "01com.com/imintouch-remote-pc-desktop" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/i'm_intouch_network_sigma.yml", - "Description": "Detects potential network activity of I'm InTouch RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/i'm_intouch_processes_sigma.yml", - "Description": "Detects potential processes activity of I'm InTouch RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/putty_tray_processes_sigma.yml", + "Description": "Detects potential processes activity of PuTTY Tray RMM tool" } ], - "References": [ - "https://www.01com.com/mobile/imintouch-remote-pc-desktop/faqs/remote-access/" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "RustDesk", - "Description": "RustDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "SysAid", + "Description": "SysAid is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -220,44 +349,30 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "rustdesk*.exe", - "rustdesk.exe" + "C:\\Program Files\\SysAidServer\\*", + "*\\SysAidServer\\*", + "*\\SysAid\\*", + "*\\IliAS.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "rustdesk.com", - "user_managed", - "web.rustdesk.com" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rustdesk_network_sigma.yml", - "Description": "Detects potential network activity of RustDesk RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rustdesk_processes_sigma.yml", - "Description": "Detects potential processes activity of RustDesk RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sysaid_processes_sigma.yml", + "Description": "Detects potential processes activity of SysAid RMM tool" } ], - "References": [ - "https://rustdesk.com/docs/en/" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "Electric AI (Kaseya)", - "Description": "Electric AI (Kaseya) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Domotz", + "Description": "Domotz is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/7/2024", @@ -274,7 +389,14 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "domotz.exe", + "Domotz Pro Desktop App.exe", + "domotz_bash.exe", + "domotz*.exe", + "Domotz Pro Desktop App Setup*.exe", + "domotz-windows*.exe" + ] }, "Artifacts": { "Disk": [], 
@@ -284,7 +406,9 @@ { "Description": "Known remote domains", "Domains": [ - "electric.ai" + "*.domotz.co", + "domotz.com", + "*cell-1.domotz.com" ], "Ports": [] } @@ -292,18 +416,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/electric_network_sigma.yml", - "Description": "Detects potential network activity of Electric RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/domotz_network_sigma.yml", + "Description": "Detects potential network activity of Domotz RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/domotz_processes_sigma.yml", + "Description": "Detects potential processes activity of Domotz RMM tool" } ], "References": [ - "https://www.electric.ai/product/device-management-solutions - Usess Kaseya/jamf" + "https://help.domotz.com/tips-tricks/unblock-outgoing-connections-on-firewall/" ], "Acknowledgement": [] }, { - "Name": "ZOC", - "Description": "ZOC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "BeyondTrust", + "Description": "BeyondTrust is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -320,11 +448,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\Program Files\\ZOC8\\*", - "*\\ZOC?\\*", - "*\\zoc.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], 
@@ -332,21 +456,16 @@ "Registry": [], "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoc_processes_sigma.yml", - "Description": "Detects potential processes activity of ZOC RMM tool" - } - ], + "Detections": [], "References": [], "Acknowledgement": [] }, { - "Name": "Any Support", - "Description": "Any Support is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Netop Remote Control (aka Impero Connect)", + "Description": "Netop Remote Control (aka Impero Connect) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/27/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -361,7 +480,10 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ManualLauncher.exe" + "nhostsvc.exe", + "nhstw32.exe", + "nldrw32.exe", + "rmserverconsolemediator.exe" ] }, "Artifacts": { @@ -372,7 +494,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.anysupport.net" + "imperosoftware.com/impero-connect/" ], "Ports": [] } 
@@ -380,25 +502,23 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/any_support_network_sigma.yml", - "Description": "Detects potential network activity of Any Support RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__aka_impero_connect__network_sigma.yml", + "Description": "Detects potential network activity of Netop Remote Control (aka Impero Connect) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/any_support_processes_sigma.yml", - "Description": "Detects potential processes activity of Any Support RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__aka_impero_connect__processes_sigma.yml", + "Description": "Detects potential processes activity of Netop Remote Control (aka Impero Connect) RMM tool" } ], - "References": [ - "https://www.anysupport.net/introduce_howto.php" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "PDQ Connect", - "Description": "PDQ Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Microsoft TSC", + "Description": "Microsoft TSC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/26/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -413,42 +533,30 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "pdq-connect*.exe" + "termsrv.exe", + "mstsc.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "app.pdq.com", - "cfcdn.pdq.com" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pdq_connect_network_sigma.yml", - "Description": "Detects potential network activity of PDQ Connect RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pdq_connect_processes_sigma.yml", - "Description": "Detects potential processes activity of PDQ Connect RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_tsc_processes_sigma.yml", + "Description": "Detects potential processes activity of Microsoft TSC RMM tool" } ], "References": [ - "https://connect.pdq.com/hc/en-us/articles/9518992071707-Network-Requirements" + "https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/terminal-server-startup-connection-application" ], "Acknowledgement": [] }, { - "Name": "Pcnow", - "Description": "Pcnow is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Jump Desktop", + "Description": "Jump Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -466,9 +574,11 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "mwcliun.exe", - "pcnmgr.exe", - "webexpcnow.exe" + "jumpclient.exe", + "jumpdesktop.exe", + "jumpservice.exe", + "jumpconnect.exe", + "jumpupdater.exe" ] }, "Artifacts": { 
@@ -479,7 +589,10 @@ { "Description": "Known remote domains", "Domains": [ - "au.pcmag.com/utilities/21470/webex-pcnow" + "*.jumpdesktop.com", + "jumpdesktop.com", + "jumpto.me", + "*.jumpto.me" ], "Ports": [] } @@ -487,25 +600,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcnow_network_sigma.yml", - "Description": "Detects potential network activity of Pcnow RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_desktop_network_sigma.yml", + "Description": "Detects potential network activity of Jump Desktop RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcnow_processes_sigma.yml", - "Description": "Detects potential processes activity of Pcnow RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_desktop_processes_sigma.yml", + "Description": "Detects potential processes activity of Jump Desktop RMM tool" } ], "References": [ - "http://pcnow.webex.com/ - DOA as of 2024" + "https://support.jumpdesktop.com/hc/en-us/articles/360042490351-Administrators-Guide-For-Jump-Desktop-Connect" ], "Acknowledgement": [] }, { - "Name": "Seetrol", - "Description": "Seetrol is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "IntelliAdmin Remote Control", + "Description": "IntelliAdmin Remote Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -520,11 +633,11 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "seetrolcenter.exe", - "seetrolclient.exe", - "seetrolmyservice.exe", - "seetrolremote.exe", - "seetrolsetting.exe" + "iadmin.exe", + "intelliadmin.exe", + "agent32.exe", + "agent64.exe", + "agent_setup_5.exe" ] }, "Artifacts": { @@ -535,7 +648,9 @@ { "Description": "Known remote domains", "Domains": [ - "seetrol.co.kr" + "user_managed", + "*.intelliadmin.com", + "intelliadmin.com/remote-control" ], "Ports": [] } @@ -543,22 +658,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/seetrol_network_sigma.yml", - "Description": "Detects potential network activity of Seetrol RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/intelliadmin_remote_control_network_sigma.yml", + "Description": "Detects potential network activity of IntelliAdmin Remote Control RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/seetrol_processes_sigma.yml", - "Description": "Detects potential processes activity of Seetrol RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/intelliadmin_remote_control_processes_sigma.yml", + "Description": "Detects potential processes activity of IntelliAdmin Remote Control RMM tool" } ], "References": [ - "http://www.seetrol.com/en/features/features3.php" + "intelliadmin.com/remote-control" ], "Acknowledgement": [] }, { - "Name": "CarotDAV", - "Description": "CarotDAV is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Chrome SSH Extension", + "Description": "Chrome SSH Extension is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -576,9 +691,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\Rei Software\\CarotDAV\\*", - "*\\Rei Software\\CarotDAV\\*", - "*\\CarotDAV.exe" + "C:\\Users\\*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\iodihamcpbpeioajjeobimgagajmlibd*", + "*Users\\*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\iodihamcpbpeioajjeobimgagajmlibd*" ] }, "Artifacts": { @@ -587,21 +701,16 @@ "Registry": [], "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/carotdav_processes_sigma.yml", - "Description": "Detects potential processes activity of CarotDAV RMM tool" - } - ], + "Detections": [], "References": [], "Acknowledgement": [] }, { - "Name": "Goverlan", - "Description": "Goverlan is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ZeroTier", + "Description": "ZeroTier is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { @@ -616,14 +725,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "goverrmc.exe", - "govsrv*.exe", - "GovAgentInstallHelper.exe", - "GovAgentx64.exe", - "GovReachClient.exe", - "C:\\Program Files (x86)\\PJ Technologies\\GOVsrv\\*", - "*\\PJ Technologies\\GOVsrv\\*", - "*\\GovSrv.exe" + "zerotier*.msi", + "zerotier*.exe", + "zero-powershell.exe" ] }, "Artifacts": { @@ -634,8 +738,8 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "goverlan.com" + "zerotier.com", + "*.zerotier.com" ], "Ports": [] } 
@@ -643,25 +747,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/goverlan_network_sigma.yml", - "Description": "Detects potential network activity of Goverlan RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zerotier_network_sigma.yml", + "Description": "Detects potential network activity of ZeroTier RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/goverlan_processes_sigma.yml", - "Description": "Detects potential processes activity of Goverlan RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zerotier_processes_sigma.yml", + "Description": "Detects potential processes activity of ZeroTier RMM tool" } ], "References": [ - "https://www.goverlan.com/pdf/Goverlan-Remote-Control-Software.pdf" + "https://my.zerotier.com/" ], "Acknowledgement": [] }, { - "Name": "OptiTune", - "Description": "OptiTune is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Ericom AccessNow", + "Description": "Ericom AccessNow is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/26/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -676,8 +780,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "OTService.exe", - "OTPowerShell.exe" + "accessserver*.exe", + "accessserver.exe" ] }, "Artifacts": { @@ -688,8 +792,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.optitune.us", - "*.opti-tune.com" + "user_managed", + "ericom.com" ], "Ports": [] } 
@@ -697,25 +801,56 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/optitune_network_sigma.yml", - "Description": "Detects potential network activity of OptiTune RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_accessnow_network_sigma.yml", + "Description": "Detects potential network activity of Ericom AccessNow RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/optitune_processes_sigma.yml", - "Description": "Detects potential processes activity of OptiTune RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_accessnow_processes_sigma.yml", + "Description": "Detects potential processes activity of Ericom AccessNow RMM tool" } ], "References": [ - "https://www.bravurasoftware.com/optitune/support/faq.aspx" + "https://www.ericom.com/connect-accessnow/" ], "Acknowledgement": [] }, { - "Name": "EMCO Remote Console", - "Description": "EMCO Remote Console is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "RealVNC", + "Description": "RealVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "Pcnow", + "Description": "Pcnow is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -730,7 +865,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "remoteconsole.exe" + "mwcliun.exe", + "pcnmgr.exe", + "webexpcnow.exe" ] }, "Artifacts": { @@ -741,8 +878,7 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "emcosoftware.com" + "au.pcmag.com/utilities/21470/webex-pcnow" ], "Ports": [] } 
@@ -750,20 +886,74 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/emco_remote_console_network_sigma.yml", - "Description": "Detects potential network activity of EMCO Remote Console RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcnow_network_sigma.yml", + "Description": "Detects potential network activity of Pcnow RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/emco_remote_console_processes_sigma.yml", - "Description": "Detects potential processes activity of EMCO Remote Console RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcnow_processes_sigma.yml", + "Description": "Detects potential processes activity of Pcnow RMM tool" } ], - "References": [], + "References": [ + "http://pcnow.webex.com/ - DOA as of 2024" + ], "Acknowledgement": [] }, { - "Name": "N-Able Advanced Monitoring Agent", - "Description": "N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "DesktopNow", + "Description": "DesktopNow is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/26/2024", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "desktopnow.exe" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.nchuser.com" + ], + "Ports": [] + } + ] + }, + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktopnow_network_sigma.yml", + "Description": "Detects potential network activity of DesktopNow RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktopnow_processes_sigma.yml", + "Description": "Detects potential processes activity of DesktopNow RMM tool" + } + ], + "References": [ + "https://forums.ivanti.com/s/article/Network-Ports-used-by-Environment-Manager?language=en_US" + ], + "Acknowledgement": [] + }, + { + "Name": "Pocket Controller (Soti Xsight)", + "Description": "Pocket Controller (Soti Xsight) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -781,12 +971,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "Agent_*_RW.exe", - "BASEClient.exe", - "BASupApp.exe", - "BASupSrvc.exe", - "BASupSrvcCnfg.exe", - "BASupTSHelper.exe" + "pocketcontroller.exe", + "wysebrowser.exe", + "XSightService.exe" ] }, "Artifacts": { 
@@ -797,17 +984,7 @@ { "Description": "Known remote domains", "Domains": [ - "*remote.management", - "*.logicnow.com", - "*systemmonitor.us", - "*systemmonitor.eu.com", - "*system-monitor.com", - "systemmonitor.us.cdn.cloudflare.net", - "*cloudbackup.management", - "*systemmonitor.co.uk", - "*.n-able.com", - "*.beanywhere.com ", - "*.swi-tc.com" + "*soti.net" ], "Ports": [] } 
@@ -815,25 +992,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_network_sigma.yml", - "Description": "Detects potential network activity of N-Able Advanced Monitoring Agent RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller__soti_xsight__network_sigma.yml", + "Description": "Detects potential network activity of Pocket Controller (Soti Xsight) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_processes_sigma.yml", - "Description": "Detects potential processes activity of N-Able Advanced Monitoring Agent RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller__soti_xsight__processes_sigma.yml", + "Description": "Detects potential processes activity of Pocket Controller (Soti Xsight) RMM tool" } ], "References": [ - "https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm" + "https://pulse.soti.net/support/soti-xsight/help/" ], "Acknowledgement": [] }, { - "Name": "Tailscale", - "Description": "Tailscale is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Instant Housecall", + "Description": "Instant Housecall is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -848,9 +1025,10 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "tailscale-*.exe", - "tailscaled.exe", - "tailscale-ipn.exe" + "hsloader.exe", + "ihcserver.exe", + "instanthousecall.exe", + "instanthousecall.exe" ] }, "Artifacts": { 
@@ -861,9 +1039,10 @@ { "Description": "Known remote domains", "Domains": [ - "*.tailscale.com", - "*.tailscale.io", - "tailscale.com" + "*.instanthousecall.com", + "*.instanthousecall.net", + "instanthousecall.com", + "secure.instanthousecall.com" ], "Ports": [] } @@ -871,25 +1050,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tailscale_network_sigma.yml", - "Description": "Detects potential network activity of Tailscale RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_network_sigma.yml", + "Description": "Detects potential network activity of Instant Housecall RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tailscale_processes_sigma.yml", - "Description": "Detects potential processes activity of Tailscale RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_processes_sigma.yml", + "Description": "Detects potential processes activity of Instant Housecall RMM tool" } ], "References": [ - "https://tailscale.com/kb/1023/troubleshooting" + "https://instanthousecall.com/features/" ], "Acknowledgement": [] }, { - "Name": "Pilixo", - "Description": "Pilixo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "CentraStage (Now Datto)", + "Description": "CentraStage (Now Datto) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -904,8 +1083,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "rdp.exe", - "Pilixo_Installer*.exe" + "CagService.exe", + "AEMAgent.exe" ] }, "Artifacts": { 
@@ -916,9 +1095,9 @@ { "Description": "Known remote domains", "Domains": [ - "pilixo.com", - "download.pilixo.com", - "*.pilixo.com" + "*.rmm.datto.com", + "*cc.centrastage.net", + "datto.com/au/products/rmm/" ], "Ports": [] } @@ -926,22 +1105,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pilixo_network_sigma.yml", - "Description": "Detects potential network activity of Pilixo RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centrastage__now_datto__network_sigma.yml", + "Description": "Detects potential network activity of CentraStage (Now Datto) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pilixo_processes_sigma.yml", - "Description": "Detects potential processes activity of Pilixo RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centrastage__now_datto__processes_sigma.yml", + "Description": "Detects potential processes activity of CentraStage (Now Datto) RMM tool" } ], "References": [ - "https://pilixo.freshdesk.com/support/solutions/articles/9000141879-device-connectivity-and-firewalls" + "https://rmm.datto.com/help/de/Content/1INTRODUCTION/Requirements/AllowListRequirements.htm" ], "Acknowledgement": [] }, { - "Name": "Remote Desktop Manager (Devolutions)", - "Description": "Remote Desktop Manager (Devolutions) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Insync", + "Description": "Insync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -958,7 +1137,11 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "C:\\Users\\USERNAME\\AppData\\Roaming\\Insync\\App\\Insync.exe", + "*Users\\*\\AppData\\Roaming\\Insync\\App\\Insync.exe", + "*\\Insync.exe" + ] }, "Artifacts": { "Disk": [], @@ -966,16 +1149,21 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/insync_processes_sigma.yml", + "Description": "Detects potential processes activity of Insync RMM tool" + } + ], "References": [], "Acknowledgement": [] }, { - "Name": "BeyondTrust (Bomgar)", - "Description": "BeyondTrust (Bomgar) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "LogMeIn rescue", + "Description": "LogMeIn rescue is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -990,11 +1178,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "bomgar-scc-*.exe", - "bomgar-scc.exe", - "bomgar-pac-*.exe", - "bomgar-pac.exe", - "bomgar-rdp.exe" + "support-logmeinrescue*.exe", + "support-logmeinrescue.exe", + "lmi_rescue.exe" ] }, "Artifacts": { @@ -1005,9 +1191,9 @@ { "Description": "Known remote domains", "Domains": [ - "*.beyondtrustcloud.com", - "*.bomgarcloud.com", - "bomgarcloud.com" + "*.logmeinrescue.com", + "*.logmeinrescue.eu", + "logmeinrescue.com" ], "Ports": [] } 
@@ -1015,161 +1201,71 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__network_sigma.yml", - "Description": "Detects potential network activity of BeyondTrust (Bomgar) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_rescue_network_sigma.yml", + "Description": "Detects potential network activity of LogMeIn rescue RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__processes_sigma.yml", - "Description": "Detects potential processes activity of BeyondTrust (Bomgar) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_rescue_processes_sigma.yml", + "Description": "Detects potential processes activity of LogMeIn rescue RMM tool" } ], "References": [ - "https://www.beyondtrust.com/docs/remote-support/getting-started/deployment/cloud/network.htm" + "https://support.logmeinrescue.com/rescue/help/allowlisting-and-rescue" ], "Acknowledgement": [] }, { - "Name": "Alpemix", - "Description": "Alpemix is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.\n", - "Author": "Nasreddine Bencherchali", - "Created": "2024-08-05", - "LastModified": "2024-08-05", + "Name": "Electric AI (Kaseya)", + "Description": "Electric AI (Kaseya) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/7/2024", "Details": { - "Website": "https://www.alpemix.com/en/Home", - "PEMetadata": [ - { - "Filename": "Alpemix.exe", - "OriginalFileName": "Alpemix", - "Description": "Alpemix", - "Product": "Alpemix", - "InternalName": "Alpemix" - } - ], + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, "Privileges": "", "Free": "", "Verification": "", - "SupportedOS": [ - "Windows", - "Linux", - "Android", - "Mac", - "IOS" - ], - "Capabilities": [ - "5 Different Solutions for Remote Support", - "Access to Unattended Computers", - "Access to User Account Control (UAC) Screens", - "Add Your Own Logo", - "Auto Sizing", - "Automatic Update", - "Clipboard Transfer", - "Computer Independent Licensing", - "Contact List and Groups", - "Encrypted Communication", - "External Communication Barrier", - "File Transfer", - "Instant Messaging", - "Multi-Platform Support", - "Multiple Chat", - "Multiple Connections", - "No Port Forwarding Required", - "Peer to Peer Connection (p2p)", - "Receiving Offline Message", - "Remote Restart", - "ReportingRestricting The Authority", - "Screen Sharing", - "Sending Announcement Message", - "Sharing a certain part of the screen", - "Video Recording", - "Voice Communication", - "Who is currently supporting?", - "Working in Black Screen Mode" - ], + "SupportedOS": [], + "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\AlpemixService.exe", - "C:\\AlpemixSrvc\\" - ] + "InstallationPaths": [] }, "Artifacts": { - "Disk": [ - { - "File": "%localappdata%\\Alpemix\\Alpemix.ini", - "Description": "N/A", - "OS": "Windows" - } - ], - "EventLog": [ - { - "EventID": 7045, - "ProviderName": "Service Control Manager", - "LogFile": "System.evtx", - "ServiceName": "AlpemixSrvc", - "ImagePath": "*\\Alpemix.exe servicestartxxx", - "Description": "Service installation event as result of 
Alpemix installation." - } - ], - "Registry": [ - { - "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\AlpemixSrvcx", - "Description": "N/A" - } - ], + "Disk": [], + "EventLog": [], + "Registry": [], "Network": [ { + "Description": "Known remote domains", "Domains": [ - "*.alpemix.com" - ], - "Ports": [ - 443 - ], - "Description": "N/A" - }, - { - "Domains": [ - "*.teknopars.com" - ], - "Ports": [ - 80 + "electric.ai" ], - "Description": "N/A" + "Ports": [] } ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_registry_sigma.yml", - "Description": "Detects potential registry activity of Alpemix RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_network_sigma.yml", - "Description": "Detects potential network activity of Alpemix RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_files_sigma.yml", - "Description": "Detects potential files activity of Alpemix RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_processes_sigma.yml", - "Description": "Detects potential processes activity of Alpemix RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/electric_network_sigma.yml", + "Description": "Detects potential network activity of Electric RMM tool" } ], "References": [ - "https://www.alpemix.com/en/remote-access" + "https://www.electric.ai/product/device-management-solutions - Usess Kaseya/jamf" ], - "Acknowledgement": [ - { - "Person": "Nasreddine Bencherchali", - "Handle": "@nas_bench" - } - ] + "Acknowledgement": [] }, { - "Name": "Auvik", - "Description": "Auvik is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Adobe Connect", + "Description": "Adobe Connect is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/27/2024", "Details": { "Website": "", "PEMetadata": { @@ -1184,8 +1280,10 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "auvik.engine.exe", - "auvik.agent.exe" + "ConnectAppSetup*.exe", + "ConnectShellSetup*.exe", + "Connect.exe", + "ConnectDetector.exe" ] }, "Artifacts": { @@ -1196,9 +1294,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.my.auvik.com", - "*.auvik.com", - "auvik.com" + "*.adobeconnect.com" ], "Ports": [] } 
@@ -1206,25 +1302,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/auvik_network_sigma.yml", - "Description": "Detects potential network activity of Auvik RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/adobe_connect_network_sigma.yml", + "Description": "Detects potential network activity of Adobe Connect RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/auvik_processes_sigma.yml", - "Description": "Detects potential processes activity of Auvik RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/adobe_connect_processes_sigma.yml", + "Description": "Detects potential processes activity of Adobe Connect RMM tool" } ], "References": [ - "https://support.auvik.com/hc/en-us/articles/204315700-What-protocols-and-ports-does-the-Auvik-collector-use" + "https://helpx.adobe.com/adobe-connect/firewall-proxy-server-configuration-adobe-connect.html" ], "Acknowledgement": [] }, { - "Name": "Tactical RMM", - "Description": "Tactical RMM is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "CloudFlare Tunnel", + "Description": "CloudFlare Tunnel is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -1239,8 +1335,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "tacticalrmm.exe", - "tacticalrmm.exe" + "cloudflared.exe" ] }, "Artifacts": { @@ -1251,9 +1346,7 @@ { "Description": "Known remote domains", "Domains": [ - "login.tailscale.com", - "login.tailscale.com", - "docs.tacticalrmm.com" + "cloudflare.com/products/tunnel/" ], "Ports": [] } 
@@ -1261,25 +1354,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tactical_rmm_network_sigma.yml", - "Description": "Detects potential network activity of Tactical RMM RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudflare_tunnel_network_sigma.yml", + "Description": "Detects potential network activity of CloudFlare Tunnel RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tactical_rmm_processes_sigma.yml", - "Description": "Detects potential processes activity of Tactical RMM RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudflare_tunnel_processes_sigma.yml", + "Description": "Detects potential processes activity of CloudFlare Tunnel RMM tool" } ], "References": [ - "docs.tacticalrmm.com" + "cloudflare.com/products/tunnel/" ], "Acknowledgement": [] }, { - "Name": "MioNet (WD Anywhere Access)", - "Description": "MioNet (WD Anywhere Access) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "mstsc", + "Description": "mstsc is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -1294,8 +1387,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "mionet.exe", - "mionetmanager.exe" + "C:\\Windows\\System32\\mstsc.exe", + "*Windows\\System32\\mstsc.exe" ] }, "Artifacts": { 
@@ -1306,21 +1399,19 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mionet__wd_anywhere_access__processes_sigma.yml", - "Description": "Detects potential processes activity of MioNet (WD Anywhere Access) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mstsc_processes_sigma.yml", + "Description": "Detects potential processes activity of mstsc RMM tool" } ], - "References": [ - "https://en.wikipedia.org/wiki/WD_Anywhere_Access - DOA as of 2016" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "Comodo RMM", - "Description": "Comodo RMM is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Parallels Access", + "Description": "Parallels Access is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -1335,8 +1426,11 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "itsmagent.exe", - "rviewer.exe" + "parallelsaccess-*.exe", + "TSClient.exe", + "prl_deskctl_agent.exe", + "prl_deskctl_wizard.exe", + "prl_pm_service.exe" ] }, "Artifacts": { @@ -1347,9 +1441,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.itsm-us1.comodo.com", - "*mdmsupport.comodo.com", - "one.comodo.com" + "*.parallels.com", + "parallels.com/products/ras/try" ], "Ports": [] } 
@@ -1357,22 +1450,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/comodo_rmm_network_sigma.yml", - "Description": "Detects potential network activity of Comodo RMM RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/parallels_access_network_sigma.yml", + "Description": "Detects potential network activity of Parallels Access RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/comodo_rmm_processes_sigma.yml", - "Description": "Detects potential processes activity of Comodo RMM RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/parallels_access_processes_sigma.yml", + "Description": "Detects potential processes activity of Parallels Access RMM tool" } ], "References": [ - "https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html" + "https://kb.parallels.com/en/129097" ], "Acknowledgement": [] }, { - "Name": "Pocket Controller", - "Description": "Pocket Controller is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ConnectWise Control", + "Description": "ConnectWise Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -1390,9 +1483,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "pocketcontroller.exe", - "pocketcloudservice.exe", - "wysebrowser.exe" + "connectwisechat-customer.exe", + "connectwisecontrol.client.exe", + "screenconnect.windowsclient.exe" ] }, "Artifacts": { @@ -1403,7 +1496,8 @@ { "Description": "Known remote domains", "Domains": [ - "soti.net/products/soti-pocket-controller" + "live.screenconnect.com", + "control.connectwise.com" ], "Ports": [] } 
@@ -1411,20 +1505,20 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller_network_sigma.yml", - "Description": "Detects potential network activity of Pocket Controller RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_network_sigma.yml", + "Description": "Detects potential network activity of ConnectWise Control RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller_processes_sigma.yml", - "Description": "Detects potential processes activity of Pocket Controller RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_processes_sigma.yml", + "Description": "Detects potential processes activity of ConnectWise Control RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "NordLocker", - "Description": "NordLocker is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Devolutions Remote Desktop Manager", + "Description": "Devolutions Remote Desktop Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -1454,11 +1548,11 @@ "Acknowledgement": [] }, { - "Name": "OCS inventory", - "Description": "OCS inventory is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "TigerVNC", + "Description": "TigerVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/26/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -1473,8 +1567,11 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ocsinventory.exe", - "ocsservice.exe" + "tigervnc*.exe", + "winvnc4.exe", + "C:\\Program Files\\TightVNC\\*", + "*\\TightVNC\\*", + "*\\tvnserver.exe" ] }, "Artifacts": { @@ -1485,8 +1582,7 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "ocsinventory-ng.org" + "user_managed" ], "Ports": [] } @@ -1494,25 +1590,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ocs_inventory_network_sigma.yml", - "Description": "Detects potential network activity of OCS inventory RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tigervnc_network_sigma.yml", + "Description": "Detects potential network activity of TigerVNC RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ocs_inventory_processes_sigma.yml", - "Description": "Detects potential processes activity of OCS inventory RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tigervnc_processes_sigma.yml", + "Description": "Detects potential processes activity of TigerVNC RMM tool" } ], "References": [ - "https://ocsinventory-ng.org/?page_id=878&lang=en" + "https://github.com/TigerVNC/tigervnc/releases" ], "Acknowledgement": [] }, { - "Name": "GotoHTTP", - "Description": "GotoHTTP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Rocket Remote Desktop", + "Description": "Rocket Remote Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -1527,44 +1623,28 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "GotoHTTP_x64.exe", - "gotohttp.exe", - "GotoHTTP*.exe" + "RDConsole.exe", + "RocketRemoteDesktop_Setup.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.gotohttp.com", - "gotohttp.com" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotohttp_network_sigma.yml", - "Description": "Detects potential network activity of GotoHTTP RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotohttp_processes_sigma.yml", - "Description": "Detects potential processes activity of GotoHTTP RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rocket_remote_desktop_processes_sigma.yml", + "Description": "Detects potential processes activity of Rocket Remote Desktop RMM tool" } ], - "References": [ - "https://gotohttp.com/goto/help.12x" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "Terminals", - "Description": "Terminals is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "NoteOn-desktop sharing", + "Description": "NoteOn-desktop sharing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -1581,7 +1661,11 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "nateon*.exe", + "nateon.exe", + "nateonmain.exe" + ] }, "Artifacts": { "Disk": [], 
@@ -1589,16 +1673,21 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/noteon-desktop_sharing_processes_sigma.yml", + "Description": "Detects potential processes activity of NoteOn-desktop sharing RMM tool" + } + ], "References": [], "Acknowledgement": [] }, { - "Name": "RPort", - "Description": "RPort is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "HelpU", + "Description": "HelpU is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -1613,7 +1702,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "rport.exe" + "helpu_install.exe", + "HelpuUpdater.exe", + "HelpuManager.exe" ] }, "Artifacts": { @@ -1624,8 +1715,8 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "rport.io" + "helpu.co.kr", + "*.helpu.co.kr" ], "Ports": [] } 
@@ -1633,25 +1724,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rport_network_sigma.yml", - "Description": "Detects potential network activity of RPort RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpu_network_sigma.yml", + "Description": "Detects potential network activity of HelpU RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rport_processes_sigma.yml", - "Description": "Detects potential processes activity of RPort RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpu_processes_sigma.yml", + "Description": "Detects potential processes activity of HelpU RMM tool" } ], "References": [ - "https://kb.rport.io/using-the-remote-access" + "https://helpu.co.kr/" ], "Acknowledgement": [] }, { - "Name": "CentraStage (Now Datto)", - "Description": "CentraStage (Now Datto) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Splashtop Remote", + "Description": "Splashtop Remote is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -1666,8 +1757,13 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "CagService.exe", - "AEMAgent.exe" + "strwinclt.exe", + "Splashtop_Streamer_Windows*.exe", + "SplashtopSOS.exe", + "sragent.exe", + "srmanager.exe", + "srserver.exe", + "srservice.exe" ] }, "Artifacts": { @@ -1678,9 +1774,10 @@ { "Description": "Known remote domains", "Domains": [ - "*.rmm.datto.com", - "*cc.centrastage.net", - "datto.com/au/products/rmm/" + "splashtop.com", + "*.api.splashtop.com", + "*.relay.splashtop.com", + "*.api.splashtop.eu" ], "Ports": [] } 
@@ -1688,25 +1785,58 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centrastage__now_datto__network_sigma.yml", - "Description": "Detects potential network activity of CentraStage (Now Datto) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_remote_network_sigma.yml", + "Description": "Detects potential network activity of Splashtop Remote RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centrastage__now_datto__processes_sigma.yml", - "Description": "Detects potential processes activity of CentraStage (Now Datto) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_remote_processes_sigma.yml", + "Description": "Detects potential processes activity of Splashtop Remote RMM tool" } ], "References": [ - "https://rmm.datto.com/help/de/Content/1INTRODUCTION/Requirements/AllowListRequirements.htm" + "https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services" ], "Acknowledgement": [] }, { - "Name": "Instant Housecall", - "Description": "Instant Housecall is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "X2Go", + "Description": "X2Go is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [], + "References": [ + "https://wiki.x2go.org/doku.php" + ], + "Acknowledgement": [] + }, + { + "Name": "Pocket Controller", + "Description": "Pocket Controller is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -1721,10 +1851,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "hsloader.exe", - "InstantHousecall.exe", - "ihcserver.exe", - "instanthousecall.exe" + "pocketcontroller.exe", + "pocketcloudservice.exe", + "wysebrowser.exe" ] }, "Artifacts": { @@ -1735,10 +1864,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.instanthousecall.com", - "secure.instanthousecall.com", - "*.instanthousecall.net", - "instanthousecall.com" + "soti.net/products/soti-pocket-controller" ], "Ports": [] } 
@@ -1746,25 +1872,23 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_network_sigma.yml", - "Description": "Detects potential network activity of Instant Housecall RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller_network_sigma.yml", + "Description": "Detects potential network activity of Pocket Controller RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_processes_sigma.yml", - "Description": "Detects potential processes activity of Instant Housecall RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller_processes_sigma.yml", + "Description": "Detects potential processes activity of Pocket Controller RMM tool" } ], - "References": [ - "https://instanthousecall.com/features/" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "CruzControl", - "Description": "CruzControl is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Xshell", + "Description": "Xshell is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -1778,7 +1902,11 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "C:\\Program Files (x86)\\NetSarang\\xShell\\*", + "*\\NetSarang\\xShell\\*", + "*\\xShell.exe" + ] }, "Artifacts": { "Disk": [], 
@@ -1786,18 +1914,21 @@ "Registry": [], "Network": [] }, - "Detections": [], - "References": [ - "https://resources.doradosoftware.com/cruz-rmm" + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xshell_processes_sigma.yml", + "Description": "Detects potential processes activity of Xshell RMM tool" + } ], + "References": [], "Acknowledgement": [] }, { - "Name": "Mikogo", - "Description": "Mikogo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Bitvise SSH Client", + "Description": "Bitvise SSH Client is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -1812,54 +1943,32 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "mikogo.exe", - "mikogo-starter.exe", - "mikogo-service.exe", - "mikogolauncher.exe", - "C:\\Users\\*\\AppData\\Roaming\\Mikogo\\*", - "*Users\\*\\AppData\\Roaming\\Mikogo\\*", - "*\\Mikogo-Service.exe", - "*\\Mikogo-Screen-Service.exe" + "C:\\Program Files (x86)\\Bitvise SSH Client\\*", + "*\\Bitvise SSH Client\\*", + "*\\BvSshClient-Inst.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.real-time-collaboration.com", - "*.mikogo4.com", - "*.mikogo.com", - "mikogo.com" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mikogo_network_sigma.yml", - "Description": "Detects potential network activity of Mikogo RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mikogo_processes_sigma.yml", - "Description": "Detects potential processes activity of Mikogo RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bitvise_ssh_client_processes_sigma.yml", + "Description": "Detects potential processes activity of Bitvise SSH Client RMM tool" } ], - "References": [ - "https://mikogo.zendesk.com/hc/en-us/articles/214072478-Which-IP-addresses-do-we-use-for-our-services" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "mRemoteNG", - "Description": "mRemoteNG is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Royal Server", + "Description": "Royal Server is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -1873,43 +1982,17 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "mRemoteNG.exe", - "C:\\Program Files (x86)\\mRemoteNG\\*", - "*\\mRemoteNG\\*", - "*\\mRemoteNG.exe", - "c:\\Program Files (x86)%\\mRemoteNG", - "*%\\mRemoteNG", - "mRemoteNG-Installer-*.msi", - "*\\mRemoteNG.exe" - ] + "InstallationPaths": [] }, "Artifacts": { - "Disk": [ - { - "File": "C:\\Users\\*\\AppData\\Roaming\\mRemoteNG\\mRemoteNG.log", - "Description": "mRemoteNG log file", - "OS": "Windows" - }, - { - "File": "C:\\Users\\*\\AppData\\Roaming\\mRemoteNG\\confCons.xml", - "Description": "mRemoteNG configuration file", - "OS": "Windows" - }, - { - "File": "C:\\Users\\*\\AppData\\*\\mRemoteNG\\**10\\user.config", - "Description": "mRemoteNG user configuration file", - "OS": "Windows" - } - ], + "Disk": [], "EventLog": [], "Registry": [], "Network": [ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "mremoteng.org" + "royalapps.com" ], "Ports": [] } 
@@ -1917,29 +2000,21 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_network_sigma.yml", - "Description": "Detects potential network activity of mRemoteNG RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_files_sigma.yml", - "Description": "Detects potential files activity of mRemoteNG RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_processes_sigma.yml", - "Description": "Detects potential processes activity of mRemoteNG RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_server_network_sigma.yml", + "Description": "Detects potential network activity of Royal Server RMM tool" } ], "References": [ - "https://github.com/mRemoteNG/mRemoteNG" + "https://royalapps.com/server/main/features" ], "Acknowledgement": [] }, { - "Name": "LabTech RMM (Now ConnectWise Automate)", - "Description": "LabTech RMM (Now ConnectWise Automate) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Remote Manipulator System", + "Description": "Remote Manipulator System is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -1954,9 +2029,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ltsvc.exe", - "ltsvcmon.exe", - "lttray.exe" + "rfusclient.exe", + "rutserv.exe" ] }, "Artifacts": { @@ -1967,7 +2041,8 @@ { "Description": "Known remote domains", "Domains": [ - "connectwise.com" + "*.internetid.ru", + "rmansys.ru" ], "Ports": [] } 
@@ -1975,23 +2050,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labtech_rmm__now_connectwise_automate__network_sigma.yml", - "Description": "Detects potential network activity of LabTech RMM (Now ConnectWise Automate) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_manipulator_system_network_sigma.yml", + "Description": "Detects potential network activity of Remote Manipulator System RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labtech_rmm__now_connectwise_automate__processes_sigma.yml", - "Description": "Detects potential processes activity of LabTech RMM (Now ConnectWise Automate) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_manipulator_system_processes_sigma.yml", + "Description": "Detects potential processes activity of Remote Manipulator System RMM tool" } ], - "References": [], + "References": [ + "https://rmansys.ru/files/" + ], "Acknowledgement": [] }, { - "Name": "ScreenMeet", - "Description": "ScreenMeet is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Manage Engine (Desktop Central)", + "Description": "Manage Engine (Desktop Central) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -2006,8 +2083,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ScreenMeetSupport.exe", - "ScreenMeet.Support.exe" + "dcagentservice.exe", + "dcagentregister.exe" ] }, "Artifacts": { 
@@ -2018,8 +2095,12 @@ { "Description": "Known remote domains", "Domains": [ - "*.screenmeet.com", - "*.scrn.mt" + "desktopcentral.manageengine.com", + "desktopcentral.manageengine.com.eu", + "desktopcentral.manageengine.cn", + "*.dms.zoho.com", + "*.dms.zoho.com.eu", + "*.-dms.zoho.com.cn" ], "Ports": [] } @@ -2027,25 +2108,23 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenmeet_network_sigma.yml", - "Description": "Detects potential network activity of ScreenMeet RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktop_central_network_sigma.yml", + "Description": "Detects potential network activity of Desktop Central RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenmeet_processes_sigma.yml", - "Description": "Detects potential processes activity of ScreenMeet RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktop_central_processes_sigma.yml", + "Description": "Detects potential processes activity of Desktop Central RMM tool" } ], - "References": [ - "https://docs.screenmeet.com/docs/firewall-white-list" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "RES Automation Manager", - "Description": "RES Automation Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Auvik", + "Description": "Auvik is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -2060,10 +2139,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "wisshell*.exe", - "wmc.exe", - "wmc_deployer.exe", - "wmcsvc.exe" + "auvik.engine.exe", + "auvik.agent.exe" ] }, "Artifacts": { 
@@ -2074,8 +2151,9 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "ivanti.com/" + "*.my.auvik.com", + "*.auvik.com", + "auvik.com" ], "Ports": [] } @@ -2083,22 +2161,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/res_automation_manager_network_sigma.yml", - "Description": "Detects potential network activity of RES Automation Manager RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/auvik_network_sigma.yml", + "Description": "Detects potential network activity of Auvik RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/res_automation_manager_processes_sigma.yml", - "Description": "Detects potential processes activity of RES Automation Manager RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/auvik_processes_sigma.yml", + "Description": "Detects potential processes activity of Auvik RMM tool" } ], "References": [ - "https://forums.ivanti.com/s/article/INFO-Which-ports-does-Ivanti-Automation-use?language=en_US&ui-force-components-controllers-recordGlobalValueProvider.RecordGvp.getRecord=1" + "https://support.auvik.com/hc/en-us/articles/204315700-What-protocols-and-ports-does-the-Auvik-collector-use" ], "Acknowledgement": [] }, { - "Name": "Anyplace Control", - "Description": "Anyplace Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Basecamp", + "Description": "Basecamp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/7/2024", @@ -2115,9 +2193,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "apc_host.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], 
@@ -2127,7 +2203,7 @@ { "Description": "Known remote domains", "Domains": [ - "anyplace-control.com" + "basecamp.com" ], "Ports": [] } @@ -2135,25 +2211,21 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyplace_control_network_sigma.yml", - "Description": "Detects potential network activity of Anyplace Control RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyplace_control_processes_sigma.yml", - "Description": "Detects potential processes activity of Anyplace Control RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/basecamp_network_sigma.yml", + "Description": "Detects potential network activity of Basecamp RMM tool" } ], "References": [ - "http://www.anyplace-control.com/anyplace-control/help/faq.htm" + "basecamp.com - No specific RMM tool listed" ], "Acknowledgement": [] }, { - "Name": "TightVNC", - "Description": "TightVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Free Tools Launcher", + "Description": "Free Tools Launcher is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -2168,205 +2240,421 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "tvnviewer.exe", - "TightVNCViewerPortable*.exe", - "tvnserver.exe" + "C:\\Program Files\\ManageEngine\\ManageEngine Free Tools\\Launcher\\*", + "*\\ManageEngine\\*" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "user_managed", - "tightvnc.com" - ], - "Ports": [] - } - ] + "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tightvnc_network_sigma.yml", - "Description": "Detects potential network activity of TightVNC RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tightvnc_processes_sigma.yml", - "Description": "Detects potential processes activity of TightVNC RMM tool" - } - ], - "References": [ - "https://www.tightvnc.com/doc/win/TightVNC_for_Windows-Installation_and_Getting_Started.pdf" - ], + "Detections": [], + "References": [], "Acknowledgement": [] }, { - "Name": "LiteManager", - "Description": "LiteManager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/8/2024", + "Name": "AnyDesk", + "Category": "RMM", + "Description": "AnyDesk is a popular remote desktop software that enables users to access and control a computer or device from a remote location. 
It was developed with the primary goal of facilitating remote work, technical support, and collaboration between individuals and teams.\n", + "Author": "Ali Alwashali, Nasreddine Bencherchali", + "Created": "2023-09-29", + "LastModified": "2024-10-06", "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], + "Website": "https://anydesk.com/en", + "PEMetadata": [ + { + "Filename": "anydesk.exe", + "OriginalFileName": "AnyDesk.exe", + "Description": "AnyDesk", + "Product": "AnyDesk" + } + ], + "Privileges": "User", + "Free": true, + "Verification": false, + "SupportedOS": [ + "Android", + "ChromeOS", + "IOS", + "Linux", + "Mac", + "Windows" + ], + "Capabilities": [ + "File Transfer", + "File System Access", + "Remote Control", + "GUI Support", + "Command line Support" + ], + "Vulnerabilities": [ + "https://www.cvedetails.com/vulnerability-list/vendor_id-16953/product_id-40173/Anydesk-Anydesk.html" + ], "InstallationPaths": [ - "lmnoipserver.exe", - "ROMFUSClient.exe", - "romfusclient.exe", - "romviewer.exe", - "romserver.exe", - "ROMServer.exe" + "C:\\Program Files (x86)\\AnyDesk\\*", + "C:\\Program Files\\AnyDesk\\*" ] }, "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [ + "Disk": [ { - "Description": "Known remote domains", - "Domains": [ - "*.litemanager.ru", - "*.litemanager.com", - "litemanager.com" - ], - "Ports": [] - } - ] + "File": "%programdata%\\AnyDesk\\ad_svc.trace", + "Description": "AnyDesk service log file. 
As well as ad.trace, we can determine the IP address of the other participant and its AnyDesk ID when a connection is established.", + "OS": "Windows", + "Example": [ + "info 2022-08-23 10:20:11.969 gsvc 4628 3528 3 anynet.relay_conn - External address: 34.xx.xx.123:46798" + ] + }, + { + "File": "%programdata%\\AnyDesk\\connection_trace.txt", + "Description": "Incoming connection logs, contains IP Address of the remote machine and file transfer activity. Only generated on target side. The content indicates how the connection was approved (e.g. the local user authorized it, or a password was used)", + "OS": "Windows", + "Example": [ + "Incoming 2022-08-23, 10:23 Passwd 547911884 547911884", + "Incoming 2022-09-28, 12:39 User 442226597 442226597" + ] + }, + { + "File": "%APPDATA%\\AnyDesk\\connection_trace.txt", + "Description": "Incoming connection logs, contains IP Address of the remote machine and file transfer activity. Only generated on target side. The content indicates how the connection was approved (e.g. the local user authorized it, or a password was used)", + "OS": "Windows", + "Example": [ + "Incoming 2022-08-23, 10:23 Passwd 547911884 547911884", + "Incoming 2022-09-28, 12:39 User 442226597 442226597" + ] + }, + { + "File": "%APPDATA%\\AnyDesk\\ad.trace", + "Description": "AnyDesk user interface log file. In this log file, we can determine the IP address of the other participant and its AnyDesk ID. It is also possible to track events of file transfer. Below is the Client ID and external IP address of the remote participant.", + "OS": "Windows", + "Example": [ + "info 2022-09-28 12:39:26.845 lsvc 9952 9944 21 anynet.any_socket - Client-ID: 442226597 (FPR: 8e28a2a25b30).", + "info 2022-09-28 12:39:26.845 lsvc 9952 9944 21 anynet.any_socket - Logged in from 12.xx.xx.21:59562 on relay 80e496c0." 
+ ] + }, + { + "File": "%APPDATA%\\AnyDesk\\chat\\*.txt", + "Description": "If the chat functionality is used, its entries will be printed in a text file in this folder.", + "OS": "Windows" + }, + { + "File": "%APPDATA%\\AnyDesk\\user.conf", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "%PROGRAMDATA%\\AnyDesk\\service.conf", + "Description": "Password can be set to auto-validate the session. The password will be saved in a salted hash format.", + "OS": "Windows" + }, + { + "File": "%APPDATA%\\AnyDesk\\service.conf", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "%APPDATA%\\AnyDesk\\system.conf", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "%PROGRAMDATA%\\AnyDesk\\system.conf", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\AnyDesk.lnk", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\AnyDesk\\Uninstall AnyDesk.lnk", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "C:\\Users\\*\\Videos\\AnyDesk\\*.anydesk", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "C:\\Windows\\SysWOW64\\config\\systemprofile\\AppData\\Roaming\\AnyDesk\\*", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "~/Library/Application Support/AnyDesk/Logs/", + "Description": "N/A", + "OS": "Mac" + }, + { + "File": "~/.config/AnyDesk/Logs/", + "Description": "N/A", + "OS": "Linux" + } + ], + "EventLog": [ + { + "EventID": 7045, + "ProviderName": "Service Control Manager", + "LogFile": "System.evtx", + "ServiceName": "AnyDesk Service", + "ImagePath": "\"C:\\\\Program Files (x86)\\\\AnyDesk\\\\AnyDesk.exe\" --service", + "Description": "Service installation event as result of AnyDesk installation." 
+ }, + { + "EventID": 4697, + "ProviderName": "Microsoft-Security-Auditing", + "LogFile": "Security.evtx", + "ServiceName": "AnyDesk Service", + "ImagePath": "\"C:\\\\Program Files (x86)\\\\AnyDesk\\\\AnyDesk.exe\" --service", + "Description": "Service installation event as result of AnyDesk installation." + } + ], + "Registry": [ + { + "Path": "HKLM\\SOFTWARE\\Clients\\Media\\AnyDesk", + "Description": "N/A" + }, + { + "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\AnyDesk", + "Description": "N/A" + }, + { + "Path": "HKLM\\SOFTWARE\\Classes\\.anydesk\\shell\\open\\command", + "Description": "N/A" + }, + { + "Path": "HKLM\\SOFTWARE\\Classes\\AnyDesk\\shell\\open\\command", + "Description": "N/A" + }, + { + "Path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\AnyDesk Printer\\*", + "Description": "N/A" + }, + { + "Path": "HKLM\\DRIVERS\\DriverDatabase\\DeviceIds\\USBPRINT\\AnyDesk", + "Description": "N/A" + }, + { + "Path": "HKLM\\DRIVERS\\DriverDatabase\\DeviceIds\\WSDPRINT\\AnyDesk", + "Description": "N/A" + }, + { + "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\AnyDesk", + "Description": "N/A" + } + ], + "Network": [ + { + "Description": "During setup the boot.net.anydesk.com domain is request over port 443", + "Domains": [ + "boot.net.anydesk.com" + ], + "Ports": [ + 443 + ] + }, + { + "Description": "N/A", + "Domains": [ + "relay-[a-f0-9]{8}.net.anydesk.com:443" + ], + "Ports": [ + 443 + ] + }, + { + "Description": "N/A", + "Domains": [ + "*.anydesk.com" + ], + "Ports": [ + 443 + ] + } + ], + "Other": [ + { + "Type": "User-Agent", + "Value": "AnyDesk/*" + }, + { + "Type": "NamedPipe", + "Value": "adprinterpipe" + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/litemanager_network_sigma.yml", - "Description": "Detects potential network activity of LiteManager RMM tool" + "Sigma": 
"https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/builtin/system/service_control_manager/win_system_service_install_anydesk.yml", + "Description": "Anydesk Remote Access Software Service Installation" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/litemanager_processes_sigma.yml", - "Description": "Detects potential processes activity of LiteManager RMM tool" + "Sigma": "https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml", + "Description": "N/A" + }, + { + "Sigma": "https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk.yml", + "Description": "N/A" + }, + { + "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml", + "Description": "Remote Access Tool - AnyDesk Silent Installation" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_registry_sigma.yml", + "Description": "Detects potential registry activity of AnyDesk RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_network_sigma.yml", + "Description": "Detects potential network activity of AnyDesk RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_files_sigma.yml", + "Description": "Detects potential files activity of AnyDesk RMM tool" } ], "References": [ - "https://www.litemanager.com/articles/LiteManager_remote_access_to_a_desktop_via_the_Internet_or_LAN/" + "https://support.anydesk.com/knowledge/firewall", + "https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html", + 
"https://github.com/mthcht/awesome-lists/tree/79ced75eebe53bcabf1235b3c17eb11788875482/Lists/RMM/anydesk", + "https://ruler-project.github.io/ruler-project/RULER/remote/AnyDesk/" ], - "Acknowledgement": [] + "Acknowledgement": [ + { + "Person": "Théo Letailleur", + "Handle": "in/theosyn" + }, + { + "Person": "Ali Alwashali", + "Handle": "@ali_alwashali" + }, + { + "Person": "Nasreddine Bencherchali", + "Handle": "@nas_bench" + } + ] }, { - "Name": "Sophos-Remote Management System", - "Description": "Sophos-Remote Management System is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/9/2024", + "Name": "AnyViewer", + "Description": "AnyViewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.\n", + "Author": "@kostastsale", + "Created": "2024-08-03", + "LastModified": "2024-08-03", "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], + "Website": "https://www.anyviewer.com/", + "PEMetadata": [ + { + "Filename": "AnyViewer.exe", + "OriginalFileName": "AnyViewer", + "Description": "Splash Window" + }, + { + "Filename": "RCClient.exe", + "OriginalFileName": "RCClient.exe", + "Description": "AnyViewer Core" + }, + { + "Filename": "ScreanCap.exe", + "Description": "Screan capture" + }, + { + "Filename": "AVCore.exe" + }, + { + "Filename": "RCService.exe" + } + ], + "Privileges": "System", + "Free": "up to 10 devices", + "Verification": "None", + "SupportedOS": [ + "Windows" + ], + "Capabilities": [ + "Remote desktop", + "Remote file transfer", + "Remote monitoring and management", + "Remote shell open" + ], + "Vulnerabilities": [], "InstallationPaths": [ - "clientmrinit.exe", - "mgntsvc.exe", - "routernt.exe" + "C:\\Program 
Files (x86)\\AnyViewer\\*" ] }, "Artifacts": { "Disk": [], - "EventLog": [], + "EventLog": [ + { + "EventID": 4688, + "ProviderName": "Microsoft-Security-Auditing", + "LogFile": "Security.evtx", + "CommandLine": "\"C:\\\\Program Files (x86)\\\\AnyViewer\\\\AVCore.exe\" -d", + "Description": "Taking actions on the remote machine such as opening a command prompt." + }, + { + "EventID": 7045, + "ProviderName": "Service Control Manager", + "LogFile": "System.evtx", + "ServiceName": "RCService", + "ImagePath": "C:\\\\Program Files (x86)\\\\AnyViewer\\\\RCService.exe", + "Description": "AnyViewer service installation service." + } + ], "Registry": [], "Network": [ { - "Description": "Known remote domains", + "Description": "N/A", "Domains": [ - "*.sophos.com", - "*.sophosupd.com", - "*.sophosupd.net", - "community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system" + "*.anyviewer.com" ], - "Ports": [] + "Ports": [ + 443 + ] + }, + { + "Description": "N/A", + "Domains": [ + "*.aomeisoftware.com" + ], + "Ports": [ + 443 + ] } ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sophos-remote_management_system_network_sigma.yml", - "Description": "Detects potential network activity of Sophos-Remote Management System RMM tool" + "Name": "Arbitrary code execution and remote sessions via Action1 RMM", + "Description": "Threat hunting rule for detecting the execution of arbitrary code and remote sessions via Action1 RMM", + "author": "@kostastsale", + "Link": "https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/Anyviewer.yml" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sophos-remote_management_system_processes_sigma.yml", - "Description": "Detects potential processes activity of Sophos-Remote Management System RMM tool" + "Sigma": 
"https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyviewer_network_sigma.yml", + "Description": "Detects potential network activity of AnyViewer RMM tool" } ], "References": [ - "community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system" + "https://www.anyviewer.com/how-to/how-to-open-firewall-ports-for-remote-desktop-0427-gc.html", + "https://www.anyviewer.com/help/remote-technical-support.html" ], - "Acknowledgement": [] - }, - { - "Name": "ManageEngine", - "Description": "ManageEngine is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "InstallShield Setup.exe", - "ManageEngine_Remote_Access_Plus.exe", - "*\\dcagentservice.exe", - "C:\\Program Files (x86)\\DesktopCentral_Agent\\bin\\*", - "*\\DesktopCentral_Agent\\bin\\*" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [] - }, - "Detections": [ + "Acknowledgement": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manageengine_processes_sigma.yml", - "Description": "Detects potential processes activity of ManageEngine RMM tool" + "Person": "Kostas", + "Handle": "@kostastsale" } - ], - "References": [], - "Acknowledgement": [] + ] }, { - "Name": "Splashtop Remote", - "Description": "Splashtop Remote is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Level", + "Description": "Level is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -2380,15 +2668,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "strwinclt.exe", - "Splashtop_Streamer_Windows*.exe", - "SplashtopSOS.exe", - "sragent.exe", - "srmanager.exe", - "srserver.exe", - "srservice.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], @@ -2398,10 +2678,7 @@ { "Description": "Known remote domains", "Domains": [ - "splashtop.com", - "*.api.splashtop.com", - "*.relay.splashtop.com", - "*.api.splashtop.eu" + "level.io" ], "Ports": [] } 
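Review bot: The first Detections entry under AnyViewer is named "Arbitrary code execution and remote sessions via Action1 RMM" and its Description also says Action1, while its Link points at Anyviewer.yml, so the rule would be mislabelled in anything built from this file. The lines should read `"Name": "Arbitrary code execution and remote sessions via AnyViewer RMM", "Description": "Threat hunting rule for detecting the execution of arbitrary code and remote sessions via AnyViewer RMM"`. The same entry uses a lowercase `"author"` key where every other entry in the hunk uses `"Author"`, which a consumer keyed on the usual field would silently miss. This may have been carried over from the previous version rather than introduced here, and since this JSON looks generated from the per-tool yaml, the correction belongs in the AnyViewer yaml source.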
@@ -2409,25 +2686,19 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_remote_network_sigma.yml", - "Description": "Detects potential network activity of Splashtop Remote RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_remote_processes_sigma.yml", - "Description": "Detects potential processes activity of Splashtop Remote RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level_network_sigma.yml", + "Description": "Detects potential network activity of Level RMM tool" } ], - "References": [ - "https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "rdp2tcp", - "Description": "rdp2tcp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Site24x7", + "Description": "Site24x7 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/13/2024", "Details": { "Website": "", "PEMetadata": { @@ -2442,8 +2713,10 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "tdp2tcp.exe", - "rdp2tcp.py" + "MEAgentHelper.exe", + "MonitoringAgent.exe", + "Site24x7WindowsAgentTrayIcon.exe", + "Site24x7PluginAgent.exe" ] }, "Artifacts": { @@ -2454,8 +2727,12 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "github.com/V-E-O/rdp2tcp" + "plus*.site24x7.com", + "plus*.site24x7.eu", + "plus*.site24x7.in", + "plus*.site24x7.cn", + "plus*.site24x7.net.au", + "site24x7.com/msp" ], "Ports": [] } 
@@ -2463,231 +2740,145 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdp2tcp_network_sigma.yml", - "Description": "Detects potential network activity of rdp2tcp RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/site24x7_network_sigma.yml", + "Description": "Detects potential network activity of Site24x7 RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdp2tcp_processes_sigma.yml", - "Description": "Detects potential processes activity of rdp2tcp RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/site24x7_processes_sigma.yml", + "Description": "Detects potential processes activity of Site24x7 RMM tool" } ], "References": [ - "github.com/V-E-O/rdp2tcp" + "https://support.site24x7.com/portal/en/kb/articles/which-ports-do-i-need-to-allow-access-in-my-firewall-to-use-site24x7-agent" ], "Acknowledgement": [] }, { - "Name": "Jump Cloud", - "Description": "Jump Cloud is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/26/2024", + "Name": "ScreenConnect", + "Description": "ScreenConnect is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Author": "Ali Alwashali, Nasreddine Bencherchali", + "Created": "2023-10-01", + "LastModified": "2024-10-08", "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, + "Website": "https://www.connectwise.com", + "PEMetadata": [ + { + "Filename": "", + "OriginalFileName": "", + "Description": "" + } + ], "Privileges": "", - "Free": "", + "Free": "14-Days Free Trial", "Verification": "", - "SupportedOS": [], - "Capabilities": [], + "SupportedOS": [ + "Android", + "IOS", + "Linux", + "Mac", + "Windows" + ], + "Capabilities": [ + "Command Line Support", + "File Transfer", + "Install Windows updates", + "Receive notification when user performs a predefined event", + "Remote Command Line", + "Remote Control", + "Sound Capture", + "Start / Stop services", + "View event logs" + ], "Vulnerabilities": [], "InstallationPaths": [ - "JumpCloud*.exe " - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.api.jumpcloud.com", - "*.assist.jumpcloud.com" - ], - "Ports": [] - } - ] - }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_cloud_network_sigma.yml", - "Description": "Detects potential network activity of Jump Cloud RMM tool" - } - ], - "References": [ - "https://jumpcloud.com/support/understand-remote-assist-agent" - ], - "Acknowledgement": [] - }, - { - "Name": "RuDesktop", - "Description": "RuDesktop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/9/2024", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "rd.exe", - "rudesktop*.exe" + "C:\\Program Files (x86)\\ScreenConnect Client (Random)\\ScreenConnect.ClientService.exe", + "Remote Workforce Client.exe", + "*\\*\\ScreenConnect.ClientService.exe", + "C:\\Program Files (x86)\\ScreenConnect Client ()\\*", + "*\\ScreenConnect Client*\\*", + "*\\*\\ScreenConnect.WindowsClient.exe", + "screenconnect*.exe", + "screenconnect.windowsclient.exe", + "Remote Workforce Client.exe", + "screenconnect*.exe", + "ConnectWiseControl*.exe", + "connectwise*.exe", + "screenconnect.windowsclient.exe", + "screenconnect.clientservice.exe" ] }, "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.rudesktop.ru", - "rudesktop.ru" - ], - "Ports": [] - } - ] - }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rudesktop_network_sigma.yml", - "Description": "Detects potential network activity of RuDesktop RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rudesktop_processes_sigma.yml", - "Description": "Detects potential processes activity of RuDesktop RMM tool" - } - ], - "References": [ - "https://rudesktop.ru" - ], - "Acknowledgement": [] - }, - { - "Name": "LogMeIn", - "Description": "LogMeIn is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.\n", - "Author": "Nasreddine Bencherchali", - "Created": "2024-08-05", - "LastModified": "2024-08-05", - "Details": { - "Website": "https://www.logmein.com/", - "PEMetadata": [ - { - "Filename": "lmiguardiansvc.exe" - }, + "Disk": [ { - "Filename": "lmiignition.exe" + "File": "C:\\Program Files*\\ScreenConnect\\App_Data\\Session.db", + "Description": "ScreenConnect session database", + "OS": "Windows" }, { - "Filename": "logmeinsystray.exe" + "File": "C:\\Program Files*\\ScreenConnect\\App_Data\\User.xml", + "Description": "ScreenConnect user configuration", + "OS": "Windows" }, { - "Filename": "logmein.exe", - "OriginalFileName": "", - "Company": "LogMeIn, Inc.", - "Description": "LMIGuardianSvc", - "Product": "LMIGuardianSvc" + "File": "C:\\ProgramData\\ScreenConnect Client*\\user.config", + "Description": "ScreenConnect client user configuration", + "OS": "Windows" } ], - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": null - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [ - { - "Description": "N/A", - "Domains": [ - "logmein-gateway.com" - ], - "Ports": [ - 443 - ] - }, - { - "Description": "N/A", - "Domains": [ - "*.logmein.com" - ], - "Ports": [ - 443 - ] - }, + "EventLog": [ { - "Description": "N/A", - "Domains": [ - "*.logmein.eu" + "EventID": 7045, + "ProviderName": [ + "ScreenConnect", + "ScreenConnect Client ()" ], - "Ports": [ - 443 - ] + "LogFile": "Application.evtx", + "ServiceName": "ScreenConnect Client ()", + "Description": "Service installation event as a result of ScreenConnect installation." 
}, { - "Description": "N/A", - "Domains": [ - "logmeinrescue.com" + "EventID": 20, + "ProviderName": [ + "ScreenConnect", + "ScreenConnect Client ()" ], - "Ports": [ - 443 - ] - }, + "LogFile": "Application.evtx", + "ServiceName": "ScreenConnect Client ()", + "Description": "Logs events such as successful or failed connections, and user logins." + } + ], + "Registry": [], + "Network": [ { - "Description": "N/A", + "Description": "Known remote domains", "Domains": [ - "*.logmeininc.com" + "control.connectwise.com", + "*.connectwise.com", + "*.screenconnect.com" ], - "Ports": [ - 443 - ] + "Ports": [] } ] }, "Detections": [ { - "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml", - "Description": "DNS Query To Remote Access Software Domain From Non-Browser App" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_network_sigma.yml", + "Description": "Detects potential network activity of ScreenConnect RMM tool" }, { - "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_remote_access_tools_logmein.yml", - "Description": "Remote Access Tool - LogMeIn Execution" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_files_sigma.yml", + "Description": "Detects potential files activity of ScreenConnect RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_network_sigma.yml", - "Description": "Detects potential network activity of LogMeIn RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_processes_sigma.yml", + "Description": "Detects potential processes activity of ScreenConnect RMM tool" } ], "References": [ - 
"https://support.logmeininc.com/central/help/allowlisting-and-firewall-configuration" + "https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours/", + "https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling" ], - "Acknowledgement": [ - { - "Person": "Nasreddine Bencherchali", - "Handle": "@nas_bench" - } - ] + "Acknowledgement": [] }, { "Name": "SmartFTP", @@ -2725,8 +2916,8 @@ "Acknowledgement": [] }, { - "Name": "NetSupport Manager", - "Description": "NetSupport Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "SpyAnywhere", + "Description": "SpyAnywhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -2744,9 +2935,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "pcictlui.exe", - "pcicfgui.exe", - "client32.exe" + "sysdiag.exe" ] }, "Artifacts": { @@ -2757,8 +2946,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.netsupportmanager.com", - "netsupportmanager.com" + "*.spytech-web.com", + "spyanywhere.com" ], "Ports": [] } 
@@ -2766,22 +2955,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_network_sigma.yml", - "Description": "Detects potential network activity of NetSupport Manager RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/spyanywhere_network_sigma.yml", + "Description": "Detects potential network activity of SpyAnywhere RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_processes_sigma.yml", - "Description": "Detects potential processes activity of NetSupport Manager RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/spyanywhere_processes_sigma.yml", + "Description": "Detects potential processes activity of SpyAnywhere RMM tool" } ], "References": [ - "https://www.netsupportmanager.com/resources/" + "https://www.spyanywhere.com/support.shtml" ], "Acknowledgement": [] }, { - "Name": "Pocket Cloud (Wyse)", - "Description": "Pocket Cloud (Wyse) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "NinjaRMM", + "Description": "NinjaRMM is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", 
@@ -2799,33 +2988,50 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "pocketcloud*.exe", - "pocketcloudservice.exe" + "ninjarmmagent.exe", + "NinjaRMMAgent.exe", + "NinjaRMMAgenPatcher.exe", + "ninjarmm-cli.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.ninjarmm.com", + "*.ninjaone.com", + "resources.ninjarmm.com", + "ninjaone.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_cloud__wyse__processes_sigma.yml", - "Description": "Detects potential processes activity of Pocket Cloud (Wyse) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ninjarmm_network_sigma.yml", + "Description": "Detects potential network activity of NinjaRMM RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ninjarmm_processes_sigma.yml", + "Description": "Detects potential processes activity of NinjaRMM RMM tool" } ], "References": [ - "https://wyse-pocketcloud.informer.com/2.1/" + "https://www.ninjaone.com/faq/" ], "Acknowledgement": [] }, { - "Name": "Guacamole", - "Description": "Guacamole is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "CruzControl", + "Description": "CruzControl is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -2839,46 +3045,26 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "guacd.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "user_managed", - "guacamole.apache.org" - ], - "Ports": [] - } - ] + "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/guacamole_network_sigma.yml", - "Description": "Detects potential network activity of Guacamole RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/guacamole_processes_sigma.yml", - "Description": "Detects potential processes activity of Guacamole RMM tool" - } - ], + "Detections": [], "References": [ - "guacamole.apache.org" + "https://resources.doradosoftware.com/cruz-rmm" ], "Acknowledgement": [] }, { - "Name": "LANDesk", - "Description": "LANDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "SimpleHelp", + "Description": "SimpleHelp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -2893,16 +3079,11 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "issuser.exe", - "landeskagentbootstrap.exe", - "LANDeskPortalManager.exe", - "ldinv32.exe", - "ldsensors.exe", - "C:\\Program Files (x86)\\LANDesk\\*", - "*\\LANDesk\\*", - "*\\issuser.exe", - "*\\softmon.exe", - "*\\tmcsvc.exe" + "simplehelpcustomer.exe", + "simpleservice.exe", + "simplegatewayservice.exe", + "remote access.exe", + "windowslauncher.exe" ] }, "Artifacts": { 
@@ -2913,9 +3094,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.ivanticloud.com", - "*.ivanti.com", - "ivanti.com" + "user_managed", + "simple-help.com" ], "Ports": [] } @@ -2923,25 +3103,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/landesk_network_sigma.yml", - "Description": "Detects potential network activity of LANDesk RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/simplehelp_network_sigma.yml", + "Description": "Detects potential network activity of SimpleHelp RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/landesk_processes_sigma.yml", - "Description": "Detects potential processes activity of LANDesk RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/simplehelp_processes_sigma.yml", + "Description": "Detects potential processes activity of SimpleHelp RMM tool" } ], "References": [ - "https://forums.ivanti.com/s/article/URL-exception-list-for-Ivanti-Security-Controls?language=en_US" + "https://simple-help.com/remote-support" ], "Acknowledgement": [] }, { - "Name": "pcAnywhere", - "Description": "pcAnywhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "EMCO Remote Console", + "Description": "EMCO Remote Console is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -2956,10 +3136,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "awhost32.exe", - "awrem32.exe", - "pcaquickconnect.exe", - "winaw32.exe" + "remoteconsole.exe" ] }, "Artifacts": { 
@@ -2970,7 +3147,8 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed" + "user_managed", + "emcosoftware.com" ], "Ports": [] } @@ -2978,25 +3156,23 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcanywhere_network_sigma.yml", - "Description": "Detects potential network activity of pcAnywhere RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/emco_remote_console_network_sigma.yml", + "Description": "Detects potential network activity of EMCO Remote Console RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcanywhere_processes_sigma.yml", - "Description": "Detects potential processes activity of pcAnywhere RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/emco_remote_console_processes_sigma.yml", + "Description": "Detects potential processes activity of EMCO Remote Console RMM tool" } ], - "References": [ - "https://en.wikipedia.org/wiki/PcAnywhere" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "mstsc", - "Description": "mstsc is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ngrok", + "Description": "ngrok is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -3011,31 +3187,47 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Windows\\System32\\mstsc.exe", - "*Windows\\System32\\mstsc.exe" + "ngrok.exe", + "C:\\*\\ngrok.zip", + "*\\ngrok*" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "user_managed", + "ngrok.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mstsc_processes_sigma.yml", - "Description": "Detects potential processes activity of mstsc RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ngrok_network_sigma.yml", + "Description": "Detects potential network activity of ngrok RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ngrok_processes_sigma.yml", + "Description": "Detects potential processes activity of ngrok RMM tool" } ], - "References": [], + "References": [ + "https://ngrok.com/docs/guides/running-behind-firewalls/" + ], "Acknowledgement": [] }, { - "Name": "FreeNX", - "Description": "FreeNX is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Apple Remote Desktop", + "Description": "Apple Remote Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/24/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -3050,28 +3242,37 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\*\\nxplayer.exe", - "*\\nxplayer.exe" + "ARDAgent.app" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "user_managed" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/freenx_processes_sigma.yml", - "Description": "Detects potential processes activity of FreeNX RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/apple_remote_desktop_network_sigma.yml", + "Description": "Detects potential network activity of Apple Remote Desktop RMM tool" } ], - "References": [], + "References": [ + "https://support.apple.com/guide/remote-desktop/install-and-set-up-remote-desktop-apdf49e03a4/mac" + ], "Acknowledgement": [] }, { - "Name": "PSEXEC (Clone)", - "Description": "PSEXEC (Clone) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Netviewer (GoToMeet)", + "Description": "Netviewer (GoToMeet) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", 
@@ -3089,47 +3290,30 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "paexec.exe", - "PAExec-*.exe", - "csexec.exe ", - "remcom.exe", - "remcomsvc.exe", - "xcmd.exe", - "xcmdsvc.exe" + "nvClient.exe", + "netviewer.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "user_managed" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec__clone__network_sigma.yml", - "Description": "Detects potential network activity of PSEXEC (Clone) RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec__clone__processes_sigma.yml", - "Description": "Detects potential processes activity of PSEXEC (Clone) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer__gotomeet__processes_sigma.yml", + "Description": "Detects potential processes activity of Netviewer (GoToMeet) RMM tool" } ], "References": [ - "https://www.poweradmin.com/paexec/" + "Obsolute - found copy here: https://www.enviolet.com/en/service/online-consultant.html" ], "Acknowledgement": [] }, { - "Name": "SpyAnywhere", - "Description": "SpyAnywhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "NoMachine", + "Description": "NoMachine is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -3147,7 +3331,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "sysdiag.exe" + "nomachine*.exe", + "nxservice*.ese", + "nxd.exe" ] }, "Artifacts": { @@ -3158,8 +3344,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.spytech-web.com", - "spyanywhere.com" + "user_managed", + "nomachine.com" ], "Ports": [] } 
@@ -3167,25 +3353,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/spyanywhere_network_sigma.yml", - "Description": "Detects potential network activity of SpyAnywhere RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nomachine_network_sigma.yml", + "Description": "Detects potential network activity of NoMachine RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/spyanywhere_processes_sigma.yml", - "Description": "Detects potential processes activity of SpyAnywhere RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nomachine_processes_sigma.yml", + "Description": "Detects potential processes activity of NoMachine RMM tool" } ], "References": [ - "https://www.spyanywhere.com/support.shtml" + "https://kb.nomachine.com/AR04S01122" ], "Acknowledgement": [] }, { - "Name": "MultCloud", - "Description": "MultCloud is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "MioNet (WD Anywhere Access)", + "Description": "MioNet (WD Anywhere Access) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -3200,8 +3386,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "requires sign up", - "requires sign up" + "mionet.exe", + "mionetmanager.exe" ] }, "Artifacts": { 
@@ -3210,16 +3396,23 @@ "Registry": [], "Network": [] }, - "Detections": [], - "References": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mionet__wd_anywhere_access__processes_sigma.yml", + "Description": "Detects potential processes activity of MioNet (WD Anywhere Access) RMM tool" + } + ], + "References": [ + "https://en.wikipedia.org/wiki/WD_Anywhere_Access - DOA as of 2016" + ], "Acknowledgement": [] }, { - "Name": "Visual Studio Dev Tunnel", - "Description": "Visual Studio Dev Tunnel is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", + "Name": "Splashtop", + "Description": "Splashtop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "Nasreddine Bencherchali", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -3233,185 +3426,320 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "C:\\Program Files (x86)\\Splashtop\\*", + "*\\Splashtop\\Splashtop Remote\\Client for RMM\\*", + "strwinclt.exe" + ] }, "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [ + "Disk": [ { - "Description": "Known remote domains", - "Domains": [ - "global.rel.tunnels.api.visualstudio.com", - "*.rel.tunnels.api.visualstudio.com", - "*.devtunnels.ms" - ], - "Ports": [] - } - ] - }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/visual_studio_dev_tunnel_network_sigma.yml", - "Description": "Detects potential network activity of Visual Studio Dev Tunnel RMM tool" - } - ], - "References": [ - "https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security" - ], - "Acknowledgement": [] - }, - { - "Name": "Xpra", - "Description": "Xpra is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\Program Files (x86)\\Xpra\\*", - "*\\Xpra\\*", - "*\\Xpra-Launcher.exe", - "*\\Xpra-x86_64_Setup.exe" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [] - }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xpra_processes_sigma.yml", - "Description": "Detects potential processes activity of Xpra RMM tool" - } - ], - "References": [], - "Acknowledgement": [] - }, - { - "Name": "Royal Apps", - "Description": "Royal Apps is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/9/2024", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "royalserver.exe", - "royalts.exe" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], + "File": "C:\\windows\\System32\\winevt\\Logs\\Splashtop-Splashtop Streamer-Status%4Operational.evtx", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "C:\\windows\\System32\\winevt\\Logs\\Splashtop-Splashtop Streamer-Remote Session%4Operational.evtx", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "%PROGRAMDATA%\\Splashtop\\Temp\\log\\FTCLog.txt", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\agent_log.txt", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\SPLog.txt", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\svcinfo.txt", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\sysinfo.txt", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRService.exe", + "Description": "Splashtop Remote Service", + "OS": "Windows" + }, + { + "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRAgent.exe", + "Description": "SplashTop Remote Agent", + "OS": "Windows" + }, + { + "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Software Updater\\SSUAgent.exe", + "Description": "Splashtop Updater", + "OS": "Windows" + }, + { + "File": "C:\\Program 
Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRUtility.exe", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRFeature.exe", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\db\\SRAgent.sqlite3", + "Description": "N/A", + "OS": "Windows" + } + ], + "EventLog": [ + { + "EventID": 7045, + "ProviderName": "Service Control Manager", + "LogFile": "System.evtx", + "ServiceName": "Splashtop Software Updater Service", + "ImagePath": "\"C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Software Updater\\\\SSUService.exe\"", + "Description": "Service installation event as result of Splashtop Software Updater Service installation." + }, + { + "EventID": 7045, + "ProviderName": "Service Control Manager", + "LogFile": "System.evtx", + "ServiceName": "Splashtop® Remote Service", + "ImagePath": "\"C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Remote\\\\Server\\\\SRService.exe\"", + "Description": "Service installation event as result of Splashtop Remote Service installation." + }, + { + "EventID": 7045, + "ProviderName": "Service Control Manager", + "LogFile": "System.evtx", + "ServiceName": "SplashtopRemoteService", + "ImagePath": "\"C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Remote\\\\Server\\\\SRService.exe\"", + "Description": "Service installation event as result of Splashtop Remote Service installation." + } + ], + "Registry": [ + { + "Path": "KLM\\SOFTWARE\\WOW6432Node\\Splashtop Inc.\\*", + "Description": "Splashtop Inc. 
registry key" + }, + { + "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Splashtop Software Updater", + "Description": "Splashtop Software Updater uninstall key" + }, + { + "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SplashtopRemoteService", + "Description": "Splashtop Remote Service registry key" + }, + { + "Path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Splashtop-Splashtop Streamer-Remote Session/Operational", + "Description": "Splashtop Streamer Remote Session event log channel" + }, + { + "Path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Splashtop-Splashtop Streamer-Status/Operational", + "Description": "Splashtop Streamer Status event log channel" + }, + { + "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Splashtop Software Updater\\InstallRefCount", + "Description": "Splashtop Software Updater install reference count" + }, + { + "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\SplashtopRemoteService", + "Description": "Splashtop Remote Service safe boot configuration" + }, + { + "Path": "HKU\\.DEFAULT\\Software\\Splashtop Inc.\\*", + "Description": "Default user Splashtop Inc. registry key" + }, + { + "Path": "HKU\\SID\\Software\\Splashtop Inc.\\*", + "Description": "User-specific Splashtop Inc. 
registry key" + }, + { + "Path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\Splashtop PDF Remote Printer", + "Description": "Splashtop PDF Remote Printer configuration" + }, + { + "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Splashtop Inc.\\Splashtop Remote Server\\ClientInfo\\*", + "Description": "Splashtop Remote Server client information" + } + ], "Network": [ { - "Description": "Known remote domains", + "Description": "N/A", "Domains": [ - "user_managed" + "*.splashtop.com" ], - "Ports": [] + "Ports": [ + "N/A" + ] } ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_apps_network_sigma.yml", - "Description": "Detects potential network activity of Royal Apps RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_registry_sigma.yml", + "Description": "Detects potential registry activity of Splashtop RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_apps_processes_sigma.yml", - "Description": "Detects potential processes activity of Royal Apps RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_network_sigma.yml", + "Description": "Detects potential network activity of Splashtop RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_files_sigma.yml", + "Description": "Detects potential files activity of Splashtop RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_processes_sigma.yml", + "Description": "Detects potential processes activity of Splashtop RMM tool" } ], "References": [ - "https://www.royalapps.com/ts/win/download" + "https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html" ], - "Acknowledgement": [] + "Acknowledgement": [ + { + "Person": "Théo Letailleur", + "Handle": 
"in/theosyn" + } + ] }, { - "Name": "eHorus", - "Description": "eHorus is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, + "Name": "RAdmin", + "Description": "RAdmin is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.\n", + "Author": "Nasreddine Bencherchali", + "Created": "2024-08-05", + "LastModified": "2024-08-05", + "Details": { + "Website": "https://www.radmin.com/", + "PEMetadata": [ + { + "Filename": "RServer3.exe", + "OriginalFileName": "RServer3.exe", + "InternalName": "RServer3", + "Description": "Radmin Server", + "Product": "Radmin Server", + "Comments": "Radmin - Remote Control Server" + }, + { + "Filename": "Radmin.exe", + "OriginalFileName": "Radmin.exe", + "InternalName": "Radmin", + "Description": "Radmin Viewer", + "Product": "Radmin Viewer", + "Comments": "Radmin Viewer" + } + ], "Privileges": "", "Free": "", "Verification": "", - "SupportedOS": [], + "SupportedOS": [ + "Windows" + ], "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ehorus standalone.exe" + "C:\\Program Files (x86)\\Radmin Viewer 3\\Radmin.exe", + "C:\\Windows\\SysWOW64\\rserver30\\rserver3.exe", + "C:\\Windows\\SysWOW64\\rserver30\\FamItrfc", + "C:\\Windows\\SysWOW64\\rserver30\\FamItrf2" ] }, "Artifacts": { - "Disk": [], + "Disk": [ + { + "File": "C:\\Windows\\SysWOW64\\rserver30\\Radm_log.htm", + "Description": "RAdmin log file (32-bit)", + "OS": "Windows" + }, + { + "File": "C:\\Windows\\System32\\rserver30\\Radm_log.htm", + "Description": "RAdmin log file (64-bit)", + "OS": "Windows" + }, + { + "File": "C:\\Windows\\System32\\rserver30\\CHATLOGS\\*\\*.htm", + "Description": "RAdmin chat logs", + "OS": "Windows" + }, + { + "File": 
"C:\\Users\\*\\Documents\\ChatLogs\\*\\*.htm", + "Description": "RAdmin user chat logs", + "OS": "Windows" + } + ], "EventLog": [], - "Registry": [], + "Registry": [ + { + "Path": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Radmin\\v3.0\\Server\\Parameters\\Radmin Security", + "Description": "N/A" + } + ], "Network": [ { - "Description": "Known remote domains", + "Description": "N/A", "Domains": [ - "ehorus.com" + "radmin.com" ], - "Ports": [] + "Ports": [ + 443 + ] } ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ehorus_network_sigma.yml", - "Description": "Detects potential network activity of eHorus RMM tool" + "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_pua_radmin.yml", + "Description": "PUA - Radmin Viewer Utility Execution" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ehorus_processes_sigma.yml", - "Description": "Detects potential processes activity of eHorus RMM tool" + "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml", + "Description": "Enumeration for 3rd Party Creds From CLI" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_registry_sigma.yml", + "Description": "Detects potential registry activity of RAdmin RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_network_sigma.yml", + "Description": "Detects potential network activity of RAdmin RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_files_sigma.yml", + "Description": "Detects potential files activity of RAdmin RMM tool" + }, + { + "Sigma": 
"https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_processes_sigma.yml", + "Description": "Detects potential processes activity of RAdmin RMM tool" } ], - "References": [], - "Acknowledgement": [] + "References": [ + "https://radmin-club.com/radmin/how-to-establish-a-connection-outside-of-lan/", + "https://helpdesk.radmin.com/radmin3help/", + "https://helpdesk.radmin.com/radmin3help/files/viewercmd.htm", + "https://helpdesk.radmin.com/radmin3help/files/cmd.htm" + ], + "Acknowledgement": [ + { + "Person": "Nasreddine Bencherchali", + "Handle": "@nas_bench" + } + ] }, { - "Name": "SuperPuTTY", - "Description": "SuperPuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "LANDesk", + "Description": "LANDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -3426,33 +3754,55 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Downloads\\SuperPuTTY\\*", - "*Downloads\\SuperPuTTY\\*", - "*\\superputty.exe", - "*\\SuperPuTTY\\*" + "issuser.exe", + "landeskagentbootstrap.exe", + "LANDeskPortalManager.exe", + "ldinv32.exe", + "ldsensors.exe", + "C:\\Program Files (x86)\\LANDesk\\*", + "*\\LANDesk\\*", + "*\\issuser.exe", + "*\\softmon.exe", + "*\\tmcsvc.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.ivanticloud.com", + "*.ivanti.com", + "ivanti.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superputty_processes_sigma.yml", - "Description": "Detects potential processes activity of SuperPuTTY RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/landesk_network_sigma.yml", + "Description": "Detects potential network activity of LANDesk RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/landesk_processes_sigma.yml", + "Description": "Detects potential processes activity of LANDesk RMM tool" } ], - "References": [], + "References": [ + "https://forums.ivanti.com/s/article/URL-exception-list-for-Ivanti-Security-Controls?language=en_US" + ], "Acknowledgement": [] }, { - "Name": "ZeroTier", - "Description": "ZeroTier is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "SuperOps", + "Description": "SuperOps is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -3467,9 +3817,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "zerotier*.msi", - "zerotier*.exe", - "zero-powershell.exe" + "superopsticket.exe", + "superops.exe" ] }, "Artifacts": { @@ -3480,8 +3829,11 @@ { "Description": "Known remote domains", "Domains": [ - "zerotier.com", - "*.zerotier.com" + "*.superopsbeta.com", + "superops.ai", + "serv.superopsalpha.com", + "*.superops.ai", + "*.superopsalpha.com" ], "Ports": [] } @@ -3489,22 +3841,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zerotier_network_sigma.yml", - "Description": "Detects potential network activity of ZeroTier RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superops_network_sigma.yml", + "Description": "Detects potential network activity of SuperOps RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zerotier_processes_sigma.yml", - "Description": "Detects potential processes activity of ZeroTier RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superops_processes_sigma.yml", + "Description": "Detects potential processes activity of SuperOps RMM tool" } ], "References": [ - "https://my.zerotier.com/" + "https://support.superops.com/en/articles/6632028-how-to-download-and-deploy-the-agent" ], "Acknowledgement": [] }, { - "Name": "Devolutions Remote Desktop Manager", - "Description": "Devolutions Remote Desktop Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Lite Manager", + "Description": "Lite Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -3521,7 +3873,11 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "C:\\Program Files\\LiteManager Pro – Viewer\\*", + "*\\LiteManager Pro – Viewer\\*", + "*\\LMNoIpServer.exe." + ] }, "Artifacts": { "Disk": [], @@ -3534,11 +3890,11 @@ "Acknowledgement": [] }, { - "Name": "BeAnyWhere", - "Description": "BeAnyWhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Supremo", + "Description": "Supremo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/13/2024", "Details": { "Website": "", "PEMetadata": { @@ -3553,14 +3909,10 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "basuptshelper.exe", - "basupsrvcupdate.exe", - "BASupApp.exe", - "BASupSysInf.exe", - "BASupAppSrvc.exe", - "TakeControl.exe", - "BASupAppElev.exe", - "basupsrvc.exe" + "supremo.exe", + "supremoservice.exe", + "supremosystem.exe", + "supremohelper.exe" ] }, "Artifacts": { @@ -3571,8 +3923,9 @@ { "Description": "Known remote domains", "Domains": [ - "beanywhere.en.uptodown.com/windows", - "beanywhere.com" + "supremocontrol.com", + "*.supremocontrol.com", + "* .nanosystems.it" ], "Ports": [] } 
@@ -3580,25 +3933,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beanywhere_network_sigma.yml", - "Description": "Detects potential network activity of BeAnyWhere RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/supremo_network_sigma.yml", + "Description": "Detects potential network activity of Supremo RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beanywhere_processes_sigma.yml", - "Description": "Detects potential processes activity of BeAnyWhere RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/supremo_processes_sigma.yml", + "Description": "Detects potential processes activity of Supremo RMM tool" } ], "References": [ - "https://www.shouldiremoveit.com/beanywhere-support-service-40908-program.aspx" + "https://www.supremocontrol.com/frequently-asked-questions/" ], "Acknowledgement": [] }, { - "Name": "WebEx (Remote Access)", - "Description": "WebEx (Remote Access) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Chicken (of the VNC)", + "Description": "Chicken (of the VNC) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -3622,300 +3975,68 @@ }, "Detections": [], "References": [ - "https://help.webex.com/en-us/article/nyc3q0b/Set-Up-a-Computer-for-Remote-Access" + "https://github.com/flit/cotvnc" ], "Acknowledgement": [] }, { - "Name": "AnyDesk", - "Category": "RMM", - "Description": "AnyDesk is a popular remote desktop software that enables users to access and control a computer or device from a remote location. It was developed with the primary goal of facilitating remote work, technical support, and collaboration between individuals and teams.\n", - "Author": "Ali Alwashali, Nasreddine Bencherchali", - "Created": "2023-09-29", - "LastModified": "2024-10-06", + "Name": "KHelpDesk", + "Description": "KHelpDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/26/2024", "Details": { - "Website": "https://anydesk.com/en", - "PEMetadata": [ - { - "Filename": "anydesk.exe", - "OriginalFileName": "AnyDesk.exe", - "Description": "AnyDesk", - "Product": "AnyDesk" - } - ], - "Privileges": "User", - "Free": true, - "Verification": false, - "SupportedOS": [ - "Android", - "ChromeOS", - "IOS", - "Linux", - "Mac", - "Windows" - ], - "Capabilities": [ - "File Transfer", - "File System Access", - "Remote Control", - "GUI Support", - "Command line Support" - ], - "Vulnerabilities": [ - "https://www.cvedetails.com/vulnerability-list/vendor_id-16953/product_id-40173/Anydesk-Anydesk.html" - ], + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\AnyDesk\\*", - "C:\\Program Files\\AnyDesk\\*" + "KHelpDesk.exe" ] }, "Artifacts": { - "Disk": [ - { - "File": "%programdata%\\AnyDesk\\ad_svc.trace", - "Description": "AnyDesk service log file. 
As well as ad.trace, we can determine the IP address of the other participant and its AnyDesk ID when a connection is established.", - "OS": "Windows", - "Example": [ - "info 2022-08-23 10:20:11.969 gsvc 4628 3528 3 anynet.relay_conn - External address: 34.xx.xx.123:46798" - ] - }, - { - "File": "%programdata%\\AnyDesk\\connection_trace.txt", - "Description": "Incoming connection logs, contains IP Address of the remote machine and file transfer activity. Only generated on target side. The content indicates how the connection was approved (e.g. the local user authorized it, or a password was used)", - "OS": "Windows", - "Example": [ - "Incoming 2022-08-23, 10:23 Passwd 547911884 547911884", - "Incoming 2022-09-28, 12:39 User 442226597 442226597" - ] - }, - { - "File": "%APPDATA%\\AnyDesk\\connection_trace.txt", - "Description": "Incoming connection logs, contains IP Address of the remote machine and file transfer activity. Only generated on target side. The content indicates how the connection was approved (e.g. the local user authorized it, or a password was used)", - "OS": "Windows", - "Example": [ - "Incoming 2022-08-23, 10:23 Passwd 547911884 547911884", - "Incoming 2022-09-28, 12:39 User 442226597 442226597" - ] - }, - { - "File": "%APPDATA%\\AnyDesk\\ad.trace", - "Description": "AnyDesk user interface log file. In this log file, we can determine the IP address of the other participant and its AnyDesk ID. It is also possible to track events of file transfer. Below is the Client ID and external IP address of the remote participant.", - "OS": "Windows", - "Example": [ - "info 2022-09-28 12:39:26.845 lsvc 9952 9944 21 anynet.any_socket - Client-ID: 442226597 (FPR: 8e28a2a25b30).", - "info 2022-09-28 12:39:26.845 lsvc 9952 9944 21 anynet.any_socket - Logged in from 12.xx.xx.21:59562 on relay 80e496c0." 
- ] - }, - { - "File": "%APPDATA%\\AnyDesk\\chat\\*.txt", - "Description": "If the chat functionality is used, its entries will be printed in a text file in this folder.", - "OS": "Windows" - }, - { - "File": "%APPDATA%\\AnyDesk\\user.conf", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "%PROGRAMDATA%\\AnyDesk\\service.conf", - "Description": "Password can be set to auto-validate the session. The password will be saved in a salted hash format.", - "OS": "Windows" - }, - { - "File": "%APPDATA%\\AnyDesk\\service.conf", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "%APPDATA%\\AnyDesk\\system.conf", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "%PROGRAMDATA%\\AnyDesk\\system.conf", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\AnyDesk.lnk", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\AnyDesk\\Uninstall AnyDesk.lnk", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Users\\*\\Videos\\AnyDesk\\*.anydesk", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Windows\\SysWOW64\\config\\systemprofile\\AppData\\Roaming\\AnyDesk\\*", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "~/Library/Application Support/AnyDesk/Logs/", - "Description": "N/A", - "OS": "Mac" - }, - { - "File": "~/.config/AnyDesk/Logs/", - "Description": "N/A", - "OS": "Linux" - } - ], - "EventLog": [ - { - "EventID": 7045, - "ProviderName": "Service Control Manager", - "LogFile": "System.evtx", - "ServiceName": "AnyDesk Service", - "ImagePath": "\"C:\\\\Program Files (x86)\\\\AnyDesk\\\\AnyDesk.exe\" --service", - "Description": "Service installation event as result of AnyDesk installation." 
- }, - { - "EventID": 4697, - "ProviderName": "Microsoft-Security-Auditing", - "LogFile": "Security.evtx", - "ServiceName": "AnyDesk Service", - "ImagePath": "\"C:\\\\Program Files (x86)\\\\AnyDesk\\\\AnyDesk.exe\" --service", - "Description": "Service installation event as result of AnyDesk installation." - } - ], - "Registry": [ - { - "Path": "HKLM\\SOFTWARE\\Clients\\Media\\AnyDesk", - "Description": "N/A" - }, - { - "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\AnyDesk", - "Description": "N/A" - }, - { - "Path": "HKLM\\SOFTWARE\\Classes\\.anydesk\\shell\\open\\command", - "Description": "N/A" - }, - { - "Path": "HKLM\\SOFTWARE\\Classes\\AnyDesk\\shell\\open\\command", - "Description": "N/A" - }, - { - "Path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\AnyDesk Printer\\*", - "Description": "N/A" - }, - { - "Path": "HKLM\\DRIVERS\\DriverDatabase\\DeviceIds\\USBPRINT\\AnyDesk", - "Description": "N/A" - }, - { - "Path": "HKLM\\DRIVERS\\DriverDatabase\\DeviceIds\\WSDPRINT\\AnyDesk", - "Description": "N/A" - }, - { - "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\AnyDesk", - "Description": "N/A" - } - ], + "Disk": [], + "EventLog": [], + "Registry": [], "Network": [ { - "Description": "During setup the boot.net.anydesk.com domain is request over port 443", - "Domains": [ - "boot.net.anydesk.com" - ], - "Ports": [ - 443 - ] - }, - { - "Description": "N/A", - "Domains": [ - "relay-[a-f0-9]{8}.net.anydesk.com:443" - ], - "Ports": [ - 443 - ] - }, - { - "Description": "N/A", + "Description": "Known remote domains", "Domains": [ - "*.anydesk.com" + "*.khelpdesk.com.br" ], - "Ports": [ - 443 - ] - } - ], - "Other": [ - { - "Type": "User-Agent", - "Value": "AnyDesk/*" - }, - { - "Type": "NamedPipe", - "Value": "adprinterpipe" + "Ports": [] } ] }, "Detections": [ { - "Sigma": 
"https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/builtin/system/service_control_manager/win_system_service_install_anydesk.yml", - "Description": "Anydesk Remote Access Software Service Installation" - }, - { - "Sigma": "https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml", - "Description": "N/A" - }, - { - "Sigma": "https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk.yml", - "Description": "N/A" - }, - { - "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml", - "Description": "Remote Access Tool - AnyDesk Silent Installation" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_registry_sigma.yml", - "Description": "Detects potential registry activity of AnyDesk RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_network_sigma.yml", - "Description": "Detects potential network activity of AnyDesk RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/khelpdesk_network_sigma.yml", + "Description": "Detects potential network activity of KHelpDesk RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_files_sigma.yml", - "Description": "Detects potential files activity of AnyDesk RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/khelpdesk_processes_sigma.yml", + "Description": "Detects potential processes activity of KHelpDesk RMM tool" } ], "References": [ - "https://support.anydesk.com/knowledge/firewall", - 
"https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html", - "https://github.com/mthcht/awesome-lists/tree/79ced75eebe53bcabf1235b3c17eb11788875482/Lists/RMM/anydesk", - "https://ruler-project.github.io/ruler-project/RULER/remote/AnyDesk/" + "https://www.khelpdesk.com.br/en-us" ], - "Acknowledgement": [ - { - "Person": "Théo Letailleur", - "Handle": "in/theosyn" - }, - { - "Person": "Ali Alwashali", - "Handle": "@ali_alwashali" - }, - { - "Person": "Nasreddine Bencherchali", - "Handle": "@nas_bench" - } - ] + "Acknowledgement": [] }, { - "Name": "Free Ping Tool", - "Description": "Free Ping Tool is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "TurboMeeting", + "Description": "TurboMeeting is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -3930,26 +4051,47 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "can't find this one", - "can't find this one" + "pcstarter.exe", + "turbomeeting.exe", + "turbomeetingstarter.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "user_managed", + "acceo.com/turbomeeting/" + ], + "Ports": [] + } + ] }, - "Detections": [], - "References": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/turbomeeting_network_sigma.yml", + "Description": "Detects potential network activity of TurboMeeting RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/turbomeeting_processes_sigma.yml", + "Description": "Detects potential processes activity of TurboMeeting RMM tool" + } + ], + "References": [ + "http://sourcing.rhubcom.com/v5/faqs.html#collapsetwentysix2-topdiv" + ], "Acknowledgement": [] }, { - "Name": "S3 Browser", - "Description": "S3 Browser is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "RPort", + "Description": "RPort is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -3964,29 +4106,42 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\S3 Browser\\*", - "*\\S3 Browser\\*", - "*\\s3browser*.exe" + "rport.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "user_managed", + "rport.io" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/s3_browser_processes_sigma.yml", - "Description": "Detects potential processes activity of S3 Browser RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rport_network_sigma.yml", + "Description": "Detects potential network activity of RPort RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rport_processes_sigma.yml", + "Description": "Detects potential processes activity of RPort RMM tool" } ], - "References": [], + "References": [ + "https://kb.rport.io/using-the-remote-access" + ], "Acknowledgement": [] }, { - "Name": "NinjaOne (formerly NinjaRMM)", - "Description": "NinjaOne (formerly NinjaRMM) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "MioNet (Also known as WD Anywhere Access)", + "Description": "MioNet (Also known as WD Anywhere Access) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -4004,7 +4159,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "*ProgramData\\NinjaRMMAgent\\*" + "mionet.exe", + "mionetmanager.exe" ] }, "Artifacts": { 
@@ -4013,16 +4169,21 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mionet__also_known_as_wd_anywhere_access__processes_sigma.yml", + "Description": "Detects potential processes activity of MioNet (Also known as WD Anywhere Access) RMM tool" + } + ], "References": [], "Acknowledgement": [] }, { - "Name": "Adobe Connect", - "Description": "Adobe Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "OCS inventory", + "Description": "OCS inventory is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/27/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -4037,10 +4198,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ConnectAppSetup*.exe", - "ConnectShellSetup*.exe", - "Connect.exe", - "ConnectDetector.exe" + "ocsinventory.exe", + "ocsservice.exe" ] }, "Artifacts": { @@ -4051,7 +4210,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.adobeconnect.com" + "user_managed", + "ocsinventory-ng.org" ], "Ports": [] } 
@@ -4059,25 +4219,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/adobe_connect_network_sigma.yml", - "Description": "Detects potential network activity of Adobe Connect RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ocs_inventory_network_sigma.yml", + "Description": "Detects potential network activity of OCS inventory RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/adobe_connect_processes_sigma.yml", - "Description": "Detects potential processes activity of Adobe Connect RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ocs_inventory_processes_sigma.yml", + "Description": "Detects potential processes activity of OCS inventory RMM tool" } ], "References": [ - "https://helpx.adobe.com/adobe-connect/firewall-proxy-server-configuration-adobe-connect.html" + "https://ocsinventory-ng.org/?page_id=878&lang=en" ], "Acknowledgement": [] }, { - "Name": "RemotePC", - "Description": "RemotePC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "RemotePass", + "Description": "RemotePass is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -4092,16 +4252,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\RemotePC\\*", - "Idrive.File-Transfer", - "*\\RemotePC\\*", - "remotepcservice.exe", - "RemotePC.exe", - "remotepchost.exe", - "idrive.RemotePCAgent", - "rpcsuite.exe", - "*\\RemotePCService.exe", - "RemotePCService.exe" + "remotepass-access.exe", + "rpaccess.exe", + "rpwhostscr.exe" ] }, "Artifacts": { 
@@ -4112,10 +4265,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.remotedesktop.com", - "*.remotepc.com", - "www.remotepc.com", - "remotepc.com" + "remotepass.com" ], "Ports": [] } @@ -4123,25 +4273,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepc_network_sigma.yml", - "Description": "Detects potential network activity of RemotePC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepass_network_sigma.yml", + "Description": "Detects potential network activity of RemotePass RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepc_processes_sigma.yml", - "Description": "Detects potential processes activity of RemotePC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepass_processes_sigma.yml", + "Description": "Detects potential processes activity of RemotePass RMM tool" } ], "References": [ - "https://www.remotedesktop.com/helpdesk/faq-firewall" + "https://www.remotepass.com/rpaccess.html - DOA as of 2024" ], "Acknowledgement": [] }, { - "Name": "LogMeIn rescue", - "Description": "LogMeIn rescue is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "GoToAssist (GoTo Resolve)", + "Description": "GoToAssist (GoTo Resolve) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -4156,48 +4306,27 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "support-logmeinrescue*.exe", - "support-logmeinrescue.exe", - "lmi_rescue.exe" + "C:\\ProgramFiles*\\GoTo Machine Installer\\*", + "*\\GoTo Machine Installer\\*", + "*\\GoTo\\*" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.logmeinrescue.com", - "*.logmeinrescue.eu", - "logmeinrescue.com" - ], - "Ports": [] - } - ] + "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_rescue_network_sigma.yml", - "Description": "Detects potential network activity of LogMeIn rescue RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_rescue_processes_sigma.yml", - "Description": "Detects potential processes activity of LogMeIn rescue RMM tool" - } - ], - "References": [ - "https://support.logmeinrescue.com/rescue/help/allowlisting-and-rescue" - ], + "Detections": [], + "References": [], "Acknowledgement": [] }, { - "Name": "UltraViewer", - "Description": "UltraViewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Comodo RMM", + "Description": "Comodo RMM is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -4212,18 +4341,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "UltraViewer_Service.exe", - "UltraViewer_setup*", - "UltraViewer_Desktop.exe", - "ultraviewer.exe", - "C:\\Program Files (x86)\\UltraViewer\\UltraViewer_Desktop.exe", - "*\\UltraViewer\\", - "*\\UltraViewer_Desktop.exe", - "ultraviewer_desktop.exe", - "ultraviewer_service.exe", - "UltraViewer_Desktop.exe", - "UltraViewer_setup*", - "UltraViewer_Service.exe" + "itsmagent.exe", + "rviewer.exe" ] }, "Artifacts": { @@ -4234,8 +4353,9 @@ { "Description": "Known remote domains", "Domains": [ - "* .ultraviewer.net", - "ultraviewer.net" + "*.itsm-us1.comodo.com", + "*mdmsupport.comodo.com", + "one.comodo.com" ], "Ports": [] } 
@@ -4243,25 +4363,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultraviewer_network_sigma.yml", - "Description": "Detects potential network activity of UltraViewer RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/comodo_rmm_network_sigma.yml", + "Description": "Detects potential network activity of Comodo RMM RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultraviewer_processes_sigma.yml", - "Description": "Detects potential processes activity of UltraViewer RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/comodo_rmm_processes_sigma.yml", + "Description": "Detects potential processes activity of Comodo RMM RMM tool" } ], "References": [ - "https://www.ultraviewer.net/en/200000026-summary-of-ultraviewer-s-security-information.html" + "https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html" ], "Acknowledgement": [] }, { - "Name": "Pandora RC (eHorus)", - "Description": "Pandora RC (eHorus) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ShowMyPC", + "Description": "ShowMyPC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -4276,8 +4396,10 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ehorus standalone.exe", - "ehorus_agent.exe" + "SMPCSetup.exe", + "showmypc*.exe", + "showmypc.exe", + "smpcsetup.exe" ] }, "Artifacts": { @@ -4288,7 +4410,8 @@ { "Description": "Known remote domains", "Domains": [ - "portal.ehorus.com" + "*.showmypc.com", + "showmypc.com" ], "Ports": [] } 
@@ -4296,25 +4419,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pandora_rc__ehorus__network_sigma.yml", - "Description": "Detects potential network activity of Pandora RC (eHorus) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/showmypc_network_sigma.yml", + "Description": "Detects potential network activity of ShowMyPC RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pandora_rc__ehorus__processes_sigma.yml", - "Description": "Detects potential processes activity of Pandora RC (eHorus) RMM tool" - } + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/showmypc_processes_sigma.yml", + "Description": "Detects potential processes activity of ShowMyPC RMM tool" + } ], "References": [ - "https://pandorafms.com/manual/!current/en/documentation/09_pandora_rc/01_pandora_rc_introduction" + "https://showmypc.com/service/faq/ShowMyPCSecurityOverview1.pdf" ], "Acknowledgement": [] }, { - "Name": "IntelliAdmin Remote Control", - "Description": "IntelliAdmin Remote Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ToDesk", + "Description": "ToDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { @@ -4329,11 +4452,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "iadmin.exe", - "intelliadmin.exe", - "agent32.exe", - "agent64.exe", - "agent_setup_5.exe" + "todesk.exe", + "ToDesk_Service.exe", + "ToDesk_Setup.exe" ] }, "Artifacts": { 
@@ -4344,9 +4465,10 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "*.intelliadmin.com", - "intelliadmin.com/remote-control" + "todesk.com", + "*.todesk.com", + "*.todesk.com", + "todesktop.com" ], "Ports": [] } @@ -4354,22 +4476,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/intelliadmin_remote_control_network_sigma.yml", - "Description": "Detects potential network activity of IntelliAdmin Remote Control RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/todesk_network_sigma.yml", + "Description": "Detects potential network activity of ToDesk RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/intelliadmin_remote_control_processes_sigma.yml", - "Description": "Detects potential processes activity of IntelliAdmin Remote Control RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/todesk_processes_sigma.yml", + "Description": "Detects potential processes activity of ToDesk RMM tool" } ], "References": [ - "intelliadmin.com/remote-control" + "https://www.todesk.com/" ], "Acknowledgement": [] }, { - "Name": "MEGAsync", - "Description": "MEGAsync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "RunSmart", + "Description": "RunSmart is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -4386,36 +4508,37 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\Users\\*\\AppData\\Local\\MEGAsync\\*", - "*Users\\*\\AppData\\Local\\MEGAsync\\*", - "*Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*", - "*ProgramData\\MEGAsync\\*", - "*\\MEGAsyncSetup64.exe", - "*\\MEGAupdater.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "runsmart.io" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/megasync_processes_sigma.yml", - "Description": "Detects potential processes activity of MEGAsync RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/runsmart_network_sigma.yml", + "Description": "Detects potential network activity of RunSmart RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "Encapto", - "Description": "Encapto is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "VNC Connect", + "Description": "VNC Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -4429,39 +4552,27 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "C:\\Program Files\\RealVNC\\VNC Server\\*", + "*\\RealVNC\\VNC Server\\*" + ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "encapto.com" - ], - "Ports": [] - } - ] + "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/encapto_network_sigma.yml", - "Description": "Detects potential network activity of Encapto RMM tool" - } - ], - "References": [ - "https://www.encapto.com - used to manage Cisco services" - ], + "Detections": [], + "References": [], "Acknowledgement": [] }, { - "Name": "ShowMyPC", - "Description": "ShowMyPC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Echoware", + "Description": "Echoware is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -4476,45 +4587,164 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "SMPCSetup.exe", - "showmypc*.exe", - "showmypc.exe", - "smpcsetup.exe" + "echoserver*.exe", + "echoware.dll" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], + "Network": [] + }, + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/echoware_processes_sigma.yml", + "Description": "Detects potential processes activity of Echoware RMM tool" + } + ], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "Alpemix", + "Description": "Alpemix is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.\n", + "Author": "Nasreddine Bencherchali", + "Created": "2024-08-05", + "LastModified": "2024-08-05", + "Details": { + "Website": "https://www.alpemix.com/en/Home", + "PEMetadata": [ + { + "Filename": "Alpemix.exe", + "OriginalFileName": "Alpemix", + "Description": "Alpemix", + "Product": "Alpemix", + "InternalName": "Alpemix" + } + ], + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [ + "Windows", + "Linux", + "Android", + "Mac", + "IOS" + ], + "Capabilities": [ + "5 Different Solutions for Remote Support", + "Access to Unattended Computers", + "Access to User Account Control (UAC) Screens", + "Add Your Own Logo", + "Auto Sizing", + "Automatic Update", + "Clipboard Transfer", + "Computer Independent Licensing", + "Contact List and Groups", + "Encrypted Communication", + "External Communication Barrier", + "File Transfer", + "Instant Messaging", + "Multi-Platform Support", + "Multiple Chat", + "Multiple Connections", + "No Port Forwarding Required", + "Peer to Peer Connection (p2p)", + "Receiving Offline Message", + "Remote Restart", + "ReportingRestricting The Authority", + "Screen Sharing", + "Sending Announcement Message", + "Sharing a certain part of the screen", + "Video Recording", + "Voice Communication", + "Who is currently 
supporting?", + "Working in Black Screen Mode" + ], + "Vulnerabilities": [], + "InstallationPaths": [ + "C:\\AlpemixService.exe", + "C:\\AlpemixSrvc\\" + ] + }, + "Artifacts": { + "Disk": [ + { + "File": "%localappdata%\\Alpemix\\Alpemix.ini", + "Description": "N/A", + "OS": "Windows" + } + ], + "EventLog": [ + { + "EventID": 7045, + "ProviderName": "Service Control Manager", + "LogFile": "System.evtx", + "ServiceName": "AlpemixSrvc", + "ImagePath": "*\\Alpemix.exe servicestartxxx", + "Description": "Service installation event as result of Alpemix installation." + } + ], + "Registry": [ + { + "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\AlpemixSrvcx", + "Description": "N/A" + } + ], "Network": [ { - "Description": "Known remote domains", "Domains": [ - "*.showmypc.com", - "showmypc.com" + "*.alpemix.com" ], - "Ports": [] + "Ports": [ + 443 + ], + "Description": "N/A" + }, + { + "Domains": [ + "*.teknopars.com" + ], + "Ports": [ + 80 + ], + "Description": "N/A" } ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/showmypc_network_sigma.yml", - "Description": "Detects potential network activity of ShowMyPC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_registry_sigma.yml", + "Description": "Detects potential registry activity of Alpemix RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/showmypc_processes_sigma.yml", - "Description": "Detects potential processes activity of ShowMyPC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_network_sigma.yml", + "Description": "Detects potential network activity of Alpemix RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_files_sigma.yml", + "Description": "Detects potential files activity of Alpemix RMM tool" + }, + { + "Sigma": 
"https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_processes_sigma.yml", + "Description": "Detects potential processes activity of Alpemix RMM tool" } ], "References": [ - "https://showmypc.com/service/faq/ShowMyPCSecurityOverview1.pdf" + "https://www.alpemix.com/en/remote-access" ], - "Acknowledgement": [] + "Acknowledgement": [ + { + "Person": "Nasreddine Bencherchali", + "Handle": "@nas_bench" + } + ] }, { - "Name": "Lite Manager", - "Description": "Lite Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Royal TS", + "Description": "Royal TS is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -4532,24 +4762,39 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files\\LiteManager Pro – Viewer\\*", - "*\\LiteManager Pro – Viewer\\*", - "*\\LMNoIpServer.exe." + "royalts.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "royalapps.com" + ], + "Ports": [] + } + ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_ts_network_sigma.yml", + "Description": "Detects potential network activity of Royal TS RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_ts_processes_sigma.yml", + "Description": "Detects potential processes activity of Royal TS RMM tool" + } + ], "References": [], "Acknowledgement": [] }, { - "Name": "Netop Remote Control (aka Impero Connect)", - "Description": "Netop Remote Control (aka Impero Connect) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "DragonDisk", + "Description": "DragonDisk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -4567,10 +4812,50 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "nhostsvc.exe", - "nhstw32.exe", - "nldrw32.exe", - "rmserverconsolemediator.exe" + "C:\\Program Files (x86)\\Almageste\\DragonDisk\\*", + "*\\Almageste\\DragonDisk\\*", + "*\\DragonDisk.exe" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dragondisk_processes_sigma.yml", + "Description": "Detects potential processes activity of DragonDisk RMM tool" + } + ], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "Pcvisit", + "Description": "Pcvisit is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/9/2024", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "pcvisit.exe", + "pcvisit_client.exe", + "pcvisit-easysupport.exe", + "pcvisit_service_client.exe" ] }, "Artifacts": { @@ -4581,7 +4866,8 @@ { "Description": "Known remote domains", "Domains": [ - "imperosoftware.com/impero-connect/" + "*.pcvisit.de", + "pcvisit.de" ], "Ports": [] } 
@@ -4589,23 +4875,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__aka_impero_connect__network_sigma.yml", - "Description": "Detects potential network activity of Netop Remote Control (aka Impero Connect) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcvisit_network_sigma.yml", + "Description": "Detects potential network activity of Pcvisit RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__aka_impero_connect__processes_sigma.yml", - "Description": "Detects potential processes activity of Netop Remote Control (aka Impero Connect) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcvisit_processes_sigma.yml", + "Description": "Detects potential processes activity of Pcvisit RMM tool" } ], - "References": [], + "References": [ + "https://www.pcvisit.de/" + ], "Acknowledgement": [] }, { - "Name": "GoToAssist", - "Description": "GoToAssist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Connectwise Automate (LabTech)", + "Description": "Connectwise Automate (LabTech) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -4620,9 +4908,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "gotoassist.exe", - "g2a*.exe", - "GoTo Assist Opener.exe" + "ltsvc.exe", + "ltsvcmon.exe", + "lttray.exe" ] }, "Artifacts": { 
@@ -4633,14 +4921,7 @@ { "Description": "Known remote domains", "Domains": [ - "goto.com", - "*.getgo.com", - "*.fastsupport.com", - "*.gotoassist.com", - "helpme.net", - "*.gotoassist.me", - "*.gotoassist.at", - "*.desktopstreaming.com" + "*.hostedrmm.com" ], "Ports": [] } @@ -4648,22 +4929,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotoassist_network_sigma.yml", - "Description": "Detects potential network activity of GoToAssist RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_automate__labtech__network_sigma.yml", + "Description": "Detects potential network activity of Connectwise Automate (LabTech) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotoassist_processes_sigma.yml", - "Description": "Detects potential processes activity of GoToAssist RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_automate__labtech__processes_sigma.yml", + "Description": "Detects potential processes activity of Connectwise Automate (LabTech) RMM tool" } ], "References": [ - "https://help.gotoassist.com/remote-support/help/what-should-i-allow-on-my-firewall-for-gotoassist-remote-support-v5" + "https://www.connectwise.com/company/announcements/labtech-now-connectwise-automate" ], "Acknowledgement": [] }, { - "Name": "Ericom Connect", - "Description": "Ericom Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "DameWare", + "Description": "DameWare is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/7/2024", 
@@ -4681,8 +4962,15 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "EricomConnectRemoteHost*.exe", - "ericomconnnectconfigurationtool.exe" + "SolarWinds-Dameware-DRS*.exe", + "DameWare Mini Remote Control*.exe", + "C:\\Windows\\dwrcs\\*\n c:\\Program File\\SolarWinds\\Dameware Mini Remote Control\\*", + "dntus*.exe", + "dwrcs.exe", + "*\\dwrcs\\*", + "*\\dwrcst.exe", + "DameWare Remote Support.exe", + "SolarWinds-Dameware-MRC*.exe" ] }, "Artifacts": { @@ -4693,8 +4981,7 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "ericom.com" + "dameware.com" ], "Ports": [] } 
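Review bot: The third DameWare InstallationPaths entry added in this hunk fuses two paths into a single string with an embedded newline (`"C:\\Windows\\dwrcs\\*\n c:\\Program File\\SolarWinds\\Dameware Mini Remote Control\\*"`), so a process or file rule derived from it can never match either location. Split it into two entries, `"C:\\Windows\\dwrcs\\*"` and `"C:\\Program Files\\SolarWinds\\Dameware Mini Remote Control\\*"` (the `Program File` spelling also looks like a typo, worth confirming against an install). This JSON appears to be a regenerated export of the yaml/ sources, so the correction belongs in the DameWare YAML rather than in this file.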
@@ -4702,312 +4989,122 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_connect_network_sigma.yml", - "Description": "Detects potential network activity of Ericom Connect RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware-mini_remote_control_protocol_network_sigma.yml", + "Description": "Detects potential network activity of Dameware-mini remote control Protocol RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_connect_processes_sigma.yml", - "Description": "Detects potential processes activity of Ericom Connect RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware_processes_sigma.yml", + "Description": "Detects potential processes activity of DameWare RMM tool" } ], "References": [ - "https://www.ericom.com/connect-accessnow/" + "https://documentation.solarwinds.com/en/success_center/dameware/content/install-standalone-port-requirements.htm" ], "Acknowledgement": [] }, { - "Name": "TeamViewer", - "Description": "TeamViewer is a remote monitoring and management (RMM) tool.\n", - "Author": "Nasreddine Bencherchali, Michael Haag", - "Created": "2024-08-02", - "LastModified": "2024-08-02", + "Name": "Onionshare", + "Description": "Onionshare is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "", "Details": { - "Website": "https://www.teamviewer.com/en", - "PEMetadata": [ - { - "Filename": "TeamViewer.exe", - "OriginalFileName": "", - "Description": "", - "Product": "TeamViewer" - } - ], - "Privileges": "user", - "Free": true, - "Verification": false, - "SupportedOS": [ - "Android", - "ChromeOS", - "IOS", - "Linux", - "Mac", - "Windows" - ], + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], "Capabilities": [], - "Vulnerabilities": [ - "https://www.cvedetails.com/vulnerability-list/vendor_id-11100/product_id-19942/Teamviewer-Teamviewer.html" - ], + "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files\\TeamViewer\\", - "teamviewer_desktop.exe", - "teamviewer_service.exe", - "teamviewerhost" + "C:\\Program Files (x86)\\OnionShare\\*", + "*\\OnionShare\\*", + "*\\onionshare*.exe", + "OnionShare-win*.msi" ] }, "Artifacts": { - "Disk": [ - { - "File": "C:\\Users\\\\AppData\\Local\\Temp\\TeamViewer\\TV15Install.log", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "TeamViewer\\d\\d_Logfile\\.log", - "Description": "N/A", - "OS": "Windows", - "Type": "Regex" - }, - { - "File": "C:\\Program Files\\TeamViewer\\Connections_incoming.txt", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Program Files\\TeamViewer\\TVNetwork.log", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "%LOCALAPPDATA%\\Temp\\TeamViewer\\TV15Install.log", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "%APPDATA%\\\\TeamViewer\\\\TeamViewer\\d\\d_Logfile\\.log", - "Description": "N/A", - "OS": "Windows", - "Type": "Regex" - }, - { - "File": "teamviewerqs.exe", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "tv_w32.exe", - "Description": "N/A", - "OS": "Windows" - }, - { - 
"File": "tv_w64.exe", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "tv_x64.exe", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "teamviewer.exe", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "teamviewer_service.exe", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "%LOCALAPPDATA%\\TeamViewer\\Database\\tvchatfilecache.db", - "Description": "SQlite 3 database storing cache about TeamViewer chat", - "OS": "Windows" - }, - { - "File": "%LOCALAPPDATA%\\TeamViewer\\RemotePrinting\\tvprint.db", - "Description": "SQlite 3 database storing TeamViewer print jobs", - "OS": "Windows" - }, - { - "File": "%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\TeamViewer.lnk", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Program Files*\\TeamViewer\\connections*.txt", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Users\\*\\AppData\\Roaming\\TeamViewer\\MRU\\RemoteSupport\\*tvc", - "Description": "N/A", - "OS": "Windows" - } - ], - "EventLog": [ - { - "EventID": 7045, - "ProviderName": "Service Control Manager", - "LogFile": "System.evtx", - "ServiceName": "TeamViewer", - "ImagePath": "\"C:\\\\Program Files\\\\TeamViewer\\\\TeamViewer_Service.exe\"", - "Description": "Service installation event as result of TeamViewer installation." 
- } - ], - "Registry": [ - { - "Path": "HKLM\\SOFTWARE\\TeamViewer\\*", - "Description": "N/A" - }, - { - "Path": "HKU\\\\SOFTWARE\\TeamViewer\\*", - "Description": "N/A" - }, - { - "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\TeamViewer\\*", - "Description": "N/A" - }, - { - "Path": "HKLM\\SOFTWARE\\TeamViewer\\ConnectionHistory", - "Description": "N/A" - }, - { - "Path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\TeamViewer\\*", - "Description": "N/A" - }, - { - "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\MainWindowHandle", - "Description": "N/A" - }, - { - "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImage", - "Description": "N/A" - }, - { - "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImagePath", - "Description": "N/A" - }, - { - "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImagePosition", - "Description": "N/A" - }, - { - "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\MinimizeToTray", - "Description": "N/A" - }, - { - "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioUserSelectedCapturingEndpoint", - "Description": "N/A" - }, - { - "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioSendingVolumeV2", - "Description": "N/A" - }, - { - "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioUserSelectedRenderingEndpoint", - "Description": "N/A" - }, - { - "Path": "HKLM\\SOFTWARE\\TeamViewer\\ConnectionHistory", - "Description": "N/A" - }, - { - "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\ClientWindow_Mode", - "Description": "N/A" - }, - { - "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\ClientWindowPositions", - "Description": "N/A" - } - ], - "Network": [ + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/onionshare_processes_sigma.yml", + "Description": "Detects potential processes activity of Onionshare RMM tool" + } + ], + "References": [], + "Acknowledgement": 
[] + }, + { + "Name": "Tailscale", + "Description": "Tailscale is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/14/2024", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "tailscale-*.exe", + "tailscaled.exe", + "tailscale-ipn.exe" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [ { "Description": "Known remote domains", "Domains": [ - "*.teamviewer.com" + "*.tailscale.com", + "*.tailscale.io", + "tailscale.com" ], "Ports": [] - }, - { - "Description": "N/A", - "Domains": [ - "router15.teamviewer.com" - ], - "Ports": [ - 443 - ] - }, - { - "Description": "N/A", - "Domains": [ - "client.teamviewer.com" - ], - "Ports": [ - 443 - ] - }, - { - "Description": "N/A", - "Domains": [ - "taf.teamviewer.com" - ], - "Ports": [ - 443 - ] - } - ], - "Other": [ - { - "Type": "Mutex", - "Value": "TeamViewer_LogMutex" - }, - { - "Type": "Mutex", - "Value": "TeamViewerHooks_DynamicMemMutex" - }, - { - "Type": "Mutex", - "Value": "TeamViewer3_Win32_Instance_Mutex" } ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_registry_sigma.yml", - "Description": "Detects potential registry activity of TeamViewer RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_network_sigma.yml", - "Description": "Detects potential network activity of TeamViewer RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_files_sigma.yml", - "Description": "Detects potential files activity of TeamViewer RMM tool" + "Sigma": 
"https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tailscale_network_sigma.yml", + "Description": "Detects potential network activity of Tailscale RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_processes_sigma.yml", - "Description": "Detects potential processes activity of TeamViewer RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tailscale_processes_sigma.yml", + "Description": "Detects potential processes activity of Tailscale RMM tool" } ], "References": [ - "https://community.teamviewer.com/English/kb/articles/4139-ports-used-by-teamviewer", - "https://arista.my.site.com/AristaCommunity/s/article/Security-Analysis-TeamViewer#", - "https://www.teamviewer.com/en/global/support/knowledge-base/teamviewer-classic/troubleshooting/log-file-reading-incoming-connection/", - "https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html", - "https://github.com/Purp1eW0lf/Blue-Team-Notes" + "https://tailscale.com/kb/1023/troubleshooting" ], - "Acknowledgement": [ - { - "Person": "Théo Letailleur", - "Handle": "in/theosyn" - } - ] + "Acknowledgement": [] }, { - "Name": "Access Remote PC", - "Description": "Access Remote PC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Senso.cloud", + "Description": "Senso.cloud is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -5022,31 +5119,47 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "rpcgrab.exe", - "rpcsetup.exe" + "SensoClient.exe", + "SensoService.exe", + "aadg.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.senso.cloud", + "senso.cloud" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/access_remote_pc_processes_sigma.yml", - "Description": "Detects potential processes activity of Access Remote PC RMM tool" - } - ], - "References": [], - "Acknowledgement": [] - }, + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/senso.cloud_network_sigma.yml", + "Description": "Detects potential network activity of Senso.cloud RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/senso.cloud_processes_sigma.yml", + "Description": "Detects potential processes activity of Senso.cloud RMM tool" + } + ], + "References": [ + "https://support.senso.cloud/support/solutions/articles/79000116305-firewall-and-content-filter-configuration" + ], + "Acknowledgement": [] + }, { - "Name": "SecureCRT", - "Description": "SecureCRT is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "UltraViewer", + "Description": "UltraViewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -5061,32 +5174,56 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\*\\SecureCRT.EXE", - "*\\SecureCRT.EXE", - "*\\VanDyke Software\\ClientPack\\*" + "UltraViewer_Service.exe", + "UltraViewer_setup*", + "UltraViewer_Desktop.exe", + "ultraviewer.exe", + "C:\\Program Files (x86)\\UltraViewer\\UltraViewer_Desktop.exe", + "*\\UltraViewer\\", + "*\\UltraViewer_Desktop.exe", + "ultraviewer_desktop.exe", + "ultraviewer_service.exe", + "UltraViewer_Desktop.exe", + "UltraViewer_setup*", + "UltraViewer_Service.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "* .ultraviewer.net", + "ultraviewer.net" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/securecrt_processes_sigma.yml", - "Description": "Detects potential processes activity of SecureCRT RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultraviewer_network_sigma.yml", + "Description": "Detects potential network activity of UltraViewer RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultraviewer_processes_sigma.yml", + "Description": "Detects potential processes activity of UltraViewer RMM tool" } ], - "References": [], + "References": [ + "https://www.ultraviewer.net/en/200000026-summary-of-ultraviewer-s-security-information.html" + ], "Acknowledgement": [] }, { - "Name": "Acronic Cyber Protect (Remotix)", - "Description": "Acronic Cyber Protect (Remotix) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "KickIdler", + "Description": "KickIdler is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/26/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -5101,8 +5238,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "AcronisCyberProtectConnectQuickAssist*.exe", - "AcronisCyberProtectConnectAgent.exe" + "grabberEM.*msi", + "grabberTT*.msi" ] }, "Artifacts": { @@ -5113,10 +5250,8 @@ { "Description": "Known remote domains", "Domains": [ - "cloud.acronis.com", - "agents*-cloud.acronis.com", - "gw.remotix.com", - "connect.acronis.com" + "kickidler.com", + "my.kickidler.com" ], "Ports": [] } 
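Review bot: The UltraViewer network entry added in the `@@ -5061,32 +5174,56 @@` hunk contains `"* .ultraviewer.net"` with a space between the wildcard and the dot, which is not a valid domain pattern and will silently never match in any network rule generated from it; it should read `"*.ultraviewer.net"`. The same hunk lists `UltraViewer_Desktop.exe`, `UltraViewer_setup*` and `UltraViewer_Service.exe` twice verbatim in InstallationPaths, which is harmless but inflates the generated detections. Since this JSON looks regenerated from yaml/, fix the UltraViewer YAML source rather than the export.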
@@ -5124,25 +5259,52 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/acronic_cyber_protect__remotix__network_sigma.yml", - "Description": "Detects potential network activity of Acronic Cyber Protect (Remotix) RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/acronic_cyber_protect__remotix__processes_sigma.yml", - "Description": "Detects potential processes activity of Acronic Cyber Protect (Remotix) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kickidler_network_sigma.yml", + "Description": "Detects potential network activity of KickIdler RMM tool" } ], "References": [ - "https://kb.acronis.com/content/47189" + "https://www.kickidler.com/for-it/faq/" ], "Acknowledgement": [] }, { - "Name": "Sorillus", - "Description": "Sorillus is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Remmina", + "Description": "Remmina is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "eHorus", + "Description": "eHorus is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -5157,8 +5319,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "Sorillus-Launcher*.exe", - "Sorillus Launcher.exe" + "ehorus standalone.exe" ] }, "Artifacts": { @@ -5169,8 +5330,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.sorillus.com", - "sorillus.com" + "ehorus.com" ], "Ports": [] } @@ -5178,25 +5338,23 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sorillus_network_sigma.yml", - "Description": "Detects potential network activity of Sorillus RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ehorus_network_sigma.yml", + "Description": "Detects potential network activity of eHorus RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sorillus_processes_sigma.yml", - "Description": "Detects potential processes activity of Sorillus RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ehorus_processes_sigma.yml", + "Description": "Detects potential processes activity of eHorus RMM tool" } ], - "References": [ - "https://sorillus.com/" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "Barracuda", - "Description": "Barracuda is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Quick Assist", + "Description": "Quick Assist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -5210,7 +5368,9 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "quickassist.exe" + ] }, "Artifacts": { "Disk": [], 
@@ -5220,9 +5380,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.islonline.net", - "rmm.barracudamsp.com", - "barracudamsp.com" + "*.support.services.microsoft.com" ], "Ports": [] } @@ -5230,21 +5388,23 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/barracuda_network_sigma.yml", - "Description": "Detects potential network activity of Barracuda RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quick_assist_network_sigma.yml", + "Description": "Detects potential network activity of Quick Assist RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quick_assist_processes_sigma.yml", + "Description": "Detects potential processes activity of Quick Assist RMM tool" } ], - "References": [ - "https://help.islonline.com/19799/166125" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "DeskDay", - "Description": "DeskDay is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "N-Able Advanced Monitoring Agent", + "Description": "N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -5259,7 +5419,12 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ultimate_*.exe" + "Agent_*_RW.exe", + "BASEClient.exe", + "BASupApp.exe", + "BASupSrvc.exe", + "BASupSrvcCnfg.exe", + "BASupTSHelper.exe" ] }, "Artifacts": { 
@@ -5270,8 +5435,17 @@ { "Description": "Known remote domains", "Domains": [ - "deskday.ai", - "app.deskday.ai" + "*remote.management", + "*.logicnow.com", + "*systemmonitor.us", + "*systemmonitor.eu.com", + "*system-monitor.com", + "systemmonitor.us.cdn.cloudflare.net", + "*cloudbackup.management", + "*systemmonitor.co.uk", + "*.n-able.com", + "*.beanywhere.com ", + "*.swi-tc.com" ], "Ports": [] } 
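Review bot: The N-Able domain list added here includes `"*.beanywhere.com "` with a trailing space, which will not match the real hostname in any network rule built from this field; it should be `"*.beanywhere.com"`. Several neighbouring patterns (`*remote.management`, `*systemmonitor.us`, `*system-monitor.com`, `*cloudbackup.management`, `*systemmonitor.co.uk`) omit the dot after the wildcard, which is broader than the `*.` form used elsewhere in this file and may be intentional, but is worth confirming so the generated Sigma rule is not over- or under-matching. As this JSON appears to be regenerated from yaml/, the correction belongs in the source YAML.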
@@ -5279,25 +5453,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskday_network_sigma.yml", - "Description": "Detects potential network activity of DeskDay RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_network_sigma.yml", + "Description": "Detects potential network activity of N-Able Advanced Monitoring Agent RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskday_processes_sigma.yml", - "Description": "Detects potential processes activity of DeskDay RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_processes_sigma.yml", + "Description": "Detects potential processes activity of N-Able Advanced Monitoring Agent RMM tool" } ], "References": [ - "https://support.deskday.ai/en/articles/8235973-installing-the-end-user-application-ultimate" + "https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm" ], "Acknowledgement": [] }, { - "Name": "RemoteCall", - "Description": "RemoteCall is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "KiTTY", + "Description": "KiTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -5312,50 +5486,29 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "rcengmgru.exe", - "rcmgrsvc.exe", - "rxstartsupport.exe", - "rcstartsupport.exe", - "raautoup.exe", - "agentu.exe", - "remotesupportplayeru.exe" + "C:\\*\\kitty.exe", + "*\\kitty.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.remotecall.com", - "*.startsupport.com", - "remotecall.com" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotecall_network_sigma.yml", - "Description": "Detects potential network activity of RemoteCall RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotecall_processes_sigma.yml", - "Description": "Detects potential processes activity of RemoteCall RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kitty_processes_sigma.yml", + "Description": "Detects potential processes activity of KiTTY RMM tool" } ], - "References": [ - "https://help.remotecall.com/hc/en-us/articles/360005128814--RemoteCall-Server-List-For-Firewall" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "Splashtop", - "Description": "Splashtop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "Nasreddine Bencherchali", + "Name": "FleetDeck.io", + "Description": "FleetDeck.io is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", "Created": "", "LastModified": "", "Details": { 
@@ -5372,197 +5525,50 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\Splashtop\\*", - "*\\Splashtop\\Splashtop Remote\\Client for RMM\\*", - "strwinclt.exe" + "fleetdeck_agent_svc.exe", + "fleetdeck_commander_svc.exe", + "fleetdeck_installer.exe", + "fleetdeck_commander_launcher.exe", + "fleetdeck_agent.exe" ] }, "Artifacts": { - "Disk": [ - { - "File": "C:\\windows\\System32\\winevt\\Logs\\Splashtop-Splashtop Streamer-Status%4Operational.evtx", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\windows\\System32\\winevt\\Logs\\Splashtop-Splashtop Streamer-Remote Session%4Operational.evtx", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "%PROGRAMDATA%\\Splashtop\\Temp\\log\\FTCLog.txt", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\agent_log.txt", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\SPLog.txt", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\svcinfo.txt", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\sysinfo.txt", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRService.exe", - "Description": "Splashtop Remote Service", - "OS": "Windows" - }, - { - "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRAgent.exe", - "Description": "SplashTop Remote Agent", - "OS": "Windows" - }, - { - "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Software Updater\\SSUAgent.exe", - "Description": "Splashtop Updater", - "OS": "Windows" - }, - { - "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRUtility.exe", - "Description": "N/A", - "OS": 
"Windows" - }, - { - "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRFeature.exe", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\db\\SRAgent.sqlite3", - "Description": "N/A", - "OS": "Windows" - } - ], - "EventLog": [ - { - "EventID": 7045, - "ProviderName": "Service Control Manager", - "LogFile": "System.evtx", - "ServiceName": "Splashtop Software Updater Service", - "ImagePath": "\"C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Software Updater\\\\SSUService.exe\"", - "Description": "Service installation event as result of Splashtop Software Updater Service installation." - }, - { - "EventID": 7045, - "ProviderName": "Service Control Manager", - "LogFile": "System.evtx", - "ServiceName": "Splashtop® Remote Service", - "ImagePath": "\"C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Remote\\\\Server\\\\SRService.exe\"", - "Description": "Service installation event as result of Splashtop Remote Service installation." - }, - { - "EventID": 7045, - "ProviderName": "Service Control Manager", - "LogFile": "System.evtx", - "ServiceName": "SplashtopRemoteService", - "ImagePath": "\"C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Remote\\\\Server\\\\SRService.exe\"", - "Description": "Service installation event as result of Splashtop Remote Service installation." - } - ], - "Registry": [ - { - "Path": "KLM\\SOFTWARE\\WOW6432Node\\Splashtop Inc.\\*", - "Description": "Splashtop Inc. 
registry key" - }, - { - "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Splashtop Software Updater", - "Description": "Splashtop Software Updater uninstall key" - }, - { - "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SplashtopRemoteService", - "Description": "Splashtop Remote Service registry key" - }, - { - "Path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Splashtop-Splashtop Streamer-Remote Session/Operational", - "Description": "Splashtop Streamer Remote Session event log channel" - }, - { - "Path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Splashtop-Splashtop Streamer-Status/Operational", - "Description": "Splashtop Streamer Status event log channel" - }, - { - "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Splashtop Software Updater\\InstallRefCount", - "Description": "Splashtop Software Updater install reference count" - }, - { - "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\SplashtopRemoteService", - "Description": "Splashtop Remote Service safe boot configuration" - }, - { - "Path": "HKU\\.DEFAULT\\Software\\Splashtop Inc.\\*", - "Description": "Default user Splashtop Inc. registry key" - }, - { - "Path": "HKU\\SID\\Software\\Splashtop Inc.\\*", - "Description": "User-specific Splashtop Inc. 
registry key" - }, - { - "Path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\Splashtop PDF Remote Printer", - "Description": "Splashtop PDF Remote Printer configuration" - }, - { - "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Splashtop Inc.\\Splashtop Remote Server\\ClientInfo\\*", - "Description": "Splashtop Remote Server client information" - } - ], + "Disk": [], + "EventLog": [], + "Registry": [], "Network": [ { - "Description": "N/A", + "Description": "Known remote domains", "Domains": [ - "*.splashtop.com" + "*.fleetdeck.io", + "cognito-idp.us-west-2.amazonaws.com", + "fleetdeck.io" ], - "Ports": [ - "N/A" - ] + "Ports": [] } ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_registry_sigma.yml", - "Description": "Detects potential registry activity of Splashtop RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_network_sigma.yml", - "Description": "Detects potential network activity of Splashtop RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_files_sigma.yml", - "Description": "Detects potential files activity of Splashtop RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdesk.io_network_sigma.yml", + "Description": "Detects potential network activity of FleetDesk.io RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_processes_sigma.yml", - "Description": "Detects potential processes activity of Splashtop RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdesk.io_processes_sigma.yml", + "Description": "Detects potential processes activity of FleetDesk.io RMM tool" } ], "References": [ - "https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html" + 
"https://fleetdeck.io/faq/" ], - "Acknowledgement": [ - { - "Person": "Théo Letailleur", - "Handle": "in/theosyn" - } - ] + "Acknowledgement": [] }, { - "Name": "ManageEngine RMM Central", - "Description": "ManageEngine RMM Central is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "TeleDesktop", + "Description": "TeleDesktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { @@ -5576,7 +5582,11 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "pstlaunch.exe", + "ptdskclient.exe", + "ptdskhost.exe" + ] }, "Artifacts": { "Disk": [], @@ -5586,7 +5596,8 @@ { "Description": "Known remote domains", "Domains": [ - "manageengine.com/remote-monitoring-management/" + "user_managed", + "tele-desk.com" ], "Ports": [] } 
@@ -5594,19 +5605,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manageengine_rmm_central_network_sigma.yml", - "Description": "Detects potential network activity of ManageEngine RMM Central RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teledesktop_network_sigma.yml", + "Description": "Detects potential network activity of TeleDesktop RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teledesktop_processes_sigma.yml", + "Description": "Detects potential processes activity of TeleDesktop RMM tool" } ], - "References": [], + "References": [ + "http://potomacsoft.com/ - DOA as of 2024" + ], "Acknowledgement": [] }, { - "Name": "AeroAdmin", - "Description": "AeroAdmin is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Remote Utilities", + "Description": "Remote Utilities is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -5621,8 +5638,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "aeroadmin.exe", - "AeroAdmin.exe" + "rutview.exe", + "rutserv.exe" ] }, "Artifacts": { @@ -5633,8 +5650,7 @@ { "Description": "Known remote domains", "Domains": [ - "auth*.aeroadmin.com", - "aeroadmin.com" + "*.internetid.ru" ], "Ports": [] } 
@@ -5642,22 +5658,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aeroadmin_network_sigma.yml", - "Description": "Detects potential network activity of AeroAdmin RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_utilities_network_sigma.yml", + "Description": "Detects potential network activity of Remote Utilities RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aeroadmin_processes_sigma.yml", - "Description": "Detects potential processes activity of AeroAdmin RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_utilities_processes_sigma.yml", + "Description": "Detects potential processes activity of Remote Utilities RMM tool" } ], "References": [ - "https://support.aeroadmin.com/kb/faq.php?id=58" + "https://www.remoteutilities.com/download/" ], "Acknowledgement": [] }, { - "Name": "NoMachine", - "Description": "NoMachine is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "NetSupport Manager", + "Description": "NetSupport Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -5675,9 +5691,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "nomachine*.exe", - "nxservice*.ese", - "nxd.exe" + "pcictlui.exe", + "pcicfgui.exe", + "client32.exe" ] }, "Artifacts": { @@ -5688,8 +5704,8 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "nomachine.com" + "*.netsupportmanager.com", + "netsupportmanager.com" ], "Ports": [] } 
@@ -5697,25 +5713,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nomachine_network_sigma.yml", - "Description": "Detects potential network activity of NoMachine RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_network_sigma.yml", + "Description": "Detects potential network activity of NetSupport Manager RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nomachine_processes_sigma.yml", - "Description": "Detects potential processes activity of NoMachine RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_processes_sigma.yml", + "Description": "Detects potential processes activity of NetSupport Manager RMM tool" } ], "References": [ - "https://kb.nomachine.com/AR04S01122" + "https://www.netsupportmanager.com/resources/" ], "Acknowledgement": [] }, { - "Name": "UltraVNC", - "Description": "UltraVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "GotoHTTP", + "Description": "GotoHTTP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -5730,8 +5746,10 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "UltraVNC*.exe" - ] + "GotoHTTP_x64.exe", + "gotohttp.exe", + "GotoHTTP*.exe" + ] }, "Artifacts": { "Disk": [], @@ -5741,8 +5759,8 @@ { "Description": "Known remote domains", "Domains": [ - "ultravnc.com", - "user_managed" + "*.gotohttp.com", + "gotohttp.com" ], "Ports": [] } 
@@ -5750,25 +5768,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultravnc_network_sigma.yml", - "Description": "Detects potential network activity of UltraVNC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotohttp_network_sigma.yml", + "Description": "Detects potential network activity of GotoHTTP RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultravnc_processes_sigma.yml", - "Description": "Detects potential processes activity of UltraVNC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotohttp_processes_sigma.yml", + "Description": "Detects potential processes activity of GotoHTTP RMM tool" } ], "References": [ - "https://uvnc.com/docs/uvnc-server/49-UltraVNC-server-configuration.html" + "https://gotohttp.com/goto/help.12x" ], "Acknowledgement": [] }, { - "Name": "Instant Housecall", - "Description": "Instant Housecall is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "RemoteUtilities", + "Description": "RemoteUtilities is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -5783,10 +5801,12 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "hsloader.exe", - "ihcserver.exe", - "instanthousecall.exe", - "instanthousecall.exe" + "rutview.exe", + "*\\Remote Manipulator System - Server\\*", + "C:\\Program Files\\Remote Utilities\\*", + "*\\Remote Utilities\\*", + "rutserv.exe", + "*\\rutserv.exe" ] }, "Artifacts": { 
@@ -5797,10 +5817,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.instanthousecall.com", - "*.instanthousecall.net", - "instanthousecall.com", - "secure.instanthousecall.com" + "remoteutilities.com" ], "Ports": [] } 
@@ -5808,32 +5825,146 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_network_sigma.yml", - "Description": "Detects potential network activity of Instant Housecall RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteutilities_network_sigma.yml", + "Description": "Detects potential network activity of RemoteUtilities RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_processes_sigma.yml", - "Description": "Detects potential processes activity of Instant Housecall RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteutilities_processes_sigma.yml", + "Description": "Detects potential processes activity of RemoteUtilities RMM tool" } ], - "References": [ - "https://instanthousecall.com/features/" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "NinjaRMM", - "Description": "NinjaRMM is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/9/2024", + "Name": "GoToMyPC", + "Description": "GoToMyPC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.\n", + "Author": "Nasreddine Bencherchali", + "Created": "2024-08-05", + "LastModified": "2024-08-05", "Details": { "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, + "PEMetadata": [ + { + "Filename": "AppCore.exe" + }, + { + "Filename": "g2comm.exe" + }, + { + "Filename": "g2file*.exe" + }, + { + "Filename": "g2fileh.exe" + }, + { + "Filename": "g2host.exe" + }, + { + "Filename": "g2m_download.exe" + }, + { + "Filename": "g2mainh.exe" + }, + { + "Filename": "G2MChat.exe" + }, + { + "Filename": "G2MCodecInstExtractor.exe" + }, + { + "Filename": "G2MComm.exe" + }, + { + "Filename": "G2MCoreInstExtractor.exe" + }, + { + "Filename": "G2MFeedback.exe" + }, + { + "Filename": "G2MHost.exee" + }, + { + "Filename": "G2MInstaller.exe" + }, + { + "Filename": "G2MInstallerExtractor.exe" + }, + { + "Filename": "G2MInstHigh.exe" + }, + { + "Filename": "G2MLauncher.exe" + }, + { + "Filename": "G2MMatchMaking.exe" + }, + { + "Filename": "G2MMaterials.exe" + }, + { + "Filename": "G2MPolling.exe" + }, + { + "Filename": "G2MQandA.exe" + }, + { + "Filename": "G2MRecorder.exe" + }, + { + "Filename": "G2MScrUtil64.exe" + }, + { + "Filename": "G2MSessionControl.exe" + }, + { + "Filename": "G2MStart.exe" + }, + { + "Filename": "G2MTesting.exe" + }, + { + "Filename": "G2MTranscoder.exe" + }, + { + "Filename": "G2MUI.exe" + }, + { + "Filename": "G2MUninstall.exe" + }, + { + "Filename": "g2mupload.exe" + }, + { + "Filename": "g2mvideoconference.exe" + }, + { + "Filename": "G2MView.exe" + }, + { + "Filename": "g2printh.exe" + }, + { + "Filename": "g2quick.exe" + }, + { + "Filename": "g2svc.exe" + }, + { + "Filename": "g2tray.exe" + }, + { + "Filename": "gopcsrv.exe" + }, + { + "Filename": "GoToScrUtils.exe" + }, + { + "Filename": "GoTo.exe", + "OriginalFileName": "", + "Description": "" + } + ], "Privileges": "", "Free": "", "Verification": "", 
@@ -5841,50 +5972,80 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ninjarmmagent.exe", - "NinjaRMMAgent.exe", - "NinjaRMMAgenPatcher.exe", - "ninjarmm-cli.exe" + "C:\\Program Files (x86)\\GoToMyPC\\*" ] }, "Artifacts": { - "Disk": [], + "Disk": [ + { + "File": "%AppData%\\GoTo\\Logs\\goto.log", + "Description": "N/A", + "OS": "Windows" + } + ], "EventLog": [], - "Registry": [], + "Registry": [ + { + "Path": "HKEY_LOCAL_MACHINE\\WOW6432Node\\Citrix\\GoToMyPc", + "Description": "Configuration settings including registration email" + }, + { + "Path": "HKEY_LOCAL_MACHINE\\WOW6432Node\\Citrix\\GoToMyPc\\GuestInvite", + "Description": "Guest invites send to connect" + }, + { + "Path": "HKEY_CURRENT_USER\\SOFTWARE\\Citrix\\GoToMyPc\\FileTransfer\\history", + "Description": "hostname of the computer making connections and location of transferred files" + }, + { + "Path": "HKEY_USERS\\\\SOFTWARE\\Citrix\\GoToMyPc\\FileTransfer\\history", + "Description": "hostname of the computer making connections and location of transferred files" + } + ], "Network": [ { - "Description": "Known remote domains", + "Description": "N/A", "Domains": [ - "*.ninjarmm.com", - "*.ninjaone.com", - "resources.ninjarmm.com", - "ninjaone.com" + "*.GoToMyPC.com" ], - "Ports": [] + "Ports": [ + "N/A" + ] } ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ninjarmm_network_sigma.yml", - "Description": "Detects potential network activity of NinjaRMM RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_registry_sigma.yml", + "Description": "Detects potential registry activity of GoToMyPC RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ninjarmm_processes_sigma.yml", - "Description": "Detects potential processes activity of NinjaRMM RMM tool" + "Sigma": 
"https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_network_sigma.yml", + "Description": "Detects potential network activity of GoToMyPC RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_files_sigma.yml", + "Description": "Detects potential files activity of GoToMyPC RMM tool" } ], "References": [ - "https://www.ninjaone.com/faq/" + "https://support.logmeininc.com/gotomypc/help/what-are-the-optimal-firewall-configurations#", + "https://support.goto.com/training/help/how-do-i-configure-gototraining-to-work-with-firewalls", + "https://ruler-project.github.io/ruler-project/RULER/remote/Citrix%20GoToMyPC/" ], - "Acknowledgement": [] + "Acknowledgement": [ + { + "Person": "Phill Moore", + "Handle": "@phillmoore" + } + ] }, { - "Name": "ngrok", - "Description": "ngrok is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", + "Name": "SmartCode Web VNC", + "Description": "SmartCode Web VNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -5899,47 +6060,26 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ngrok.exe", - "C:\\*\\ngrok.zip", - "*\\ngrok*" + "C:\\Program Files\\TightVNC\\*", + "*\\TightVNC\\*" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "user_managed", - "ngrok.com" - ], - "Ports": [] - } - ] + "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ngrok_network_sigma.yml", - "Description": "Detects potential network activity of ngrok RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ngrok_processes_sigma.yml", - "Description": "Detects potential processes activity of ngrok RMM tool" - } - ], - "References": [ - "https://ngrok.com/docs/guides/running-behind-firewalls/" - ], + "Detections": [], + "References": [], "Acknowledgement": [] }, { - "Name": "Bitvise SSH Client", - "Description": "Bitvise SSH Client is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Seetrol", + "Description": "Seetrol is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -5954,62 +6094,45 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\Bitvise SSH Client\\*", - "*\\Bitvise SSH Client\\*", - "*\\BvSshClient-Inst.exe" + "seetrolcenter.exe", + "seetrolclient.exe", + "seetrolmyservice.exe", + "seetrolremote.exe", + "seetrolsetting.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "seetrol.co.kr" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bitvise_ssh_client_processes_sigma.yml", - "Description": "Detects potential processes activity of Bitvise SSH Client RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/seetrol_network_sigma.yml", + "Description": "Detects potential network activity of Seetrol RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/seetrol_processes_sigma.yml", + "Description": "Detects potential processes activity of Seetrol RMM tool" } ], - "References": [], - "Acknowledgement": [] - }, - { - "Name": "Chicken (of the VNC)", - "Description": "Chicken (of the VNC) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [] - }, - "Detections": [], "References": [ - "https://github.com/flit/cotvnc" + "http://www.seetrol.com/en/features/features3.php" ], "Acknowledgement": [] }, { - "Name": "SkyFex", - "Description": "SkyFex is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "RDPView", + "Description": "RDPView is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -6027,8 +6150,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "Deskroll.exe", - "DeskRollUA.exe" + "dwrcs.exe" ] }, "Artifacts": { @@ -6039,9 +6161,8 @@ { "Description": "Known remote domains", "Domains": [ - "skyfex.com", - "deskroll.com", - "*.deskroll.com" + "user_managed", + "systemmanager.ru/dntu.en/rdp_view.htm" ], "Ports": [] } 
@@ -6049,25 +6170,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/skyfex_network_sigma.yml", - "Description": "Detects potential network activity of SkyFex RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpview_network_sigma.yml", + "Description": "Detects potential network activity of RDPView RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/skyfex_processes_sigma.yml", - "Description": "Detects potential processes activity of SkyFex RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpview_processes_sigma.yml", + "Description": "Detects potential processes activity of RDPView RMM tool" } ], "References": [ - "https://skyfex.com/" + "systemmanager.ru/dntu.en/rdp_view.htm - Same as Damware" ], "Acknowledgement": [] }, { - "Name": "Ericom AccessNow", - "Description": "Ericom AccessNow is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Zoho Assist", + "Description": "Zoho Assist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { @@ -6082,8 +6203,16 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "accessserver*.exe", - "accessserver.exe" + "zaservice.exe", + "ZMAgent.exe", + "C:\\*\\ZA_Access.exe", + "ZohoMeeting.exe", + "Zohours.exe", + "zohotray.exe", + "ZohoURSService.exe", + "*\\ZA_Access.exe", + "Zaservice.exe", + "za_connect.exe" ] }, "Artifacts": { 
@@ -6094,8 +6223,19 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "ericom.com" + "*.zoho.com.au", + "*.zohoassist.jp", + "assist.zoho.com", + "zoho.com/assist/", + "*.zoho.in", + "downloads.zohodl.com.cn", + "*.zohoassist.com", + "downloads.zohocdn.com", + "gateway.zohoassist.com", + "*.zohoassist.com.cn", + "*.zoho.com.cn", + "*.zoho.com", + "*.zoho.eu" ], "Ports": [] } @@ -6103,25 +6243,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_accessnow_network_sigma.yml", - "Description": "Detects potential network activity of Ericom AccessNow RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoho_assist_network_sigma.yml", + "Description": "Detects potential network activity of Zoho Assist RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_accessnow_processes_sigma.yml", - "Description": "Detects potential processes activity of Ericom AccessNow RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoho_assist_processes_sigma.yml", + "Description": "Detects potential processes activity of Zoho Assist RMM tool" } ], "References": [ - "https://www.ericom.com/connect-accessnow/" + "https://www.zoho.com/assist/kb/firewall-configuration.html" ], "Acknowledgement": [] }, { - "Name": "Microsoft RDP", - "Description": "Microsoft RDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Xpra", + "Description": "Xpra is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -6136,9 +6276,10 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "termsrv.exe", - "mstsc.exe", - "Microsoft Remote Desktop" + "C:\\Program Files (x86)\\Xpra\\*", + "*\\Xpra\\*", + "*\\Xpra-Launcher.exe", + "*\\Xpra-x86_64_Setup.exe" ] }, "Artifacts": { @@ -6149,21 +6290,19 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_rdp_processes_sigma.yml", - "Description": "Detects potential processes activity of Microsoft RDP RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xpra_processes_sigma.yml", + "Description": "Detects potential processes activity of Xpra RMM tool" } ], - "References": [ - "https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/windows" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "Royal Server", - "Description": "Royal Server is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "DeskNets", + "Description": "DeskNets is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/26/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -6183,30 +6322,17 @@ "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "royalapps.com" - ], - "Ports": [] - } - ] + "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_server_network_sigma.yml", - "Description": "Detects potential network activity of Royal Server RMM tool" - } - ], + "Detections": [], "References": [ - "https://royalapps.com/server/main/features" + "https://www.desknets.com/en/download.html" ], "Acknowledgement": [] }, { - "Name": "Solar-PuTTY", - "Description": "Solar-PuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "XRDP", + "Description": "XRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -6223,11 +6349,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\Program Files\\Solar-Putty-v4\\*", - "*\\Solar-Putty-v4\\*", - "*\\Solar-PuTTY.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], @@ -6235,18 +6357,13 @@ "Registry": [], "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/solar-putty_processes_sigma.yml", - "Description": "Detects potential processes activity of Solar-PuTTY RMM tool" - } - ], + "Detections": [], "References": [], "Acknowledgement": [] }, { - "Name": "Duplicati", - "Description": "Duplicati is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ManageEngine", + "Description": "ManageEngine is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -6264,8 +6381,11 @@
 "Capabilities": [],
 "Vulnerabilities": [],
 "InstallationPaths": [
- "c:\\Program Files\\*\\Duplicati.Server.exe",
- "*\\*\\Duplicati.Server.exe"
+ "InstallShield Setup.exe",
+ "ManageEngine_Remote_Access_Plus.exe",
+ "*\\dcagentservice.exe",
+ "C:\\Program Files (x86)\\DesktopCentral_Agent\\bin\\*",
+ "*\\DesktopCentral_Agent\\bin\\*"
 ]
 },
 "Artifacts": {
@@ -6276,19 +6396,19 @@
 },
 "Detections": [
 {
- "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/duplicati_processes_sigma.yml",
- "Description": "Detects potential processes activity of Duplicati RMM tool"
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manageengine_processes_sigma.yml",
+ "Description": "Detects potential processes activity of ManageEngine RMM tool"
 }
 ],
 "References": [],
 "Acknowledgement": []
 },
 {
- "Name": "Remote Desktop Plus",
- "Description": "Remote Desktop Plus is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
+ "Name": "Impero Connect",
+ "Description": "Impero Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
 "Author": "",
 "Created": "",
- "LastModified": "2/9/2024",
+ "LastModified": "",
 "Details": {
 "Website": "",
 "PEMetadata": {
@@ -6303,7 +6423,7 @@
 "Capabilities": [],
 "Vulnerabilities": [],
 "InstallationPaths": [
- "rdp.exe"
+ "ImperoClientSVC.exe"
 ]
 },
 "Artifacts": {
@@ -6314,7 +6434,7 @@
 {
 "Description": "Known remote domains",
 "Domains": [
- "donkz.nl"
+ "imperosoftware.com"
 ],
 "Ports": []
 }
@@ -6322,25 +6442,23 @@
 },
 "Detections": [
 {
- "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_desktop_plus_network_sigma.yml",
- "Description": "Detects potential network activity of Remote Desktop Plus RMM tool"
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/impero_connect_network_sigma.yml",
+ "Description": "Detects potential network activity of Impero Connect RMM tool"
 },
 {
- "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_desktop_plus_processes_sigma.yml",
- "Description": "Detects potential processes activity of Remote Desktop Plus RMM tool"
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/impero_connect_processes_sigma.yml",
+ "Description": "Detects potential processes activity of Impero Connect RMM tool"
 }
 ],
- "References": [
- "https://www.donkz.nl/"
- ],
+ "References": [],
 "Acknowledgement": []
 },
 {
- "Name": "ITSupport247 (ConnectWise)",
- "Description": "ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
+ "Name": "Remcos",
+ "Description": "Remcos is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
 "Author": "",
 "Created": "",
- "LastModified": "2/8/2024",
+ "LastModified": "",
 "Details": {
 "Website": "",
 "PEMetadata": {
@@ -6355,42 +6473,27 @@
 "Capabilities": [],
 "Vulnerabilities": [],
 "InstallationPaths": [
- "saazapsc.exe"
+ "remcos*.exe"
 ]
 },
 "Artifacts": {
 "Disk": [],
 "EventLog": [],
 "Registry": [],
- "Network": [
- {
- "Description": "Known remote domains",
- "Domains": [
- "*.itsupport247.net",
- "itsupport247.net"
- ],
- "Ports": []
- }
- ]
+ "Network": []
 },
 "Detections": [
 {
- "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__network_sigma.yml",
- "Description": "Detects potential network activity of ITSupport247 (ConnectWise) RMM tool"
- },
- {
- "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__processes_sigma.yml",
- "Description": "Detects potential processes activity of ITSupport247 (ConnectWise) RMM tool"
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remcos_processes_sigma.yml",
+ "Description": "Detects potential processes activity of Remcos RMM tool"
 }
 ],
- "References": [
- "https://control.itsupport247.net/"
- ],
+ "References": [],
 "Acknowledgement": []
 },
 {
- "Name": "DesktopNow",
- "Description": "DesktopNow is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
+ "Name": "PDQ Connect",
+ "Description": "PDQ Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
 "Author": "",
 "Created": "",
 "LastModified": "2/26/2024",
@@ -6408,7 +6511,7 @@
 "Capabilities": [],
 "Vulnerabilities": [],
 "InstallationPaths": [
- "desktopnow.exe"
+ "pdq-connect*.exe"
 ]
 },
 "Artifacts": {
@@ -6419,7 +6522,8 @@
 {
 "Description": "Known remote domains",
 "Domains": [
- "*.nchuser.com"
+ "app.pdq.com",
+ "cfcdn.pdq.com"
 ],
 "Ports": []
 }
@@ -6427,22 +6531,22 @@
 },
 "Detections": [
 {
- "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktopnow_network_sigma.yml",
- "Description": "Detects potential network activity of DesktopNow RMM tool"
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pdq_connect_network_sigma.yml",
+ "Description": "Detects potential network activity of PDQ Connect RMM tool"
 },
 {
- "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktopnow_processes_sigma.yml",
- "Description": "Detects potential processes activity of DesktopNow RMM tool"
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pdq_connect_processes_sigma.yml",
+ "Description": "Detects potential processes activity of PDQ Connect RMM tool"
 }
 ],
 "References": [
- "https://forums.ivanti.com/s/article/Network-Ports-used-by-Environment-Manager?language=en_US"
+ "https://connect.pdq.com/hc/en-us/articles/9518992071707-Network-Requirements"
 ],
 "Acknowledgement": []
 },
 {
- "Name": "Remmina",
- "Description": "Remmina is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
+ "Name": "Terminals",
+ "Description": "Terminals is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
 "Author": "",
 "Created": "",
 "LastModified": "",
@@ -6472,11 +6576,11 @@
 "Acknowledgement": []
 },
 {
- "Name": "Distant Desktop",
- "Description": "Distant Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
+ "Name": "Syncro",
+ "Description": "Syncro is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
 "Author": "",
 "Created": "",
- "LastModified": "2/8/2024",
+ "LastModified": "2/13/2024",
 "Details": {
 "Website": "",
 "PEMetadata": {
@@ -6491,9 +6595,16 @@
 "Capabilities": [],
 "Vulnerabilities": [],
 "InstallationPaths": [
- "ddsystem.exe",
- "dd.exe",
- "distant-desktop.exe"
+ "Syncro.Installer.exe",
+ "Kabuto.App.Runner.exe",
+ "Syncro.Overmind.Service.exe",
+ "Kabuto.Installer.exe",
+ "KabutoSetup.exe",
+ "Syncro.Service.exe",
+ "Kabuto.Service.Runner.exe",
+ "Syncro.App.Runner.exe",
+ "SyncroLive.Service.exe",
+ "SyncroLive.Agent.exe"
 ]
 },
 "Artifacts": {
@@ -6504,8 +6615,17 @@
 {
 "Description": "Known remote domains",
 "Domains": [
- "*.distantdesktop.com",
- "*signalserver.xyz"
+ "kabuto.io",
+ "*.syncromsp.com",
+ "*.syncroapi.com",
+ "syncromsp.com",
+ "servably.com",
+ "ld.aurelius.host",
+ "app.kabuto.io ",
+ "*.kabutoservices.com",
+ "repairshopr.com",
+ "kabutoservices.com",
+ "attachments.servably.com"
 ],
 "Ports": []
 }
@@ -6513,25 +6633,25 @@
 },
 "Detections": [
 {
- "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_network_sigma.yml",
- "Description": "Detects potential network activity of Distant Desktop RMM tool"
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncro_network_sigma.yml",
+ "Description": "Detects potential network activity of Syncro RMM tool"
 },
 {
- "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_processes_sigma.yml",
- "Description": "Detects potential processes activity of Distant Desktop RMM tool"
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncro_processes_sigma.yml",
+ "Description": "Detects potential processes activity of Syncro RMM tool"
 }
 ],
 "References": [
- "https://www.distantdesktop.com/manual/first-start.htm"
+ "https://community.syncromsp.com/t/syncro-exceptions-and-allowlists/2004"
 ],
 "Acknowledgement": []
 },
 {
- "Name": "DameWare",
- "Description": "DameWare is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
+ "Name": "247ithelp.com (ConnectWise)",
+ "Description": "247ithelp.com (ConnectWise) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
 "Author": "",
 "Created": "",
- "LastModified": "2/7/2024",
+ "LastModified": "2/8/2024",
 "Details": {
 "Website": "",
 "PEMetadata": {
@@ -6546,15 +6666,7 @@
 "Capabilities": [],
 "Vulnerabilities": [],
 "InstallationPaths": [
- "SolarWinds-Dameware-DRS*.exe",
- "DameWare Mini Remote Control*.exe",
- "C:\\Windows\\dwrcs\\*\n c:\\Program File\\SolarWinds\\Dameware Mini Remote Control\\*",
- "dntus*.exe",
- "dwrcs.exe",
- "*\\dwrcs\\*",
- "*\\dwrcst.exe",
- "DameWare Remote Support.exe",
- "SolarWinds-Dameware-MRC*.exe"
+ "Remote Workforce Client.exe"
 ]
 },
 "Artifacts": {
@@ -6565,7 +6677,7 @@
 {
 "Description": "Known remote domains",
 "Domains": [
- "dameware.com"
+ "*.247ithelp.com"
 ],
 "Ports": []
 }
@@ -6573,22 +6685,22 @@
 },
 "Detections": [
 {
- "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware-mini_remote_control_protocol_network_sigma.yml",
- "Description": "Detects potential network activity of Dameware-mini remote control Protocol RMM tool"
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/247ithelp.com__connectwise__network_sigma.yml",
+ "Description": "Detects potential network activity of 247ithelp.com (ConnectWise) RMM tool"
 },
 {
- "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware_processes_sigma.yml",
- "Description": "Detects potential processes activity of DameWare RMM tool"
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/247ithelp.com__connectwise__processes_sigma.yml",
+ "Description": "Detects potential processes activity of 247ithelp.com (ConnectWise) RMM tool"
 }
 ],
 "References": [
- "https://documentation.solarwinds.com/en/success_center/dameware/content/install-standalone-port-requirements.htm"
+ "Similar / replaced by ScreenConnect"
 ],
 "Acknowledgement": []
 },
 {
- "Name": "Level",
- "Description": "Level is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
+ "Name": "Netviewer",
+ "Description": "Netviewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
 "Author": "",
 "Created": "",
 "LastModified": "",
@@ -6605,7 +6717,10 @@
 "SupportedOS": [],
 "Capabilities": [],
 "Vulnerabilities": [],
- "InstallationPaths": []
+ "InstallationPaths": [
+ "netviewer*.exe",
+ "netviewer.exe"
+ ]
 },
 "Artifacts": {
 "Disk": [],
@@ -6615,7 +6730,7 @@
 {
 "Description": "Known remote domains",
 "Domains": [
- "level.io"
+ "download.cnet.com/Net-Viewer/3000-2370_4-10034828.html"
 ],
 "Ports": []
 }
@@ -6623,19 +6738,23 @@
 },
 "Detections": [
 {
- "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level_network_sigma.yml",
- "Description": "Detects potential network activity of Level RMM tool"
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer_network_sigma.yml",
+ "Description": "Detects potential network activity of Netviewer RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer_processes_sigma.yml",
+ "Description": "Detects potential processes activity of Netviewer RMM tool"
 }
 ],
 "References": [],
 "Acknowledgement": []
 },
 {
- "Name": "Insync",
- "Description": "Insync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
+ "Name": "Syspectr",
+ "Description": "Syspectr is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
 "Author": "",
 "Created": "",
- "LastModified": "",
+ "LastModified": "2/26/2024",
 "Details": {
 "Website": "",
 "PEMetadata": {
@@ -6650,29 +6769,43 @@
 "Capabilities": [],
 "Vulnerabilities": [],
 "InstallationPaths": [
- "C:\\Users\\USERNAME\\AppData\\Roaming\\Insync\\App\\Insync.exe",
- "*Users\\*\\AppData\\Roaming\\Insync\\App\\Insync.exe",
- "*\\Insync.exe"
+ "oo-syspectr*.exe",
+ "OOSysAgent.exe"
 ]
 },
 "Artifacts": {
 "Disk": [],
 "EventLog": [],
 "Registry": [],
- "Network": []
+ "Network": [
+ {
+ "Description": "Known remote domains",
+ "Domains": [
+ "atled.syspectr.com",
+ "app.syspectr.com"
+ ],
+ "Ports": []
+ }
+ ]
 },
 "Detections": [
 {
- "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/insync_processes_sigma.yml",
- "Description": "Detects potential processes activity of Insync RMM tool"
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syspectr_network_sigma.yml",
+ "Description": "Detects potential network activity of Syspectr RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syspectr_processes_sigma.yml",
+ "Description": "Detects potential processes activity of Syspectr RMM tool"
 }
 ],
- "References": [],
+ "References": [
+ "https://www.syspectr.com/en/installation-in-a-network"
+ ],
 "Acknowledgement": []
 },
 {
- "Name": "ISL Online",
- "Description": "ISL Online is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
+ "Name": "I'm InTouch",
+ "Description": "I'm InTouch is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
 "Author": "",
 "Created": "",
 "LastModified": "2/8/2024",
@@ -6690,14 +6823,9 @@
 "Capabilities": [],
 "Vulnerabilities": [],
 "InstallationPaths": [
- "*\\ISLLight.exe",
- "isllight.exe",
- "ISLLightClient.exe",
- "C:\\Program Files (x86)\\ISL Online\\ISL Light*",
- "*\\ISL Online\\ISL Light*",
- "ISLLight.exe",
- "isllightservice.exe",
- "islalwaysonmonitor.exe"
+ "iit.exe",
+ "intouch.exe",
+ "I'm InTouch Go Installer.exe"
 ]
 },
 "Artifacts": {
@@ -6708,8 +6836,8 @@
 {
 "Description": "Known remote domains",
 "Domains": [
- "*.islonline.com",
- "*.islonline.net"
+ "*.01com.com",
+ "01com.com/imintouch-remote-pc-desktop"
 ],
 "Ports": []
 }
@@ -6717,25 +6845,25 @@
 },
 "Detections": [
 {
- "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_network_sigma.yml",
- "Description": "Detects potential network activity of ISL Online RMM tool"
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/i'm_intouch_network_sigma.yml",
+ "Description": "Detects potential network activity of I'm InTouch RMM tool"
 },
 {
- "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_processes_sigma.yml",
- "Description": "Detects potential processes activity of ISL Online RMM tool"
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/i'm_intouch_processes_sigma.yml",
+ "Description": "Detects potential processes activity of I'm InTouch RMM tool"
 }
 ],
 "References": [
- "https://help.islonline.com/19818/165940"
+ "https://www.01com.com/mobile/imintouch-remote-pc-desktop/faqs/remote-access/"
 ],
 "Acknowledgement": []
 },
 {
- "Name": "Remote.it",
- "Description": "Remote.it is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
+ "Name": "ISL Light",
+ "Description": "ISL Light is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
 "Author": "",
 "Created": "",
- "LastModified": "2/9/2024",
+ "LastModified": "",
 "Details": {
 "Website": "",
 "PEMetadata": {
@@ -6750,9 +6878,9 @@
 "Capabilities": [],
 "Vulnerabilities": [],
 "InstallationPaths": [
- "remote-it-installer.exe",
- "remote.it.exe",
- "remoteit.exe"
+ "islalwaysonmonitor.exe",
+ "isllight.exe",
+ "isllightservice.exe"
 ]
 },
 "Artifacts": {
@@ -6763,9 +6891,7 @@
 {
 "Description": "Known remote domains",
 "Domains": [
- "auth.api.remote.it",
- "api.remote.it",
- "remote.it"
+ "islonline.com"
 ],
 "Ports": []
 }
@@ -6773,25 +6899,23 @@
 },
 "Detections": [
 {
- "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote.it_network_sigma.yml",
- "Description": "Detects potential network activity of Remote.it RMM tool"
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_light_network_sigma.yml",
+ "Description": "Detects potential network activity of ISL Light RMM tool"
 },
 {
- "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote.it_processes_sigma.yml",
- "Description": "Detects potential processes activity of Remote.it RMM tool"
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_light_processes_sigma.yml",
+ "Description": "Detects potential processes activity of ISL Light RMM tool"
 }
 ],
- "References": [
- "https://docs.remote.it/introduction/get-started"
- ],
+ "References": [],
 "Acknowledgement": []
 },
 {
- "Name": "Netreo",
- "Description": "Netreo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
+ "Name": "Mocha VNC Lite",
+ "Description": "Mocha VNC Lite is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
 "Author": "",
 "Created": "",
- "LastModified": "2/9/2024",
+ "LastModified": "",
 "Details": {
 "Website": "",
 "PEMetadata": {
@@ -6805,7 +6929,45 @@
 "SupportedOS": [],
 "Capabilities": [],
 "Vulnerabilities": [],
- "InstallationPaths": []
+ "InstallationPaths": [
+ "This installs a modified VNC and cannot be blocked by path separate from VNC",
+ "This installs a modified VNC and cannot be blocked by path separate from VNC",
+ "*\\RealVNC\\VNC4\\*"
+ ]
+ },
+ "Artifacts": {
+ "Disk": [],
+ "EventLog": [],
+ "Registry": [],
+ "Network": []
+ },
+ "Detections": [],
+ "References": [],
+ "Acknowledgement": []
+ },
+ {
+ "Name": "Ericom Connect",
+ "Description": "Ericom Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
+ "Author": "",
+ "Created": "",
+ "LastModified": "2/7/2024",
+ "Details": {
+ "Website": "",
+ "PEMetadata": {
+ "Filename": "",
+ "OriginalFileName": "",
+ "Description": ""
+ },
+ "Privileges": "",
+ "Free": "",
+ "Verification": "",
+ "SupportedOS": [],
+ "Capabilities": [],
+ "Vulnerabilities": [],
+ "InstallationPaths": [
+ "EricomConnectRemoteHost*.exe",
+ "ericomconnnectconfigurationtool.exe"
+ ]
 },
 "Artifacts": {
 "Disk": [],
@@ -6815,10 +6977,8 @@
 {
 "Description": "Known remote domains",
 "Domains": [
- "charon.netreo.net",
- "activation.netreo.net",
- "*.api.netreo.com",
- "netreo.com"
+ "user_managed",
+ "ericom.com"
 ],
 "Ports": []
 }
@@ -6826,18 +6986,22 @@
 },
 "Detections": [
 {
- "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netreo_network_sigma.yml",
- "Description": "Detects potential network activity of Netreo RMM tool"
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_connect_network_sigma.yml",
+ "Description": "Detects potential network activity of Ericom Connect RMM tool"
+ },
+ {
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_connect_processes_sigma.yml",
+ "Description": "Detects potential processes activity of Ericom Connect RMM tool"
 }
 ],
 "References": [
- "https://solutions.netreo.com/docs/firewall-requirements"
+ "https://www.ericom.com/connect-accessnow/"
 ],
 "Acknowledgement": []
 },
 {
- "Name": "NoteOn-desktop sharing",
- "Description": "NoteOn-desktop sharing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
+ "Name": "Yandex.Disk",
+ "Description": "Yandex.Disk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
 "Author": "",
 "Created": "",
 "LastModified": "",
@@ -6855,9 +7019,9 @@
 "Capabilities": [],
 "Vulnerabilities": [],
 "InstallationPaths": [
- "nateon*.exe",
- "nateon.exe",
- "nateonmain.exe"
+ "C:\\Program Files (x86)\\Yandex\\*",
+ "*\\Yandex\\*",
+ "*\\YandexDisk2.exe"
 ]
 },
 "Artifacts": {
@@ -6868,19 +7032,19 @@
 },
 "Detections": [
 {
- "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/noteon-desktop_sharing_processes_sigma.yml",
- "Description": "Detects potential processes activity of NoteOn-desktop sharing RMM tool"
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/yandex.disk_processes_sigma.yml",
+ "Description": "Detects potential processes activity of Yandex.Disk RMM tool"
 }
 ],
 "References": [],
 "Acknowledgement": []
 },
 {
- "Name": "Royal TS",
- "Description": "Royal TS is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
+ "Name": "LiteManager",
+ "Description": "LiteManager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
 "Author": "",
 "Created": "",
- "LastModified": "",
+ "LastModified": "2/8/2024",
 "Details": {
 "Website": "",
 "PEMetadata": {
@@ -6895,7 +7059,12 @@
 "Capabilities": [],
 "Vulnerabilities": [],
 "InstallationPaths": [
- "royalts.exe"
+ "lmnoipserver.exe",
+ "ROMFUSClient.exe",
+ "romfusclient.exe",
+ "romviewer.exe",
+ "romserver.exe",
+ "ROMServer.exe"
 ]
 },
 "Artifacts": {
@@ -6906,7 +7075,9 @@
 {
 "Description": "Known remote domains",
 "Domains": [
- "royalapps.com"
+ "*.litemanager.ru",
+ "*.litemanager.com",
+ "litemanager.com"
 ],
 "Ports": []
 }
@@ -6914,56 +7085,25 @@
 },
 "Detections": [
 {
- "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_ts_network_sigma.yml",
- "Description": "Detects potential network activity of Royal TS RMM tool"
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/litemanager_network_sigma.yml",
+ "Description": "Detects potential network activity of LiteManager RMM tool"
 },
 {
- "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_ts_processes_sigma.yml",
- "Description": "Detects potential processes activity of Royal TS RMM tool"
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/litemanager_processes_sigma.yml",
+ "Description": "Detects potential processes activity of LiteManager RMM tool"
 }
 ],
- "References": [],
- "Acknowledgement": []
- },
- {
- "Name": "DeskNets",
- "Description": "DeskNets is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
- "Author": "",
- "Created": "",
- "LastModified": "2/26/2024",
- "Details": {
- "Website": "",
- "PEMetadata": {
- "Filename": "",
- "OriginalFileName": "",
- "Description": ""
- },
- "Privileges": "",
- "Free": "",
- "Verification": "",
- "SupportedOS": [],
- "Capabilities": [],
- "Vulnerabilities": [],
- "InstallationPaths": []
- },
- "Artifacts": {
- "Disk": [],
- "EventLog": [],
- "Registry": [],
- "Network": []
- },
- "Detections": [],
 "References": [
- "https://www.desknets.com/en/download.html"
+ "https://www.litemanager.com/articles/LiteManager_remote_access_to_a_desktop_via_the_Internet_or_LAN/"
 ],
 "Acknowledgement": []
 },
 {
- "Name": "QQ IM-remote assistance",
- "Description": "QQ IM-remote assistance is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
+ "Name": "BeAnyWhere",
+ "Description": "BeAnyWhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
 "Author": "",
 "Created": "",
- "LastModified": "2/9/2024",
+ "LastModified": "2/7/2024",
 "Details": {
 "Website": "",
 "PEMetadata": {
@@ -6978,9 +7118,14 @@
 "Capabilities": [],
 "Vulnerabilities": [],
 "InstallationPaths": [
- "qq.exe",
- "QQProtect.exe",
- "qqpcmgr.exe"
+ "basuptshelper.exe",
+ "basupsrvcupdate.exe",
+ "BASupApp.exe",
+ "BASupSysInf.exe",
+ "BASupAppSrvc.exe",
+ "TakeControl.exe",
+ "BASupAppElev.exe",
+ "basupsrvc.exe"
 ]
 },
 "Artifacts": {
@@ -6991,10 +7136,8 @@
 {
 "Description": "Known remote domains",
 "Domains": [
- "*.mdt.qq.com",
- "*.desktop.qq.com",
- "upload_data.qq.com",
- "qq-messenger.en.softonic.com"
+ "beanywhere.en.uptodown.com/windows",
+ "beanywhere.com"
 ],
 "Ports": []
 }
@@ -7002,25 +7145,25 @@
 },
 "Detections": [
 {
- "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/qq_im-remote_assistance_network_sigma.yml",
- "Description": "Detects potential network activity of QQ IM-remote assistance RMM tool"
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beanywhere_network_sigma.yml",
+ "Description": "Detects potential network activity of BeAnyWhere RMM tool"
 },
 {
- "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/qq_im-remote_assistance_processes_sigma.yml",
- "Description": "Detects potential processes activity of QQ IM-remote assistance RMM tool"
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beanywhere_processes_sigma.yml",
+ "Description": "Detects potential processes activity of BeAnyWhere RMM tool"
 }
 ],
 "References": [
- "https://en.wikipedia.org/wiki/Tencent_QQ"
+ "https://www.shouldiremoveit.com/beanywhere-support-service-40908-program.aspx"
 ],
 "Acknowledgement": []
 },
 {
- "Name": "PuTTY Tray",
- "Description": "PuTTY Tray is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
+ "Name": "Jump Cloud",
+ "Description": "Jump Cloud is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
 "Author": "",
 "Created": "",
- "LastModified": "",
+ "LastModified": "2/26/2024",
 "Details": {
 "Website": "",
 "PEMetadata": {
@@ -7035,28 +7178,38 @@
 "Capabilities": [],
 "Vulnerabilities": [],
 "InstallationPaths": [
- "C:\\*\\puttytray.exe",
- "*\\puttytray.exe"
+ "JumpCloud*.exe "
 ]
 },
 "Artifacts": {
 "Disk": [],
 "EventLog": [],
 "Registry": [],
- "Network": []
+ "Network": [
+ {
+ "Description": "Known remote domains",
+ "Domains": [
+ "*.api.jumpcloud.com",
+ "*.assist.jumpcloud.com"
+ ],
+ "Ports": []
+ }
+ ]
 },
 "Detections": [
 {
- "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/putty_tray_processes_sigma.yml",
- "Description": "Detects potential processes activity of PuTTY Tray RMM tool"
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_cloud_network_sigma.yml",
+ "Description": "Detects potential network activity of Jump Cloud RMM tool"
 }
 ],
- "References": [],
+ "References": [
+ "https://jumpcloud.com/support/understand-remote-assist-agent"
+ ],
 "Acknowledgement": []
 },
 {
- "Name": "XRDP",
- "Description": "XRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
+ "Name": "Remote Desktop Manager (Devolutions)",
+ "Description": "Remote Desktop Manager (Devolutions) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
 "Author": "",
 "Created": "",
 "LastModified": "",
@@ -7086,8 +7239,8 @@
 "Acknowledgement": []
 },
 {
- "Name": "FastViewer",
- "Description": "FastViewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
+ "Name": "AweRay",
+ "Description": "AweRay is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
 "Author": "",
 "Created": "",
 "LastModified": "2/7/2024",
@@ -7105,9 +7258,8 @@
 "Capabilities": [],
 "Vulnerabilities": [],
 "InstallationPaths": [
- "fastclient.exe",
- "fastmaster.exe",
- "FastViewer.exe"
+ "aweray_remote*.exe",
+ "AweSun.exe"
 ]
 },
 "Artifacts": {
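Review bot: The new Jump Cloud InstallationPaths value `"JumpCloud*.exe "` carries a trailing space inside the string, so an exact or glob match against a process or file name will never fire; the Syncro domain `"app.kabuto.io "` in the hunk at -6504 has the same defect. Several other new-side entries put non-pattern text into fields that detection tooling will consume as patterns, namely the `"user_managed"` placeholder listed as a domain (hunks at -6815, -7175, -7232, -7339) and the prose sentence stored twice as an InstallationPaths value for Mocha VNC Lite (hunk at -6805). This file looks generated from the YAML sources, given that a ScreenConnect-only change churned thousands of lines here, so the corrections presumably belong in the corresponding YAML entries rather than in this output; the generator could also strip surrounding whitespace and drop duplicate or placeholder values before emitting. If entry order in the generated output is not deterministic, stabilising it (for example sorting by Name) would keep future diffs to the intended change.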
@@ -7118,8 +7270,8 @@
 {
 "Description": "Known remote domains",
 "Domains": [
- "*.fastviewer.com",
- "fastviewer.com"
+ "asapi*.aweray.net",
+ "client-api.aweray.com"
 ],
 "Ports": []
 }
@@ -7127,22 +7279,22 @@
 },
 "Detections": [
 {
- "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fastviewer_network_sigma.yml",
- "Description": "Detects potential network activity of FastViewer RMM tool"
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray_network_sigma.yml",
+ "Description": "Detects potential network activity of AweRay RMM tool"
 },
 {
- "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fastviewer_processes_sigma.yml",
- "Description": "Detects potential processes activity of FastViewer RMM tool"
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray_processes_sigma.yml",
+ "Description": "Detects potential processes activity of AweRay RMM tool"
 }
 ],
 "References": [
- "https://fastviewer.com/demo/EN_FastViewer_Server%20Installation%20Configuration.pdf"
+ "https://sun.aweray.com/help"
 ],
 "Acknowledgement": []
 },
 {
- "Name": "Jump Desktop",
- "Description": "Jump Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
+ "Name": "Remobo",
+ "Description": "Remobo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
 "Author": "",
 "Created": "",
 "LastModified": "2/9/2024",
@@ -7160,11 +7312,9 @@
 "Capabilities": [],
 "Vulnerabilities": [],
 "InstallationPaths": [
- "jumpclient.exe",
- "jumpdesktop.exe",
- "jumpservice.exe",
- "jumpconnect.exe",
- "jumpupdater.exe"
+ "remobo.exe",
+ "remobo_client.exe",
+ "remobo_tracker.exe"
 ]
 },
 "Artifacts": {
@@ -7175,10 +7325,8 @@
 {
 "Description": "Known remote domains",
 "Domains": [
- "*.jumpdesktop.com",
- "jumpdesktop.com",
- "jumpto.me",
- "*.jumpto.me"
+ "user_managed",
+ "remobo.en.softonic.com"
 ],
 "Ports": []
 }
@@ -7186,25 +7334,25 @@
 },
 "Detections": [
 {
- "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_desktop_network_sigma.yml",
- "Description": "Detects potential network activity of Jump Desktop RMM tool"
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remobo_network_sigma.yml",
+ "Description": "Detects potential network activity of Remobo RMM tool"
 },
 {
- "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_desktop_processes_sigma.yml",
- "Description": "Detects potential processes activity of Jump Desktop RMM tool"
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remobo_processes_sigma.yml",
+ "Description": "Detects potential processes activity of Remobo RMM tool"
 }
 ],
 "References": [
- "https://support.jumpdesktop.com/hc/en-us/articles/360042490351-Administrators-Guide-For-Jump-Desktop-Connect"
+ "https://www.remobo.com - DOA as of 2024"
 ],
 "Acknowledgement": []
 },
 {
- "Name": "Ivanti Remote Control",
- "Description": "Ivanti Remote Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
+ "Name": "ESET Remote Administrator",
+ "Description": "ESET Remote Administrator is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.",
 "Author": "",
 "Created": "",
- "LastModified": "2/9/2024",
+ "LastModified": "2/7/2024",
 "Details": {
 "Website": "",
 "PEMetadata": {
@@ -7219,9 +7367,11 @@
 "Capabilities": [],
 "Vulnerabilities": [],
 "InstallationPaths": [
- "IvantiRemoteControl.exe",
- "ArcUI.exe",
- "AgentlessRC.exe"
+ "era.exe",
+ "einstaller.exe",
+ "ezhelp*.exe",
+ "eratool.exe",
+ "ERAAgent.exe"
 ]
 },
 "Artifacts": {
@@ -7232,7 +7382,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.ivanticloud.com" + "user_managed", + "eset.com/me/business/remote-management/remote-administrator/" ], "Ports": [] } @@ -7240,25 +7391,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ivanti_remote_control_network_sigma.yml", - "Description": "Detects potential network activity of Ivanti Remote Control RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_network_sigma.yml", + "Description": "Detects potential network activity of ESET Remote Administrator RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ivanti_remote_control_processes_sigma.yml", - "Description": "Detects potential processes activity of Ivanti Remote Control RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_processes_sigma.yml", + "Description": "Detects potential processes activity of ESET Remote Administrator RMM tool" } ], "References": [ - "https://rc1.ivanticloud.com/" + "eset.com/me/business/remote-management/remote-administrator/" ], "Acknowledgement": [] }, { - "Name": "BeInSync", - "Description": "BeInSync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Ultra VNC", + "Description": "Ultra VNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/26/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -7273,42 +7424,31 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "Beinsync*.exe" + "C:\\Program Files\\uvnc bvba\\UltraVNC\\*", + "*\\uvnc bvba\\UltraVNC\\*", + "*\\UVNC_Launch.exe", + "*\\winvnc.exe", + "*\\vncviewer.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.beinsync.net", - "*.beinsync.com" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beinsync_network_sigma.yml", - "Description": "Detects potential network activity of BeInSync RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beinsync_processes_sigma.yml", - "Description": "Detects potential processes activity of BeInSync RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultra_vnc_processes_sigma.yml", + "Description": "Detects potential processes activity of Ultra VNC RMM tool" } ], - "References": [ - "https://en.wikipedia.org/wiki/Phoenix_Technologies" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "NateOn-desktop sharing", - "Description": "NateOn-desktop sharing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "pcAnywhere", + "Description": "pcAnywhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -7326,9 +7466,10 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "nateon*.exe", - "nateon.exe", - "nateonmain.exe" + "awhost32.exe", + "awrem32.exe", + "pcaquickconnect.exe", + "winaw32.exe" ] }, "Artifacts": { @@ -7339,7 +7480,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.nate.com" + "user_managed" ], "Ports": [] } 
@@ -7347,25 +7488,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nateon-desktop_sharing_network_sigma.yml", - "Description": "Detects potential network activity of NateOn-desktop sharing RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcanywhere_network_sigma.yml", + "Description": "Detects potential network activity of pcAnywhere RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nateon-desktop_sharing_processes_sigma.yml", - "Description": "Detects potential processes activity of NateOn-desktop sharing RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcanywhere_processes_sigma.yml", + "Description": "Detects potential processes activity of pcAnywhere RMM tool" } ], "References": [ - "http://rsupport.nate.com/rview/r8/main/index.aspx" + "https://en.wikipedia.org/wiki/PcAnywhere" ], "Acknowledgement": [] }, { - "Name": "Xeox", - "Description": "Xeox is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Remote.it", + "Description": "Remote.it is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -7380,10 +7521,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "xeox-agent_x64.exe", - "xeox_service_windows.exe", - "xeox-agent_*.exe", - "xeox-agent_x86.exe" + "remote-it-installer.exe", + "remote.it.exe", + "remoteit.exe" ] }, "Artifacts": { @@ -7394,8 +7534,9 @@ { "Description": "Known remote domains", "Domains": [ - "*.xeox.com", - "xeox.com" + "auth.api.remote.it", + "api.remote.it", + "remote.it" ], "Ports": [] } 
@@ -7403,25 +7544,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xeox_network_sigma.yml", - "Description": "Detects potential network activity of Xeox RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote.it_network_sigma.yml", + "Description": "Detects potential network activity of Remote.it RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xeox_processes_sigma.yml", - "Description": "Detects potential processes activity of Xeox RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote.it_processes_sigma.yml", + "Description": "Detects potential processes activity of Remote.it RMM tool" } ], "References": [ - "https://help.xeox.com/knowledge-base/gSuyNfDH6u79M82utnswf2/firewall-settings-xeox-agent-and-integrations/47T7S9tZJ2L1Z2W5gwuXoW" + "https://docs.remote.it/introduction/get-started" ], "Acknowledgement": [] }, { - "Name": "WinSCP", - "Description": "WinSCP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Guacamole", + "Description": "Guacamole is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -7436,33 +7577,45 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Users\\IEUser\\Downloads\\WinSCP-5.21.6-Portable\\*", - "*\\WinSCP*Portable\\*", - "*\\WinSCP.exe", - "*\\WinSCP\\*" + "guacd.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "user_managed", + "guacamole.apache.org" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/winscp_processes_sigma.yml", - "Description": "Detects potential processes activity of WinSCP RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/guacamole_network_sigma.yml", + "Description": "Detects potential network activity of Guacamole RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/guacamole_processes_sigma.yml", + "Description": "Detects potential processes activity of Guacamole RMM tool" } ], - "References": [], + "References": [ + "guacamole.apache.org" + ], "Acknowledgement": [] }, { - "Name": "DW Service", - "Description": "DW Service is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Addigy", + "Description": "Addigy is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/27/2024", "Details": { "Website": "", "PEMetadata": { @@ -7477,9 +7630,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "dwagsvc.exe", - "dwagent.exe", - "dwagsvc.exe" + "addigy-*.pkg" ] }, "Artifacts": { @@ -7490,7 +7641,9 @@ { "Description": "Known remote domains", "Domains": [ - "*.dwservice.net" + "prod.addigy.com", + "grtmprod.addigy.com", + "agents.addigy.com" ], "Ports": [] } 
@@ -7498,25 +7651,21 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_network_sigma.yml", - "Description": "Detects potential network activity of DW Service RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_processes_sigma.yml", - "Description": "Detects potential processes activity of DW Service RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/addigy_network_sigma.yml", + "Description": "Detects potential network activity of Addigy RMM tool" } ], "References": [ - "https://news.dwservice.net/dwservice-security-infrastructure/" + "https://addigy.com/" ], "Acknowledgement": [] }, { - "Name": "NTR Remote", - "Description": "NTR Remote is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "AeroAdmin", + "Description": "AeroAdmin is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/26/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -7531,7 +7680,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "NTRsupportPro_EN.exe" + "aeroadmin.exe", + "AeroAdmin.exe" ] }, "Artifacts": { @@ -7542,7 +7692,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.ntrsupport.com" + "auth*.aeroadmin.com", + "aeroadmin.com" ], "Ports": [] } 
@@ -7550,25 +7701,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ntr_remote_network_sigma.yml", - "Description": "Detects potential network activity of NTR Remote RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aeroadmin_network_sigma.yml", + "Description": "Detects potential network activity of AeroAdmin RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ntr_remote_processes_sigma.yml", - "Description": "Detects potential processes activity of NTR Remote RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aeroadmin_processes_sigma.yml", + "Description": "Detects potential processes activity of AeroAdmin RMM tool" } ], "References": [ - "DOA as of 2024" + "https://support.aeroadmin.com/kb/faq.php?id=58" ], "Acknowledgement": [] }, { - "Name": "TurboMeeting", - "Description": "TurboMeeting is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Access Remote PC", + "Description": "Access Remote PC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -7583,47 +7734,31 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "pcstarter.exe", - "turbomeeting.exe", - "turbomeetingstarter.exe" + "rpcgrab.exe", + "rpcsetup.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "user_managed", - "acceo.com/turbomeeting/" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/turbomeeting_network_sigma.yml", - "Description": "Detects potential network activity of TurboMeeting RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/turbomeeting_processes_sigma.yml", - "Description": "Detects potential processes activity of TurboMeeting RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/access_remote_pc_processes_sigma.yml", + "Description": "Detects potential processes activity of Access Remote PC RMM tool" } ], - "References": [ - "http://sourcing.rhubcom.com/v5/faqs.html#collapsetwentysix2-topdiv" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "RemoteUtilities", - "Description": "RemoteUtilities is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Acronic Cyber Protect (Remotix)", + "Description": "Acronic Cyber Protect (Remotix) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/26/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -7638,12 +7773,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "rutview.exe", - "*\\Remote Manipulator System - Server\\*", - "C:\\Program Files\\Remote Utilities\\*", - "*\\Remote Utilities\\*", - "rutserv.exe", - "*\\rutserv.exe" + "AcronisCyberProtectConnectQuickAssist*.exe", + "AcronisCyberProtectConnectAgent.exe" ] }, "Artifacts": { @@ -7654,7 +7785,10 @@ { "Description": "Known remote domains", "Domains": [ - "remoteutilities.com" + "cloud.acronis.com", + "agents*-cloud.acronis.com", + "gw.remotix.com", + "connect.acronis.com" ], "Ports": [] } 
@@ -7662,23 +7796,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteutilities_network_sigma.yml", - "Description": "Detects potential network activity of RemoteUtilities RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/acronic_cyber_protect__remotix__network_sigma.yml", + "Description": "Detects potential network activity of Acronic Cyber Protect (Remotix) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteutilities_processes_sigma.yml", - "Description": "Detects potential processes activity of RemoteUtilities RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/acronic_cyber_protect__remotix__processes_sigma.yml", + "Description": "Detects potential processes activity of Acronic Cyber Protect (Remotix) RMM tool" } ], - "References": [], + "References": [ + "https://kb.acronis.com/content/47189" + ], "Acknowledgement": [] }, { - "Name": "Pulseway", - "Description": "Pulseway is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Instant Housecall", + "Description": "Instant Housecall is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -7693,8 +7829,10 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "PCMonitorManager.exe", - "pcmonitorsrv.exe" + "hsloader.exe", + "InstantHousecall.exe", + "ihcserver.exe", + "instanthousecall.exe" ] }, "Artifacts": { 
@@ -7705,30 +7843,33 @@ { "Description": "Known remote domains", "Domains": [ - "pulseway.com" - ], - "Ports": [] - } + "*.instanthousecall.com", + "secure.instanthousecall.com", + "*.instanthousecall.net", + "instanthousecall.com" + ], + "Ports": [] + } ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pulseway_network_sigma.yml", - "Description": "Detects potential network activity of Pulseway RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_network_sigma.yml", + "Description": "Detects potential network activity of Instant Housecall RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pulseway_processes_sigma.yml", - "Description": "Detects potential processes activity of Pulseway RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_processes_sigma.yml", + "Description": "Detects potential processes activity of Instant Housecall RMM tool" } ], "References": [ - "https://intercom.help/pulseway/en/" + "https://instanthousecall.com/features/" ], "Acknowledgement": [] }, { - "Name": "Panorama9", - "Description": "Panorama9 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "SkyFex", + "Description": "SkyFex is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -7746,7 +7887,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "p9agent*.exe" + "Deskroll.exe", + "DeskRollUA.exe" ] }, "Artifacts": { @@ -7757,9 +7899,9 @@ { "Description": "Known remote domains", "Domains": [ - "trusted.panorama9.com", - "changes.panorama9.com", - "panorama9.com" + "skyfex.com", + "deskroll.com", + "*.deskroll.com" ], "Ports": [] } 
@@ -7767,382 +7909,78 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/panorama9_network_sigma.yml", - "Description": "Detects potential network activity of Panorama9 RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/skyfex_network_sigma.yml", + "Description": "Detects potential network activity of SkyFex RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/panorama9_processes_sigma.yml", - "Description": "Detects potential processes activity of Panorama9 RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/skyfex_processes_sigma.yml", + "Description": "Detects potential processes activity of SkyFex RMM tool" } ], "References": [ - "https://support.panorama9.com/en/articles/1859605-what-ports-and-hosts-does-the-p9-agent-communicate-with" + "https://skyfex.com/" ], "Acknowledgement": [] }, { - "Name": "Atera", - "Description": "Atera is a remote monitoring and management (RMM) tool. It is used by threat actors to deploy ransomware or facilitate command execution and lateral movement.\n", - "Created": "2024-08-03", - "LastModified": "2024-10-06", + "Name": "PSEXEC", + "Description": "PSEXEC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/9/2024", "Details": { - "Website": "https://www.atera.com/", - "PEMetadata": [ - { - "Filename": "AteraAgent.exe", - "OriginalFileName": "AteraAgent.exe", - "Description": "AteraAgent" - } - ], - "Privileges": "SYSTEM", - "Free": "30 day trial", - "Verification": "None", - "SupportedOS": [ - "Windows", - "MacOS", - "Linux" - ], - "Capabilities": [ - "Integrated remote access with Splashtop and AnyDesk", - "Remote monitoring and management", - "Patch management", - "Network discovery", - "Backup and disaster recovery", - "Helpdesk and ticketing", - "Reporting and analytics", - "Billing and invoicing", - "Customer portal", - "Mobile app" - ], - "Vulnerabilities": [ - "CVE-2023-26078", - "CVE-2023-26077" - ], + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], "InstallationPaths": [ - "*\\AgentPackageNetworkDiscovery.exe", - "*\\AgentPackageTaskScheduler.exe", - "*\\ATERA Networks\\AteraAgent\\*", - "*\\AteraAgent.exe", - "atera_agent.exe", - "atera_agent.exe", - "ateraagent.exe", - "C:\\Program Files\\ATERA Networks\\AteraAgent\\*", - "C:\\Program Files\\Atera Networks", - "C:\\Program Files (x86)\\Atera Networks", - "syncrosetup.exe" + "psexec.exe", + "psexecsvc.exe" ] }, "Artifacts": { - "Disk": [ - { - "File": "C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageRunCommandInteractive\\log.txt", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\*", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe", - "Description": "Atera service binary", - "OS": "Windows" - }, - { - "File": "C:\\Program Files\\Atera 
Networks\\AlphaAgent.exe", - "Description": "Atera service binary", - "OS": "Windows" - }, - { - "File": "C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageSTRemote\\AgentPackageSTRemote.exe", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageMonitoring\\AgentPackageMonitoring.exe", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageHeartbeat\\AgentPackageHeartbeat.exe", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageFileExplorer\\AgentPackageFileExplorer.exe", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageRunCommandInteractive\\AgentPackageRunCommandInteractive.exe", - "Description": "N/A", - "OS": "Windows" - } - ], - "EventLog": [ - { - "EventID": 7045, - "ProviderName": "Service Control Manager", - "LogFile": "System.evtx", - "ServiceName": "AteraAgent", - "ImagePath": "\"C:\\\\Program Files (x86)\\\\ATERA Networks\\\\AteraAgent\\\\AteraAgent.exe\"", - "Description": "Service installation event as result of AteraAgent installation." - }, - { - "EventID": 7045, - "ProviderName": "Service Control Manager", - "LogFile": "System.evtx", - "ServiceName": "WinRing0_1_2_0", - "ImagePath": "\"C:\\\\Program Files (x86)\\\\ATERA Networks\\\\AteraAgent\\\\Packages\\\\AgentPackageMonitoring\\\\OpenHardwareMonitorLib.sys\"", - "Description": "Service installation event as result of Atera pakcage manager installation." - }, - { - "EventID": 11707, - "ProviderName": "MsiInstaller", - "LogFile": "Application.evtx", - "Data": "Product: AteraAgent -- Installation completed successfully.", - "Description": "Service installation event as result of AteraAgent installation." 
- }, - { - "EventID": 4697, - "ProviderName": "Microsoft-Security-Auditing", - "LogFile": "Security.evtx", - "CommandLine": "C:\\\\Program Files\\\\ATERA Networks\\\\AteraAgent\\\\Packages\\\\AgentPackageFileExplorer\\\\AgentPackageFileExplorer.exe XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX agent-api.atera.com/Production 443 [BASE64BLOB]", - "Description": "Service installation event as result of AteraAgent installation." - } - ], - "Registry": [ - { - "Path": "HKLM\\SOFTWARE\\ATERA Networks\\AlphaAgent", - "Description": null - }, - { - "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\AteraAgent", - "Description": null - }, - { - "Path": "KLM\\SOFTWARE\\WOW6432Node\\Splashtop Inc.", - "Description": null - }, - { - "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Splashtop Software Updater", - "Description": null - }, - { - "Path": "HKLM\\SYSTEM\\ControlSet\\Services\\EventLog\\Application\\AlphaAgent", - "Description": null - }, - { - "Path": "HKLM\\SYSTEM\\ControlSet\\Services\\EventLog\\Application\\AteraAgent", - "Description": null - }, - { - "Path": "HKLM\\SOFTWARE\\Microsoft\\Tracing\\AteraAgent_RASAPI32", - "Description": null - }, - { - "Path": "HKLM\\SOFTWARE\\Microsoft\\Tracing\\AteraAgent_RASMANCS", - "Description": null - }, - { - "Path": "HKLM\\SOFTWARE\\ATERA Networks\\*", - "Description": null - } - ], + "Disk": [], + "EventLog": [], + "Registry": [], "Network": [ { - "Description": "N/A", - "Domains": [ - "pubsub.atera.com" - ], - "Ports": [ - "N/A" - ] - }, - { - "Description": "N/A", - "Domains": [ - "pubsub.pubnub.com" - ], - "Ports": [ - "N/A" - ] - }, - { - "Description": "N/A", + "Description": "Known remote domains", "Domains": [ - "agentreporting.atera.com" + "user_managed" ], - "Ports": [ - "N/A" - ] - }, - { - "Description": "N/A", - "Domains": [ - "getalphacontrol.com" - ], - "Ports": [ - "N/A" - ] - }, - { - "Description": "N/A", - "Domains": [ - "app.atera.com" - ], - 
"Ports": [ - "N/A" - ] - }, - { - "Description": "N/A", - "Domains": [ - "agenthb.atera.com" - ], - "Ports": [ - "N/A" - ] - }, - { - "Description": "N/A", - "Domains": [ - "packagesstore.blob.core.windows.net" - ], - "Ports": [ - "N/A" - ] - }, - { - "Description": "N/A", - "Domains": [ - "ps.pndsn.com" - ], - "Ports": [ - "N/A" - ] - }, - { - "Description": "N/A", - "Domains": [ - "agent-api.atera.com" - ], - "Ports": [ - "N/A" - ] - }, - { - "Description": "N/A", - "Domains": [ - "cacerts.thawte.com" - ], - "Ports": [ - "N/A" - ] - }, - { - "Description": "N/A", - "Domains": [ - "agentreportingstore.blob.core.windows.net" - ], - "Ports": [ - "N/A" - ] - }, - { - "Description": "N/A", - "Domains": [ - "atera-agent-heartbeat.servicebus.windows.net" - ], - "Ports": [ - "N/A" - ] - }, - { - "Description": "N/A", - "Domains": [ - "ps.atera.com" - ], - "Ports": [ - "N/A" - ] - }, - { - "Description": "N/A", - "Domains": [ - "atera.pubnubapi.com" - ], - "Ports": [ - "N/A" - ] - }, - { - "Description": "N/A", - "Domains": [ - "appcdn.atera.com" - ], - "Ports": [ - "N/A" - ] + "Ports": [] } ] }, "Detections": [ { - "Sigma": "https://github.com/The-DFIR-Report/Sigma-Rules/blob/d67407d357ad32b247e2a303abc5a38bb30fd576/rules/windows/process_creation/proc_creation_win_ateraagent_malicious_installations.yml", - "Name": "AteraAgent malicious installations", - "Description": "Detects AteraAgent installations with suspicious command line arguments." - }, - { - "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yml", - "Name": "Atera Agent Installation", - "Description": "Detects Atera Agent installation." 
- }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_registry_sigma.yml", - "Description": "Detects potential registry activity of Atera RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_network_sigma.yml", - "Description": "Detects potential network activity of Atera RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_files_sigma.yml", - "Description": "Detects potential files activity of Atera RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec_network_sigma.yml", + "Description": "Detects potential network activity of PSEXEC RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_processes_sigma.yml", - "Description": "Detects potential processes activity of Atera RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec_processes_sigma.yml", + "Description": "Detects potential processes activity of PSEXEC RMM tool" } ], "References": [ - "https://support.atera.com/hc/en-us/articles/360015461139-Firewall-Settings-for-Atera-s-Integrations", - "https://support.atera.com/hc/en-us/articles/215955967-Troubleshoot-Atera-s-Windows-agent", - "https://support.atera.com/hc/en-us/articles/115015619747-Release-Notes-February-2018", - "https://thedfirreport.com/?s=ateraagent" + "https://learn.microsoft.com/en-us/sysinternals/downloads/psexec" ], - "Acknowledgement": [ - { - "Person": "Théo Letailleur", - "Handle": "in/theosyn" - }, - { - "Person": "Nasreddine Bencherchali", - "Handle": "@nas_bench" - }, - { - "Person": "Kostas", - "Handle": "@kostastsale" - } - ] + "Acknowledgement": [] }, { - "Name": "JollysFastVNC", - "Description": "JollysFastVNC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Name": "MSP360", + "Description": "MSP360 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -8156,21 +7994,55 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "Online Backup.exe", + "CBBackupPlan.exe", + "Cloud.Backup.Scheduler.exe", + "Cloud.Backup.RM.Service.exe", + "cbb.exe", + "CloudRaService.exe", + "CloudRaSd.exe", + "CloudRaCmd.exe", + "CloudRaUtilities.exe", + "Remote Desktop.exe", + "Connect.exe" + ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.cloudberrylab.com", + "*.msp360.com", + "*.mspbackups.com", + "msp360.com" + ], + "Ports": [] + } + ] }, - "Detections": [], - "References": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/msp360_network_sigma.yml", + "Description": "Detects potential network activity of MSP360 RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/msp360_processes_sigma.yml", + "Description": "Detects potential processes activity of MSP360 RMM tool" + } + ], + "References": [ + "https://kb.msp360.com/managed-backup-service/mbs-tcp-ports-configuration#" + ], "Acknowledgement": [] }, { - "Name": "RunSmart", - "Description": "RunSmart is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "SecureCRT", + "Description": "SecureCRT is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -8187,37 +8059,33 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "C:\\*\\SecureCRT.EXE", + "*\\SecureCRT.EXE", + "*\\VanDyke Software\\ClientPack\\*" + ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "runsmart.io" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/runsmart_network_sigma.yml", - "Description": "Detects potential network activity of RunSmart RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/securecrt_processes_sigma.yml", + "Description": "Detects potential processes activity of SecureCRT RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "Chrome Remote Desktop", - "Description": "Chrome Remote Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "VNC", + "Description": "VNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { @@ -8232,11 +8100,13 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "remote_host.exe", - "remoting_host.exe", - "C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\*", - "*\\Google\\Chrome Remote Desktop\\*", - "*\\remoting_host.exe" + "winvnc*.exe", + "vncserver.exe", + "winwvc.exe", + "winvncsc.exe", + "vncserverui.exe", + "vncviewer.exe", + "winvnc.exe" ] }, "Artifacts": { @@ -8247,9 +8117,8 @@ { "Description": "Known remote domains", "Domains": [ - "*remotedesktop.google.com", - "*remotedesktop-pa.googleapis.com", - "remotedesktop.google.com" + "user_managed", + "realvnc.com/en/connect/download/vnc" ], "Ports": [] } 
@@ -8257,22 +8126,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_network_sigma.yml", - "Description": "Detects potential network activity of Chrome Remote Desktop RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/vnc_network_sigma.yml", + "Description": "Detects potential network activity of VNC RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_processes_sigma.yml", - "Description": "Detects potential processes activity of Chrome Remote Desktop RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/vnc_processes_sigma.yml", + "Description": "Detects potential processes activity of VNC RMM tool" } ], "References": [ - "https://support.google.com/chrome/a/answer/2799701?hl=en" + "https://realvnc.com/en/connect/download/vnc" ], "Acknowledgement": [] }, { - "Name": "Netviewer (GoToMeet)", - "Description": "Netviewer (GoToMeet) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Panorama9", + "Description": "Panorama9 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", 
@@ -8290,49 +8159,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "nvClient.exe", - "netviewer.exe" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [] - }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer__gotomeet__processes_sigma.yml", - "Description": "Detects potential processes activity of Netviewer (GoToMeet) RMM tool" - } - ], - "References": [ - "Obsolute - found copy here: https://www.enviolet.com/en/service/online-consultant.html" - ], - "Acknowledgement": [] - }, - { - "Name": "Netviewer", - "Description": "Netviewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "netviewer*.exe", - "netviewer.exe" + "p9agent*.exe" ] }, "Artifacts": { @@ -8343,7 +8170,9 @@ { "Description": "Known remote domains", "Domains": [ - "download.cnet.com/Net-Viewer/3000-2370_4-10034828.html" + "trusted.panorama9.com", + "changes.panorama9.com", + "panorama9.com" ], "Ports": [] } 
@@ -8351,23 +8180,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer_network_sigma.yml", - "Description": "Detects potential network activity of Netviewer RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/panorama9_network_sigma.yml", + "Description": "Detects potential network activity of Panorama9 RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer_processes_sigma.yml", - "Description": "Detects potential processes activity of Netviewer RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/panorama9_processes_sigma.yml", + "Description": "Detects potential processes activity of Panorama9 RMM tool" } ], - "References": [], + "References": [ + "https://support.panorama9.com/en/articles/1859605-what-ports-and-hosts-does-the-p9-agent-communicate-with" + ], "Acknowledgement": [] }, { - "Name": "ConnectWise Control", - "Description": "ConnectWise Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "FixMe.it", + "Description": "FixMe.it is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -8382,9 +8213,17 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "connectwisechat-customer.exe", - "connectwisecontrol.client.exe", - "screenconnect.windowsclient.exe" + "FixMeit Client.exe", + "TiExpertStandalone.exe", + "FixMeitClient*.exe", + "TiExpertCore.exe", + "FixMeit Unattended Access Setup.exe", + "FixMeit Expert Setup.exe", + "TiExpertCore.exe", + "fixmeitclient.exe", + "TiClientCore.exe", + "TiClientHelper*.exe", + "9380CC75B872221A7425D7503565B67580407F60" ] }, "Artifacts": { 
@@ -8395,8 +8234,11 @@ { "Description": "Known remote domains", "Domains": [ - "live.screenconnect.com", - "control.connectwise.com" + "*.fixme.it", + "*.techinline.net", + "fixme.it", + "*set.me", + "*setme.net" ], "Ports": [] } 
@@ -8404,63 +8246,23 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_network_sigma.yml", - "Description": "Detects potential network activity of ConnectWise Control RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_processes_sigma.yml", - "Description": "Detects potential processes activity of ConnectWise Control RMM tool" - } - ], - "References": [], - "Acknowledgement": [] - }, - { - "Name": "ExtraPuTTY", - "Description": "ExtraPuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme_network_sigma.yml", + "Description": "Detects potential network activity of FixMe RMM tool" }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\Users\\*\\ExtraPuTTY-0.30-2016-01-28-installer.exe", - "*Users\\*\\ExtraPuTTY-0.30-2016-01-28-installer.exe", - "*\\ExtraPuTTY-0.30-2016-01-28-installer.exe" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [] - }, - "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/extraputty_processes_sigma.yml", - "Description": "Detects potential processes activity of ExtraPuTTY RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme_processes_sigma.yml", + "Description": "Detects potential processes activity of FixMe RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "FleetDeck.io", - "Description": "FleetDeck.io is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Name": "ISL Online", + "Description": "ISL Online is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -8475,11 +8277,14 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "fleetdeck_agent_svc.exe", - "fleetdeck_commander_svc.exe", - "fleetdeck_installer.exe", - "fleetdeck_commander_launcher.exe", - "fleetdeck_agent.exe" + "*\\ISLLight.exe", + "isllight.exe", + "ISLLightClient.exe", + "C:\\Program Files (x86)\\ISL Online\\ISL Light*", + "*\\ISL Online\\ISL Light*", + "ISLLight.exe", + "isllightservice.exe", + "islalwaysonmonitor.exe" ] }, "Artifacts": { @@ -8490,9 +8295,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.fleetdeck.io", - "cognito-idp.us-west-2.amazonaws.com", - "fleetdeck.io" + "*.islonline.com", + "*.islonline.net" ], "Ports": [] } 
@@ -8500,25 +8304,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdesk.io_network_sigma.yml", - "Description": "Detects potential network activity of FleetDesk.io RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_network_sigma.yml", + "Description": "Detects potential network activity of ISL Online RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdesk.io_processes_sigma.yml", - "Description": "Detects potential processes activity of FleetDesk.io RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_processes_sigma.yml", + "Description": "Detects potential processes activity of ISL Online RMM tool" } ], "References": [ - "https://fleetdeck.io/faq/" + "https://help.islonline.com/19818/165940" ], "Acknowledgement": [] }, { - "Name": "HelpU", - "Description": "HelpU is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "RES Automation Manager", + "Description": "RES Automation Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -8533,9 +8337,10 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "helpu_install.exe", - "HelpuUpdater.exe", - "HelpuManager.exe" + "wisshell*.exe", + "wmc.exe", + "wmc_deployer.exe", + "wmcsvc.exe" ] }, "Artifacts": { @@ -8546,8 +8351,8 @@ { "Description": "Known remote domains", "Domains": [ - "helpu.co.kr", - "*.helpu.co.kr" + "user_managed", + "ivanti.com/" ], "Ports": [] } 
@@ -8555,613 +8360,382 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpu_network_sigma.yml", - "Description": "Detects potential network activity of HelpU RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/res_automation_manager_network_sigma.yml", + "Description": "Detects potential network activity of RES Automation Manager RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpu_processes_sigma.yml", - "Description": "Detects potential processes activity of HelpU RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/res_automation_manager_processes_sigma.yml", + "Description": "Detects potential processes activity of RES Automation Manager RMM tool" } ], "References": [ - "https://helpu.co.kr/" + "https://forums.ivanti.com/s/article/INFO-Which-ports-does-Ivanti-Automation-use?language=en_US&ui-force-components-controllers-recordGlobalValueProvider.RecordGvp.getRecord=1" ], "Acknowledgement": [] }, { - "Name": "ToDesk", - "Description": "ToDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/14/2024", + "Name": "Atera", + "Description": "Atera is a remote monitoring and management (RMM) tool. 
It is used by threat actors to deploy ransomware or facilitate command execution and lateral movement.\n", + "Created": "2024-08-03", + "LastModified": "2024-10-06", "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "todesk.exe", - "ToDesk_Service.exe", - "ToDesk_Setup.exe" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [ + "Website": "https://www.atera.com/", + "PEMetadata": [ { - "Description": "Known remote domains", - "Domains": [ - "todesk.com", - "*.todesk.com", - "*.todesk.com", - "todesktop.com" - ], - "Ports": [] - } - ] - }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/todesk_network_sigma.yml", - "Description": "Detects potential network activity of ToDesk RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/todesk_processes_sigma.yml", - "Description": "Detects potential processes activity of ToDesk RMM tool" - } - ], - "References": [ - "https://www.todesk.com/" - ], - "Acknowledgement": [] - }, - { - "Name": "RAdmin", - "Description": "RAdmin is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.\n", - "Author": "Nasreddine Bencherchali", - "Created": "2024-08-05", - "LastModified": "2024-08-05", - "Details": { - "Website": "https://www.radmin.com/", - "PEMetadata": [ - { - "Filename": "RServer3.exe", - "OriginalFileName": "RServer3.exe", - "InternalName": "RServer3", - "Description": "Radmin Server", - "Product": "Radmin Server", - "Comments": "Radmin - Remote Control Server" - }, - { - "Filename": "Radmin.exe", - "OriginalFileName": "Radmin.exe", - "InternalName": "Radmin", - "Description": "Radmin Viewer", - "Product": "Radmin Viewer", - "Comments": "Radmin Viewer" + "Filename": "AteraAgent.exe", + "OriginalFileName": "AteraAgent.exe", + "Description": "AteraAgent" } ], - "Privileges": "", - "Free": "", - "Verification": "", + "Privileges": "SYSTEM", + "Free": "30 day trial", + "Verification": "None", "SupportedOS": [ - "Windows" + "Windows", + "MacOS", + "Linux" + ], + "Capabilities": [ + "Integrated remote access with Splashtop and AnyDesk", + "Remote monitoring and management", + "Patch management", + "Network discovery", + "Backup and disaster recovery", + "Helpdesk and ticketing", + "Reporting and analytics", + "Billing and invoicing", + "Customer portal", + "Mobile app" + ], + "Vulnerabilities": [ + "CVE-2023-26078", + "CVE-2023-26077" ], - "Capabilities": [], - "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\Radmin Viewer 3\\Radmin.exe", - "C:\\Windows\\SysWOW64\\rserver30\\rserver3.exe", - "C:\\Windows\\SysWOW64\\rserver30\\FamItrfc", - "C:\\Windows\\SysWOW64\\rserver30\\FamItrf2" + "*\\AgentPackageNetworkDiscovery.exe", + "*\\AgentPackageTaskScheduler.exe", + "*\\ATERA Networks\\AteraAgent\\*", + "*\\AteraAgent.exe", + "atera_agent.exe", + "atera_agent.exe", + "ateraagent.exe", + "C:\\Program Files\\ATERA Networks\\AteraAgent\\*", + "C:\\Program Files\\Atera Networks", + "C:\\Program Files (x86)\\Atera Networks", + "syncrosetup.exe" ] }, "Artifacts": { "Disk": [ { 
- "File": "C:\\Windows\\SysWOW64\\rserver30\\Radm_log.htm", - "Description": "RAdmin log file (32-bit)", + "File": "C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageRunCommandInteractive\\log.txt", + "Description": "N/A", "OS": "Windows" }, { - "File": "C:\\Windows\\System32\\rserver30\\Radm_log.htm", - "Description": "RAdmin log file (64-bit)", + "File": "C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\*", + "Description": "N/A", "OS": "Windows" }, { - "File": "C:\\Windows\\System32\\rserver30\\CHATLOGS\\*\\*.htm", - "Description": "RAdmin chat logs", + "File": "C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe", + "Description": "Atera service binary", "OS": "Windows" }, { - "File": "C:\\Users\\*\\Documents\\ChatLogs\\*\\*.htm", - "Description": "RAdmin user chat logs", + "File": "C:\\Program Files\\Atera Networks\\AlphaAgent.exe", + "Description": "Atera service binary", + "OS": "Windows" + }, + { + "File": "C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageSTRemote\\AgentPackageSTRemote.exe", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageMonitoring\\AgentPackageMonitoring.exe", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageHeartbeat\\AgentPackageHeartbeat.exe", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageFileExplorer\\AgentPackageFileExplorer.exe", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageRunCommandInteractive\\AgentPackageRunCommandInteractive.exe", + "Description": "N/A", "OS": "Windows" } ], - "EventLog": [], + "EventLog": [ + { + "EventID": 7045, + "ProviderName": "Service Control Manager", + "LogFile": "System.evtx", + "ServiceName": "AteraAgent", + 
"ImagePath": "\"C:\\\\Program Files (x86)\\\\ATERA Networks\\\\AteraAgent\\\\AteraAgent.exe\"", + "Description": "Service installation event as result of AteraAgent installation." + }, + { + "EventID": 7045, + "ProviderName": "Service Control Manager", + "LogFile": "System.evtx", + "ServiceName": "WinRing0_1_2_0", + "ImagePath": "\"C:\\\\Program Files (x86)\\\\ATERA Networks\\\\AteraAgent\\\\Packages\\\\AgentPackageMonitoring\\\\OpenHardwareMonitorLib.sys\"", + "Description": "Service installation event as result of Atera pakcage manager installation." + }, + { + "EventID": 11707, + "ProviderName": "MsiInstaller", + "LogFile": "Application.evtx", + "Data": "Product: AteraAgent -- Installation completed successfully.", + "Description": "Service installation event as result of AteraAgent installation." + }, + { + "EventID": 4697, + "ProviderName": "Microsoft-Security-Auditing", + "LogFile": "Security.evtx", + "CommandLine": "C:\\\\Program Files\\\\ATERA Networks\\\\AteraAgent\\\\Packages\\\\AgentPackageFileExplorer\\\\AgentPackageFileExplorer.exe XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX agent-api.atera.com/Production 443 [BASE64BLOB]", + "Description": "Service installation event as result of AteraAgent installation." 
+ } + ], "Registry": [ { - "Path": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Radmin\\v3.0\\Server\\Parameters\\Radmin Security", - "Description": "N/A" + "Path": "HKLM\\SOFTWARE\\ATERA Networks\\AlphaAgent", + "Description": null + }, + { + "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\AteraAgent", + "Description": null + }, + { + "Path": "KLM\\SOFTWARE\\WOW6432Node\\Splashtop Inc.", + "Description": null + }, + { + "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Splashtop Software Updater", + "Description": null + }, + { + "Path": "HKLM\\SYSTEM\\ControlSet\\Services\\EventLog\\Application\\AlphaAgent", + "Description": null + }, + { + "Path": "HKLM\\SYSTEM\\ControlSet\\Services\\EventLog\\Application\\AteraAgent", + "Description": null + }, + { + "Path": "HKLM\\SOFTWARE\\Microsoft\\Tracing\\AteraAgent_RASAPI32", + "Description": null + }, + { + "Path": "HKLM\\SOFTWARE\\Microsoft\\Tracing\\AteraAgent_RASMANCS", + "Description": null + }, + { + "Path": "HKLM\\SOFTWARE\\ATERA Networks\\*", + "Description": null } ], "Network": [ { "Description": "N/A", "Domains": [ - "radmin.com" + "pubsub.atera.com" ], "Ports": [ - 443 + "N/A" ] - } - ] - }, - "Detections": [ - { - "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_pua_radmin.yml", - "Description": "PUA - Radmin Viewer Utility Execution" - }, - { - "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml", - "Description": "Enumeration for 3rd Party Creds From CLI" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_registry_sigma.yml", - "Description": "Detects potential registry activity of RAdmin RMM tool" - }, - { - "Sigma": 
"https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_network_sigma.yml", - "Description": "Detects potential network activity of RAdmin RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_files_sigma.yml", - "Description": "Detects potential files activity of RAdmin RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_processes_sigma.yml", - "Description": "Detects potential processes activity of RAdmin RMM tool" - } - ], - "References": [ - "https://radmin-club.com/radmin/how-to-establish-a-connection-outside-of-lan/", - "https://helpdesk.radmin.com/radmin3help/", - "https://helpdesk.radmin.com/radmin3help/files/viewercmd.htm", - "https://helpdesk.radmin.com/radmin3help/files/cmd.htm" - ], - "Acknowledgement": [ - { - "Person": "Nasreddine Bencherchali", - "Handle": "@nas_bench" - } - ] - }, - { - "Name": "CrossLoop", - "Description": "CrossLoop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/7/2024", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "crossloopservice.exe", - "CrossLoopConnect.exe", - "WinVNCStub.exe" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [ + }, { - "Description": "Known remote domains", + "Description": "N/A", "Domains": [ - "*.crossloop.com", - "crossloop.en.softonic.com" + "pubsub.pubnub.com" ], - "Ports": [] - } - ] - }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crossloop_network_sigma.yml", - "Description": "Detects potential network activity of CrossLoop RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crossloop_processes_sigma.yml", - "Description": "Detects potential processes activity of CrossLoop RMM tool" - } - ], - "References": [ - "www.CrossLoop.com -> redirects to avast.com" - ], - "Acknowledgement": [] - }, - { - "Name": "Centurion", - "Description": "Centurion is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/7/2024", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "ctiserv.exe" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [ + "Ports": [ + "N/A" + ] + }, { - "Description": "Known remote domains", + "Description": "N/A", "Domains": [ - "centuriontech.com" + "agentreporting.atera.com" ], - "Ports": [] - } - ] - }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centurion_network_sigma.yml", - "Description": "Detects potential network activity of Centurion RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centurion_processes_sigma.yml", - "Description": "Detects potential processes activity of Centurion RMM tool" - } - ], - "References": [ - "https://data443.atlassian.net/servicedesk/customer/portal/20" - ], - "Acknowledgement": [] - }, - { - "Name": "KickIdler", - "Description": "KickIdler is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/8/2024", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "grabberEM.*msi", - "grabberTT*.msi" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [ + "Ports": [ + "N/A" + ] + }, { - "Description": "Known remote domains", + "Description": "N/A", "Domains": [ - "kickidler.com", - "my.kickidler.com" + "getalphacontrol.com" ], - "Ports": [] - } - ] - }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kickidler_network_sigma.yml", - "Description": "Detects potential network activity of KickIdler RMM tool" - } - ], - "References": [ - "https://www.kickidler.com/for-it/faq/" - ], - "Acknowledgement": [] - }, - { - "Name": "Syncro", - "Description": "Syncro is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/13/2024", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "Syncro.Installer.exe", - "Kabuto.App.Runner.exe", - "Syncro.Overmind.Service.exe", - "Kabuto.Installer.exe", - "KabutoSetup.exe", - "Syncro.Service.exe", - "Kabuto.Service.Runner.exe", - "Syncro.App.Runner.exe", - "SyncroLive.Service.exe", - "SyncroLive.Agent.exe" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [ + "Ports": [ + "N/A" + ] + }, { - "Description": "Known remote domains", + "Description": "N/A", "Domains": [ - "kabuto.io", - "*.syncromsp.com", - "*.syncroapi.com", - "syncromsp.com", - "servably.com", - "ld.aurelius.host", - "app.kabuto.io ", - "*.kabutoservices.com", - "repairshopr.com", - "kabutoservices.com", - "attachments.servably.com" + "app.atera.com" ], - "Ports": [] - } - ] - }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncro_network_sigma.yml", - "Description": "Detects potential network activity of Syncro RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncro_processes_sigma.yml", - "Description": "Detects potential processes activity of Syncro RMM tool" - } - ], - "References": [ - "https://community.syncromsp.com/t/syncro-exceptions-and-allowlists/2004" - ], - "Acknowledgement": [] - }, - { - "Name": "AweRay", - "Description": "AweRay is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/7/2024", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "aweray_remote*.exe", - "AweSun.exe" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [ + "Ports": [ + "N/A" + ] + }, { - "Description": "Known remote domains", + "Description": "N/A", "Domains": [ - "asapi*.aweray.net", - "client-api.aweray.com" + "agenthb.atera.com" ], - "Ports": [] - } - ] - }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray_network_sigma.yml", - "Description": "Detects potential network activity of AweRay RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray_processes_sigma.yml", - "Description": "Detects potential processes activity of AweRay RMM tool" - } - ], - "References": [ - "https://sun.aweray.com/help" - ], - "Acknowledgement": [] - }, - { - "Name": "SunLogin", - "Description": "SunLogin is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/26/2024", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "OrayRemoteShell.exe", - "OrayRemoteService.exe", - "sunlogin*.exe" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [ + "Ports": [ + "N/A" + ] + }, { - "Description": "Known remote domains", + "Description": "N/A", "Domains": [ - "sunlogin.oray.com", - "client.oray.net" + "packagesstore.blob.core.windows.net" ], - "Ports": [] - } - ] - }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sunlogin_network_sigma.yml", - "Description": "Detects potential network activity of SunLogin RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sunlogin_processes_sigma.yml", - "Description": "Detects potential processes activity of SunLogin RMM tool" - } - ], - "References": [ - "https://sunlogin.oray.com/en/embed/software.html" - ], - "Acknowledgement": [] - }, - { - "Name": "Koofr", - "Description": "Koofr is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [] - }, - "Detections": [], - "References": [], - "Acknowledgement": [] - }, - { - "Name": "SysAid", - "Description": "SysAid is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\Program Files\\SysAidServer\\*", - "*\\SysAidServer\\*", - "*\\SysAid\\*", - "*\\IliAS.exe" + "Ports": [ + "N/A" + ] + }, + { + "Description": "N/A", + "Domains": [ + "ps.pndsn.com" + ], + "Ports": [ + "N/A" + ] + }, + { + "Description": "N/A", + "Domains": [ + "agent-api.atera.com" + ], + "Ports": [ + "N/A" + ] + }, + { + "Description": "N/A", + "Domains": [ + "cacerts.thawte.com" + ], + "Ports": [ + "N/A" + ] + }, + { + "Description": "N/A", + "Domains": [ + "agentreportingstore.blob.core.windows.net" + ], + "Ports": [ + "N/A" + ] + }, + { + "Description": "N/A", + "Domains": [ + "atera-agent-heartbeat.servicebus.windows.net" + ], + "Ports": [ + "N/A" + ] + }, + { + "Description": "N/A", + "Domains": [ + "ps.atera.com" + ], + "Ports": [ + "N/A" + ] + }, + { + "Description": "N/A", + "Domains": [ + "atera.pubnubapi.com" + ], + "Ports": [ + "N/A" + ] + }, + { + "Description": "N/A", + "Domains": [ + "appcdn.atera.com" + ], + "Ports": [ + "N/A" + ] + } ] 
}, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [] - }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sysaid_processes_sigma.yml", - "Description": "Detects potential processes activity of SysAid RMM tool" + "Sigma": "https://github.com/The-DFIR-Report/Sigma-Rules/blob/d67407d357ad32b247e2a303abc5a38bb30fd576/rules/windows/process_creation/proc_creation_win_ateraagent_malicious_installations.yml", + "Name": "AteraAgent malicious installations", + "Description": "Detects AteraAgent installations with suspicious command line arguments." + }, + { + "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yml", + "Name": "Atera Agent Installation", + "Description": "Detects Atera Agent installation." + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_registry_sigma.yml", + "Description": "Detects potential registry activity of Atera RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_network_sigma.yml", + "Description": "Detects potential network activity of Atera RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_files_sigma.yml", + "Description": "Detects potential files activity of Atera RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_processes_sigma.yml", + "Description": "Detects potential processes activity of Atera RMM tool" } ], - "References": [], - "Acknowledgement": [] + "References": [ + "https://support.atera.com/hc/en-us/articles/360015461139-Firewall-Settings-for-Atera-s-Integrations", + "https://support.atera.com/hc/en-us/articles/215955967-Troubleshoot-Atera-s-Windows-agent", + 
"https://support.atera.com/hc/en-us/articles/115015619747-Release-Notes-February-2018", + "https://thedfirreport.com/?s=ateraagent" + ], + "Acknowledgement": [ + { + "Person": "Théo Letailleur", + "Handle": "in/theosyn" + }, + { + "Person": "Nasreddine Bencherchali", + "Handle": "@nas_bench" + }, + { + "Person": "Kostas", + "Handle": "@kostastsale" + } + ] }, { - "Name": "Neturo", - "Description": "Neturo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "CrossLoop", + "Description": "CrossLoop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -9176,9 +8750,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "neturo*.exe", - "ntrntservice.exe", - "neturo.exe" + "crossloopservice.exe", + "CrossLoopConnect.exe", + "WinVNCStub.exe" ] }, "Artifacts": { @@ -9189,7 +8763,8 @@ { "Description": "Known remote domains", "Domains": [ - "neturo.uplus.co.kr" + "*.crossloop.com", + "crossloop.en.softonic.com" ], "Ports": [] } 
@@ -9197,25 +8772,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/neturo_network_sigma.yml", - "Description": "Detects potential network activity of Neturo RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crossloop_network_sigma.yml", + "Description": "Detects potential network activity of CrossLoop RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/neturo_processes_sigma.yml", - "Description": "Detects potential processes activity of Neturo RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crossloop_processes_sigma.yml", + "Description": "Detects potential processes activity of CrossLoop RMM tool" } ], "References": [ - "Obscure, located an older copy here: http://www.iconpos.com/pos/home/iconpos/bbs.php?id=file&q=view&uid=2" + "www.CrossLoop.com -> redirects to avast.com" ], "Acknowledgement": [] }, { - "Name": "SmarTTY", - "Description": "SmarTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Level.io", + "Description": "Level.io is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -9230,32 +8805,47 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "c:\\Program Files (x86)\\Sysprogs\\SmarTTY\\*", - "*\\Sysprogs\\SmarTTY\\*", - "*\\SmarTTY.exe" + "level-windows-amd64.exe", + "level.exe", + "level-remote-control-ffmpeg.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "level.io", + "*.level.io" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/smartty_processes_sigma.yml", - "Description": "Detects potential processes activity of SmarTTY RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_network_sigma.yml", + "Description": "Detects potential network activity of Level.io RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_processes_sigma.yml", + "Description": "Detects potential processes activity of Level.io RMM tool" } ], - "References": [], + "References": [ + "https://docs.level.io/1.0/admin-guides/troubleshooting-agent-issues" + ], "Acknowledgement": [] }, { - "Name": "Impero Connect", - "Description": "Impero Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Tactical RMM", + "Description": "Tactical RMM is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { @@ -9270,7 +8860,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ImperoClientSVC.exe" + "tacticalrmm.exe", + "tacticalrmm.exe" ] }, "Artifacts": { 
@@ -9281,7 +8872,9 @@ { "Description": "Known remote domains", "Domains": [ - "imperosoftware.com" + "login.tailscale.com", + "login.tailscale.com", + "docs.tacticalrmm.com" ], "Ports": [] } @@ -9289,23 +8882,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/impero_connect_network_sigma.yml", - "Description": "Detects potential network activity of Impero Connect RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tactical_rmm_network_sigma.yml", + "Description": "Detects potential network activity of Tactical RMM RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/impero_connect_processes_sigma.yml", - "Description": "Detects potential processes activity of Impero Connect RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tactical_rmm_processes_sigma.yml", + "Description": "Detects potential processes activity of Tactical RMM RMM tool" } ], - "References": [], + "References": [ + "docs.tacticalrmm.com" + ], "Acknowledgement": [] }, { - "Name": "247ithelp.com (ConnectWise)", - "Description": "247ithelp.com (ConnectWise) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Fortra", + "Description": "Fortra is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -9319,9 +8914,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "Remote Workforce Client.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], @@ -9331,7 +8924,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.247ithelp.com" + "fortra.com" ], "Ports": [] } 
@@ -9339,22 +8932,18 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/247ithelp.com__connectwise__network_sigma.yml", - "Description": "Detects potential network activity of 247ithelp.com (ConnectWise) RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/247ithelp.com__connectwise__processes_sigma.yml", - "Description": "Detects potential processes activity of 247ithelp.com (ConnectWise) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fortra_network_sigma.yml", + "Description": "Detects potential network activity of Fortra RMM tool" } ], "References": [ - "Similar / replaced by ScreenConnect" + "https://www.fortra.com - No free/cloud RMM softwars listed" ], "Acknowledgement": [] }, { - "Name": "Remobo", - "Description": "Remobo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Sorillus", + "Description": "Sorillus is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -9372,9 +8961,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "remobo.exe", - "remobo_client.exe", - "remobo_tracker.exe" + "Sorillus-Launcher*.exe", + "Sorillus Launcher.exe" ] }, "Artifacts": { @@ -9385,8 +8973,8 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "remobo.en.softonic.com" + "*.sorillus.com", + "sorillus.com" ], "Ports": [] } 
@@ -9394,59 +8982,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remobo_network_sigma.yml", - "Description": "Detects potential network activity of Remobo RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sorillus_network_sigma.yml", + "Description": "Detects potential network activity of Sorillus RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remobo_processes_sigma.yml", - "Description": "Detects potential processes activity of Remobo RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sorillus_processes_sigma.yml", + "Description": "Detects potential processes activity of Sorillus RMM tool" } ], "References": [ - "https://www.remobo.com - DOA as of 2024" + "https://sorillus.com/" ], "Acknowledgement": [] }, { - "Name": "Free Tools Launcher", - "Description": "Free Tools Launcher is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\Program Files\\ManageEngine\\ManageEngine Free Tools\\Launcher\\*", - "*\\ManageEngine\\*" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [] - }, - "Detections": [], - "References": [], - "Acknowledgement": [] - }, - { - "Name": "Echoware", - "Description": "Echoware is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "RemoteCall", + "Description": "RemoteCall is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -9461,31 +9015,52 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "echoserver*.exe", - "echoware.dll" + "rcengmgru.exe", + "rcmgrsvc.exe", + "rxstartsupport.exe", + "rcstartsupport.exe", + "raautoup.exe", + "agentu.exe", + "remotesupportplayeru.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.remotecall.com", + "*.startsupport.com", + "remotecall.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/echoware_processes_sigma.yml", - "Description": "Detects potential processes activity of Echoware RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotecall_network_sigma.yml", + "Description": "Detects potential network activity of RemoteCall RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotecall_processes_sigma.yml", + "Description": "Detects potential processes activity of RemoteCall RMM tool" } ], - "References": [], + "References": [ + "https://help.remotecall.com/hc/en-us/articles/360005128814--RemoteCall-Server-List-For-Firewall" + ], "Acknowledgement": [] }, { - "Name": "Zoho Assist", - "Description": "Zoho Assist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Laplink Everywhere", + "Description": "Laplink Everywhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -9500,16 +9075,12 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "zaservice.exe", - "ZMAgent.exe", - "C:\\*\\ZA_Access.exe", - "ZohoMeeting.exe", - "Zohours.exe", - "zohotray.exe", - "ZohoURSService.exe", - "*\\ZA_Access.exe", - "Zaservice.exe", - "za_connect.exe" + "laplink.exe", + "laplink-everywhere-setup*.exe", + "laplinkeverywhere.exe", + "llrcservice.exe", + "serverproxyservice.exe", + "OOSysAgent.exe" ] }, "Artifacts": { @@ -9520,19 +9091,9 @@ { "Description": "Known remote domains", "Domains": [ - "*.zoho.com.au", - "*.zohoassist.jp", - "assist.zoho.com", - "zoho.com/assist/", - "*.zoho.in", - "downloads.zohodl.com.cn", - "*.zohoassist.com", - "downloads.zohocdn.com", - "gateway.zohoassist.com", - "*.zohoassist.com.cn", - "*.zoho.com.cn", - "*.zoho.com", - "*.zoho.eu" + "everywhere.laplink.com", + "le.laplink.com", + "atled.syspectr.com" ], "Ports": [] } 
@@ -9540,22 +9101,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoho_assist_network_sigma.yml", - "Description": "Detects potential network activity of Zoho Assist RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_everywhere_network_sigma.yml", + "Description": "Detects potential network activity of Laplink Everywhere RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoho_assist_processes_sigma.yml", - "Description": "Detects potential processes activity of Zoho Assist RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_everywhere_processes_sigma.yml", + "Description": "Detects potential processes activity of Laplink Everywhere RMM tool" } ], "References": [ - "https://www.zoho.com/assist/kb/firewall-configuration.html" + "https://everywhere.laplink.com/docs" ], "Acknowledgement": [] }, { - "Name": "KiTTY", - "Description": "KiTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "MEGAsync", + "Description": "MEGAsync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -9573,8 +9134,12 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\*\\kitty.exe", - "*\\kitty.exe" + "C:\\Users\\*\\AppData\\Local\\MEGAsync\\*", + "*Users\\*\\AppData\\Local\\MEGAsync\\*", + "*Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*", + "*ProgramData\\MEGAsync\\*", + "*\\MEGAsyncSetup64.exe", + "*\\MEGAupdater.exe" ] }, "Artifacts": { 
@@ -9585,16 +9150,16 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kitty_processes_sigma.yml", - "Description": "Detects potential processes activity of KiTTY RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/megasync_processes_sigma.yml", + "Description": "Detects potential processes activity of MEGAsync RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "SimpleHelp", - "Description": "SimpleHelp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Neturo", + "Description": "Neturo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -9612,11 +9177,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "simplehelpcustomer.exe", - "simpleservice.exe", - "simplegatewayservice.exe", - "remote access.exe", - "windowslauncher.exe" + "neturo*.exe", + "ntrntservice.exe", + "neturo.exe" ] }, "Artifacts": { @@ -9627,8 +9190,7 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "simple-help.com" + "neturo.uplus.co.kr" ], "Ports": [] } 
@@ -9636,25 +9198,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/simplehelp_network_sigma.yml", - "Description": "Detects potential network activity of SimpleHelp RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/neturo_network_sigma.yml", + "Description": "Detects potential network activity of Neturo RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/simplehelp_processes_sigma.yml", - "Description": "Detects potential processes activity of SimpleHelp RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/neturo_processes_sigma.yml", + "Description": "Detects potential processes activity of Neturo RMM tool" } ], "References": [ - "https://simple-help.com/remote-support" + "Obscure, located an older copy here: http://www.iconpos.com/pos/home/iconpos/bbs.php?id=file&q=view&uid=2" ], "Acknowledgement": [] }, { - "Name": "CloudFlare Tunnel", - "Description": "CloudFlare Tunnel is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Distant Desktop", + "Description": "Distant Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -9669,7 +9231,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "cloudflared.exe" + "ddsystem.exe", + "dd.exe", + "distant-desktop.exe" ] }, "Artifacts": { @@ -9680,7 +9244,8 @@ { "Description": "Known remote domains", "Domains": [ - "cloudflare.com/products/tunnel/" + "*.distantdesktop.com", + "*signalserver.xyz" ], "Ports": [] } 
@@ -9688,59 +9253,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudflare_tunnel_network_sigma.yml", - "Description": "Detects potential network activity of CloudFlare Tunnel RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_network_sigma.yml", + "Description": "Detects potential network activity of Distant Desktop RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudflare_tunnel_processes_sigma.yml", - "Description": "Detects potential processes activity of CloudFlare Tunnel RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_processes_sigma.yml", + "Description": "Detects potential processes activity of Distant Desktop RMM tool" } ], "References": [ - "cloudflare.com/products/tunnel/" + "https://www.distantdesktop.com/manual/first-start.htm" ], "Acknowledgement": [] }, { - "Name": "GoTo Opener", - "Description": "GoTo Opener is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\Program Files (x86)\\GoTo Opener", - "*\\GoTo Opener" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [] - }, - "Detections": [], - "References": [], - "Acknowledgement": [] - }, - { - "Name": "Pcvisit", - "Description": "Pcvisit is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Anyplace Control", + "Description": "Anyplace Control is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -9755,10 +9286,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "pcvisit.exe", - "pcvisit_client.exe", - "pcvisit-easysupport.exe", - "pcvisit_service_client.exe" + "apc_host.exe" ] }, "Artifacts": { @@ -9769,8 +9297,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.pcvisit.de", - "pcvisit.de" + "anyplace-control.com" ], "Ports": [] } @@ -9778,22 +9305,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcvisit_network_sigma.yml", - "Description": "Detects potential network activity of Pcvisit RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyplace_control_network_sigma.yml", + "Description": "Detects potential network activity of Anyplace Control RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcvisit_processes_sigma.yml", - "Description": "Detects potential processes activity of Pcvisit RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyplace_control_processes_sigma.yml", + "Description": "Detects potential processes activity of Anyplace Control RMM tool" } ], "References": [ - "https://www.pcvisit.de/" + "http://www.anyplace-control.com/anyplace-control/help/faq.htm" ], "Acknowledgement": [] }, { - "Name": "Mocha VNC Lite", - "Description": "Mocha VNC Lite is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "JollysFastVNC", + "Description": "JollysFastVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -9810,11 +9337,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "This installs a modified VNC and cannot be blocked by path separate from VNC", - "This installs a modified VNC and cannot be blocked by path separate from VNC", - "*\\RealVNC\\VNC4\\*" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], @@ -9827,11 +9350,11 @@ "Acknowledgement": [] }, { - "Name": "Laplink Gold", - "Description": "Laplink Gold is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ExtraPuTTY", + "Description": "ExtraPuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -9846,46 +9369,32 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "tsircusr.exe", - "laplink.exe" + "C:\\Users\\*\\ExtraPuTTY-0.30-2016-01-28-installer.exe", + "*Users\\*\\ExtraPuTTY-0.30-2016-01-28-installer.exe", + "*\\ExtraPuTTY-0.30-2016-01-28-installer.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "user_managed", - "wen.laplink.com/product/laplink-gold" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_gold_network_sigma.yml", - "Description": "Detects potential network activity of Laplink Gold RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_gold_processes_sigma.yml", - "Description": "Detects potential processes activity of Laplink Gold RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/extraputty_processes_sigma.yml", + "Description": "Detects potential processes activity of ExtraPuTTY RMM tool" } ], - "References": [ - "wen.laplink.com/product/laplink-gold" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "Iperius Remote", - "Description": "Iperius Remote is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "rdpwrap", + "Description": "rdpwrap is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -9900,8 +9409,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "iperius.exe", - "iperiusremote.exe" + "RDPWInst.exe", + "RDPCheck.exe", + "RDPConf.exe" ] }, "Artifacts": { 
@@ -9909,13 +9419,11 @@ "EventLog": [], "Registry": [], "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.iperiusremote.com", - "*.iperius.com", - "*.iperius-rs.com", - "iperiusremote.com" + { + "Description": "Known remote domains", + "Domains": [ + "user_managed", + "github.com/stascorp/rdpwrap" ], "Ports": [] } @@ -9923,25 +9431,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/iperius_remote_network_sigma.yml", - "Description": "Detects potential network activity of Iperius Remote RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpwrap_network_sigma.yml", + "Description": "Detects potential network activity of rdpwrap RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/iperius_remote_processes_sigma.yml", - "Description": "Detects potential processes activity of Iperius Remote RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpwrap_processes_sigma.yml", + "Description": "Detects potential processes activity of rdpwrap RMM tool" } ], "References": [ - "https://www.iperiusremote.com/download-iperius-remote-desktop-windows.aspx" + "github.com/stascorp/rdpwrap" ], "Acknowledgement": [] }, { - "Name": "BeamYourScreen", - "Description": "BeamYourScreen is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "N-ABLE Remote Access Software", + "Description": "N-ABLE Remote Access Software is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -9955,10 +9463,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "beamyourscreen.exe", - "beamyourscreen-host.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], @@ -9968,8 +9473,7 @@ { "Description": "Known remote domains", "Domains": [ - "beamyourscreen.com", - "*.beamyourscreen.com" + "n-able.com" ], "Ports": [] } @@ -9977,25 +9481,19 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beamyourscreen_network_sigma.yml", - "Description": "Detects potential network activity of BeamYourScreen RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beamyourscreen_processes_sigma.yml", - "Description": "Detects potential processes activity of BeamYourScreen RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_remote_access_software_network_sigma.yml", + "Description": "Detects potential network activity of N-ABLE Remote Access Software RMM tool" } ], - "References": [ - "beamyourscreen redirects to https://www.mikogo.com/" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "TeleDesktop", - "Description": "TeleDesktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Solar-PuTTY", + "Description": "Solar-PuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -10010,47 +9508,319 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "pstlaunch.exe", - "ptdskclient.exe", - "ptdskhost.exe" + "C:\\Program Files\\Solar-Putty-v4\\*", + "*\\Solar-Putty-v4\\*", + "*\\Solar-PuTTY.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], + "Network": [] + }, + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/solar-putty_processes_sigma.yml", + "Description": "Detects potential processes activity of Solar-PuTTY RMM tool" + } + ], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "TeamViewer", + "Description": "TeamViewer is a remote monitoring and management (RMM) tool.\n", + "Author": "Nasreddine Bencherchali, Michael Haag", + "Created": "2024-08-02", + "LastModified": "2024-08-02", + "Details": { + "Website": "https://www.teamviewer.com/en", + "PEMetadata": [ + { + "Filename": "TeamViewer.exe", + "OriginalFileName": "", + "Description": "", + "Product": "TeamViewer" + } + ], + "Privileges": "user", + "Free": true, + "Verification": false, + "SupportedOS": [ + "Android", + "ChromeOS", + "IOS", + "Linux", + "Mac", + "Windows" + ], + "Capabilities": [], + "Vulnerabilities": [ + "https://www.cvedetails.com/vulnerability-list/vendor_id-11100/product_id-19942/Teamviewer-Teamviewer.html" + ], + "InstallationPaths": [ + "C:\\Program Files\\TeamViewer\\", + "teamviewer_desktop.exe", + "teamviewer_service.exe", + "teamviewerhost" + ] + }, + "Artifacts": { + "Disk": [ + { + "File": "C:\\Users\\\\AppData\\Local\\Temp\\TeamViewer\\TV15Install.log", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "TeamViewer\\d\\d_Logfile\\.log", + "Description": "N/A", + "OS": "Windows", + "Type": "Regex" + }, + { + "File": "C:\\Program Files\\TeamViewer\\Connections_incoming.txt", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "C:\\Program Files\\TeamViewer\\TVNetwork.log", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": 
"%LOCALAPPDATA%\\Temp\\TeamViewer\\TV15Install.log", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "%APPDATA%\\\\TeamViewer\\\\TeamViewer\\d\\d_Logfile\\.log", + "Description": "N/A", + "OS": "Windows", + "Type": "Regex" + }, + { + "File": "teamviewerqs.exe", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "tv_w32.exe", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "tv_w64.exe", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "tv_x64.exe", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "teamviewer.exe", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "teamviewer_service.exe", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "%LOCALAPPDATA%\\TeamViewer\\Database\\tvchatfilecache.db", + "Description": "SQlite 3 database storing cache about TeamViewer chat", + "OS": "Windows" + }, + { + "File": "%LOCALAPPDATA%\\TeamViewer\\RemotePrinting\\tvprint.db", + "Description": "SQlite 3 database storing TeamViewer print jobs", + "OS": "Windows" + }, + { + "File": "%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\TeamViewer.lnk", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "C:\\Program Files*\\TeamViewer\\connections*.txt", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "C:\\Users\\*\\AppData\\Roaming\\TeamViewer\\MRU\\RemoteSupport\\*tvc", + "Description": "N/A", + "OS": "Windows" + } + ], + "EventLog": [ + { + "EventID": 7045, + "ProviderName": "Service Control Manager", + "LogFile": "System.evtx", + "ServiceName": "TeamViewer", + "ImagePath": "\"C:\\\\Program Files\\\\TeamViewer\\\\TeamViewer_Service.exe\"", + "Description": "Service installation event as result of TeamViewer installation." 
+ } + ], + "Registry": [ + { + "Path": "HKLM\\SOFTWARE\\TeamViewer\\*", + "Description": "N/A" + }, + { + "Path": "HKU\\\\SOFTWARE\\TeamViewer\\*", + "Description": "N/A" + }, + { + "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\TeamViewer\\*", + "Description": "N/A" + }, + { + "Path": "HKLM\\SOFTWARE\\TeamViewer\\ConnectionHistory", + "Description": "N/A" + }, + { + "Path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\TeamViewer\\*", + "Description": "N/A" + }, + { + "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\MainWindowHandle", + "Description": "N/A" + }, + { + "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImage", + "Description": "N/A" + }, + { + "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImagePath", + "Description": "N/A" + }, + { + "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImagePosition", + "Description": "N/A" + }, + { + "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\MinimizeToTray", + "Description": "N/A" + }, + { + "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioUserSelectedCapturingEndpoint", + "Description": "N/A" + }, + { + "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioSendingVolumeV2", + "Description": "N/A" + }, + { + "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioUserSelectedRenderingEndpoint", + "Description": "N/A" + }, + { + "Path": "HKLM\\SOFTWARE\\TeamViewer\\ConnectionHistory", + "Description": "N/A" + }, + { + "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\ClientWindow_Mode", + "Description": "N/A" + }, + { + "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\ClientWindowPositions", + "Description": "N/A" + } + ], "Network": [ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "tele-desk.com" + "*.teamviewer.com" ], "Ports": [] + }, + { + "Description": "N/A", + "Domains": [ + "router15.teamviewer.com" + ], + "Ports": [ + 443 + ] + }, + { + "Description": "N/A", + "Domains": [ + "client.teamviewer.com" + ], + "Ports": [ + 443 + ] + 
}, + { + "Description": "N/A", + "Domains": [ + "taf.teamviewer.com" + ], + "Ports": [ + 443 + ] + } + ], + "Other": [ + { + "Type": "Mutex", + "Value": "TeamViewer_LogMutex" + }, + { + "Type": "Mutex", + "Value": "TeamViewerHooks_DynamicMemMutex" + }, + { + "Type": "Mutex", + "Value": "TeamViewer3_Win32_Instance_Mutex" } ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teledesktop_network_sigma.yml", - "Description": "Detects potential network activity of TeleDesktop RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_registry_sigma.yml", + "Description": "Detects potential registry activity of TeamViewer RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teledesktop_processes_sigma.yml", - "Description": "Detects potential processes activity of TeleDesktop RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_network_sigma.yml", + "Description": "Detects potential network activity of TeamViewer RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_files_sigma.yml", + "Description": "Detects potential files activity of TeamViewer RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_processes_sigma.yml", + "Description": "Detects potential processes activity of TeamViewer RMM tool" } ], "References": [ - "http://potomacsoft.com/ - DOA as of 2024" + "https://community.teamviewer.com/English/kb/articles/4139-ports-used-by-teamviewer", + "https://arista.my.site.com/AristaCommunity/s/article/Security-Analysis-TeamViewer#", + "https://www.teamviewer.com/en/global/support/knowledge-base/teamviewer-classic/troubleshooting/log-file-reading-incoming-connection/", + 
"https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html", + "https://github.com/Purp1eW0lf/Blue-Team-Notes" ], - "Acknowledgement": [] + "Acknowledgement": [ + { + "Person": "Théo Letailleur", + "Handle": "in/theosyn" + } + ] }, { - "Name": "Parallels Access", - "Description": "Parallels Access is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Itarian", + "Description": "Itarian is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -10065,11 +9835,16 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "parallelsaccess-*.exe", - "TSClient.exe", - "prl_deskctl_agent.exe", - "prl_deskctl_wizard.exe", - "prl_pm_service.exe" + "ITSMAgent.exe", + "RViewer.exe", + "ItsmRsp.exe", + "RAccess.exe", + "RmmService.exe", + "ITarianRemoteAccessSetup.exe", + "RDesktop.exe", + "ComodoRemoteControl.exe", + "ITSMService.exe", + "RHost.exe" ] }, "Artifacts": { @@ -10080,8 +9855,11 @@ { "Description": "Known remote domains", "Domains": [ - "*.parallels.com", - "parallels.com/products/ras/try" + "mdmsupport.comodo.com", + "*.itsm-us1.comodo.com", + "*.cmdm.comodo.com", + "remoteaccess.itarian.com", + "servicedesk.itarian.com" ], "Ports": [] } 
@@ -10089,22 +9867,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/parallels_access_network_sigma.yml", - "Description": "Detects potential network activity of Parallels Access RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itarian_network_sigma.yml", + "Description": "Detects potential network activity of Itarian RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/parallels_access_processes_sigma.yml", - "Description": "Detects potential processes activity of Parallels Access RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itarian_processes_sigma.yml", + "Description": "Detects potential processes activity of Itarian RMM tool" } ], "References": [ - "https://kb.parallels.com/en/129097" + "https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html" ], "Acknowledgement": [] }, { - "Name": "Basecamp", - "Description": "Basecamp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Visual Studio Dev Tunnel", + "Description": "Visual Studio Dev Tunnel is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/7/2024", @@ -10131,7 +9909,9 @@ { "Description": "Known remote domains", "Domains": [ - "basecamp.com" + "global.rel.tunnels.api.visualstudio.com", + "*.rel.tunnels.api.visualstudio.com", + "*.devtunnels.ms" ], "Ports": [] } 
@@ -10139,21 +9919,21 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/basecamp_network_sigma.yml", - "Description": "Detects potential network activity of Basecamp RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/visual_studio_dev_tunnel_network_sigma.yml", + "Description": "Detects potential network activity of Visual Studio Dev Tunnel RMM tool" } ], "References": [ - "basecamp.com - No specific RMM tool listed" + "https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security" ], "Acknowledgement": [] }, { - "Name": "Weezo", - "Description": "Weezo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ITSupport247 (ConnectWise)", + "Description": "ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -10168,9 +9948,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "weezohttpd.exe", - "weezo.exe", - "weezo setup*.exe" + "saazapsc.exe" ] }, "Artifacts": { @@ -10181,10 +9959,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.weezo.me", - "weezo.net", - "*.weezo.net", - "weezo.en.softonic.com" + "*.itsupport247.net" ], "Ports": [] } 
@@ -10192,72 +9967,52 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/weezo_network_sigma.yml", - "Description": "Detects potential network activity of Weezo RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__network_sigma.yml", + "Description": "Detects potential network activity of ITSupport247 (ConnectWise) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/weezo_processes_sigma.yml", - "Description": "Detects potential processes activity of Weezo RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__processes_sigma.yml", + "Description": "Detects potential processes activity of ITSupport247 (ConnectWise) RMM tool" } ], "References": [ - "weezo.en.softonic.com" - ], - "Acknowledgement": [] - }, - { - "Name": "X2Go", - "Description": "X2Go is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [] - }, - "Detections": [], - "References": [ - "https://wiki.x2go.org/doku.php" + "https://control.itsupport247.net/" ], "Acknowledgement": [] }, { - "Name": "Dev Tunnels (aka Visual Studio Dev Tunnel)", - "Description": "Dev Tunnels (aka Visual Studio Dev Tunnel) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "", + "Name": "LogMeIn", + "Description": "LogMeIn is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.\n", + "Author": "Nasreddine Bencherchali", + "Created": "2024-08-05", + "LastModified": "2024-08-05", "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, + "Website": "https://www.logmein.com/", + "PEMetadata": [ + { + "Filename": "lmiguardiansvc.exe" + }, + { + "Filename": "lmiignition.exe" + }, + { + "Filename": "logmeinsystray.exe" + }, + { + "Filename": "logmein.exe", + "OriginalFileName": "", + "Company": "LogMeIn, Inc.", + "Description": "LMIGuardianSvc", + "Product": "LMIGuardianSvc" + } + ], "Privileges": "", "Free": "", "Verification": "", "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": null }, "Artifacts": { "Disk": [], 
@@ -10265,29 +10020,82 @@ "Registry": [], "Network": [ { - "Description": "Known remote domains", + "Description": "N/A", + "Domains": [ + "logmein-gateway.com" + ], + "Ports": [ + 443 + ] + }, + { + "Description": "N/A", + "Domains": [ + "*.logmein.com" + ], + "Ports": [ + 443 + ] + }, + { + "Description": "N/A", + "Domains": [ + "*.logmein.eu" + ], + "Ports": [ + 443 + ] + }, + { + "Description": "N/A", "Domains": [ - "learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview" + "logmeinrescue.com" ], - "Ports": [] + "Ports": [ + 443 + ] + }, + { + "Description": "N/A", + "Domains": [ + "*.logmeininc.com" + ], + "Ports": [ + 443 + ] } ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dev_tunnels__aka_visual_studio_dev_tunnel__network_sigma.yml", - "Description": "Detects potential network activity of Dev Tunnels (aka Visual Studio Dev Tunnel) RMM tool" + "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml", + "Description": "DNS Query To Remote Access Software Domain From Non-Browser App" + }, + { + "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_remote_access_tools_logmein.yml", + "Description": "Remote Access Tool - LogMeIn Execution" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_network_sigma.yml", + "Description": "Detects potential network activity of LogMeIn RMM tool" } ], - "References": [], - "Acknowledgement": [] + "References": [ + "https://support.logmeininc.com/central/help/allowlisting-and-firewall-configuration" + ], + "Acknowledgement": [ + { + "Person": "Nasreddine Bencherchali", + "Handle": "@nas_bench" + } + ] }, { - "Name": "Connectwise Automate (LabTech)", - "Description": "Connectwise Automate (LabTech) is a remote monitoring 
and management (RMM) tool. More information will be added as it becomes available.", + "Name": "PuTTY", + "Description": "PuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -10301,47 +10109,24 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "ltsvc.exe", - "ltsvcmon.exe", - "lttray.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.hostedrmm.com" - ], - "Ports": [] - } - ] + "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_automate__labtech__network_sigma.yml", - "Description": "Detects potential network activity of Connectwise Automate (LabTech) RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_automate__labtech__processes_sigma.yml", - "Description": "Detects potential processes activity of Connectwise Automate (LabTech) RMM tool" - } - ], - "References": [ - "https://www.connectwise.com/company/announcements/labtech-now-connectwise-automate" - ], + "Detections": [], + "References": [], "Acknowledgement": [] }, { - "Name": "Splashtop (Beta)", - "Description": "Splashtop (Beta) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Netreo", + "Description": "Netreo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -10355,12 +10140,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "SRServer.exe", - "SplashtopSOS.exe", - "Splashtop_Streamer_Windows*.exe", - "SRManager.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], @@ -10370,7 +10150,10 @@ { "Description": "Known remote domains", "Domains": [ - "splashtop.com" + "charon.netreo.net", + "activation.netreo.net", + "*.api.netreo.com", + "netreo.com" ], "Ports": [] } @@ -10378,23 +10161,21 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop__beta__network_sigma.yml", - "Description": "Detects potential network activity of Splashtop (Beta) RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop__beta__processes_sigma.yml", - "Description": "Detects potential processes activity of Splashtop (Beta) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netreo_network_sigma.yml", + "Description": "Detects potential network activity of Netreo RMM tool" } ], - "References": [], + "References": [ + "https://solutions.netreo.com/docs/firewall-requirements" + ], "Acknowledgement": [] }, { - "Name": "Netop", - "Description": "Netop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Netop Remote Control (Impero Connect)", + "Description": "Netop Remote Control (Impero Connect) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -10409,145 +10190,27 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files\\Danware Data\\NetOp Packn Deploy\\*", - "*\\Danware Data\\NetOp Packn Deploy\\*", - "*\\Netop Remote Control\\*" + "nhostsvc.exe", + "nhstw32.exe", + "ngstw32.exe", + "Netop Ondemand.exe", + "nldrw32.exe", + "rmserverconsolemediator.exe", + "ImperoInit.exe", + "Connect.Backdrop.cloud*.exe", + "ImperoClientSVC.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] - }, - "Detections": [], - "References": [], - "Acknowledgement": [] - }, - { - "Name": "Kaseya (VSA)", - "Description": "Kaseya (VSA) aka Unigma is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.\n", - "Author": "Nasreddine Bencherchali", - "Created": "2024-08-05", - "LastModified": "2024-08-05", - "Details": { - "Website": "", - "PEMetadata": [ - { - "Filename": "agentmon.exe" - }, - { - "Filename": "KaUpdHlp.exe" - }, - { - "Filename": "KaUsrTsk.exe", - "OriginalFileName": "", - "Description": "" - } - ], - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\Program Files (x86)\\Kaseya\\", - "C:\\ProgramData\\Kaseya\\" - ] - }, - "Artifacts": { - "Disk": [ - { - "File": "%localappdata%\\Kaseya\\Log\\KaseyaLiveConnect\\*", - "Description": "Kaseya Live Connect logs", - "OS": "Windows" - }, - { - "File": "~/Library/Logs/com.kaseya/KaseyaLiveConnect/*", - "Description": "Kaseya Live Connect logs", - "OS": "MacOS" - }, - { - "File": "C:\\ProgramData\\Kaseya\\Log\\Endpoint\\*", - "Description": "Kaseya Endpoint logs", - "OS": "Windows" - }, - { - "File": "C:\\Program Files*\\Kaseya\\*\\agentmon.log", - "Description": "Kaseya Agent Monitor log" - }, - { - "File": "/var/log/system.log", - "Description": "Kaseya Agent Monitor log", - "OS": "MacOS 32bit" - }, - { - "File": " ~/opt/kaseya/*/logs*", - "Description": 
"Kaseya Agent Monitor log", - "OS": "MacOS 64bit" - }, - { - "File": "C:\\Users\\*\\AppData\\Local\\Temp\\KASetup.log", - "Description": "Kaseya Setup log in user temp directory", - "OS": "Windows" - }, - { - "File": "C:\\Windows\\Temp\\KASetup.log", - "Description": "Kaseya Setup log in Windows temp directory", - "OS": "Windows" - }, - { - "File": "C:\\ProgramData\\Kaseya\\Log\\KaseyaEdgeServices\\*", - "Description": "Kaseya Edge Services logs", - "OS": "Windows" - }, - { - "File": "C:\\Kaseya\\api\\v1.0\\logs\\", - "Description": "Kaseya API logs", - "OS": "Windows" - }, - { - "File": "C:\\Kaseya\\api\\v1.5\\endpoint\\logs", - "Description": "Kaseya API logs", - "OS": "Windows" - }, - { - "File": "C:\\Kaseya\\api\\v1.5\\endpoints\\logs", - "Description": "Kaseya API logs", - "OS": "Windows" - }, - { - "File": "C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Kaseya\\Log\\MakeSelfSignedCert.exe\\", - "Description": "Certificate creation", - "OS": "Windows" - }, - { - "File": "C:\\Kaseya\\WebPages\\install\\makecert.txt", - "Description": "Certificate creation", - "OS": "Windows" - }, - { - "File": "C:\\ProgramData\\Kaseya\\Log\\Endpoint\\Instance_*\\KaseyaEndpoint*", - "Description": "Endpoint service logs", - "OS": "Windows" - }, - { - "File": "C:\\ProgramData\\Kaseya\\Log\\Endpoint\\Instance_*\\Session_*", - "Description": "Session logs", - "OS": "Windows" - } - ], - "EventLog": [], - "Registry": [], "Network": [ { "Description": "Known remote domains", "Domains": [ - "deploy01.kaseya.com", - "*managedsupport.kaseya.net", - "*.kaseya.net", - "kaseya.com" + "*.connect.backdrop.cloud", + "*.netop.com" ], "Ports": [] } 
@@ -10555,28 +10218,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kaseya__vsa__network_sigma.yml", - "Description": "Detects potential network activity of Kaseya (VSA) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__impero_connect__network_sigma.yml", + "Description": "Detects potential network activity of Netop Remote Control (Impero Connect) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kaseya__vsa__files_sigma.yml", - "Description": "Detects potential files activity of Kaseya (VSA) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__impero_connect__processes_sigma.yml", + "Description": "Detects potential processes activity of Netop Remote Control (Impero Connect) RMM tool" } ], "References": [ - "https://helpdesk.kaseya.com/hc/en-gb/articles/229012608-Software-Deployment-URL-Port-Requirements", - "https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations", - "https://ruler-project.github.io/ruler-project/RULER/remote/Kaseya/", - "https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations" + "https://kb.netop.com/article/firewall-and-proxy-server-considerations-when-using-netop-portal-communication-373.html" ], "Acknowledgement": [] }, { - "Name": "HelpBeam", - "Description": "HelpBeam is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Splashtop (Beta)", + "Description": "Splashtop (Beta) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -10591,7 +10251,10 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "helpbeam*.exe" + "SRServer.exe", + "SplashtopSOS.exe", + "Splashtop_Streamer_Windows*.exe", + "SRManager.exe" ] }, "Artifacts": { @@ -10602,7 +10265,7 @@ { "Description": "Known remote domains", "Domains": [ - "helpbeam.software.informer.com" + "splashtop.com" ], "Ports": [] } @@ -10610,25 +10273,23 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpbeam_network_sigma.yml", - "Description": "Detects potential network activity of HelpBeam RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop__beta__network_sigma.yml", + "Description": "Detects potential network activity of Splashtop (Beta) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpbeam_processes_sigma.yml", - "Description": "Detects potential processes activity of HelpBeam RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop__beta__processes_sigma.yml", + "Description": "Detects potential processes activity of Splashtop (Beta) RMM tool" } ], - "References": [ - "https://www.helpbeam.com domain for sale in 2024" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "Quest KACE Agent (formerly Dell KACE)", - "Description": "Quest KACE Agent (formerly Dell KACE) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "FastViewer", + "Description": "FastViewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -10643,7 +10304,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "konea.exe" + "fastclient.exe", + "fastmaster.exe", + "FastViewer.exe" ] }, "Artifacts": { @@ -10654,8 +10317,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.kace.com", - "www.quest.com/kace/" + "*.fastviewer.com", + "fastviewer.com" ], "Ports": [] } @@ -10663,25 +10326,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quest_kace_agent__formerly_dell_kace__network_sigma.yml", - "Description": "Detects potential network activity of Quest KACE Agent (formerly Dell KACE) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fastviewer_network_sigma.yml", + "Description": "Detects potential network activity of FastViewer RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quest_kace_agent__formerly_dell_kace__processes_sigma.yml", - "Description": "Detects potential processes activity of Quest KACE Agent (formerly Dell KACE) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fastviewer_processes_sigma.yml", + "Description": "Detects potential processes activity of FastViewer RMM tool" } ], "References": [ - "https://support.quest.com/kb/4211365/which-network-ports-and-urls-are-required-for-the-kace-sma-appliance-to-function" + "https://fastviewer.com/demo/EN_FastViewer_Server%20Installation%20Configuration.pdf" ], "Acknowledgement": [] }, { - "Name": "DeskShare", - "Description": "DeskShare is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "RustDesk", + "Description": "RustDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/26/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -10696,8 +10359,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "TeamTaskManager.exe", - "DSGuest.exe" + "rustdesk*.exe", + "rustdesk.exe" ] }, "Artifacts": { @@ -10708,7 +10371,9 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed" + "rustdesk.com", + "user_managed", + "web.rustdesk.com" ], "Ports": [] } @@ -10716,25 +10381,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskshare_network_sigma.yml", - "Description": "Detects potential network activity of DeskShare RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rustdesk_network_sigma.yml", + "Description": "Detects potential network activity of RustDesk RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskshare_processes_sigma.yml", - "Description": "Detects potential processes activity of DeskShare RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rustdesk_processes_sigma.yml", + "Description": "Detects potential processes activity of RustDesk RMM tool" } ], "References": [ - "https://www.deskshare.com/help/fml/Active-and-Passive-connection-mode.aspx" + "https://rustdesk.com/docs/en/" ], "Acknowledgement": [] }, { - "Name": "rdpwrap", - "Description": "rdpwrap is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "MobaXterm", + "Description": "MobaXterm is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -10749,9 +10414,44 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "RDPWInst.exe", - "RDPCheck.exe", - "RDPConf.exe" + "C:\\*\\MobaXterm_installer_12.1.msi", + "*\\MobaXterm_installer_*.msi", + "*\\Mobatek\\MobaXterm\\*" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "GoToAssist", + "Description": "GoToAssist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/7/2024", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "gotoassist.exe", + "g2a*.exe", + "GoTo Assist Opener.exe" ] }, "Artifacts": { @@ -10762,8 +10462,14 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "github.com/stascorp/rdpwrap" + "goto.com", + "*.getgo.com", + "*.fastsupport.com", + "*.gotoassist.com", + "helpme.net", + "*.gotoassist.me", + "*.gotoassist.at", + "*.desktopstreaming.com" ], "Ports": [] } 
@@ -10771,22 +10477,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpwrap_network_sigma.yml", - "Description": "Detects potential network activity of rdpwrap RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotoassist_network_sigma.yml", + "Description": "Detects potential network activity of GoToAssist RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpwrap_processes_sigma.yml", - "Description": "Detects potential processes activity of rdpwrap RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotoassist_processes_sigma.yml", + "Description": "Detects potential processes activity of GoToAssist RMM tool" } ], "References": [ - "github.com/stascorp/rdpwrap" + "https://help.gotoassist.com/remote-support/help/what-should-i-allow-on-my-firewall-for-gotoassist-remote-support-v5" ], "Acknowledgement": [] }, { - "Name": "Total Software Deployment", - "Description": "Total Software Deployment is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Free Ping Tool", + "Description": "Free Ping Tool is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -10804,10 +10510,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\ProgramData\\Total Software Deployment\\*", - "*\\Total Software Deployment\\*", - "*\\tniwinagent.exe", - "*\\Tsdservice.exe" + "can't find this one", + "can't find this one" ] }, "Artifacts": { 
@@ -10816,21 +10520,68 @@ "Registry": [], "Network": [] }, + "Detections": [], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "HelpBeam", + "Description": "HelpBeam is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/8/2024", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "helpbeam*.exe" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "helpbeam.software.informer.com" + ], + "Ports": [] + } + ] + }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/total_software_deployment_processes_sigma.yml", - "Description": "Detects potential processes activity of Total Software Deployment RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpbeam_network_sigma.yml", + "Description": "Detects potential network activity of HelpBeam RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpbeam_processes_sigma.yml", + "Description": "Detects potential processes activity of HelpBeam RMM tool" } ], - "References": [], + "References": [ + "https://www.helpbeam.com domain for sale in 2024" + ], "Acknowledgement": [] }, { - "Name": "PuTTY", - "Description": "PuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "NTR Remote", + "Description": "NTR Remote is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/26/2024", "Details": { "Website": "", "PEMetadata": { @@ -10844,21 +10595,42 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "NTRsupportPro_EN.exe" + ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.ntrsupport.com" + ], + "Ports": [] + } + ] }, - "Detections": [], - "References": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ntr_remote_network_sigma.yml", + "Description": "Detects potential network activity of NTR Remote RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ntr_remote_processes_sigma.yml", + "Description": "Detects potential processes activity of NTR Remote RMM tool" + } + ], + "References": [ + "DOA as of 2024" + ], "Acknowledgement": [] }, { - "Name": "RDPView", - "Description": "RDPView is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ServerEye", + "Description": "ServerEye is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -10876,7 +10648,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "dwrcs.exe" + "servereye*.exe", + "ServiceProxyLocalSys.exe" ] }, "Artifacts": { @@ -10887,8 +10660,7 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "systemmanager.ru/dntu.en/rdp_view.htm" + "*.server-eye.de" ], "Ports": [] } 
@@ -10896,25 +10668,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpview_network_sigma.yml", - "Description": "Detects potential network activity of RDPView RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/servereye_network_sigma.yml", + "Description": "Detects potential network activity of ServerEye RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpview_processes_sigma.yml", - "Description": "Detects potential processes activity of RDPView RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/servereye_processes_sigma.yml", + "Description": "Detects potential processes activity of ServerEye RMM tool" } ], "References": [ - "systemmanager.ru/dntu.en/rdp_view.htm - Same as Damware" + "https://www.servereye.de/wp-content/uploads/Anleitung-zur-Erstinstallation_aktuell.pdf" ], "Acknowledgement": [] }, { - "Name": "Fortra", - "Description": "Fortra is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "WebRDP", + "Description": "WebRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { @@ -10928,7 +10700,9 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "webrdp.exe" + ] }, "Artifacts": { "Disk": [], @@ -10938,7 +10712,8 @@ { "Description": "Known remote domains", "Domains": [ - "fortra.com" + "user_managed", + "github.com/Mikej81/WebRDP" ], "Ports": [] } 
@@ -10946,18 +10721,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fortra_network_sigma.yml", - "Description": "Detects potential network activity of Fortra RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/webrdp_network_sigma.yml", + "Description": "Detects potential network activity of WebRDP RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/webrdp_processes_sigma.yml", + "Description": "Detects potential processes activity of WebRDP RMM tool" } ], "References": [ - "https://www.fortra.com - No free/cloud RMM softwars listed" + "github.com/Mikej81/WebRDP" ], "Acknowledgement": [] }, { - "Name": "ISL Light", - "Description": "ISL Light is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "GoTo Opener", + "Description": "GoTo Opener is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -10975,44 +10754,26 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "islalwaysonmonitor.exe", - "isllight.exe", - "isllightservice.exe" + "C:\\Program Files (x86)\\GoTo Opener", + "*\\GoTo Opener" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "islonline.com" - ], - "Ports": [] - } - ] + "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_light_network_sigma.yml", - "Description": "Detects potential network activity of ISL Light RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_light_processes_sigma.yml", - "Description": "Detects potential processes activity of ISL Light RMM tool" - } - ], + "Detections": [], "References": [], "Acknowledgement": [] }, { - "Name": "Pocket Controller (Soti Xsight)", - "Description": "Pocket Controller (Soti Xsight) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "S3 Browser", + "Description": "S3 Browser is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -11027,46 +10788,32 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "pocketcontroller.exe", - "wysebrowser.exe", - "XSightService.exe" + "C:\\Program Files (x86)\\S3 Browser\\*", + "*\\S3 Browser\\*", + "*\\s3browser*.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*soti.net" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller__soti_xsight__network_sigma.yml", - "Description": "Detects potential network activity of Pocket Controller (Soti Xsight) RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller__soti_xsight__processes_sigma.yml", - "Description": "Detects potential processes activity of Pocket Controller (Soti Xsight) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/s3_browser_processes_sigma.yml", + "Description": "Detects potential processes activity of S3 Browser RMM tool" } ], - "References": [ - "https://pulse.soti.net/support/soti-xsight/help/" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "GatherPlace-desktop sharing", - "Description": "GatherPlace-desktop sharing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Any Support", + "Description": "Any Support is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/27/2024", "Details": { "Website": "", "PEMetadata": { @@ -11081,9 +10828,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "gp3.exe", - "gp4.exe", - "gp5.exe" + "ManualLauncher.exe" ] }, "Artifacts": { 
@@ -11094,9 +10839,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.gatherplace.com", - "*.gatherplace.net", - "gatherplace.com" + "*.anysupport.net" ], "Ports": [] } @@ -11104,25 +10847,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gatherplace-desktop_sharing_network_sigma.yml", - "Description": "Detects potential network activity of GatherPlace-desktop sharing RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/any_support_network_sigma.yml", + "Description": "Detects potential network activity of Any Support RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gatherplace-desktop_sharing_processes_sigma.yml", - "Description": "Detects potential processes activity of GatherPlace-desktop sharing RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/any_support_processes_sigma.yml", + "Description": "Detects potential processes activity of Any Support RMM tool" } ], "References": [ - "https://www.gatherplace.com/kb?id=136377" + "https://www.anysupport.net/introduce_howto.php" ], "Acknowledgement": [] }, { - "Name": "Site24x7", - "Description": "Site24x7 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "BeamYourScreen", + "Description": "BeamYourScreen is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/13/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -11137,10 +10880,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "MEAgentHelper.exe", - "MonitoringAgent.exe", - "Site24x7WindowsAgentTrayIcon.exe", - "Site24x7PluginAgent.exe" + "beamyourscreen.exe", + "beamyourscreen-host.exe" ] }, "Artifacts": { 
@@ -11151,12 +10892,8 @@ { "Description": "Known remote domains", "Domains": [ - "plus*.site24x7.com", - "plus*.site24x7.eu", - "plus*.site24x7.in", - "plus*.site24x7.cn", - "plus*.site24x7.net.au", - "site24x7.com/msp" + "beamyourscreen.com", + "*.beamyourscreen.com" ], "Ports": [] } 
@@ -11164,86 +10901,56 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/site24x7_network_sigma.yml", - "Description": "Detects potential network activity of Site24x7 RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beamyourscreen_network_sigma.yml", + "Description": "Detects potential network activity of BeamYourScreen RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/site24x7_processes_sigma.yml", - "Description": "Detects potential processes activity of Site24x7 RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beamyourscreen_processes_sigma.yml", + "Description": "Detects potential processes activity of BeamYourScreen RMM tool" } ], "References": [ - "https://support.site24x7.com/portal/en/kb/articles/which-ports-do-i-need-to-allow-access-in-my-firewall-to-use-site24x7-agent" + "beamyourscreen redirects to https://www.mikogo.com/" ], "Acknowledgement": [] }, { - "Name": "MeshCentral", - "Description": "MeshCentral is a remote monitoring and management (RMM) tool. MeshAgent used along with MeshCentral to remotely manage computers. MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.\n", - "Author": "@kostastsale", - "Created": "2024-09-20", - "LastModified": "2024-09-20", + "Name": "Sophos-Remote Management System", + "Description": "Sophos-Remote Management System is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/9/2024", "Details": { - "Website": "https://meshcentral.com/", + "Website": "", "PEMetadata": { - "Filename": "MeshAgent.exe", + "Filename": "", "OriginalFileName": "", - "Description": "MeshCentral Background Service Agent" + "Description": "" }, - "Privileges": "SYSTEM", - "Free": "Yes", - "Verification": "N/A", - "SupportedOS": [ - "Windows", - "Linux", - "MacOS", - "FreeBSD" - ], - "Capabilities": [ - "Remote Desktop & Terminal", - "Remote File Access", - "Text and Voice Chat", - "Server File Storage", - "Real-time User interface", - "Port Forwarding" - ], - "Vulnerabilities": [ - "CVE-2024-26135" - ], + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], "InstallationPaths": [ - "meshcentral*.exe", - "meshagent*.exe" + "clientmrinit.exe", + "mgntsvc.exe", + "routernt.exe" ] }, "Artifacts": { - "Disk": [ - { - "File": "C:\\Program Files\\Mesh Agent\\MeshAgent.exe", - "Description": "Local MeshAgent service binary after installation", - "OS": "Windows" - }, - { - "File": "C:\\Program Files\\Mesh Agent\\MeshAgent.msh", - "Description": "Local MeshAgent service configuration file. Contains configuration settings including the MeshCentral server address, port, and other settings. If the MeshAgent is run without being installed, the configuration file is created in the same directory as the MeshAgent binary.", - "OS": "Windows" - } - ], - "EventLog": [ - { - "EventID": 7045, - "ProviderName": "Service Control Manager", - "LogFile": "System.evtx", - "ServiceName": "Mesh Agent background service", - "ImagePath": "\"C:\\\\Program Files\\\\Mesh Agent\\\\MeshAgent.exe\"", - "Description": "Service installation event as result of MeshAgent installation." 
- } - ], + "Disk": [], + "EventLog": [], + "Registry": [], "Network": [ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "meshcentral.com" + "*.sophos.com", + "*.sophosupd.com", + "*.sophosupd.net", + "community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system" ], "Ports": [] } 
@@ -11251,32 +10958,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_network_sigma.yml", - "Description": "Detects potential network activity of MeshCentral RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_processes_sigma.yml", - "Description": "Detects potential processes activity of MeshCentral RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sophos-remote_management_system_network_sigma.yml", + "Description": "Detects potential network activity of Sophos-Remote Management System RMM tool" }, { - "Sigma": "https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/proc_creation_windows_meshagent.yml", - "Description": "Detects MeshAgent Command Execution via MeshCentral" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sophos-remote_management_system_processes_sigma.yml", + "Description": "Detects potential processes activity of Sophos-Remote Management System RMM tool" } ], - "References": [ - "https://ylianst.github.io/MeshCentral/meshcentral/", - "https://github.com/Ylianst/MeshAgent" - ], - "Acknowledgement": [ - { - "Person": "Kostas", - "Handle": "@kostastsale" - } - ] + "References": [ + "community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system" + ], + "Acknowledgement": [] }, { - "Name": "MSP360", - "Description": "MSP360 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "PSEXEC (Clone)", + "Description": "PSEXEC (Clone) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", 
@@ -11294,17 +10991,13 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "Online Backup.exe", - "CBBackupPlan.exe", - "Cloud.Backup.Scheduler.exe", - "Cloud.Backup.RM.Service.exe", - "cbb.exe", - "CloudRaService.exe", - "CloudRaSd.exe", - "CloudRaCmd.exe", - "CloudRaUtilities.exe", - "Remote Desktop.exe", - "Connect.exe" + "paexec.exe", + "PAExec-*.exe", + "csexec.exe ", + "remcom.exe", + "remcomsvc.exe", + "xcmd.exe", + "xcmdsvc.exe" ] }, "Artifacts": { @@ -11315,10 +11008,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.cloudberrylab.com", - "*.msp360.com", - "*.mspbackups.com", - "msp360.com" + "user_managed" ], "Ports": [] } 
@@ -11326,100 +11016,54 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/msp360_network_sigma.yml", - "Description": "Detects potential network activity of MSP360 RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec__clone__network_sigma.yml", + "Description": "Detects potential network activity of PSEXEC (Clone) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/msp360_processes_sigma.yml", - "Description": "Detects potential processes activity of MSP360 RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec__clone__processes_sigma.yml", + "Description": "Detects potential processes activity of PSEXEC (Clone) RMM tool" } ], "References": [ - "https://kb.msp360.com/managed-backup-service/mbs-tcp-ports-configuration#" + "https://www.poweradmin.com/paexec/" ], "Acknowledgement": [] }, { - "Name": "ScreenConnect", - "Description": "ScreenConnect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "Ali Alwashali, Nasreddine Bencherchali", - "Created": "2023-10-01", - "LastModified": "2024-08-03", + "Name": "GetScreen", + "Description": "GetScreen is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/7/2024", "Details": { - "Website": "https://www.connectwise.com", - "PEMetadata": [ - { - "Filename": "", - "OriginalFileName": "", - "Description": "" - } - ], + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, "Privileges": "", - "Free": "14-Days Free Trial", + "Free": "", "Verification": "", - "SupportedOS": [ - "Android", - "IOS", - "Linux", - "Mac", - "Windows" - ], - "Capabilities": [ - "Command Line Support", - "File Transfer", - "Install Windows updates", - "Receive notification when user performs a predefined event", - "Remote Command Line", - "Remote Control", - "Sound Capture", - "Start / Stop services", - "View event logs" - ], + "SupportedOS": [], + "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\ScreenConnect Client (Random)\\ScreenConnect.ClientService.exe", - "Remote Workforce Client.exe", - "*\\*\\ScreenConnect.ClientService.exe", - "C:\\Program Files (x86)\\ScreenConnect Client ()\\*", - "*\\ScreenConnect Client*\\*", - "*\\*\\ScreenConnect.WindowsClient.exe", - "screenconnect*.exe", - "screenconnect.windowsclient.exe", - "Remote Workforce Client.exe", - "screenconnect*.exe", - "ConnectWiseControl*.exe", - "connectwise*.exe", - "screenconnect.windowsclient.exe", - "screenconnect.clientservice.exe" + "GetScreen.exe", + "getscreen.exe" ] }, "Artifacts": { - "Disk": [ - { - "File": "C:\\Program Files*\\ScreenConnect\\App_Data\\Session.db", - "Description": "ScreenConnect session database", - "OS": "Windows" - }, - { - "File": "C:\\Program Files*\\ScreenConnect\\App_Data\\User.xml", - "Description": "ScreenConnect user configuration", - "OS": "Windows" - }, - { - "File": "C:\\ProgramData\\ScreenConnect Client*\\user.config", - "Description": "ScreenConnect client user configuration", - "OS": "Windows" - } - ], + "Disk": [], "EventLog": [], 
"Registry": [], "Network": [ { "Description": "Known remote domains", "Domains": [ - "control.connectwise.com", - "*.connectwise.com", - "*.screenconnect.com" + "getscreen.me", + "GetScreen.me", + "*.getscreen.me" ], "Ports": [] } @@ -11427,29 +11071,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_network_sigma.yml", - "Description": "Detects potential network activity of ScreenConnect RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_files_sigma.yml", - "Description": "Detects potential files activity of ScreenConnect RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/getscreen_network_sigma.yml", + "Description": "Detects potential network activity of GetScreen RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_processes_sigma.yml", - "Description": "Detects potential processes activity of ScreenConnect RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/getscreen_processes_sigma.yml", + "Description": "Detects potential processes activity of GetScreen RMM tool" } ], "References": [ - "https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours/" + "https://docs.getscreen.me/self-hosted/system-requirements/" ], "Acknowledgement": [] }, { - "Name": "Microsoft TSC", - "Description": "Microsoft TSC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "RemotePC", + "Description": "RemotePC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -11464,24 +11104,47 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "termsrv.exe", - "mstsc.exe" + "C:\\Program Files (x86)\\RemotePC\\*", + "Idrive.File-Transfer", + "*\\RemotePC\\*", + "remotepcservice.exe", + "RemotePC.exe", + "remotepchost.exe", + "idrive.RemotePCAgent", + "rpcsuite.exe", + "*\\RemotePCService.exe", + "RemotePCService.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.remotedesktop.com", + "*.remotepc.com", + "www.remotepc.com", + "remotepc.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_tsc_processes_sigma.yml", - "Description": "Detects potential processes activity of Microsoft TSC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepc_network_sigma.yml", + "Description": "Detects potential network activity of RemotePC RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepc_processes_sigma.yml", + "Description": "Detects potential processes activity of RemotePC RMM tool" } ], "References": [ - "https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/terminal-server-startup-connection-application" + "https://www.remotedesktop.com/helpdesk/faq-firewall" ], "Acknowledgement": [] }, @@ -11543,8 +11206,8 @@ "Acknowledgement": [] }, { - "Name": "Ultra VNC", - "Description": "Ultra VNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "LabTeach (Connectwise Automate)", + "Description": "LabTeach (Connectwise Automate) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -11562,11 +11225,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files\\uvnc bvba\\UltraVNC\\*", - "*\\uvnc bvba\\UltraVNC\\*", - "*\\UVNC_Launch.exe", - "*\\winvnc.exe", - "*\\vncviewer.exe" + "ltsvc.exe" ] }, "Artifacts": { @@ -11577,16 +11236,16 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultra_vnc_processes_sigma.yml", - "Description": "Detects potential processes activity of Ultra VNC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labteach__connectwise_automate__processes_sigma.yml", + "Description": "Detects potential processes activity of LabTeach (Connectwise Automate) RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "Remote Manipulator System", - "Description": "Remote Manipulator System is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "RemoteView", + "Description": "RemoteView is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", 
@@ -11604,8 +11263,64 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "rfusclient.exe", - "rutserv.exe" + "remoteview.exe", + "rv.exe", + "rvagent.exe", + "rvagtray.exe" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*content.rview.com", + "*.rview.com", + "content.rview.com" + ], + "Ports": [] + } + ] + }, + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteview_network_sigma.yml", + "Description": "Detects potential network activity of RemoteView RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteview_processes_sigma.yml", + "Description": "Detects potential processes activity of RemoteView RMM tool" + } + ], + "References": [ + "https://help.rview.com/hc/en-us/articles/360005175994--RemoteView-Server-list-for-firewall" + ], + "Acknowledgement": [] + }, + { + "Name": "UltraVNC", + "Description": "UltraVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/14/2024", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "UltraVNC*.exe" ] }, "Artifacts": { @@ -11616,8 +11331,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.internetid.ru", - "rmansys.ru" + "ultravnc.com", + "user_managed" ], "Ports": [] } 
@@ -11625,25 +11340,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_manipulator_system_network_sigma.yml", - "Description": "Detects potential network activity of Remote Manipulator System RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultravnc_network_sigma.yml", + "Description": "Detects potential network activity of UltraVNC RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_manipulator_system_processes_sigma.yml", - "Description": "Detects potential processes activity of Remote Manipulator System RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultravnc_processes_sigma.yml", + "Description": "Detects potential processes activity of UltraVNC RMM tool" } ], "References": [ - "https://rmansys.ru/files/" + "https://uvnc.com/docs/uvnc-server/49-UltraVNC-server-configuration.html" ], "Acknowledgement": [] }, { - "Name": "Domotz", - "Description": "Domotz is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "SmarTTY", + "Description": "SmarTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -11658,51 +11373,32 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "domotz.exe", - "Domotz Pro Desktop App.exe", - "domotz_bash.exe", - "domotz*.exe", - "Domotz Pro Desktop App Setup*.exe", - "domotz-windows*.exe" + "c:\\Program Files (x86)\\Sysprogs\\SmarTTY\\*", + "*\\Sysprogs\\SmarTTY\\*", + "*\\SmarTTY.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.domotz.co", - "domotz.com", - "*cell-1.domotz.com" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/domotz_network_sigma.yml", - "Description": "Detects potential network activity of Domotz RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/domotz_processes_sigma.yml", - "Description": "Detects potential processes activity of Domotz RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/smartty_processes_sigma.yml", + "Description": "Detects potential processes activity of SmarTTY RMM tool" } ], - "References": [ - "https://help.domotz.com/tips-tricks/unblock-outgoing-connections-on-firewall/" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "FixMe.it", - "Description": "FixMe.it is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Absolute (Computrace)", + "Description": "Absolute (Computrace) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "6/18/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -11717,17 +11413,11 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "FixMeit Client.exe", - "TiExpertStandalone.exe", - "FixMeitClient*.exe", - "TiExpertCore.exe", - "FixMeit Unattended Access Setup.exe", - "FixMeit Expert Setup.exe", - "TiExpertCore.exe", - "fixmeitclient.exe", - "TiClientCore.exe", - "TiClientHelper*.exe", - "9380CC75B872221A7425D7503565B67580407F60" + "rpcnet.exe", + "ctes.exe", + "ctespersitence.exe", + "cteshostsvc.exe", + "rpcld.exe" ] }, "Artifacts": { @@ -11738,11 +11428,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.fixme.it", - "*.techinline.net", - "fixme.it", - "*set.me", - "*setme.net" + "*search.namequery.com", + "*server.absolute.com" ], "Ports": [] } 
@@ -11750,23 +11437,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme_network_sigma.yml", - "Description": "Detects potential network activity of FixMe RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/absolute__computrace__network_sigma.yml", + "Description": "Detects potential network activity of Absolute (Computrace) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme_processes_sigma.yml", - "Description": "Detects potential processes activity of FixMe RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/absolute__computrace__processes_sigma.yml", + "Description": "Detects potential processes activity of Absolute (Computrace) RMM tool" } ], - "References": [], + "References": [ + "https://community.absolute.com/s/article/Understanding-Absolutes-Endpoint-Agents-Rpcnet-CTES-and-search-namequery-com" + ], "Acknowledgement": [] }, { - "Name": "Tanium Deploy", - "Description": "Tanium Deploy is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Quest KACE Agent (formerly Dell KACE)", + "Description": "Quest KACE Agent (formerly Dell KACE) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -11780,7 +11469,9 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "konea.exe" + ] }, "Artifacts": { "Disk": [], @@ -11790,7 +11481,8 @@ { "Description": "Known remote domains", "Domains": [ - "tanium.com/products/tanium-deploy" + "*.kace.com", + "www.quest.com/kace/" ], "Ports": [] } 
@@ -11798,19 +11490,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_deploy_network_sigma.yml", - "Description": "Detects potential network activity of Tanium Deploy RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quest_kace_agent__formerly_dell_kace__network_sigma.yml", + "Description": "Detects potential network activity of Quest KACE Agent (formerly Dell KACE) RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quest_kace_agent__formerly_dell_kace__processes_sigma.yml", + "Description": "Detects potential processes activity of Quest KACE Agent (formerly Dell KACE) RMM tool" } ], - "References": [], + "References": [ + "https://support.quest.com/kb/4211365/which-network-ports-and-urls-are-required-for-the-kace-sma-appliance-to-function" + ], "Acknowledgement": [] }, { - "Name": "N-ABLE Remote Access Software", - "Description": "N-ABLE Remote Access Software is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "DeskShare", + "Description": "DeskShare is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/26/2024", "Details": { "Website": "", "PEMetadata": { @@ -11824,7 +11522,10 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "TeamTaskManager.exe", + "DSGuest.exe" + ] }, "Artifacts": { "Disk": [], @@ -11834,7 +11535,7 @@ { "Description": "Known remote domains", "Domains": [ - "n-able.com" + "user_managed" ], "Ports": [] } 
@@ -11842,19 +11543,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_remote_access_software_network_sigma.yml", - "Description": "Detects potential network activity of N-ABLE Remote Access Software RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskshare_network_sigma.yml", + "Description": "Detects potential network activity of DeskShare RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskshare_processes_sigma.yml", + "Description": "Detects potential processes activity of DeskShare RMM tool" } ], - "References": [], + "References": [ + "https://www.deskshare.com/help/fml/Active-and-Passive-connection-mode.aspx" + ], "Acknowledgement": [] }, { - "Name": "Quick Assist", - "Description": "Quick Assist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Pocket Cloud (Wyse)", + "Description": "Pocket Cloud (Wyse) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -11869,153 +11576,88 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "quickassist.exe" + "pocketcloud*.exe", + "pocketcloudservice.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.support.services.microsoft.com" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quick_assist_network_sigma.yml", - "Description": "Detects potential network activity of Quick Assist RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quick_assist_processes_sigma.yml", - "Description": "Detects potential processes activity of Quick Assist RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_cloud__wyse__processes_sigma.yml", + "Description": "Detects potential processes activity of Pocket Cloud (Wyse) RMM tool" } ], - "References": [], + "References": [ + "https://wyse-pocketcloud.informer.com/2.1/" + ], "Acknowledgement": [] }, { - "Name": "AnyViewer", - "Description": "AnyViewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.\n", - "Author": "@kostastsale", - "Created": "2024-08-03", - "LastModified": "2024-08-03", + "Name": "Pilixo", + "Description": "Pilixo is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/9/2024", "Details": { - "Website": "https://www.anyviewer.com/", - "PEMetadata": [ - { - "Filename": "AnyViewer.exe", - "OriginalFileName": "AnyViewer", - "Description": "Splash Window" - }, - { - "Filename": "RCClient.exe", - "OriginalFileName": "RCClient.exe", - "Description": "AnyViewer Core" - }, - { - "Filename": "ScreanCap.exe", - "Description": "Screan capture" - }, - { - "Filename": "AVCore.exe" - }, - { - "Filename": "RCService.exe" - } - ], - "Privileges": "System", - "Free": "up to 10 devices", - "Verification": "None", - "SupportedOS": [ - "Windows" - ], - "Capabilities": [ - "Remote desktop", - "Remote file transfer", - "Remote monitoring and management", - "Remote shell open" - ], + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\AnyViewer\\*" + "rdp.exe", + "Pilixo_Installer*.exe" ] }, - "Artifacts": { - "Disk": [], - "EventLog": [ - { - "EventID": 4688, - "ProviderName": "Microsoft-Security-Auditing", - "LogFile": "Security.evtx", - "CommandLine": "\"C:\\\\Program Files (x86)\\\\AnyViewer\\\\AVCore.exe\" -d", - "Description": "Taking actions on the remote machine such as opening a command prompt." - }, - { - "EventID": 7045, - "ProviderName": "Service Control Manager", - "LogFile": "System.evtx", - "ServiceName": "RCService", - "ImagePath": "C:\\\\Program Files (x86)\\\\AnyViewer\\\\RCService.exe", - "Description": "AnyViewer service installation service." 
- } - ], + "Artifacts": { + "Disk": [], + "EventLog": [], "Registry": [], "Network": [ { - "Description": "N/A", - "Domains": [ - "*.anyviewer.com" - ], - "Ports": [ - 443 - ] - }, - { - "Description": "N/A", + "Description": "Known remote domains", "Domains": [ - "*.aomeisoftware.com" + "pilixo.com", + "download.pilixo.com", + "*.pilixo.com" ], - "Ports": [ - 443 - ] + "Ports": [] } ] }, "Detections": [ { - "Name": "Arbitrary code execution and remote sessions via Action1 RMM", - "Description": "Threat hunting rule for detecting the execution of arbitrary code and remote sessions via Action1 RMM", - "author": "@kostastsale", - "Link": "https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/Anyviewer.yml" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pilixo_network_sigma.yml", + "Description": "Detects potential network activity of Pilixo RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyviewer_network_sigma.yml", - "Description": "Detects potential network activity of AnyViewer RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pilixo_processes_sigma.yml", + "Description": "Detects potential processes activity of Pilixo RMM tool" } ], "References": [ - "https://www.anyviewer.com/how-to/how-to-open-firewall-ports-for-remote-desktop-0427-gc.html", - "https://www.anyviewer.com/help/remote-technical-support.html" + "https://pilixo.freshdesk.com/support/solutions/articles/9000141879-device-connectivity-and-firewalls" ], - "Acknowledgement": [ - { - "Person": "Kostas", - "Handle": "@kostastsale" - } - ] + "Acknowledgement": [] }, { - "Name": "Naverisk", - "Description": "Naverisk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Mikogo", + "Description": "Mikogo is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -12030,7 +11672,14 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "AgentSetup-*.exe" + "mikogo.exe", + "mikogo-starter.exe", + "mikogo-service.exe", + "mikogolauncher.exe", + "C:\\Users\\*\\AppData\\Roaming\\Mikogo\\*", + "*Users\\*\\AppData\\Roaming\\Mikogo\\*", + "*\\Mikogo-Service.exe", + "*\\Mikogo-Screen-Service.exe" ] }, "Artifacts": { @@ -12041,8 +11690,10 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "naverisk.com" + "*.real-time-collaboration.com", + "*.mikogo4.com", + "*.mikogo.com", + "mikogo.com" ], "Ports": [] } 
@@ -12050,25 +11701,89 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/naverisk_network_sigma.yml", - "Description": "Detects potential network activity of Naverisk RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mikogo_network_sigma.yml", + "Description": "Detects potential network activity of Mikogo RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/naverisk_processes_sigma.yml", - "Description": "Detects potential processes activity of Naverisk RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mikogo_processes_sigma.yml", + "Description": "Detects potential processes activity of Mikogo RMM tool" } ], "References": [ - "http://kb.naverisk.com/en/articles/2811223-deploying-naverisk-agents" + "https://mikogo.zendesk.com/hc/en-us/articles/214072478-Which-IP-addresses-do-we-use-for-our-services" ], "Acknowledgement": [] }, { - "Name": "Addigy", - "Description": "Addigy is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "WebEx (Remote Access)", + "Description": "WebEx (Remote Access) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/27/2024", + "LastModified": "2/14/2024", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [], + "References": [ + "https://help.webex.com/en-us/article/nyc3q0b/Set-Up-a-Computer-for-Remote-Access" + ], + "Acknowledgement": [] + }, + { + "Name": "Koofr", + "Description": "Koofr is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "Duplicati", + "Description": "Duplicati is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -12083,9 +11798,46 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "addigy-*.pkg" + "c:\\Program Files\\*\\Duplicati.Server.exe", + "*\\*\\Duplicati.Server.exe" ] }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/duplicati_processes_sigma.yml", + "Description": "Detects potential processes activity of Duplicati RMM tool" + } + ], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "ManageEngine RMM Central", + "Description": "ManageEngine RMM Central is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [] + }, "Artifacts": { "Disk": [], "EventLog": [], @@ -12094,9 +11846,7 @@ { "Description": "Known remote domains", "Domains": [ - "prod.addigy.com", - "grtmprod.addigy.com", - "agents.addigy.com" + "manageengine.com/remote-monitoring-management/" ], "Ports": [] } 
@@ -12104,188 +11854,116 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/addigy_network_sigma.yml", - "Description": "Detects potential network activity of Addigy RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manageengine_rmm_central_network_sigma.yml", + "Description": "Detects potential network activity of ManageEngine RMM Central RMM tool" } ], - "References": [ - "https://addigy.com/" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "Action1", - "Description": "Action1 is a powerful Remote Monitoring and Management(RMM) tool that enables users to execute commands, scripts, and binaries. \nThrough the web interface of action1, the administrator must create a new policy or an app to establish remote execution and then points that the agent is installed.\n", - "Author": "@kostastsale", - "Created": "2024-08-03", - "LastModified": "2024-10-06", + "Name": "WinSCP", + "Description": "WinSCP is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "", "Details": { - "Website": "https://www.action1.com/", - "PEMetadata": [ - { - "Filename": "action1_connector.exe" - }, - { - "Filename": "action1_remote.exe" - }, - { - "Filename": "action1_update.exe" - }, - { - "Filename": "action1_agent.exe", - "OriginalFileName": "action1_agent.exe", - "Description": "Endpoint Agent" - } - ], - "Privileges": "SYSTEM", - "Free": "Yes", - "Verification": "Corporate email required although temporary email services are accepted", - "SupportedOS": [ - "Windows" - ], - "Capabilities": [ - "Backup and disaster recovery", - "Billing and invoicing", - "Customer portal", - "HelpDesk and ticketing", - "Mobile app", - "Network discovery", - "Patch management", - "Remote monitoring and management", - "Reporting and analytics" - ], + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "C:\\Users\\IEUser\\Downloads\\WinSCP-5.21.6-Portable\\*", + "*\\WinSCP*Portable\\*", + "*\\WinSCP.exe", + "*\\WinSCP\\*" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/winscp_processes_sigma.yml", + "Description": "Detects potential processes activity of WinSCP RMM tool" + } + ], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "GatherPlace-desktop sharing", + "Description": "GatherPlace-desktop sharing is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/7/2024", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Windows\\Action1\\*" + "gp3.exe", + "gp4.exe", + "gp5.exe" ] }, "Artifacts": { - "Disk": [ - { - "File": "C:\\Windows\\Action1\\action1_agent.exe", - "Description": "Action1 service binary", - "OS": "Windows" - }, - { - "File": "C:\\Windows\\Action1\\*", - "Description": "Multiple files and binaries related to Action1 installation", - "OS": "Windows" - }, - { - "File": "C:\\Windows\\Action1\\scripts\\*", - "Description": "Multiple scripts related to Action1 installation", - "OS": "Windows" - }, - { - "File": "C:\\Windows\\Action1\\rule_data\\*", - "Description": "Files related to Action1 rules", - "OS": "Windows" - }, - { - "File": "C:\\Windows\\Action1\\action1_log_*.log", - "Description": "Contains history, errors, system notifications. Incoming and outgoing connections.", - "OS": "Windows" - } - ], - "EventLog": [ - { - "EventID": 7045, - "ProviderName": "Service Control Manager", - "LogFile": "System.evtx", - "ServiceName": "A1Agent", - "ImagePath": "\"C:\\\\Windows\\\\Action1\\\\action1_agent.exe\"", - "Description": "Service installation event as result of Action1 installation." - }, - { - "EventID": 4697, - "ProviderName": "Microsoft-Security-Auditing", - "LogFile": "Security.evtx", - "ServiceName": "A1Agent", - "CommandLine": "C:\\Windows\\Action1\\action1_agent.exe service", - "Description": "Service installation event as result of Action1 installation." 
- }, - { - "EventID": 4688, - "ProviderName": "Microsoft-Security-Auditing", - "LogFile": "Security.evtx", - "CommandLine": "C:\\Windows\\Action1\\action1_agent.exe loggedonuser", - "Description": "Executing command to get logged on user." - } - ], - "Registry": [ - { - "Path": "HKLM\\System\\CurrentControlSet\\Services\\A1Agent", - "Description": "Service installation event as result of Action1 installation." - }, - { - "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\action1_agent.exe", - "Description": "Ensures that detailed crash information is available for analysis, which aids in maintaining the stability and reliability of the software." - }, - { - "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Action1", - "Description": "Storing its configuration settings and other relevant information" - } - ], + "Disk": [], + "EventLog": [], + "Registry": [], "Network": [ { - "Description": "N/A", - "Domains": [ - "*.action1.com" - ], - "Ports": [ - 443 - ] - }, - { - "Description": "N/A", + "Description": "Known remote domains", "Domains": [ - "a1-backend-packages.s3.amazonaws.com" + "*.gatherplace.com", + "*.gatherplace.net", + "gatherplace.com" ], - "Ports": [ - 443 - ] + "Ports": [] } ] }, "Detections": [ { - "Name": "Arbitrary code execution and remote sessions via Action1 RMM", - "Description": "Threat hunting rule for detecting the execution of arbitrary code and remote sessions via Action1 RMM", - "author": "@kostastsale", - "Link": "https://github.com/tsale/Sigma_rules/blob/ea87e4fc851207ca0f002ec043624f2b3bf1b2da/Threat%20Hunting%20Queries/Action1_RMM.yml" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_registry_sigma.yml", - "Description": "Detects potential registry activity of Action1 RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_network_sigma.yml", - "Description": "Detects potential network activity of Action1 RMM 
tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gatherplace-desktop_sharing_network_sigma.yml", + "Description": "Detects potential network activity of GatherPlace-desktop sharing RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_files_sigma.yml", - "Description": "Detects potential files activity of Action1 RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gatherplace-desktop_sharing_processes_sigma.yml", + "Description": "Detects potential processes activity of GatherPlace-desktop sharing RMM tool" } ], "References": [ - "https://www.action1.com/documentation/firewall-configuration/", - "https://www.action1.com/documentation/", - "https://twitter.com/Kostastsale/status/1646256901506605063?s=20", - "https://ruler-project.github.io/ruler-project/RULER/remote/Action1/" + "https://www.gatherplace.com/kb?id=136377" ], - "Acknowledgement": [ - { - "Person": "Kostas", - "Handle": "@kostastsale" - } - ] + "Acknowledgement": [] }, { - "Name": "AliWangWang-remote-control", - "Description": "AliWangWang-remote-control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Laplink Gold", + "Description": "Laplink Gold is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -12300,7 +11978,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "alitask.exe" + "tsircusr.exe", + "laplink.exe" ] }, "Artifacts": { @@ -12311,7 +11990,8 @@ { "Description": "Known remote domains", "Domains": [ - "wangwang.taobao.com" + "user_managed", + "wen.laplink.com/product/laplink-gold" ], "Ports": [] } 
@@ -12319,25 +11999,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aliwangwang-remote-control_network_sigma.yml", - "Description": "Detects potential network activity of AliWangWang-remote-control RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_gold_network_sigma.yml", + "Description": "Detects potential network activity of Laplink Gold RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aliwangwang-remote-control_processes_sigma.yml", - "Description": "Detects potential processes activity of AliWangWang-remote-control RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_gold_processes_sigma.yml", + "Description": "Detects potential processes activity of Laplink Gold RMM tool" } ], "References": [ - "https://github.com/KKomarov/AliWangWangEng/blob/master/chs.locale" + "wen.laplink.com/product/laplink-gold" ], "Acknowledgement": [] }, { - "Name": "FreeRDP", - "Description": "FreeRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Centurion", + "Description": "Centurion is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -12351,24 +12031,45 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "ctiserv.exe" + ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "centuriontech.com" + ], + "Ports": [] + } + ] }, - "Detections": [], - "References": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centurion_network_sigma.yml", + "Description": "Detects potential network activity of Centurion RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centurion_processes_sigma.yml", + "Description": "Detects potential processes activity of Centurion RMM tool" + } + ], + "References": [ + "https://data443.atlassian.net/servicedesk/customer/portal/20" + ], "Acknowledgement": [] }, { - "Name": "MioNet (Also known as WD Anywhere Access)", - "Description": "MioNet (Also known as WD Anywhere Access) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Ivanti Remote Control", + "Description": "Ivanti Remote Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -12383,28 +12084,43 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "mionet.exe", - "mionetmanager.exe" + "IvantiRemoteControl.exe", + "ArcUI.exe", + "AgentlessRC.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.ivanticloud.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mionet__also_known_as_wd_anywhere_access__processes_sigma.yml", - "Description": "Detects potential processes activity of MioNet (Also known as WD Anywhere Access) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ivanti_remote_control_network_sigma.yml", + "Description": "Detects potential network activity of Ivanti Remote Control RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ivanti_remote_control_processes_sigma.yml", + "Description": "Detects potential processes activity of Ivanti Remote Control RMM tool" } ], - "References": [], + "References": [ + "https://rc1.ivanticloud.com/" + ], "Acknowledgement": [] }, { - "Name": "SmartCode Web VNC", - "Description": "SmartCode Web VNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "NordLocker", + "Description": "NordLocker is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -12419,12 +12135,9 @@ "Free": "", "Verification": "", "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\Program Files\\TightVNC\\*", - "*\\TightVNC\\*" - ] + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [] }, "Artifacts": { "Disk": [], 
@@ -12437,11 +12150,11 @@ "Acknowledgement": [] }, { - "Name": "Onionshare", - "Description": "Onionshare is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Xeox", + "Description": "Xeox is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -12456,33 +12169,48 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\OnionShare\\*", - "*\\OnionShare\\*", - "*\\onionshare*.exe", - "OnionShare-win*.msi" + "xeox-agent_x64.exe", + "xeox_service_windows.exe", + "xeox-agent_*.exe", + "xeox-agent_x86.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.xeox.com", + "xeox.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/onionshare_processes_sigma.yml", - "Description": "Detects potential processes activity of Onionshare RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xeox_network_sigma.yml", + "Description": "Detects potential network activity of Xeox RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xeox_processes_sigma.yml", + "Description": "Detects potential processes activity of Xeox RMM tool" } ], - "References": [], + "References": [ + "https://help.xeox.com/knowledge-base/gSuyNfDH6u79M82utnswf2/firewall-settings-xeox-agent-and-integrations/47T7S9tZJ2L1Z2W5gwuXoW" + ], "Acknowledgement": [] }, { - "Name": "Rocket Remote Desktop", - "Description": "Rocket Remote Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ezHelp", + "Description": "ezHelp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -12497,31 +12225,47 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "RDConsole.exe", - "RocketRemoteDesktop_Setup.exe" + "ezhelpclientmanager.exe", + "ezHelpManager.exe", + "ezhelpclient.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.ezhelp.co.kr", + "ezhelp.co.kr" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rocket_remote_desktop_processes_sigma.yml", - "Description": "Detects potential processes activity of Rocket Remote Desktop RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ezhelp_network_sigma.yml", + "Description": "Detects potential network activity of ezHelp RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ezhelp_processes_sigma.yml", + "Description": "Detects potential processes activity of ezHelp RMM tool" } ], - "References": [], + "References": [ + "https://www.exhelp.co.kr" + ], "Acknowledgement": [] }, { - "Name": "WebRDP", - "Description": "WebRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Level.io", + "Description": "Level.io is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -12536,7 +12280,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "webrdp.exe" + "level-windows-amd64.exe", + "level.exe", + "level-remote-control-ffmpeg.exe" ] }, "Artifacts": { @@ -12547,8 +12293,8 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "github.com/Mikej81/WebRDP" + "level.io", + "*.level.io" ], "Ports": [] } 
@@ -12556,22 +12302,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/webrdp_network_sigma.yml", - "Description": "Detects potential network activity of WebRDP RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_network_sigma.yml", + "Description": "Detects potential network activity of Level.io RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/webrdp_processes_sigma.yml", - "Description": "Detects potential processes activity of WebRDP RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_processes_sigma.yml", + "Description": "Detects potential processes activity of Level.io RMM tool" } ], "References": [ - "github.com/Mikej81/WebRDP" + "https://docs.level.io/1.0/admin-guides/troubleshooting-agent-issues" ], "Acknowledgement": [] }, { - "Name": "BeyondTrust", - "Description": "BeyondTrust is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "MultCloud", + "Description": "MultCloud is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -12588,7 +12334,10 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "requires sign up", + "requires sign up" + ] }, "Artifacts": { "Disk": [], 
@@ -12601,11 +12350,11 @@ "Acknowledgement": [] }, { - "Name": "SuperOps", - "Description": "SuperOps is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Synergy", + "Description": "Synergy is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/26/2024", "Details": { "Website": "", "PEMetadata": { @@ -12619,10 +12368,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "superopsticket.exe", - "superops.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], @@ -12632,11 +12378,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.superopsbeta.com", - "superops.ai", - "serv.superopsalpha.com", - "*.superops.ai", - "*.superopsalpha.com" + "user_managed" ], "Ports": [] } 
@@ -12644,25 +12386,21 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superops_network_sigma.yml", - "Description": "Detects potential network activity of SuperOps RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superops_processes_sigma.yml", - "Description": "Detects potential processes activity of SuperOps RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/synergy_network_sigma.yml", + "Description": "Detects potential network activity of Synergy RMM tool" } ], "References": [ - "https://support.superops.com/en/articles/6632028-how-to-download-and-deploy-the-agent" + "https://symless.com/synergy" ], "Acknowledgement": [] }, { - "Name": "RemotePass", - "Description": "RemotePass is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "OptiTune", + "Description": "OptiTune is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/26/2024", "Details": { "Website": "", "PEMetadata": { @@ -12677,9 +12415,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "remotepass-access.exe", - "rpaccess.exe", - "rpwhostscr.exe" + "OTService.exe", + "OTPowerShell.exe" ] }, "Artifacts": { @@ -12690,7 +12427,8 @@ { "Description": "Known remote domains", "Domains": [ - "remotepass.com" + "*.optitune.us", + "*.opti-tune.com" ], "Ports": [] } 
@@ -12698,25 +12436,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepass_network_sigma.yml", - "Description": "Detects potential network activity of RemotePass RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/optitune_network_sigma.yml", + "Description": "Detects potential network activity of OptiTune RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepass_processes_sigma.yml", - "Description": "Detects potential processes activity of RemotePass RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/optitune_processes_sigma.yml", + "Description": "Detects potential processes activity of OptiTune RMM tool" } ], "References": [ - "https://www.remotepass.com/rpaccess.html - DOA as of 2024" + "https://www.bravurasoftware.com/optitune/support/faq.aspx" ], "Acknowledgement": [] }, { - "Name": "Itarian", - "Description": "Itarian is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Netop", + "Description": "Netop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -12731,18 +12469,76 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ITSMAgent.exe", - "RViewer.exe", - "ItsmRsp.exe", - "RAccess.exe", - "RmmService.exe", - "ITarianRemoteAccessSetup.exe", - "RDesktop.exe", - "ComodoRemoteControl.exe", - "ITSMService.exe", - "RHost.exe" + "C:\\Program Files\\Danware Data\\NetOp Packn Deploy\\*", + "*\\Danware Data\\NetOp Packn Deploy\\*", + "*\\Netop Remote Control\\*" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "ConnectWise", + "Description": "ConnectWise is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "C:\\Program Files (x86)\\ScreenConnect Client ()\\*", + "*\\ScreenConnect*Client*\\*" ] }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "Encapto", + "Description": "Encapto is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/7/2024", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [] + }, "Artifacts": { "Disk": [], "EventLog": [], 
@@ -12751,11 +12547,7 @@ { "Description": "Known remote domains", "Domains": [ - "mdmsupport.comodo.com", - "*.itsm-us1.comodo.com", - "*.cmdm.comodo.com", - "remoteaccess.itarian.com", - "servicedesk.itarian.com" + "encapto.com" ], "Ports": [] } 
@@ -12763,78 +12555,188 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itarian_network_sigma.yml", - "Description": "Detects potential network activity of Itarian RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itarian_processes_sigma.yml", - "Description": "Detects potential processes activity of Itarian RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/encapto_network_sigma.yml", + "Description": "Detects potential network activity of Encapto RMM tool" } ], "References": [ - "https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html" + "https://www.encapto.com - used to manage Cisco services" ], "Acknowledgement": [] }, { - "Name": "PSEXEC", - "Description": "PSEXEC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/9/2024", + "Name": "Action1", + "Description": "Action1 is a powerful Remote Monitoring and Management(RMM) tool that enables users to execute commands, scripts, and binaries. 
\nThrough the web interface of action1, the administrator must create a new policy or an app to establish remote execution and then points that the agent is installed.\n", + "Author": "@kostastsale", + "Created": "2024-08-03", + "LastModified": "2024-10-06", "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], + "Website": "https://www.action1.com/", + "PEMetadata": [ + { + "Filename": "action1_connector.exe" + }, + { + "Filename": "action1_remote.exe" + }, + { + "Filename": "action1_update.exe" + }, + { + "Filename": "action1_agent.exe", + "OriginalFileName": "action1_agent.exe", + "Description": "Endpoint Agent" + } + ], + "Privileges": "SYSTEM", + "Free": "Yes", + "Verification": "Corporate email required although temporary email services are accepted", + "SupportedOS": [ + "Windows" + ], + "Capabilities": [ + "Backup and disaster recovery", + "Billing and invoicing", + "Customer portal", + "HelpDesk and ticketing", + "Mobile app", + "Network discovery", + "Patch management", + "Remote monitoring and management", + "Reporting and analytics" + ], "Vulnerabilities": [], "InstallationPaths": [ - "psexec.exe", - "psexecsvc.exe" + "C:\\Windows\\Action1\\*" ] }, "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], + "Disk": [ + { + "File": "C:\\Windows\\Action1\\action1_agent.exe", + "Description": "Action1 service binary", + "OS": "Windows" + }, + { + "File": "C:\\Windows\\Action1\\*", + "Description": "Multiple files and binaries related to Action1 installation", + "OS": "Windows" + }, + { + "File": "C:\\Windows\\Action1\\scripts\\*", + "Description": "Multiple scripts related to Action1 installation", + "OS": "Windows" + }, + { + "File": "C:\\Windows\\Action1\\rule_data\\*", + "Description": "Files related to Action1 rules", + "OS": "Windows" + }, + { + "File": 
"C:\\Windows\\Action1\\action1_log_*.log", + "Description": "Contains history, errors, system notifications. Incoming and outgoing connections.", + "OS": "Windows" + } + ], + "EventLog": [ + { + "EventID": 7045, + "ProviderName": "Service Control Manager", + "LogFile": "System.evtx", + "ServiceName": "A1Agent", + "ImagePath": "\"C:\\\\Windows\\\\Action1\\\\action1_agent.exe\"", + "Description": "Service installation event as result of Action1 installation." + }, + { + "EventID": 4697, + "ProviderName": "Microsoft-Security-Auditing", + "LogFile": "Security.evtx", + "ServiceName": "A1Agent", + "CommandLine": "C:\\Windows\\Action1\\action1_agent.exe service", + "Description": "Service installation event as result of Action1 installation." + }, + { + "EventID": 4688, + "ProviderName": "Microsoft-Security-Auditing", + "LogFile": "Security.evtx", + "CommandLine": "C:\\Windows\\Action1\\action1_agent.exe loggedonuser", + "Description": "Executing command to get logged on user." + } + ], + "Registry": [ + { + "Path": "HKLM\\System\\CurrentControlSet\\Services\\A1Agent", + "Description": "Service installation event as result of Action1 installation." + }, + { + "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\action1_agent.exe", + "Description": "Ensures that detailed crash information is available for analysis, which aids in maintaining the stability and reliability of the software." 
+ }, + { + "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Action1", + "Description": "Storing its configuration settings and other relevant information" + } + ], "Network": [ { - "Description": "Known remote domains", + "Description": "N/A", "Domains": [ - "user_managed" + "*.action1.com" ], - "Ports": [] + "Ports": [ + 443 + ] + }, + { + "Description": "N/A", + "Domains": [ + "a1-backend-packages.s3.amazonaws.com" + ], + "Ports": [ + 443 + ] } ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec_network_sigma.yml", - "Description": "Detects potential network activity of PSEXEC RMM tool" + "Name": "Arbitrary code execution and remote sessions via Action1 RMM", + "Description": "Threat hunting rule for detecting the execution of arbitrary code and remote sessions via Action1 RMM", + "author": "@kostastsale", + "Link": "https://github.com/tsale/Sigma_rules/blob/ea87e4fc851207ca0f002ec043624f2b3bf1b2da/Threat%20Hunting%20Queries/Action1_RMM.yml" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec_processes_sigma.yml", - "Description": "Detects potential processes activity of PSEXEC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_registry_sigma.yml", + "Description": "Detects potential registry activity of Action1 RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_network_sigma.yml", + "Description": "Detects potential network activity of Action1 RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_files_sigma.yml", + "Description": "Detects potential files activity of Action1 RMM tool" } ], "References": [ - "https://learn.microsoft.com/en-us/sysinternals/downloads/psexec" + "https://www.action1.com/documentation/firewall-configuration/", + "https://www.action1.com/documentation/", + 
"https://twitter.com/Kostastsale/status/1646256901506605063?s=20", + "https://ruler-project.github.io/ruler-project/RULER/remote/Action1/" ], - "Acknowledgement": [] + "Acknowledgement": [ + { + "Person": "Kostas", + "Handle": "@kostastsale" + } + ] }, { - "Name": "Level.io", - "Description": "Level.io is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "SuperPuTTY", + "Description": "SuperPuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -12849,47 +12751,33 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "level-windows-amd64.exe", - "level.exe", - "level-remote-control-ffmpeg.exe" + "C:\\Downloads\\SuperPuTTY\\*", + "*Downloads\\SuperPuTTY\\*", + "*\\superputty.exe", + "*\\SuperPuTTY\\*" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "level.io", - "*.level.io" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_network_sigma.yml", - "Description": "Detects potential network activity of Level.io RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_processes_sigma.yml", - "Description": "Detects potential processes activity of Level.io RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superputty_processes_sigma.yml", + "Description": "Detects potential processes activity of SuperPuTTY RMM tool" } ], - "References": [ - "https://docs.level.io/1.0/admin-guides/troubleshooting-agent-issues" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "ezHelp", - "Description": "ezHelp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Royal Apps", + "Description": "Royal Apps is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -12904,9 +12792,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ezhelpclientmanager.exe", - "ezHelpManager.exe", - "ezhelpclient.exe" + "royalserver.exe", + "royalts.exe" ] }, "Artifacts": { 
@@ -12917,8 +12804,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.ezhelp.co.kr", - "ezhelp.co.kr" + "user_managed" ], "Ports": [] } @@ -12926,25 +12812,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ezhelp_network_sigma.yml", - "Description": "Detects potential network activity of ezHelp RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_apps_network_sigma.yml", + "Description": "Detects potential network activity of Royal Apps RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ezhelp_processes_sigma.yml", - "Description": "Detects potential processes activity of ezHelp RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_apps_processes_sigma.yml", + "Description": "Detects potential processes activity of Royal Apps RMM tool" } ], "References": [ - "https://www.exhelp.co.kr" + "https://www.royalapps.com/ts/win/download" ], "Acknowledgement": [] }, { - "Name": "Kabuto", - "Description": "Kabuto is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Tanium Deploy", + "Description": "Tanium Deploy is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -12958,9 +12844,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "Kabuto.App.Runner.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], @@ -12970,8 +12854,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.kabuto.io", - "repairtechsolutions.com/kabuto/" + "tanium.com/products/tanium-deploy" ], "Ports": [] } 
@@ -12979,25 +12862,19 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kabuto_network_sigma.yml", - "Description": "Detects potential network activity of Kabuto RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kabuto_processes_sigma.yml", - "Description": "Detects potential processes activity of Kabuto RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_deploy_network_sigma.yml", + "Description": "Detects potential network activity of Tanium Deploy RMM tool" } ], - "References": [ - "https://www.repairtechsolutions.com/documentation/kabuto/" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "Synergy", - "Description": "Synergy is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Zabbix Agent", + "Description": "Zabbix Agent is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/26/2024", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { @@ -13011,7 +12888,9 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "zabbix_agent*.exe" + ] }, "Artifacts": { "Disk": [], @@ -13021,7 +12900,8 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed" + "user_managed", + "zabbix.com" ], "Ports": [] } 
@@ -13029,21 +12909,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/synergy_network_sigma.yml", - "Description": "Detects potential network activity of Synergy RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zabbix_agent_network_sigma.yml", + "Description": "Detects potential network activity of Zabbix Agent RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zabbix_agent_processes_sigma.yml", + "Description": "Detects potential processes activity of Zabbix Agent RMM tool" } ], "References": [ - "https://symless.com/synergy" + "https://www.zabbix.com/documentation/current/en/manual/appendix/install/windows_agent" ], "Acknowledgement": [] }, { - "Name": "ConnectWise", - "Description": "ConnectWise is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Weezo", + "Description": "Weezo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -13058,23 +12942,46 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\ScreenConnect Client ()\\*", - "*\\ScreenConnect*Client*\\*" + "weezohttpd.exe", + "weezo.exe", + "weezo setup*.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.weezo.me", + "weezo.net", + "*.weezo.net", + "weezo.en.softonic.com" + ], + "Ports": [] + } + ] }, - "Detections": [], - "References": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/weezo_network_sigma.yml", + "Description": "Detects potential network activity of Weezo RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/weezo_processes_sigma.yml", + "Description": "Detects potential processes activity of Weezo RMM tool" + } + ], + "References": [ + "weezo.en.softonic.com" + ], "Acknowledgement": [] }, { - "Name": "TigerVNC", - "Description": "TigerVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "BeInSync", + "Description": "BeInSync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/26/2024", @@ -13092,11 +12999,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "tigervnc*.exe", - "winvnc4.exe", - "C:\\Program Files\\TightVNC\\*", - "*\\TightVNC\\*", - "*\\tvnserver.exe" + "Beinsync*.exe" ] }, "Artifacts": { @@ -13107,7 +13010,8 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed" + "*.beinsync.net", + "*.beinsync.com" ], "Ports": [] } 
@@ -13115,148 +13019,32 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tigervnc_network_sigma.yml", - "Description": "Detects potential network activity of TigerVNC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beinsync_network_sigma.yml", + "Description": "Detects potential network activity of BeInSync RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tigervnc_processes_sigma.yml", - "Description": "Detects potential processes activity of TigerVNC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beinsync_processes_sigma.yml", + "Description": "Detects potential processes activity of BeInSync RMM tool" } ], "References": [ - "https://github.com/TigerVNC/tigervnc/releases" + "https://en.wikipedia.org/wiki/Phoenix_Technologies" ], "Acknowledgement": [] }, { - "Name": "GoToMyPC", - "Description": "GoToMyPC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.\n", - "Author": "Nasreddine Bencherchali", - "Created": "2024-08-05", - "LastModified": "2024-08-05", + "Name": "ScreenMeet", + "Description": "ScreenMeet is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/7/2024", "Details": { "Website": "", - "PEMetadata": [ - { - "Filename": "AppCore.exe" - }, - { - "Filename": "g2comm.exe" - }, - { - "Filename": "g2file*.exe" - }, - { - "Filename": "g2fileh.exe" - }, - { - "Filename": "g2host.exe" - }, - { - "Filename": "g2m_download.exe" - }, - { - "Filename": "g2mainh.exe" - }, - { - "Filename": "G2MChat.exe" - }, - { - "Filename": "G2MCodecInstExtractor.exe" - }, - { - "Filename": "G2MComm.exe" - }, - { - "Filename": "G2MCoreInstExtractor.exe" - }, - { - "Filename": "G2MFeedback.exe" - }, - { - "Filename": "G2MHost.exee" - }, - { - "Filename": "G2MInstaller.exe" - }, - { - "Filename": "G2MInstallerExtractor.exe" - }, - { - "Filename": "G2MInstHigh.exe" - }, - { - "Filename": "G2MLauncher.exe" - }, - { - "Filename": "G2MMatchMaking.exe" - }, - { - "Filename": "G2MMaterials.exe" - }, - { - "Filename": "G2MPolling.exe" - }, - { - "Filename": "G2MQandA.exe" - }, - { - "Filename": "G2MRecorder.exe" - }, - { - "Filename": "G2MScrUtil64.exe" - }, - { - "Filename": "G2MSessionControl.exe" - }, - { - "Filename": "G2MStart.exe" - }, - { - "Filename": "G2MTesting.exe" - }, - { - "Filename": "G2MTranscoder.exe" - }, - { - "Filename": "G2MUI.exe" - }, - { - "Filename": "G2MUninstall.exe" - }, - { - "Filename": "g2mupload.exe" - }, - { - "Filename": "g2mvideoconference.exe" - }, - { - "Filename": "G2MView.exe" - }, - { - "Filename": "g2printh.exe" - }, - { - "Filename": "g2quick.exe" - }, - { - "Filename": "g2svc.exe" - }, - { - "Filename": "g2tray.exe" - }, - { - "Filename": "gopcsrv.exe" - }, - { - "Filename": "GoToScrUtils.exe" - }, - { - "Filename": "GoTo.exe", - "OriginalFileName": "", - "Description": "" - } - ], + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, "Privileges": "", "Free": "", "Verification": "", 
@@ -13264,80 +13052,46 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\GoToMyPC\\*" + "ScreenMeetSupport.exe", + "ScreenMeet.Support.exe" ] }, "Artifacts": { - "Disk": [ - { - "File": "%AppData%\\GoTo\\Logs\\goto.log", - "Description": "N/A", - "OS": "Windows" - } - ], - "EventLog": [], - "Registry": [ - { - "Path": "HKEY_LOCAL_MACHINE\\WOW6432Node\\Citrix\\GoToMyPc", - "Description": "Configuration settings including registration email" - }, - { - "Path": "HKEY_LOCAL_MACHINE\\WOW6432Node\\Citrix\\GoToMyPc\\GuestInvite", - "Description": "Guest invites send to connect" - }, - { - "Path": "HKEY_CURRENT_USER\\SOFTWARE\\Citrix\\GoToMyPc\\FileTransfer\\history", - "Description": "hostname of the computer making connections and location of transferred files" - }, - { - "Path": "HKEY_USERS\\\\SOFTWARE\\Citrix\\GoToMyPc\\FileTransfer\\history", - "Description": "hostname of the computer making connections and location of transferred files" - } - ], + "Disk": [], + "EventLog": [], + "Registry": [], "Network": [ { - "Description": "N/A", + "Description": "Known remote domains", "Domains": [ - "*.GoToMyPC.com" + "*.screenmeet.com", + "*.scrn.mt" ], - "Ports": [ - "N/A" - ] + "Ports": [] } ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_registry_sigma.yml", - "Description": "Detects potential registry activity of GoToMyPC RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_network_sigma.yml", - "Description": "Detects potential network activity of GoToMyPC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenmeet_network_sigma.yml", + "Description": "Detects potential network activity of ScreenMeet RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_files_sigma.yml", - "Description": "Detects potential files activity of 
GoToMyPC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenmeet_processes_sigma.yml", + "Description": "Detects potential processes activity of ScreenMeet RMM tool" } ], "References": [ - "https://support.logmeininc.com/gotomypc/help/what-are-the-optimal-firewall-configurations#", - "https://support.goto.com/training/help/how-do-i-configure-gototraining-to-work-with-firewalls", - "https://ruler-project.github.io/ruler-project/RULER/remote/Citrix%20GoToMyPC/" + "https://docs.screenmeet.com/docs/firewall-white-list" ], - "Acknowledgement": [ - { - "Person": "Phill Moore", - "Handle": "@phillmoore" - } - ] + "Acknowledgement": [] }, { - "Name": "Laplink Everywhere", - "Description": "Laplink Everywhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "MyIVO", + "Description": "MyIVO is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -13352,12 +13106,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "laplink.exe", - "laplink-everywhere-setup*.exe", - "laplinkeverywhere.exe", - "llrcservice.exe", - "serverproxyservice.exe", - "OOSysAgent.exe" + "myivomgr.exe", + "myivomanager.exe" ] }, "Artifacts": { @@ -13368,9 +13118,7 @@ { "Description": "Known remote domains", "Domains": [ - "everywhere.laplink.com", - "le.laplink.com", - "atled.syspectr.com" + "myivo-server.software.informer.com" ], "Ports": [] } 
@@ -13378,25 +13126,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_everywhere_network_sigma.yml", - "Description": "Detects potential network activity of Laplink Everywhere RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/myivo_network_sigma.yml", + "Description": "Detects potential network activity of MyIVO RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_everywhere_processes_sigma.yml", - "Description": "Detects potential processes activity of Laplink Everywhere RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/myivo_processes_sigma.yml", + "Description": "Detects potential processes activity of MyIVO RMM tool" } ], "References": [ - "https://everywhere.laplink.com/docs" + "myivo.com - DOA as of 2024" ], "Acknowledgement": [] }, { - "Name": "Syspectr", - "Description": "Syspectr is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "LabTech RMM (Now ConnectWise Automate)", + "Description": "LabTech RMM (Now ConnectWise Automate) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/26/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -13411,8 +13159,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "oo-syspectr*.exe", - "OOSysAgent.exe" + "ltsvc.exe", + "ltsvcmon.exe", + "lttray.exe" ] }, "Artifacts": { @@ -13423,8 +13172,7 @@ { "Description": "Known remote domains", "Domains": [ - "atled.syspectr.com", - "app.syspectr.com" + "connectwise.com" ], "Ports": [] } 
@@ -13432,25 +13180,23 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syspectr_network_sigma.yml", - "Description": "Detects potential network activity of Syspectr RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labtech_rmm__now_connectwise_automate__network_sigma.yml", + "Description": "Detects potential network activity of LabTech RMM (Now ConnectWise Automate) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syspectr_processes_sigma.yml", - "Description": "Detects potential processes activity of Syspectr RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labtech_rmm__now_connectwise_automate__processes_sigma.yml", + "Description": "Detects potential processes activity of LabTech RMM (Now ConnectWise Automate) RMM tool" } ], - "References": [ - "https://www.syspectr.com/en/installation-in-a-network" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "Remote Utilities", - "Description": "Remote Utilities is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Kabuto", + "Description": "Kabuto is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -13465,8 +13211,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "rutview.exe", - "rutserv.exe" + "Kabuto.App.Runner.exe" ] }, "Artifacts": { @@ -13477,7 +13222,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.internetid.ru" + "*.kabuto.io", + "repairtechsolutions.com/kabuto/" ], "Ports": [] } 
@@ -13485,22 +13231,53 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_utilities_network_sigma.yml", - "Description": "Detects potential network activity of Remote Utilities RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kabuto_network_sigma.yml", + "Description": "Detects potential network activity of Kabuto RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_utilities_processes_sigma.yml", - "Description": "Detects potential processes activity of Remote Utilities RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kabuto_processes_sigma.yml", + "Description": "Detects potential processes activity of Kabuto RMM tool" } ], "References": [ - "https://www.remoteutilities.com/download/" + "https://www.repairtechsolutions.com/documentation/kabuto/" ], "Acknowledgement": [] }, { - "Name": "Remcos", - "Description": "Remcos is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "FreeRDP", + "Description": "FreeRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "ZOC", + "Description": "ZOC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -13518,7 +13295,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "remcos*.exe" + "C:\\Program Files\\ZOC8\\*", + "*\\ZOC?\\*", + "*\\zoc.exe" ] }, "Artifacts": { 
@@ -13529,16 +13308,68 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remcos_processes_sigma.yml", - "Description": "Detects potential processes activity of Remcos RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoc_processes_sigma.yml", + "Description": "Detects potential processes activity of ZOC RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "ISL Online", - "Description": "ISL Online is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "AliWangWang-remote-control", + "Description": "AliWangWang-remote-control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/7/2024", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "alitask.exe" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "wangwang.taobao.com" + ], + "Ports": [] + } + ] + }, + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aliwangwang-remote-control_network_sigma.yml", + "Description": "Detects potential network activity of AliWangWang-remote-control RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aliwangwang-remote-control_processes_sigma.yml", + "Description": "Detects potential processes activity of AliWangWang-remote-control RMM tool" + } + ], + "References": [ + "https://github.com/KKomarov/AliWangWangEng/blob/master/chs.locale" + ], + "Acknowledgement": [] + }, + { + "Name": "Goverlan", + 
"Description": "Goverlan is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/8/2024", @@ -13556,13 +13387,14 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "islalwaysonmonitor.exe", - "isllight.exe", - "isllightservice.exe", - "ISLLightClient.exe", - "C:\\Program Files (x86)\\ISL Online\\ISL Light*", - "*\\ISL Online\\ISL Light*", - "*\\ISLLight.exe" + "goverrmc.exe", + "govsrv*.exe", + "GovAgentInstallHelper.exe", + "GovAgentx64.exe", + "GovReachClient.exe", + "C:\\Program Files (x86)\\PJ Technologies\\GOVsrv\\*", + "*\\PJ Technologies\\GOVsrv\\*", + "*\\GovSrv.exe" ] }, "Artifacts": { @@ -13573,8 +13405,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.islonline.com", - "*.islonline.net" + "user_managed", + "goverlan.com" ], "Ports": [] } 
@@ -13582,22 +13414,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_network_sigma.yml", - "Description": "Detects potential network activity of ISL Online RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/goverlan_network_sigma.yml", + "Description": "Detects potential network activity of Goverlan RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_processes_sigma.yml", - "Description": "Detects potential processes activity of ISL Online RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/goverlan_processes_sigma.yml", + "Description": "Detects potential processes activity of Goverlan RMM tool" } ], "References": [ - "https://help.islonline.com/19818/165940" + "https://www.goverlan.com/pdf/Goverlan-Remote-Control-Software.pdf" ], "Acknowledgement": [] }, { - "Name": "DragonDisk", - "Description": "DragonDisk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Microsoft Quick Assist", + "Description": "Microsoft Quick Assist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -13615,32 +13447,45 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\Almageste\\DragonDisk\\*", - "*\\Almageste\\DragonDisk\\*", - "*\\DragonDisk.exe" + "quickassist.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "user_managed", + "*.support.services.microsoft.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dragondisk_processes_sigma.yml", - "Description": "Detects potential processes activity of DragonDisk RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_quick_assist_network_sigma.yml", + "Description": "Detects potential network activity of Microsoft Quick Assist RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_quick_assist_processes_sigma.yml", + "Description": "Detects potential processes activity of Microsoft Quick Assist RMM tool" } ], - "References": [], + "References": [ + "https://support.microsoft.com/en-us/windows/install-quick-assist-c17479b7-a49d-4d12-938c-dbfb97c88bca" + ], "Acknowledgement": [] }, { - "Name": "RealVNC", - "Description": "RealVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "N-Able Advanced Monitoring Agent", + "Description": "N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -13654,24 +13499,69 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "BASupSrvc.exe", + "winagent.exe", + "BASupApp.exe", + "BASupTSHelper.exe", + "Agent_*_RW.exe", + "BASEClient.exe", + "BASupSrvcCnfg.exe" + ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.beanywhere.com ", + "systemmonitor.co.uk", + "*system-monitor.com", + "cloudbackup.management", + "*systemmonitor.co.uk", + "n-able.com", + "systemmonitor.us", + "*systemmonitor.eu.com", + "*.logicnow.com", + "*.swi-tc.com", + "*remote.management", + "systemmonitor.us.cdn.cloudflare.net", + "*cloudbackup.management", + "remote.management", + "logicnow.com", + "system-monitor.com", + "*systemmonitor.us", + "systemmonitor.eu.com", + "*.n-able.com" + ], + "Ports": [] + } + ] }, - "Detections": [], - "References": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_network_sigma.yml", + "Description": "Detects potential network activity of N-Able Advanced Monitoring Agent RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_processes_sigma.yml", + "Description": "Detects potential processes activity of N-Able Advanced Monitoring Agent RMM tool" + } + ], + "References": [ + "https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm" + ], "Acknowledgement": [] }, { - "Name": "Supremo", - "Description": "Supremo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "MyGreenPC", + "Description": "MyGreenPC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/13/2024", + "LastModified": "2/26/2024", "Details": { "Website": "", "PEMetadata": { @@ -13686,10 +13576,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "supremo.exe", - "supremoservice.exe", - "supremosystem.exe", - "supremohelper.exe" + "mygreenpc.exe" ] }, "Artifacts": { @@ -13700,9 +13587,7 @@ { "Description": "Known remote domains", "Domains": [ - "supremocontrol.com", - "*.supremocontrol.com", - "* .nanosystems.it" + "*mygreenpc.com" ], "Ports": [] } @@ -13710,22 +13595,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/supremo_network_sigma.yml", - "Description": "Detects potential network activity of Supremo RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mygreenpc_network_sigma.yml", + "Description": "Detects potential network activity of MyGreenPC RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/supremo_processes_sigma.yml", - "Description": "Detects potential processes activity of Supremo RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mygreenpc_processes_sigma.yml", + "Description": "Detects potential processes activity of MyGreenPC RMM tool" } ], "References": [ - "https://www.supremocontrol.com/frequently-asked-questions/" + "http://www.mygreenpc.com/" ], "Acknowledgement": [] }, { - "Name": "GoToAssist Agent Desktop Console", - "Description": "GoToAssist Agent Desktop Console is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Syncthing", + "Description": "Syncthing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -13743,8 +13628,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\*\\G2RDesktopConsole-x64.msi", - "*\\G2RDesktopConsole-x64.msi" + "C:\\Users\\*\\AppData\\Roaming\\SyncTrayzor\\*", + "*Users\\*\\AppData\\Roaming\\SyncTrayzor\\*", + "*\\Syncthing.exe" ] }, "Artifacts": { @@ -13753,16 +13639,21 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncthing_processes_sigma.yml", + "Description": "Detects potential processes activity of Syncthing RMM tool" + } + ], "References": [], "Acknowledgement": [] }, { - "Name": "RemoteView", - "Description": "RemoteView is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Chrome Remote Desktop", + "Description": "Chrome Remote Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -13777,10 +13668,11 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "remoteview.exe", - "rv.exe", - "rvagent.exe", - "rvagtray.exe" + "remote_host.exe", + "remoting_host.exe", + "C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\*", + "*\\Google\\Chrome Remote Desktop\\*", + "*\\remoting_host.exe" ] }, "Artifacts": { @@ -13791,9 +13683,9 @@ { "Description": "Known remote domains", "Domains": [ - "*content.rview.com", - "*.rview.com", - "content.rview.com" + "*remotedesktop.google.com", + "*remotedesktop-pa.googleapis.com", + "remotedesktop.google.com" ], "Ports": [] } 
@@ -13801,25 +13693,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteview_network_sigma.yml", - "Description": "Detects potential network activity of RemoteView RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_network_sigma.yml", + "Description": "Detects potential network activity of Chrome Remote Desktop RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteview_processes_sigma.yml", - "Description": "Detects potential processes activity of RemoteView RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_processes_sigma.yml", + "Description": "Detects potential processes activity of Chrome Remote Desktop RMM tool" } ], "References": [ - "https://help.rview.com/hc/en-us/articles/360005175994--RemoteView-Server-list-for-firewall" + "https://support.google.com/chrome/a/answer/2799701?hl=en" ], "Acknowledgement": [] }, { - "Name": "VNC Connect", - "Description": "VNC Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Remote Desktop Plus", + "Description": "Remote Desktop Plus is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -13834,26 +13726,44 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files\\RealVNC\\VNC Server\\*", - "*\\RealVNC\\VNC Server\\*" + "rdp.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "donkz.nl" + ], + "Ports": [] + } + ] }, - "Detections": [], - "References": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_desktop_plus_network_sigma.yml", + "Description": "Detects potential network activity of Remote Desktop Plus RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_desktop_plus_processes_sigma.yml", + "Description": "Detects potential processes activity of Remote Desktop Plus RMM tool" + } + ], + "References": [ + "https://www.donkz.nl/" + ], "Acknowledgement": [] }, { - "Name": "Syncthing", - "Description": "Syncthing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "NateOn-desktop sharing", + "Description": "NateOn-desktop sharing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -13868,32 +13778,46 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Users\\*\\AppData\\Roaming\\SyncTrayzor\\*", - "*Users\\*\\AppData\\Roaming\\SyncTrayzor\\*", - "*\\Syncthing.exe" + "nateon*.exe", + "nateon.exe", + "nateonmain.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.nate.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncthing_processes_sigma.yml", - "Description": "Detects potential processes activity of Syncthing RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nateon-desktop_sharing_network_sigma.yml", + "Description": "Detects potential network activity of NateOn-desktop sharing RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nateon-desktop_sharing_processes_sigma.yml", + "Description": "Detects potential processes activity of NateOn-desktop sharing RMM tool" } ], - "References": [], + "References": [ + "http://rsupport.nate.com/rview/r8/main/index.aspx" + ], "Acknowledgement": [] }, { - "Name": "KHelpDesk", - "Description": "KHelpDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Barracuda", + "Description": "Barracuda is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/26/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -13907,9 +13831,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "KHelpDesk.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], 
@@ -13919,7 +13841,9 @@ { "Description": "Known remote domains", "Domains": [ - "*.khelpdesk.com.br" + "*.islonline.net", + "rmm.barracudamsp.com", + "barracudamsp.com" ], "Ports": [] } @@ -13927,25 +13851,21 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/khelpdesk_network_sigma.yml", - "Description": "Detects potential network activity of KHelpDesk RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/khelpdesk_processes_sigma.yml", - "Description": "Detects potential processes activity of KHelpDesk RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/barracuda_network_sigma.yml", + "Description": "Detects potential network activity of Barracuda RMM tool" } ], "References": [ - "https://www.khelpdesk.com.br/en-us" + "https://help.islonline.com/19799/166125" ], "Acknowledgement": [] }, { - "Name": "Netop Remote Control (Impero Connect)", - "Description": "Netop Remote Control (Impero Connect) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "CrossTec Remote Control", + "Description": "CrossTec Remote Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -13960,15 +13880,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "nhostsvc.exe", - "nhstw32.exe", - "ngstw32.exe", - "Netop Ondemand.exe", - "nldrw32.exe", - "rmserverconsolemediator.exe", - "ImperoInit.exe", - "Connect.Backdrop.cloud*.exe", - "ImperoClientSVC.exe" + "PCIVIDEO.EXE", + "supporttool.exe" ] }, "Artifacts": { 
@@ -13979,8 +13892,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.connect.backdrop.cloud", - "*.netop.com" + "user_managed", + "crosstecsoftware.com/remotecontrol" ], "Ports": [] } @@ -13988,25 +13901,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__impero_connect__network_sigma.yml", - "Description": "Detects potential network activity of Netop Remote Control (Impero Connect) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crosstec_remote_control_network_sigma.yml", + "Description": "Detects potential network activity of CrossTec Remote Control RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__impero_connect__processes_sigma.yml", - "Description": "Detects potential processes activity of Netop Remote Control (Impero Connect) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crosstec_remote_control_processes_sigma.yml", + "Description": "Detects potential processes activity of CrossTec Remote Control RMM tool" } ], "References": [ - "https://kb.netop.com/article/firewall-and-proxy-server-considerations-when-using-netop-portal-communication-373.html" + "www.crosstecsoftware.com/supporthome.html - domain DOA 2/1/2024" ], "Acknowledgement": [] }, { - "Name": "Bitvise SSH Server", - "Description": "Bitvise SSH Server is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "DeskDay", + "Description": "DeskDay is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -14021,32 +13934,45 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files\\Bitvise SSH Server\\*", - "*\\Bitvise SSH Server\\*", - "*\\BvSshServer-Inst.exe" + "ultimate_*.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "deskday.ai", + "app.deskday.ai" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bitvise_ssh_server_processes_sigma.yml", - "Description": "Detects potential processes activity of Bitvise SSH Server RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskday_network_sigma.yml", + "Description": "Detects potential network activity of DeskDay RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskday_processes_sigma.yml", + "Description": "Detects potential processes activity of DeskDay RMM tool" } ], - "References": [], + "References": [ + "https://support.deskday.ai/en/articles/8235973-installing-the-end-user-application-ultimate" + ], "Acknowledgement": [] }, { - "Name": "Apple Remote Desktop", - "Description": "Apple Remote Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "mRemoteNG", + "Description": "mRemoteNG is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/24/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -14061,18 +13987,42 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ARDAgent.app" + "mRemoteNG.exe", + "C:\\Program Files (x86)\\mRemoteNG\\*", + "*\\mRemoteNG\\*", + "*\\mRemoteNG.exe", + "c:\\Program Files (x86)%\\mRemoteNG", + "*%\\mRemoteNG", + "mRemoteNG-Installer-*.msi", + "*\\mRemoteNG.exe" ] }, "Artifacts": { - "Disk": [], + "Disk": [ + { + "File": "C:\\Users\\*\\AppData\\Roaming\\mRemoteNG\\mRemoteNG.log", + "Description": "mRemoteNG log file", + "OS": "Windows" + }, + { + "File": "C:\\Users\\*\\AppData\\Roaming\\mRemoteNG\\confCons.xml", + "Description": "mRemoteNG configuration file", + "OS": "Windows" + }, + { + "File": "C:\\Users\\*\\AppData\\*\\mRemoteNG\\**10\\user.config", + "Description": "mRemoteNG user configuration file", + "OS": "Windows" + } + ], "EventLog": [], "Registry": [], "Network": [ { "Description": "Known remote domains", "Domains": [ - "user_managed" + "user_managed", + "mremoteng.org" ], "Ports": [] } 
@@ -14080,18 +14030,26 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/apple_remote_desktop_network_sigma.yml", - "Description": "Detects potential network activity of Apple Remote Desktop RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_network_sigma.yml", + "Description": "Detects potential network activity of mRemoteNG RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_files_sigma.yml", + "Description": "Detects potential files activity of mRemoteNG RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_processes_sigma.yml", + "Description": "Detects potential processes activity of mRemoteNG RMM tool" } ], "References": [ - "https://support.apple.com/guide/remote-desktop/install-and-set-up-remote-desktop-apdf49e03a4/mac" + "https://github.com/mRemoteNG/mRemoteNG" ], "Acknowledgement": [] }, { - "Name": "Chrome SSH Extension", - "Description": "Chrome SSH Extension is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "FreeNX", + "Description": "FreeNX is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -14109,8 +14067,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Users\\*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\iodihamcpbpeioajjeobimgagajmlibd*", - "*Users\\*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\iodihamcpbpeioajjeobimgagajmlibd*" + "C:\\*\\nxplayer.exe", + "*\\nxplayer.exe" ] }, "Artifacts": { 
@@ -14119,7 +14077,12 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/freenx_processes_sigma.yml", + "Description": "Detects potential processes activity of FreeNX RMM tool" + } + ], "References": [], "Acknowledgement": [] }, @@ -14180,11 +14143,11 @@ "Acknowledgement": [] }, { - "Name": "ESET Remote Administrator", - "Description": "ESET Remote Administrator is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "rdp2tcp", + "Description": "rdp2tcp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -14199,11 +14162,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "era.exe", - "einstaller.exe", - "ezhelp*.exe", - "eratool.exe", - "ERAAgent.exe" + "tdp2tcp.exe", + "rdp2tcp.py" ] }, "Artifacts": { @@ -14215,7 +14175,7 @@ "Description": "Known remote domains", "Domains": [ "user_managed", - "eset.com/me/business/remote-management/remote-administrator/" + "github.com/V-E-O/rdp2tcp" ], "Ports": [] } 
@@ -14223,25 +14183,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_network_sigma.yml", - "Description": "Detects potential network activity of ESET Remote Administrator RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdp2tcp_network_sigma.yml", + "Description": "Detects potential network activity of rdp2tcp RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_processes_sigma.yml", - "Description": "Detects potential processes activity of ESET Remote Administrator RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdp2tcp_processes_sigma.yml", + "Description": "Detects potential processes activity of rdp2tcp RMM tool" } ], "References": [ - "eset.com/me/business/remote-management/remote-administrator/" + "github.com/V-E-O/rdp2tcp" ], "Acknowledgement": [] }, { - "Name": "Yandex.Disk", - "Description": "Yandex.Disk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ITSupport247 (ConnectWise)", + "Description": "ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -14256,29 +14216,42 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\Yandex\\*", - "*\\Yandex\\*", - "*\\YandexDisk2.exe" + "saazapsc.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.itsupport247.net", + "itsupport247.net" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/yandex.disk_processes_sigma.yml", - "Description": "Detects potential processes activity of Yandex.Disk RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__network_sigma.yml", + "Description": "Detects potential network activity of ITSupport247 (ConnectWise) RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__processes_sigma.yml", + "Description": "Detects potential processes activity of ITSupport247 (ConnectWise) RMM tool" } ], - "References": [], + "References": [ + "https://control.itsupport247.net/" + ], "Acknowledgement": [] }, { - "Name": "N-Able Advanced Monitoring Agent", - "Description": "N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Pulseway", + "Description": "Pulseway is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -14296,13 +14269,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "BASupSrvc.exe", - "winagent.exe", - "BASupApp.exe", - "BASupTSHelper.exe", - "Agent_*_RW.exe", - "BASEClient.exe", - "BASupSrvcCnfg.exe" + "PCMonitorManager.exe", + "pcmonitorsrv.exe" ] }, "Artifacts": { 
@@ -14313,25 +14281,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.beanywhere.com ", - "systemmonitor.co.uk", - "*system-monitor.com", - "cloudbackup.management", - "*systemmonitor.co.uk", - "n-able.com", - "systemmonitor.us", - "*systemmonitor.eu.com", - "*.logicnow.com", - "*.swi-tc.com", - "*remote.management", - "systemmonitor.us.cdn.cloudflare.net", - "*cloudbackup.management", - "remote.management", - "logicnow.com", - "system-monitor.com", - "*systemmonitor.us", - "systemmonitor.eu.com", - "*.n-able.com" + "pulseway.com" ], "Ports": [] } 
@@ -14339,25 +14289,78 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_network_sigma.yml", - "Description": "Detects potential network activity of N-Able Advanced Monitoring Agent RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pulseway_network_sigma.yml", + "Description": "Detects potential network activity of Pulseway RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pulseway_processes_sigma.yml", + "Description": "Detects potential processes activity of Pulseway RMM tool" + } + ], + "References": [ + "https://intercom.help/pulseway/en/" + ], + "Acknowledgement": [] + }, + { + "Name": "Naverisk", + "Description": "Naverisk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/9/2024", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "AgentSetup-*.exe" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "user_managed", + "naverisk.com" + ], + "Ports": [] + } + ] + }, + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/naverisk_network_sigma.yml", + "Description": "Detects potential network activity of Naverisk RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_processes_sigma.yml", - "Description": "Detects potential processes activity of N-Able Advanced Monitoring Agent RMM tool" + "Sigma": 
"https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/naverisk_processes_sigma.yml", + "Description": "Detects potential processes activity of Naverisk RMM tool" } ], "References": [ - "https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm" + "http://kb.naverisk.com/en/articles/2811223-deploying-naverisk-agents" ], "Acknowledgement": [] }, { - "Name": "MyIVO", - "Description": "MyIVO is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Total Software Deployment", + "Description": "Total Software Deployment is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -14372,42 +14375,30 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "myivomgr.exe", - "myivomanager.exe" + "C:\\ProgramData\\Total Software Deployment\\*", + "*\\Total Software Deployment\\*", + "*\\tniwinagent.exe", + "*\\Tsdservice.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "myivo-server.software.informer.com" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/myivo_network_sigma.yml", - "Description": "Detects potential network activity of MyIVO RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/myivo_processes_sigma.yml", - "Description": "Detects potential processes activity of MyIVO RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/total_software_deployment_processes_sigma.yml", + "Description": "Detects potential processes activity of Total Software Deployment RMM tool" } ], - "References": [ - "myivo.com - DOA as of 2024" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "ITSupport247 (ConnectWise)", - "Description": "ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ISL Online", + "Description": "ISL Online is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/8/2024", @@ -14425,7 +14416,13 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "saazapsc.exe" + "islalwaysonmonitor.exe", + "isllight.exe", + "isllightservice.exe", + "ISLLightClient.exe", + "C:\\Program Files (x86)\\ISL Online\\ISL Light*", + "*\\ISL Online\\ISL Light*", + "*\\ISLLight.exe" ] }, "Artifacts": { 
@@ -14436,7 +14433,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.itsupport247.net" + "*.islonline.com", + "*.islonline.net" ], "Ports": [] } @@ -14444,25 +14442,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__network_sigma.yml", - "Description": "Detects potential network activity of ITSupport247 (ConnectWise) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_network_sigma.yml", + "Description": "Detects potential network activity of ISL Online RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__processes_sigma.yml", - "Description": "Detects potential processes activity of ITSupport247 (ConnectWise) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_processes_sigma.yml", + "Description": "Detects potential processes activity of ISL Online RMM tool" } ], "References": [ - "https://control.itsupport247.net/" + "https://help.islonline.com/19818/165940" ], "Acknowledgement": [] }, { - "Name": "VNC", - "Description": "VNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "NinjaOne (formerly NinjaRMM)", + "Description": "NinjaOne (formerly NinjaRMM) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -14477,48 +14475,22 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "winvnc*.exe", - "vncserver.exe", - "winwvc.exe", - "winvncsc.exe", - "vncserverui.exe", - "vncviewer.exe", - "winvnc.exe" + "*ProgramData\\NinjaRMMAgent\\*" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "user_managed", - "realvnc.com/en/connect/download/vnc" - ], - "Ports": [] - } - ] + "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/vnc_network_sigma.yml", - "Description": "Detects potential network activity of VNC RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/vnc_processes_sigma.yml", - "Description": "Detects potential processes activity of VNC RMM tool" - } - ], - "References": [ - "https://realvnc.com/en/connect/download/vnc" - ], + "Detections": [], + "References": [], "Acknowledgement": [] }, { - "Name": "ServerEye", - "Description": "ServerEye is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "QQ IM-remote assistance", + "Description": "QQ IM-remote assistance is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -14536,8 +14508,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "servereye*.exe", - "ServiceProxyLocalSys.exe" + "qq.exe", + "QQProtect.exe", + "qqpcmgr.exe" ] }, "Artifacts": { @@ -14548,7 +14521,10 @@ { "Description": "Known remote domains", "Domains": [ - "*.server-eye.de" + "*.mdt.qq.com", + "*.desktop.qq.com", + "upload_data.qq.com", + "qq-messenger.en.softonic.com" ], "Ports": [] } 
@@ -14556,25 +14532,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/servereye_network_sigma.yml", - "Description": "Detects potential network activity of ServerEye RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/qq_im-remote_assistance_network_sigma.yml", + "Description": "Detects potential network activity of QQ IM-remote assistance RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/servereye_processes_sigma.yml", - "Description": "Detects potential processes activity of ServerEye RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/qq_im-remote_assistance_processes_sigma.yml", + "Description": "Detects potential processes activity of QQ IM-remote assistance RMM tool" } ], "References": [ - "https://www.servereye.de/wp-content/uploads/Anleitung-zur-Erstinstallation_aktuell.pdf" + "https://en.wikipedia.org/wiki/Tencent_QQ" ], "Acknowledgement": [] }, { - "Name": "Rapid7", - "Description": "Rapid7 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Microsoft RDP", + "Description": "Microsoft RDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -14589,47 +14565,34 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ir_agent.exe", - "rapid7_agent_core.exe", - "rapid7_endpoint_broker.exe" + "termsrv.exe", + "mstsc.exe", + "Microsoft Remote Desktop" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.analytics.insight.rapid7.com", - "*.endpoint.ingress.rapid7.com" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rapid7_network_sigma.yml", - "Description": "Detects potential network activity of Rapid7 RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rapid7_processes_sigma.yml", - "Description": "Detects potential processes activity of Rapid7 RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_rdp_processes_sigma.yml", + "Description": "Detects potential processes activity of Microsoft RDP RMM tool" } ], "References": [ - "https://docs.rapid7.com/insightvm/configure-communications-with-the-insight-platform/" + "https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/windows" ], "Acknowledgement": [] }, { - "Name": "GoToAssist (GoTo Resolve)", - "Description": "GoToAssist (GoTo Resolve) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "RuDesktop", + "Description": "RuDesktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
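Review bot: The Microsoft RDP InstallationPaths list `termsrv.exe` and `mstsc.exe`, which are stock Windows binaries on every host, so the referenced microsoft_rdp_processes_sigma.yml will match ordinary RDP use on any machine unless it is scoped further. The third entry, `Microsoft Remote Desktop`, is a product name rather than a path or image name and cannot match anything. I would drop that entry and add a sentence to the Description noting that the process rule is a baseline/hunting query rather than an alert, since the same binaries are used legitimately. This is a generated API file, so the change belongs in the source YAML that produces it.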
@@ -14644,24 +14607,43 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\ProgramFiles*\\GoTo Machine Installer\\*", - "*\\GoTo Machine Installer\\*", - "*\\GoTo\\*" + "rd.exe", + "rudesktop*.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.rudesktop.ru", + "rudesktop.ru" + ], + "Ports": [] + } + ] }, - "Detections": [], - "References": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rudesktop_network_sigma.yml", + "Description": "Detects potential network activity of RuDesktop RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rudesktop_processes_sigma.yml", + "Description": "Detects potential processes activity of RuDesktop RMM tool" + } + ], + "References": [ + "https://rudesktop.ru" + ], "Acknowledgement": [] }, { - "Name": "GetScreen", - "Description": "GetScreen is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "BeyondTrust (Bomgar)", + "Description": "BeyondTrust (Bomgar) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/7/2024", @@ -14679,8 +14661,11 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "GetScreen.exe", - "getscreen.exe" + "bomgar-scc-*.exe", + "bomgar-scc.exe", + "bomgar-pac-*.exe", + "bomgar-pac.exe", + "bomgar-rdp.exe" ] }, "Artifacts": { @@ -14691,9 +14676,9 @@ { "Description": "Known remote domains", "Domains": [ - "getscreen.me", - "GetScreen.me", - "*.getscreen.me" + "*.beyondtrustcloud.com", + "*.bomgarcloud.com", + "bomgarcloud.com" ], "Ports": [] } 
@@ -14701,25 +14686,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/getscreen_network_sigma.yml", - "Description": "Detects potential network activity of GetScreen RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__network_sigma.yml", + "Description": "Detects potential network activity of BeyondTrust (Bomgar) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/getscreen_processes_sigma.yml", - "Description": "Detects potential processes activity of GetScreen RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__processes_sigma.yml", + "Description": "Detects potential processes activity of BeyondTrust (Bomgar) RMM tool" } ], "References": [ - "https://docs.getscreen.me/self-hosted/system-requirements/" + "https://www.beyondtrust.com/docs/remote-support/getting-started/deployment/cloud/network.htm" ], "Acknowledgement": [] }, { - "Name": "MobaXterm", - "Description": "MobaXterm is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "TightVNC", + "Description": "TightVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -14734,55 +14719,108 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\*\\MobaXterm_installer_12.1.msi", - "*\\MobaXterm_installer_*.msi", - "*\\Mobatek\\MobaXterm\\*" + "tvnviewer.exe", + "TightVNCViewerPortable*.exe", + "tvnserver.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "user_managed", + "tightvnc.com" + ], + "Ports": [] + } + ] }, - "Detections": [], - "References": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tightvnc_network_sigma.yml", + "Description": "Detects potential network activity of TightVNC RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tightvnc_processes_sigma.yml", + "Description": "Detects potential processes activity of TightVNC RMM tool" + } + ], + "References": [ + "https://www.tightvnc.com/doc/win/TightVNC_for_Windows-Installation_and_Getting_Started.pdf" + ], "Acknowledgement": [] }, { - "Name": "CrossTec Remote Control", - "Description": "CrossTec Remote Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/7/2024", + "Name": "MeshCentral", + "Description": "MeshCentral is a remote monitoring and management (RMM) tool. MeshAgent used along with MeshCentral to remotely manage computers. 
MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.\n", + "Author": "@kostastsale", + "Created": "2024-09-20", + "LastModified": "2024-09-20", "Details": { - "Website": "", + "Website": "https://meshcentral.com/", "PEMetadata": { - "Filename": "", + "Filename": "MeshAgent.exe", "OriginalFileName": "", - "Description": "" + "Description": "MeshCentral Background Service Agent" }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], + "Privileges": "SYSTEM", + "Free": "Yes", + "Verification": "N/A", + "SupportedOS": [ + "Windows", + "Linux", + "MacOS", + "FreeBSD" + ], + "Capabilities": [ + "Remote Desktop & Terminal", + "Remote File Access", + "Text and Voice Chat", + "Server File Storage", + "Real-time User interface", + "Port Forwarding" + ], + "Vulnerabilities": [ + "CVE-2024-26135" + ], "InstallationPaths": [ - "PCIVIDEO.EXE", - "supporttool.exe" + "meshcentral*.exe", + "meshagent*.exe" ] }, "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], + "Disk": [ + { + "File": "C:\\Program Files\\Mesh Agent\\MeshAgent.exe", + "Description": "Local MeshAgent service binary after installation", + "OS": "Windows" + }, + { + "File": "C:\\Program Files\\Mesh Agent\\MeshAgent.msh", + "Description": "Local MeshAgent service configuration file. Contains configuration settings including the MeshCentral server address, port, and other settings. 
If the MeshAgent is run without being installed, the configuration file is created in the same directory as the MeshAgent binary.", + "OS": "Windows" + } + ], + "EventLog": [ + { + "EventID": 7045, + "ProviderName": "Service Control Manager", + "LogFile": "System.evtx", + "ServiceName": "Mesh Agent background service", + "ImagePath": "\"C:\\\\Program Files\\\\Mesh Agent\\\\MeshAgent.exe\"", + "Description": "Service installation event as result of MeshAgent installation." + } + ], "Network": [ { "Description": "Known remote domains", "Domains": [ "user_managed", - "crosstecsoftware.com/remotecontrol" + "meshcentral.com" ], "Ports": [] } 
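Review bot: The 7045 ImagePath for MeshAgent is stored as `"\"C:\\\\Program Files\\\\Mesh Agent\\\\MeshAgent.exe\""`, which decodes to a value containing doubled backslashes, while the two Disk entries in the same hunk use the single-escaped form `C:\\Program Files\\Mesh Agent\\MeshAgent.exe`. If a detection is built from the ImagePath value verbatim, it would not match the real Service Control Manager event, which presumably carries single backslashes like the Disk paths. Suggest normalising to `"ImagePath": "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\""` in the source YAML and regenerating; the MeshCentral entry continues in the next hunk.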
@@ -14790,25 +14828,35 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crosstec_remote_control_network_sigma.yml", - "Description": "Detects potential network activity of CrossTec Remote Control RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_network_sigma.yml", + "Description": "Detects potential network activity of MeshCentral RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crosstec_remote_control_processes_sigma.yml", - "Description": "Detects potential processes activity of CrossTec Remote Control RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_processes_sigma.yml", + "Description": "Detects potential processes activity of MeshCentral RMM tool" + }, + { + "Sigma": "https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/proc_creation_windows_meshagent.yml", + "Description": "Detects MeshAgent Command Execution via MeshCentral" } ], "References": [ - "www.crosstecsoftware.com/supporthome.html - domain DOA 2/1/2024" + "https://ylianst.github.io/MeshCentral/meshcentral/", + "https://github.com/Ylianst/MeshAgent" ], - "Acknowledgement": [] + "Acknowledgement": [ + { + "Person": "Kostas", + "Handle": "@kostastsale" + } + ] }, { - "Name": "Absolute (Computrace)", - "Description": "Absolute (Computrace) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Dev Tunnels (aka Visual Studio Dev Tunnel)", + "Description": "Dev Tunnels (aka Visual Studio Dev Tunnel) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "6/18/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -14822,13 +14870,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "rpcnet.exe", - "ctes.exe", - "ctespersitence.exe", - "cteshostsvc.exe", - "rpcld.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], @@ -14838,8 +14880,7 @@ { "Description": "Known remote domains", "Domains": [ - "*search.namequery.com", - "*server.absolute.com" + "learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview" ], "Ports": [] } @@ -14847,22 +14888,16 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/absolute__computrace__network_sigma.yml", - "Description": "Detects potential network activity of Absolute (Computrace) RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/absolute__computrace__processes_sigma.yml", - "Description": "Detects potential processes activity of Absolute (Computrace) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dev_tunnels__aka_visual_studio_dev_tunnel__network_sigma.yml", + "Description": "Detects potential network activity of Dev Tunnels (aka Visual Studio Dev Tunnel) RMM tool" } ], - "References": [ - "https://community.absolute.com/s/article/Understanding-Absolutes-Endpoint-Agents-Rpcnet-CTES-and-search-namequery-com" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "Xshell", - "Description": "Xshell is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "CarotDAV", + "Description": "CarotDAV is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
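Review bot: The Dev Tunnels network artifact lists `learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview` under Domains, which is a documentation URL rather than a remote domain, so the dev_tunnels__aka_visual_studio_dev_tunnel__network_sigma.yml generated from it cannot match real tunnel traffic. Move that link to References and leave Domains empty until the actual tunnel endpoint domains are confirmed (I have not verified them, so I am not proposing any). With InstallationPaths and References both empty, the network rule is currently the entry's only artifact and is unusable as written.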
@@ -14880,9 +14915,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\NetSarang\\xShell\\*", - "*\\NetSarang\\xShell\\*", - "*\\xShell.exe" + "C:\\Program Files (x86)\\Rei Software\\CarotDAV\\*", + "*\\Rei Software\\CarotDAV\\*", + "*\\CarotDAV.exe" ] }, "Artifacts": { @@ -14893,19 +14928,19 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xshell_processes_sigma.yml", - "Description": "Detects potential processes activity of Xshell RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/carotdav_processes_sigma.yml", + "Description": "Detects potential processes activity of CarotDAV RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "MyGreenPC", - "Description": "MyGreenPC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Bitvise SSH Server", + "Description": "Bitvise SSH Server is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/26/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -14920,44 +14955,32 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "mygreenpc.exe" + "C:\\Program Files\\Bitvise SSH Server\\*", + "*\\Bitvise SSH Server\\*", + "*\\BvSshServer-Inst.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*mygreenpc.com" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mygreenpc_network_sigma.yml", - "Description": "Detects potential network activity of MyGreenPC RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mygreenpc_processes_sigma.yml", - "Description": "Detects potential processes activity of MyGreenPC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bitvise_ssh_server_processes_sigma.yml", + "Description": "Detects potential processes activity of Bitvise SSH Server RMM tool" } ], - "References": [ - "http://www.mygreenpc.com/" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "Level.io", - "Description": "Level.io is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Pandora RC (eHorus)", + "Description": "Pandora RC (eHorus) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -14972,9 +14995,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "level-windows-amd64.exe", - "level.exe", - "level-remote-control-ffmpeg.exe" + "ehorus standalone.exe", + "ehorus_agent.exe" ] }, "Artifacts": { @@ -14985,8 +15007,7 @@ { "Description": "Known remote domains", "Domains": [ - "level.io", - "*.level.io" + "portal.ehorus.com" ], "Ports": [] } 
@@ -14994,25 +15015,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_network_sigma.yml", - "Description": "Detects potential network activity of Level.io RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pandora_rc__ehorus__network_sigma.yml", + "Description": "Detects potential network activity of Pandora RC (eHorus) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_processes_sigma.yml", - "Description": "Detects potential processes activity of Level.io RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pandora_rc__ehorus__processes_sigma.yml", + "Description": "Detects potential processes activity of Pandora RC (eHorus) RMM tool" } ], "References": [ - "https://docs.level.io/1.0/admin-guides/troubleshooting-agent-issues" + "https://pandorafms.com/manual/!current/en/documentation/09_pandora_rc/01_pandora_rc_introduction" ], "Acknowledgement": [] }, { - "Name": "Microsoft Quick Assist", - "Description": "Microsoft Quick Assist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "DW Service", + "Description": "DW Service is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -15027,7 +15048,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "quickassist.exe" + "dwagsvc.exe", + "dwagent.exe", + "dwagsvc.exe" ] }, "Artifacts": { @@ -15038,8 +15061,7 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "*.support.services.microsoft.com" + "*.dwservice.net" ], "Ports": [] } 
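Review bot: `dwagsvc.exe` appears twice in the DW Service InstallationPaths (`"dwagsvc.exe", "dwagent.exe", "dwagsvc.exe"`); the duplicate adds nothing to the generated processes rule and looks like a copy error in the source YAML. Drop the repeated entry so the list reads `"dwagsvc.exe", "dwagent.exe"` and regenerate the API files.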
@@ -15047,22 +15069,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_quick_assist_network_sigma.yml", - "Description": "Detects potential network activity of Microsoft Quick Assist RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_network_sigma.yml", + "Description": "Detects potential network activity of DW Service RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_quick_assist_processes_sigma.yml", - "Description": "Detects potential processes activity of Microsoft Quick Assist RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_processes_sigma.yml", + "Description": "Detects potential processes activity of DW Service RMM tool" } ], "References": [ - "https://support.microsoft.com/en-us/windows/install-quick-assist-c17479b7-a49d-4d12-938c-dbfb97c88bca" + "https://news.dwservice.net/dwservice-security-infrastructure/" ], "Acknowledgement": [] }, { - "Name": "Manage Engine (Desktop Central)", - "Description": "Manage Engine (Desktop Central) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Iperius Remote", + "Description": "Iperius Remote is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/8/2024", @@ -15080,8 +15102,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "dcagentservice.exe", - "dcagentregister.exe" + "iperius.exe", + "iperiusremote.exe" ] }, "Artifacts": { 
@@ -15092,12 +15114,10 @@ { "Description": "Known remote domains", "Domains": [ - "desktopcentral.manageengine.com", - "desktopcentral.manageengine.com.eu", - "desktopcentral.manageengine.cn", - "*.dms.zoho.com", - "*.dms.zoho.com.eu", - "*.-dms.zoho.com.cn" + "*.iperiusremote.com", + "*.iperius.com", + "*.iperius-rs.com", + "iperiusremote.com" ], "Ports": [] } @@ -15105,15 +15125,17 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktop_central_network_sigma.yml", - "Description": "Detects potential network activity of Desktop Central RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/iperius_remote_network_sigma.yml", + "Description": "Detects potential network activity of Iperius Remote RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktop_central_processes_sigma.yml", - "Description": "Detects potential processes activity of Desktop Central RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/iperius_remote_processes_sigma.yml", + "Description": "Detects potential processes activity of Iperius Remote RMM tool" } ], - "References": [], + "References": [ + "https://www.iperiusremote.com/download-iperius-remote-desktop-windows.aspx" + ], "Acknowledgement": [] } ] \ No newline at end of file diff --git a/website/public/rmm_tools_table.csv b/website/public/rmm_tools_table.csv index d107196c..a0e96b96 100644 --- a/website/public/rmm_tools_table.csv +++ b/website/public/rmm_tools_table.csv 
@@ -1,272 +1,272 @@ Name,Category,Description,Author -[LabTeach (Connectwise Automate)](/rmm_tools/labteach__connectwise_automate_),,LabTeach (Connectwise Automate) is a remote monitoring and management (RMM) tool. More information w..., -[Zabbix Agent](/rmm_tools/zabbix_agent),,Zabbix Agent is a remote monitoring and management (RMM) tool. More information will be added as it ..., -[Senso.cloud](/rmm_tools/senso.cloud),,Senso.cloud is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[I'm InTouch](/rmm_tools/i'm_intouch),,I'm InTouch is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[RustDesk](/rmm_tools/rustdesk),,RustDesk is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Electric AI (Kaseya)](/rmm_tools/electric_ai__kaseya_),,Electric AI (Kaseya) is a remote monitoring and management (RMM) tool. More information will be adde..., -[ZOC](/rmm_tools/zoc),,ZOC is a remote monitoring and management (RMM) tool. More information will be added as it becomes a..., -[Any Support](/rmm_tools/any_support),,Any Support is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[PDQ Connect](/rmm_tools/pdq_connect),,PDQ Connect is a remote monitoring and management (RMM) tool. More information will be added as it b..., +[Rapid7](/rmm_tools/rapid7),,Rapid7 is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[SunLogin](/rmm_tools/sunlogin),,SunLogin is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[GoToAssist Agent Desktop Console](/rmm_tools/gotoassist_agent_desktop_console),,GoToAssist Agent Desktop Console is a remote monitoring and management (RMM) tool. More information ..., +[Kaseya (VSA)](/rmm_tools/kaseya__vsa_),,Kaseya (VSA) aka Unigma is a remote monitoring and management (RMM) tool. 
More information will be a...,Nasreddine Bencherchali +[PuTTY Tray](/rmm_tools/putty_tray),,PuTTY Tray is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[SysAid](/rmm_tools/sysaid),,SysAid is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[Domotz](/rmm_tools/domotz),,Domotz is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[BeyondTrust](/rmm_tools/beyondtrust),,BeyondTrust is a remote monitoring and management (RMM) tool. More information will be added as it b..., +[Netop Remote Control (aka Impero Connect)](/rmm_tools/netop_remote_control__aka_impero_connect_),,Netop Remote Control (aka Impero Connect) is a remote monitoring and management (RMM) tool. More inf..., +[Microsoft TSC](/rmm_tools/microsoft_tsc),,Microsoft TSC is a remote monitoring and management (RMM) tool. More information will be added as it..., +[Jump Desktop](/rmm_tools/jump_desktop),,Jump Desktop is a remote monitoring and management (RMM) tool. More information will be added as it ..., +[IntelliAdmin Remote Control](/rmm_tools/intelliadmin_remote_control),,IntelliAdmin Remote Control is a remote monitoring and management (RMM) tool. More information will ..., +[Chrome SSH Extension](/rmm_tools/chrome_ssh_extension),,Chrome SSH Extension is a remote monitoring and management (RMM) tool. More information will be adde..., +[ZeroTier](/rmm_tools/zerotier),,ZeroTier is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Ericom AccessNow](/rmm_tools/ericom_accessnow),,Ericom AccessNow is a remote monitoring and management (RMM) tool. More information will be added as..., +[RealVNC](/rmm_tools/realvnc),,RealVNC is a remote monitoring and management (RMM) tool. More information will be added as it becom..., [Pcnow](/rmm_tools/pcnow),,Pcnow is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes..., -[Seetrol](/rmm_tools/seetrol),,Seetrol is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[CarotDAV](/rmm_tools/carotdav),,CarotDAV is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Goverlan](/rmm_tools/goverlan),,Goverlan is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[OptiTune](/rmm_tools/optitune),,OptiTune is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[EMCO Remote Console](/rmm_tools/emco_remote_console),,EMCO Remote Console is a remote monitoring and management (RMM) tool. More information will be added..., -[N-Able Advanced Monitoring Agent](/rmm_tools/n-able_advanced_monitoring_agent),,N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. More information ..., -[Tailscale](/rmm_tools/tailscale),,Tailscale is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[Pilixo](/rmm_tools/pilixo),,Pilixo is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[Remote Desktop Manager (Devolutions)](/rmm_tools/remote_desktop_manager__devolutions_),,Remote Desktop Manager (Devolutions) is a remote monitoring and management (RMM) tool. More informat..., -[BeyondTrust (Bomgar)](/rmm_tools/beyondtrust__bomgar_),,BeyondTrust (Bomgar) is a remote monitoring and management (RMM) tool. More information will be adde..., -[Alpemix](/rmm_tools/alpemix),,Alpemix is a remote monitoring and management (RMM) tool. More information will be added as it becom...,Nasreddine Bencherchali +[DesktopNow](/rmm_tools/desktopnow),,DesktopNow is a remote monitoring and management (RMM) tool. 
More information will be added as it be..., +[Pocket Controller (Soti Xsight)](/rmm_tools/pocket_controller__soti_xsight_),,Pocket Controller (Soti Xsight) is a remote monitoring and management (RMM) tool. More information w..., +[Instant Housecall](/rmm_tools/instant_housecall),,Instant Housecall is a remote monitoring and management (RMM) tool. More information will be added a..., +[CentraStage (Now Datto)](/rmm_tools/centrastage__now_datto_),,CentraStage (Now Datto) is a remote monitoring and management (RMM) tool. More information will be a..., +[Insync](/rmm_tools/insync),,Insync is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[LogMeIn rescue](/rmm_tools/logmein_rescue),,LogMeIn rescue is a remote monitoring and management (RMM) tool. More information will be added as i..., +[Electric AI (Kaseya)](/rmm_tools/electric_ai__kaseya_),,Electric AI (Kaseya) is a remote monitoring and management (RMM) tool. More information will be adde..., +[Adobe Connect](/rmm_tools/adobe_connect),,Adobe Connect is a remote monitoring and management (RMM) tool. More information will be added as it..., +[CloudFlare Tunnel](/rmm_tools/cloudflare_tunnel),,CloudFlare Tunnel is a remote monitoring and management (RMM) tool. More information will be added a..., +[mstsc](/rmm_tools/mstsc),,mstsc is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., +[Parallels Access](/rmm_tools/parallels_access),,Parallels Access is a remote monitoring and management (RMM) tool. More information will be added as..., +[ConnectWise Control](/rmm_tools/connectwise_control),,ConnectWise Control is a remote monitoring and management (RMM) tool. More information will be added..., +[Devolutions Remote Desktop Manager](/rmm_tools/devolutions_remote_desktop_manager),,Devolutions Remote Desktop Manager is a remote monitoring and management (RMM) tool. 
More informatio..., +[TigerVNC](/rmm_tools/tigervnc),,TigerVNC is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Rocket Remote Desktop](/rmm_tools/rocket_remote_desktop),,Rocket Remote Desktop is a remote monitoring and management (RMM) tool. More information will be add..., +[NoteOn-desktop sharing](/rmm_tools/noteon-desktop_sharing),,NoteOn-desktop sharing is a remote monitoring and management (RMM) tool. More information will be ad..., +[HelpU](/rmm_tools/helpu),,HelpU is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., +[Splashtop Remote](/rmm_tools/splashtop_remote),,Splashtop Remote is a remote monitoring and management (RMM) tool. More information will be added as..., +[X2Go](/rmm_tools/x2go),,X2Go is a remote monitoring and management (RMM) tool. More information will be added as it becomes ..., +[Pocket Controller](/rmm_tools/pocket_controller),,Pocket Controller is a remote monitoring and management (RMM) tool. More information will be added a..., +[Xshell](/rmm_tools/xshell),,Xshell is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[Bitvise SSH Client](/rmm_tools/bitvise_ssh_client),,Bitvise SSH Client is a remote monitoring and management (RMM) tool. More information will be added ..., +[Royal Server](/rmm_tools/royal_server),,Royal Server is a remote monitoring and management (RMM) tool. More information will be added as it ..., +[Remote Manipulator System](/rmm_tools/remote_manipulator_system),,Remote Manipulator System is a remote monitoring and management (RMM) tool. More information will be..., +[Manage Engine (Desktop Central)](/rmm_tools/manage_engine__desktop_central_),,Manage Engine (Desktop Central) is a remote monitoring and management (RMM) tool. More information w..., [Auvik](/rmm_tools/auvik),,Auvik is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes..., -[Tactical RMM](/rmm_tools/tactical_rmm),,Tactical RMM is a remote monitoring and management (RMM) tool. More information will be added as it ..., +[Basecamp](/rmm_tools/basecamp),,Basecamp is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Free Tools Launcher](/rmm_tools/free_tools_launcher),,Free Tools Launcher is a remote monitoring and management (RMM) tool. More information will be added..., +[AnyDesk](/rmm_tools/anydesk),RMM,AnyDesk is a popular remote desktop software that enables users to access and control a computer or ...,"Ali Alwashali, Nasreddine Bencherchali" +[AnyViewer](/rmm_tools/anyviewer),,AnyViewer is a remote monitoring and management (RMM) tool. More information will be added as it bec...,@kostastsale +[Level](/rmm_tools/level),,Level is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., +[Site24x7](/rmm_tools/site24x7),,Site24x7 is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[ScreenConnect](/rmm_tools/screenconnect),,ScreenConnect is a remote monitoring and management (RMM) tool. More information will be added as it...,"Ali Alwashali, Nasreddine Bencherchali" +[SmartFTP](/rmm_tools/smartftp),,SmartFTP is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[SpyAnywhere](/rmm_tools/spyanywhere),,SpyAnywhere is a remote monitoring and management (RMM) tool. More information will be added as it b..., +[NinjaRMM](/rmm_tools/ninjarmm),,NinjaRMM is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[CruzControl](/rmm_tools/cruzcontrol),,CruzControl is a remote monitoring and management (RMM) tool. More information will be added as it b..., +[SimpleHelp](/rmm_tools/simplehelp),,SimpleHelp is a remote monitoring and management (RMM) tool. 
More information will be added as it be..., +[EMCO Remote Console](/rmm_tools/emco_remote_console),,EMCO Remote Console is a remote monitoring and management (RMM) tool. More information will be added..., +[ngrok](/rmm_tools/ngrok),,ngrok is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., +[Apple Remote Desktop](/rmm_tools/apple_remote_desktop),,Apple Remote Desktop is a remote monitoring and management (RMM) tool. More information will be adde..., +[Netviewer (GoToMeet)](/rmm_tools/netviewer__gotomeet_),,Netviewer (GoToMeet) is a remote monitoring and management (RMM) tool. More information will be adde..., +[NoMachine](/rmm_tools/nomachine),,NoMachine is a remote monitoring and management (RMM) tool. More information will be added as it bec..., [MioNet (WD Anywhere Access)](/rmm_tools/mionet__wd_anywhere_access_),,MioNet (WD Anywhere Access) is a remote monitoring and management (RMM) tool. More information will ..., -[Comodo RMM](/rmm_tools/comodo_rmm),,Comodo RMM is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[Pocket Controller](/rmm_tools/pocket_controller),,Pocket Controller is a remote monitoring and management (RMM) tool. More information will be added a..., -[NordLocker](/rmm_tools/nordlocker),,NordLocker is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[Splashtop](/rmm_tools/splashtop),,Splashtop is a remote monitoring and management (RMM) tool. More information will be added as it bec...,Nasreddine Bencherchali +[RAdmin](/rmm_tools/radmin),,RAdmin is a remote monitoring and management (RMM) tool. More information will be added as it become...,Nasreddine Bencherchali +[LANDesk](/rmm_tools/landesk),,LANDesk is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[SuperOps](/rmm_tools/superops),,SuperOps is a remote monitoring and management (RMM) tool. 
More information will be added as it beco..., +[Lite Manager](/rmm_tools/lite_manager),,Lite Manager is a remote monitoring and management (RMM) tool. More information will be added as it ..., +[Supremo](/rmm_tools/supremo),,Supremo is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[Chicken (of the VNC)](/rmm_tools/chicken__of_the_vnc_),,Chicken (of the VNC) is a remote monitoring and management (RMM) tool. More information will be adde..., +[KHelpDesk](/rmm_tools/khelpdesk),,KHelpDesk is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[TurboMeeting](/rmm_tools/turbomeeting),,TurboMeeting is a remote monitoring and management (RMM) tool. More information will be added as it ..., +[RPort](/rmm_tools/rport),,RPort is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., +[MioNet (Also known as WD Anywhere Access)](/rmm_tools/mionet__also_known_as_wd_anywhere_access_),,MioNet (Also known as WD Anywhere Access) is a remote monitoring and management (RMM) tool. More inf..., [OCS inventory](/rmm_tools/ocs_inventory),,OCS inventory is a remote monitoring and management (RMM) tool. More information will be added as it..., +[RemotePass](/rmm_tools/remotepass),,RemotePass is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[GoToAssist (GoTo Resolve)](/rmm_tools/gotoassist__goto_resolve_),,GoToAssist (GoTo Resolve) is a remote monitoring and management (RMM) tool. More information will be..., +[Comodo RMM](/rmm_tools/comodo_rmm),,Comodo RMM is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[ShowMyPC](/rmm_tools/showmypc),,ShowMyPC is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[ToDesk](/rmm_tools/todesk),,ToDesk is a remote monitoring and management (RMM) tool. 
More information will be added as it become..., +[RunSmart](/rmm_tools/runsmart),,RunSmart is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[VNC Connect](/rmm_tools/vnc_connect),,VNC Connect is a remote monitoring and management (RMM) tool. More information will be added as it b..., +[Echoware](/rmm_tools/echoware),,Echoware is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Alpemix](/rmm_tools/alpemix),,Alpemix is a remote monitoring and management (RMM) tool. More information will be added as it becom...,Nasreddine Bencherchali +[Royal TS](/rmm_tools/royal_ts),,Royal TS is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[DragonDisk](/rmm_tools/dragondisk),,DragonDisk is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[Pcvisit](/rmm_tools/pcvisit),,Pcvisit is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[Connectwise Automate (LabTech)](/rmm_tools/connectwise_automate__labtech_),,Connectwise Automate (LabTech) is a remote monitoring and management (RMM) tool. More information wi..., +[DameWare](/rmm_tools/dameware),,DameWare is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Onionshare](/rmm_tools/onionshare),,Onionshare is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[Tailscale](/rmm_tools/tailscale),,Tailscale is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[Senso.cloud](/rmm_tools/senso.cloud),,Senso.cloud is a remote monitoring and management (RMM) tool. More information will be added as it b..., +[UltraViewer](/rmm_tools/ultraviewer),,UltraViewer is a remote monitoring and management (RMM) tool. 
More information will be added as it b..., +[KickIdler](/rmm_tools/kickidler),,KickIdler is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[Remmina](/rmm_tools/remmina),,Remmina is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[eHorus](/rmm_tools/ehorus),,eHorus is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[Quick Assist](/rmm_tools/quick_assist),,Quick Assist is a remote monitoring and management (RMM) tool. More information will be added as it ..., +[N-Able Advanced Monitoring Agent](/rmm_tools/n-able_advanced_monitoring_agent),,N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. More information ..., +[KiTTY](/rmm_tools/kitty),,KiTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., +[FleetDeck.io](/rmm_tools/fleetdeck.io),,FleetDeck.io is a remote monitoring and management (RMM) tool. More information will be added as it ..., +[TeleDesktop](/rmm_tools/teledesktop),,TeleDesktop is a remote monitoring and management (RMM) tool. More information will be added as it b..., +[Remote Utilities](/rmm_tools/remote_utilities),,Remote Utilities is a remote monitoring and management (RMM) tool. More information will be added as..., +[NetSupport Manager](/rmm_tools/netsupport_manager),,NetSupport Manager is a remote monitoring and management (RMM) tool. More information will be added ..., [GotoHTTP](/rmm_tools/gotohttp),,GotoHTTP is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[RemoteUtilities](/rmm_tools/remoteutilities),,RemoteUtilities is a remote monitoring and management (RMM) tool. More information will be added as ..., +[GoToMyPC](/rmm_tools/gotomypc),,GoToMyPC is a remote monitoring and management (RMM) tool. 
More information will be added as it beco...,Nasreddine Bencherchali +[SmartCode Web VNC](/rmm_tools/smartcode_web_vnc),,SmartCode Web VNC is a remote monitoring and management (RMM) tool. More information will be added a..., +[Seetrol](/rmm_tools/seetrol),,Seetrol is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[RDPView](/rmm_tools/rdpview),,RDPView is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[Zoho Assist](/rmm_tools/zoho_assist),,Zoho Assist is a remote monitoring and management (RMM) tool. More information will be added as it b..., +[Xpra](/rmm_tools/xpra),,Xpra is a remote monitoring and management (RMM) tool. More information will be added as it becomes ..., +[DeskNets](/rmm_tools/desknets),,DeskNets is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[XRDP](/rmm_tools/xrdp),,XRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes ..., +[ManageEngine](/rmm_tools/manageengine),,ManageEngine is a remote monitoring and management (RMM) tool. More information will be added as it ..., +[Impero Connect](/rmm_tools/impero_connect),,Impero Connect is a remote monitoring and management (RMM) tool. More information will be added as i..., +[Remcos](/rmm_tools/remcos),,Remcos is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[PDQ Connect](/rmm_tools/pdq_connect),,PDQ Connect is a remote monitoring and management (RMM) tool. More information will be added as it b..., [Terminals](/rmm_tools/terminals),,Terminals is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[RPort](/rmm_tools/rport),,RPort is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes..., -[CentraStage (Now Datto)](/rmm_tools/centrastage__now_datto_),,CentraStage (Now Datto) is a remote monitoring and management (RMM) tool. More information will be a..., -[Instant Housecall](/rmm_tools/instant_housecall),,Instant Housecall is a remote monitoring and management (RMM) tool. More information will be added a..., -[CruzControl](/rmm_tools/cruzcontrol),,CruzControl is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[Mikogo](/rmm_tools/mikogo),,Mikogo is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[mRemoteNG](/rmm_tools/mremoteng),,mRemoteNG is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[LabTech RMM (Now ConnectWise Automate)](/rmm_tools/labtech_rmm__now_connectwise_automate_),,LabTech RMM (Now ConnectWise Automate) is a remote monitoring and management (RMM) tool. More inform..., -[ScreenMeet](/rmm_tools/screenmeet),,ScreenMeet is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[RES Automation Manager](/rmm_tools/res_automation_manager),,RES Automation Manager is a remote monitoring and management (RMM) tool. More information will be ad..., -[Anyplace Control](/rmm_tools/anyplace_control),,Anyplace Control is a remote monitoring and management (RMM) tool. More information will be added as..., -[TightVNC](/rmm_tools/tightvnc),,TightVNC is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Syncro](/rmm_tools/syncro),,Syncro is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[247ithelp.com (ConnectWise)](/rmm_tools/247ithelp.com__connectwise_),,247ithelp.com (ConnectWise) is a remote monitoring and management (RMM) tool. 
More information will ..., +[Netviewer](/rmm_tools/netviewer),,Netviewer is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[Syspectr](/rmm_tools/syspectr),,Syspectr is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[I'm InTouch](/rmm_tools/i'm_intouch),,I'm InTouch is a remote monitoring and management (RMM) tool. More information will be added as it b..., +[ISL Light](/rmm_tools/isl_light),,ISL Light is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[Mocha VNC Lite](/rmm_tools/mocha_vnc_lite),,Mocha VNC Lite is a remote monitoring and management (RMM) tool. More information will be added as i..., +[Ericom Connect](/rmm_tools/ericom_connect),,Ericom Connect is a remote monitoring and management (RMM) tool. More information will be added as i..., +[Yandex.Disk](/rmm_tools/yandex.disk),,Yandex.Disk is a remote monitoring and management (RMM) tool. More information will be added as it b..., [LiteManager](/rmm_tools/litemanager),,LiteManager is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[Sophos-Remote Management System](/rmm_tools/sophos-remote_management_system),,Sophos-Remote Management System is a remote monitoring and management (RMM) tool. More information w..., -[ManageEngine](/rmm_tools/manageengine),,ManageEngine is a remote monitoring and management (RMM) tool. More information will be added as it ..., -[Splashtop Remote](/rmm_tools/splashtop_remote),,Splashtop Remote is a remote monitoring and management (RMM) tool. More information will be added as..., -[rdp2tcp](/rmm_tools/rdp2tcp),,rdp2tcp is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[BeAnyWhere](/rmm_tools/beanywhere),,BeAnyWhere is a remote monitoring and management (RMM) tool. 
More information will be added as it be..., [Jump Cloud](/rmm_tools/jump_cloud),,Jump Cloud is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[RuDesktop](/rmm_tools/rudesktop),,RuDesktop is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[LogMeIn](/rmm_tools/logmein),,LogMeIn is a remote monitoring and management (RMM) tool. More information will be added as it becom...,Nasreddine Bencherchali -[SmartFTP](/rmm_tools/smartftp),,SmartFTP is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[NetSupport Manager](/rmm_tools/netsupport_manager),,NetSupport Manager is a remote monitoring and management (RMM) tool. More information will be added ..., -[Pocket Cloud (Wyse)](/rmm_tools/pocket_cloud__wyse_),,Pocket Cloud (Wyse) is a remote monitoring and management (RMM) tool. More information will be added..., -[Guacamole](/rmm_tools/guacamole),,Guacamole is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[LANDesk](/rmm_tools/landesk),,LANDesk is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[Remote Desktop Manager (Devolutions)](/rmm_tools/remote_desktop_manager__devolutions_),,Remote Desktop Manager (Devolutions) is a remote monitoring and management (RMM) tool. More informat..., +[AweRay](/rmm_tools/aweray),,AweRay is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[Remobo](/rmm_tools/remobo),,Remobo is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[ESET Remote Administrator](/rmm_tools/eset_remote_administrator),,ESET Remote Administrator is a remote monitoring and management (RMM) tool. More information will be..., +[Ultra VNC](/rmm_tools/ultra_vnc),,Ultra VNC is a remote monitoring and management (RMM) tool. 
More information will be added as it bec..., [pcAnywhere](/rmm_tools/pcanywhere),,pcAnywhere is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[mstsc](/rmm_tools/mstsc),,mstsc is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., -[FreeNX](/rmm_tools/freenx),,FreeNX is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[PSEXEC (Clone)](/rmm_tools/psexec__clone_),,PSEXEC (Clone) is a remote monitoring and management (RMM) tool. More information will be added as i..., -[SpyAnywhere](/rmm_tools/spyanywhere),,SpyAnywhere is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[MultCloud](/rmm_tools/multcloud),,MultCloud is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[Visual Studio Dev Tunnel](/rmm_tools/visual_studio_dev_tunnel),,Visual Studio Dev Tunnel is a remote monitoring and management (RMM) tool. More information will be ..., -[Xpra](/rmm_tools/xpra),,Xpra is a remote monitoring and management (RMM) tool. More information will be added as it becomes ..., -[Royal Apps](/rmm_tools/royal_apps),,Royal Apps is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[eHorus](/rmm_tools/ehorus),,eHorus is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[SuperPuTTY](/rmm_tools/superputty),,SuperPuTTY is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[ZeroTier](/rmm_tools/zerotier),,ZeroTier is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Devolutions Remote Desktop Manager](/rmm_tools/devolutions_remote_desktop_manager),,Devolutions Remote Desktop Manager is a remote monitoring and management (RMM) tool. 
More informatio..., -[BeAnyWhere](/rmm_tools/beanywhere),,BeAnyWhere is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[WebEx (Remote Access)](/rmm_tools/webex__remote_access_),,WebEx (Remote Access) is a remote monitoring and management (RMM) tool. More information will be add..., -[AnyDesk](/rmm_tools/anydesk),RMM,AnyDesk is a popular remote desktop software that enables users to access and control a computer or ...,"Ali Alwashali, Nasreddine Bencherchali" -[Free Ping Tool](/rmm_tools/free_ping_tool),,Free Ping Tool is a remote monitoring and management (RMM) tool. More information will be added as i..., -[S3 Browser](/rmm_tools/s3_browser),,S3 Browser is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[NinjaOne (formerly NinjaRMM)](/rmm_tools/ninjaone__formerly_ninjarmm_),,NinjaOne (formerly NinjaRMM) is a remote monitoring and management (RMM) tool. More information will..., -[Adobe Connect](/rmm_tools/adobe_connect),,Adobe Connect is a remote monitoring and management (RMM) tool. More information will be added as it..., -[RemotePC](/rmm_tools/remotepc),,RemotePC is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[LogMeIn rescue](/rmm_tools/logmein_rescue),,LogMeIn rescue is a remote monitoring and management (RMM) tool. More information will be added as i..., -[UltraViewer](/rmm_tools/ultraviewer),,UltraViewer is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[Pandora RC (eHorus)](/rmm_tools/pandora_rc__ehorus_),,Pandora RC (eHorus) is a remote monitoring and management (RMM) tool. More information will be added..., -[IntelliAdmin Remote Control](/rmm_tools/intelliadmin_remote_control),,IntelliAdmin Remote Control is a remote monitoring and management (RMM) tool. More information will ..., -[MEGAsync](/rmm_tools/megasync),,MEGAsync is a remote monitoring and management (RMM) tool. 
More information will be added as it beco..., -[Encapto](/rmm_tools/encapto),,Encapto is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[ShowMyPC](/rmm_tools/showmypc),,ShowMyPC is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Lite Manager](/rmm_tools/lite_manager),,Lite Manager is a remote monitoring and management (RMM) tool. More information will be added as it ..., -[Netop Remote Control (aka Impero Connect)](/rmm_tools/netop_remote_control__aka_impero_connect_),,Netop Remote Control (aka Impero Connect) is a remote monitoring and management (RMM) tool. More inf..., -[GoToAssist](/rmm_tools/gotoassist),,GoToAssist is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[Ericom Connect](/rmm_tools/ericom_connect),,Ericom Connect is a remote monitoring and management (RMM) tool. More information will be added as i..., -[TeamViewer](/rmm_tools/teamviewer),,"TeamViewer is a remote monitoring and management (RMM) tool. -...","Nasreddine Bencherchali, Michael Haag" +[Remote.it](/rmm_tools/remote.it),,Remote.it is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[Guacamole](/rmm_tools/guacamole),,Guacamole is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[Addigy](/rmm_tools/addigy),,Addigy is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[AeroAdmin](/rmm_tools/aeroadmin),,AeroAdmin is a remote monitoring and management (RMM) tool. More information will be added as it bec..., [Access Remote PC](/rmm_tools/access_remote_pc),,Access Remote PC is a remote monitoring and management (RMM) tool. More information will be added as..., -[SecureCRT](/rmm_tools/securecrt),,SecureCRT is a remote monitoring and management (RMM) tool. 
More information will be added as it bec..., [Acronic Cyber Protect (Remotix)](/rmm_tools/acronic_cyber_protect__remotix_),,Acronic Cyber Protect (Remotix) is a remote monitoring and management (RMM) tool. More information w..., -[Sorillus](/rmm_tools/sorillus),,Sorillus is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Barracuda](/rmm_tools/barracuda),,Barracuda is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[DeskDay](/rmm_tools/deskday),,DeskDay is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[RemoteCall](/rmm_tools/remotecall),,RemoteCall is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[Splashtop](/rmm_tools/splashtop),,Splashtop is a remote monitoring and management (RMM) tool. More information will be added as it bec...,Nasreddine Bencherchali -[ManageEngine RMM Central](/rmm_tools/manageengine_rmm_central),,ManageEngine RMM Central is a remote monitoring and management (RMM) tool. More information will be ..., -[AeroAdmin](/rmm_tools/aeroadmin),,AeroAdmin is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[NoMachine](/rmm_tools/nomachine),,NoMachine is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[UltraVNC](/rmm_tools/ultravnc),,UltraVNC is a remote monitoring and management (RMM) tool. More information will be added as it beco..., [Instant Housecall](/rmm_tools/instant_housecall),,Instant Housecall is a remote monitoring and management (RMM) tool. More information will be added a..., -[NinjaRMM](/rmm_tools/ninjarmm),,NinjaRMM is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[ngrok](/rmm_tools/ngrok),,ngrok is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes..., -[Bitvise SSH Client](/rmm_tools/bitvise_ssh_client),,Bitvise SSH Client is a remote monitoring and management (RMM) tool. More information will be added ..., -[Chicken (of the VNC)](/rmm_tools/chicken__of_the_vnc_),,Chicken (of the VNC) is a remote monitoring and management (RMM) tool. More information will be adde..., [SkyFex](/rmm_tools/skyfex),,SkyFex is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[Ericom AccessNow](/rmm_tools/ericom_accessnow),,Ericom AccessNow is a remote monitoring and management (RMM) tool. More information will be added as..., -[Microsoft RDP](/rmm_tools/microsoft_rdp),,Microsoft RDP is a remote monitoring and management (RMM) tool. More information will be added as it..., -[Royal Server](/rmm_tools/royal_server),,Royal Server is a remote monitoring and management (RMM) tool. More information will be added as it ..., +[PSEXEC](/rmm_tools/psexec),,PSEXEC is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[MSP360](/rmm_tools/msp360),,MSP360 is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[SecureCRT](/rmm_tools/securecrt),,SecureCRT is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[VNC](/rmm_tools/vnc),,VNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes a..., +[Panorama9](/rmm_tools/panorama9),,Panorama9 is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[FixMe.it](/rmm_tools/fixme.it),,FixMe.it is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[ISL Online](/rmm_tools/isl_online),,ISL Online is a remote monitoring and management (RMM) tool. 
More information will be added as it be..., +[RES Automation Manager](/rmm_tools/res_automation_manager),,RES Automation Manager is a remote monitoring and management (RMM) tool. More information will be ad..., +[Atera](/rmm_tools/atera),,Atera is a remote monitoring and management (RMM) tool. It is used by threat actors to deploy ransom..., +[CrossLoop](/rmm_tools/crossloop),,CrossLoop is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[Level.io](/rmm_tools/level.io),,Level.io is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Tactical RMM](/rmm_tools/tactical_rmm),,Tactical RMM is a remote monitoring and management (RMM) tool. More information will be added as it ..., +[Fortra](/rmm_tools/fortra),,Fortra is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[Sorillus](/rmm_tools/sorillus),,Sorillus is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[RemoteCall](/rmm_tools/remotecall),,RemoteCall is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[Laplink Everywhere](/rmm_tools/laplink_everywhere),,Laplink Everywhere is a remote monitoring and management (RMM) tool. More information will be added ..., +[MEGAsync](/rmm_tools/megasync),,MEGAsync is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Neturo](/rmm_tools/neturo),,Neturo is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[Distant Desktop](/rmm_tools/distant_desktop),,Distant Desktop is a remote monitoring and management (RMM) tool. More information will be added as ..., +[Anyplace Control](/rmm_tools/anyplace_control),,Anyplace Control is a remote monitoring and management (RMM) tool. 
More information will be added as..., +[JollysFastVNC](/rmm_tools/jollysfastvnc),,JollysFastVNC is a remote monitoring and management (RMM) tool. More information will be added as it..., +[ExtraPuTTY](/rmm_tools/extraputty),,ExtraPuTTY is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[rdpwrap](/rmm_tools/rdpwrap),,rdpwrap is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[N-ABLE Remote Access Software](/rmm_tools/n-able_remote_access_software),,N-ABLE Remote Access Software is a remote monitoring and management (RMM) tool. More information wil..., [Solar-PuTTY](/rmm_tools/solar-putty),,Solar-PuTTY is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[Duplicati](/rmm_tools/duplicati),,Duplicati is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[Remote Desktop Plus](/rmm_tools/remote_desktop_plus),,Remote Desktop Plus is a remote monitoring and management (RMM) tool. More information will be added..., +[TeamViewer](/rmm_tools/teamviewer),,"TeamViewer is a remote monitoring and management (RMM) tool. +...","Nasreddine Bencherchali, Michael Haag" +[Itarian](/rmm_tools/itarian),,Itarian is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[Visual Studio Dev Tunnel](/rmm_tools/visual_studio_dev_tunnel),,Visual Studio Dev Tunnel is a remote monitoring and management (RMM) tool. More information will be ..., [ITSupport247 (ConnectWise)](/rmm_tools/itsupport247__connectwise_),,ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. More information will b..., -[DesktopNow](/rmm_tools/desktopnow),,DesktopNow is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[Remmina](/rmm_tools/remmina),,Remmina is a remote monitoring and management (RMM) tool. 
More information will be added as it becom..., -[Distant Desktop](/rmm_tools/distant_desktop),,Distant Desktop is a remote monitoring and management (RMM) tool. More information will be added as ..., -[DameWare](/rmm_tools/dameware),,DameWare is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Level](/rmm_tools/level),,Level is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., -[Insync](/rmm_tools/insync),,Insync is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[ISL Online](/rmm_tools/isl_online),,ISL Online is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[Remote.it](/rmm_tools/remote.it),,Remote.it is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[LogMeIn](/rmm_tools/logmein),,LogMeIn is a remote monitoring and management (RMM) tool. More information will be added as it becom...,Nasreddine Bencherchali +[PuTTY](/rmm_tools/putty),,PuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., [Netreo](/rmm_tools/netreo),,Netreo is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[NoteOn-desktop sharing](/rmm_tools/noteon-desktop_sharing),,NoteOn-desktop sharing is a remote monitoring and management (RMM) tool. More information will be ad..., -[Royal TS](/rmm_tools/royal_ts),,Royal TS is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[DeskNets](/rmm_tools/desknets),,DeskNets is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[QQ IM-remote assistance](/rmm_tools/qq_im-remote_assistance),,QQ IM-remote assistance is a remote monitoring and management (RMM) tool. 
More information will be a..., -[PuTTY Tray](/rmm_tools/putty_tray),,PuTTY Tray is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[XRDP](/rmm_tools/xrdp),,XRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes ..., +[Netop Remote Control (Impero Connect)](/rmm_tools/netop_remote_control__impero_connect_),,Netop Remote Control (Impero Connect) is a remote monitoring and management (RMM) tool. More informa..., +[Splashtop (Beta)](/rmm_tools/splashtop__beta_),,Splashtop (Beta) is a remote monitoring and management (RMM) tool. More information will be added as..., [FastViewer](/rmm_tools/fastviewer),,FastViewer is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[Jump Desktop](/rmm_tools/jump_desktop),,Jump Desktop is a remote monitoring and management (RMM) tool. More information will be added as it ..., -[Ivanti Remote Control](/rmm_tools/ivanti_remote_control),,Ivanti Remote Control is a remote monitoring and management (RMM) tool. More information will be add..., -[BeInSync](/rmm_tools/beinsync),,BeInSync is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[NateOn-desktop sharing](/rmm_tools/nateon-desktop_sharing),,NateOn-desktop sharing is a remote monitoring and management (RMM) tool. More information will be ad..., -[Xeox](/rmm_tools/xeox),,Xeox is a remote monitoring and management (RMM) tool. More information will be added as it becomes ..., -[WinSCP](/rmm_tools/winscp),,WinSCP is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[DW Service](/rmm_tools/dw_service),,DW Service is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[RustDesk](/rmm_tools/rustdesk),,RustDesk is a remote monitoring and management (RMM) tool. 
More information will be added as it beco..., +[MobaXterm](/rmm_tools/mobaxterm),,MobaXterm is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[GoToAssist](/rmm_tools/gotoassist),,GoToAssist is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[Free Ping Tool](/rmm_tools/free_ping_tool),,Free Ping Tool is a remote monitoring and management (RMM) tool. More information will be added as i..., +[HelpBeam](/rmm_tools/helpbeam),,HelpBeam is a remote monitoring and management (RMM) tool. More information will be added as it beco..., [NTR Remote](/rmm_tools/ntr_remote),,NTR Remote is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[TurboMeeting](/rmm_tools/turbomeeting),,TurboMeeting is a remote monitoring and management (RMM) tool. More information will be added as it ..., -[RemoteUtilities](/rmm_tools/remoteutilities),,RemoteUtilities is a remote monitoring and management (RMM) tool. More information will be added as ..., -[Pulseway](/rmm_tools/pulseway),,Pulseway is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Panorama9](/rmm_tools/panorama9),,Panorama9 is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[Atera](/rmm_tools/atera),,Atera is a remote monitoring and management (RMM) tool. It is used by threat actors to deploy ransom..., -[JollysFastVNC](/rmm_tools/jollysfastvnc),,JollysFastVNC is a remote monitoring and management (RMM) tool. More information will be added as it..., -[RunSmart](/rmm_tools/runsmart),,RunSmart is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Chrome Remote Desktop](/rmm_tools/chrome_remote_desktop),,Chrome Remote Desktop is a remote monitoring and management (RMM) tool. 
More information will be add..., -[Netviewer (GoToMeet)](/rmm_tools/netviewer__gotomeet_),,Netviewer (GoToMeet) is a remote monitoring and management (RMM) tool. More information will be adde..., -[Netviewer](/rmm_tools/netviewer),,Netviewer is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[ConnectWise Control](/rmm_tools/connectwise_control),,ConnectWise Control is a remote monitoring and management (RMM) tool. More information will be added..., -[ExtraPuTTY](/rmm_tools/extraputty),,ExtraPuTTY is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[FleetDeck.io](/rmm_tools/fleetdeck.io),,FleetDeck.io is a remote monitoring and management (RMM) tool. More information will be added as it ..., -[HelpU](/rmm_tools/helpu),,HelpU is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., -[ToDesk](/rmm_tools/todesk),,ToDesk is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[RAdmin](/rmm_tools/radmin),,RAdmin is a remote monitoring and management (RMM) tool. More information will be added as it become...,Nasreddine Bencherchali -[CrossLoop](/rmm_tools/crossloop),,CrossLoop is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[Centurion](/rmm_tools/centurion),,Centurion is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[KickIdler](/rmm_tools/kickidler),,KickIdler is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[Syncro](/rmm_tools/syncro),,Syncro is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[AweRay](/rmm_tools/aweray),,AweRay is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[SunLogin](/rmm_tools/sunlogin),,SunLogin is a remote monitoring and management (RMM) tool. 
More information will be added as it beco..., -[Koofr](/rmm_tools/koofr),,Koofr is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., -[SysAid](/rmm_tools/sysaid),,SysAid is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[Neturo](/rmm_tools/neturo),,Neturo is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[SmarTTY](/rmm_tools/smartty),,SmarTTY is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[Impero Connect](/rmm_tools/impero_connect),,Impero Connect is a remote monitoring and management (RMM) tool. More information will be added as i..., -[247ithelp.com (ConnectWise)](/rmm_tools/247ithelp.com__connectwise_),,247ithelp.com (ConnectWise) is a remote monitoring and management (RMM) tool. More information will ..., -[Remobo](/rmm_tools/remobo),,Remobo is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[Free Tools Launcher](/rmm_tools/free_tools_launcher),,Free Tools Launcher is a remote monitoring and management (RMM) tool. More information will be added..., -[Echoware](/rmm_tools/echoware),,Echoware is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Zoho Assist](/rmm_tools/zoho_assist),,Zoho Assist is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[KiTTY](/rmm_tools/kitty),,KiTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., -[SimpleHelp](/rmm_tools/simplehelp),,SimpleHelp is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[CloudFlare Tunnel](/rmm_tools/cloudflare_tunnel),,CloudFlare Tunnel is a remote monitoring and management (RMM) tool. 
More information will be added a..., +[ServerEye](/rmm_tools/servereye),,ServerEye is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[WebRDP](/rmm_tools/webrdp),,WebRDP is a remote monitoring and management (RMM) tool. More information will be added as it become..., [GoTo Opener](/rmm_tools/goto_opener),,GoTo Opener is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[Pcvisit](/rmm_tools/pcvisit),,Pcvisit is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[Mocha VNC Lite](/rmm_tools/mocha_vnc_lite),,Mocha VNC Lite is a remote monitoring and management (RMM) tool. More information will be added as i..., -[Laplink Gold](/rmm_tools/laplink_gold),,Laplink Gold is a remote monitoring and management (RMM) tool. More information will be added as it ..., -[Iperius Remote](/rmm_tools/iperius_remote),,Iperius Remote is a remote monitoring and management (RMM) tool. More information will be added as i..., +[S3 Browser](/rmm_tools/s3_browser),,S3 Browser is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[Any Support](/rmm_tools/any_support),,Any Support is a remote monitoring and management (RMM) tool. More information will be added as it b..., [BeamYourScreen](/rmm_tools/beamyourscreen),,BeamYourScreen is a remote monitoring and management (RMM) tool. More information will be added as i..., -[TeleDesktop](/rmm_tools/teledesktop),,TeleDesktop is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[Parallels Access](/rmm_tools/parallels_access),,Parallels Access is a remote monitoring and management (RMM) tool. More information will be added as..., -[Basecamp](/rmm_tools/basecamp),,Basecamp is a remote monitoring and management (RMM) tool. 
More information will be added as it beco..., -[Weezo](/rmm_tools/weezo),,Weezo is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., -[X2Go](/rmm_tools/x2go),,X2Go is a remote monitoring and management (RMM) tool. More information will be added as it becomes ..., -[Dev Tunnels (aka Visual Studio Dev Tunnel)](/rmm_tools/dev_tunnels__aka_visual_studio_dev_tunnel_),,Dev Tunnels (aka Visual Studio Dev Tunnel) is a remote monitoring and management (RMM) tool. More in..., -[Connectwise Automate (LabTech)](/rmm_tools/connectwise_automate__labtech_),,Connectwise Automate (LabTech) is a remote monitoring and management (RMM) tool. More information wi..., -[Splashtop (Beta)](/rmm_tools/splashtop__beta_),,Splashtop (Beta) is a remote monitoring and management (RMM) tool. More information will be added as..., -[Netop](/rmm_tools/netop),,Netop is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., -[Kaseya (VSA)](/rmm_tools/kaseya__vsa_),,Kaseya (VSA) aka Unigma is a remote monitoring and management (RMM) tool. More information will be a...,Nasreddine Bencherchali -[HelpBeam](/rmm_tools/helpbeam),,HelpBeam is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Sophos-Remote Management System](/rmm_tools/sophos-remote_management_system),,Sophos-Remote Management System is a remote monitoring and management (RMM) tool. More information w..., +[PSEXEC (Clone)](/rmm_tools/psexec__clone_),,PSEXEC (Clone) is a remote monitoring and management (RMM) tool. More information will be added as i..., +[GetScreen](/rmm_tools/getscreen),,GetScreen is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[RemotePC](/rmm_tools/remotepc),,RemotePC is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Tanium](/rmm_tools/tanium),,Tanium is a remote monitoring and management (RMM) tool. 
More information will be added as it become..., +[LabTeach (Connectwise Automate)](/rmm_tools/labteach__connectwise_automate_),,LabTeach (Connectwise Automate) is a remote monitoring and management (RMM) tool. More information w..., +[RemoteView](/rmm_tools/remoteview),,RemoteView is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[UltraVNC](/rmm_tools/ultravnc),,UltraVNC is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[SmarTTY](/rmm_tools/smartty),,SmarTTY is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[Absolute (Computrace)](/rmm_tools/absolute__computrace_),,Absolute (Computrace) is a remote monitoring and management (RMM) tool. More information will be add..., [Quest KACE Agent (formerly Dell KACE)](/rmm_tools/quest_kace_agent__formerly_dell_kace_),,Quest KACE Agent (formerly Dell KACE) is a remote monitoring and management (RMM) tool. More informa..., [DeskShare](/rmm_tools/deskshare),,DeskShare is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[rdpwrap](/rmm_tools/rdpwrap),,rdpwrap is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[Total Software Deployment](/rmm_tools/total_software_deployment),,Total Software Deployment is a remote monitoring and management (RMM) tool. More information will be..., -[PuTTY](/rmm_tools/putty),,PuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., -[RDPView](/rmm_tools/rdpview),,RDPView is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[Fortra](/rmm_tools/fortra),,Fortra is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[ISL Light](/rmm_tools/isl_light),,ISL Light is a remote monitoring and management (RMM) tool. 
More information will be added as it bec..., -[Pocket Controller (Soti Xsight)](/rmm_tools/pocket_controller__soti_xsight_),,Pocket Controller (Soti Xsight) is a remote monitoring and management (RMM) tool. More information w..., +[Pocket Cloud (Wyse)](/rmm_tools/pocket_cloud__wyse_),,Pocket Cloud (Wyse) is a remote monitoring and management (RMM) tool. More information will be added..., +[Pilixo](/rmm_tools/pilixo),,Pilixo is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[Mikogo](/rmm_tools/mikogo),,Mikogo is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[WebEx (Remote Access)](/rmm_tools/webex__remote_access_),,WebEx (Remote Access) is a remote monitoring and management (RMM) tool. More information will be add..., +[Koofr](/rmm_tools/koofr),,Koofr is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., +[Duplicati](/rmm_tools/duplicati),,Duplicati is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[ManageEngine RMM Central](/rmm_tools/manageengine_rmm_central),,ManageEngine RMM Central is a remote monitoring and management (RMM) tool. More information will be ..., +[WinSCP](/rmm_tools/winscp),,WinSCP is a remote monitoring and management (RMM) tool. More information will be added as it become..., [GatherPlace-desktop sharing](/rmm_tools/gatherplace-desktop_sharing),,GatherPlace-desktop sharing is a remote monitoring and management (RMM) tool. More information will ..., -[Site24x7](/rmm_tools/site24x7),,Site24x7 is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[MeshCentral](/rmm_tools/meshcentral),,MeshCentral is a remote monitoring and management (RMM) tool. MeshAgent used along with MeshCentral ...,@kostastsale -[MSP360](/rmm_tools/msp360),,MSP360 is a remote monitoring and management (RMM) tool. 
More information will be added as it become..., -[ScreenConnect](/rmm_tools/screenconnect),,ScreenConnect is a remote monitoring and management (RMM) tool. More information will be added as it...,"Ali Alwashali, Nasreddine Bencherchali" -[Microsoft TSC](/rmm_tools/microsoft_tsc),,Microsoft TSC is a remote monitoring and management (RMM) tool. More information will be added as it..., -[Tanium](/rmm_tools/tanium),,Tanium is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[Ultra VNC](/rmm_tools/ultra_vnc),,Ultra VNC is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[Remote Manipulator System](/rmm_tools/remote_manipulator_system),,Remote Manipulator System is a remote monitoring and management (RMM) tool. More information will be..., -[Domotz](/rmm_tools/domotz),,Domotz is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[FixMe.it](/rmm_tools/fixme.it),,FixMe.it is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Tanium Deploy](/rmm_tools/tanium_deploy),,Tanium Deploy is a remote monitoring and management (RMM) tool. More information will be added as it..., -[N-ABLE Remote Access Software](/rmm_tools/n-able_remote_access_software),,N-ABLE Remote Access Software is a remote monitoring and management (RMM) tool. More information wil..., -[Quick Assist](/rmm_tools/quick_assist),,Quick Assist is a remote monitoring and management (RMM) tool. More information will be added as it ..., -[AnyViewer](/rmm_tools/anyviewer),,AnyViewer is a remote monitoring and management (RMM) tool. More information will be added as it bec...,@kostastsale -[Naverisk](/rmm_tools/naverisk),,Naverisk is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Addigy](/rmm_tools/addigy),,Addigy is a remote monitoring and management (RMM) tool. 
More information will be added as it become..., -[Action1](/rmm_tools/action1),,Action1 is a powerful Remote Monitoring and Management(RMM) tool that enables users to execute comma...,@kostastsale -[AliWangWang-remote-control](/rmm_tools/aliwangwang-remote-control),,AliWangWang-remote-control is a remote monitoring and management (RMM) tool. More information will b..., -[FreeRDP](/rmm_tools/freerdp),,FreeRDP is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[MioNet (Also known as WD Anywhere Access)](/rmm_tools/mionet__also_known_as_wd_anywhere_access_),,MioNet (Also known as WD Anywhere Access) is a remote monitoring and management (RMM) tool. More inf..., -[SmartCode Web VNC](/rmm_tools/smartcode_web_vnc),,SmartCode Web VNC is a remote monitoring and management (RMM) tool. More information will be added a..., -[Onionshare](/rmm_tools/onionshare),,Onionshare is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[Rocket Remote Desktop](/rmm_tools/rocket_remote_desktop),,Rocket Remote Desktop is a remote monitoring and management (RMM) tool. More information will be add..., -[WebRDP](/rmm_tools/webrdp),,WebRDP is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[BeyondTrust](/rmm_tools/beyondtrust),,BeyondTrust is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[SuperOps](/rmm_tools/superops),,SuperOps is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[RemotePass](/rmm_tools/remotepass),,RemotePass is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[Itarian](/rmm_tools/itarian),,Itarian is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[PSEXEC](/rmm_tools/psexec),,PSEXEC is a remote monitoring and management (RMM) tool. 
More information will be added as it become..., -[Level.io](/rmm_tools/level.io),,Level.io is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Laplink Gold](/rmm_tools/laplink_gold),,Laplink Gold is a remote monitoring and management (RMM) tool. More information will be added as it ..., +[Centurion](/rmm_tools/centurion),,Centurion is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[Ivanti Remote Control](/rmm_tools/ivanti_remote_control),,Ivanti Remote Control is a remote monitoring and management (RMM) tool. More information will be add..., +[NordLocker](/rmm_tools/nordlocker),,NordLocker is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[Xeox](/rmm_tools/xeox),,Xeox is a remote monitoring and management (RMM) tool. More information will be added as it becomes ..., [ezHelp](/rmm_tools/ezhelp),,ezHelp is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[Kabuto](/rmm_tools/kabuto),,Kabuto is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[Level.io](/rmm_tools/level.io),,Level.io is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[MultCloud](/rmm_tools/multcloud),,MultCloud is a remote monitoring and management (RMM) tool. More information will be added as it bec..., [Synergy](/rmm_tools/synergy),,Synergy is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[OptiTune](/rmm_tools/optitune),,OptiTune is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Netop](/rmm_tools/netop),,Netop is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., [ConnectWise](/rmm_tools/connectwise),,ConnectWise is a remote monitoring and management (RMM) tool. 
More information will be added as it b..., -[TigerVNC](/rmm_tools/tigervnc),,TigerVNC is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[GoToMyPC](/rmm_tools/gotomypc),,GoToMyPC is a remote monitoring and management (RMM) tool. More information will be added as it beco...,Nasreddine Bencherchali -[Laplink Everywhere](/rmm_tools/laplink_everywhere),,Laplink Everywhere is a remote monitoring and management (RMM) tool. More information will be added ..., -[Syspectr](/rmm_tools/syspectr),,Syspectr is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Remote Utilities](/rmm_tools/remote_utilities),,Remote Utilities is a remote monitoring and management (RMM) tool. More information will be added as..., -[Remcos](/rmm_tools/remcos),,Remcos is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[ISL Online](/rmm_tools/isl_online),,ISL Online is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[DragonDisk](/rmm_tools/dragondisk),,DragonDisk is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[RealVNC](/rmm_tools/realvnc),,RealVNC is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[Supremo](/rmm_tools/supremo),,Supremo is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[GoToAssist Agent Desktop Console](/rmm_tools/gotoassist_agent_desktop_console),,GoToAssist Agent Desktop Console is a remote monitoring and management (RMM) tool. More information ..., -[RemoteView](/rmm_tools/remoteview),,RemoteView is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[VNC Connect](/rmm_tools/vnc_connect),,VNC Connect is a remote monitoring and management (RMM) tool. 
More information will be added as it b..., +[Encapto](/rmm_tools/encapto),,Encapto is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[Action1](/rmm_tools/action1),,Action1 is a powerful Remote Monitoring and Management(RMM) tool that enables users to execute comma...,@kostastsale +[SuperPuTTY](/rmm_tools/superputty),,SuperPuTTY is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[Royal Apps](/rmm_tools/royal_apps),,Royal Apps is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[Tanium Deploy](/rmm_tools/tanium_deploy),,Tanium Deploy is a remote monitoring and management (RMM) tool. More information will be added as it..., +[Zabbix Agent](/rmm_tools/zabbix_agent),,Zabbix Agent is a remote monitoring and management (RMM) tool. More information will be added as it ..., +[Weezo](/rmm_tools/weezo),,Weezo is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., +[BeInSync](/rmm_tools/beinsync),,BeInSync is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[ScreenMeet](/rmm_tools/screenmeet),,ScreenMeet is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[MyIVO](/rmm_tools/myivo),,MyIVO is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., +[LabTech RMM (Now ConnectWise Automate)](/rmm_tools/labtech_rmm__now_connectwise_automate_),,LabTech RMM (Now ConnectWise Automate) is a remote monitoring and management (RMM) tool. More inform..., +[Kabuto](/rmm_tools/kabuto),,Kabuto is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[FreeRDP](/rmm_tools/freerdp),,FreeRDP is a remote monitoring and management (RMM) tool. 
More information will be added as it becom..., +[ZOC](/rmm_tools/zoc),,ZOC is a remote monitoring and management (RMM) tool. More information will be added as it becomes a..., +[AliWangWang-remote-control](/rmm_tools/aliwangwang-remote-control),,AliWangWang-remote-control is a remote monitoring and management (RMM) tool. More information will b..., +[Goverlan](/rmm_tools/goverlan),,Goverlan is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Microsoft Quick Assist](/rmm_tools/microsoft_quick_assist),,Microsoft Quick Assist is a remote monitoring and management (RMM) tool. More information will be ad..., +[N-Able Advanced Monitoring Agent](/rmm_tools/n-able_advanced_monitoring_agent),,N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. More information ..., +[MyGreenPC](/rmm_tools/mygreenpc),,MyGreenPC is a remote monitoring and management (RMM) tool. More information will be added as it bec..., [Syncthing](/rmm_tools/syncthing),,Syncthing is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[KHelpDesk](/rmm_tools/khelpdesk),,KHelpDesk is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[Netop Remote Control (Impero Connect)](/rmm_tools/netop_remote_control__impero_connect_),,Netop Remote Control (Impero Connect) is a remote monitoring and management (RMM) tool. More informa..., -[Bitvise SSH Server](/rmm_tools/bitvise_ssh_server),,Bitvise SSH Server is a remote monitoring and management (RMM) tool. More information will be added ..., -[Apple Remote Desktop](/rmm_tools/apple_remote_desktop),,Apple Remote Desktop is a remote monitoring and management (RMM) tool. More information will be adde..., -[Chrome SSH Extension](/rmm_tools/chrome_ssh_extension),,Chrome SSH Extension is a remote monitoring and management (RMM) tool. 
More information will be adde..., +[Chrome Remote Desktop](/rmm_tools/chrome_remote_desktop),,Chrome Remote Desktop is a remote monitoring and management (RMM) tool. More information will be add..., +[Remote Desktop Plus](/rmm_tools/remote_desktop_plus),,Remote Desktop Plus is a remote monitoring and management (RMM) tool. More information will be added..., +[NateOn-desktop sharing](/rmm_tools/nateon-desktop_sharing),,NateOn-desktop sharing is a remote monitoring and management (RMM) tool. More information will be ad..., +[Barracuda](/rmm_tools/barracuda),,Barracuda is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[CrossTec Remote Control](/rmm_tools/crosstec_remote_control),,CrossTec Remote Control is a remote monitoring and management (RMM) tool. More information will be a..., +[DeskDay](/rmm_tools/deskday),,DeskDay is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[mRemoteNG](/rmm_tools/mremoteng),,mRemoteNG is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[FreeNX](/rmm_tools/freenx),,FreeNX is a remote monitoring and management (RMM) tool. More information will be added as it become..., [NetSupport Manager](/rmm_tools/netsupport_manager),,NetSupport Manager is a remote monitoring and management (RMM) tool. More information will be added ..., -[ESET Remote Administrator](/rmm_tools/eset_remote_administrator),,ESET Remote Administrator is a remote monitoring and management (RMM) tool. More information will be..., -[Yandex.Disk](/rmm_tools/yandex.disk),,Yandex.Disk is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[N-Able Advanced Monitoring Agent](/rmm_tools/n-able_advanced_monitoring_agent),,N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. More information ..., -[MyIVO](/rmm_tools/myivo),,MyIVO is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes..., +[rdp2tcp](/rmm_tools/rdp2tcp),,rdp2tcp is a remote monitoring and management (RMM) tool. More information will be added as it becom..., [ITSupport247 (ConnectWise)](/rmm_tools/itsupport247__connectwise_),,ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. More information will b..., -[VNC](/rmm_tools/vnc),,VNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes a..., -[ServerEye](/rmm_tools/servereye),,ServerEye is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[Rapid7](/rmm_tools/rapid7),,Rapid7 is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[GoToAssist (GoTo Resolve)](/rmm_tools/gotoassist__goto_resolve_),,GoToAssist (GoTo Resolve) is a remote monitoring and management (RMM) tool. More information will be..., -[GetScreen](/rmm_tools/getscreen),,GetScreen is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[MobaXterm](/rmm_tools/mobaxterm),,MobaXterm is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[CrossTec Remote Control](/rmm_tools/crosstec_remote_control),,CrossTec Remote Control is a remote monitoring and management (RMM) tool. More information will be a..., -[Absolute (Computrace)](/rmm_tools/absolute__computrace_),,Absolute (Computrace) is a remote monitoring and management (RMM) tool. More information will be add..., -[Xshell](/rmm_tools/xshell),,Xshell is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[MyGreenPC](/rmm_tools/mygreenpc),,MyGreenPC is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[Level.io](/rmm_tools/level.io),,Level.io is a remote monitoring and management (RMM) tool. 
More information will be added as it beco..., -[Microsoft Quick Assist](/rmm_tools/microsoft_quick_assist),,Microsoft Quick Assist is a remote monitoring and management (RMM) tool. More information will be ad..., -[Manage Engine (Desktop Central)](/rmm_tools/manage_engine__desktop_central_),,Manage Engine (Desktop Central) is a remote monitoring and management (RMM) tool. More information w..., +[Pulseway](/rmm_tools/pulseway),,Pulseway is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Naverisk](/rmm_tools/naverisk),,Naverisk is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Total Software Deployment](/rmm_tools/total_software_deployment),,Total Software Deployment is a remote monitoring and management (RMM) tool. More information will be..., +[ISL Online](/rmm_tools/isl_online),,ISL Online is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[NinjaOne (formerly NinjaRMM)](/rmm_tools/ninjaone__formerly_ninjarmm_),,NinjaOne (formerly NinjaRMM) is a remote monitoring and management (RMM) tool. More information will..., +[QQ IM-remote assistance](/rmm_tools/qq_im-remote_assistance),,QQ IM-remote assistance is a remote monitoring and management (RMM) tool. More information will be a..., +[Microsoft RDP](/rmm_tools/microsoft_rdp),,Microsoft RDP is a remote monitoring and management (RMM) tool. More information will be added as it..., +[RuDesktop](/rmm_tools/rudesktop),,RuDesktop is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[BeyondTrust (Bomgar)](/rmm_tools/beyondtrust__bomgar_),,BeyondTrust (Bomgar) is a remote monitoring and management (RMM) tool. More information will be adde..., +[TightVNC](/rmm_tools/tightvnc),,TightVNC is a remote monitoring and management (RMM) tool. 
More information will be added as it beco..., +[MeshCentral](/rmm_tools/meshcentral),,MeshCentral is a remote monitoring and management (RMM) tool. MeshAgent used along with MeshCentral ...,@kostastsale +[Dev Tunnels (aka Visual Studio Dev Tunnel)](/rmm_tools/dev_tunnels__aka_visual_studio_dev_tunnel_),,Dev Tunnels (aka Visual Studio Dev Tunnel) is a remote monitoring and management (RMM) tool. More in..., +[CarotDAV](/rmm_tools/carotdav),,CarotDAV is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Bitvise SSH Server](/rmm_tools/bitvise_ssh_server),,Bitvise SSH Server is a remote monitoring and management (RMM) tool. More information will be added ..., +[Pandora RC (eHorus)](/rmm_tools/pandora_rc__ehorus_),,Pandora RC (eHorus) is a remote monitoring and management (RMM) tool. More information will be added..., +[DW Service](/rmm_tools/dw_service),,DW Service is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[Iperius Remote](/rmm_tools/iperius_remote),,Iperius Remote is a remote monitoring and management (RMM) tool. More information will be added as i..., diff --git a/yaml/screenconnect.yaml b/yaml/screenconnect.yaml index 9d27ba16..a846aadf 100644 --- a/yaml/screenconnect.yaml +++ b/yaml/screenconnect.yaml @@ -3,7 +3,7 @@ Description: ScreenConnect is a remote monitoring and management (RMM) tool. Mor information will be added as it becomes available. Author: Ali Alwashali, Nasreddine Bencherchali Created: '2023-10-01' -LastModified: '2024-08-03' +LastModified: '2024-10-08' Details: Website: https://www.connectwise.com PEMetadata: 
@@ -56,7 +56,17 @@ Artifacts:
- File: C:\ProgramData\ScreenConnect Client*\user.config
Description: ScreenConnect client user configuration
OS: Windows
- EventLog: []
+ EventLog:
+ - EventID: 7045
+ ProviderName: ["ScreenConnect", "ScreenConnect Client ()"]
+ LogFile: Application.evtx
+ ServiceName: ScreenConnect Client ()
+ Description: Service installation event as a result of ScreenConnect installation.
+ - EventID: 20
+ ProviderName: ["ScreenConnect", "ScreenConnect Client ()"]
+ LogFile: Application.evtx
+ ServiceName: ScreenConnect Client ()
+ Description: Logs events such as successful or failed connections, and user logins.
Registry: []
Network:
- Description: Known remote domains
@@ -74,4 +84,5 @@ Detections:
Description: Detects potential processes activity of ScreenConnect RMM tool
References:
- https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours/
+- https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling
Acknowledgement: []
From d6c6525ae7e663aee0bf57864172d7bcc734b644 Mon Sep 17 00:00:00 2001
From: Aaron
Date: Tue, 8 Oct 2024 09:19:42 -0500
Subject: [PATCH 2/6] removed unchanged tools
---
website/pages/tools/instant_housecall.mdx | 4 ++--
website/pages/tools/itsupport247__connectwise_.mdx | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/website/pages/tools/instant_housecall.mdx b/website/pages/tools/instant_housecall.mdx
index acda126f..b1262f56 100644
--- a/website/pages/tools/instant_housecall.mdx
+++ b/website/pages/tools/instant_housecall.mdx
@@ -23,7 +23,7 @@ Instant Housecall is a remote monitoring and management (RMM) tool. More informa
/> #### Installation Paths - + 
@@ -36,7 +36,7 @@ Instant Housecall is a remote monitoring and management (RMM) tool. More informa
#### Network Artifacts - + 
diff --git a/website/pages/tools/itsupport247__connectwise_.mdx b/website/pages/tools/itsupport247__connectwise_.mdx
index 407424dd..75a7e65a 100644 
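Review bot: The 7045 entry in the new EventLog list points at the wrong channel and provider: event ID 7045 ("A service was installed in the system") is written by the Service Control Manager to the System log, not to Application.evtx under a ScreenConnect provider, so anyone pivoting on this entry would search a log that never contains it. For that entry I would change the two lines to `ProviderName: ["Service Control Manager"]` and `LogFile: System.evtx`, keeping the ScreenConnect providers and Application.evtx for the ID 20 entry only. `ServiceName: ScreenConnect Client ()` reads like a placeholder whose per-instance identifier was dropped from inside the parentheses, so the Description should state that the service name carries an instance-specific suffix and has to be matched with a wildcard, and the "user logins" claim in the ID 20 description should be backed by the cited reference or dropped. Patch 3/6 appears to revert the generated mdx/CSV/JSON exports, which would leave this yaml as the only carrier of the change, so these values need to be right before the site is regenerated. The enclosing `Artifacts:` mapping begins before the hunk.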
--- a/website/pages/tools/itsupport247__connectwise_.mdx
+++ b/website/pages/tools/itsupport247__connectwise_.mdx
@@ -36,7 +36,7 @@ ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. Mor
#### Network Artifacts - + 
From 2be0f8b77eef441cf6368fe2abed623d14394ba8 Mon Sep 17 00:00:00 2001
From: Aaron
Date: Tue, 8 Oct 2024 10:32:56 -0500
Subject: [PATCH 3/6] removed more unneeded files for PR
---
website/pages/tools/screenconnect.mdx | 6 +-
website/public/api/rmm_tools.csv | 508 +-
website/public/api/rmm_tools.json | 11872 ++++++++++++------------
website/public/rmm_tools_table.csv | 484 +-
4 files changed, 6422 insertions(+), 6448 deletions(-)
diff --git a/website/pages/tools/screenconnect.mdx b/website/pages/tools/screenconnect.mdx
index a9d30b8b..a94e4455 100644
--- a/website/pages/tools/screenconnect.mdx
+++ b/website/pages/tools/screenconnect.mdx
@@ -16,7 +16,7 @@ ScreenConnect is a remote monitoring and management (RMM) tool. More information
category={""}
created={"2023-10-01"}
website={"https://www.connectwise.com"}
- lastModified={"2024-10-08"}
+ lastModified={"2024-08-03"}
privileges={""}
free={ "14-Days Free Trial" }
verification={""}
@@ -39,9 +39,6 @@ ScreenConnect is a remote monitoring and management (RMM) tool. More information
-#### Event Log Artifacts - -)"], "LogFile": "Application.evtx", "ServiceName": "ScreenConnect Client ()", "Description": "Service installation event as a result of ScreenConnect installation."}, {"EventID": 20, "ProviderName": ["ScreenConnect", "ScreenConnect Client ()"], "LogFile": "Application.evtx", "ServiceName": "ScreenConnect Client ()", "Description": "Logs events such as successful or failed connections, and user logins."}] }/> #### Network Artifacts 
@@ -61,5 +58,4 @@ ScreenConnect is a remote monitoring and management (RMM) tool. More information
### References
- [https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours/](https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours/)
-- [https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling](https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling)
diff --git a/website/public/api/rmm_tools.csv b/website/public/api/rmm_tools.csv
index 2df91e6f..a0874d4d 100644
--- a/website/public/api/rmm_tools.csv
+++ b/website/public/api/rmm_tools.csv 
@@ -1,284 +1,284 @@ Name,Category,Description,Author,Created,LastModified,Website,Filename,OriginalFileName,PEDescription,Product,Privileges,Free,Verification,SupportedOS,Capabilities,Vulnerabilities,InstallationPaths,Artifacts,Detections,References,Acknowledgement -Rapid7,,Rapid7 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"ir_agent.exe, rapid7_agent_core.exe, rapid7_endpoint_broker.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.analytics.insight.rapid7.com"", ""*.endpoint.ingress.rapid7.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rapid7_network_sigma.yml"", ""Description"": ""Detects potential network activity of Rapid7 RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rapid7_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Rapid7 RMM tool""}]",https://docs.rapid7.com/insightvm/configure-communications-with-the-insight-platform/,[] -SunLogin,,SunLogin is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"OrayRemoteShell.exe, OrayRemoteService.exe, sunlogin*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""sunlogin.oray.com"", ""client.oray.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sunlogin_network_sigma.yml"", ""Description"": ""Detects potential network activity of SunLogin RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sunlogin_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SunLogin RMM tool""}]",https://sunlogin.oray.com/en/embed/software.html,[] -GoToAssist Agent Desktop Console,,GoToAssist Agent Desktop Console is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\G2RDesktopConsole-x64.msi, *\G2RDesktopConsole-x64.msi","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Kaseya (VSA),,"Kaseya (VSA) aka Unigma is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. 
-",Nasreddine Bencherchali,2024-08-05,2024-08-05,,agentmon.exe,,,,,,,,,,"C:\Program Files (x86)\Kaseya\, C:\ProgramData\Kaseya\","{""Disk"": [{""File"": ""%localappdata%\\Kaseya\\Log\\KaseyaLiveConnect\\*"", ""Description"": ""Kaseya Live Connect logs"", ""OS"": ""Windows""}, {""File"": ""~/Library/Logs/com.kaseya/KaseyaLiveConnect/*"", ""Description"": ""Kaseya Live Connect logs"", ""OS"": ""MacOS""}, {""File"": ""C:\\ProgramData\\Kaseya\\Log\\Endpoint\\*"", ""Description"": ""Kaseya Endpoint logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files*\\Kaseya\\*\\agentmon.log"", ""Description"": ""Kaseya Agent Monitor log""}, {""File"": ""/var/log/system.log"", ""Description"": ""Kaseya Agent Monitor log"", ""OS"": ""MacOS 32bit""}, {""File"": "" ~/opt/kaseya/*/logs*"", ""Description"": ""Kaseya Agent Monitor log"", ""OS"": ""MacOS 64bit""}, {""File"": ""C:\\Users\\*\\AppData\\Local\\Temp\\KASetup.log"", ""Description"": ""Kaseya Setup log in user temp directory"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\Temp\\KASetup.log"", ""Description"": ""Kaseya Setup log in Windows temp directory"", ""OS"": ""Windows""}, {""File"": ""C:\\ProgramData\\Kaseya\\Log\\KaseyaEdgeServices\\*"", ""Description"": ""Kaseya Edge Services logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Kaseya\\api\\v1.0\\logs\\"", ""Description"": ""Kaseya API logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Kaseya\\api\\v1.5\\endpoint\\logs"", ""Description"": ""Kaseya API logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Kaseya\\api\\v1.5\\endpoints\\logs"", ""Description"": ""Kaseya API logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Kaseya\\Log\\MakeSelfSignedCert.exe\\"", ""Description"": ""Certificate creation"", ""OS"": ""Windows""}, {""File"": ""C:\\Kaseya\\WebPages\\install\\makecert.txt"", ""Description"": ""Certificate creation"", ""OS"": ""Windows""}, {""File"": 
""C:\\ProgramData\\Kaseya\\Log\\Endpoint\\Instance_*\\KaseyaEndpoint*"", ""Description"": ""Endpoint service logs"", ""OS"": ""Windows""}, {""File"": ""C:\\ProgramData\\Kaseya\\Log\\Endpoint\\Instance_*\\Session_*"", ""Description"": ""Session logs"", ""OS"": ""Windows""}], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""deploy01.kaseya.com"", ""*managedsupport.kaseya.net"", ""*.kaseya.net"", ""kaseya.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kaseya__vsa__network_sigma.yml"", ""Description"": ""Detects potential network activity of Kaseya (VSA) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kaseya__vsa__files_sigma.yml"", ""Description"": ""Detects potential files activity of Kaseya (VSA) RMM tool""}]","https://helpdesk.kaseya.com/hc/en-gb/articles/229012608-Software-Deployment-URL-Port-Requirements, https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations, https://ruler-project.github.io/ruler-project/RULER/remote/Kaseya/, https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations",[] -PuTTY Tray,,PuTTY Tray is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\puttytray.exe, *\puttytray.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/putty_tray_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of PuTTY Tray RMM tool""}]",,[] -SysAid,,SysAid is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\SysAidServer\*, *\SysAidServer\*, *\SysAid\*, *\IliAS.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sysaid_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SysAid RMM tool""}]",,[] -Domotz,,Domotz is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"domotz.exe, Domotz Pro Desktop App.exe, domotz_bash.exe, domotz*.exe, Domotz Pro Desktop App Setup*.exe, domotz-windows*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.domotz.co"", ""domotz.com"", ""*cell-1.domotz.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/domotz_network_sigma.yml"", ""Description"": ""Detects potential network activity of Domotz RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/domotz_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Domotz RMM tool""}]",https://help.domotz.com/tips-tricks/unblock-outgoing-connections-on-firewall/,[] -BeyondTrust,,BeyondTrust is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Netop Remote Control (aka Impero Connect),,Netop Remote Control (aka Impero Connect) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"nhostsvc.exe, nhstw32.exe, nldrw32.exe, rmserverconsolemediator.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""imperosoftware.com/impero-connect/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__aka_impero_connect__network_sigma.yml"", ""Description"": ""Detects potential network activity of Netop Remote Control (aka Impero Connect) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__aka_impero_connect__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Netop Remote Control (aka Impero Connect) RMM tool""}]",,[] -Microsoft TSC,,Microsoft TSC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"termsrv.exe, mstsc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_tsc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Microsoft TSC RMM tool""}]",https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/terminal-server-startup-connection-application,[] -Jump Desktop,,Jump Desktop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"jumpclient.exe, jumpdesktop.exe, jumpservice.exe, jumpconnect.exe, jumpupdater.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.jumpdesktop.com"", ""jumpdesktop.com"", ""jumpto.me"", ""*.jumpto.me""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_desktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of Jump Desktop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_desktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Jump Desktop RMM tool""}]",https://support.jumpdesktop.com/hc/en-us/articles/360042490351-Administrators-Guide-For-Jump-Desktop-Connect,[] -IntelliAdmin Remote Control,,IntelliAdmin Remote Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"iadmin.exe, intelliadmin.exe, agent32.exe, agent64.exe, agent_setup_5.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""*.intelliadmin.com"", ""intelliadmin.com/remote-control""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/intelliadmin_remote_control_network_sigma.yml"", ""Description"": ""Detects potential network activity of IntelliAdmin Remote Control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/intelliadmin_remote_control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of IntelliAdmin Remote Control RMM tool""}]",intelliadmin.com/remote-control,[] -Chrome SSH Extension,,Chrome SSH Extension is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\Extensions\iodihamcpbpeioajjeobimgagajmlibd*, *Users\*\AppData\Local\Google\Chrome\User Data\Default\Extensions\iodihamcpbpeioajjeobimgagajmlibd*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -ZeroTier,,ZeroTier is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"zerotier*.msi, zerotier*.exe, zero-powershell.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""zerotier.com"", ""*.zerotier.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zerotier_network_sigma.yml"", ""Description"": ""Detects potential network activity of ZeroTier RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zerotier_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ZeroTier RMM tool""}]",https://my.zerotier.com/,[] -Ericom AccessNow,,Ericom AccessNow is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"accessserver*.exe, accessserver.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""ericom.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_accessnow_network_sigma.yml"", ""Description"": ""Detects potential network activity of Ericom AccessNow RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_accessnow_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Ericom AccessNow RMM tool""}]",https://www.ericom.com/connect-accessnow/,[] -RealVNC,,RealVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +LabTeach (Connectwise Automate),,LabTeach (Connectwise Automate) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,ltsvc.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labteach__connectwise_automate__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of LabTeach (Connectwise Automate) RMM tool""}]",,[] +Zabbix Agent,,Zabbix Agent is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,zabbix_agent*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""zabbix.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zabbix_agent_network_sigma.yml"", ""Description"": ""Detects potential network activity of Zabbix Agent RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zabbix_agent_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Zabbix Agent RMM tool""}]",https://www.zabbix.com/documentation/current/en/manual/appendix/install/windows_agent,[] +Senso.cloud,,Senso.cloud is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"SensoClient.exe, SensoService.exe, aadg.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.senso.cloud"", ""senso.cloud""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/senso.cloud_network_sigma.yml"", ""Description"": ""Detects potential network activity of Senso.cloud RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/senso.cloud_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Senso.cloud RMM tool""}]",https://support.senso.cloud/support/solutions/articles/79000116305-firewall-and-content-filter-configuration,[] +I'm InTouch,,I'm InTouch is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"iit.exe, intouch.exe, I'm InTouch Go Installer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.01com.com"", ""01com.com/imintouch-remote-pc-desktop""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/i'm_intouch_network_sigma.yml"", ""Description"": ""Detects potential network activity of I'm InTouch RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/i'm_intouch_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of I'm InTouch RMM tool""}]",https://www.01com.com/mobile/imintouch-remote-pc-desktop/faqs/remote-access/,[] +RustDesk,,RustDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rustdesk*.exe, rustdesk.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""rustdesk.com"", ""user_managed"", ""web.rustdesk.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rustdesk_network_sigma.yml"", ""Description"": ""Detects potential network activity of RustDesk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rustdesk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RustDesk RMM tool""}]",https://rustdesk.com/docs/en/,[] +Electric AI (Kaseya),,Electric AI (Kaseya) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""electric.ai""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/electric_network_sigma.yml"", ""Description"": ""Detects potential network activity of Electric RMM tool""}]",https://www.electric.ai/product/device-management-solutions - Usess Kaseya/jamf,[] +ZOC,,ZOC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\ZOC8\*, *\ZOC?\*, *\zoc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ZOC RMM tool""}]",,[] +Any Support,,Any Support is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/27/2024,,,,,,,,,,,,ManualLauncher.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.anysupport.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/any_support_network_sigma.yml"", ""Description"": ""Detects potential network activity of Any Support RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/any_support_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Any Support RMM tool""}]",https://www.anysupport.net/introduce_howto.php,[] +PDQ Connect,,PDQ Connect is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,pdq-connect*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""app.pdq.com"", ""cfcdn.pdq.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pdq_connect_network_sigma.yml"", ""Description"": ""Detects potential network activity of PDQ Connect RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pdq_connect_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of PDQ Connect RMM tool""}]",https://connect.pdq.com/hc/en-us/articles/9518992071707-Network-Requirements,[] Pcnow,,Pcnow is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"mwcliun.exe, pcnmgr.exe, webexpcnow.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""au.pcmag.com/utilities/21470/webex-pcnow""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcnow_network_sigma.yml"", ""Description"": ""Detects potential network activity of Pcnow RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcnow_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pcnow RMM tool""}]",http://pcnow.webex.com/ - DOA as of 2024,[] -DesktopNow,,DesktopNow is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,desktopnow.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.nchuser.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktopnow_network_sigma.yml"", ""Description"": ""Detects potential network activity of DesktopNow RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktopnow_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DesktopNow RMM tool""}]",https://forums.ivanti.com/s/article/Network-Ports-used-by-Environment-Manager?language=en_US,[] -Pocket Controller (Soti Xsight),,Pocket Controller (Soti Xsight) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"pocketcontroller.exe, wysebrowser.exe, XSightService.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*soti.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller__soti_xsight__network_sigma.yml"", ""Description"": ""Detects potential network activity of Pocket Controller (Soti Xsight) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller__soti_xsight__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pocket Controller (Soti Xsight) RMM tool""}]",https://pulse.soti.net/support/soti-xsight/help/,[] -Instant Housecall,,Instant Housecall is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"hsloader.exe, ihcserver.exe, instanthousecall.exe, instanthousecall.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.instanthousecall.com"", ""*.instanthousecall.net"", ""instanthousecall.com"", ""secure.instanthousecall.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_network_sigma.yml"", ""Description"": ""Detects potential network activity of Instant Housecall RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Instant Housecall RMM tool""}]",https://instanthousecall.com/features/,[] +Seetrol,,Seetrol is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"seetrolcenter.exe, seetrolclient.exe, seetrolmyservice.exe, seetrolremote.exe, seetrolsetting.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""seetrol.co.kr""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/seetrol_network_sigma.yml"", ""Description"": ""Detects potential network activity of Seetrol RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/seetrol_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Seetrol RMM tool""}]",http://www.seetrol.com/en/features/features3.php,[] +CarotDAV,,CarotDAV is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Rei Software\CarotDAV\*, *\Rei Software\CarotDAV\*, *\CarotDAV.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/carotdav_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of CarotDAV RMM tool""}]",,[] +Goverlan,,Goverlan is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"goverrmc.exe, govsrv*.exe, GovAgentInstallHelper.exe, GovAgentx64.exe, GovReachClient.exe, C:\Program Files (x86)\PJ Technologies\GOVsrv\*, *\PJ Technologies\GOVsrv\*, *\GovSrv.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""goverlan.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/goverlan_network_sigma.yml"", ""Description"": ""Detects potential network activity of Goverlan RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/goverlan_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Goverlan RMM tool""}]",https://www.goverlan.com/pdf/Goverlan-Remote-Control-Software.pdf,[] +OptiTune,,OptiTune is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"OTService.exe, OTPowerShell.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.optitune.us"", ""*.opti-tune.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/optitune_network_sigma.yml"", ""Description"": ""Detects potential network activity of OptiTune RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/optitune_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of OptiTune RMM tool""}]",https://www.bravurasoftware.com/optitune/support/faq.aspx,[] +EMCO Remote Console,,EMCO Remote Console is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,remoteconsole.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""emcosoftware.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/emco_remote_console_network_sigma.yml"", ""Description"": ""Detects potential network activity of EMCO Remote Console RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/emco_remote_console_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of EMCO Remote Console RMM tool""}]",,[] +N-Able Advanced Monitoring Agent,,N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"Agent_*_RW.exe, BASEClient.exe, BASupApp.exe, BASupSrvc.exe, BASupSrvcCnfg.exe, BASupTSHelper.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*remote.management"", ""*.logicnow.com"", ""*systemmonitor.us"", ""*systemmonitor.eu.com"", ""*system-monitor.com"", ""systemmonitor.us.cdn.cloudflare.net"", ""*cloudbackup.management"", ""*systemmonitor.co.uk"", ""*.n-able.com"", ""*.beanywhere.com "", ""*.swi-tc.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_network_sigma.yml"", ""Description"": ""Detects potential network activity of N-Able Advanced Monitoring Agent RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of N-Able Advanced Monitoring Agent RMM tool""}]",https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm,[] +Tailscale,,Tailscale is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"tailscale-*.exe, tailscaled.exe, tailscale-ipn.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.tailscale.com"", ""*.tailscale.io"", ""tailscale.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tailscale_network_sigma.yml"", ""Description"": ""Detects potential network activity of Tailscale RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tailscale_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Tailscale RMM tool""}]",https://tailscale.com/kb/1023/troubleshooting,[] +Pilixo,,Pilixo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rdp.exe, Pilixo_Installer*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""pilixo.com"", ""download.pilixo.com"", ""*.pilixo.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pilixo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Pilixo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pilixo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pilixo RMM tool""}]",https://pilixo.freshdesk.com/support/solutions/articles/9000141879-device-connectivity-and-firewalls,[] +Remote Desktop Manager (Devolutions),,Remote Desktop Manager (Devolutions) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +BeyondTrust (Bomgar),,BeyondTrust (Bomgar) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"bomgar-scc-*.exe, bomgar-scc.exe, bomgar-pac-*.exe, bomgar-pac.exe, bomgar-rdp.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.beyondtrustcloud.com"", ""*.bomgarcloud.com"", ""bomgarcloud.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__network_sigma.yml"", ""Description"": ""Detects potential network activity of BeyondTrust (Bomgar) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of BeyondTrust (Bomgar) RMM tool""}]",https://www.beyondtrust.com/docs/remote-support/getting-started/deployment/cloud/network.htm,[] +Alpemix,,"Alpemix is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. 
+",Nasreddine Bencherchali,2024-08-05,2024-08-05,https://www.alpemix.com/en/Home,Alpemix.exe,Alpemix,Alpemix,Alpemix,,,,"Windows, Linux, Android, Mac, IOS","5 Different Solutions for Remote Support, Access to Unattended Computers, Access to User Account Control (UAC) Screens, Add Your Own Logo, Auto Sizing, Automatic Update, Clipboard Transfer, Computer Independent Licensing, Contact List and Groups, Encrypted Communication, External Communication Barrier, File Transfer, Instant Messaging, Multi-Platform Support, Multiple Chat, Multiple Connections, No Port Forwarding Required, Peer to Peer Connection (p2p), Receiving Offline Message, Remote Restart, ReportingRestricting The Authority, Screen Sharing, Sending Announcement Message, Sharing a certain part of the screen, Video Recording, Voice Communication, Who is currently supporting?, Working in Black Screen Mode",,"C:\AlpemixService.exe, C:\AlpemixSrvc\","{""Disk"": [{""File"": ""%localappdata%\\Alpemix\\Alpemix.ini"", ""Description"": ""N/A"", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""AlpemixSrvc"", ""ImagePath"": ""*\\Alpemix.exe servicestartxxx"", ""Description"": ""Service installation event as result of Alpemix installation.""}], ""Registry"": [{""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Services\\AlpemixSrvcx"", ""Description"": ""N/A""}], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""*.alpemix.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.teknopars.com""], ""Ports"": [80]}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of Alpemix RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_network_sigma.yml"", ""Description"": ""Detects potential network activity of Alpemix RMM tool""}, 
{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_files_sigma.yml"", ""Description"": ""Detects potential files activity of Alpemix RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Alpemix RMM tool""}]",https://www.alpemix.com/en/remote-access,"[{""Person"": ""Nasreddine Bencherchali"", ""Handle"": ""@nas_bench""}]" +Auvik,,Auvik is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"auvik.engine.exe, auvik.agent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.my.auvik.com"", ""*.auvik.com"", ""auvik.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/auvik_network_sigma.yml"", ""Description"": ""Detects potential network activity of Auvik RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/auvik_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Auvik RMM tool""}]",https://support.auvik.com/hc/en-us/articles/204315700-What-protocols-and-ports-does-the-Auvik-collector-use,[] +Tactical RMM,,Tactical RMM is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"tacticalrmm.exe, tacticalrmm.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""login.tailscale.com"", ""login.tailscale.com"", ""docs.tacticalrmm.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tactical_rmm_network_sigma.yml"", ""Description"": ""Detects potential network activity of Tactical RMM RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tactical_rmm_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Tactical RMM RMM tool""}]",docs.tacticalrmm.com,[] +MioNet (WD Anywhere Access),,MioNet (WD Anywhere Access) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"mionet.exe, mionetmanager.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mionet__wd_anywhere_access__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MioNet (WD Anywhere Access) RMM tool""}]",https://en.wikipedia.org/wiki/WD_Anywhere_Access - DOA as of 2016,[] +Comodo RMM,,Comodo RMM is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"itsmagent.exe, rviewer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.itsm-us1.comodo.com"", ""*mdmsupport.comodo.com"", ""one.comodo.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/comodo_rmm_network_sigma.yml"", ""Description"": ""Detects potential network activity of Comodo RMM RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/comodo_rmm_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Comodo RMM RMM tool""}]","https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html",[] +Pocket Controller,,Pocket Controller is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"pocketcontroller.exe, pocketcloudservice.exe, wysebrowser.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""soti.net/products/soti-pocket-controller""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller_network_sigma.yml"", ""Description"": ""Detects potential network activity of Pocket Controller RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pocket Controller RMM tool""}]",,[] +NordLocker,,NordLocker is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +OCS inventory,,OCS inventory is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"ocsinventory.exe, ocsservice.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""ocsinventory-ng.org""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ocs_inventory_network_sigma.yml"", ""Description"": ""Detects potential network activity of OCS inventory RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ocs_inventory_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of OCS inventory RMM tool""}]",https://ocsinventory-ng.org/?page_id=878&lang=en,[] +GotoHTTP,,GotoHTTP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"GotoHTTP_x64.exe, gotohttp.exe, GotoHTTP*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.gotohttp.com"", ""gotohttp.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotohttp_network_sigma.yml"", ""Description"": ""Detects potential network activity of GotoHTTP RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotohttp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of GotoHTTP RMM tool""}]",https://gotohttp.com/goto/help.12x,[] +Terminals,,Terminals is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +RPort,,RPort is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,rport.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""rport.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rport_network_sigma.yml"", ""Description"": ""Detects potential network activity of RPort RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rport_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RPort RMM tool""}]",https://kb.rport.io/using-the-remote-access,[] CentraStage (Now Datto),,CentraStage (Now Datto) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"CagService.exe, AEMAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.rmm.datto.com"", ""*cc.centrastage.net"", ""datto.com/au/products/rmm/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centrastage__now_datto__network_sigma.yml"", ""Description"": ""Detects potential network activity of CentraStage (Now Datto) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centrastage__now_datto__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of CentraStage (Now Datto) RMM tool""}]",https://rmm.datto.com/help/de/Content/1INTRODUCTION/Requirements/AllowListRequirements.htm,[] -Insync,,Insync is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\USERNAME\AppData\Roaming\Insync\App\Insync.exe, *Users\*\AppData\Roaming\Insync\App\Insync.exe, *\Insync.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/insync_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Insync RMM tool""}]",,[] -LogMeIn rescue,,LogMeIn rescue is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"support-logmeinrescue*.exe, support-logmeinrescue.exe, lmi_rescue.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.logmeinrescue.com"", ""*.logmeinrescue.eu"", ""logmeinrescue.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_rescue_network_sigma.yml"", ""Description"": ""Detects potential network activity of LogMeIn rescue RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_rescue_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of LogMeIn rescue RMM tool""}]",https://support.logmeinrescue.com/rescue/help/allowlisting-and-rescue,[] -Electric AI (Kaseya),,Electric AI (Kaseya) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""electric.ai""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/electric_network_sigma.yml"", ""Description"": ""Detects potential network activity of Electric RMM tool""}]",https://www.electric.ai/product/device-management-solutions - Usess Kaseya/jamf,[] -Adobe Connect,,Adobe Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/27/2024,,,,,,,,,,,,"ConnectAppSetup*.exe, ConnectShellSetup*.exe, Connect.exe, ConnectDetector.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.adobeconnect.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/adobe_connect_network_sigma.yml"", ""Description"": ""Detects potential network activity of Adobe Connect RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/adobe_connect_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Adobe Connect RMM tool""}]",https://helpx.adobe.com/adobe-connect/firewall-proxy-server-configuration-adobe-connect.html,[] -CloudFlare Tunnel,,CloudFlare Tunnel is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,cloudflared.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""cloudflare.com/products/tunnel/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudflare_tunnel_network_sigma.yml"", ""Description"": ""Detects potential network activity of CloudFlare Tunnel RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudflare_tunnel_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of CloudFlare Tunnel RMM tool""}]",cloudflare.com/products/tunnel/,[] +Instant Housecall,,Instant Housecall is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"hsloader.exe, InstantHousecall.exe, ihcserver.exe, instanthousecall.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.instanthousecall.com"", ""secure.instanthousecall.com"", ""*.instanthousecall.net"", ""instanthousecall.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_network_sigma.yml"", ""Description"": ""Detects potential network activity of Instant Housecall RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Instant Housecall RMM tool""}]",https://instanthousecall.com/features/,[] +CruzControl,,CruzControl is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],https://resources.doradosoftware.com/cruz-rmm,[] +Mikogo,,Mikogo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"mikogo.exe, mikogo-starter.exe, mikogo-service.exe, mikogolauncher.exe, C:\Users\*\AppData\Roaming\Mikogo\*, *Users\*\AppData\Roaming\Mikogo\*, *\Mikogo-Service.exe, *\Mikogo-Screen-Service.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.real-time-collaboration.com"", ""*.mikogo4.com"", ""*.mikogo.com"", ""mikogo.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mikogo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Mikogo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mikogo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Mikogo RMM tool""}]",https://mikogo.zendesk.com/hc/en-us/articles/214072478-Which-IP-addresses-do-we-use-for-our-services,[] +mRemoteNG,,mRemoteNG is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"mRemoteNG.exe, C:\Program Files (x86)\mRemoteNG\*, *\mRemoteNG\*, *\mRemoteNG.exe, c:\Program Files (x86)%\mRemoteNG, *%\mRemoteNG, mRemoteNG-Installer-*.msi, *\mRemoteNG.exe","{""Disk"": [{""File"": ""C:\\Users\\*\\AppData\\Roaming\\mRemoteNG\\mRemoteNG.log"", ""Description"": ""mRemoteNG log file"", ""OS"": ""Windows""}, {""File"": ""C:\\Users\\*\\AppData\\Roaming\\mRemoteNG\\confCons.xml"", ""Description"": ""mRemoteNG configuration file"", ""OS"": ""Windows""}, {""File"": ""C:\\Users\\*\\AppData\\*\\mRemoteNG\\**10\\user.config"", ""Description"": ""mRemoteNG user configuration file"", ""OS"": ""Windows""}], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""mremoteng.org""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_network_sigma.yml"", ""Description"": ""Detects potential network activity of mRemoteNG RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_files_sigma.yml"", ""Description"": ""Detects potential files activity of mRemoteNG RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of mRemoteNG RMM tool""}]",https://github.com/mRemoteNG/mRemoteNG,[] +LabTech RMM (Now ConnectWise Automate),,LabTech RMM (Now ConnectWise Automate) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"ltsvc.exe, ltsvcmon.exe, lttray.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""connectwise.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labtech_rmm__now_connectwise_automate__network_sigma.yml"", ""Description"": ""Detects potential network activity of LabTech RMM (Now ConnectWise Automate) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labtech_rmm__now_connectwise_automate__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of LabTech RMM (Now ConnectWise Automate) RMM tool""}]",,[] +ScreenMeet,,ScreenMeet is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"ScreenMeetSupport.exe, ScreenMeet.Support.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.screenmeet.com"", ""*.scrn.mt""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenmeet_network_sigma.yml"", ""Description"": ""Detects potential network activity of ScreenMeet RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenmeet_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ScreenMeet RMM tool""}]",https://docs.screenmeet.com/docs/firewall-white-list,[] +RES Automation Manager,,RES Automation Manager is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"wisshell*.exe, wmc.exe, wmc_deployer.exe, wmcsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""ivanti.com/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/res_automation_manager_network_sigma.yml"", ""Description"": ""Detects potential network activity of RES Automation Manager RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/res_automation_manager_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RES Automation Manager RMM tool""}]",https://forums.ivanti.com/s/article/INFO-Which-ports-does-Ivanti-Automation-use?language=en_US&ui-force-components-controllers-recordGlobalValueProvider.RecordGvp.getRecord=1,[] +Anyplace Control,,Anyplace Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,apc_host.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""anyplace-control.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyplace_control_network_sigma.yml"", ""Description"": ""Detects potential network activity of Anyplace Control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyplace_control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Anyplace Control RMM tool""}]",http://www.anyplace-control.com/anyplace-control/help/faq.htm,[] +TightVNC,,TightVNC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"tvnviewer.exe, TightVNCViewerPortable*.exe, tvnserver.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""tightvnc.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tightvnc_network_sigma.yml"", ""Description"": ""Detects potential network activity of TightVNC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tightvnc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of TightVNC RMM tool""}]",https://www.tightvnc.com/doc/win/TightVNC_for_Windows-Installation_and_Getting_Started.pdf,[] +LiteManager,,LiteManager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"lmnoipserver.exe, ROMFUSClient.exe, romfusclient.exe, romviewer.exe, romserver.exe, ROMServer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.litemanager.ru"", ""*.litemanager.com"", ""litemanager.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/litemanager_network_sigma.yml"", ""Description"": ""Detects potential network activity of LiteManager RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/litemanager_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of LiteManager RMM tool""}]",https://www.litemanager.com/articles/LiteManager_remote_access_to_a_desktop_via_the_Internet_or_LAN/,[] +Sophos-Remote Management System,,Sophos-Remote Management System is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"clientmrinit.exe, mgntsvc.exe, routernt.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.sophos.com"", ""*.sophosupd.com"", ""*.sophosupd.net"", ""community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sophos-remote_management_system_network_sigma.yml"", ""Description"": ""Detects potential network activity of Sophos-Remote Management System RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sophos-remote_management_system_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Sophos-Remote Management System RMM tool""}]",community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system,[] +ManageEngine,,ManageEngine is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"InstallShield Setup.exe, ManageEngine_Remote_Access_Plus.exe, *\dcagentservice.exe, C:\Program Files (x86)\DesktopCentral_Agent\bin\*, *\DesktopCentral_Agent\bin\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manageengine_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ManageEngine RMM tool""}]",,[] +Splashtop Remote,,Splashtop Remote is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"strwinclt.exe, Splashtop_Streamer_Windows*.exe, SplashtopSOS.exe, sragent.exe, srmanager.exe, srserver.exe, srservice.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""splashtop.com"", ""*.api.splashtop.com"", ""*.relay.splashtop.com"", ""*.api.splashtop.eu""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_remote_network_sigma.yml"", ""Description"": ""Detects potential network activity of Splashtop Remote RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_remote_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Splashtop Remote RMM tool""}]",https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services,[] +rdp2tcp,,rdp2tcp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"tdp2tcp.exe, rdp2tcp.py","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""github.com/V-E-O/rdp2tcp""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdp2tcp_network_sigma.yml"", ""Description"": ""Detects potential network activity of rdp2tcp RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdp2tcp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of rdp2tcp RMM tool""}]",github.com/V-E-O/rdp2tcp,[] +Jump Cloud,,Jump Cloud is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,JumpCloud*.exe ,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.api.jumpcloud.com"", ""*.assist.jumpcloud.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_cloud_network_sigma.yml"", ""Description"": ""Detects potential network activity of Jump Cloud RMM tool""}]",https://jumpcloud.com/support/understand-remote-assist-agent,[] +RuDesktop,,RuDesktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rd.exe, rudesktop*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.rudesktop.ru"", ""rudesktop.ru""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rudesktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of RuDesktop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rudesktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RuDesktop RMM tool""}]",https://rudesktop.ru,[] +LogMeIn,,"LogMeIn is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. 
+",Nasreddine Bencherchali,2024-08-05,2024-08-05,https://www.logmein.com/,lmiguardiansvc.exe,,,,,,,,,,None,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""logmein-gateway.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.logmein.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.logmein.eu""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""logmeinrescue.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.logmeininc.com""], ""Ports"": [443]}]}","[{""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml"", ""Description"": ""DNS Query To Remote Access Software Domain From Non-Browser App""}, {""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_remote_access_tools_logmein.yml"", ""Description"": ""Remote Access Tool - LogMeIn Execution""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_network_sigma.yml"", ""Description"": ""Detects potential network activity of LogMeIn RMM tool""}]",https://support.logmeininc.com/central/help/allowlisting-and-firewall-configuration,"[{""Person"": ""Nasreddine Bencherchali"", ""Handle"": ""@nas_bench""}]" +SmartFTP,,SmartFTP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\SmartFTP Client\en-US\, *\SmartFTP Client\*, *\SfShellTools.dll.mui","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +NetSupport Manager,,NetSupport Manager is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"pcictlui.exe, pcicfgui.exe, client32.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.netsupportmanager.com"", ""netsupportmanager.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_network_sigma.yml"", ""Description"": ""Detects potential network activity of NetSupport Manager RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NetSupport Manager RMM tool""}]",https://www.netsupportmanager.com/resources/,[] +Pocket Cloud (Wyse),,Pocket Cloud (Wyse) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"pocketcloud*.exe, pocketcloudservice.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_cloud__wyse__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pocket Cloud (Wyse) RMM tool""}]",https://wyse-pocketcloud.informer.com/2.1/,[] +Guacamole,,Guacamole is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,guacd.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""guacamole.apache.org""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/guacamole_network_sigma.yml"", ""Description"": ""Detects potential network activity of Guacamole RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/guacamole_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Guacamole RMM tool""}]",guacamole.apache.org,[] +LANDesk,,LANDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"issuser.exe, landeskagentbootstrap.exe, LANDeskPortalManager.exe, ldinv32.exe, ldsensors.exe, C:\Program Files (x86)\LANDesk\*, *\LANDesk\*, *\issuser.exe, *\softmon.exe, *\tmcsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.ivanticloud.com"", ""*.ivanti.com"", ""ivanti.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/landesk_network_sigma.yml"", ""Description"": ""Detects potential network activity of LANDesk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/landesk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of LANDesk RMM tool""}]",https://forums.ivanti.com/s/article/URL-exception-list-for-Ivanti-Security-Controls?language=en_US,[] +pcAnywhere,,pcAnywhere is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"awhost32.exe, awrem32.exe, pcaquickconnect.exe, winaw32.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcanywhere_network_sigma.yml"", ""Description"": ""Detects potential network activity of pcAnywhere RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcanywhere_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of pcAnywhere RMM tool""}]",https://en.wikipedia.org/wiki/PcAnywhere,[] mstsc,,mstsc is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Windows\System32\mstsc.exe, *Windows\System32\mstsc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mstsc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of mstsc RMM tool""}]",,[] -Parallels Access,,Parallels Access is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"parallelsaccess-*.exe, TSClient.exe, prl_deskctl_agent.exe, prl_deskctl_wizard.exe, prl_pm_service.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.parallels.com"", ""parallels.com/products/ras/try""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/parallels_access_network_sigma.yml"", ""Description"": ""Detects potential network activity of Parallels Access RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/parallels_access_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Parallels Access RMM tool""}]",https://kb.parallels.com/en/129097,[] -ConnectWise Control,,ConnectWise Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"connectwisechat-customer.exe, connectwisecontrol.client.exe, screenconnect.windowsclient.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""live.screenconnect.com"", ""control.connectwise.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_network_sigma.yml"", ""Description"": ""Detects potential network activity of ConnectWise Control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ConnectWise Control RMM tool""}]",,[] +FreeNX,,FreeNX is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\nxplayer.exe, *\nxplayer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/freenx_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of FreeNX RMM tool""}]",,[] +PSEXEC (Clone),,PSEXEC (Clone) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"paexec.exe, PAExec-*.exe, csexec.exe , remcom.exe, remcomsvc.exe, xcmd.exe, xcmdsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec__clone__network_sigma.yml"", ""Description"": ""Detects potential network activity of PSEXEC (Clone) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec__clone__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of PSEXEC (Clone) RMM tool""}]",https://www.poweradmin.com/paexec/,[] +SpyAnywhere,,SpyAnywhere is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,sysdiag.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.spytech-web.com"", ""spyanywhere.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/spyanywhere_network_sigma.yml"", ""Description"": ""Detects potential network activity of SpyAnywhere RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/spyanywhere_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SpyAnywhere RMM tool""}]",https://www.spyanywhere.com/support.shtml,[] +MultCloud,,MultCloud is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"requires sign up, requires sign up","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Visual Studio Dev Tunnel,,Visual Studio Dev Tunnel is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""global.rel.tunnels.api.visualstudio.com"", ""*.rel.tunnels.api.visualstudio.com"", ""*.devtunnels.ms""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/visual_studio_dev_tunnel_network_sigma.yml"", ""Description"": ""Detects potential network activity of Visual Studio Dev Tunnel RMM tool""}]",https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security,[] +Xpra,,Xpra is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Xpra\*, *\Xpra\*, *\Xpra-Launcher.exe, *\Xpra-x86_64_Setup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xpra_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Xpra RMM tool""}]",,[] +Royal Apps,,Royal Apps is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"royalserver.exe, royalts.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_apps_network_sigma.yml"", ""Description"": ""Detects potential network activity of Royal Apps RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_apps_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Royal Apps RMM tool""}]",https://www.royalapps.com/ts/win/download,[] +eHorus,,eHorus is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,ehorus standalone.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""ehorus.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ehorus_network_sigma.yml"", ""Description"": ""Detects potential network activity of eHorus RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ehorus_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of eHorus RMM tool""}]",,[] +SuperPuTTY,,SuperPuTTY is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Downloads\SuperPuTTY\*, *Downloads\SuperPuTTY\*, *\superputty.exe, *\SuperPuTTY\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superputty_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SuperPuTTY RMM tool""}]",,[] +ZeroTier,,ZeroTier is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"zerotier*.msi, zerotier*.exe, zero-powershell.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""zerotier.com"", ""*.zerotier.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zerotier_network_sigma.yml"", ""Description"": ""Detects potential network activity of ZeroTier RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zerotier_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ZeroTier RMM tool""}]",https://my.zerotier.com/,[] Devolutions Remote Desktop Manager,,Devolutions Remote Desktop Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -TigerVNC,,TigerVNC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"tigervnc*.exe, winvnc4.exe, C:\Program Files\TightVNC\*, *\TightVNC\*, *\tvnserver.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tigervnc_network_sigma.yml"", ""Description"": ""Detects potential network activity of TigerVNC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tigervnc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of TigerVNC RMM tool""}]",https://github.com/TigerVNC/tigervnc/releases,[] -Rocket Remote Desktop,,Rocket Remote Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"RDConsole.exe, RocketRemoteDesktop_Setup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rocket_remote_desktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Rocket Remote Desktop RMM tool""}]",,[] -NoteOn-desktop sharing,,NoteOn-desktop sharing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"nateon*.exe, nateon.exe, nateonmain.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/noteon-desktop_sharing_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NoteOn-desktop sharing RMM tool""}]",,[] -HelpU,,HelpU is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"helpu_install.exe, HelpuUpdater.exe, HelpuManager.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""helpu.co.kr"", ""*.helpu.co.kr""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpu_network_sigma.yml"", ""Description"": ""Detects potential network activity of HelpU RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpu_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of HelpU RMM tool""}]",https://helpu.co.kr/,[] -Splashtop Remote,,Splashtop Remote is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"strwinclt.exe, Splashtop_Streamer_Windows*.exe, SplashtopSOS.exe, sragent.exe, srmanager.exe, srserver.exe, srservice.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""splashtop.com"", ""*.api.splashtop.com"", ""*.relay.splashtop.com"", ""*.api.splashtop.eu""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_remote_network_sigma.yml"", ""Description"": ""Detects potential network activity of Splashtop Remote RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_remote_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Splashtop Remote RMM tool""}]",https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services,[] -X2Go,,X2Go is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],https://wiki.x2go.org/doku.php,[] -Pocket Controller,,Pocket Controller is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"pocketcontroller.exe, pocketcloudservice.exe, wysebrowser.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""soti.net/products/soti-pocket-controller""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller_network_sigma.yml"", ""Description"": ""Detects potential network activity of Pocket Controller RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pocket Controller RMM tool""}]",,[] -Xshell,,Xshell is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\NetSarang\xShell\*, *\NetSarang\xShell\*, *\xShell.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xshell_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Xshell RMM tool""}]",,[] -Bitvise SSH Client,,Bitvise SSH Client is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Bitvise SSH Client\*, *\Bitvise SSH Client\*, *\BvSshClient-Inst.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bitvise_ssh_client_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Bitvise SSH Client RMM tool""}]",,[] -Royal Server,,Royal Server is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""royalapps.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_server_network_sigma.yml"", ""Description"": ""Detects potential network activity of Royal Server RMM tool""}]",https://royalapps.com/server/main/features,[] -Remote Manipulator System,,Remote Manipulator System is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rfusclient.exe, rutserv.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.internetid.ru"", ""rmansys.ru""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_manipulator_system_network_sigma.yml"", ""Description"": ""Detects potential network activity of Remote Manipulator System RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_manipulator_system_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remote Manipulator System RMM tool""}]",https://rmansys.ru/files/,[] -Manage Engine (Desktop Central),,Manage Engine (Desktop Central) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"dcagentservice.exe, dcagentregister.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""desktopcentral.manageengine.com"", ""desktopcentral.manageengine.com.eu"", ""desktopcentral.manageengine.cn"", ""*.dms.zoho.com"", ""*.dms.zoho.com.eu"", ""*.-dms.zoho.com.cn""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktop_central_network_sigma.yml"", ""Description"": ""Detects potential network activity of Desktop Central RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktop_central_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Desktop Central RMM tool""}]",,[] -Auvik,,Auvik is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"auvik.engine.exe, auvik.agent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.my.auvik.com"", ""*.auvik.com"", ""auvik.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/auvik_network_sigma.yml"", ""Description"": ""Detects potential network activity of Auvik RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/auvik_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Auvik RMM tool""}]",https://support.auvik.com/hc/en-us/articles/204315700-What-protocols-and-ports-does-the-Auvik-collector-use,[] -Basecamp,,Basecamp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""basecamp.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/basecamp_network_sigma.yml"", ""Description"": ""Detects potential network activity of Basecamp RMM tool""}]",basecamp.com - No specific RMM tool listed,[] -Free Tools Launcher,,Free Tools Launcher is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\ManageEngine\ManageEngine Free Tools\Launcher\*, *\ManageEngine\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +BeAnyWhere,,BeAnyWhere is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"basuptshelper.exe, basupsrvcupdate.exe, BASupApp.exe, BASupSysInf.exe, BASupAppSrvc.exe, TakeControl.exe, BASupAppElev.exe, basupsrvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""beanywhere.en.uptodown.com/windows"", ""beanywhere.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beanywhere_network_sigma.yml"", ""Description"": ""Detects potential network activity of BeAnyWhere RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beanywhere_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of BeAnyWhere RMM tool""}]",https://www.shouldiremoveit.com/beanywhere-support-service-40908-program.aspx,[] +WebEx (Remote Access),,WebEx (Remote Access) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],https://help.webex.com/en-us/article/nyc3q0b/Set-Up-a-Computer-for-Remote-Access,[] AnyDesk,RMM,"AnyDesk is a popular remote desktop software that enables users to access and control a computer or device from a remote location. It was developed with the primary goal of facilitating remote work, technical support, and collaboration between individuals and teams. 
","Ali Alwashali, Nasreddine Bencherchali",2023-09-29,2024-10-06,https://anydesk.com/en,anydesk.exe,AnyDesk.exe,AnyDesk,AnyDesk,User,True,False,"Android, ChromeOS, IOS, Linux, Mac, Windows","File Transfer, File System Access, Remote Control, GUI Support, Command line Support",https://www.cvedetails.com/vulnerability-list/vendor_id-16953/product_id-40173/Anydesk-Anydesk.html,"C:\Program Files (x86)\AnyDesk\*, C:\Program Files\AnyDesk\*","{""Disk"": [{""File"": ""%programdata%\\AnyDesk\\ad_svc.trace"", ""Description"": ""AnyDesk service log file. As well as ad.trace, we can determine the IP address of the other participant and its AnyDesk ID when a connection is established."", ""OS"": ""Windows"", ""Example"": [""info 2022-08-23 10:20:11.969 gsvc 4628 3528 3 anynet.relay_conn - External address: 34.xx.xx.123:46798""]}, {""File"": ""%programdata%\\AnyDesk\\connection_trace.txt"", ""Description"": ""Incoming connection logs, contains IP Address of the remote machine and file transfer activity. Only generated on target side. The content indicates how the connection was approved (e.g. the local user authorized it, or a password was used)"", ""OS"": ""Windows"", ""Example"": [""Incoming 2022-08-23, 10:23 Passwd 547911884 547911884"", ""Incoming 2022-09-28, 12:39 User 442226597 442226597""]}, {""File"": ""%APPDATA%\\AnyDesk\\connection_trace.txt"", ""Description"": ""Incoming connection logs, contains IP Address of the remote machine and file transfer activity. Only generated on target side. The content indicates how the connection was approved (e.g. the local user authorized it, or a password was used)"", ""OS"": ""Windows"", ""Example"": [""Incoming 2022-08-23, 10:23 Passwd 547911884 547911884"", ""Incoming 2022-09-28, 12:39 User 442226597 442226597""]}, {""File"": ""%APPDATA%\\AnyDesk\\ad.trace"", ""Description"": ""AnyDesk user interface log file. In this log file, we can determine the IP address of the other participant and its AnyDesk ID. 
It is also possible to track events of file transfer. Below is the Client ID and external IP address of the remote participant."", ""OS"": ""Windows"", ""Example"": [""info 2022-09-28 12:39:26.845 lsvc 9952 9944 21 anynet.any_socket - Client-ID: 442226597 (FPR: 8e28a2a25b30)."", ""info 2022-09-28 12:39:26.845 lsvc 9952 9944 21 anynet.any_socket - Logged in from 12.xx.xx.21:59562 on relay 80e496c0.""]}, {""File"": ""%APPDATA%\\AnyDesk\\chat\\*.txt"", ""Description"": ""If the chat functionality is used, its entries will be printed in a text file in this folder."", ""OS"": ""Windows""}, {""File"": ""%APPDATA%\\AnyDesk\\user.conf"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%PROGRAMDATA%\\AnyDesk\\service.conf"", ""Description"": ""Password can be set to auto-validate the session. The password will be saved in a salted hash format."", ""OS"": ""Windows""}, {""File"": ""%APPDATA%\\AnyDesk\\service.conf"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%APPDATA%\\AnyDesk\\system.conf"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%PROGRAMDATA%\\AnyDesk\\system.conf"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\AnyDesk.lnk"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\AnyDesk\\Uninstall AnyDesk.lnk"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Users\\*\\Videos\\AnyDesk\\*.anydesk"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\SysWOW64\\config\\systemprofile\\AppData\\Roaming\\AnyDesk\\*"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""~/Library/Application Support/AnyDesk/Logs/"", ""Description"": ""N/A"", ""OS"": ""Mac""}, {""File"": ""~/.config/AnyDesk/Logs/"", ""Description"": ""N/A"", ""OS"": ""Linux""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", 
""LogFile"": ""System.evtx"", ""ServiceName"": ""AnyDesk Service"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\AnyDesk\\\\AnyDesk.exe\"" --service"", ""Description"": ""Service installation event as result of AnyDesk installation.""}, {""EventID"": 4697, ""ProviderName"": ""Microsoft-Security-Auditing"", ""LogFile"": ""Security.evtx"", ""ServiceName"": ""AnyDesk Service"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\AnyDesk\\\\AnyDesk.exe\"" --service"", ""Description"": ""Service installation event as result of AnyDesk installation.""}], ""Registry"": [{""Path"": ""HKLM\\SOFTWARE\\Clients\\Media\\AnyDesk"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Services\\AnyDesk"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\Classes\\.anydesk\\shell\\open\\command"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\Classes\\AnyDesk\\shell\\open\\command"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\AnyDesk Printer\\*"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\DRIVERS\\DriverDatabase\\DeviceIds\\USBPRINT\\AnyDesk"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\DRIVERS\\DriverDatabase\\DeviceIds\\WSDPRINT\\AnyDesk"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\AnyDesk"", ""Description"": ""N/A""}], ""Network"": [{""Description"": ""During setup the boot.net.anydesk.com domain is request over port 443"", ""Domains"": [""boot.net.anydesk.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""relay-[a-f0-9]{8}.net.anydesk.com:443""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.anydesk.com""], ""Ports"": [443]}], ""Other"": [{""Type"": ""User-Agent"", ""Value"": ""AnyDesk/*""}, {""Type"": ""NamedPipe"", ""Value"": ""adprinterpipe""}]}","[{""Sigma"": 
""https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/builtin/system/service_control_manager/win_system_service_install_anydesk.yml"", ""Description"": ""Anydesk Remote Access Software Service Installation""}, {""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml"", ""Description"": ""N/A""}, {""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk.yml"", ""Description"": ""N/A""}, {""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml"", ""Description"": ""Remote Access Tool - AnyDesk Silent Installation""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of AnyDesk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_network_sigma.yml"", ""Description"": ""Detects potential network activity of AnyDesk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_files_sigma.yml"", ""Description"": ""Detects potential files activity of AnyDesk RMM tool""}]","https://support.anydesk.com/knowledge/firewall, https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html, https://github.com/mthcht/awesome-lists/tree/79ced75eebe53bcabf1235b3c17eb11788875482/Lists/RMM/anydesk, https://ruler-project.github.io/ruler-project/RULER/remote/AnyDesk/","[{""Person"": ""Th\u00e9o Letailleur"", ""Handle"": ""in/theosyn""}, {""Person"": ""Ali Alwashali"", ""Handle"": ""@ali_alwashali""}, {""Person"": ""Nasreddine Bencherchali"", ""Handle"": 
""@nas_bench""}]" -AnyViewer,,"AnyViewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. -",@kostastsale,2024-08-03,2024-08-03,https://www.anyviewer.com/,AnyViewer.exe,AnyViewer,Splash Window,,System,up to 10 devices,None,Windows,"Remote desktop, Remote file transfer, Remote monitoring and management, Remote shell open",,C:\Program Files (x86)\AnyViewer\*,"{""Disk"": [], ""EventLog"": [{""EventID"": 4688, ""ProviderName"": ""Microsoft-Security-Auditing"", ""LogFile"": ""Security.evtx"", ""CommandLine"": ""\""C:\\\\Program Files (x86)\\\\AnyViewer\\\\AVCore.exe\"" -d"", ""Description"": ""Taking actions on the remote machine such as opening a command prompt.""}, {""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""RCService"", ""ImagePath"": ""C:\\\\Program Files (x86)\\\\AnyViewer\\\\RCService.exe"", ""Description"": ""AnyViewer service installation service.""}], ""Registry"": [], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""*.anyviewer.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.aomeisoftware.com""], ""Ports"": [443]}]}","[{""Name"": ""Arbitrary code execution and remote sessions via Action1 RMM"", ""Description"": ""Threat hunting rule for detecting the execution of arbitrary code and remote sessions via Action1 RMM"", ""author"": ""@kostastsale"", ""Link"": ""https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/Anyviewer.yml""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyviewer_network_sigma.yml"", ""Description"": ""Detects potential network activity of AnyViewer RMM tool""}]","https://www.anyviewer.com/how-to/how-to-open-firewall-ports-for-remote-desktop-0427-gc.html, https://www.anyviewer.com/help/remote-technical-support.html","[{""Person"": ""Kostas"", ""Handle"": ""@kostastsale""}]" -Level,,Level is a remote monitoring and management 
(RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""level.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level_network_sigma.yml"", ""Description"": ""Detects potential network activity of Level RMM tool""}]",,[] -Site24x7,,Site24x7 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/13/2024,,,,,,,,,,,,"MEAgentHelper.exe, MonitoringAgent.exe, Site24x7WindowsAgentTrayIcon.exe, Site24x7PluginAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""plus*.site24x7.com"", ""plus*.site24x7.eu"", ""plus*.site24x7.in"", ""plus*.site24x7.cn"", ""plus*.site24x7.net.au"", ""site24x7.com/msp""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/site24x7_network_sigma.yml"", ""Description"": ""Detects potential network activity of Site24x7 RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/site24x7_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Site24x7 RMM tool""}]",https://support.site24x7.com/portal/en/kb/articles/which-ports-do-i-need-to-allow-access-in-my-firewall-to-use-site24x7-agent,[] -ScreenConnect,,ScreenConnect is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,"Ali Alwashali, Nasreddine Bencherchali",2023-10-01,2024-10-08,https://www.connectwise.com,,,,,,14-Days Free Trial,,"Android, IOS, Linux, Mac, Windows","Command Line Support, File Transfer, Install Windows updates, Receive notification when user performs a predefined event, Remote Command Line, Remote Control, Sound Capture, Start / Stop services, View event logs",,"C:\Program Files (x86)\ScreenConnect Client (Random)\ScreenConnect.ClientService.exe, Remote Workforce Client.exe, *\*\ScreenConnect.ClientService.exe, C:\Program Files (x86)\ScreenConnect Client ()\*, *\ScreenConnect Client*\*, *\*\ScreenConnect.WindowsClient.exe, screenconnect*.exe, screenconnect.windowsclient.exe, Remote Workforce Client.exe, screenconnect*.exe, ConnectWiseControl*.exe, connectwise*.exe, screenconnect.windowsclient.exe, screenconnect.clientservice.exe","{""Disk"": [{""File"": ""C:\\Program Files*\\ScreenConnect\\App_Data\\Session.db"", ""Description"": ""ScreenConnect session database"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files*\\ScreenConnect\\App_Data\\User.xml"", ""Description"": ""ScreenConnect user configuration"", ""OS"": ""Windows""}, {""File"": ""C:\\ProgramData\\ScreenConnect Client*\\user.config"", ""Description"": ""ScreenConnect client user configuration"", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": [""ScreenConnect"", ""ScreenConnect Client ()""], ""LogFile"": ""Application.evtx"", ""ServiceName"": ""ScreenConnect Client ()"", ""Description"": ""Service installation event as a result of ScreenConnect installation.""}, {""EventID"": 20, ""ProviderName"": [""ScreenConnect"", ""ScreenConnect Client ()""], ""LogFile"": ""Application.evtx"", ""ServiceName"": ""ScreenConnect Client ()"", ""Description"": ""Logs events such as successful or failed connections, and user logins.""}], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": 
[""control.connectwise.com"", ""*.connectwise.com"", ""*.screenconnect.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_network_sigma.yml"", ""Description"": ""Detects potential network activity of ScreenConnect RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_files_sigma.yml"", ""Description"": ""Detects potential files activity of ScreenConnect RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ScreenConnect RMM tool""}]","https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours/, https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling",[] -SmartFTP,,SmartFTP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\SmartFTP Client\en-US\, *\SmartFTP Client\*, *\SfShellTools.dll.mui","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -SpyAnywhere,,SpyAnywhere is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,sysdiag.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.spytech-web.com"", ""spyanywhere.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/spyanywhere_network_sigma.yml"", ""Description"": ""Detects potential network activity of SpyAnywhere RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/spyanywhere_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SpyAnywhere RMM tool""}]",https://www.spyanywhere.com/support.shtml,[] +Free Ping Tool,,Free Ping Tool is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"can't find this one, can't find this one","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +S3 Browser,,S3 Browser is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\S3 Browser\*, *\S3 Browser\*, *\s3browser*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/s3_browser_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of S3 Browser RMM tool""}]",,[] +NinjaOne (formerly NinjaRMM),,NinjaOne (formerly NinjaRMM) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,*ProgramData\NinjaRMMAgent\*,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Adobe Connect,,Adobe Connect is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/27/2024,,,,,,,,,,,,"ConnectAppSetup*.exe, ConnectShellSetup*.exe, Connect.exe, ConnectDetector.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.adobeconnect.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/adobe_connect_network_sigma.yml"", ""Description"": ""Detects potential network activity of Adobe Connect RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/adobe_connect_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Adobe Connect RMM tool""}]",https://helpx.adobe.com/adobe-connect/firewall-proxy-server-configuration-adobe-connect.html,[] +RemotePC,,RemotePC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"C:\Program Files (x86)\RemotePC\*, Idrive.File-Transfer, *\RemotePC\*, remotepcservice.exe, RemotePC.exe, remotepchost.exe, idrive.RemotePCAgent, rpcsuite.exe, *\RemotePCService.exe, RemotePCService.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.remotedesktop.com"", ""*.remotepc.com"", ""www.remotepc.com"", ""remotepc.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepc_network_sigma.yml"", ""Description"": ""Detects potential network activity of RemotePC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RemotePC RMM tool""}]",https://www.remotedesktop.com/helpdesk/faq-firewall,[] +LogMeIn rescue,,LogMeIn rescue is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"support-logmeinrescue*.exe, support-logmeinrescue.exe, lmi_rescue.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.logmeinrescue.com"", ""*.logmeinrescue.eu"", ""logmeinrescue.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_rescue_network_sigma.yml"", ""Description"": ""Detects potential network activity of LogMeIn rescue RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_rescue_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of LogMeIn rescue RMM tool""}]",https://support.logmeinrescue.com/rescue/help/allowlisting-and-rescue,[] +UltraViewer,,UltraViewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"UltraViewer_Service.exe, UltraViewer_setup*, UltraViewer_Desktop.exe, ultraviewer.exe, C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe, *\UltraViewer\, *\UltraViewer_Desktop.exe, ultraviewer_desktop.exe, ultraviewer_service.exe, UltraViewer_Desktop.exe, UltraViewer_setup*, UltraViewer_Service.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""* .ultraviewer.net"", ""ultraviewer.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultraviewer_network_sigma.yml"", ""Description"": ""Detects potential network activity of UltraViewer RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultraviewer_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of UltraViewer RMM tool""}]",https://www.ultraviewer.net/en/200000026-summary-of-ultraviewer-s-security-information.html,[] 
+Pandora RC (eHorus),,Pandora RC (eHorus) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"ehorus standalone.exe, ehorus_agent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""portal.ehorus.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pandora_rc__ehorus__network_sigma.yml"", ""Description"": ""Detects potential network activity of Pandora RC (eHorus) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pandora_rc__ehorus__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pandora RC (eHorus) RMM tool""}]",https://pandorafms.com/manual/!current/en/documentation/09_pandora_rc/01_pandora_rc_introduction,[] +IntelliAdmin Remote Control,,IntelliAdmin Remote Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"iadmin.exe, intelliadmin.exe, agent32.exe, agent64.exe, agent_setup_5.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""*.intelliadmin.com"", ""intelliadmin.com/remote-control""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/intelliadmin_remote_control_network_sigma.yml"", ""Description"": ""Detects potential network activity of IntelliAdmin Remote Control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/intelliadmin_remote_control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of IntelliAdmin Remote Control RMM tool""}]",intelliadmin.com/remote-control,[] +MEGAsync,,MEGAsync is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\*\AppData\Local\MEGAsync\*, *Users\*\AppData\Local\MEGAsync\*, *Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*, *ProgramData\MEGAsync\*, *\MEGAsyncSetup64.exe, *\MEGAupdater.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/megasync_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MEGAsync RMM tool""}]",,[] +Encapto,,Encapto is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""encapto.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/encapto_network_sigma.yml"", ""Description"": ""Detects potential network activity of Encapto RMM tool""}]",https://www.encapto.com - used to manage Cisco services,[] +ShowMyPC,,ShowMyPC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"SMPCSetup.exe, showmypc*.exe, showmypc.exe, smpcsetup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.showmypc.com"", ""showmypc.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/showmypc_network_sigma.yml"", ""Description"": ""Detects potential network activity of ShowMyPC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/showmypc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ShowMyPC RMM tool""}]",https://showmypc.com/service/faq/ShowMyPCSecurityOverview1.pdf,[] +Lite Manager,,Lite Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\LiteManager Pro – Viewer\*, *\LiteManager Pro – Viewer\*, *\LMNoIpServer.exe.","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Netop Remote Control (aka Impero Connect),,Netop Remote Control (aka Impero Connect) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"nhostsvc.exe, nhstw32.exe, nldrw32.exe, rmserverconsolemediator.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""imperosoftware.com/impero-connect/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__aka_impero_connect__network_sigma.yml"", ""Description"": ""Detects potential network activity of Netop Remote Control (aka Impero Connect) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__aka_impero_connect__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Netop Remote Control (aka Impero Connect) RMM tool""}]",,[] +GoToAssist,,GoToAssist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"gotoassist.exe, g2a*.exe, GoTo Assist Opener.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""goto.com"", ""*.getgo.com"", ""*.fastsupport.com"", ""*.gotoassist.com"", ""helpme.net"", ""*.gotoassist.me"", ""*.gotoassist.at"", ""*.desktopstreaming.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotoassist_network_sigma.yml"", ""Description"": ""Detects potential network activity of GoToAssist RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotoassist_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of GoToAssist RMM tool""}]",https://help.gotoassist.com/remote-support/help/what-should-i-allow-on-my-firewall-for-gotoassist-remote-support-v5,[] +Ericom Connect,,Ericom Connect is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"EricomConnectRemoteHost*.exe, ericomconnnectconfigurationtool.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""ericom.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_connect_network_sigma.yml"", ""Description"": ""Detects potential network activity of Ericom Connect RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_connect_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Ericom Connect RMM tool""}]",https://www.ericom.com/connect-accessnow/,[] +TeamViewer,,"TeamViewer is a remote monitoring and management (RMM) tool. +","Nasreddine Bencherchali, Michael Haag",2024-08-02,2024-08-02,https://www.teamviewer.com/en,TeamViewer.exe,,,TeamViewer,user,True,False,"Android, ChromeOS, IOS, Linux, Mac, Windows",,https://www.cvedetails.com/vulnerability-list/vendor_id-11100/product_id-19942/Teamviewer-Teamviewer.html,"C:\Program Files\TeamViewer\, teamviewer_desktop.exe, teamviewer_service.exe, teamviewerhost","{""Disk"": [{""File"": ""C:\\Users\\\\AppData\\Local\\Temp\\TeamViewer\\TV15Install.log"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""TeamViewer\\d\\d_Logfile\\.log"", ""Description"": ""N/A"", ""OS"": ""Windows"", ""Type"": ""Regex""}, {""File"": ""C:\\Program Files\\TeamViewer\\Connections_incoming.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\TeamViewer\\TVNetwork.log"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%LOCALAPPDATA%\\Temp\\TeamViewer\\TV15Install.log"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%APPDATA%\\\\TeamViewer\\\\TeamViewer\\d\\d_Logfile\\.log"", ""Description"": ""N/A"", ""OS"": ""Windows"", ""Type"": ""Regex""}, {""File"": 
""teamviewerqs.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""tv_w32.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""tv_w64.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""tv_x64.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""teamviewer.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""teamviewer_service.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%LOCALAPPDATA%\\TeamViewer\\Database\\tvchatfilecache.db"", ""Description"": ""SQlite 3 database storing cache about TeamViewer chat"", ""OS"": ""Windows""}, {""File"": ""%LOCALAPPDATA%\\TeamViewer\\RemotePrinting\\tvprint.db"", ""Description"": ""SQlite 3 database storing TeamViewer print jobs"", ""OS"": ""Windows""}, {""File"": ""%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\TeamViewer.lnk"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files*\\TeamViewer\\connections*.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Users\\*\\AppData\\Roaming\\TeamViewer\\MRU\\RemoteSupport\\*tvc"", ""Description"": ""N/A"", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""TeamViewer"", ""ImagePath"": ""\""C:\\\\Program Files\\\\TeamViewer\\\\TeamViewer_Service.exe\"""", ""Description"": ""Service installation event as result of TeamViewer installation.""}], ""Registry"": [{""Path"": ""HKLM\\SOFTWARE\\TeamViewer\\*"", ""Description"": ""N/A""}, {""Path"": ""HKU\\\\SOFTWARE\\TeamViewer\\*"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Services\\TeamViewer\\*"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\TeamViewer\\ConnectionHistory"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\TeamViewer\\*"", ""Description"": ""N/A""}, {""Path"": 
""HKU\\SID\\SOFTWARE\\TeamViewer\\MainWindowHandle"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImage"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImagePath"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImagePosition"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\MinimizeToTray"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioUserSelectedCapturingEndpoint"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioSendingVolumeV2"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioUserSelectedRenderingEndpoint"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\TeamViewer\\ConnectionHistory"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\ClientWindow_Mode"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\ClientWindowPositions"", ""Description"": ""N/A""}], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.teamviewer.com""], ""Ports"": []}, {""Description"": ""N/A"", ""Domains"": [""router15.teamviewer.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""client.teamviewer.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""taf.teamviewer.com""], ""Ports"": [443]}], ""Other"": [{""Type"": ""Mutex"", ""Value"": ""TeamViewer_LogMutex""}, {""Type"": ""Mutex"", ""Value"": ""TeamViewerHooks_DynamicMemMutex""}, {""Type"": ""Mutex"", ""Value"": ""TeamViewer3_Win32_Instance_Mutex""}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of TeamViewer RMM tool""}, {""Sigma"": 
""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_network_sigma.yml"", ""Description"": ""Detects potential network activity of TeamViewer RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_files_sigma.yml"", ""Description"": ""Detects potential files activity of TeamViewer RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of TeamViewer RMM tool""}]","https://community.teamviewer.com/English/kb/articles/4139-ports-used-by-teamviewer, https://arista.my.site.com/AristaCommunity/s/article/Security-Analysis-TeamViewer#, https://www.teamviewer.com/en/global/support/knowledge-base/teamviewer-classic/troubleshooting/log-file-reading-incoming-connection/, https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html, https://github.com/Purp1eW0lf/Blue-Team-Notes","[{""Person"": ""Th\u00e9o Letailleur"", ""Handle"": ""in/theosyn""}]" +Access Remote PC,,Access Remote PC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"rpcgrab.exe, rpcsetup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/access_remote_pc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Access Remote PC RMM tool""}]",,[] +SecureCRT,,SecureCRT is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\SecureCRT.EXE, *\SecureCRT.EXE, *\VanDyke Software\ClientPack\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/securecrt_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SecureCRT RMM tool""}]",,[] +Acronic Cyber Protect (Remotix),,Acronic Cyber Protect (Remotix) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"AcronisCyberProtectConnectQuickAssist*.exe, AcronisCyberProtectConnectAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""cloud.acronis.com"", ""agents*-cloud.acronis.com"", ""gw.remotix.com"", ""connect.acronis.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/acronic_cyber_protect__remotix__network_sigma.yml"", ""Description"": ""Detects potential network activity of Acronic Cyber Protect (Remotix) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/acronic_cyber_protect__remotix__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Acronic Cyber Protect (Remotix) RMM tool""}]",https://kb.acronis.com/content/47189,[] +Sorillus,,Sorillus is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"Sorillus-Launcher*.exe, Sorillus Launcher.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.sorillus.com"", ""sorillus.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sorillus_network_sigma.yml"", ""Description"": ""Detects potential network activity of Sorillus RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sorillus_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Sorillus RMM tool""}]",https://sorillus.com/,[] +Barracuda,,Barracuda is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.islonline.net"", ""rmm.barracudamsp.com"", ""barracudamsp.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/barracuda_network_sigma.yml"", ""Description"": ""Detects potential network activity of Barracuda RMM tool""}]",https://help.islonline.com/19799/166125,[] +DeskDay,,DeskDay is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,ultimate_*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""deskday.ai"", ""app.deskday.ai""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskday_network_sigma.yml"", ""Description"": ""Detects potential network activity of DeskDay RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskday_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DeskDay RMM tool""}]",https://support.deskday.ai/en/articles/8235973-installing-the-end-user-application-ultimate,[] +RemoteCall,,RemoteCall is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rcengmgru.exe, rcmgrsvc.exe, rxstartsupport.exe, rcstartsupport.exe, raautoup.exe, agentu.exe, remotesupportplayeru.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.remotecall.com"", ""*.startsupport.com"", ""remotecall.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotecall_network_sigma.yml"", ""Description"": ""Detects potential network activity of RemoteCall RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotecall_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RemoteCall RMM tool""}]",https://help.remotecall.com/hc/en-us/articles/360005128814--RemoteCall-Server-List-For-Firewall,[] +Splashtop,,Splashtop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,Nasreddine Bencherchali,,,,,,,,,,,,,,"C:\Program Files (x86)\Splashtop\*, *\Splashtop\Splashtop Remote\Client for RMM\*, strwinclt.exe","{""Disk"": [{""File"": ""C:\\windows\\System32\\winevt\\Logs\\Splashtop-Splashtop Streamer-Status%4Operational.evtx"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\windows\\System32\\winevt\\Logs\\Splashtop-Splashtop Streamer-Remote Session%4Operational.evtx"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%PROGRAMDATA%\\Splashtop\\Temp\\log\\FTCLog.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\agent_log.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\SPLog.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\svcinfo.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\sysinfo.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRService.exe"", ""Description"": ""Splashtop Remote Service"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRAgent.exe"", ""Description"": ""SplashTop Remote Agent"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Software Updater\\SSUAgent.exe"", ""Description"": ""Splashtop Updater"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRUtility.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRFeature.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files 
(x86)\\Splashtop\\Splashtop Remote\\Server\\db\\SRAgent.sqlite3"", ""Description"": ""N/A"", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""Splashtop Software Updater Service"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Software Updater\\\\SSUService.exe\"""", ""Description"": ""Service installation event as result of Splashtop Software Updater Service installation.""}, {""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""Splashtop\u00ae Remote Service"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Remote\\\\Server\\\\SRService.exe\"""", ""Description"": ""Service installation event as result of Splashtop Remote Service installation.""}, {""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""SplashtopRemoteService"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Remote\\\\Server\\\\SRService.exe\"""", ""Description"": ""Service installation event as result of Splashtop Remote Service installation.""}], ""Registry"": [{""Path"": ""KLM\\SOFTWARE\\WOW6432Node\\Splashtop Inc.\\*"", ""Description"": ""Splashtop Inc. 
registry key""}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Splashtop Software Updater"", ""Description"": ""Splashtop Software Updater uninstall key""}, {""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Services\\SplashtopRemoteService"", ""Description"": ""Splashtop Remote Service registry key""}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Splashtop-Splashtop Streamer-Remote Session/Operational"", ""Description"": ""Splashtop Streamer Remote Session event log channel""}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Splashtop-Splashtop Streamer-Status/Operational"", ""Description"": ""Splashtop Streamer Status event log channel""}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Splashtop Software Updater\\InstallRefCount"", ""Description"": ""Splashtop Software Updater install reference count""}, {""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\SplashtopRemoteService"", ""Description"": ""Splashtop Remote Service safe boot configuration""}, {""Path"": ""HKU\\.DEFAULT\\Software\\Splashtop Inc.\\*"", ""Description"": ""Default user Splashtop Inc. registry key""}, {""Path"": ""HKU\\SID\\Software\\Splashtop Inc.\\*"", ""Description"": ""User-specific Splashtop Inc. 
registry key""}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\Splashtop PDF Remote Printer"", ""Description"": ""Splashtop PDF Remote Printer configuration""}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Splashtop Inc.\\Splashtop Remote Server\\ClientInfo\\*"", ""Description"": ""Splashtop Remote Server client information""}], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""*.splashtop.com""], ""Ports"": [""N/A""]}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of Splashtop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_network_sigma.yml"", ""Description"": ""Detects potential network activity of Splashtop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_files_sigma.yml"", ""Description"": ""Detects potential files activity of Splashtop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Splashtop RMM tool""}]",https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html,"[{""Person"": ""Th\u00e9o Letailleur"", ""Handle"": ""in/theosyn""}]" +ManageEngine RMM Central,,ManageEngine RMM Central is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""manageengine.com/remote-monitoring-management/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manageengine_rmm_central_network_sigma.yml"", ""Description"": ""Detects potential network activity of ManageEngine RMM Central RMM tool""}]",,[] +AeroAdmin,,AeroAdmin is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"aeroadmin.exe, AeroAdmin.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""auth*.aeroadmin.com"", ""aeroadmin.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aeroadmin_network_sigma.yml"", ""Description"": ""Detects potential network activity of AeroAdmin RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aeroadmin_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of AeroAdmin RMM tool""}]",https://support.aeroadmin.com/kb/faq.php?id=58,[] +NoMachine,,NoMachine is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"nomachine*.exe, nxservice*.ese, nxd.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""nomachine.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nomachine_network_sigma.yml"", ""Description"": ""Detects potential network activity of NoMachine RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nomachine_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NoMachine RMM tool""}]",https://kb.nomachine.com/AR04S01122,[] +UltraVNC,,UltraVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,UltraVNC*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""ultravnc.com"", ""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultravnc_network_sigma.yml"", ""Description"": ""Detects potential network activity of UltraVNC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultravnc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of UltraVNC RMM tool""}]",https://uvnc.com/docs/uvnc-server/49-UltraVNC-server-configuration.html,[] +Instant Housecall,,Instant Housecall is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"hsloader.exe, ihcserver.exe, instanthousecall.exe, instanthousecall.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.instanthousecall.com"", ""*.instanthousecall.net"", ""instanthousecall.com"", ""secure.instanthousecall.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_network_sigma.yml"", ""Description"": ""Detects potential network activity of Instant Housecall RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Instant Housecall RMM tool""}]",https://instanthousecall.com/features/,[] NinjaRMM,,NinjaRMM is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"ninjarmmagent.exe, NinjaRMMAgent.exe, NinjaRMMAgenPatcher.exe, ninjarmm-cli.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.ninjarmm.com"", ""*.ninjaone.com"", ""resources.ninjarmm.com"", ""ninjaone.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ninjarmm_network_sigma.yml"", ""Description"": ""Detects potential network activity of NinjaRMM RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ninjarmm_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NinjaRMM RMM tool""}]",https://www.ninjaone.com/faq/,[] -CruzControl,,CruzControl is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],https://resources.doradosoftware.com/cruz-rmm,[] -SimpleHelp,,SimpleHelp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"simplehelpcustomer.exe, simpleservice.exe, simplegatewayservice.exe, remote access.exe, windowslauncher.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""simple-help.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/simplehelp_network_sigma.yml"", ""Description"": ""Detects potential network activity of SimpleHelp RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/simplehelp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SimpleHelp RMM tool""}]",https://simple-help.com/remote-support,[] -EMCO Remote Console,,EMCO Remote Console is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,remoteconsole.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""emcosoftware.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/emco_remote_console_network_sigma.yml"", ""Description"": ""Detects potential network activity of EMCO Remote Console RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/emco_remote_console_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of EMCO Remote Console RMM tool""}]",,[] ngrok,,ngrok is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"ngrok.exe, C:\*\ngrok.zip, *\ngrok*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""ngrok.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ngrok_network_sigma.yml"", ""Description"": ""Detects potential network activity of ngrok RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ngrok_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ngrok RMM tool""}]",https://ngrok.com/docs/guides/running-behind-firewalls/,[] -Apple Remote Desktop,,Apple Remote Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/24/2024,,,,,,,,,,,,ARDAgent.app,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/apple_remote_desktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of Apple Remote Desktop RMM tool""}]",https://support.apple.com/guide/remote-desktop/install-and-set-up-remote-desktop-apdf49e03a4/mac,[] -Netviewer (GoToMeet),,Netviewer (GoToMeet) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"nvClient.exe, netviewer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer__gotomeet__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Netviewer (GoToMeet) RMM tool""}]",Obsolute - found copy here: https://www.enviolet.com/en/service/online-consultant.html,[] -NoMachine,,NoMachine is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"nomachine*.exe, nxservice*.ese, nxd.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""nomachine.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nomachine_network_sigma.yml"", ""Description"": ""Detects potential network activity of NoMachine RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nomachine_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NoMachine RMM tool""}]",https://kb.nomachine.com/AR04S01122,[] -MioNet (WD Anywhere Access),,MioNet (WD Anywhere Access) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"mionet.exe, mionetmanager.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mionet__wd_anywhere_access__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MioNet (WD Anywhere Access) RMM tool""}]",https://en.wikipedia.org/wiki/WD_Anywhere_Access - DOA as of 2016,[] -Splashtop,,Splashtop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,Nasreddine Bencherchali,,,,,,,,,,,,,,"C:\Program Files (x86)\Splashtop\*, *\Splashtop\Splashtop Remote\Client for RMM\*, strwinclt.exe","{""Disk"": [{""File"": ""C:\\windows\\System32\\winevt\\Logs\\Splashtop-Splashtop Streamer-Status%4Operational.evtx"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\windows\\System32\\winevt\\Logs\\Splashtop-Splashtop Streamer-Remote Session%4Operational.evtx"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%PROGRAMDATA%\\Splashtop\\Temp\\log\\FTCLog.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\agent_log.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\SPLog.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\svcinfo.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\sysinfo.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRService.exe"", ""Description"": ""Splashtop Remote Service"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRAgent.exe"", ""Description"": ""SplashTop Remote Agent"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Software Updater\\SSUAgent.exe"", ""Description"": ""Splashtop Updater"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRUtility.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRFeature.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files 
(x86)\\Splashtop\\Splashtop Remote\\Server\\db\\SRAgent.sqlite3"", ""Description"": ""N/A"", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""Splashtop Software Updater Service"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Software Updater\\\\SSUService.exe\"""", ""Description"": ""Service installation event as result of Splashtop Software Updater Service installation.""}, {""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""Splashtop\u00ae Remote Service"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Remote\\\\Server\\\\SRService.exe\"""", ""Description"": ""Service installation event as result of Splashtop Remote Service installation.""}, {""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""SplashtopRemoteService"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Remote\\\\Server\\\\SRService.exe\"""", ""Description"": ""Service installation event as result of Splashtop Remote Service installation.""}], ""Registry"": [{""Path"": ""KLM\\SOFTWARE\\WOW6432Node\\Splashtop Inc.\\*"", ""Description"": ""Splashtop Inc. 
registry key""}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Splashtop Software Updater"", ""Description"": ""Splashtop Software Updater uninstall key""}, {""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Services\\SplashtopRemoteService"", ""Description"": ""Splashtop Remote Service registry key""}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Splashtop-Splashtop Streamer-Remote Session/Operational"", ""Description"": ""Splashtop Streamer Remote Session event log channel""}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Splashtop-Splashtop Streamer-Status/Operational"", ""Description"": ""Splashtop Streamer Status event log channel""}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Splashtop Software Updater\\InstallRefCount"", ""Description"": ""Splashtop Software Updater install reference count""}, {""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\SplashtopRemoteService"", ""Description"": ""Splashtop Remote Service safe boot configuration""}, {""Path"": ""HKU\\.DEFAULT\\Software\\Splashtop Inc.\\*"", ""Description"": ""Default user Splashtop Inc. registry key""}, {""Path"": ""HKU\\SID\\Software\\Splashtop Inc.\\*"", ""Description"": ""User-specific Splashtop Inc. 
registry key""}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\Splashtop PDF Remote Printer"", ""Description"": ""Splashtop PDF Remote Printer configuration""}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Splashtop Inc.\\Splashtop Remote Server\\ClientInfo\\*"", ""Description"": ""Splashtop Remote Server client information""}], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""*.splashtop.com""], ""Ports"": [""N/A""]}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of Splashtop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_network_sigma.yml"", ""Description"": ""Detects potential network activity of Splashtop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_files_sigma.yml"", ""Description"": ""Detects potential files activity of Splashtop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Splashtop RMM tool""}]",https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html,"[{""Person"": ""Th\u00e9o Letailleur"", ""Handle"": ""in/theosyn""}]" -RAdmin,,"RAdmin is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. 
-",Nasreddine Bencherchali,2024-08-05,2024-08-05,https://www.radmin.com/,RServer3.exe,RServer3.exe,Radmin Server,Radmin Server,,,,Windows,,,"C:\Program Files (x86)\Radmin Viewer 3\Radmin.exe, C:\Windows\SysWOW64\rserver30\rserver3.exe, C:\Windows\SysWOW64\rserver30\FamItrfc, C:\Windows\SysWOW64\rserver30\FamItrf2","{""Disk"": [{""File"": ""C:\\Windows\\SysWOW64\\rserver30\\Radm_log.htm"", ""Description"": ""RAdmin log file (32-bit)"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\System32\\rserver30\\Radm_log.htm"", ""Description"": ""RAdmin log file (64-bit)"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\System32\\rserver30\\CHATLOGS\\*\\*.htm"", ""Description"": ""RAdmin chat logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Users\\*\\Documents\\ChatLogs\\*\\*.htm"", ""Description"": ""RAdmin user chat logs"", ""OS"": ""Windows""}], ""EventLog"": [], ""Registry"": [{""Path"": ""HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Radmin\\v3.0\\Server\\Parameters\\Radmin Security"", ""Description"": ""N/A""}], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""radmin.com""], ""Ports"": [443]}]}","[{""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_pua_radmin.yml"", ""Description"": ""PUA - Radmin Viewer Utility Execution""}, {""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml"", ""Description"": ""Enumeration for 3rd Party Creds From CLI""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of RAdmin RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_network_sigma.yml"", ""Description"": ""Detects potential network activity of RAdmin RMM tool""}, {""Sigma"": 
""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_files_sigma.yml"", ""Description"": ""Detects potential files activity of RAdmin RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RAdmin RMM tool""}]","https://radmin-club.com/radmin/how-to-establish-a-connection-outside-of-lan/, https://helpdesk.radmin.com/radmin3help/, https://helpdesk.radmin.com/radmin3help/files/viewercmd.htm, https://helpdesk.radmin.com/radmin3help/files/cmd.htm","[{""Person"": ""Nasreddine Bencherchali"", ""Handle"": ""@nas_bench""}]" -LANDesk,,LANDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"issuser.exe, landeskagentbootstrap.exe, LANDeskPortalManager.exe, ldinv32.exe, ldsensors.exe, C:\Program Files (x86)\LANDesk\*, *\LANDesk\*, *\issuser.exe, *\softmon.exe, *\tmcsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.ivanticloud.com"", ""*.ivanti.com"", ""ivanti.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/landesk_network_sigma.yml"", ""Description"": ""Detects potential network activity of LANDesk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/landesk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of LANDesk RMM tool""}]",https://forums.ivanti.com/s/article/URL-exception-list-for-Ivanti-Security-Controls?language=en_US,[] -SuperOps,,SuperOps is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"superopsticket.exe, superops.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.superopsbeta.com"", ""superops.ai"", ""serv.superopsalpha.com"", ""*.superops.ai"", ""*.superopsalpha.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superops_network_sigma.yml"", ""Description"": ""Detects potential network activity of SuperOps RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superops_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SuperOps RMM tool""}]",https://support.superops.com/en/articles/6632028-how-to-download-and-deploy-the-agent,[] -Lite Manager,,Lite Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\LiteManager Pro – Viewer\*, *\LiteManager Pro – Viewer\*, *\LMNoIpServer.exe.","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Supremo,,Supremo is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/13/2024,,,,,,,,,,,,"supremo.exe, supremoservice.exe, supremosystem.exe, supremohelper.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""supremocontrol.com"", ""*.supremocontrol.com"", ""* .nanosystems.it""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/supremo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Supremo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/supremo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Supremo RMM tool""}]",https://www.supremocontrol.com/frequently-asked-questions/,[] +Bitvise SSH Client,,Bitvise SSH Client is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Bitvise SSH Client\*, *\Bitvise SSH Client\*, *\BvSshClient-Inst.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bitvise_ssh_client_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Bitvise SSH Client RMM tool""}]",,[] Chicken (of the VNC),,Chicken (of the VNC) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],https://github.com/flit/cotvnc,[] -KHelpDesk,,KHelpDesk is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,KHelpDesk.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.khelpdesk.com.br""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/khelpdesk_network_sigma.yml"", ""Description"": ""Detects potential network activity of KHelpDesk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/khelpdesk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of KHelpDesk RMM tool""}]",https://www.khelpdesk.com.br/en-us,[] -TurboMeeting,,TurboMeeting is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"pcstarter.exe, turbomeeting.exe, turbomeetingstarter.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""acceo.com/turbomeeting/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/turbomeeting_network_sigma.yml"", ""Description"": ""Detects potential network activity of TurboMeeting RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/turbomeeting_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of TurboMeeting RMM tool""}]",http://sourcing.rhubcom.com/v5/faqs.html#collapsetwentysix2-topdiv,[] -RPort,,RPort is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,rport.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""rport.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rport_network_sigma.yml"", ""Description"": ""Detects potential network activity of RPort RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rport_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RPort RMM tool""}]",https://kb.rport.io/using-the-remote-access,[] -MioNet (Also known as WD Anywhere Access),,MioNet (Also known as WD Anywhere Access) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"mionet.exe, mionetmanager.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mionet__also_known_as_wd_anywhere_access__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MioNet (Also known as WD Anywhere Access) RMM tool""}]",,[] -OCS inventory,,OCS inventory is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"ocsinventory.exe, ocsservice.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""ocsinventory-ng.org""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ocs_inventory_network_sigma.yml"", ""Description"": ""Detects potential network activity of OCS inventory RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ocs_inventory_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of OCS inventory RMM tool""}]",https://ocsinventory-ng.org/?page_id=878&lang=en,[] -RemotePass,,RemotePass is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"remotepass-access.exe, rpaccess.exe, rpwhostscr.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""remotepass.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepass_network_sigma.yml"", ""Description"": ""Detects potential network activity of RemotePass RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepass_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RemotePass RMM tool""}]",https://www.remotepass.com/rpaccess.html - DOA as of 2024,[] -GoToAssist (GoTo Resolve),,GoToAssist (GoTo Resolve) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\ProgramFiles*\GoTo Machine Installer\*, *\GoTo Machine Installer\*, *\GoTo\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Comodo RMM,,Comodo RMM is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"itsmagent.exe, rviewer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.itsm-us1.comodo.com"", ""*mdmsupport.comodo.com"", ""one.comodo.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/comodo_rmm_network_sigma.yml"", ""Description"": ""Detects potential network activity of Comodo RMM RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/comodo_rmm_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Comodo RMM RMM tool""}]","https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html",[] -ShowMyPC,,ShowMyPC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"SMPCSetup.exe, showmypc*.exe, showmypc.exe, smpcsetup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.showmypc.com"", ""showmypc.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/showmypc_network_sigma.yml"", ""Description"": ""Detects potential network activity of ShowMyPC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/showmypc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ShowMyPC RMM tool""}]",https://showmypc.com/service/faq/ShowMyPCSecurityOverview1.pdf,[] -ToDesk,,ToDesk is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"todesk.exe, ToDesk_Service.exe, ToDesk_Setup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""todesk.com"", ""*.todesk.com"", ""*.todesk.com"", ""todesktop.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/todesk_network_sigma.yml"", ""Description"": ""Detects potential network activity of ToDesk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/todesk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ToDesk RMM tool""}]",https://www.todesk.com/,[] -RunSmart,,RunSmart is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""runsmart.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/runsmart_network_sigma.yml"", ""Description"": ""Detects potential network activity of RunSmart RMM tool""}]",,[] -VNC Connect,,VNC Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\RealVNC\VNC Server\*, *\RealVNC\VNC Server\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Echoware,,Echoware is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"echoserver*.exe, echoware.dll","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/echoware_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Echoware RMM tool""}]",,[] -Alpemix,,"Alpemix is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. -",Nasreddine Bencherchali,2024-08-05,2024-08-05,https://www.alpemix.com/en/Home,Alpemix.exe,Alpemix,Alpemix,Alpemix,,,,"Windows, Linux, Android, Mac, IOS","5 Different Solutions for Remote Support, Access to Unattended Computers, Access to User Account Control (UAC) Screens, Add Your Own Logo, Auto Sizing, Automatic Update, Clipboard Transfer, Computer Independent Licensing, Contact List and Groups, Encrypted Communication, External Communication Barrier, File Transfer, Instant Messaging, Multi-Platform Support, Multiple Chat, Multiple Connections, No Port Forwarding Required, Peer to Peer Connection (p2p), Receiving Offline Message, Remote Restart, ReportingRestricting The Authority, Screen Sharing, Sending Announcement Message, Sharing a certain part of the screen, Video Recording, Voice Communication, Who is currently supporting?, Working in Black Screen Mode",,"C:\AlpemixService.exe, C:\AlpemixSrvc\","{""Disk"": [{""File"": ""%localappdata%\\Alpemix\\Alpemix.ini"", ""Description"": ""N/A"", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""AlpemixSrvc"", ""ImagePath"": ""*\\Alpemix.exe servicestartxxx"", ""Description"": ""Service installation event as result of Alpemix installation.""}], ""Registry"": [{""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Services\\AlpemixSrvcx"", ""Description"": ""N/A""}], ""Network"": [{""Description"": ""N/A"", ""Domains"": 
[""*.alpemix.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.teknopars.com""], ""Ports"": [80]}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of Alpemix RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_network_sigma.yml"", ""Description"": ""Detects potential network activity of Alpemix RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_files_sigma.yml"", ""Description"": ""Detects potential files activity of Alpemix RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Alpemix RMM tool""}]",https://www.alpemix.com/en/remote-access,"[{""Person"": ""Nasreddine Bencherchali"", ""Handle"": ""@nas_bench""}]" -Royal TS,,Royal TS is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,royalts.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""royalapps.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_ts_network_sigma.yml"", ""Description"": ""Detects potential network activity of Royal TS RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_ts_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Royal TS RMM tool""}]",,[] -DragonDisk,,DragonDisk is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Almageste\DragonDisk\*, *\Almageste\DragonDisk\*, *\DragonDisk.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dragondisk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DragonDisk RMM tool""}]",,[] -Pcvisit,,Pcvisit is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"pcvisit.exe, pcvisit_client.exe, pcvisit-easysupport.exe, pcvisit_service_client.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.pcvisit.de"", ""pcvisit.de""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcvisit_network_sigma.yml"", ""Description"": ""Detects potential network activity of Pcvisit RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcvisit_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pcvisit RMM tool""}]",https://www.pcvisit.de/,[] -Connectwise Automate (LabTech),,Connectwise Automate (LabTech) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"ltsvc.exe, ltsvcmon.exe, lttray.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.hostedrmm.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_automate__labtech__network_sigma.yml"", ""Description"": ""Detects potential network activity of Connectwise Automate (LabTech) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_automate__labtech__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Connectwise Automate (LabTech) RMM tool""}]",https://www.connectwise.com/company/announcements/labtech-now-connectwise-automate,[] +SkyFex,,SkyFex is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"Deskroll.exe, DeskRollUA.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""skyfex.com"", ""deskroll.com"", ""*.deskroll.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/skyfex_network_sigma.yml"", ""Description"": ""Detects potential network activity of SkyFex RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/skyfex_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SkyFex RMM tool""}]",https://skyfex.com/,[] +Ericom AccessNow,,Ericom AccessNow is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"accessserver*.exe, accessserver.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""ericom.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_accessnow_network_sigma.yml"", ""Description"": ""Detects potential network activity of Ericom AccessNow RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_accessnow_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Ericom AccessNow RMM tool""}]",https://www.ericom.com/connect-accessnow/,[] +Microsoft RDP,,Microsoft RDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"termsrv.exe, mstsc.exe, Microsoft Remote Desktop","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_rdp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Microsoft RDP RMM tool""}]",https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/windows,[] +Royal Server,,Royal Server is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""royalapps.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_server_network_sigma.yml"", ""Description"": ""Detects potential network activity of Royal Server RMM tool""}]",https://royalapps.com/server/main/features,[] +Solar-PuTTY,,Solar-PuTTY is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\Solar-Putty-v4\*, *\Solar-Putty-v4\*, *\Solar-PuTTY.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/solar-putty_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Solar-PuTTY RMM tool""}]",,[] +Duplicati,,Duplicati is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"c:\Program Files\*\Duplicati.Server.exe, *\*\Duplicati.Server.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/duplicati_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Duplicati RMM tool""}]",,[] +Remote Desktop Plus,,Remote Desktop Plus is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,rdp.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""donkz.nl""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_desktop_plus_network_sigma.yml"", ""Description"": ""Detects potential network activity of Remote Desktop Plus RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_desktop_plus_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remote Desktop Plus RMM tool""}]",https://www.donkz.nl/,[] +ITSupport247 (ConnectWise),,ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,saazapsc.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.itsupport247.net"", ""itsupport247.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__network_sigma.yml"", ""Description"": ""Detects potential network activity of ITSupport247 (ConnectWise) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ITSupport247 (ConnectWise) RMM tool""}]",https://control.itsupport247.net/,[] +DesktopNow,,DesktopNow is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,desktopnow.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.nchuser.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktopnow_network_sigma.yml"", ""Description"": ""Detects potential network activity of DesktopNow RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktopnow_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DesktopNow RMM tool""}]",https://forums.ivanti.com/s/article/Network-Ports-used-by-Environment-Manager?language=en_US,[] +Remmina,,Remmina is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Distant Desktop,,Distant Desktop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"ddsystem.exe, dd.exe, distant-desktop.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.distantdesktop.com"", ""*signalserver.xyz""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of Distant Desktop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Distant Desktop RMM tool""}]",https://www.distantdesktop.com/manual/first-start.htm,[] DameWare,,DameWare is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"SolarWinds-Dameware-DRS*.exe, DameWare Mini Remote Control*.exe, C:\Windows\dwrcs\* c:\Program File\SolarWinds\Dameware Mini Remote Control\*, dntus*.exe, dwrcs.exe, *\dwrcs\*, *\dwrcst.exe, DameWare Remote Support.exe, SolarWinds-Dameware-MRC*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""dameware.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware-mini_remote_control_protocol_network_sigma.yml"", ""Description"": ""Detects potential network activity of Dameware-mini remote control Protocol RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DameWare RMM tool""}]",https://documentation.solarwinds.com/en/success_center/dameware/content/install-standalone-port-requirements.htm,[] -Onionshare,,Onionshare is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\OnionShare\*, *\OnionShare\*, *\onionshare*.exe, OnionShare-win*.msi","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/onionshare_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Onionshare RMM tool""}]",,[] -Tailscale,,Tailscale is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"tailscale-*.exe, tailscaled.exe, tailscale-ipn.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.tailscale.com"", ""*.tailscale.io"", ""tailscale.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tailscale_network_sigma.yml"", ""Description"": ""Detects potential network activity of Tailscale RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tailscale_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Tailscale RMM tool""}]",https://tailscale.com/kb/1023/troubleshooting,[] -Senso.cloud,,Senso.cloud is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"SensoClient.exe, SensoService.exe, aadg.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.senso.cloud"", ""senso.cloud""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/senso.cloud_network_sigma.yml"", ""Description"": ""Detects potential network activity of Senso.cloud RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/senso.cloud_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Senso.cloud RMM tool""}]",https://support.senso.cloud/support/solutions/articles/79000116305-firewall-and-content-filter-configuration,[] -UltraViewer,,UltraViewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"UltraViewer_Service.exe, UltraViewer_setup*, UltraViewer_Desktop.exe, ultraviewer.exe, C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe, *\UltraViewer\, *\UltraViewer_Desktop.exe, ultraviewer_desktop.exe, ultraviewer_service.exe, UltraViewer_Desktop.exe, UltraViewer_setup*, UltraViewer_Service.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""* .ultraviewer.net"", ""ultraviewer.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultraviewer_network_sigma.yml"", ""Description"": ""Detects potential network activity of UltraViewer RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultraviewer_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of UltraViewer RMM tool""}]",https://www.ultraviewer.net/en/200000026-summary-of-ultraviewer-s-security-information.html,[] -KickIdler,,KickIdler is a remote 
monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"grabberEM.*msi, grabberTT*.msi","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""kickidler.com"", ""my.kickidler.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kickidler_network_sigma.yml"", ""Description"": ""Detects potential network activity of KickIdler RMM tool""}]",https://www.kickidler.com/for-it/faq/,[] -Remmina,,Remmina is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -eHorus,,eHorus is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,ehorus standalone.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""ehorus.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ehorus_network_sigma.yml"", ""Description"": ""Detects potential network activity of eHorus RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ehorus_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of eHorus RMM tool""}]",,[] -Quick Assist,,Quick Assist is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,quickassist.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.support.services.microsoft.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quick_assist_network_sigma.yml"", ""Description"": ""Detects potential network activity of Quick Assist RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quick_assist_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Quick Assist RMM tool""}]",,[] -N-Able Advanced Monitoring Agent,,N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"Agent_*_RW.exe, BASEClient.exe, BASupApp.exe, BASupSrvc.exe, BASupSrvcCnfg.exe, BASupTSHelper.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*remote.management"", ""*.logicnow.com"", ""*systemmonitor.us"", ""*systemmonitor.eu.com"", ""*system-monitor.com"", ""systemmonitor.us.cdn.cloudflare.net"", ""*cloudbackup.management"", ""*systemmonitor.co.uk"", ""*.n-able.com"", ""*.beanywhere.com "", ""*.swi-tc.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_network_sigma.yml"", ""Description"": ""Detects potential network activity of N-Able Advanced Monitoring Agent RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of N-Able Advanced Monitoring Agent RMM 
tool""}]",https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm,[] -KiTTY,,KiTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\kitty.exe, *\kitty.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kitty_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of KiTTY RMM tool""}]",,[] -FleetDeck.io,,FleetDeck.io is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"fleetdeck_agent_svc.exe, fleetdeck_commander_svc.exe, fleetdeck_installer.exe, fleetdeck_commander_launcher.exe, fleetdeck_agent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.fleetdeck.io"", ""cognito-idp.us-west-2.amazonaws.com"", ""fleetdeck.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdesk.io_network_sigma.yml"", ""Description"": ""Detects potential network activity of FleetDesk.io RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdesk.io_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of FleetDesk.io RMM tool""}]",https://fleetdeck.io/faq/,[] -TeleDesktop,,TeleDesktop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"pstlaunch.exe, ptdskclient.exe, ptdskhost.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""tele-desk.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teledesktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of TeleDesktop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teledesktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of TeleDesktop RMM tool""}]",http://potomacsoft.com/ - DOA as of 2024,[] -Remote Utilities,,Remote Utilities is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rutview.exe, rutserv.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.internetid.ru""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_utilities_network_sigma.yml"", ""Description"": ""Detects potential network activity of Remote Utilities RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_utilities_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remote Utilities RMM tool""}]",https://www.remoteutilities.com/download/,[] -NetSupport Manager,,NetSupport Manager is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"pcictlui.exe, pcicfgui.exe, client32.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.netsupportmanager.com"", ""netsupportmanager.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_network_sigma.yml"", ""Description"": ""Detects potential network activity of NetSupport Manager RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NetSupport Manager RMM tool""}]",https://www.netsupportmanager.com/resources/,[] -GotoHTTP,,GotoHTTP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"GotoHTTP_x64.exe, gotohttp.exe, GotoHTTP*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.gotohttp.com"", ""gotohttp.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotohttp_network_sigma.yml"", ""Description"": ""Detects potential network activity of GotoHTTP RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotohttp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of GotoHTTP RMM tool""}]",https://gotohttp.com/goto/help.12x,[] -RemoteUtilities,,RemoteUtilities is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"rutview.exe, *\Remote Manipulator System - Server\*, C:\Program Files\Remote Utilities\*, *\Remote Utilities\*, rutserv.exe, *\rutserv.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""remoteutilities.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteutilities_network_sigma.yml"", ""Description"": ""Detects potential network activity of RemoteUtilities RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteutilities_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RemoteUtilities RMM tool""}]",,[] -GoToMyPC,,"GoToMyPC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. -",Nasreddine Bencherchali,2024-08-05,2024-08-05,,AppCore.exe,,,,,,,,,,C:\Program Files (x86)\GoToMyPC\*,"{""Disk"": [{""File"": ""%AppData%\\GoTo\\Logs\\goto.log"", ""Description"": ""N/A"", ""OS"": ""Windows""}], ""EventLog"": [], ""Registry"": [{""Path"": ""HKEY_LOCAL_MACHINE\\WOW6432Node\\Citrix\\GoToMyPc"", ""Description"": ""Configuration settings including registration email""}, {""Path"": ""HKEY_LOCAL_MACHINE\\WOW6432Node\\Citrix\\GoToMyPc\\GuestInvite"", ""Description"": ""Guest invites send to connect""}, {""Path"": ""HKEY_CURRENT_USER\\SOFTWARE\\Citrix\\GoToMyPc\\FileTransfer\\history"", ""Description"": ""hostname of the computer making connections and location of transferred files""}, {""Path"": ""HKEY_USERS\\\\SOFTWARE\\Citrix\\GoToMyPc\\FileTransfer\\history"", ""Description"": ""hostname of the computer making connections and location of transferred files""}], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""*.GoToMyPC.com""], ""Ports"": [""N/A""]}]}","[{""Sigma"": 
""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of GoToMyPC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_network_sigma.yml"", ""Description"": ""Detects potential network activity of GoToMyPC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_files_sigma.yml"", ""Description"": ""Detects potential files activity of GoToMyPC RMM tool""}]","https://support.logmeininc.com/gotomypc/help/what-are-the-optimal-firewall-configurations#, https://support.goto.com/training/help/how-do-i-configure-gototraining-to-work-with-firewalls, https://ruler-project.github.io/ruler-project/RULER/remote/Citrix%20GoToMyPC/","[{""Person"": ""Phill Moore"", ""Handle"": ""@phillmoore""}]" -SmartCode Web VNC,,SmartCode Web VNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\TightVNC\*, *\TightVNC\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Seetrol,,Seetrol is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"seetrolcenter.exe, seetrolclient.exe, seetrolmyservice.exe, seetrolremote.exe, seetrolsetting.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""seetrol.co.kr""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/seetrol_network_sigma.yml"", ""Description"": ""Detects potential network activity of Seetrol RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/seetrol_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Seetrol RMM tool""}]",http://www.seetrol.com/en/features/features3.php,[] -RDPView,,RDPView is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,dwrcs.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""systemmanager.ru/dntu.en/rdp_view.htm""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpview_network_sigma.yml"", ""Description"": ""Detects potential network activity of RDPView RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpview_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RDPView RMM tool""}]",systemmanager.ru/dntu.en/rdp_view.htm - Same as Damware,[] -Zoho Assist,,Zoho Assist is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"zaservice.exe, ZMAgent.exe, C:\*\ZA_Access.exe, ZohoMeeting.exe, Zohours.exe, zohotray.exe, ZohoURSService.exe, *\ZA_Access.exe, Zaservice.exe, za_connect.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.zoho.com.au"", ""*.zohoassist.jp"", ""assist.zoho.com"", ""zoho.com/assist/"", ""*.zoho.in"", ""downloads.zohodl.com.cn"", ""*.zohoassist.com"", ""downloads.zohocdn.com"", ""gateway.zohoassist.com"", ""*.zohoassist.com.cn"", ""*.zoho.com.cn"", ""*.zoho.com"", ""*.zoho.eu""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoho_assist_network_sigma.yml"", ""Description"": ""Detects potential network activity of Zoho Assist RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoho_assist_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Zoho Assist RMM tool""}]",https://www.zoho.com/assist/kb/firewall-configuration.html,[] -Xpra,,Xpra is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Xpra\*, *\Xpra\*, *\Xpra-Launcher.exe, *\Xpra-x86_64_Setup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xpra_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Xpra RMM tool""}]",,[] +Level,,Level is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""level.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level_network_sigma.yml"", ""Description"": ""Detects potential network activity of Level RMM tool""}]",,[] +Insync,,Insync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\USERNAME\AppData\Roaming\Insync\App\Insync.exe, *Users\*\AppData\Roaming\Insync\App\Insync.exe, *\Insync.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/insync_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Insync RMM tool""}]",,[] +ISL Online,,ISL Online is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"*\ISLLight.exe, isllight.exe, ISLLightClient.exe, C:\Program Files (x86)\ISL Online\ISL Light*, *\ISL Online\ISL Light*, ISLLight.exe, isllightservice.exe, islalwaysonmonitor.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.islonline.com"", ""*.islonline.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_network_sigma.yml"", ""Description"": ""Detects potential network activity of ISL Online RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ISL Online RMM tool""}]",https://help.islonline.com/19818/165940,[] +Remote.it,,Remote.it is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"remote-it-installer.exe, remote.it.exe, remoteit.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""auth.api.remote.it"", ""api.remote.it"", ""remote.it""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote.it_network_sigma.yml"", ""Description"": ""Detects potential network activity of Remote.it RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote.it_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remote.it RMM tool""}]",https://docs.remote.it/introduction/get-started,[] +Netreo,,Netreo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""charon.netreo.net"", ""activation.netreo.net"", ""*.api.netreo.com"", ""netreo.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netreo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Netreo RMM tool""}]",https://solutions.netreo.com/docs/firewall-requirements,[] +NoteOn-desktop sharing,,NoteOn-desktop sharing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"nateon*.exe, nateon.exe, nateonmain.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/noteon-desktop_sharing_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NoteOn-desktop sharing RMM tool""}]",,[] +Royal TS,,Royal TS is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,royalts.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""royalapps.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_ts_network_sigma.yml"", ""Description"": ""Detects potential network activity of Royal TS RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_ts_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Royal TS RMM tool""}]",,[] DeskNets,,DeskNets is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],https://www.desknets.com/en/download.html,[] +QQ IM-remote assistance,,QQ IM-remote assistance is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"qq.exe, QQProtect.exe, qqpcmgr.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.mdt.qq.com"", ""*.desktop.qq.com"", ""upload_data.qq.com"", ""qq-messenger.en.softonic.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/qq_im-remote_assistance_network_sigma.yml"", ""Description"": ""Detects potential network activity of QQ IM-remote assistance RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/qq_im-remote_assistance_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of QQ IM-remote assistance RMM tool""}]",https://en.wikipedia.org/wiki/Tencent_QQ,[] +PuTTY Tray,,PuTTY Tray is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\puttytray.exe, *\puttytray.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/putty_tray_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of PuTTY Tray RMM tool""}]",,[] XRDP,,XRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -ManageEngine,,ManageEngine is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"InstallShield Setup.exe, ManageEngine_Remote_Access_Plus.exe, *\dcagentservice.exe, C:\Program Files (x86)\DesktopCentral_Agent\bin\*, *\DesktopCentral_Agent\bin\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manageengine_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ManageEngine RMM tool""}]",,[] -Impero Connect,,Impero Connect is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,ImperoClientSVC.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""imperosoftware.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/impero_connect_network_sigma.yml"", ""Description"": ""Detects potential network activity of Impero Connect RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/impero_connect_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Impero Connect RMM tool""}]",,[] -Remcos,,Remcos is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,remcos*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remcos_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remcos RMM tool""}]",,[] -PDQ Connect,,PDQ Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,pdq-connect*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""app.pdq.com"", ""cfcdn.pdq.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pdq_connect_network_sigma.yml"", ""Description"": ""Detects potential network activity of PDQ Connect RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pdq_connect_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of PDQ Connect RMM tool""}]",https://connect.pdq.com/hc/en-us/articles/9518992071707-Network-Requirements,[] -Terminals,,Terminals is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Syncro,,Syncro is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/13/2024,,,,,,,,,,,,"Syncro.Installer.exe, Kabuto.App.Runner.exe, Syncro.Overmind.Service.exe, Kabuto.Installer.exe, KabutoSetup.exe, Syncro.Service.exe, Kabuto.Service.Runner.exe, Syncro.App.Runner.exe, SyncroLive.Service.exe, SyncroLive.Agent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""kabuto.io"", ""*.syncromsp.com"", ""*.syncroapi.com"", ""syncromsp.com"", ""servably.com"", ""ld.aurelius.host"", ""app.kabuto.io "", ""*.kabutoservices.com"", ""repairshopr.com"", ""kabutoservices.com"", ""attachments.servably.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncro_network_sigma.yml"", ""Description"": ""Detects potential network activity of Syncro RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncro_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Syncro RMM tool""}]",https://community.syncromsp.com/t/syncro-exceptions-and-allowlists/2004,[] -247ithelp.com (ConnectWise),,247ithelp.com (ConnectWise) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,Remote Workforce Client.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.247ithelp.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/247ithelp.com__connectwise__network_sigma.yml"", ""Description"": ""Detects potential network activity of 247ithelp.com (ConnectWise) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/247ithelp.com__connectwise__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of 247ithelp.com (ConnectWise) RMM tool""}]",Similar / replaced by ScreenConnect,[] -Netviewer,,Netviewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"netviewer*.exe, netviewer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""download.cnet.com/Net-Viewer/3000-2370_4-10034828.html""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer_network_sigma.yml"", ""Description"": ""Detects potential network activity of Netviewer RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Netviewer RMM tool""}]",,[] -Syspectr,,Syspectr is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"oo-syspectr*.exe, OOSysAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""atled.syspectr.com"", ""app.syspectr.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syspectr_network_sigma.yml"", ""Description"": ""Detects potential network activity of Syspectr RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syspectr_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Syspectr RMM tool""}]",https://www.syspectr.com/en/installation-in-a-network,[] -I'm InTouch,,I'm InTouch is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"iit.exe, intouch.exe, I'm InTouch Go Installer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.01com.com"", ""01com.com/imintouch-remote-pc-desktop""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/i'm_intouch_network_sigma.yml"", ""Description"": ""Detects potential network activity of I'm InTouch RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/i'm_intouch_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of I'm InTouch RMM tool""}]",https://www.01com.com/mobile/imintouch-remote-pc-desktop/faqs/remote-access/,[] -ISL Light,,ISL Light is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"islalwaysonmonitor.exe, isllight.exe, isllightservice.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""islonline.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_light_network_sigma.yml"", ""Description"": ""Detects potential network activity of ISL Light RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_light_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ISL Light RMM tool""}]",,[] -Mocha VNC Lite,,Mocha VNC Lite is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"This installs a modified VNC and cannot be blocked by path separate from VNC, This installs a modified VNC and cannot be blocked by path separate from VNC, *\RealVNC\VNC4\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Ericom Connect,,Ericom Connect is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"EricomConnectRemoteHost*.exe, ericomconnnectconfigurationtool.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""ericom.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_connect_network_sigma.yml"", ""Description"": ""Detects potential network activity of Ericom Connect RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_connect_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Ericom Connect RMM tool""}]",https://www.ericom.com/connect-accessnow/,[] -Yandex.Disk,,Yandex.Disk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Yandex\*, *\Yandex\*, *\YandexDisk2.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/yandex.disk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Yandex.Disk RMM tool""}]",,[] -LiteManager,,LiteManager is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"lmnoipserver.exe, ROMFUSClient.exe, romfusclient.exe, romviewer.exe, romserver.exe, ROMServer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.litemanager.ru"", ""*.litemanager.com"", ""litemanager.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/litemanager_network_sigma.yml"", ""Description"": ""Detects potential network activity of LiteManager RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/litemanager_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of LiteManager RMM tool""}]",https://www.litemanager.com/articles/LiteManager_remote_access_to_a_desktop_via_the_Internet_or_LAN/,[] -BeAnyWhere,,BeAnyWhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"basuptshelper.exe, basupsrvcupdate.exe, BASupApp.exe, BASupSysInf.exe, BASupAppSrvc.exe, TakeControl.exe, BASupAppElev.exe, basupsrvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""beanywhere.en.uptodown.com/windows"", ""beanywhere.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beanywhere_network_sigma.yml"", ""Description"": ""Detects potential network activity of BeAnyWhere RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beanywhere_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of BeAnyWhere RMM tool""}]",https://www.shouldiremoveit.com/beanywhere-support-service-40908-program.aspx,[] -Jump Cloud,,Jump Cloud is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,JumpCloud*.exe ,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.api.jumpcloud.com"", ""*.assist.jumpcloud.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_cloud_network_sigma.yml"", ""Description"": ""Detects potential network activity of Jump Cloud RMM tool""}]",https://jumpcloud.com/support/understand-remote-assist-agent,[] -Remote Desktop Manager (Devolutions),,Remote Desktop Manager (Devolutions) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -AweRay,,AweRay is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"aweray_remote*.exe, AweSun.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""asapi*.aweray.net"", ""client-api.aweray.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray_network_sigma.yml"", ""Description"": ""Detects potential network activity of AweRay RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of AweRay RMM tool""}]",https://sun.aweray.com/help,[] -Remobo,,Remobo is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"remobo.exe, remobo_client.exe, remobo_tracker.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""remobo.en.softonic.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remobo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Remobo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remobo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remobo RMM tool""}]",https://www.remobo.com - DOA as of 2024,[] -ESET Remote Administrator,,ESET Remote Administrator is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"era.exe, einstaller.exe, ezhelp*.exe, eratool.exe, ERAAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""eset.com/me/business/remote-management/remote-administrator/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_network_sigma.yml"", ""Description"": ""Detects potential network activity of ESET Remote Administrator RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ESET Remote Administrator RMM tool""}]",eset.com/me/business/remote-management/remote-administrator/,[] -Ultra VNC,,Ultra VNC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\uvnc bvba\UltraVNC\*, *\uvnc bvba\UltraVNC\*, *\UVNC_Launch.exe, *\winvnc.exe, *\vncviewer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultra_vnc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Ultra VNC RMM tool""}]",,[] -pcAnywhere,,pcAnywhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"awhost32.exe, awrem32.exe, pcaquickconnect.exe, winaw32.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcanywhere_network_sigma.yml"", ""Description"": ""Detects potential network activity of pcAnywhere RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcanywhere_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of pcAnywhere RMM tool""}]",https://en.wikipedia.org/wiki/PcAnywhere,[] -Remote.it,,Remote.it is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"remote-it-installer.exe, remote.it.exe, remoteit.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""auth.api.remote.it"", ""api.remote.it"", ""remote.it""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote.it_network_sigma.yml"", ""Description"": ""Detects potential network activity of Remote.it RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote.it_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remote.it RMM tool""}]",https://docs.remote.it/introduction/get-started,[] -Guacamole,,Guacamole is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,guacd.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""guacamole.apache.org""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/guacamole_network_sigma.yml"", ""Description"": ""Detects potential network activity of Guacamole RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/guacamole_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Guacamole RMM tool""}]",guacamole.apache.org,[] -Addigy,,Addigy is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/27/2024,,,,,,,,,,,,addigy-*.pkg,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""prod.addigy.com"", ""grtmprod.addigy.com"", ""agents.addigy.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/addigy_network_sigma.yml"", ""Description"": ""Detects potential network activity of Addigy RMM tool""}]",https://addigy.com/,[] -AeroAdmin,,AeroAdmin is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"aeroadmin.exe, AeroAdmin.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""auth*.aeroadmin.com"", ""aeroadmin.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aeroadmin_network_sigma.yml"", ""Description"": ""Detects potential network activity of AeroAdmin RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aeroadmin_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of AeroAdmin RMM tool""}]",https://support.aeroadmin.com/kb/faq.php?id=58,[] -Access Remote PC,,Access Remote PC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"rpcgrab.exe, rpcsetup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/access_remote_pc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Access Remote PC RMM tool""}]",,[] -Acronic Cyber Protect (Remotix),,Acronic Cyber Protect (Remotix) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"AcronisCyberProtectConnectQuickAssist*.exe, AcronisCyberProtectConnectAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""cloud.acronis.com"", ""agents*-cloud.acronis.com"", ""gw.remotix.com"", ""connect.acronis.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/acronic_cyber_protect__remotix__network_sigma.yml"", ""Description"": ""Detects potential network activity of Acronic Cyber Protect (Remotix) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/acronic_cyber_protect__remotix__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Acronic Cyber Protect (Remotix) RMM tool""}]",https://kb.acronis.com/content/47189,[] -Instant Housecall,,Instant Housecall is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"hsloader.exe, InstantHousecall.exe, ihcserver.exe, instanthousecall.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.instanthousecall.com"", ""secure.instanthousecall.com"", ""*.instanthousecall.net"", ""instanthousecall.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_network_sigma.yml"", ""Description"": ""Detects potential network activity of Instant Housecall RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Instant Housecall RMM tool""}]",https://instanthousecall.com/features/,[] -SkyFex,,SkyFex is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"Deskroll.exe, DeskRollUA.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""skyfex.com"", ""deskroll.com"", ""*.deskroll.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/skyfex_network_sigma.yml"", ""Description"": ""Detects potential network activity of SkyFex RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/skyfex_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SkyFex RMM tool""}]",https://skyfex.com/,[] -PSEXEC,,PSEXEC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"psexec.exe, psexecsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec_network_sigma.yml"", ""Description"": ""Detects potential network activity of PSEXEC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of PSEXEC RMM tool""}]",https://learn.microsoft.com/en-us/sysinternals/downloads/psexec,[] -MSP360,,MSP360 is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"Online Backup.exe, CBBackupPlan.exe, Cloud.Backup.Scheduler.exe, Cloud.Backup.RM.Service.exe, cbb.exe, CloudRaService.exe, CloudRaSd.exe, CloudRaCmd.exe, CloudRaUtilities.exe, Remote Desktop.exe, Connect.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.cloudberrylab.com"", ""*.msp360.com"", ""*.mspbackups.com"", ""msp360.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/msp360_network_sigma.yml"", ""Description"": ""Detects potential network activity of MSP360 RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/msp360_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MSP360 RMM tool""}]",https://kb.msp360.com/managed-backup-service/mbs-tcp-ports-configuration#,[] -SecureCRT,,SecureCRT is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\SecureCRT.EXE, *\SecureCRT.EXE, *\VanDyke Software\ClientPack\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/securecrt_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SecureCRT RMM tool""}]",,[] -VNC,,VNC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"winvnc*.exe, vncserver.exe, winwvc.exe, winvncsc.exe, vncserverui.exe, vncviewer.exe, winvnc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""realvnc.com/en/connect/download/vnc""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/vnc_network_sigma.yml"", ""Description"": ""Detects potential network activity of VNC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/vnc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of VNC RMM tool""}]",https://realvnc.com/en/connect/download/vnc,[] +FastViewer,,FastViewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"fastclient.exe, fastmaster.exe, FastViewer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.fastviewer.com"", ""fastviewer.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fastviewer_network_sigma.yml"", ""Description"": ""Detects potential network activity of FastViewer RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fastviewer_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of FastViewer RMM tool""}]",https://fastviewer.com/demo/EN_FastViewer_Server%20Installation%20Configuration.pdf,[] +Jump Desktop,,Jump Desktop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"jumpclient.exe, jumpdesktop.exe, jumpservice.exe, jumpconnect.exe, jumpupdater.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.jumpdesktop.com"", ""jumpdesktop.com"", ""jumpto.me"", ""*.jumpto.me""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_desktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of Jump Desktop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_desktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Jump Desktop RMM tool""}]",https://support.jumpdesktop.com/hc/en-us/articles/360042490351-Administrators-Guide-For-Jump-Desktop-Connect,[] +Ivanti Remote Control,,Ivanti Remote Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"IvantiRemoteControl.exe, ArcUI.exe, AgentlessRC.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.ivanticloud.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ivanti_remote_control_network_sigma.yml"", ""Description"": ""Detects potential network activity of Ivanti Remote Control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ivanti_remote_control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Ivanti Remote Control RMM tool""}]",https://rc1.ivanticloud.com/,[] +BeInSync,,BeInSync is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,Beinsync*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.beinsync.net"", ""*.beinsync.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beinsync_network_sigma.yml"", ""Description"": ""Detects potential network activity of BeInSync RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beinsync_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of BeInSync RMM tool""}]",https://en.wikipedia.org/wiki/Phoenix_Technologies,[] +NateOn-desktop sharing,,NateOn-desktop sharing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"nateon*.exe, nateon.exe, nateonmain.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.nate.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nateon-desktop_sharing_network_sigma.yml"", ""Description"": ""Detects potential network activity of NateOn-desktop sharing RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nateon-desktop_sharing_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NateOn-desktop sharing RMM tool""}]",http://rsupport.nate.com/rview/r8/main/index.aspx,[] +Xeox,,Xeox is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"xeox-agent_x64.exe, xeox_service_windows.exe, xeox-agent_*.exe, xeox-agent_x86.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.xeox.com"", ""xeox.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xeox_network_sigma.yml"", ""Description"": ""Detects potential network activity of Xeox RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xeox_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Xeox RMM tool""}]",https://help.xeox.com/knowledge-base/gSuyNfDH6u79M82utnswf2/firewall-settings-xeox-agent-and-integrations/47T7S9tZJ2L1Z2W5gwuXoW,[] +WinSCP,,WinSCP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\IEUser\Downloads\WinSCP-5.21.6-Portable\*, *\WinSCP*Portable\*, *\WinSCP.exe, *\WinSCP\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/winscp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of WinSCP RMM tool""}]",,[] +DW Service,,DW Service is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"dwagsvc.exe, dwagent.exe, dwagsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.dwservice.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_network_sigma.yml"", ""Description"": ""Detects potential network activity of DW Service RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DW Service RMM tool""}]",https://news.dwservice.net/dwservice-security-infrastructure/,[] +NTR Remote,,NTR Remote is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,NTRsupportPro_EN.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.ntrsupport.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ntr_remote_network_sigma.yml"", ""Description"": ""Detects potential network activity of NTR Remote RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ntr_remote_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NTR Remote RMM tool""}]",DOA as of 2024,[] +TurboMeeting,,TurboMeeting is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"pcstarter.exe, turbomeeting.exe, turbomeetingstarter.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""acceo.com/turbomeeting/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/turbomeeting_network_sigma.yml"", ""Description"": ""Detects potential network activity of TurboMeeting RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/turbomeeting_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of TurboMeeting RMM tool""}]",http://sourcing.rhubcom.com/v5/faqs.html#collapsetwentysix2-topdiv,[] +RemoteUtilities,,RemoteUtilities is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"rutview.exe, *\Remote Manipulator System - Server\*, C:\Program Files\Remote Utilities\*, *\Remote Utilities\*, rutserv.exe, *\rutserv.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""remoteutilities.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteutilities_network_sigma.yml"", ""Description"": ""Detects potential network activity of RemoteUtilities RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteutilities_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RemoteUtilities RMM tool""}]",,[] +Pulseway,,Pulseway is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"PCMonitorManager.exe, pcmonitorsrv.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""pulseway.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pulseway_network_sigma.yml"", ""Description"": ""Detects potential network activity of Pulseway RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pulseway_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pulseway RMM tool""}]",https://intercom.help/pulseway/en/,[] Panorama9,,Panorama9 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,p9agent*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""trusted.panorama9.com"", ""changes.panorama9.com"", ""panorama9.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/panorama9_network_sigma.yml"", ""Description"": ""Detects potential network activity of Panorama9 RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/panorama9_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Panorama9 RMM tool""}]",https://support.panorama9.com/en/articles/1859605-what-ports-and-hosts-does-the-p9-agent-communicate-with,[] -FixMe.it,,FixMe.it is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"FixMeit Client.exe, TiExpertStandalone.exe, FixMeitClient*.exe, TiExpertCore.exe, FixMeit Unattended Access Setup.exe, FixMeit Expert Setup.exe, TiExpertCore.exe, fixmeitclient.exe, TiClientCore.exe, TiClientHelper*.exe, 9380CC75B872221A7425D7503565B67580407F60","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.fixme.it"", ""*.techinline.net"", ""fixme.it"", ""*set.me"", ""*setme.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme_network_sigma.yml"", ""Description"": ""Detects potential network activity of FixMe RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of FixMe RMM tool""}]",,[] -ISL Online,,ISL Online is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"*\ISLLight.exe, isllight.exe, ISLLightClient.exe, C:\Program Files (x86)\ISL Online\ISL Light*, *\ISL Online\ISL Light*, ISLLight.exe, isllightservice.exe, islalwaysonmonitor.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.islonline.com"", ""*.islonline.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_network_sigma.yml"", ""Description"": ""Detects potential network activity of ISL Online RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ISL Online RMM tool""}]",https://help.islonline.com/19818/165940,[] -RES Automation Manager,,RES Automation Manager is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"wisshell*.exe, wmc.exe, wmc_deployer.exe, wmcsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""ivanti.com/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/res_automation_manager_network_sigma.yml"", ""Description"": ""Detects potential network activity of RES Automation Manager RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/res_automation_manager_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RES Automation Manager RMM tool""}]",https://forums.ivanti.com/s/article/INFO-Which-ports-does-Ivanti-Automation-use?language=en_US&ui-force-components-controllers-recordGlobalValueProvider.RecordGvp.getRecord=1,[] Atera,,"Atera is a remote monitoring and management (RMM) tool. It is used by threat actors to deploy ransomware or facilitate command execution and lateral movement. 
",,2024-08-03,2024-10-06,https://www.atera.com/,AteraAgent.exe,AteraAgent.exe,AteraAgent,,SYSTEM,30 day trial,None,"Windows, MacOS, Linux","Integrated remote access with Splashtop and AnyDesk, Remote monitoring and management, Patch management, Network discovery, Backup and disaster recovery, Helpdesk and ticketing, Reporting and analytics, Billing and invoicing, Customer portal, Mobile app","CVE-2023-26078, CVE-2023-26077","*\AgentPackageNetworkDiscovery.exe, *\AgentPackageTaskScheduler.exe, *\ATERA Networks\AteraAgent\*, *\AteraAgent.exe, atera_agent.exe, atera_agent.exe, ateraagent.exe, C:\Program Files\ATERA Networks\AteraAgent\*, C:\Program Files\Atera Networks, C:\Program Files (x86)\Atera Networks, syncrosetup.exe","{""Disk"": [{""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageRunCommandInteractive\\log.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\*"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe"", ""Description"": ""Atera service binary"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\Atera Networks\\AlphaAgent.exe"", ""Description"": ""Atera service binary"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageSTRemote\\AgentPackageSTRemote.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageMonitoring\\AgentPackageMonitoring.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageHeartbeat\\AgentPackageHeartbeat.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageFileExplorer\\AgentPackageFileExplorer.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, 
{""File"": ""C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageRunCommandInteractive\\AgentPackageRunCommandInteractive.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""AteraAgent"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\ATERA Networks\\\\AteraAgent\\\\AteraAgent.exe\"""", ""Description"": ""Service installation event as result of AteraAgent installation.""}, {""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""WinRing0_1_2_0"", ""ImagePath"": ""\""C:\\\\Program Files (x86)\\\\ATERA Networks\\\\AteraAgent\\\\Packages\\\\AgentPackageMonitoring\\\\OpenHardwareMonitorLib.sys\"""", ""Description"": ""Service installation event as result of Atera pakcage manager installation.""}, {""EventID"": 11707, ""ProviderName"": ""MsiInstaller"", ""LogFile"": ""Application.evtx"", ""Data"": ""Product: AteraAgent -- Installation completed successfully."", ""Description"": ""Service installation event as result of AteraAgent installation.""}, {""EventID"": 4697, ""ProviderName"": ""Microsoft-Security-Auditing"", ""LogFile"": ""Security.evtx"", ""CommandLine"": ""C:\\\\Program Files\\\\ATERA Networks\\\\AteraAgent\\\\Packages\\\\AgentPackageFileExplorer\\\\AgentPackageFileExplorer.exe XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX agent-api.atera.com/Production 443 [BASE64BLOB]"", ""Description"": ""Service installation event as result of AteraAgent installation.""}], ""Registry"": [{""Path"": ""HKLM\\SOFTWARE\\ATERA Networks\\AlphaAgent"", ""Description"": null}, {""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Services\\AteraAgent"", ""Description"": null}, {""Path"": ""KLM\\SOFTWARE\\WOW6432Node\\Splashtop Inc."", ""Description"": null}, {""Path"": 
""HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Splashtop Software Updater"", ""Description"": null}, {""Path"": ""HKLM\\SYSTEM\\ControlSet\\Services\\EventLog\\Application\\AlphaAgent"", ""Description"": null}, {""Path"": ""HKLM\\SYSTEM\\ControlSet\\Services\\EventLog\\Application\\AteraAgent"", ""Description"": null}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Tracing\\AteraAgent_RASAPI32"", ""Description"": null}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Tracing\\AteraAgent_RASMANCS"", ""Description"": null}, {""Path"": ""HKLM\\SOFTWARE\\ATERA Networks\\*"", ""Description"": null}], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""pubsub.atera.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""pubsub.pubnub.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""agentreporting.atera.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""getalphacontrol.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""app.atera.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""agenthb.atera.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""packagesstore.blob.core.windows.net""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""ps.pndsn.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""agent-api.atera.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""cacerts.thawte.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""agentreportingstore.blob.core.windows.net""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""atera-agent-heartbeat.servicebus.windows.net""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""ps.atera.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""atera.pubnubapi.com""], ""Ports"": [""N/A""]}, {""Description"": ""N/A"", ""Domains"": [""appcdn.atera.com""], 
""Ports"": [""N/A""]}]}","[{""Sigma"": ""https://github.com/The-DFIR-Report/Sigma-Rules/blob/d67407d357ad32b247e2a303abc5a38bb30fd576/rules/windows/process_creation/proc_creation_win_ateraagent_malicious_installations.yml"", ""Name"": ""AteraAgent malicious installations"", ""Description"": ""Detects AteraAgent installations with suspicious command line arguments.""}, {""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yml"", ""Name"": ""Atera Agent Installation"", ""Description"": ""Detects Atera Agent installation.""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of Atera RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_network_sigma.yml"", ""Description"": ""Detects potential network activity of Atera RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_files_sigma.yml"", ""Description"": ""Detects potential files activity of Atera RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Atera RMM tool""}]","https://support.atera.com/hc/en-us/articles/360015461139-Firewall-Settings-for-Atera-s-Integrations, https://support.atera.com/hc/en-us/articles/215955967-Troubleshoot-Atera-s-Windows-agent, https://support.atera.com/hc/en-us/articles/115015619747-Release-Notes-February-2018, https://thedfirreport.com/?s=ateraagent","[{""Person"": ""Th\u00e9o Letailleur"", ""Handle"": ""in/theosyn""}, {""Person"": ""Nasreddine Bencherchali"", ""Handle"": ""@nas_bench""}, {""Person"": ""Kostas"", ""Handle"": ""@kostastsale""}]" -CrossLoop,,CrossLoop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"crossloopservice.exe, CrossLoopConnect.exe, WinVNCStub.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.crossloop.com"", ""crossloop.en.softonic.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crossloop_network_sigma.yml"", ""Description"": ""Detects potential network activity of CrossLoop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crossloop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of CrossLoop RMM tool""}]",www.CrossLoop.com -> redirects to avast.com,[] -Level.io,,Level.io is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"level-windows-amd64.exe, level.exe, level-remote-control-ffmpeg.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""level.io"", ""*.level.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_network_sigma.yml"", ""Description"": ""Detects potential network activity of Level.io RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Level.io RMM tool""}]",https://docs.level.io/1.0/admin-guides/troubleshooting-agent-issues,[] -Tactical RMM,,Tactical RMM is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"tacticalrmm.exe, tacticalrmm.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""login.tailscale.com"", ""login.tailscale.com"", ""docs.tacticalrmm.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tactical_rmm_network_sigma.yml"", ""Description"": ""Detects potential network activity of Tactical RMM RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tactical_rmm_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Tactical RMM RMM tool""}]",docs.tacticalrmm.com,[] -Fortra,,Fortra is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""fortra.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fortra_network_sigma.yml"", ""Description"": ""Detects potential network activity of Fortra RMM tool""}]",https://www.fortra.com - No free/cloud RMM softwars listed,[] -Sorillus,,Sorillus is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"Sorillus-Launcher*.exe, Sorillus Launcher.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.sorillus.com"", ""sorillus.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sorillus_network_sigma.yml"", ""Description"": ""Detects potential network activity of Sorillus RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sorillus_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Sorillus RMM tool""}]",https://sorillus.com/,[] -RemoteCall,,RemoteCall is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rcengmgru.exe, rcmgrsvc.exe, rxstartsupport.exe, rcstartsupport.exe, raautoup.exe, agentu.exe, remotesupportplayeru.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.remotecall.com"", ""*.startsupport.com"", ""remotecall.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotecall_network_sigma.yml"", ""Description"": ""Detects potential network activity of RemoteCall RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotecall_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RemoteCall RMM tool""}]",https://help.remotecall.com/hc/en-us/articles/360005128814--RemoteCall-Server-List-For-Firewall,[] -Laplink Everywhere,,Laplink Everywhere is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"laplink.exe, laplink-everywhere-setup*.exe, laplinkeverywhere.exe, llrcservice.exe, serverproxyservice.exe, OOSysAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""everywhere.laplink.com"", ""le.laplink.com"", ""atled.syspectr.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_everywhere_network_sigma.yml"", ""Description"": ""Detects potential network activity of Laplink Everywhere RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_everywhere_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Laplink Everywhere RMM tool""}]",https://everywhere.laplink.com/docs,[] -MEGAsync,,MEGAsync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\*\AppData\Local\MEGAsync\*, *Users\*\AppData\Local\MEGAsync\*, *Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*, *ProgramData\MEGAsync\*, *\MEGAsyncSetup64.exe, *\MEGAupdater.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/megasync_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MEGAsync RMM tool""}]",,[] -Neturo,,Neturo is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"neturo*.exe, ntrntservice.exe, neturo.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""neturo.uplus.co.kr""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/neturo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Neturo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/neturo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Neturo RMM tool""}]","Obscure, located an older copy here: http://www.iconpos.com/pos/home/iconpos/bbs.php?id=file&q=view&uid=2",[] -Distant Desktop,,Distant Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"ddsystem.exe, dd.exe, distant-desktop.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.distantdesktop.com"", ""*signalserver.xyz""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of Distant Desktop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Distant Desktop RMM tool""}]",https://www.distantdesktop.com/manual/first-start.htm,[] -Anyplace Control,,Anyplace Control is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,apc_host.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""anyplace-control.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyplace_control_network_sigma.yml"", ""Description"": ""Detects potential network activity of Anyplace Control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyplace_control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Anyplace Control RMM tool""}]",http://www.anyplace-control.com/anyplace-control/help/faq.htm,[] JollysFastVNC,,JollysFastVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +RunSmart,,RunSmart is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""runsmart.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/runsmart_network_sigma.yml"", ""Description"": ""Detects potential network activity of RunSmart RMM tool""}]",,[] +Chrome Remote Desktop,,Chrome Remote Desktop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"remote_host.exe, remoting_host.exe, C:\Program Files (x86)\Google\Chrome Remote Desktop\*, *\Google\Chrome Remote Desktop\*, *\remoting_host.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*remotedesktop.google.com"", ""*remotedesktop-pa.googleapis.com"", ""remotedesktop.google.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of Chrome Remote Desktop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Chrome Remote Desktop RMM tool""}]",https://support.google.com/chrome/a/answer/2799701?hl=en,[] +Netviewer (GoToMeet),,Netviewer (GoToMeet) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"nvClient.exe, netviewer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer__gotomeet__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Netviewer (GoToMeet) RMM tool""}]",Obsolute - found copy here: https://www.enviolet.com/en/service/online-consultant.html,[] +Netviewer,,Netviewer is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"netviewer*.exe, netviewer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""download.cnet.com/Net-Viewer/3000-2370_4-10034828.html""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer_network_sigma.yml"", ""Description"": ""Detects potential network activity of Netviewer RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Netviewer RMM tool""}]",,[] +ConnectWise Control,,ConnectWise Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"connectwisechat-customer.exe, connectwisecontrol.client.exe, screenconnect.windowsclient.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""live.screenconnect.com"", ""control.connectwise.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_network_sigma.yml"", ""Description"": ""Detects potential network activity of ConnectWise Control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ConnectWise Control RMM tool""}]",,[] ExtraPuTTY,,ExtraPuTTY is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\*\ExtraPuTTY-0.30-2016-01-28-installer.exe, *Users\*\ExtraPuTTY-0.30-2016-01-28-installer.exe, *\ExtraPuTTY-0.30-2016-01-28-installer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/extraputty_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ExtraPuTTY RMM tool""}]",,[] -rdpwrap,,rdpwrap is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"RDPWInst.exe, RDPCheck.exe, RDPConf.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""github.com/stascorp/rdpwrap""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpwrap_network_sigma.yml"", ""Description"": ""Detects potential network activity of rdpwrap RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpwrap_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of rdpwrap RMM tool""}]",github.com/stascorp/rdpwrap,[] -N-ABLE Remote Access Software,,N-ABLE Remote Access Software is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""n-able.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_remote_access_software_network_sigma.yml"", ""Description"": ""Detects potential network activity of N-ABLE Remote Access Software RMM tool""}]",,[] -Solar-PuTTY,,Solar-PuTTY is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\Solar-Putty-v4\*, *\Solar-Putty-v4\*, *\Solar-PuTTY.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/solar-putty_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Solar-PuTTY RMM tool""}]",,[] -TeamViewer,,"TeamViewer is a remote monitoring and management (RMM) tool. -","Nasreddine Bencherchali, Michael Haag",2024-08-02,2024-08-02,https://www.teamviewer.com/en,TeamViewer.exe,,,TeamViewer,user,True,False,"Android, ChromeOS, IOS, Linux, Mac, Windows",,https://www.cvedetails.com/vulnerability-list/vendor_id-11100/product_id-19942/Teamviewer-Teamviewer.html,"C:\Program Files\TeamViewer\, teamviewer_desktop.exe, teamviewer_service.exe, teamviewerhost","{""Disk"": [{""File"": ""C:\\Users\\\\AppData\\Local\\Temp\\TeamViewer\\TV15Install.log"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""TeamViewer\\d\\d_Logfile\\.log"", ""Description"": ""N/A"", ""OS"": ""Windows"", ""Type"": ""Regex""}, {""File"": ""C:\\Program Files\\TeamViewer\\Connections_incoming.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\TeamViewer\\TVNetwork.log"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%LOCALAPPDATA%\\Temp\\TeamViewer\\TV15Install.log"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%APPDATA%\\\\TeamViewer\\\\TeamViewer\\d\\d_Logfile\\.log"", ""Description"": ""N/A"", ""OS"": ""Windows"", ""Type"": ""Regex""}, {""File"": ""teamviewerqs.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""tv_w32.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""tv_w64.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""tv_x64.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""teamviewer.exe"", ""Description"": ""N/A"", ""OS"": 
""Windows""}, {""File"": ""teamviewer_service.exe"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""%LOCALAPPDATA%\\TeamViewer\\Database\\tvchatfilecache.db"", ""Description"": ""SQlite 3 database storing cache about TeamViewer chat"", ""OS"": ""Windows""}, {""File"": ""%LOCALAPPDATA%\\TeamViewer\\RemotePrinting\\tvprint.db"", ""Description"": ""SQlite 3 database storing TeamViewer print jobs"", ""OS"": ""Windows""}, {""File"": ""%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\TeamViewer.lnk"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files*\\TeamViewer\\connections*.txt"", ""Description"": ""N/A"", ""OS"": ""Windows""}, {""File"": ""C:\\Users\\*\\AppData\\Roaming\\TeamViewer\\MRU\\RemoteSupport\\*tvc"", ""Description"": ""N/A"", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""TeamViewer"", ""ImagePath"": ""\""C:\\\\Program Files\\\\TeamViewer\\\\TeamViewer_Service.exe\"""", ""Description"": ""Service installation event as result of TeamViewer installation.""}], ""Registry"": [{""Path"": ""HKLM\\SOFTWARE\\TeamViewer\\*"", ""Description"": ""N/A""}, {""Path"": ""HKU\\\\SOFTWARE\\TeamViewer\\*"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SYSTEM\\CurrentControlSet\\Services\\TeamViewer\\*"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\TeamViewer\\ConnectionHistory"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\TeamViewer\\*"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\MainWindowHandle"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImage"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImagePath"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImagePosition"", 
""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\MinimizeToTray"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioUserSelectedCapturingEndpoint"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioSendingVolumeV2"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioUserSelectedRenderingEndpoint"", ""Description"": ""N/A""}, {""Path"": ""HKLM\\SOFTWARE\\TeamViewer\\ConnectionHistory"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\ClientWindow_Mode"", ""Description"": ""N/A""}, {""Path"": ""HKU\\SID\\SOFTWARE\\TeamViewer\\ClientWindowPositions"", ""Description"": ""N/A""}], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.teamviewer.com""], ""Ports"": []}, {""Description"": ""N/A"", ""Domains"": [""router15.teamviewer.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""client.teamviewer.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""taf.teamviewer.com""], ""Ports"": [443]}], ""Other"": [{""Type"": ""Mutex"", ""Value"": ""TeamViewer_LogMutex""}, {""Type"": ""Mutex"", ""Value"": ""TeamViewerHooks_DynamicMemMutex""}, {""Type"": ""Mutex"", ""Value"": ""TeamViewer3_Win32_Instance_Mutex""}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of TeamViewer RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_network_sigma.yml"", ""Description"": ""Detects potential network activity of TeamViewer RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_files_sigma.yml"", ""Description"": ""Detects potential files activity of TeamViewer RMM tool""}, {""Sigma"": 
""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of TeamViewer RMM tool""}]","https://community.teamviewer.com/English/kb/articles/4139-ports-used-by-teamviewer, https://arista.my.site.com/AristaCommunity/s/article/Security-Analysis-TeamViewer#, https://www.teamviewer.com/en/global/support/knowledge-base/teamviewer-classic/troubleshooting/log-file-reading-incoming-connection/, https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html, https://github.com/Purp1eW0lf/Blue-Team-Notes","[{""Person"": ""Th\u00e9o Letailleur"", ""Handle"": ""in/theosyn""}]" -Itarian,,Itarian is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"ITSMAgent.exe, RViewer.exe, ItsmRsp.exe, RAccess.exe, RmmService.exe, ITarianRemoteAccessSetup.exe, RDesktop.exe, ComodoRemoteControl.exe, ITSMService.exe, RHost.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""mdmsupport.comodo.com"", ""*.itsm-us1.comodo.com"", ""*.cmdm.comodo.com"", ""remoteaccess.itarian.com"", ""servicedesk.itarian.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itarian_network_sigma.yml"", ""Description"": ""Detects potential network activity of Itarian RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itarian_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Itarian RMM tool""}]","https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html",[] -Visual Studio Dev Tunnel,,Visual Studio Dev Tunnel is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""global.rel.tunnels.api.visualstudio.com"", ""*.rel.tunnels.api.visualstudio.com"", ""*.devtunnels.ms""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/visual_studio_dev_tunnel_network_sigma.yml"", ""Description"": ""Detects potential network activity of Visual Studio Dev Tunnel RMM tool""}]",https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security,[] -ITSupport247 (ConnectWise),,ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,saazapsc.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.itsupport247.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__network_sigma.yml"", ""Description"": ""Detects potential network activity of ITSupport247 (ConnectWise) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ITSupport247 (ConnectWise) RMM tool""}]",https://control.itsupport247.net/,[] -LogMeIn,,"LogMeIn is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. 
-",Nasreddine Bencherchali,2024-08-05,2024-08-05,https://www.logmein.com/,lmiguardiansvc.exe,,,,,,,,,,None,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""logmein-gateway.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.logmein.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.logmein.eu""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""logmeinrescue.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.logmeininc.com""], ""Ports"": [443]}]}","[{""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml"", ""Description"": ""DNS Query To Remote Access Software Domain From Non-Browser App""}, {""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_remote_access_tools_logmein.yml"", ""Description"": ""Remote Access Tool - LogMeIn Execution""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_network_sigma.yml"", ""Description"": ""Detects potential network activity of LogMeIn RMM tool""}]",https://support.logmeininc.com/central/help/allowlisting-and-firewall-configuration,"[{""Person"": ""Nasreddine Bencherchali"", ""Handle"": ""@nas_bench""}]" -PuTTY,,PuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Netreo,,Netreo is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""charon.netreo.net"", ""activation.netreo.net"", ""*.api.netreo.com"", ""netreo.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netreo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Netreo RMM tool""}]",https://solutions.netreo.com/docs/firewall-requirements,[] -Netop Remote Control (Impero Connect),,Netop Remote Control (Impero Connect) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"nhostsvc.exe, nhstw32.exe, ngstw32.exe, Netop Ondemand.exe, nldrw32.exe, rmserverconsolemediator.exe, ImperoInit.exe, Connect.Backdrop.cloud*.exe, ImperoClientSVC.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.connect.backdrop.cloud"", ""*.netop.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__impero_connect__network_sigma.yml"", ""Description"": ""Detects potential network activity of Netop Remote Control (Impero Connect) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__impero_connect__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Netop Remote Control (Impero Connect) RMM tool""}]",https://kb.netop.com/article/firewall-and-proxy-server-considerations-when-using-netop-portal-communication-373.html,[] -Splashtop (Beta),,Splashtop (Beta) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"SRServer.exe, SplashtopSOS.exe, Splashtop_Streamer_Windows*.exe, SRManager.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""splashtop.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop__beta__network_sigma.yml"", ""Description"": ""Detects potential network activity of Splashtop (Beta) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop__beta__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Splashtop (Beta) RMM tool""}]",,[] -FastViewer,,FastViewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"fastclient.exe, fastmaster.exe, FastViewer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.fastviewer.com"", ""fastviewer.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fastviewer_network_sigma.yml"", ""Description"": ""Detects potential network activity of FastViewer RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fastviewer_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of FastViewer RMM tool""}]",https://fastviewer.com/demo/EN_FastViewer_Server%20Installation%20Configuration.pdf,[] -RustDesk,,RustDesk is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rustdesk*.exe, rustdesk.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""rustdesk.com"", ""user_managed"", ""web.rustdesk.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rustdesk_network_sigma.yml"", ""Description"": ""Detects potential network activity of RustDesk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rustdesk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RustDesk RMM tool""}]",https://rustdesk.com/docs/en/,[] -MobaXterm,,MobaXterm is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\MobaXterm_installer_12.1.msi, *\MobaXterm_installer_*.msi, *\Mobatek\MobaXterm\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -GoToAssist,,GoToAssist is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"gotoassist.exe, g2a*.exe, GoTo Assist Opener.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""goto.com"", ""*.getgo.com"", ""*.fastsupport.com"", ""*.gotoassist.com"", ""helpme.net"", ""*.gotoassist.me"", ""*.gotoassist.at"", ""*.desktopstreaming.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotoassist_network_sigma.yml"", ""Description"": ""Detects potential network activity of GoToAssist RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotoassist_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of GoToAssist RMM tool""}]",https://help.gotoassist.com/remote-support/help/what-should-i-allow-on-my-firewall-for-gotoassist-remote-support-v5,[] -Free Ping Tool,,Free Ping Tool is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"can't find this one, can't find this one","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -HelpBeam,,HelpBeam is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,helpbeam*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""helpbeam.software.informer.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpbeam_network_sigma.yml"", ""Description"": ""Detects potential network activity of HelpBeam RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpbeam_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of HelpBeam RMM tool""}]",https://www.helpbeam.com domain for sale in 2024,[] -NTR Remote,,NTR Remote is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,NTRsupportPro_EN.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.ntrsupport.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ntr_remote_network_sigma.yml"", ""Description"": ""Detects potential network activity of NTR Remote RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ntr_remote_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NTR Remote RMM tool""}]",DOA as of 2024,[] -ServerEye,,ServerEye is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"servereye*.exe, ServiceProxyLocalSys.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.server-eye.de""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/servereye_network_sigma.yml"", ""Description"": ""Detects potential network activity of ServerEye RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/servereye_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ServerEye RMM tool""}]",https://www.servereye.de/wp-content/uploads/Anleitung-zur-Erstinstallation_aktuell.pdf,[] -WebRDP,,WebRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,webrdp.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""github.com/Mikej81/WebRDP""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/webrdp_network_sigma.yml"", ""Description"": ""Detects potential network activity of WebRDP RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/webrdp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of WebRDP RMM tool""}]",github.com/Mikej81/WebRDP,[] +FleetDeck.io,,FleetDeck.io is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"fleetdeck_agent_svc.exe, fleetdeck_commander_svc.exe, fleetdeck_installer.exe, fleetdeck_commander_launcher.exe, fleetdeck_agent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.fleetdeck.io"", ""cognito-idp.us-west-2.amazonaws.com"", ""fleetdeck.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdesk.io_network_sigma.yml"", ""Description"": ""Detects potential network activity of FleetDesk.io RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdesk.io_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of FleetDesk.io RMM tool""}]",https://fleetdeck.io/faq/,[] +HelpU,,HelpU is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"helpu_install.exe, HelpuUpdater.exe, HelpuManager.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""helpu.co.kr"", ""*.helpu.co.kr""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpu_network_sigma.yml"", ""Description"": ""Detects potential network activity of HelpU RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpu_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of HelpU RMM tool""}]",https://helpu.co.kr/,[] +ToDesk,,ToDesk is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"todesk.exe, ToDesk_Service.exe, ToDesk_Setup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""todesk.com"", ""*.todesk.com"", ""*.todesk.com"", ""todesktop.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/todesk_network_sigma.yml"", ""Description"": ""Detects potential network activity of ToDesk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/todesk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ToDesk RMM tool""}]",https://www.todesk.com/,[] +RAdmin,,"RAdmin is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. +",Nasreddine Bencherchali,2024-08-05,2024-08-05,https://www.radmin.com/,RServer3.exe,RServer3.exe,Radmin Server,Radmin Server,,,,Windows,,,"C:\Program Files (x86)\Radmin Viewer 3\Radmin.exe, C:\Windows\SysWOW64\rserver30\rserver3.exe, C:\Windows\SysWOW64\rserver30\FamItrfc, C:\Windows\SysWOW64\rserver30\FamItrf2","{""Disk"": [{""File"": ""C:\\Windows\\SysWOW64\\rserver30\\Radm_log.htm"", ""Description"": ""RAdmin log file (32-bit)"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\System32\\rserver30\\Radm_log.htm"", ""Description"": ""RAdmin log file (64-bit)"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\System32\\rserver30\\CHATLOGS\\*\\*.htm"", ""Description"": ""RAdmin chat logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Users\\*\\Documents\\ChatLogs\\*\\*.htm"", ""Description"": ""RAdmin user chat logs"", ""OS"": ""Windows""}], ""EventLog"": [], ""Registry"": [{""Path"": ""HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Radmin\\v3.0\\Server\\Parameters\\Radmin Security"", ""Description"": ""N/A""}], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""radmin.com""], ""Ports"": [443]}]}","[{""Sigma"": 
""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_pua_radmin.yml"", ""Description"": ""PUA - Radmin Viewer Utility Execution""}, {""Sigma"": ""https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml"", ""Description"": ""Enumeration for 3rd Party Creds From CLI""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of RAdmin RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_network_sigma.yml"", ""Description"": ""Detects potential network activity of RAdmin RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_files_sigma.yml"", ""Description"": ""Detects potential files activity of RAdmin RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RAdmin RMM tool""}]","https://radmin-club.com/radmin/how-to-establish-a-connection-outside-of-lan/, https://helpdesk.radmin.com/radmin3help/, https://helpdesk.radmin.com/radmin3help/files/viewercmd.htm, https://helpdesk.radmin.com/radmin3help/files/cmd.htm","[{""Person"": ""Nasreddine Bencherchali"", ""Handle"": ""@nas_bench""}]" +CrossLoop,,CrossLoop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"crossloopservice.exe, CrossLoopConnect.exe, WinVNCStub.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.crossloop.com"", ""crossloop.en.softonic.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crossloop_network_sigma.yml"", ""Description"": ""Detects potential network activity of CrossLoop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crossloop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of CrossLoop RMM tool""}]",www.CrossLoop.com -> redirects to avast.com,[] +Centurion,,Centurion is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,ctiserv.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""centuriontech.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centurion_network_sigma.yml"", ""Description"": ""Detects potential network activity of Centurion RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centurion_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Centurion RMM tool""}]",https://data443.atlassian.net/servicedesk/customer/portal/20,[] +KickIdler,,KickIdler is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"grabberEM.*msi, grabberTT*.msi","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""kickidler.com"", ""my.kickidler.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kickidler_network_sigma.yml"", ""Description"": ""Detects potential network activity of KickIdler RMM tool""}]",https://www.kickidler.com/for-it/faq/,[] +Syncro,,Syncro is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/13/2024,,,,,,,,,,,,"Syncro.Installer.exe, Kabuto.App.Runner.exe, Syncro.Overmind.Service.exe, Kabuto.Installer.exe, KabutoSetup.exe, Syncro.Service.exe, Kabuto.Service.Runner.exe, Syncro.App.Runner.exe, SyncroLive.Service.exe, SyncroLive.Agent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""kabuto.io"", ""*.syncromsp.com"", ""*.syncroapi.com"", ""syncromsp.com"", ""servably.com"", ""ld.aurelius.host"", ""app.kabuto.io "", ""*.kabutoservices.com"", ""repairshopr.com"", ""kabutoservices.com"", ""attachments.servably.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncro_network_sigma.yml"", ""Description"": ""Detects potential network activity of Syncro RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncro_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Syncro RMM tool""}]",https://community.syncromsp.com/t/syncro-exceptions-and-allowlists/2004,[] +AweRay,,AweRay is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"aweray_remote*.exe, AweSun.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""asapi*.aweray.net"", ""client-api.aweray.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray_network_sigma.yml"", ""Description"": ""Detects potential network activity of AweRay RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of AweRay RMM tool""}]",https://sun.aweray.com/help,[] +SunLogin,,SunLogin is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"OrayRemoteShell.exe, OrayRemoteService.exe, sunlogin*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""sunlogin.oray.com"", ""client.oray.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sunlogin_network_sigma.yml"", ""Description"": ""Detects potential network activity of SunLogin RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sunlogin_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SunLogin RMM tool""}]",https://sunlogin.oray.com/en/embed/software.html,[] +Koofr,,Koofr is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +SysAid,,SysAid is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\SysAidServer\*, *\SysAidServer\*, *\SysAid\*, *\IliAS.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sysaid_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SysAid RMM tool""}]",,[] +Neturo,,Neturo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"neturo*.exe, ntrntservice.exe, neturo.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""neturo.uplus.co.kr""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/neturo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Neturo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/neturo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Neturo RMM tool""}]","Obscure, located an older copy here: http://www.iconpos.com/pos/home/iconpos/bbs.php?id=file&q=view&uid=2",[] +SmarTTY,,SmarTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"c:\Program Files (x86)\Sysprogs\SmarTTY\*, *\Sysprogs\SmarTTY\*, *\SmarTTY.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/smartty_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SmarTTY RMM tool""}]",,[] +Impero Connect,,Impero Connect is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,ImperoClientSVC.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""imperosoftware.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/impero_connect_network_sigma.yml"", ""Description"": ""Detects potential network activity of Impero Connect RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/impero_connect_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Impero Connect RMM tool""}]",,[] +247ithelp.com (ConnectWise),,247ithelp.com (ConnectWise) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,Remote Workforce Client.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.247ithelp.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/247ithelp.com__connectwise__network_sigma.yml"", ""Description"": ""Detects potential network activity of 247ithelp.com (ConnectWise) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/247ithelp.com__connectwise__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of 247ithelp.com (ConnectWise) RMM tool""}]",Similar / replaced by ScreenConnect,[] +Remobo,,Remobo is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"remobo.exe, remobo_client.exe, remobo_tracker.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""remobo.en.softonic.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remobo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Remobo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remobo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remobo RMM tool""}]",https://www.remobo.com - DOA as of 2024,[] +Free Tools Launcher,,Free Tools Launcher is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\ManageEngine\ManageEngine Free Tools\Launcher\*, *\ManageEngine\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Echoware,,Echoware is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"echoserver*.exe, echoware.dll","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/echoware_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Echoware RMM tool""}]",,[] +Zoho Assist,,Zoho Assist is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"zaservice.exe, ZMAgent.exe, C:\*\ZA_Access.exe, ZohoMeeting.exe, Zohours.exe, zohotray.exe, ZohoURSService.exe, *\ZA_Access.exe, Zaservice.exe, za_connect.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.zoho.com.au"", ""*.zohoassist.jp"", ""assist.zoho.com"", ""zoho.com/assist/"", ""*.zoho.in"", ""downloads.zohodl.com.cn"", ""*.zohoassist.com"", ""downloads.zohocdn.com"", ""gateway.zohoassist.com"", ""*.zohoassist.com.cn"", ""*.zoho.com.cn"", ""*.zoho.com"", ""*.zoho.eu""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoho_assist_network_sigma.yml"", ""Description"": ""Detects potential network activity of Zoho Assist RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoho_assist_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Zoho Assist RMM tool""}]",https://www.zoho.com/assist/kb/firewall-configuration.html,[] +KiTTY,,KiTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\kitty.exe, *\kitty.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kitty_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of KiTTY RMM tool""}]",,[] +SimpleHelp,,SimpleHelp is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"simplehelpcustomer.exe, simpleservice.exe, simplegatewayservice.exe, remote access.exe, windowslauncher.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""simple-help.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/simplehelp_network_sigma.yml"", ""Description"": ""Detects potential network activity of SimpleHelp RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/simplehelp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SimpleHelp RMM tool""}]",https://simple-help.com/remote-support,[] +CloudFlare Tunnel,,CloudFlare Tunnel is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,cloudflared.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""cloudflare.com/products/tunnel/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudflare_tunnel_network_sigma.yml"", ""Description"": ""Detects potential network activity of CloudFlare Tunnel RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudflare_tunnel_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of CloudFlare Tunnel RMM tool""}]",cloudflare.com/products/tunnel/,[] GoTo Opener,,GoTo Opener is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\GoTo Opener, *\GoTo Opener","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -S3 Browser,,S3 Browser is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\S3 Browser\*, *\S3 Browser\*, *\s3browser*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/s3_browser_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of S3 Browser RMM tool""}]",,[] -Any Support,,Any Support is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/27/2024,,,,,,,,,,,,ManualLauncher.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.anysupport.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/any_support_network_sigma.yml"", ""Description"": ""Detects potential network activity of Any Support RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/any_support_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Any Support RMM tool""}]",https://www.anysupport.net/introduce_howto.php,[] +Pcvisit,,Pcvisit is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"pcvisit.exe, pcvisit_client.exe, pcvisit-easysupport.exe, pcvisit_service_client.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.pcvisit.de"", ""pcvisit.de""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcvisit_network_sigma.yml"", ""Description"": ""Detects potential network activity of Pcvisit RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcvisit_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pcvisit RMM tool""}]",https://www.pcvisit.de/,[] +Mocha VNC Lite,,Mocha VNC Lite is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"This installs a modified VNC and cannot be blocked by path separate from VNC, This installs a modified VNC and cannot be blocked by path separate from VNC, *\RealVNC\VNC4\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Laplink Gold,,Laplink Gold is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"tsircusr.exe, laplink.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""wen.laplink.com/product/laplink-gold""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_gold_network_sigma.yml"", ""Description"": ""Detects potential network activity of Laplink Gold RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_gold_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Laplink Gold RMM tool""}]",wen.laplink.com/product/laplink-gold,[] +Iperius Remote,,Iperius Remote is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"iperius.exe, iperiusremote.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.iperiusremote.com"", ""*.iperius.com"", ""*.iperius-rs.com"", ""iperiusremote.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/iperius_remote_network_sigma.yml"", ""Description"": ""Detects potential network activity of Iperius Remote RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/iperius_remote_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Iperius Remote RMM tool""}]",https://www.iperiusremote.com/download-iperius-remote-desktop-windows.aspx,[] BeamYourScreen,,BeamYourScreen is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"beamyourscreen.exe, beamyourscreen-host.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""beamyourscreen.com"", ""*.beamyourscreen.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beamyourscreen_network_sigma.yml"", ""Description"": ""Detects potential network activity of BeamYourScreen RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beamyourscreen_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of BeamYourScreen RMM tool""}]",beamyourscreen redirects to https://www.mikogo.com/,[] -Sophos-Remote Management System,,Sophos-Remote Management System is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"clientmrinit.exe, mgntsvc.exe, routernt.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.sophos.com"", ""*.sophosupd.com"", ""*.sophosupd.net"", ""community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sophos-remote_management_system_network_sigma.yml"", ""Description"": ""Detects potential network activity of Sophos-Remote Management System RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sophos-remote_management_system_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Sophos-Remote Management System RMM tool""}]",community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system,[] -PSEXEC (Clone),,PSEXEC (Clone) is a remote monitoring and management (RMM) 
tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"paexec.exe, PAExec-*.exe, csexec.exe , remcom.exe, remcomsvc.exe, xcmd.exe, xcmdsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec__clone__network_sigma.yml"", ""Description"": ""Detects potential network activity of PSEXEC (Clone) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec__clone__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of PSEXEC (Clone) RMM tool""}]",https://www.poweradmin.com/paexec/,[] -GetScreen,,GetScreen is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"GetScreen.exe, getscreen.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""getscreen.me"", ""GetScreen.me"", ""*.getscreen.me""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/getscreen_network_sigma.yml"", ""Description"": ""Detects potential network activity of GetScreen RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/getscreen_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of GetScreen RMM tool""}]",https://docs.getscreen.me/self-hosted/system-requirements/,[] -RemotePC,,RemotePC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"C:\Program Files (x86)\RemotePC\*, Idrive.File-Transfer, *\RemotePC\*, remotepcservice.exe, RemotePC.exe, remotepchost.exe, idrive.RemotePCAgent, rpcsuite.exe, *\RemotePCService.exe, RemotePCService.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.remotedesktop.com"", ""*.remotepc.com"", ""www.remotepc.com"", ""remotepc.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepc_network_sigma.yml"", ""Description"": ""Detects potential network activity of RemotePC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RemotePC RMM tool""}]",https://www.remotedesktop.com/helpdesk/faq-firewall,[] -Tanium,,Tanium is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"TaniumClient.exe, TaniumCX.exe, TaniumExecWrapper.exe, TaniumFileInfo.exe, TPowerShell.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""cloud.tanium.com"", ""*.cloud.tanium.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_network_sigma.yml"", ""Description"": ""Detects potential network activity of Tanium RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Tanium RMM tool""}]",https://help.tanium.com/bundle/ug_client_cloud/page/client/platform_connections.html,[] -LabTeach (Connectwise Automate),,LabTeach (Connectwise Automate) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,ltsvc.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labteach__connectwise_automate__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of LabTeach (Connectwise Automate) RMM tool""}]",,[] -RemoteView,,RemoteView is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"remoteview.exe, rv.exe, rvagent.exe, rvagtray.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*content.rview.com"", ""*.rview.com"", ""content.rview.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteview_network_sigma.yml"", ""Description"": ""Detects potential network activity of RemoteView RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteview_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RemoteView RMM tool""}]",https://help.rview.com/hc/en-us/articles/360005175994--RemoteView-Server-list-for-firewall,[] -UltraVNC,,UltraVNC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,UltraVNC*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""ultravnc.com"", ""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultravnc_network_sigma.yml"", ""Description"": ""Detects potential network activity of UltraVNC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultravnc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of UltraVNC RMM tool""}]",https://uvnc.com/docs/uvnc-server/49-UltraVNC-server-configuration.html,[] -SmarTTY,,SmarTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"c:\Program Files (x86)\Sysprogs\SmarTTY\*, *\Sysprogs\SmarTTY\*, *\SmarTTY.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/smartty_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SmarTTY RMM tool""}]",,[] -Absolute (Computrace),,Absolute (Computrace) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,6/18/2024,,,,,,,,,,,,"rpcnet.exe, ctes.exe, ctespersitence.exe, cteshostsvc.exe, rpcld.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*search.namequery.com"", ""*server.absolute.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/absolute__computrace__network_sigma.yml"", ""Description"": ""Detects potential network activity of Absolute (Computrace) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/absolute__computrace__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Absolute (Computrace) RMM tool""}]",https://community.absolute.com/s/article/Understanding-Absolutes-Endpoint-Agents-Rpcnet-CTES-and-search-namequery-com,[] +TeleDesktop,,TeleDesktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"pstlaunch.exe, ptdskclient.exe, ptdskhost.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""tele-desk.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teledesktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of TeleDesktop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teledesktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of TeleDesktop RMM tool""}]",http://potomacsoft.com/ - DOA as of 2024,[] +Parallels Access,,Parallels Access is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"parallelsaccess-*.exe, TSClient.exe, prl_deskctl_agent.exe, prl_deskctl_wizard.exe, prl_pm_service.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.parallels.com"", ""parallels.com/products/ras/try""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/parallels_access_network_sigma.yml"", ""Description"": ""Detects potential network activity of Parallels Access RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/parallels_access_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Parallels Access RMM tool""}]",https://kb.parallels.com/en/129097,[] +Basecamp,,Basecamp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""basecamp.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/basecamp_network_sigma.yml"", ""Description"": ""Detects potential network activity of Basecamp RMM tool""}]",basecamp.com - No specific RMM tool listed,[] +Weezo,,Weezo is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"weezohttpd.exe, weezo.exe, weezo setup*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.weezo.me"", ""weezo.net"", ""*.weezo.net"", ""weezo.en.softonic.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/weezo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Weezo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/weezo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Weezo RMM tool""}]",weezo.en.softonic.com,[] +X2Go,,X2Go is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],https://wiki.x2go.org/doku.php,[] +Dev Tunnels (aka Visual Studio Dev Tunnel),,Dev Tunnels (aka Visual Studio Dev Tunnel) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dev_tunnels__aka_visual_studio_dev_tunnel__network_sigma.yml"", ""Description"": ""Detects potential network activity of Dev Tunnels (aka Visual Studio Dev Tunnel) RMM tool""}]",,[] +Connectwise Automate (LabTech),,Connectwise Automate (LabTech) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"ltsvc.exe, ltsvcmon.exe, lttray.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.hostedrmm.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_automate__labtech__network_sigma.yml"", ""Description"": ""Detects potential network activity of Connectwise Automate (LabTech) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_automate__labtech__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Connectwise Automate (LabTech) RMM tool""}]",https://www.connectwise.com/company/announcements/labtech-now-connectwise-automate,[] +Splashtop (Beta),,Splashtop (Beta) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"SRServer.exe, SplashtopSOS.exe, Splashtop_Streamer_Windows*.exe, SRManager.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""splashtop.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop__beta__network_sigma.yml"", ""Description"": ""Detects potential network activity of Splashtop (Beta) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop__beta__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Splashtop (Beta) RMM tool""}]",,[] +Netop,,Netop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\Danware Data\NetOp Packn Deploy\*, *\Danware Data\NetOp Packn Deploy\*, *\Netop Remote Control\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Kaseya (VSA),,"Kaseya (VSA) aka Unigma is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. +",Nasreddine Bencherchali,2024-08-05,2024-08-05,,agentmon.exe,,,,,,,,,,"C:\Program Files (x86)\Kaseya\, C:\ProgramData\Kaseya\","{""Disk"": [{""File"": ""%localappdata%\\Kaseya\\Log\\KaseyaLiveConnect\\*"", ""Description"": ""Kaseya Live Connect logs"", ""OS"": ""Windows""}, {""File"": ""~/Library/Logs/com.kaseya/KaseyaLiveConnect/*"", ""Description"": ""Kaseya Live Connect logs"", ""OS"": ""MacOS""}, {""File"": ""C:\\ProgramData\\Kaseya\\Log\\Endpoint\\*"", ""Description"": ""Kaseya Endpoint logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files*\\Kaseya\\*\\agentmon.log"", ""Description"": ""Kaseya Agent Monitor log""}, {""File"": ""/var/log/system.log"", ""Description"": ""Kaseya Agent Monitor log"", ""OS"": ""MacOS 32bit""}, {""File"": "" ~/opt/kaseya/*/logs*"", ""Description"": ""Kaseya Agent Monitor log"", ""OS"": ""MacOS 64bit""}, {""File"": ""C:\\Users\\*\\AppData\\Local\\Temp\\KASetup.log"", ""Description"": ""Kaseya Setup log in user temp directory"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\Temp\\KASetup.log"", ""Description"": ""Kaseya Setup log in Windows temp directory"", ""OS"": ""Windows""}, {""File"": ""C:\\ProgramData\\Kaseya\\Log\\KaseyaEdgeServices\\*"", ""Description"": ""Kaseya Edge Services logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Kaseya\\api\\v1.0\\logs\\"", ""Description"": ""Kaseya API logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Kaseya\\api\\v1.5\\endpoint\\logs"", ""Description"": ""Kaseya API logs"", ""OS"": ""Windows""}, {""File"": ""C:\\Kaseya\\api\\v1.5\\endpoints\\logs"", ""Description"": ""Kaseya API logs"", 
""OS"": ""Windows""}, {""File"": ""C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Kaseya\\Log\\MakeSelfSignedCert.exe\\"", ""Description"": ""Certificate creation"", ""OS"": ""Windows""}, {""File"": ""C:\\Kaseya\\WebPages\\install\\makecert.txt"", ""Description"": ""Certificate creation"", ""OS"": ""Windows""}, {""File"": ""C:\\ProgramData\\Kaseya\\Log\\Endpoint\\Instance_*\\KaseyaEndpoint*"", ""Description"": ""Endpoint service logs"", ""OS"": ""Windows""}, {""File"": ""C:\\ProgramData\\Kaseya\\Log\\Endpoint\\Instance_*\\Session_*"", ""Description"": ""Session logs"", ""OS"": ""Windows""}], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""deploy01.kaseya.com"", ""*managedsupport.kaseya.net"", ""*.kaseya.net"", ""kaseya.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kaseya__vsa__network_sigma.yml"", ""Description"": ""Detects potential network activity of Kaseya (VSA) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kaseya__vsa__files_sigma.yml"", ""Description"": ""Detects potential files activity of Kaseya (VSA) RMM tool""}]","https://helpdesk.kaseya.com/hc/en-gb/articles/229012608-Software-Deployment-URL-Port-Requirements, https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations, https://ruler-project.github.io/ruler-project/RULER/remote/Kaseya/, https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations",[] +HelpBeam,,HelpBeam is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,helpbeam*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""helpbeam.software.informer.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpbeam_network_sigma.yml"", ""Description"": ""Detects potential network activity of HelpBeam RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpbeam_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of HelpBeam RMM tool""}]",https://www.helpbeam.com domain for sale in 2024,[] Quest KACE Agent (formerly Dell KACE),,Quest KACE Agent (formerly Dell KACE) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,konea.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.kace.com"", ""www.quest.com/kace/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quest_kace_agent__formerly_dell_kace__network_sigma.yml"", ""Description"": ""Detects potential network activity of Quest KACE Agent (formerly Dell KACE) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quest_kace_agent__formerly_dell_kace__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Quest KACE Agent (formerly Dell KACE) RMM tool""}]",https://support.quest.com/kb/4211365/which-network-ports-and-urls-are-required-for-the-kace-sma-appliance-to-function,[] DeskShare,,DeskShare is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"TeamTaskManager.exe, DSGuest.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskshare_network_sigma.yml"", ""Description"": ""Detects potential network activity of DeskShare RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskshare_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DeskShare RMM tool""}]",https://www.deskshare.com/help/fml/Active-and-Passive-connection-mode.aspx,[] -Pocket Cloud (Wyse),,Pocket Cloud (Wyse) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"pocketcloud*.exe, pocketcloudservice.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_cloud__wyse__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pocket Cloud (Wyse) RMM tool""}]",https://wyse-pocketcloud.informer.com/2.1/,[] -Pilixo,,Pilixo is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rdp.exe, Pilixo_Installer*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""pilixo.com"", ""download.pilixo.com"", ""*.pilixo.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pilixo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Pilixo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pilixo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pilixo RMM tool""}]",https://pilixo.freshdesk.com/support/solutions/articles/9000141879-device-connectivity-and-firewalls,[] -Mikogo,,Mikogo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"mikogo.exe, mikogo-starter.exe, mikogo-service.exe, mikogolauncher.exe, C:\Users\*\AppData\Roaming\Mikogo\*, *Users\*\AppData\Roaming\Mikogo\*, *\Mikogo-Service.exe, *\Mikogo-Screen-Service.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.real-time-collaboration.com"", ""*.mikogo4.com"", ""*.mikogo.com"", ""mikogo.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mikogo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Mikogo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mikogo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Mikogo RMM tool""}]",https://mikogo.zendesk.com/hc/en-us/articles/214072478-Which-IP-addresses-do-we-use-for-our-services,[] -WebEx (Remote Access),,WebEx (Remote Access) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],https://help.webex.com/en-us/article/nyc3q0b/Set-Up-a-Computer-for-Remote-Access,[] -Koofr,,Koofr is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Duplicati,,Duplicati is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"c:\Program Files\*\Duplicati.Server.exe, *\*\Duplicati.Server.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/duplicati_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Duplicati RMM tool""}]",,[] -ManageEngine RMM Central,,ManageEngine RMM Central is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""manageengine.com/remote-monitoring-management/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manageengine_rmm_central_network_sigma.yml"", ""Description"": ""Detects potential network activity of ManageEngine RMM Central RMM tool""}]",,[] -WinSCP,,WinSCP is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\IEUser\Downloads\WinSCP-5.21.6-Portable\*, *\WinSCP*Portable\*, *\WinSCP.exe, *\WinSCP\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/winscp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of WinSCP RMM tool""}]",,[] +rdpwrap,,rdpwrap is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"RDPWInst.exe, RDPCheck.exe, RDPConf.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""github.com/stascorp/rdpwrap""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpwrap_network_sigma.yml"", ""Description"": ""Detects potential network activity of rdpwrap RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpwrap_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of rdpwrap RMM tool""}]",github.com/stascorp/rdpwrap,[] +Total Software Deployment,,Total Software Deployment is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\ProgramData\Total Software Deployment\*, *\Total Software Deployment\*, *\tniwinagent.exe, *\Tsdservice.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/total_software_deployment_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Total Software Deployment RMM tool""}]",,[] +PuTTY,,PuTTY is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +RDPView,,RDPView is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,dwrcs.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""systemmanager.ru/dntu.en/rdp_view.htm""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpview_network_sigma.yml"", ""Description"": ""Detects potential network activity of RDPView RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpview_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RDPView RMM tool""}]",systemmanager.ru/dntu.en/rdp_view.htm - Same as Damware,[] +Fortra,,Fortra is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""fortra.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fortra_network_sigma.yml"", ""Description"": ""Detects potential network activity of Fortra RMM tool""}]",https://www.fortra.com - No free/cloud RMM softwars listed,[] +ISL Light,,ISL Light is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"islalwaysonmonitor.exe, isllight.exe, isllightservice.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""islonline.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_light_network_sigma.yml"", ""Description"": ""Detects potential network activity of ISL Light RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_light_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ISL Light RMM tool""}]",,[] +Pocket Controller (Soti Xsight),,Pocket Controller (Soti Xsight) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"pocketcontroller.exe, wysebrowser.exe, XSightService.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*soti.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller__soti_xsight__network_sigma.yml"", ""Description"": ""Detects potential network activity of Pocket Controller (Soti Xsight) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller__soti_xsight__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pocket Controller (Soti Xsight) RMM tool""}]",https://pulse.soti.net/support/soti-xsight/help/,[] GatherPlace-desktop sharing,,GatherPlace-desktop sharing is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"gp3.exe, gp4.exe, gp5.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.gatherplace.com"", ""*.gatherplace.net"", ""gatherplace.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gatherplace-desktop_sharing_network_sigma.yml"", ""Description"": ""Detects potential network activity of GatherPlace-desktop sharing RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gatherplace-desktop_sharing_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of GatherPlace-desktop sharing RMM tool""}]",https://www.gatherplace.com/kb?id=136377,[] -Laplink Gold,,Laplink Gold is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"tsircusr.exe, laplink.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""wen.laplink.com/product/laplink-gold""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_gold_network_sigma.yml"", ""Description"": ""Detects potential network activity of Laplink Gold RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_gold_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Laplink Gold RMM tool""}]",wen.laplink.com/product/laplink-gold,[] -Centurion,,Centurion is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,ctiserv.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""centuriontech.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centurion_network_sigma.yml"", ""Description"": ""Detects potential network activity of Centurion RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centurion_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Centurion RMM tool""}]",https://data443.atlassian.net/servicedesk/customer/portal/20,[] -Ivanti Remote Control,,Ivanti Remote Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"IvantiRemoteControl.exe, ArcUI.exe, AgentlessRC.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.ivanticloud.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ivanti_remote_control_network_sigma.yml"", ""Description"": ""Detects potential network activity of Ivanti Remote Control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ivanti_remote_control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Ivanti Remote Control RMM tool""}]",https://rc1.ivanticloud.com/,[] -NordLocker,,NordLocker is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Xeox,,Xeox is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"xeox-agent_x64.exe, xeox_service_windows.exe, xeox-agent_*.exe, xeox-agent_x86.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.xeox.com"", ""xeox.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xeox_network_sigma.yml"", ""Description"": ""Detects potential network activity of Xeox RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xeox_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Xeox RMM tool""}]",https://help.xeox.com/knowledge-base/gSuyNfDH6u79M82utnswf2/firewall-settings-xeox-agent-and-integrations/47T7S9tZJ2L1Z2W5gwuXoW,[] -ezHelp,,ezHelp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"ezhelpclientmanager.exe, ezHelpManager.exe, ezhelpclient.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.ezhelp.co.kr"", ""ezhelp.co.kr""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ezhelp_network_sigma.yml"", ""Description"": ""Detects potential network activity of ezHelp RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ezhelp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ezHelp RMM tool""}]",https://www.exhelp.co.kr,[] -Level.io,,Level.io is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"level-windows-amd64.exe, level.exe, level-remote-control-ffmpeg.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""level.io"", ""*.level.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_network_sigma.yml"", ""Description"": ""Detects potential network activity of Level.io RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Level.io RMM tool""}]",https://docs.level.io/1.0/admin-guides/troubleshooting-agent-issues,[] -MultCloud,,MultCloud is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"requires sign up, requires sign up","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Synergy,,Synergy is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/synergy_network_sigma.yml"", ""Description"": ""Detects potential network activity of Synergy RMM tool""}]",https://symless.com/synergy,[] -OptiTune,,OptiTune is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"OTService.exe, OTPowerShell.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.optitune.us"", ""*.opti-tune.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/optitune_network_sigma.yml"", ""Description"": ""Detects potential network activity of OptiTune RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/optitune_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of OptiTune RMM tool""}]",https://www.bravurasoftware.com/optitune/support/faq.aspx,[] -Netop,,Netop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\Danware Data\NetOp Packn Deploy\*, *\Danware Data\NetOp Packn Deploy\*, *\Netop Remote Control\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -ConnectWise,,ConnectWise is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\ScreenConnect Client ()\*, *\ScreenConnect*Client*\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -Encapto,,Encapto is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""encapto.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/encapto_network_sigma.yml"", ""Description"": ""Detects potential network activity of Encapto RMM tool""}]",https://www.encapto.com - used to manage Cisco services,[] +Site24x7,,Site24x7 is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/13/2024,,,,,,,,,,,,"MEAgentHelper.exe, MonitoringAgent.exe, Site24x7WindowsAgentTrayIcon.exe, Site24x7PluginAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""plus*.site24x7.com"", ""plus*.site24x7.eu"", ""plus*.site24x7.in"", ""plus*.site24x7.cn"", ""plus*.site24x7.net.au"", ""site24x7.com/msp""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/site24x7_network_sigma.yml"", ""Description"": ""Detects potential network activity of Site24x7 RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/site24x7_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Site24x7 RMM tool""}]",https://support.site24x7.com/portal/en/kb/articles/which-ports-do-i-need-to-allow-access-in-my-firewall-to-use-site24x7-agent,[] +MeshCentral,,"MeshCentral is a remote monitoring and management (RMM) tool. MeshAgent used along with MeshCentral to remotely manage computers. MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes. +",@kostastsale,2024-09-20,2024-09-20,https://meshcentral.com/,MeshAgent.exe,,MeshCentral Background Service Agent,,SYSTEM,Yes,N/A,"Windows, Linux, MacOS, FreeBSD","Remote Desktop & Terminal, Remote File Access, Text and Voice Chat, Server File Storage, Real-time User interface, Port Forwarding",CVE-2024-26135,"meshcentral*.exe, meshagent*.exe","{""Disk"": [{""File"": ""C:\\Program Files\\Mesh Agent\\MeshAgent.exe"", ""Description"": ""Local MeshAgent service binary after installation"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\Mesh Agent\\MeshAgent.msh"", ""Description"": ""Local MeshAgent service configuration file. 
Contains configuration settings including the MeshCentral server address, port, and other settings. If the MeshAgent is run without being installed, the configuration file is created in the same directory as the MeshAgent binary."", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""Mesh Agent background service"", ""ImagePath"": ""\""C:\\\\Program Files\\\\Mesh Agent\\\\MeshAgent.exe\"""", ""Description"": ""Service installation event as result of MeshAgent installation.""}], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""meshcentral.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_network_sigma.yml"", ""Description"": ""Detects potential network activity of MeshCentral RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MeshCentral RMM tool""}, {""Sigma"": ""https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/proc_creation_windows_meshagent.yml"", ""Description"": ""Detects MeshAgent Command Execution via MeshCentral""}]","https://ylianst.github.io/MeshCentral/meshcentral/, https://github.com/Ylianst/MeshAgent","[{""Person"": ""Kostas"", ""Handle"": ""@kostastsale""}]" +MSP360,,MSP360 is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"Online Backup.exe, CBBackupPlan.exe, Cloud.Backup.Scheduler.exe, Cloud.Backup.RM.Service.exe, cbb.exe, CloudRaService.exe, CloudRaSd.exe, CloudRaCmd.exe, CloudRaUtilities.exe, Remote Desktop.exe, Connect.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.cloudberrylab.com"", ""*.msp360.com"", ""*.mspbackups.com"", ""msp360.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/msp360_network_sigma.yml"", ""Description"": ""Detects potential network activity of MSP360 RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/msp360_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MSP360 RMM tool""}]",https://kb.msp360.com/managed-backup-service/mbs-tcp-ports-configuration#,[] +ScreenConnect,,ScreenConnect is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,"Ali Alwashali, Nasreddine Bencherchali",2023-10-01,2024-08-03,https://www.connectwise.com,,,,,,14-Days Free Trial,,"Android, IOS, Linux, Mac, Windows","Command Line Support, File Transfer, Install Windows updates, Receive notification when user performs a predefined event, Remote Command Line, Remote Control, Sound Capture, Start / Stop services, View event logs",,"C:\Program Files (x86)\ScreenConnect Client (Random)\ScreenConnect.ClientService.exe, Remote Workforce Client.exe, *\*\ScreenConnect.ClientService.exe, C:\Program Files (x86)\ScreenConnect Client ()\*, *\ScreenConnect Client*\*, *\*\ScreenConnect.WindowsClient.exe, screenconnect*.exe, screenconnect.windowsclient.exe, Remote Workforce Client.exe, screenconnect*.exe, ConnectWiseControl*.exe, connectwise*.exe, screenconnect.windowsclient.exe, screenconnect.clientservice.exe","{""Disk"": [{""File"": ""C:\\Program Files*\\ScreenConnect\\App_Data\\Session.db"", ""Description"": ""ScreenConnect session database"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files*\\ScreenConnect\\App_Data\\User.xml"", ""Description"": ""ScreenConnect user configuration"", ""OS"": ""Windows""}, {""File"": ""C:\\ProgramData\\ScreenConnect Client*\\user.config"", ""Description"": ""ScreenConnect client user configuration"", ""OS"": ""Windows""}], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""control.connectwise.com"", ""*.connectwise.com"", ""*.screenconnect.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_network_sigma.yml"", ""Description"": ""Detects potential network activity of ScreenConnect RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_files_sigma.yml"", ""Description"": ""Detects potential files activity of ScreenConnect RMM tool""}, {""Sigma"": 
""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ScreenConnect RMM tool""}]",https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours/,[] +Microsoft TSC,,Microsoft TSC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"termsrv.exe, mstsc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_tsc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Microsoft TSC RMM tool""}]",https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/terminal-server-startup-connection-application,[] +Tanium,,Tanium is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"TaniumClient.exe, TaniumCX.exe, TaniumExecWrapper.exe, TaniumFileInfo.exe, TPowerShell.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""cloud.tanium.com"", ""*.cloud.tanium.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_network_sigma.yml"", ""Description"": ""Detects potential network activity of Tanium RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Tanium RMM tool""}]",https://help.tanium.com/bundle/ug_client_cloud/page/client/platform_connections.html,[] +Ultra VNC,,Ultra VNC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\uvnc bvba\UltraVNC\*, *\uvnc bvba\UltraVNC\*, *\UVNC_Launch.exe, *\winvnc.exe, *\vncviewer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultra_vnc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Ultra VNC RMM tool""}]",,[] +Remote Manipulator System,,Remote Manipulator System is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rfusclient.exe, rutserv.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.internetid.ru"", ""rmansys.ru""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_manipulator_system_network_sigma.yml"", ""Description"": ""Detects potential network activity of Remote Manipulator System RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_manipulator_system_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remote Manipulator System RMM tool""}]",https://rmansys.ru/files/,[] +Domotz,,Domotz is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"domotz.exe, Domotz Pro Desktop App.exe, domotz_bash.exe, domotz*.exe, Domotz Pro Desktop App Setup*.exe, domotz-windows*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.domotz.co"", ""domotz.com"", ""*cell-1.domotz.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/domotz_network_sigma.yml"", ""Description"": ""Detects potential network activity of Domotz RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/domotz_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Domotz RMM tool""}]",https://help.domotz.com/tips-tricks/unblock-outgoing-connections-on-firewall/,[] +FixMe.it,,FixMe.it is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"FixMeit Client.exe, TiExpertStandalone.exe, FixMeitClient*.exe, TiExpertCore.exe, FixMeit Unattended Access Setup.exe, FixMeit Expert Setup.exe, TiExpertCore.exe, fixmeitclient.exe, TiClientCore.exe, TiClientHelper*.exe, 9380CC75B872221A7425D7503565B67580407F60","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.fixme.it"", ""*.techinline.net"", ""fixme.it"", ""*set.me"", ""*setme.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme_network_sigma.yml"", ""Description"": ""Detects potential network activity of FixMe RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of FixMe RMM tool""}]",,[] +Tanium Deploy,,Tanium Deploy is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""tanium.com/products/tanium-deploy""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_deploy_network_sigma.yml"", ""Description"": ""Detects potential network activity of Tanium Deploy RMM tool""}]",,[] +N-ABLE Remote Access Software,,N-ABLE Remote Access Software is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""n-able.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_remote_access_software_network_sigma.yml"", ""Description"": ""Detects potential network activity of N-ABLE Remote Access Software RMM tool""}]",,[] +Quick Assist,,Quick Assist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,quickassist.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.support.services.microsoft.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quick_assist_network_sigma.yml"", ""Description"": ""Detects potential network activity of Quick Assist RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quick_assist_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Quick Assist RMM tool""}]",,[] +AnyViewer,,"AnyViewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. 
+",@kostastsale,2024-08-03,2024-08-03,https://www.anyviewer.com/,AnyViewer.exe,AnyViewer,Splash Window,,System,up to 10 devices,None,Windows,"Remote desktop, Remote file transfer, Remote monitoring and management, Remote shell open",,C:\Program Files (x86)\AnyViewer\*,"{""Disk"": [], ""EventLog"": [{""EventID"": 4688, ""ProviderName"": ""Microsoft-Security-Auditing"", ""LogFile"": ""Security.evtx"", ""CommandLine"": ""\""C:\\\\Program Files (x86)\\\\AnyViewer\\\\AVCore.exe\"" -d"", ""Description"": ""Taking actions on the remote machine such as opening a command prompt.""}, {""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""RCService"", ""ImagePath"": ""C:\\\\Program Files (x86)\\\\AnyViewer\\\\RCService.exe"", ""Description"": ""AnyViewer service installation service.""}], ""Registry"": [], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""*.anyviewer.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""*.aomeisoftware.com""], ""Ports"": [443]}]}","[{""Name"": ""Arbitrary code execution and remote sessions via Action1 RMM"", ""Description"": ""Threat hunting rule for detecting the execution of arbitrary code and remote sessions via Action1 RMM"", ""author"": ""@kostastsale"", ""Link"": ""https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/Anyviewer.yml""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyviewer_network_sigma.yml"", ""Description"": ""Detects potential network activity of AnyViewer RMM tool""}]","https://www.anyviewer.com/how-to/how-to-open-firewall-ports-for-remote-desktop-0427-gc.html, https://www.anyviewer.com/help/remote-technical-support.html","[{""Person"": ""Kostas"", ""Handle"": ""@kostastsale""}]" +Naverisk,,Naverisk is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,AgentSetup-*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""naverisk.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/naverisk_network_sigma.yml"", ""Description"": ""Detects potential network activity of Naverisk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/naverisk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Naverisk RMM tool""}]",http://kb.naverisk.com/en/articles/2811223-deploying-naverisk-agents,[] +Addigy,,Addigy is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/27/2024,,,,,,,,,,,,addigy-*.pkg,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""prod.addigy.com"", ""grtmprod.addigy.com"", ""agents.addigy.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/addigy_network_sigma.yml"", ""Description"": ""Detects potential network activity of Addigy RMM tool""}]",https://addigy.com/,[] Action1,,"Action1 is a powerful Remote Monitoring and Management(RMM) tool that enables users to execute commands, scripts, and binaries. Through the web interface of action1, the administrator must create a new policy or an app to establish remote execution and then points that the agent is installed. 
",@kostastsale,2024-08-03,2024-10-06,https://www.action1.com/,action1_connector.exe,,,,SYSTEM,Yes,Corporate email required although temporary email services are accepted,Windows,"Backup and disaster recovery, Billing and invoicing, Customer portal, HelpDesk and ticketing, Mobile app, Network discovery, Patch management, Remote monitoring and management, Reporting and analytics",,C:\Windows\Action1\*,"{""Disk"": [{""File"": ""C:\\Windows\\Action1\\action1_agent.exe"", ""Description"": ""Action1 service binary"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\Action1\\*"", ""Description"": ""Multiple files and binaries related to Action1 installation"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\Action1\\scripts\\*"", ""Description"": ""Multiple scripts related to Action1 installation"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\Action1\\rule_data\\*"", ""Description"": ""Files related to Action1 rules"", ""OS"": ""Windows""}, {""File"": ""C:\\Windows\\Action1\\action1_log_*.log"", ""Description"": ""Contains history, errors, system notifications. 
Incoming and outgoing connections."", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""A1Agent"", ""ImagePath"": ""\""C:\\\\Windows\\\\Action1\\\\action1_agent.exe\"""", ""Description"": ""Service installation event as result of Action1 installation.""}, {""EventID"": 4697, ""ProviderName"": ""Microsoft-Security-Auditing"", ""LogFile"": ""Security.evtx"", ""ServiceName"": ""A1Agent"", ""CommandLine"": ""C:\\Windows\\Action1\\action1_agent.exe service"", ""Description"": ""Service installation event as result of Action1 installation.""}, {""EventID"": 4688, ""ProviderName"": ""Microsoft-Security-Auditing"", ""LogFile"": ""Security.evtx"", ""CommandLine"": ""C:\\Windows\\Action1\\action1_agent.exe loggedonuser"", ""Description"": ""Executing command to get logged on user.""}], ""Registry"": [{""Path"": ""HKLM\\System\\CurrentControlSet\\Services\\A1Agent"", ""Description"": ""Service installation event as result of Action1 installation.""}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\action1_agent.exe"", ""Description"": ""Ensures that detailed crash information is available for analysis, which aids in maintaining the stability and reliability of the software.""}, {""Path"": ""HKLM\\SOFTWARE\\WOW6432Node\\Action1"", ""Description"": ""Storing its configuration settings and other relevant information""}], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""*.action1.com""], ""Ports"": [443]}, {""Description"": ""N/A"", ""Domains"": [""a1-backend-packages.s3.amazonaws.com""], ""Ports"": [443]}]}","[{""Name"": ""Arbitrary code execution and remote sessions via Action1 RMM"", ""Description"": ""Threat hunting rule for detecting the execution of arbitrary code and remote sessions via Action1 RMM"", ""author"": ""@kostastsale"", ""Link"": 
""https://github.com/tsale/Sigma_rules/blob/ea87e4fc851207ca0f002ec043624f2b3bf1b2da/Threat%20Hunting%20Queries/Action1_RMM.yml""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_registry_sigma.yml"", ""Description"": ""Detects potential registry activity of Action1 RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_network_sigma.yml"", ""Description"": ""Detects potential network activity of Action1 RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_files_sigma.yml"", ""Description"": ""Detects potential files activity of Action1 RMM tool""}]","https://www.action1.com/documentation/firewall-configuration/, https://www.action1.com/documentation/, https://twitter.com/Kostastsale/status/1646256901506605063?s=20, https://ruler-project.github.io/ruler-project/RULER/remote/Action1/","[{""Person"": ""Kostas"", ""Handle"": ""@kostastsale""}]" -SuperPuTTY,,SuperPuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Downloads\SuperPuTTY\*, *Downloads\SuperPuTTY\*, *\superputty.exe, *\SuperPuTTY\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superputty_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SuperPuTTY RMM tool""}]",,[] -Royal Apps,,Royal Apps is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"royalserver.exe, royalts.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_apps_network_sigma.yml"", ""Description"": ""Detects potential network activity of Royal Apps RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_apps_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Royal Apps RMM tool""}]",https://www.royalapps.com/ts/win/download,[] -Tanium Deploy,,Tanium Deploy is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""tanium.com/products/tanium-deploy""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_deploy_network_sigma.yml"", ""Description"": ""Detects potential network activity of Tanium Deploy RMM tool""}]",,[] -Zabbix Agent,,Zabbix Agent is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,zabbix_agent*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""zabbix.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zabbix_agent_network_sigma.yml"", ""Description"": ""Detects potential network activity of Zabbix Agent RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zabbix_agent_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Zabbix Agent RMM tool""}]",https://www.zabbix.com/documentation/current/en/manual/appendix/install/windows_agent,[] -Weezo,,Weezo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"weezohttpd.exe, weezo.exe, weezo setup*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.weezo.me"", ""weezo.net"", ""*.weezo.net"", ""weezo.en.softonic.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/weezo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Weezo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/weezo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Weezo RMM tool""}]",weezo.en.softonic.com,[] -BeInSync,,BeInSync is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,Beinsync*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.beinsync.net"", ""*.beinsync.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beinsync_network_sigma.yml"", ""Description"": ""Detects potential network activity of BeInSync RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beinsync_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of BeInSync RMM tool""}]",https://en.wikipedia.org/wiki/Phoenix_Technologies,[] -ScreenMeet,,ScreenMeet is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"ScreenMeetSupport.exe, ScreenMeet.Support.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.screenmeet.com"", ""*.scrn.mt""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenmeet_network_sigma.yml"", ""Description"": ""Detects potential network activity of ScreenMeet RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenmeet_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ScreenMeet RMM tool""}]",https://docs.screenmeet.com/docs/firewall-white-list,[] -MyIVO,,MyIVO is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"myivomgr.exe, myivomanager.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""myivo-server.software.informer.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/myivo_network_sigma.yml"", ""Description"": ""Detects potential network activity of MyIVO RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/myivo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MyIVO RMM tool""}]",myivo.com - DOA as of 2024,[] -LabTech RMM (Now ConnectWise Automate),,LabTech RMM (Now ConnectWise Automate) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"ltsvc.exe, ltsvcmon.exe, lttray.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""connectwise.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labtech_rmm__now_connectwise_automate__network_sigma.yml"", ""Description"": ""Detects potential network activity of LabTech RMM (Now ConnectWise Automate) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labtech_rmm__now_connectwise_automate__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of LabTech RMM (Now ConnectWise Automate) RMM tool""}]",,[] -Kabuto,,Kabuto is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,Kabuto.App.Runner.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.kabuto.io"", ""repairtechsolutions.com/kabuto/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kabuto_network_sigma.yml"", ""Description"": ""Detects potential network activity of Kabuto RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kabuto_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Kabuto RMM tool""}]",https://www.repairtechsolutions.com/documentation/kabuto/,[] -FreeRDP,,FreeRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -ZOC,,ZOC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\ZOC8\*, *\ZOC?\*, *\zoc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ZOC RMM tool""}]",,[] AliWangWang-remote-control,,AliWangWang-remote-control is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,alitask.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""wangwang.taobao.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aliwangwang-remote-control_network_sigma.yml"", ""Description"": ""Detects potential network activity of AliWangWang-remote-control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aliwangwang-remote-control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of AliWangWang-remote-control RMM tool""}]",https://github.com/KKomarov/AliWangWangEng/blob/master/chs.locale,[] -Goverlan,,Goverlan is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"goverrmc.exe, govsrv*.exe, GovAgentInstallHelper.exe, GovAgentx64.exe, GovReachClient.exe, C:\Program Files (x86)\PJ Technologies\GOVsrv\*, *\PJ Technologies\GOVsrv\*, *\GovSrv.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""goverlan.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/goverlan_network_sigma.yml"", ""Description"": ""Detects potential network activity of Goverlan RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/goverlan_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Goverlan RMM tool""}]",https://www.goverlan.com/pdf/Goverlan-Remote-Control-Software.pdf,[] -Microsoft Quick Assist,,Microsoft Quick Assist is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,quickassist.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""*.support.services.microsoft.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_quick_assist_network_sigma.yml"", ""Description"": ""Detects potential network activity of Microsoft Quick Assist RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_quick_assist_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Microsoft Quick Assist RMM tool""}]",https://support.microsoft.com/en-us/windows/install-quick-assist-c17479b7-a49d-4d12-938c-dbfb97c88bca,[] -N-Able Advanced Monitoring Agent,,N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"BASupSrvc.exe, winagent.exe, BASupApp.exe, BASupTSHelper.exe, Agent_*_RW.exe, BASEClient.exe, BASupSrvcCnfg.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.beanywhere.com "", ""systemmonitor.co.uk"", ""*system-monitor.com"", ""cloudbackup.management"", ""*systemmonitor.co.uk"", ""n-able.com"", ""systemmonitor.us"", ""*systemmonitor.eu.com"", ""*.logicnow.com"", ""*.swi-tc.com"", ""*remote.management"", ""systemmonitor.us.cdn.cloudflare.net"", ""*cloudbackup.management"", ""remote.management"", ""logicnow.com"", ""system-monitor.com"", ""*systemmonitor.us"", ""systemmonitor.eu.com"", ""*.n-able.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_network_sigma.yml"", ""Description"": ""Detects potential network activity of N-Able Advanced Monitoring Agent RMM tool""}, {""Sigma"": 
""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of N-Able Advanced Monitoring Agent RMM tool""}]",https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm,[] -MyGreenPC,,MyGreenPC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,mygreenpc.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*mygreenpc.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mygreenpc_network_sigma.yml"", ""Description"": ""Detects potential network activity of MyGreenPC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mygreenpc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MyGreenPC RMM tool""}]",http://www.mygreenpc.com/,[] -Syncthing,,Syncthing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\*\AppData\Roaming\SyncTrayzor\*, *Users\*\AppData\Roaming\SyncTrayzor\*, *\Syncthing.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncthing_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Syncthing RMM tool""}]",,[] -Chrome Remote Desktop,,Chrome Remote Desktop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"remote_host.exe, remoting_host.exe, C:\Program Files (x86)\Google\Chrome Remote Desktop\*, *\Google\Chrome Remote Desktop\*, *\remoting_host.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*remotedesktop.google.com"", ""*remotedesktop-pa.googleapis.com"", ""remotedesktop.google.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of Chrome Remote Desktop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Chrome Remote Desktop RMM tool""}]",https://support.google.com/chrome/a/answer/2799701?hl=en,[] -Remote Desktop Plus,,Remote Desktop Plus is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,rdp.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""donkz.nl""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_desktop_plus_network_sigma.yml"", ""Description"": ""Detects potential network activity of Remote Desktop Plus RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_desktop_plus_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remote Desktop Plus RMM tool""}]",https://www.donkz.nl/,[] -NateOn-desktop sharing,,NateOn-desktop sharing is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"nateon*.exe, nateon.exe, nateonmain.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.nate.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nateon-desktop_sharing_network_sigma.yml"", ""Description"": ""Detects potential network activity of NateOn-desktop sharing RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nateon-desktop_sharing_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NateOn-desktop sharing RMM tool""}]",http://rsupport.nate.com/rview/r8/main/index.aspx,[] -Barracuda,,Barracuda is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.islonline.net"", ""rmm.barracudamsp.com"", ""barracudamsp.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/barracuda_network_sigma.yml"", ""Description"": ""Detects potential network activity of Barracuda RMM tool""}]",https://help.islonline.com/19799/166125,[] -CrossTec Remote Control,,CrossTec Remote Control is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"PCIVIDEO.EXE, supporttool.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""crosstecsoftware.com/remotecontrol""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crosstec_remote_control_network_sigma.yml"", ""Description"": ""Detects potential network activity of CrossTec Remote Control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crosstec_remote_control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of CrossTec Remote Control RMM tool""}]",www.crosstecsoftware.com/supporthome.html - domain DOA 2/1/2024,[] -DeskDay,,DeskDay is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,ultimate_*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""deskday.ai"", ""app.deskday.ai""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskday_network_sigma.yml"", ""Description"": ""Detects potential network activity of DeskDay RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskday_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DeskDay RMM tool""}]",https://support.deskday.ai/en/articles/8235973-installing-the-end-user-application-ultimate,[] -mRemoteNG,,mRemoteNG is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"mRemoteNG.exe, C:\Program Files (x86)\mRemoteNG\*, *\mRemoteNG\*, *\mRemoteNG.exe, c:\Program Files (x86)%\mRemoteNG, *%\mRemoteNG, mRemoteNG-Installer-*.msi, *\mRemoteNG.exe","{""Disk"": [{""File"": ""C:\\Users\\*\\AppData\\Roaming\\mRemoteNG\\mRemoteNG.log"", ""Description"": ""mRemoteNG log file"", ""OS"": ""Windows""}, {""File"": ""C:\\Users\\*\\AppData\\Roaming\\mRemoteNG\\confCons.xml"", ""Description"": ""mRemoteNG configuration file"", ""OS"": ""Windows""}, {""File"": ""C:\\Users\\*\\AppData\\*\\mRemoteNG\\**10\\user.config"", ""Description"": ""mRemoteNG user configuration file"", ""OS"": ""Windows""}], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""mremoteng.org""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_network_sigma.yml"", ""Description"": ""Detects potential network activity of mRemoteNG RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_files_sigma.yml"", ""Description"": ""Detects potential files activity of mRemoteNG RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of mRemoteNG RMM tool""}]",https://github.com/mRemoteNG/mRemoteNG,[] -FreeNX,,FreeNX is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\nxplayer.exe, *\nxplayer.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/freenx_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of FreeNX RMM tool""}]",,[] -NetSupport Manager,,NetSupport Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"pcictlui.exe, client32.exe, pcicfgui.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""geo.netsupportsoftware.com"", ""netsupportmanager.com"", ""*.netsupportmanager.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_network_sigma.yml"", ""Description"": ""Detects potential network activity of NetSupport Manager RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NetSupport Manager RMM tool""}]",https://www.netsupportmanager.com/resources/,[] -rdp2tcp,,rdp2tcp is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"tdp2tcp.exe, rdp2tcp.py","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""github.com/V-E-O/rdp2tcp""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdp2tcp_network_sigma.yml"", ""Description"": ""Detects potential network activity of rdp2tcp RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdp2tcp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of rdp2tcp RMM tool""}]",github.com/V-E-O/rdp2tcp,[] -ITSupport247 (ConnectWise),,ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,saazapsc.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.itsupport247.net"", ""itsupport247.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__network_sigma.yml"", ""Description"": ""Detects potential network activity of ITSupport247 (ConnectWise) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ITSupport247 (ConnectWise) RMM tool""}]",https://control.itsupport247.net/,[] -Pulseway,,Pulseway is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"PCMonitorManager.exe, pcmonitorsrv.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""pulseway.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pulseway_network_sigma.yml"", ""Description"": ""Detects potential network activity of Pulseway RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pulseway_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pulseway RMM tool""}]",https://intercom.help/pulseway/en/,[] -Naverisk,,Naverisk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,AgentSetup-*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""naverisk.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/naverisk_network_sigma.yml"", ""Description"": ""Detects potential network activity of Naverisk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/naverisk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Naverisk RMM tool""}]",http://kb.naverisk.com/en/articles/2811223-deploying-naverisk-agents,[] -Total Software Deployment,,Total Software Deployment is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\ProgramData\Total Software Deployment\*, *\Total Software Deployment\*, *\tniwinagent.exe, *\Tsdservice.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/total_software_deployment_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Total Software Deployment RMM tool""}]",,[] +FreeRDP,,FreeRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +MioNet (Also known as WD Anywhere Access),,MioNet (Also known as WD Anywhere Access) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"mionet.exe, mionetmanager.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mionet__also_known_as_wd_anywhere_access__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MioNet (Also known as WD Anywhere Access) RMM tool""}]",,[] +SmartCode Web VNC,,SmartCode Web VNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\TightVNC\*, *\TightVNC\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Onionshare,,Onionshare is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\OnionShare\*, *\OnionShare\*, *\onionshare*.exe, OnionShare-win*.msi","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/onionshare_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Onionshare RMM tool""}]",,[] +Rocket Remote Desktop,,Rocket Remote Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"RDConsole.exe, RocketRemoteDesktop_Setup.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rocket_remote_desktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Rocket Remote Desktop RMM tool""}]",,[] +WebRDP,,WebRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,webrdp.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""github.com/Mikej81/WebRDP""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/webrdp_network_sigma.yml"", ""Description"": ""Detects potential network activity of WebRDP RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/webrdp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of WebRDP RMM tool""}]",github.com/Mikej81/WebRDP,[] +BeyondTrust,,BeyondTrust is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +SuperOps,,SuperOps is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"superopsticket.exe, superops.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.superopsbeta.com"", ""superops.ai"", ""serv.superopsalpha.com"", ""*.superops.ai"", ""*.superopsalpha.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superops_network_sigma.yml"", ""Description"": ""Detects potential network activity of SuperOps RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superops_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of SuperOps RMM tool""}]",https://support.superops.com/en/articles/6632028-how-to-download-and-deploy-the-agent,[] +RemotePass,,RemotePass is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"remotepass-access.exe, rpaccess.exe, rpwhostscr.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""remotepass.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepass_network_sigma.yml"", ""Description"": ""Detects potential network activity of RemotePass RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepass_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RemotePass RMM tool""}]",https://www.remotepass.com/rpaccess.html - DOA as of 2024,[] +Itarian,,Itarian is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"ITSMAgent.exe, RViewer.exe, ItsmRsp.exe, RAccess.exe, RmmService.exe, ITarianRemoteAccessSetup.exe, RDesktop.exe, ComodoRemoteControl.exe, ITSMService.exe, RHost.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""mdmsupport.comodo.com"", ""*.itsm-us1.comodo.com"", ""*.cmdm.comodo.com"", ""remoteaccess.itarian.com"", ""servicedesk.itarian.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itarian_network_sigma.yml"", ""Description"": ""Detects potential network activity of Itarian RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itarian_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Itarian RMM tool""}]","https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html",[] +PSEXEC,,PSEXEC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"psexec.exe, psexecsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec_network_sigma.yml"", ""Description"": ""Detects potential network activity of PSEXEC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of PSEXEC RMM tool""}]",https://learn.microsoft.com/en-us/sysinternals/downloads/psexec,[] +Level.io,,Level.io is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"level-windows-amd64.exe, level.exe, level-remote-control-ffmpeg.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""level.io"", ""*.level.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_network_sigma.yml"", ""Description"": ""Detects potential network activity of Level.io RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Level.io RMM tool""}]",https://docs.level.io/1.0/admin-guides/troubleshooting-agent-issues,[] +ezHelp,,ezHelp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"ezhelpclientmanager.exe, ezHelpManager.exe, ezhelpclient.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.ezhelp.co.kr"", ""ezhelp.co.kr""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ezhelp_network_sigma.yml"", ""Description"": ""Detects potential network activity of ezHelp RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ezhelp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ezHelp RMM tool""}]",https://www.exhelp.co.kr,[] +Kabuto,,Kabuto is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,Kabuto.App.Runner.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.kabuto.io"", ""repairtechsolutions.com/kabuto/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kabuto_network_sigma.yml"", ""Description"": ""Detects potential network activity of Kabuto RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kabuto_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Kabuto RMM tool""}]",https://www.repairtechsolutions.com/documentation/kabuto/,[] +Synergy,,Synergy is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/synergy_network_sigma.yml"", ""Description"": ""Detects potential network activity of Synergy RMM tool""}]",https://symless.com/synergy,[] +ConnectWise,,ConnectWise is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\ScreenConnect Client ()\*, *\ScreenConnect*Client*\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +TigerVNC,,TigerVNC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"tigervnc*.exe, winvnc4.exe, C:\Program Files\TightVNC\*, *\TightVNC\*, *\tvnserver.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tigervnc_network_sigma.yml"", ""Description"": ""Detects potential network activity of TigerVNC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tigervnc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of TigerVNC RMM tool""}]",https://github.com/TigerVNC/tigervnc/releases,[] +GoToMyPC,,"GoToMyPC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available. +",Nasreddine Bencherchali,2024-08-05,2024-08-05,,AppCore.exe,,,,,,,,,,C:\Program Files (x86)\GoToMyPC\*,"{""Disk"": [{""File"": ""%AppData%\\GoTo\\Logs\\goto.log"", ""Description"": ""N/A"", ""OS"": ""Windows""}], ""EventLog"": [], ""Registry"": [{""Path"": ""HKEY_LOCAL_MACHINE\\WOW6432Node\\Citrix\\GoToMyPc"", ""Description"": ""Configuration settings including registration email""}, {""Path"": ""HKEY_LOCAL_MACHINE\\WOW6432Node\\Citrix\\GoToMyPc\\GuestInvite"", ""Description"": ""Guest invites send to connect""}, {""Path"": ""HKEY_CURRENT_USER\\SOFTWARE\\Citrix\\GoToMyPc\\FileTransfer\\history"", ""Description"": ""hostname of the computer making connections and location of transferred files""}, {""Path"": ""HKEY_USERS\\\\SOFTWARE\\Citrix\\GoToMyPc\\FileTransfer\\history"", ""Description"": ""hostname of the computer making connections and location of transferred files""}], ""Network"": [{""Description"": ""N/A"", ""Domains"": [""*.GoToMyPC.com""], ""Ports"": [""N/A""]}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_registry_sigma.yml"", 
""Description"": ""Detects potential registry activity of GoToMyPC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_network_sigma.yml"", ""Description"": ""Detects potential network activity of GoToMyPC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_files_sigma.yml"", ""Description"": ""Detects potential files activity of GoToMyPC RMM tool""}]","https://support.logmeininc.com/gotomypc/help/what-are-the-optimal-firewall-configurations#, https://support.goto.com/training/help/how-do-i-configure-gototraining-to-work-with-firewalls, https://ruler-project.github.io/ruler-project/RULER/remote/Citrix%20GoToMyPC/","[{""Person"": ""Phill Moore"", ""Handle"": ""@phillmoore""}]" +Laplink Everywhere,,Laplink Everywhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"laplink.exe, laplink-everywhere-setup*.exe, laplinkeverywhere.exe, llrcservice.exe, serverproxyservice.exe, OOSysAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""everywhere.laplink.com"", ""le.laplink.com"", ""atled.syspectr.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_everywhere_network_sigma.yml"", ""Description"": ""Detects potential network activity of Laplink Everywhere RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_everywhere_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Laplink Everywhere RMM tool""}]",https://everywhere.laplink.com/docs,[] +Syspectr,,Syspectr is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,"oo-syspectr*.exe, OOSysAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""atled.syspectr.com"", ""app.syspectr.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syspectr_network_sigma.yml"", ""Description"": ""Detects potential network activity of Syspectr RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syspectr_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Syspectr RMM tool""}]",https://www.syspectr.com/en/installation-in-a-network,[] +Remote Utilities,,Remote Utilities is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rutview.exe, rutserv.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.internetid.ru""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_utilities_network_sigma.yml"", ""Description"": ""Detects potential network activity of Remote Utilities RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_utilities_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remote Utilities RMM tool""}]",https://www.remoteutilities.com/download/,[] +Remcos,,Remcos is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,remcos*.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remcos_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Remcos RMM tool""}]",,[] ISL Online,,ISL Online is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"islalwaysonmonitor.exe, isllight.exe, isllightservice.exe, ISLLightClient.exe, C:\Program Files (x86)\ISL Online\ISL Light*, *\ISL Online\ISL Light*, *\ISLLight.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.islonline.com"", ""*.islonline.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_network_sigma.yml"", ""Description"": ""Detects potential network activity of ISL Online RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ISL Online RMM tool""}]",https://help.islonline.com/19818/165940,[] -NinjaOne (formerly NinjaRMM),,NinjaOne (formerly NinjaRMM) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,*ProgramData\NinjaRMMAgent\*,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] -QQ IM-remote assistance,,QQ IM-remote assistance is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"qq.exe, QQProtect.exe, qqpcmgr.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.mdt.qq.com"", ""*.desktop.qq.com"", ""upload_data.qq.com"", ""qq-messenger.en.softonic.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/qq_im-remote_assistance_network_sigma.yml"", ""Description"": ""Detects potential network activity of QQ IM-remote assistance RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/qq_im-remote_assistance_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of QQ IM-remote assistance RMM tool""}]",https://en.wikipedia.org/wiki/Tencent_QQ,[] -Microsoft RDP,,Microsoft RDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"termsrv.exe, mstsc.exe, Microsoft Remote Desktop","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_rdp_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Microsoft RDP RMM tool""}]",https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/windows,[] -RuDesktop,,RuDesktop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"rd.exe, rudesktop*.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.rudesktop.ru"", ""rudesktop.ru""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rudesktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of RuDesktop RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rudesktop_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RuDesktop RMM tool""}]",https://rudesktop.ru,[] -BeyondTrust (Bomgar),,BeyondTrust (Bomgar) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"bomgar-scc-*.exe, bomgar-scc.exe, bomgar-pac-*.exe, bomgar-pac.exe, bomgar-rdp.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.beyondtrustcloud.com"", ""*.bomgarcloud.com"", ""bomgarcloud.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__network_sigma.yml"", ""Description"": ""Detects potential network activity of BeyondTrust (Bomgar) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of BeyondTrust (Bomgar) RMM tool""}]",https://www.beyondtrust.com/docs/remote-support/getting-started/deployment/cloud/network.htm,[] -TightVNC,,TightVNC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"tvnviewer.exe, TightVNCViewerPortable*.exe, tvnserver.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""tightvnc.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tightvnc_network_sigma.yml"", ""Description"": ""Detects potential network activity of TightVNC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tightvnc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of TightVNC RMM tool""}]",https://www.tightvnc.com/doc/win/TightVNC_for_Windows-Installation_and_Getting_Started.pdf,[] -MeshCentral,,"MeshCentral is a remote monitoring and management (RMM) tool. MeshAgent used along with MeshCentral to remotely manage computers. MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes. -",@kostastsale,2024-09-20,2024-09-20,https://meshcentral.com/,MeshAgent.exe,,MeshCentral Background Service Agent,,SYSTEM,Yes,N/A,"Windows, Linux, MacOS, FreeBSD","Remote Desktop & Terminal, Remote File Access, Text and Voice Chat, Server File Storage, Real-time User interface, Port Forwarding",CVE-2024-26135,"meshcentral*.exe, meshagent*.exe","{""Disk"": [{""File"": ""C:\\Program Files\\Mesh Agent\\MeshAgent.exe"", ""Description"": ""Local MeshAgent service binary after installation"", ""OS"": ""Windows""}, {""File"": ""C:\\Program Files\\Mesh Agent\\MeshAgent.msh"", ""Description"": ""Local MeshAgent service configuration file. Contains configuration settings including the MeshCentral server address, port, and other settings. 
If the MeshAgent is run without being installed, the configuration file is created in the same directory as the MeshAgent binary."", ""OS"": ""Windows""}], ""EventLog"": [{""EventID"": 7045, ""ProviderName"": ""Service Control Manager"", ""LogFile"": ""System.evtx"", ""ServiceName"": ""Mesh Agent background service"", ""ImagePath"": ""\""C:\\\\Program Files\\\\Mesh Agent\\\\MeshAgent.exe\"""", ""Description"": ""Service installation event as result of MeshAgent installation.""}], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""meshcentral.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_network_sigma.yml"", ""Description"": ""Detects potential network activity of MeshCentral RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MeshCentral RMM tool""}, {""Sigma"": ""https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/proc_creation_windows_meshagent.yml"", ""Description"": ""Detects MeshAgent Command Execution via MeshCentral""}]","https://ylianst.github.io/MeshCentral/meshcentral/, https://github.com/Ylianst/MeshAgent","[{""Person"": ""Kostas"", ""Handle"": ""@kostastsale""}]" -Dev Tunnels (aka Visual Studio Dev Tunnel),,Dev Tunnels (aka Visual Studio Dev Tunnel) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dev_tunnels__aka_visual_studio_dev_tunnel__network_sigma.yml"", ""Description"": ""Detects potential network activity of Dev Tunnels (aka Visual Studio Dev Tunnel) RMM tool""}]",,[] -CarotDAV,,CarotDAV is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Rei Software\CarotDAV\*, *\Rei Software\CarotDAV\*, *\CarotDAV.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/carotdav_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of CarotDAV RMM tool""}]",,[] +DragonDisk,,DragonDisk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Almageste\DragonDisk\*, *\Almageste\DragonDisk\*, *\DragonDisk.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dragondisk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DragonDisk RMM tool""}]",,[] +RealVNC,,RealVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Supremo,,Supremo is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/13/2024,,,,,,,,,,,,"supremo.exe, supremoservice.exe, supremosystem.exe, supremohelper.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""supremocontrol.com"", ""*.supremocontrol.com"", ""* .nanosystems.it""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/supremo_network_sigma.yml"", ""Description"": ""Detects potential network activity of Supremo RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/supremo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Supremo RMM tool""}]",https://www.supremocontrol.com/frequently-asked-questions/,[] +GoToAssist Agent Desktop Console,,GoToAssist Agent Desktop Console is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\G2RDesktopConsole-x64.msi, *\G2RDesktopConsole-x64.msi","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +RemoteView,,RemoteView is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"remoteview.exe, rv.exe, rvagent.exe, rvagtray.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*content.rview.com"", ""*.rview.com"", ""content.rview.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteview_network_sigma.yml"", ""Description"": ""Detects potential network activity of RemoteView RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteview_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of RemoteView RMM tool""}]",https://help.rview.com/hc/en-us/articles/360005175994--RemoteView-Server-list-for-firewall,[] +VNC Connect,,VNC Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\RealVNC\VNC Server\*, *\RealVNC\VNC Server\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +Syncthing,,Syncthing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\*\AppData\Roaming\SyncTrayzor\*, *Users\*\AppData\Roaming\SyncTrayzor\*, *\Syncthing.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncthing_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Syncthing RMM tool""}]",,[] +KHelpDesk,,KHelpDesk is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,KHelpDesk.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.khelpdesk.com.br""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/khelpdesk_network_sigma.yml"", ""Description"": ""Detects potential network activity of KHelpDesk RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/khelpdesk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of KHelpDesk RMM tool""}]",https://www.khelpdesk.com.br/en-us,[] +Netop Remote Control (Impero Connect),,Netop Remote Control (Impero Connect) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"nhostsvc.exe, nhstw32.exe, ngstw32.exe, Netop Ondemand.exe, nldrw32.exe, rmserverconsolemediator.exe, ImperoInit.exe, Connect.Backdrop.cloud*.exe, ImperoClientSVC.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.connect.backdrop.cloud"", ""*.netop.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__impero_connect__network_sigma.yml"", ""Description"": ""Detects potential network activity of Netop Remote Control (Impero Connect) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__impero_connect__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Netop Remote Control (Impero Connect) RMM tool""}]",https://kb.netop.com/article/firewall-and-proxy-server-considerations-when-using-netop-portal-communication-373.html,[] Bitvise SSH Server,,Bitvise SSH Server is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files\Bitvise SSH Server\*, *\Bitvise SSH Server\*, *\BvSshServer-Inst.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bitvise_ssh_server_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Bitvise SSH Server RMM tool""}]",,[] -Pandora RC (eHorus),,Pandora RC (eHorus) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"ehorus standalone.exe, ehorus_agent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""portal.ehorus.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pandora_rc__ehorus__network_sigma.yml"", ""Description"": ""Detects potential network activity of Pandora RC (eHorus) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pandora_rc__ehorus__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Pandora RC (eHorus) RMM tool""}]",https://pandorafms.com/manual/!current/en/documentation/09_pandora_rc/01_pandora_rc_introduction,[] -DW Service,,DW Service is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"dwagsvc.exe, dwagent.exe, dwagsvc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.dwservice.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_network_sigma.yml"", ""Description"": ""Detects potential network activity of DW Service RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of DW Service RMM tool""}]",https://news.dwservice.net/dwservice-security-infrastructure/,[] -Iperius Remote,,Iperius Remote is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"iperius.exe, iperiusremote.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.iperiusremote.com"", ""*.iperius.com"", ""*.iperius-rs.com"", ""iperiusremote.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/iperius_remote_network_sigma.yml"", ""Description"": ""Detects potential network activity of Iperius Remote RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/iperius_remote_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Iperius Remote RMM tool""}]",https://www.iperiusremote.com/download-iperius-remote-desktop-windows.aspx,[] +Apple Remote Desktop,,Apple Remote Desktop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/24/2024,,,,,,,,,,,,ARDAgent.app,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/apple_remote_desktop_network_sigma.yml"", ""Description"": ""Detects potential network activity of Apple Remote Desktop RMM tool""}]",https://support.apple.com/guide/remote-desktop/install-and-set-up-remote-desktop-apdf49e03a4/mac,[] +Chrome SSH Extension,,Chrome SSH Extension is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\Extensions\iodihamcpbpeioajjeobimgagajmlibd*, *Users\*\AppData\Local\Google\Chrome\User Data\Default\Extensions\iodihamcpbpeioajjeobimgagajmlibd*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +NetSupport Manager,,NetSupport Manager is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"pcictlui.exe, client32.exe, pcicfgui.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""geo.netsupportsoftware.com"", ""netsupportmanager.com"", ""*.netsupportmanager.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_network_sigma.yml"", ""Description"": ""Detects potential network activity of NetSupport Manager RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of NetSupport Manager RMM tool""}]",https://www.netsupportmanager.com/resources/,[] +ESET Remote Administrator,,ESET Remote Administrator is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"era.exe, einstaller.exe, ezhelp*.exe, eratool.exe, ERAAgent.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""eset.com/me/business/remote-management/remote-administrator/""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_network_sigma.yml"", ""Description"": ""Detects potential network activity of ESET Remote Administrator RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ESET Remote Administrator RMM tool""}]",eset.com/me/business/remote-management/remote-administrator/,[] +Yandex.Disk,,Yandex.Disk is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\Yandex\*, *\Yandex\*, *\YandexDisk2.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/yandex.disk_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Yandex.Disk RMM tool""}]",,[] +N-Able Advanced Monitoring Agent,,N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"BASupSrvc.exe, winagent.exe, BASupApp.exe, BASupTSHelper.exe, Agent_*_RW.exe, BASEClient.exe, BASupSrvcCnfg.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.beanywhere.com "", ""systemmonitor.co.uk"", ""*system-monitor.com"", ""cloudbackup.management"", ""*systemmonitor.co.uk"", ""n-able.com"", ""systemmonitor.us"", ""*systemmonitor.eu.com"", ""*.logicnow.com"", ""*.swi-tc.com"", ""*remote.management"", ""systemmonitor.us.cdn.cloudflare.net"", ""*cloudbackup.management"", ""remote.management"", ""logicnow.com"", ""system-monitor.com"", ""*systemmonitor.us"", ""systemmonitor.eu.com"", ""*.n-able.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_network_sigma.yml"", ""Description"": ""Detects potential network activity of N-Able Advanced Monitoring Agent RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of N-Able Advanced Monitoring Agent RMM tool""}]",https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm,[] +MyIVO,,MyIVO is a remote monitoring and 
management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"myivomgr.exe, myivomanager.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""myivo-server.software.informer.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/myivo_network_sigma.yml"", ""Description"": ""Detects potential network activity of MyIVO RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/myivo_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MyIVO RMM tool""}]",myivo.com - DOA as of 2024,[] +ITSupport247 (ConnectWise),,ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,saazapsc.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.itsupport247.net""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__network_sigma.yml"", ""Description"": ""Detects potential network activity of ITSupport247 (ConnectWise) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ITSupport247 (ConnectWise) RMM tool""}]",https://control.itsupport247.net/,[] +VNC,,VNC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"winvnc*.exe, vncserver.exe, winwvc.exe, winvncsc.exe, vncserverui.exe, vncviewer.exe, winvnc.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""realvnc.com/en/connect/download/vnc""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/vnc_network_sigma.yml"", ""Description"": ""Detects potential network activity of VNC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/vnc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of VNC RMM tool""}]",https://realvnc.com/en/connect/download/vnc,[] +ServerEye,,ServerEye is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/9/2024,,,,,,,,,,,,"servereye*.exe, ServiceProxyLocalSys.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.server-eye.de""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/servereye_network_sigma.yml"", ""Description"": ""Detects potential network activity of ServerEye RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/servereye_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of ServerEye RMM tool""}]",https://www.servereye.de/wp-content/uploads/Anleitung-zur-Erstinstallation_aktuell.pdf,[] +Rapid7,,Rapid7 is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/14/2024,,,,,,,,,,,,"ir_agent.exe, rapid7_agent_core.exe, rapid7_endpoint_broker.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*.analytics.insight.rapid7.com"", ""*.endpoint.ingress.rapid7.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rapid7_network_sigma.yml"", ""Description"": ""Detects potential network activity of Rapid7 RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rapid7_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Rapid7 RMM tool""}]",https://docs.rapid7.com/insightvm/configure-communications-with-the-insight-platform/,[] +GoToAssist (GoTo Resolve),,GoToAssist (GoTo Resolve) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\ProgramFiles*\GoTo Machine Installer\*, *\GoTo Machine Installer\*, *\GoTo\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +GetScreen,,GetScreen is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"GetScreen.exe, getscreen.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""getscreen.me"", ""GetScreen.me"", ""*.getscreen.me""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/getscreen_network_sigma.yml"", ""Description"": ""Detects potential network activity of GetScreen RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/getscreen_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of GetScreen RMM tool""}]",https://docs.getscreen.me/self-hosted/system-requirements/,[] +MobaXterm,,MobaXterm is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\*\MobaXterm_installer_12.1.msi, *\MobaXterm_installer_*.msi, *\Mobatek\MobaXterm\*","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}",[],,[] +CrossTec Remote Control,,CrossTec Remote Control is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/7/2024,,,,,,,,,,,,"PCIVIDEO.EXE, supporttool.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""crosstecsoftware.com/remotecontrol""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crosstec_remote_control_network_sigma.yml"", ""Description"": ""Detects potential network activity of CrossTec Remote Control RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crosstec_remote_control_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of CrossTec Remote Control RMM tool""}]",www.crosstecsoftware.com/supporthome.html - domain DOA 2/1/2024,[] +Absolute (Computrace),,Absolute (Computrace) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,6/18/2024,,,,,,,,,,,,"rpcnet.exe, ctes.exe, ctespersitence.exe, cteshostsvc.exe, rpcld.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*search.namequery.com"", ""*server.absolute.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/absolute__computrace__network_sigma.yml"", ""Description"": ""Detects potential network activity of Absolute (Computrace) RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/absolute__computrace__processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Absolute (Computrace) RMM tool""}]",https://community.absolute.com/s/article/Understanding-Absolutes-Endpoint-Agents-Rpcnet-CTES-and-search-namequery-com,[] +Xshell,,Xshell is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,,,,,,,,,,,,,"C:\Program Files (x86)\NetSarang\xShell\*, *\NetSarang\xShell\*, *\xShell.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": []}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xshell_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Xshell RMM tool""}]",,[] +MyGreenPC,,MyGreenPC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,2/26/2024,,,,,,,,,,,,mygreenpc.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""*mygreenpc.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mygreenpc_network_sigma.yml"", ""Description"": ""Detects potential network activity of MyGreenPC RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mygreenpc_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of MyGreenPC RMM tool""}]",http://www.mygreenpc.com/,[] +Level.io,,Level.io is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"level-windows-amd64.exe, level.exe, level-remote-control-ffmpeg.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""level.io"", ""*.level.io""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_network_sigma.yml"", ""Description"": ""Detects potential network activity of Level.io RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Level.io RMM tool""}]",https://docs.level.io/1.0/admin-guides/troubleshooting-agent-issues,[] +Microsoft Quick Assist,,Microsoft Quick Assist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.,,,,,,,,,,,,,,,quickassist.exe,"{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""user_managed"", ""*.support.services.microsoft.com""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_quick_assist_network_sigma.yml"", ""Description"": ""Detects potential network activity of Microsoft Quick Assist RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_quick_assist_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Microsoft Quick Assist RMM tool""}]",https://support.microsoft.com/en-us/windows/install-quick-assist-c17479b7-a49d-4d12-938c-dbfb97c88bca,[] +Manage Engine (Desktop Central),,Manage Engine (Desktop Central) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.,,,2/8/2024,,,,,,,,,,,,"dcagentservice.exe, dcagentregister.exe","{""Disk"": [], ""EventLog"": [], ""Registry"": [], ""Network"": [{""Description"": ""Known remote domains"", ""Domains"": [""desktopcentral.manageengine.com"", ""desktopcentral.manageengine.com.eu"", ""desktopcentral.manageengine.cn"", ""*.dms.zoho.com"", ""*.dms.zoho.com.eu"", ""*.-dms.zoho.com.cn""], ""Ports"": []}]}","[{""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktop_central_network_sigma.yml"", ""Description"": ""Detects potential network activity of Desktop Central RMM tool""}, {""Sigma"": ""https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktop_central_processes_sigma.yml"", ""Description"": ""Detects potential processes activity of Desktop Central RMM tool""}]",,[] diff --git a/website/public/api/rmm_tools.json b/website/public/api/rmm_tools.json index c1ad1d79..a3aa4e46 100644 --- a/website/public/api/rmm_tools.json +++ b/website/public/api/rmm_tools.json @@ -1,10 +1,10 @@ [ { - "Name": "Rapid7", - "Description": "Rapid7 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "LabTeach (Connectwise Automate)", + "Description": "LabTeach (Connectwise Automate) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -19,47 +19,30 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ir_agent.exe", - "rapid7_agent_core.exe", - "rapid7_endpoint_broker.exe" + "ltsvc.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.analytics.insight.rapid7.com", - "*.endpoint.ingress.rapid7.com" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rapid7_network_sigma.yml", - "Description": "Detects potential network activity of Rapid7 RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rapid7_processes_sigma.yml", - "Description": "Detects potential processes activity of Rapid7 RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labteach__connectwise_automate__processes_sigma.yml", + "Description": "Detects potential processes activity of LabTeach (Connectwise Automate) RMM tool" } ], - "References": [ - "https://docs.rapid7.com/insightvm/configure-communications-with-the-insight-platform/" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "SunLogin", - "Description": "SunLogin is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Zabbix Agent", + "Description": "Zabbix Agent is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/26/2024", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { @@ -74,9 +57,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "OrayRemoteShell.exe", - "OrayRemoteService.exe", - "sunlogin*.exe" + "zabbix_agent*.exe" ] }, "Artifacts": { 
@@ -87,8 +68,8 @@ { "Description": "Known remote domains", "Domains": [ - "sunlogin.oray.com", - "client.oray.net" + "user_managed", + "zabbix.com" ], "Ports": [] } @@ -96,25 +77,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sunlogin_network_sigma.yml", - "Description": "Detects potential network activity of SunLogin RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zabbix_agent_network_sigma.yml", + "Description": "Detects potential network activity of Zabbix Agent RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sunlogin_processes_sigma.yml", - "Description": "Detects potential processes activity of SunLogin RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zabbix_agent_processes_sigma.yml", + "Description": "Detects potential processes activity of Zabbix Agent RMM tool" } ], "References": [ - "https://sunlogin.oray.com/en/embed/software.html" + "https://www.zabbix.com/documentation/current/en/manual/appendix/install/windows_agent" ], "Acknowledgement": [] }, { - "Name": "GoToAssist Agent Desktop Console", - "Description": "GoToAssist Agent Desktop Console is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Senso.cloud", + "Description": "Senso.cloud is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -129,144 +110,21 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\*\\G2RDesktopConsole-x64.msi", - "*\\G2RDesktopConsole-x64.msi" + "SensoClient.exe", + "SensoService.exe", + "aadg.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] - }, - "Detections": [], - "References": [], - "Acknowledgement": [] - }, - { - "Name": "Kaseya (VSA)", - "Description": "Kaseya (VSA) aka Unigma is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.\n", - "Author": "Nasreddine Bencherchali", - "Created": "2024-08-05", - "LastModified": "2024-08-05", - "Details": { - "Website": "", - "PEMetadata": [ - { - "Filename": "agentmon.exe" - }, - { - "Filename": "KaUpdHlp.exe" - }, - { - "Filename": "KaUsrTsk.exe", - "OriginalFileName": "", - "Description": "" - } - ], - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\Program Files (x86)\\Kaseya\\", - "C:\\ProgramData\\Kaseya\\" - ] - }, - "Artifacts": { - "Disk": [ - { - "File": "%localappdata%\\Kaseya\\Log\\KaseyaLiveConnect\\*", - "Description": "Kaseya Live Connect logs", - "OS": "Windows" - }, - { - "File": "~/Library/Logs/com.kaseya/KaseyaLiveConnect/*", - "Description": "Kaseya Live Connect logs", - "OS": "MacOS" - }, - { - "File": "C:\\ProgramData\\Kaseya\\Log\\Endpoint\\*", - "Description": "Kaseya Endpoint logs", - "OS": "Windows" - }, - { - "File": "C:\\Program Files*\\Kaseya\\*\\agentmon.log", - "Description": "Kaseya Agent Monitor log" - }, - { - "File": "/var/log/system.log", - "Description": "Kaseya Agent Monitor log", - "OS": "MacOS 32bit" - }, - { - "File": " ~/opt/kaseya/*/logs*", - "Description": "Kaseya Agent Monitor log", - "OS": "MacOS 64bit" - }, - { - "File": "C:\\Users\\*\\AppData\\Local\\Temp\\KASetup.log", - "Description": "Kaseya Setup log in user temp directory", - "OS": "Windows" - }, - { - "File": 
"C:\\Windows\\Temp\\KASetup.log", - "Description": "Kaseya Setup log in Windows temp directory", - "OS": "Windows" - }, - { - "File": "C:\\ProgramData\\Kaseya\\Log\\KaseyaEdgeServices\\*", - "Description": "Kaseya Edge Services logs", - "OS": "Windows" - }, - { - "File": "C:\\Kaseya\\api\\v1.0\\logs\\", - "Description": "Kaseya API logs", - "OS": "Windows" - }, - { - "File": "C:\\Kaseya\\api\\v1.5\\endpoint\\logs", - "Description": "Kaseya API logs", - "OS": "Windows" - }, - { - "File": "C:\\Kaseya\\api\\v1.5\\endpoints\\logs", - "Description": "Kaseya API logs", - "OS": "Windows" - }, - { - "File": "C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Kaseya\\Log\\MakeSelfSignedCert.exe\\", - "Description": "Certificate creation", - "OS": "Windows" - }, - { - "File": "C:\\Kaseya\\WebPages\\install\\makecert.txt", - "Description": "Certificate creation", - "OS": "Windows" - }, - { - "File": "C:\\ProgramData\\Kaseya\\Log\\Endpoint\\Instance_*\\KaseyaEndpoint*", - "Description": "Endpoint service logs", - "OS": "Windows" - }, - { - "File": "C:\\ProgramData\\Kaseya\\Log\\Endpoint\\Instance_*\\Session_*", - "Description": "Session logs", - "OS": "Windows" - } - ], - "EventLog": [], - "Registry": [], "Network": [ { "Description": "Known remote domains", "Domains": [ - "deploy01.kaseya.com", - "*managedsupport.kaseya.net", - "*.kaseya.net", - "kaseya.com" + "*.senso.cloud", + "senso.cloud" ], "Ports": [] } 
@@ -274,28 +132,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kaseya__vsa__network_sigma.yml", - "Description": "Detects potential network activity of Kaseya (VSA) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/senso.cloud_network_sigma.yml", + "Description": "Detects potential network activity of Senso.cloud RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kaseya__vsa__files_sigma.yml", - "Description": "Detects potential files activity of Kaseya (VSA) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/senso.cloud_processes_sigma.yml", + "Description": "Detects potential processes activity of Senso.cloud RMM tool" } ], "References": [ - "https://helpdesk.kaseya.com/hc/en-gb/articles/229012608-Software-Deployment-URL-Port-Requirements", - "https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations", - "https://ruler-project.github.io/ruler-project/RULER/remote/Kaseya/", - "https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations" + "https://support.senso.cloud/support/solutions/articles/79000116305-firewall-and-content-filter-configuration" ], "Acknowledgement": [] }, { - "Name": "PuTTY Tray", - "Description": "PuTTY Tray is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "I'm InTouch", + "Description": "I'm InTouch is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -310,31 +165,47 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\*\\puttytray.exe", - "*\\puttytray.exe" + "iit.exe", + "intouch.exe", + "I'm InTouch Go Installer.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.01com.com", + "01com.com/imintouch-remote-pc-desktop" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/putty_tray_processes_sigma.yml", - "Description": "Detects potential processes activity of PuTTY Tray RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/i'm_intouch_network_sigma.yml", + "Description": "Detects potential network activity of I'm InTouch RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/i'm_intouch_processes_sigma.yml", + "Description": "Detects potential processes activity of I'm InTouch RMM tool" } ], - "References": [], + "References": [ + "https://www.01com.com/mobile/imintouch-remote-pc-desktop/faqs/remote-access/" + ], "Acknowledgement": [] }, { - "Name": "SysAid", - "Description": "SysAid is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "RustDesk", + "Description": "RustDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -349,30 +220,44 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files\\SysAidServer\\*", - "*\\SysAidServer\\*", - "*\\SysAid\\*", - "*\\IliAS.exe" + "rustdesk*.exe", + "rustdesk.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "rustdesk.com", + "user_managed", + "web.rustdesk.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sysaid_processes_sigma.yml", - "Description": "Detects potential processes activity of SysAid RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rustdesk_network_sigma.yml", + "Description": "Detects potential network activity of RustDesk RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rustdesk_processes_sigma.yml", + "Description": "Detects potential processes activity of RustDesk RMM tool" } ], - "References": [], + "References": [ + "https://rustdesk.com/docs/en/" + ], "Acknowledgement": [] }, { - "Name": "Domotz", - "Description": "Domotz is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Electric AI (Kaseya)", + "Description": "Electric AI (Kaseya) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/7/2024", @@ -389,14 +274,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "domotz.exe", - "Domotz Pro Desktop App.exe", - "domotz_bash.exe", - "domotz*.exe", - "Domotz Pro Desktop App Setup*.exe", - "domotz-windows*.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], 
@@ -406,9 +284,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.domotz.co", - "domotz.com", - "*cell-1.domotz.com" + "electric.ai" ], "Ports": [] } @@ -416,22 +292,18 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/domotz_network_sigma.yml", - "Description": "Detects potential network activity of Domotz RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/domotz_processes_sigma.yml", - "Description": "Detects potential processes activity of Domotz RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/electric_network_sigma.yml", + "Description": "Detects potential network activity of Electric RMM tool" } ], "References": [ - "https://help.domotz.com/tips-tricks/unblock-outgoing-connections-on-firewall/" + "https://www.electric.ai/product/device-management-solutions - Usess Kaseya/jamf" ], "Acknowledgement": [] }, { - "Name": "BeyondTrust", - "Description": "BeyondTrust is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ZOC", + "Description": "ZOC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -448,7 +320,11 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "C:\\Program Files\\ZOC8\\*", + "*\\ZOC?\\*", + "*\\zoc.exe" + ] }, "Artifacts": { "Disk": [], 
@@ -456,16 +332,21 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoc_processes_sigma.yml", + "Description": "Detects potential processes activity of ZOC RMM tool" + } + ], "References": [], "Acknowledgement": [] }, { - "Name": "Netop Remote Control (aka Impero Connect)", - "Description": "Netop Remote Control (aka Impero Connect) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Any Support", + "Description": "Any Support is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/27/2024", "Details": { "Website": "", "PEMetadata": { @@ -480,10 +361,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "nhostsvc.exe", - "nhstw32.exe", - "nldrw32.exe", - "rmserverconsolemediator.exe" + "ManualLauncher.exe" ] }, "Artifacts": { @@ -494,7 +372,7 @@ { "Description": "Known remote domains", "Domains": [ - "imperosoftware.com/impero-connect/" + "*.anysupport.net" ], "Ports": [] } 
@@ -502,23 +380,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__aka_impero_connect__network_sigma.yml", - "Description": "Detects potential network activity of Netop Remote Control (aka Impero Connect) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/any_support_network_sigma.yml", + "Description": "Detects potential network activity of Any Support RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__aka_impero_connect__processes_sigma.yml", - "Description": "Detects potential processes activity of Netop Remote Control (aka Impero Connect) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/any_support_processes_sigma.yml", + "Description": "Detects potential processes activity of Any Support RMM tool" } ], - "References": [], + "References": [ + "https://www.anysupport.net/introduce_howto.php" + ], "Acknowledgement": [] }, { - "Name": "Microsoft TSC", - "Description": "Microsoft TSC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "PDQ Connect", + "Description": "PDQ Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/26/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -533,30 +413,42 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "termsrv.exe", - "mstsc.exe" + "pdq-connect*.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "app.pdq.com", + "cfcdn.pdq.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_tsc_processes_sigma.yml", - "Description": "Detects potential processes activity of Microsoft TSC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pdq_connect_network_sigma.yml", + "Description": "Detects potential network activity of PDQ Connect RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pdq_connect_processes_sigma.yml", + "Description": "Detects potential processes activity of PDQ Connect RMM tool" } ], "References": [ - "https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/terminal-server-startup-connection-application" + "https://connect.pdq.com/hc/en-us/articles/9518992071707-Network-Requirements" ], "Acknowledgement": [] }, { - "Name": "Jump Desktop", - "Description": "Jump Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Pcnow", + "Description": "Pcnow is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -574,11 +466,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "jumpclient.exe", - "jumpdesktop.exe", - "jumpservice.exe", - "jumpconnect.exe", - "jumpupdater.exe" + "mwcliun.exe", + "pcnmgr.exe", + "webexpcnow.exe" ] }, "Artifacts": { 
@@ -589,10 +479,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.jumpdesktop.com", - "jumpdesktop.com", - "jumpto.me", - "*.jumpto.me" + "au.pcmag.com/utilities/21470/webex-pcnow" ], "Ports": [] } @@ -600,25 +487,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_desktop_network_sigma.yml", - "Description": "Detects potential network activity of Jump Desktop RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcnow_network_sigma.yml", + "Description": "Detects potential network activity of Pcnow RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_desktop_processes_sigma.yml", - "Description": "Detects potential processes activity of Jump Desktop RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcnow_processes_sigma.yml", + "Description": "Detects potential processes activity of Pcnow RMM tool" } ], "References": [ - "https://support.jumpdesktop.com/hc/en-us/articles/360042490351-Administrators-Guide-For-Jump-Desktop-Connect" + "http://pcnow.webex.com/ - DOA as of 2024" ], "Acknowledgement": [] }, { - "Name": "IntelliAdmin Remote Control", - "Description": "IntelliAdmin Remote Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Seetrol", + "Description": "Seetrol is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -633,11 +520,11 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "iadmin.exe", - "intelliadmin.exe", - "agent32.exe", - "agent64.exe", - "agent_setup_5.exe" + "seetrolcenter.exe", + "seetrolclient.exe", + "seetrolmyservice.exe", + "seetrolremote.exe", + "seetrolsetting.exe" ] }, "Artifacts": { @@ -648,9 +535,7 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "*.intelliadmin.com", - "intelliadmin.com/remote-control" + "seetrol.co.kr" ], "Ports": [] } @@ -658,22 +543,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/intelliadmin_remote_control_network_sigma.yml", - "Description": "Detects potential network activity of IntelliAdmin Remote Control RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/seetrol_network_sigma.yml", + "Description": "Detects potential network activity of Seetrol RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/intelliadmin_remote_control_processes_sigma.yml", - "Description": "Detects potential processes activity of IntelliAdmin Remote Control RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/seetrol_processes_sigma.yml", + "Description": "Detects potential processes activity of Seetrol RMM tool" } ], "References": [ - "intelliadmin.com/remote-control" + "http://www.seetrol.com/en/features/features3.php" ], "Acknowledgement": [] }, { - "Name": "Chrome SSH Extension", - "Description": "Chrome SSH Extension is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "CarotDAV", + "Description": "CarotDAV is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -691,8 +576,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Users\\*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\iodihamcpbpeioajjeobimgagajmlibd*", - "*Users\\*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\iodihamcpbpeioajjeobimgagajmlibd*" + "C:\\Program Files (x86)\\Rei Software\\CarotDAV\\*", + "*\\Rei Software\\CarotDAV\\*", + "*\\CarotDAV.exe" ] }, "Artifacts": { @@ -701,16 +587,21 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/carotdav_processes_sigma.yml", + "Description": "Detects potential processes activity of CarotDAV RMM tool" + } + ], "References": [], "Acknowledgement": [] }, { - "Name": "ZeroTier", - "Description": "ZeroTier is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Goverlan", + "Description": "Goverlan is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -725,9 +616,14 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "zerotier*.msi", - "zerotier*.exe", - "zero-powershell.exe" + "goverrmc.exe", + "govsrv*.exe", + "GovAgentInstallHelper.exe", + "GovAgentx64.exe", + "GovReachClient.exe", + "C:\\Program Files (x86)\\PJ Technologies\\GOVsrv\\*", + "*\\PJ Technologies\\GOVsrv\\*", + "*\\GovSrv.exe" ] }, "Artifacts": { @@ -738,8 +634,8 @@ { "Description": "Known remote domains", "Domains": [ - "zerotier.com", - "*.zerotier.com" + "user_managed", + "goverlan.com" ], "Ports": [] } 
@@ -747,25 +643,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zerotier_network_sigma.yml", - "Description": "Detects potential network activity of ZeroTier RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/goverlan_network_sigma.yml", + "Description": "Detects potential network activity of Goverlan RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zerotier_processes_sigma.yml", - "Description": "Detects potential processes activity of ZeroTier RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/goverlan_processes_sigma.yml", + "Description": "Detects potential processes activity of Goverlan RMM tool" } ], "References": [ - "https://my.zerotier.com/" + "https://www.goverlan.com/pdf/Goverlan-Remote-Control-Software.pdf" ], "Acknowledgement": [] }, { - "Name": "Ericom AccessNow", - "Description": "Ericom AccessNow is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "OptiTune", + "Description": "OptiTune is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/26/2024", "Details": { "Website": "", "PEMetadata": { @@ -780,8 +676,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "accessserver*.exe", - "accessserver.exe" + "OTService.exe", + "OTPowerShell.exe" ] }, "Artifacts": { @@ -792,8 +688,8 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "ericom.com" + "*.optitune.us", + "*.opti-tune.com" ], "Ports": [] } 
@@ -801,110 +697,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_accessnow_network_sigma.yml", - "Description": "Detects potential network activity of Ericom AccessNow RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/optitune_network_sigma.yml", + "Description": "Detects potential network activity of OptiTune RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_accessnow_processes_sigma.yml", - "Description": "Detects potential processes activity of Ericom AccessNow RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/optitune_processes_sigma.yml", + "Description": "Detects potential processes activity of OptiTune RMM tool" } ], "References": [ - "https://www.ericom.com/connect-accessnow/" + "https://www.bravurasoftware.com/optitune/support/faq.aspx" ], "Acknowledgement": [] }, { - "Name": "RealVNC", - "Description": "RealVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "EMCO Remote Console", + "Description": "EMCO Remote Console is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [] - }, - "Detections": [], - "References": [], - "Acknowledgement": [] - }, - { - "Name": "Pcnow", - "Description": "Pcnow is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/9/2024", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "mwcliun.exe", - "pcnmgr.exe", - "webexpcnow.exe" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "au.pcmag.com/utilities/21470/webex-pcnow" - ], - "Ports": [] - } - ] - }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcnow_network_sigma.yml", - "Description": "Detects potential network activity of Pcnow RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcnow_processes_sigma.yml", - "Description": "Detects potential processes activity of Pcnow RMM tool" - } - ], - "References": [ - "http://pcnow.webex.com/ - DOA as of 2024" - ], - "Acknowledgement": [] - }, - { - "Name": "DesktopNow", - "Description": "DesktopNow is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/26/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -919,7 +730,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "desktopnow.exe" + "remoteconsole.exe" ] }, "Artifacts": { @@ -930,7 +741,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.nchuser.com" + "user_managed", + "emcosoftware.com" ], "Ports": [] } 
@@ -938,22 +750,20 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktopnow_network_sigma.yml", - "Description": "Detects potential network activity of DesktopNow RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/emco_remote_console_network_sigma.yml", + "Description": "Detects potential network activity of EMCO Remote Console RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktopnow_processes_sigma.yml", - "Description": "Detects potential processes activity of DesktopNow RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/emco_remote_console_processes_sigma.yml", + "Description": "Detects potential processes activity of EMCO Remote Console RMM tool" } ], - "References": [ - "https://forums.ivanti.com/s/article/Network-Ports-used-by-Environment-Manager?language=en_US" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "Pocket Controller (Soti Xsight)", - "Description": "Pocket Controller (Soti Xsight) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "N-Able Advanced Monitoring Agent", + "Description": "N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -971,9 +781,12 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "pocketcontroller.exe", - "wysebrowser.exe", - "XSightService.exe" + "Agent_*_RW.exe", + "BASEClient.exe", + "BASupApp.exe", + "BASupSrvc.exe", + "BASupSrvcCnfg.exe", + "BASupTSHelper.exe" ] }, "Artifacts": { 
@@ -984,7 +797,17 @@ { "Description": "Known remote domains", "Domains": [ - "*soti.net" + "*remote.management", + "*.logicnow.com", + "*systemmonitor.us", + "*systemmonitor.eu.com", + "*system-monitor.com", + "systemmonitor.us.cdn.cloudflare.net", + "*cloudbackup.management", + "*systemmonitor.co.uk", + "*.n-able.com", + "*.beanywhere.com ", + "*.swi-tc.com" ], "Ports": [] } 
@@ -992,25 +815,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller__soti_xsight__network_sigma.yml", - "Description": "Detects potential network activity of Pocket Controller (Soti Xsight) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_network_sigma.yml", + "Description": "Detects potential network activity of N-Able Advanced Monitoring Agent RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller__soti_xsight__processes_sigma.yml", - "Description": "Detects potential processes activity of Pocket Controller (Soti Xsight) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_processes_sigma.yml", + "Description": "Detects potential processes activity of N-Able Advanced Monitoring Agent RMM tool" } ], "References": [ - "https://pulse.soti.net/support/soti-xsight/help/" + "https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm" ], "Acknowledgement": [] }, { - "Name": "Instant Housecall", - "Description": "Instant Housecall is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Tailscale", + "Description": "Tailscale is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { @@ -1025,10 +848,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "hsloader.exe", - "ihcserver.exe", - "instanthousecall.exe", - "instanthousecall.exe" + "tailscale-*.exe", + "tailscaled.exe", + "tailscale-ipn.exe" ] }, "Artifacts": { 
@@ -1039,10 +861,9 @@ { "Description": "Known remote domains", "Domains": [ - "*.instanthousecall.com", - "*.instanthousecall.net", - "instanthousecall.com", - "secure.instanthousecall.com" + "*.tailscale.com", + "*.tailscale.io", + "tailscale.com" ], "Ports": [] } @@ -1050,25 +871,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_network_sigma.yml", - "Description": "Detects potential network activity of Instant Housecall RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tailscale_network_sigma.yml", + "Description": "Detects potential network activity of Tailscale RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_processes_sigma.yml", - "Description": "Detects potential processes activity of Instant Housecall RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tailscale_processes_sigma.yml", + "Description": "Detects potential processes activity of Tailscale RMM tool" } ], "References": [ - "https://instanthousecall.com/features/" + "https://tailscale.com/kb/1023/troubleshooting" ], "Acknowledgement": [] }, { - "Name": "CentraStage (Now Datto)", - "Description": "CentraStage (Now Datto) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Pilixo", + "Description": "Pilixo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -1083,8 +904,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "CagService.exe", - "AEMAgent.exe" + "rdp.exe", + "Pilixo_Installer*.exe" ] }, "Artifacts": { 
@@ -1095,9 +916,9 @@ { "Description": "Known remote domains", "Domains": [ - "*.rmm.datto.com", - "*cc.centrastage.net", - "datto.com/au/products/rmm/" + "pilixo.com", + "download.pilixo.com", + "*.pilixo.com" ], "Ports": [] } @@ -1105,22 +926,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centrastage__now_datto__network_sigma.yml", - "Description": "Detects potential network activity of CentraStage (Now Datto) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pilixo_network_sigma.yml", + "Description": "Detects potential network activity of Pilixo RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centrastage__now_datto__processes_sigma.yml", - "Description": "Detects potential processes activity of CentraStage (Now Datto) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pilixo_processes_sigma.yml", + "Description": "Detects potential processes activity of Pilixo RMM tool" } ], "References": [ - "https://rmm.datto.com/help/de/Content/1INTRODUCTION/Requirements/AllowListRequirements.htm" + "https://pilixo.freshdesk.com/support/solutions/articles/9000141879-device-connectivity-and-firewalls" ], "Acknowledgement": [] }, { - "Name": "Insync", - "Description": "Insync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Remote Desktop Manager (Devolutions)", + "Description": "Remote Desktop Manager (Devolutions) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -1137,11 +958,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\Users\\USERNAME\\AppData\\Roaming\\Insync\\App\\Insync.exe", - "*Users\\*\\AppData\\Roaming\\Insync\\App\\Insync.exe", - "*\\Insync.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], @@ -1149,21 +966,16 @@ "Registry": [], "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/insync_processes_sigma.yml", - "Description": "Detects potential processes activity of Insync RMM tool" - } - ], + "Detections": [], "References": [], "Acknowledgement": [] }, { - "Name": "LogMeIn rescue", - "Description": "LogMeIn rescue is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "BeyondTrust (Bomgar)", + "Description": "BeyondTrust (Bomgar) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -1178,9 +990,11 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "support-logmeinrescue*.exe", - "support-logmeinrescue.exe", - "lmi_rescue.exe" + "bomgar-scc-*.exe", + "bomgar-scc.exe", + "bomgar-pac-*.exe", + "bomgar-pac.exe", + "bomgar-rdp.exe" ] }, "Artifacts": { @@ -1191,9 +1005,9 @@ { "Description": "Known remote domains", "Domains": [ - "*.logmeinrescue.com", - "*.logmeinrescue.eu", - "logmeinrescue.com" + "*.beyondtrustcloud.com", + "*.bomgarcloud.com", + "bomgarcloud.com" ], "Ports": [] } 
@@ -1201,71 +1015,161 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_rescue_network_sigma.yml", - "Description": "Detects potential network activity of LogMeIn rescue RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__network_sigma.yml", + "Description": "Detects potential network activity of BeyondTrust (Bomgar) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_rescue_processes_sigma.yml", - "Description": "Detects potential processes activity of LogMeIn rescue RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__processes_sigma.yml", + "Description": "Detects potential processes activity of BeyondTrust (Bomgar) RMM tool" } ], "References": [ - "https://support.logmeinrescue.com/rescue/help/allowlisting-and-rescue" + "https://www.beyondtrust.com/docs/remote-support/getting-started/deployment/cloud/network.htm" ], "Acknowledgement": [] }, { - "Name": "Electric AI (Kaseya)", - "Description": "Electric AI (Kaseya) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/7/2024", + "Name": "Alpemix", + "Description": "Alpemix is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.\n", + "Author": "Nasreddine Bencherchali", + "Created": "2024-08-05", + "LastModified": "2024-08-05", "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, + "Website": "https://www.alpemix.com/en/Home", + "PEMetadata": [ + { + "Filename": "Alpemix.exe", + "OriginalFileName": "Alpemix", + "Description": "Alpemix", + "Product": "Alpemix", + "InternalName": "Alpemix" + } + ], "Privileges": "", "Free": "", "Verification": "", - "SupportedOS": [], - "Capabilities": [], + "SupportedOS": [ + "Windows", + "Linux", + "Android", + "Mac", + "IOS" + ], + "Capabilities": [ + "5 Different Solutions for Remote Support", + "Access to Unattended Computers", + "Access to User Account Control (UAC) Screens", + "Add Your Own Logo", + "Auto Sizing", + "Automatic Update", + "Clipboard Transfer", + "Computer Independent Licensing", + "Contact List and Groups", + "Encrypted Communication", + "External Communication Barrier", + "File Transfer", + "Instant Messaging", + "Multi-Platform Support", + "Multiple Chat", + "Multiple Connections", + "No Port Forwarding Required", + "Peer to Peer Connection (p2p)", + "Receiving Offline Message", + "Remote Restart", + "ReportingRestricting The Authority", + "Screen Sharing", + "Sending Announcement Message", + "Sharing a certain part of the screen", + "Video Recording", + "Voice Communication", + "Who is currently supporting?", + "Working in Black Screen Mode" + ], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "C:\\AlpemixService.exe", + "C:\\AlpemixSrvc\\" + ] }, "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], + "Disk": [ + { + "File": "%localappdata%\\Alpemix\\Alpemix.ini", + "Description": "N/A", + "OS": "Windows" + } + ], + "EventLog": [ + { + "EventID": 7045, + "ProviderName": "Service Control Manager", + "LogFile": "System.evtx", + "ServiceName": "AlpemixSrvc", + "ImagePath": 
"*\\Alpemix.exe servicestartxxx", + "Description": "Service installation event as result of Alpemix installation." + } + ], + "Registry": [ + { + "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\AlpemixSrvcx", + "Description": "N/A" + } + ], "Network": [ { - "Description": "Known remote domains", "Domains": [ - "electric.ai" + "*.alpemix.com" ], - "Ports": [] + "Ports": [ + 443 + ], + "Description": "N/A" + }, + { + "Domains": [ + "*.teknopars.com" + ], + "Ports": [ + 80 + ], + "Description": "N/A" } ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/electric_network_sigma.yml", - "Description": "Detects potential network activity of Electric RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_registry_sigma.yml", + "Description": "Detects potential registry activity of Alpemix RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_network_sigma.yml", + "Description": "Detects potential network activity of Alpemix RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_files_sigma.yml", + "Description": "Detects potential files activity of Alpemix RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_processes_sigma.yml", + "Description": "Detects potential processes activity of Alpemix RMM tool" } ], "References": [ - "https://www.electric.ai/product/device-management-solutions - Usess Kaseya/jamf" + "https://www.alpemix.com/en/remote-access" ], - "Acknowledgement": [] + "Acknowledgement": [ + { + "Person": "Nasreddine Bencherchali", + "Handle": "@nas_bench" + } + ] }, { - "Name": "Adobe Connect", - "Description": "Adobe Connect is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Name": "Auvik", + "Description": "Auvik is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/27/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -1280,10 +1184,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ConnectAppSetup*.exe", - "ConnectShellSetup*.exe", - "Connect.exe", - "ConnectDetector.exe" + "auvik.engine.exe", + "auvik.agent.exe" ] }, "Artifacts": { @@ -1294,7 +1196,9 @@ { "Description": "Known remote domains", "Domains": [ - "*.adobeconnect.com" + "*.my.auvik.com", + "*.auvik.com", + "auvik.com" ], "Ports": [] } 
@@ -1302,25 +1206,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/adobe_connect_network_sigma.yml", - "Description": "Detects potential network activity of Adobe Connect RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/auvik_network_sigma.yml", + "Description": "Detects potential network activity of Auvik RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/adobe_connect_processes_sigma.yml", - "Description": "Detects potential processes activity of Adobe Connect RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/auvik_processes_sigma.yml", + "Description": "Detects potential processes activity of Auvik RMM tool" } ], "References": [ - "https://helpx.adobe.com/adobe-connect/firewall-proxy-server-configuration-adobe-connect.html" + "https://support.auvik.com/hc/en-us/articles/204315700-What-protocols-and-ports-does-the-Auvik-collector-use" ], "Acknowledgement": [] }, { - "Name": "CloudFlare Tunnel", - "Description": "CloudFlare Tunnel is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Tactical RMM", + "Description": "Tactical RMM is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { @@ -1335,7 +1239,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "cloudflared.exe" + "tacticalrmm.exe", + "tacticalrmm.exe" ] }, "Artifacts": { @@ -1346,7 +1251,9 @@ { "Description": "Known remote domains", "Domains": [ - "cloudflare.com/products/tunnel/" + "login.tailscale.com", + "login.tailscale.com", + "docs.tacticalrmm.com" ], "Ports": [] } 
@@ -1354,25 +1261,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudflare_tunnel_network_sigma.yml", - "Description": "Detects potential network activity of CloudFlare Tunnel RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tactical_rmm_network_sigma.yml", + "Description": "Detects potential network activity of Tactical RMM RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudflare_tunnel_processes_sigma.yml", - "Description": "Detects potential processes activity of CloudFlare Tunnel RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tactical_rmm_processes_sigma.yml", + "Description": "Detects potential processes activity of Tactical RMM RMM tool" } ], "References": [ - "cloudflare.com/products/tunnel/" + "docs.tacticalrmm.com" ], "Acknowledgement": [] }, { - "Name": "mstsc", - "Description": "mstsc is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "MioNet (WD Anywhere Access)", + "Description": "MioNet (WD Anywhere Access) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -1387,8 +1294,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Windows\\System32\\mstsc.exe", - "*Windows\\System32\\mstsc.exe" + "mionet.exe", + "mionetmanager.exe" ] }, "Artifacts": { 
@@ -1399,19 +1306,21 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mstsc_processes_sigma.yml", - "Description": "Detects potential processes activity of mstsc RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mionet__wd_anywhere_access__processes_sigma.yml", + "Description": "Detects potential processes activity of MioNet (WD Anywhere Access) RMM tool" } ], - "References": [], + "References": [ + "https://en.wikipedia.org/wiki/WD_Anywhere_Access - DOA as of 2016" + ], "Acknowledgement": [] }, { - "Name": "Parallels Access", - "Description": "Parallels Access is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Comodo RMM", + "Description": "Comodo RMM is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -1426,11 +1335,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "parallelsaccess-*.exe", - "TSClient.exe", - "prl_deskctl_agent.exe", - "prl_deskctl_wizard.exe", - "prl_pm_service.exe" + "itsmagent.exe", + "rviewer.exe" ] }, "Artifacts": { @@ -1441,8 +1347,9 @@ { "Description": "Known remote domains", "Domains": [ - "*.parallels.com", - "parallels.com/products/ras/try" + "*.itsm-us1.comodo.com", + "*mdmsupport.comodo.com", + "one.comodo.com" ], "Ports": [] } 
@@ -1450,22 +1357,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/parallels_access_network_sigma.yml", - "Description": "Detects potential network activity of Parallels Access RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/comodo_rmm_network_sigma.yml", + "Description": "Detects potential network activity of Comodo RMM RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/parallels_access_processes_sigma.yml", - "Description": "Detects potential processes activity of Parallels Access RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/comodo_rmm_processes_sigma.yml", + "Description": "Detects potential processes activity of Comodo RMM RMM tool" } ], "References": [ - "https://kb.parallels.com/en/129097" + "https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html" ], "Acknowledgement": [] }, { - "Name": "ConnectWise Control", - "Description": "ConnectWise Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Pocket Controller", + "Description": "Pocket Controller is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -1483,9 +1390,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "connectwisechat-customer.exe", - "connectwisecontrol.client.exe", - "screenconnect.windowsclient.exe" + "pocketcontroller.exe", + "pocketcloudservice.exe", + "wysebrowser.exe" ] }, "Artifacts": { @@ -1496,8 +1403,7 @@ { "Description": "Known remote domains", "Domains": [ - "live.screenconnect.com", - "control.connectwise.com" + "soti.net/products/soti-pocket-controller" ], "Ports": [] } 
@@ -1505,20 +1411,20 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_network_sigma.yml", - "Description": "Detects potential network activity of ConnectWise Control RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller_network_sigma.yml", + "Description": "Detects potential network activity of Pocket Controller RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_processes_sigma.yml", - "Description": "Detects potential processes activity of ConnectWise Control RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller_processes_sigma.yml", + "Description": "Detects potential processes activity of Pocket Controller RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "Devolutions Remote Desktop Manager", - "Description": "Devolutions Remote Desktop Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "NordLocker", + "Description": "NordLocker is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -1548,11 +1454,11 @@ "Acknowledgement": [] }, { - "Name": "TigerVNC", - "Description": "TigerVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "OCS inventory", + "Description": "OCS inventory is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/26/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -1567,11 +1473,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "tigervnc*.exe", - "winvnc4.exe", - "C:\\Program Files\\TightVNC\\*", - "*\\TightVNC\\*", - "*\\tvnserver.exe" + "ocsinventory.exe", + "ocsservice.exe" ] }, "Artifacts": { @@ -1582,7 +1485,8 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed" + "user_managed", + "ocsinventory-ng.org" ], "Ports": [] } @@ -1590,25 +1494,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tigervnc_network_sigma.yml", - "Description": "Detects potential network activity of TigerVNC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ocs_inventory_network_sigma.yml", + "Description": "Detects potential network activity of OCS inventory RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tigervnc_processes_sigma.yml", - "Description": "Detects potential processes activity of TigerVNC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ocs_inventory_processes_sigma.yml", + "Description": "Detects potential processes activity of OCS inventory RMM tool" } ], "References": [ - "https://github.com/TigerVNC/tigervnc/releases" + "https://ocsinventory-ng.org/?page_id=878&lang=en" ], "Acknowledgement": [] }, { - "Name": "Rocket Remote Desktop", - "Description": "Rocket Remote Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "GotoHTTP", + "Description": "GotoHTTP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -1623,28 +1527,44 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "RDConsole.exe", - "RocketRemoteDesktop_Setup.exe" + "GotoHTTP_x64.exe", + "gotohttp.exe", + "GotoHTTP*.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.gotohttp.com", + "gotohttp.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rocket_remote_desktop_processes_sigma.yml", - "Description": "Detects potential processes activity of Rocket Remote Desktop RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotohttp_network_sigma.yml", + "Description": "Detects potential network activity of GotoHTTP RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotohttp_processes_sigma.yml", + "Description": "Detects potential processes activity of GotoHTTP RMM tool" } ], - "References": [], + "References": [ + "https://gotohttp.com/goto/help.12x" + ], "Acknowledgement": [] }, { - "Name": "NoteOn-desktop sharing", - "Description": "NoteOn-desktop sharing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Terminals", + "Description": "Terminals is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -1661,11 +1581,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "nateon*.exe", - "nateon.exe", - "nateonmain.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], 
@@ -1673,21 +1589,16 @@ "Registry": [], "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/noteon-desktop_sharing_processes_sigma.yml", - "Description": "Detects potential processes activity of NoteOn-desktop sharing RMM tool" - } - ], + "Detections": [], "References": [], "Acknowledgement": [] }, { - "Name": "HelpU", - "Description": "HelpU is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "RPort", + "Description": "RPort is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -1702,9 +1613,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "helpu_install.exe", - "HelpuUpdater.exe", - "HelpuManager.exe" + "rport.exe" ] }, "Artifacts": { @@ -1715,8 +1624,8 @@ { "Description": "Known remote domains", "Domains": [ - "helpu.co.kr", - "*.helpu.co.kr" + "user_managed", + "rport.io" ], "Ports": [] } 
@@ -1724,25 +1633,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpu_network_sigma.yml", - "Description": "Detects potential network activity of HelpU RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rport_network_sigma.yml", + "Description": "Detects potential network activity of RPort RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpu_processes_sigma.yml", - "Description": "Detects potential processes activity of HelpU RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rport_processes_sigma.yml", + "Description": "Detects potential processes activity of RPort RMM tool" } ], "References": [ - "https://helpu.co.kr/" + "https://kb.rport.io/using-the-remote-access" ], "Acknowledgement": [] }, { - "Name": "Splashtop Remote", - "Description": "Splashtop Remote is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "CentraStage (Now Datto)", + "Description": "CentraStage (Now Datto) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -1757,13 +1666,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "strwinclt.exe", - "Splashtop_Streamer_Windows*.exe", - "SplashtopSOS.exe", - "sragent.exe", - "srmanager.exe", - "srserver.exe", - "srservice.exe" + "CagService.exe", + "AEMAgent.exe" ] }, "Artifacts": { @@ -1774,10 +1678,9 @@ { "Description": "Known remote domains", "Domains": [ - "splashtop.com", - "*.api.splashtop.com", - "*.relay.splashtop.com", - "*.api.splashtop.eu" + "*.rmm.datto.com", + "*cc.centrastage.net", + "datto.com/au/products/rmm/" ], "Ports": [] } 
@@ -1785,58 +1688,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_remote_network_sigma.yml", - "Description": "Detects potential network activity of Splashtop Remote RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centrastage__now_datto__network_sigma.yml", + "Description": "Detects potential network activity of CentraStage (Now Datto) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_remote_processes_sigma.yml", - "Description": "Detects potential processes activity of Splashtop Remote RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centrastage__now_datto__processes_sigma.yml", + "Description": "Detects potential processes activity of CentraStage (Now Datto) RMM tool" } ], "References": [ - "https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services" - ], - "Acknowledgement": [] - }, - { - "Name": "X2Go", - "Description": "X2Go is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [] - }, - "Detections": [], - "References": [ - "https://wiki.x2go.org/doku.php" + "https://rmm.datto.com/help/de/Content/1INTRODUCTION/Requirements/AllowListRequirements.htm" ], "Acknowledgement": [] }, { - "Name": "Pocket Controller", - "Description": "Pocket Controller is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Name": "Instant Housecall", + "Description": "Instant Housecall is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -1851,9 +1721,10 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "pocketcontroller.exe", - "pocketcloudservice.exe", - "wysebrowser.exe" + "hsloader.exe", + "InstantHousecall.exe", + "ihcserver.exe", + "instanthousecall.exe" ] }, "Artifacts": { @@ -1864,7 +1735,10 @@ { "Description": "Known remote domains", "Domains": [ - "soti.net/products/soti-pocket-controller" + "*.instanthousecall.com", + "secure.instanthousecall.com", + "*.instanthousecall.net", + "instanthousecall.com" ], "Ports": [] } 
@@ -1872,23 +1746,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller_network_sigma.yml", - "Description": "Detects potential network activity of Pocket Controller RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_network_sigma.yml", + "Description": "Detects potential network activity of Instant Housecall RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller_processes_sigma.yml", - "Description": "Detects potential processes activity of Pocket Controller RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_processes_sigma.yml", + "Description": "Detects potential processes activity of Instant Housecall RMM tool" } ], - "References": [], + "References": [ + "https://instanthousecall.com/features/" + ], "Acknowledgement": [] }, { - "Name": "Xshell", - "Description": "Xshell is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "CruzControl", + "Description": "CruzControl is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -1902,11 +1778,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\Program Files (x86)\\NetSarang\\xShell\\*", - "*\\NetSarang\\xShell\\*", - "*\\xShell.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], 
@@ -1914,21 +1786,18 @@ "Registry": [], "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xshell_processes_sigma.yml", - "Description": "Detects potential processes activity of Xshell RMM tool" - } + "Detections": [], + "References": [ + "https://resources.doradosoftware.com/cruz-rmm" ], - "References": [], "Acknowledgement": [] }, { - "Name": "Bitvise SSH Client", - "Description": "Bitvise SSH Client is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Mikogo", + "Description": "Mikogo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -1943,32 +1812,54 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\Bitvise SSH Client\\*", - "*\\Bitvise SSH Client\\*", - "*\\BvSshClient-Inst.exe" + "mikogo.exe", + "mikogo-starter.exe", + "mikogo-service.exe", + "mikogolauncher.exe", + "C:\\Users\\*\\AppData\\Roaming\\Mikogo\\*", + "*Users\\*\\AppData\\Roaming\\Mikogo\\*", + "*\\Mikogo-Service.exe", + "*\\Mikogo-Screen-Service.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.real-time-collaboration.com", + "*.mikogo4.com", + "*.mikogo.com", + "mikogo.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bitvise_ssh_client_processes_sigma.yml", - "Description": "Detects potential processes activity of Bitvise SSH Client RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mikogo_network_sigma.yml", + "Description": "Detects potential network activity of Mikogo RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mikogo_processes_sigma.yml", + "Description": "Detects potential processes activity of Mikogo RMM tool" } ], - "References": [], + "References": [ + "https://mikogo.zendesk.com/hc/en-us/articles/214072478-Which-IP-addresses-do-we-use-for-our-services" + ], "Acknowledgement": [] }, { - "Name": "Royal Server", - "Description": "Royal Server is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "mRemoteNG", + "Description": "mRemoteNG is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -1982,17 +1873,43 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], + "InstallationPaths": [ + "mRemoteNG.exe", + "C:\\Program Files (x86)\\mRemoteNG\\*", + "*\\mRemoteNG\\*", + "*\\mRemoteNG.exe", + "c:\\Program Files (x86)%\\mRemoteNG", + "*%\\mRemoteNG", + "mRemoteNG-Installer-*.msi", + "*\\mRemoteNG.exe" + ] + }, + "Artifacts": { + "Disk": [ + { + "File": "C:\\Users\\*\\AppData\\Roaming\\mRemoteNG\\mRemoteNG.log", + "Description": "mRemoteNG log file", + "OS": "Windows" + }, + { + "File": "C:\\Users\\*\\AppData\\Roaming\\mRemoteNG\\confCons.xml", + "Description": "mRemoteNG configuration file", + "OS": "Windows" + }, + { + "File": "C:\\Users\\*\\AppData\\*\\mRemoteNG\\**10\\user.config", + "Description": "mRemoteNG user configuration file", + "OS": "Windows" + } + ], + "EventLog": [], "Registry": [], "Network": [ { "Description": "Known remote domains", "Domains": [ - "royalapps.com" + "user_managed", + "mremoteng.org" ], "Ports": [] } 
@@ -2000,21 +1917,29 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_server_network_sigma.yml", - "Description": "Detects potential network activity of Royal Server RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_network_sigma.yml", + "Description": "Detects potential network activity of mRemoteNG RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_files_sigma.yml", + "Description": "Detects potential files activity of mRemoteNG RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_processes_sigma.yml", + "Description": "Detects potential processes activity of mRemoteNG RMM tool" } ], "References": [ - "https://royalapps.com/server/main/features" + "https://github.com/mRemoteNG/mRemoteNG" ], "Acknowledgement": [] }, { - "Name": "Remote Manipulator System", - "Description": "Remote Manipulator System is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "LabTech RMM (Now ConnectWise Automate)", + "Description": "LabTech RMM (Now ConnectWise Automate) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -2029,8 +1954,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "rfusclient.exe", - "rutserv.exe" + "ltsvc.exe", + "ltsvcmon.exe", + "lttray.exe" ] }, "Artifacts": { @@ -2041,8 +1967,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.internetid.ru", - "rmansys.ru" + "connectwise.com" ], "Ports": [] } 
@@ -2050,25 +1975,23 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_manipulator_system_network_sigma.yml", - "Description": "Detects potential network activity of Remote Manipulator System RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labtech_rmm__now_connectwise_automate__network_sigma.yml", + "Description": "Detects potential network activity of LabTech RMM (Now ConnectWise Automate) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_manipulator_system_processes_sigma.yml", - "Description": "Detects potential processes activity of Remote Manipulator System RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labtech_rmm__now_connectwise_automate__processes_sigma.yml", + "Description": "Detects potential processes activity of LabTech RMM (Now ConnectWise Automate) RMM tool" } ], - "References": [ - "https://rmansys.ru/files/" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "Manage Engine (Desktop Central)", - "Description": "Manage Engine (Desktop Central) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ScreenMeet", + "Description": "ScreenMeet is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -2083,8 +2006,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "dcagentservice.exe", - "dcagentregister.exe" + "ScreenMeetSupport.exe", + "ScreenMeet.Support.exe" ] }, "Artifacts": { 
@@ -2095,12 +2018,8 @@ { "Description": "Known remote domains", "Domains": [ - "desktopcentral.manageengine.com", - "desktopcentral.manageengine.com.eu", - "desktopcentral.manageengine.cn", - "*.dms.zoho.com", - "*.dms.zoho.com.eu", - "*.-dms.zoho.com.cn" + "*.screenmeet.com", + "*.scrn.mt" ], "Ports": [] } @@ -2108,23 +2027,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktop_central_network_sigma.yml", - "Description": "Detects potential network activity of Desktop Central RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenmeet_network_sigma.yml", + "Description": "Detects potential network activity of ScreenMeet RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktop_central_processes_sigma.yml", - "Description": "Detects potential processes activity of Desktop Central RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenmeet_processes_sigma.yml", + "Description": "Detects potential processes activity of ScreenMeet RMM tool" } ], - "References": [], + "References": [ + "https://docs.screenmeet.com/docs/firewall-white-list" + ], "Acknowledgement": [] }, { - "Name": "Auvik", - "Description": "Auvik is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "RES Automation Manager", + "Description": "RES Automation Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -2139,8 +2060,10 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "auvik.engine.exe", - "auvik.agent.exe" + "wisshell*.exe", + "wmc.exe", + "wmc_deployer.exe", + "wmcsvc.exe" ] }, "Artifacts": { 
@@ -2151,9 +2074,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.my.auvik.com", - "*.auvik.com", - "auvik.com" + "user_managed", + "ivanti.com/" ], "Ports": [] } @@ -2161,22 +2083,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/auvik_network_sigma.yml", - "Description": "Detects potential network activity of Auvik RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/res_automation_manager_network_sigma.yml", + "Description": "Detects potential network activity of RES Automation Manager RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/auvik_processes_sigma.yml", - "Description": "Detects potential processes activity of Auvik RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/res_automation_manager_processes_sigma.yml", + "Description": "Detects potential processes activity of RES Automation Manager RMM tool" } ], "References": [ - "https://support.auvik.com/hc/en-us/articles/204315700-What-protocols-and-ports-does-the-Auvik-collector-use" + "https://forums.ivanti.com/s/article/INFO-Which-ports-does-Ivanti-Automation-use?language=en_US&ui-force-components-controllers-recordGlobalValueProvider.RecordGvp.getRecord=1" ], "Acknowledgement": [] }, { - "Name": "Basecamp", - "Description": "Basecamp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Anyplace Control", + "Description": "Anyplace Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/7/2024", @@ -2193,7 +2115,9 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "apc_host.exe" + ] }, "Artifacts": { "Disk": [], 
@@ -2203,7 +2127,7 @@ { "Description": "Known remote domains", "Domains": [ - "basecamp.com" + "anyplace-control.com" ], "Ports": [] } @@ -2211,21 +2135,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/basecamp_network_sigma.yml", - "Description": "Detects potential network activity of Basecamp RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyplace_control_network_sigma.yml", + "Description": "Detects potential network activity of Anyplace Control RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyplace_control_processes_sigma.yml", + "Description": "Detects potential processes activity of Anyplace Control RMM tool" } ], "References": [ - "basecamp.com - No specific RMM tool listed" + "http://www.anyplace-control.com/anyplace-control/help/faq.htm" ], "Acknowledgement": [] }, { - "Name": "Free Tools Launcher", - "Description": "Free Tools Launcher is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "TightVNC", + "Description": "TightVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -2240,684 +2168,103 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files\\ManageEngine\\ManageEngine Free Tools\\Launcher\\*", - "*\\ManageEngine\\*" + "tvnviewer.exe", + "TightVNCViewerPortable*.exe", + "tvnserver.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "user_managed", + "tightvnc.com" + ], + "Ports": [] + } + ] }, - "Detections": [], - "References": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tightvnc_network_sigma.yml", + "Description": "Detects potential network activity of TightVNC RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tightvnc_processes_sigma.yml", + "Description": "Detects potential processes activity of TightVNC RMM tool" + } + ], + "References": [ + "https://www.tightvnc.com/doc/win/TightVNC_for_Windows-Installation_and_Getting_Started.pdf" + ], "Acknowledgement": [] }, { - "Name": "AnyDesk", - "Category": "RMM", - "Description": "AnyDesk is a popular remote desktop software that enables users to access and control a computer or device from a remote location. It was developed with the primary goal of facilitating remote work, technical support, and collaboration between individuals and teams.\n", - "Author": "Ali Alwashali, Nasreddine Bencherchali", - "Created": "2023-09-29", - "LastModified": "2024-10-06", + "Name": "LiteManager", + "Description": "LiteManager is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/8/2024", "Details": { - "Website": "https://anydesk.com/en", - "PEMetadata": [ - { - "Filename": "anydesk.exe", - "OriginalFileName": "AnyDesk.exe", - "Description": "AnyDesk", - "Product": "AnyDesk" - } - ], - "Privileges": "User", - "Free": true, - "Verification": false, - "SupportedOS": [ - "Android", - "ChromeOS", - "IOS", - "Linux", - "Mac", - "Windows" - ], - "Capabilities": [ - "File Transfer", - "File System Access", - "Remote Control", - "GUI Support", - "Command line Support" - ], - "Vulnerabilities": [ - "https://www.cvedetails.com/vulnerability-list/vendor_id-16953/product_id-40173/Anydesk-Anydesk.html" - ], + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\AnyDesk\\*", - "C:\\Program Files\\AnyDesk\\*" + "lmnoipserver.exe", + "ROMFUSClient.exe", + "romfusclient.exe", + "romviewer.exe", + "romserver.exe", + "ROMServer.exe" ] }, "Artifacts": { - "Disk": [ - { - "File": "%programdata%\\AnyDesk\\ad_svc.trace", - "Description": "AnyDesk service log file. As well as ad.trace, we can determine the IP address of the other participant and its AnyDesk ID when a connection is established.", - "OS": "Windows", - "Example": [ - "info 2022-08-23 10:20:11.969 gsvc 4628 3528 3 anynet.relay_conn - External address: 34.xx.xx.123:46798" - ] - }, - { - "File": "%programdata%\\AnyDesk\\connection_trace.txt", - "Description": "Incoming connection logs, contains IP Address of the remote machine and file transfer activity. Only generated on target side. The content indicates how the connection was approved (e.g. 
the local user authorized it, or a password was used)", - "OS": "Windows", - "Example": [ - "Incoming 2022-08-23, 10:23 Passwd 547911884 547911884", - "Incoming 2022-09-28, 12:39 User 442226597 442226597" - ] - }, - { - "File": "%APPDATA%\\AnyDesk\\connection_trace.txt", - "Description": "Incoming connection logs, contains IP Address of the remote machine and file transfer activity. Only generated on target side. The content indicates how the connection was approved (e.g. the local user authorized it, or a password was used)", - "OS": "Windows", - "Example": [ - "Incoming 2022-08-23, 10:23 Passwd 547911884 547911884", - "Incoming 2022-09-28, 12:39 User 442226597 442226597" - ] - }, - { - "File": "%APPDATA%\\AnyDesk\\ad.trace", - "Description": "AnyDesk user interface log file. In this log file, we can determine the IP address of the other participant and its AnyDesk ID. It is also possible to track events of file transfer. Below is the Client ID and external IP address of the remote participant.", - "OS": "Windows", - "Example": [ - "info 2022-09-28 12:39:26.845 lsvc 9952 9944 21 anynet.any_socket - Client-ID: 442226597 (FPR: 8e28a2a25b30).", - "info 2022-09-28 12:39:26.845 lsvc 9952 9944 21 anynet.any_socket - Logged in from 12.xx.xx.21:59562 on relay 80e496c0." - ] - }, - { - "File": "%APPDATA%\\AnyDesk\\chat\\*.txt", - "Description": "If the chat functionality is used, its entries will be printed in a text file in this folder.", - "OS": "Windows" - }, - { - "File": "%APPDATA%\\AnyDesk\\user.conf", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "%PROGRAMDATA%\\AnyDesk\\service.conf", - "Description": "Password can be set to auto-validate the session. 
The password will be saved in a salted hash format.", - "OS": "Windows" - }, - { - "File": "%APPDATA%\\AnyDesk\\service.conf", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "%APPDATA%\\AnyDesk\\system.conf", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "%PROGRAMDATA%\\AnyDesk\\system.conf", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\AnyDesk.lnk", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\AnyDesk\\Uninstall AnyDesk.lnk", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Users\\*\\Videos\\AnyDesk\\*.anydesk", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Windows\\SysWOW64\\config\\systemprofile\\AppData\\Roaming\\AnyDesk\\*", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "~/Library/Application Support/AnyDesk/Logs/", - "Description": "N/A", - "OS": "Mac" - }, - { - "File": "~/.config/AnyDesk/Logs/", - "Description": "N/A", - "OS": "Linux" - } - ], - "EventLog": [ - { - "EventID": 7045, - "ProviderName": "Service Control Manager", - "LogFile": "System.evtx", - "ServiceName": "AnyDesk Service", - "ImagePath": "\"C:\\\\Program Files (x86)\\\\AnyDesk\\\\AnyDesk.exe\" --service", - "Description": "Service installation event as result of AnyDesk installation." - }, - { - "EventID": 4697, - "ProviderName": "Microsoft-Security-Auditing", - "LogFile": "Security.evtx", - "ServiceName": "AnyDesk Service", - "ImagePath": "\"C:\\\\Program Files (x86)\\\\AnyDesk\\\\AnyDesk.exe\" --service", - "Description": "Service installation event as result of AnyDesk installation." 
- } - ], - "Registry": [ - { - "Path": "HKLM\\SOFTWARE\\Clients\\Media\\AnyDesk", - "Description": "N/A" - }, - { - "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\AnyDesk", - "Description": "N/A" - }, - { - "Path": "HKLM\\SOFTWARE\\Classes\\.anydesk\\shell\\open\\command", - "Description": "N/A" - }, - { - "Path": "HKLM\\SOFTWARE\\Classes\\AnyDesk\\shell\\open\\command", - "Description": "N/A" - }, - { - "Path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\AnyDesk Printer\\*", - "Description": "N/A" - }, - { - "Path": "HKLM\\DRIVERS\\DriverDatabase\\DeviceIds\\USBPRINT\\AnyDesk", - "Description": "N/A" - }, - { - "Path": "HKLM\\DRIVERS\\DriverDatabase\\DeviceIds\\WSDPRINT\\AnyDesk", - "Description": "N/A" - }, - { - "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\AnyDesk", - "Description": "N/A" - } - ], - "Network": [ - { - "Description": "During setup the boot.net.anydesk.com domain is request over port 443", - "Domains": [ - "boot.net.anydesk.com" - ], - "Ports": [ - 443 - ] - }, - { - "Description": "N/A", - "Domains": [ - "relay-[a-f0-9]{8}.net.anydesk.com:443" - ], - "Ports": [ - 443 - ] - }, - { - "Description": "N/A", - "Domains": [ - "*.anydesk.com" - ], - "Ports": [ - 443 - ] - } - ], - "Other": [ - { - "Type": "User-Agent", - "Value": "AnyDesk/*" - }, - { - "Type": "NamedPipe", - "Value": "adprinterpipe" - } - ] - }, - "Detections": [ - { - "Sigma": "https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/builtin/system/service_control_manager/win_system_service_install_anydesk.yml", - "Description": "Anydesk Remote Access Software Service Installation" - }, - { - "Sigma": "https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml", - "Description": "N/A" - }, - { - "Sigma": 
"https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk.yml", - "Description": "N/A" - }, - { - "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml", - "Description": "Remote Access Tool - AnyDesk Silent Installation" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_registry_sigma.yml", - "Description": "Detects potential registry activity of AnyDesk RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_network_sigma.yml", - "Description": "Detects potential network activity of AnyDesk RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_files_sigma.yml", - "Description": "Detects potential files activity of AnyDesk RMM tool" - } - ], - "References": [ - "https://support.anydesk.com/knowledge/firewall", - "https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html", - "https://github.com/mthcht/awesome-lists/tree/79ced75eebe53bcabf1235b3c17eb11788875482/Lists/RMM/anydesk", - "https://ruler-project.github.io/ruler-project/RULER/remote/AnyDesk/" - ], - "Acknowledgement": [ - { - "Person": "Théo Letailleur", - "Handle": "in/theosyn" - }, - { - "Person": "Ali Alwashali", - "Handle": "@ali_alwashali" - }, - { - "Person": "Nasreddine Bencherchali", - "Handle": "@nas_bench" - } - ] - }, - { - "Name": "AnyViewer", - "Description": "AnyViewer is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.\n", - "Author": "@kostastsale", - "Created": "2024-08-03", - "LastModified": "2024-08-03", - "Details": { - "Website": "https://www.anyviewer.com/", - "PEMetadata": [ - { - "Filename": "AnyViewer.exe", - "OriginalFileName": "AnyViewer", - "Description": "Splash Window" - }, - { - "Filename": "RCClient.exe", - "OriginalFileName": "RCClient.exe", - "Description": "AnyViewer Core" - }, - { - "Filename": "ScreanCap.exe", - "Description": "Screan capture" - }, - { - "Filename": "AVCore.exe" - }, - { - "Filename": "RCService.exe" - } - ], - "Privileges": "System", - "Free": "up to 10 devices", - "Verification": "None", - "SupportedOS": [ - "Windows" - ], - "Capabilities": [ - "Remote desktop", - "Remote file transfer", - "Remote monitoring and management", - "Remote shell open" - ], - "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\Program Files (x86)\\AnyViewer\\*" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [ - { - "EventID": 4688, - "ProviderName": "Microsoft-Security-Auditing", - "LogFile": "Security.evtx", - "CommandLine": "\"C:\\\\Program Files (x86)\\\\AnyViewer\\\\AVCore.exe\" -d", - "Description": "Taking actions on the remote machine such as opening a command prompt." - }, - { - "EventID": 7045, - "ProviderName": "Service Control Manager", - "LogFile": "System.evtx", - "ServiceName": "RCService", - "ImagePath": "C:\\\\Program Files (x86)\\\\AnyViewer\\\\RCService.exe", - "Description": "AnyViewer service installation service." 
- } - ], - "Registry": [], - "Network": [ - { - "Description": "N/A", - "Domains": [ - "*.anyviewer.com" - ], - "Ports": [ - 443 - ] - }, - { - "Description": "N/A", - "Domains": [ - "*.aomeisoftware.com" - ], - "Ports": [ - 443 - ] - } - ] - }, - "Detections": [ - { - "Name": "Arbitrary code execution and remote sessions via Action1 RMM", - "Description": "Threat hunting rule for detecting the execution of arbitrary code and remote sessions via Action1 RMM", - "author": "@kostastsale", - "Link": "https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/Anyviewer.yml" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyviewer_network_sigma.yml", - "Description": "Detects potential network activity of AnyViewer RMM tool" - } - ], - "References": [ - "https://www.anyviewer.com/how-to/how-to-open-firewall-ports-for-remote-desktop-0427-gc.html", - "https://www.anyviewer.com/help/remote-technical-support.html" - ], - "Acknowledgement": [ - { - "Person": "Kostas", - "Handle": "@kostastsale" - } - ] - }, - { - "Name": "Level", - "Description": "Level is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "level.io" - ], - "Ports": [] - } - ] - }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level_network_sigma.yml", - "Description": "Detects potential network activity of Level RMM tool" - } - ], - "References": [], - "Acknowledgement": [] - }, - { - "Name": "Site24x7", - "Description": "Site24x7 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/13/2024", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "MEAgentHelper.exe", - "MonitoringAgent.exe", - "Site24x7WindowsAgentTrayIcon.exe", - "Site24x7PluginAgent.exe" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "plus*.site24x7.com", - "plus*.site24x7.eu", - "plus*.site24x7.in", - "plus*.site24x7.cn", - "plus*.site24x7.net.au", - "site24x7.com/msp" - ], - "Ports": [] - } - ] - }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/site24x7_network_sigma.yml", - "Description": "Detects potential network activity of Site24x7 RMM tool" - }, - { - "Sigma": 
"https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/site24x7_processes_sigma.yml", - "Description": "Detects potential processes activity of Site24x7 RMM tool" - } - ], - "References": [ - "https://support.site24x7.com/portal/en/kb/articles/which-ports-do-i-need-to-allow-access-in-my-firewall-to-use-site24x7-agent" - ], - "Acknowledgement": [] - }, - { - "Name": "ScreenConnect", - "Description": "ScreenConnect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "Ali Alwashali, Nasreddine Bencherchali", - "Created": "2023-10-01", - "LastModified": "2024-10-08", - "Details": { - "Website": "https://www.connectwise.com", - "PEMetadata": [ - { - "Filename": "", - "OriginalFileName": "", - "Description": "" - } - ], - "Privileges": "", - "Free": "14-Days Free Trial", - "Verification": "", - "SupportedOS": [ - "Android", - "IOS", - "Linux", - "Mac", - "Windows" - ], - "Capabilities": [ - "Command Line Support", - "File Transfer", - "Install Windows updates", - "Receive notification when user performs a predefined event", - "Remote Command Line", - "Remote Control", - "Sound Capture", - "Start / Stop services", - "View event logs" - ], - "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\Program Files (x86)\\ScreenConnect Client (Random)\\ScreenConnect.ClientService.exe", - "Remote Workforce Client.exe", - "*\\*\\ScreenConnect.ClientService.exe", - "C:\\Program Files (x86)\\ScreenConnect Client ()\\*", - "*\\ScreenConnect Client*\\*", - "*\\*\\ScreenConnect.WindowsClient.exe", - "screenconnect*.exe", - "screenconnect.windowsclient.exe", - "Remote Workforce Client.exe", - "screenconnect*.exe", - "ConnectWiseControl*.exe", - "connectwise*.exe", - "screenconnect.windowsclient.exe", - "screenconnect.clientservice.exe" - ] - }, - "Artifacts": { - "Disk": [ - { - "File": "C:\\Program Files*\\ScreenConnect\\App_Data\\Session.db", - "Description": "ScreenConnect session database", - "OS": 
"Windows" - }, - { - "File": "C:\\Program Files*\\ScreenConnect\\App_Data\\User.xml", - "Description": "ScreenConnect user configuration", - "OS": "Windows" - }, - { - "File": "C:\\ProgramData\\ScreenConnect Client*\\user.config", - "Description": "ScreenConnect client user configuration", - "OS": "Windows" - } - ], - "EventLog": [ - { - "EventID": 7045, - "ProviderName": [ - "ScreenConnect", - "ScreenConnect Client ()" - ], - "LogFile": "Application.evtx", - "ServiceName": "ScreenConnect Client ()", - "Description": "Service installation event as a result of ScreenConnect installation." - }, - { - "EventID": 20, - "ProviderName": [ - "ScreenConnect", - "ScreenConnect Client ()" - ], - "LogFile": "Application.evtx", - "ServiceName": "ScreenConnect Client ()", - "Description": "Logs events such as successful or failed connections, and user logins." - } - ], - "Registry": [], - "Network": [ + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [ { "Description": "Known remote domains", "Domains": [ - "control.connectwise.com", - "*.connectwise.com", - "*.screenconnect.com" - ], - "Ports": [] - } - ] - }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_network_sigma.yml", - "Description": "Detects potential network activity of ScreenConnect RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_files_sigma.yml", - "Description": "Detects potential files activity of ScreenConnect RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_processes_sigma.yml", - "Description": "Detects potential processes activity of ScreenConnect RMM tool" - } - ], - "References": [ - "https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours/", - "https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling" - ], - "Acknowledgement": [] - }, - { - 
"Name": "SmartFTP", - "Description": "SmartFTP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\Program Files (x86)\\SmartFTP Client\\en-US\\", - "*\\SmartFTP Client\\*", - "*\\SfShellTools.dll.mui" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [] + "*.litemanager.ru", + "*.litemanager.com", + "litemanager.com" + ], + "Ports": [] + } + ] }, - "Detections": [], - "References": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/litemanager_network_sigma.yml", + "Description": "Detects potential network activity of LiteManager RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/litemanager_processes_sigma.yml", + "Description": "Detects potential processes activity of LiteManager RMM tool" + } + ], + "References": [ + "https://www.litemanager.com/articles/LiteManager_remote_access_to_a_desktop_via_the_Internet_or_LAN/" + ], "Acknowledgement": [] }, { - "Name": "SpyAnywhere", - "Description": "SpyAnywhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Sophos-Remote Management System", + "Description": "Sophos-Remote Management System is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -2935,7 +2282,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "sysdiag.exe" + "clientmrinit.exe", + "mgntsvc.exe", + "routernt.exe" ] }, "Artifacts": { 
@@ -2946,8 +2295,10 @@ { "Description": "Known remote domains", "Domains": [ - "*.spytech-web.com", - "spyanywhere.com" + "*.sophos.com", + "*.sophosupd.com", + "*.sophosupd.net", + "community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system" ], "Ports": [] } @@ -2955,25 +2306,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/spyanywhere_network_sigma.yml", - "Description": "Detects potential network activity of SpyAnywhere RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sophos-remote_management_system_network_sigma.yml", + "Description": "Detects potential network activity of Sophos-Remote Management System RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/spyanywhere_processes_sigma.yml", - "Description": "Detects potential processes activity of SpyAnywhere RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sophos-remote_management_system_processes_sigma.yml", + "Description": "Detects potential processes activity of Sophos-Remote Management System RMM tool" } ], "References": [ - "https://www.spyanywhere.com/support.shtml" + "community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system" ], "Acknowledgement": [] }, { - "Name": "NinjaRMM", - "Description": "NinjaRMM is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ManageEngine", + "Description": "ManageEngine is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -2988,50 +2339,34 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ninjarmmagent.exe", - "NinjaRMMAgent.exe", - "NinjaRMMAgenPatcher.exe", - "ninjarmm-cli.exe" + "InstallShield Setup.exe", + "ManageEngine_Remote_Access_Plus.exe", + "*\\dcagentservice.exe", + "C:\\Program Files (x86)\\DesktopCentral_Agent\\bin\\*", + "*\\DesktopCentral_Agent\\bin\\*" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.ninjarmm.com", - "*.ninjaone.com", - "resources.ninjarmm.com", - "ninjaone.com" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ninjarmm_network_sigma.yml", - "Description": "Detects potential network activity of NinjaRMM RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ninjarmm_processes_sigma.yml", - "Description": "Detects potential processes activity of NinjaRMM RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manageengine_processes_sigma.yml", + "Description": "Detects potential processes activity of ManageEngine RMM tool" } ], - "References": [ - "https://www.ninjaone.com/faq/" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "CruzControl", - "Description": "CruzControl is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Splashtop Remote", + "Description": "Splashtop Remote is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -3045,23 +2380,51 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "strwinclt.exe", + "Splashtop_Streamer_Windows*.exe", + "SplashtopSOS.exe", + "sragent.exe", + "srmanager.exe", + "srserver.exe", + "srservice.exe" + ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "splashtop.com", + "*.api.splashtop.com", + "*.relay.splashtop.com", + "*.api.splashtop.eu" + ], + "Ports": [] + } + ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_remote_network_sigma.yml", + "Description": "Detects potential network activity of Splashtop Remote RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_remote_processes_sigma.yml", + "Description": "Detects potential processes activity of Splashtop Remote RMM tool" + } + ], "References": [ - "https://resources.doradosoftware.com/cruz-rmm" + "https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services" ], "Acknowledgement": [] }, { - "Name": "SimpleHelp", - "Description": "SimpleHelp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "rdp2tcp", + "Description": "rdp2tcp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -3079,11 +2442,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "simplehelpcustomer.exe", - "simpleservice.exe", - "simplegatewayservice.exe", - "remote access.exe", - "windowslauncher.exe" + "tdp2tcp.exe", + "rdp2tcp.py" ] }, "Artifacts": { 
@@ -3095,7 +2455,7 @@ "Description": "Known remote domains", "Domains": [ "user_managed", - "simple-help.com" + "github.com/V-E-O/rdp2tcp" ], "Ports": [] } @@ -3103,25 +2463,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/simplehelp_network_sigma.yml", - "Description": "Detects potential network activity of SimpleHelp RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdp2tcp_network_sigma.yml", + "Description": "Detects potential network activity of rdp2tcp RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/simplehelp_processes_sigma.yml", - "Description": "Detects potential processes activity of SimpleHelp RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdp2tcp_processes_sigma.yml", + "Description": "Detects potential processes activity of rdp2tcp RMM tool" } ], "References": [ - "https://simple-help.com/remote-support" + "github.com/V-E-O/rdp2tcp" ], "Acknowledgement": [] }, { - "Name": "EMCO Remote Console", - "Description": "EMCO Remote Console is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Jump Cloud", + "Description": "Jump Cloud is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/26/2024", "Details": { "Website": "", "PEMetadata": { @@ -3136,7 +2496,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "remoteconsole.exe" + "JumpCloud*.exe " ] }, "Artifacts": { @@ -3147,8 +2507,8 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "emcosoftware.com" + "*.api.jumpcloud.com", + "*.assist.jumpcloud.com" ], "Ports": [] } 
@@ -3156,20 +2516,18 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/emco_remote_console_network_sigma.yml", - "Description": "Detects potential network activity of EMCO Remote Console RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/emco_remote_console_processes_sigma.yml", - "Description": "Detects potential processes activity of EMCO Remote Console RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_cloud_network_sigma.yml", + "Description": "Detects potential network activity of Jump Cloud RMM tool" } ], - "References": [], + "References": [ + "https://jumpcloud.com/support/understand-remote-assist-agent" + ], "Acknowledgement": [] }, { - "Name": "ngrok", - "Description": "ngrok is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "RuDesktop", + "Description": "RuDesktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -3187,9 +2545,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ngrok.exe", - "C:\\*\\ngrok.zip", - "*\\ngrok*" + "rd.exe", + "rudesktop*.exe" ] }, "Artifacts": { @@ -3200,8 +2557,8 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "ngrok.com" + "*.rudesktop.ru", + "rudesktop.ru" ], "Ports": [] } 
@@ -3209,41 +2566,52 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ngrok_network_sigma.yml", - "Description": "Detects potential network activity of ngrok RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rudesktop_network_sigma.yml", + "Description": "Detects potential network activity of RuDesktop RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ngrok_processes_sigma.yml", - "Description": "Detects potential processes activity of ngrok RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rudesktop_processes_sigma.yml", + "Description": "Detects potential processes activity of RuDesktop RMM tool" } ], "References": [ - "https://ngrok.com/docs/guides/running-behind-firewalls/" + "https://rudesktop.ru" ], "Acknowledgement": [] }, { - "Name": "Apple Remote Desktop", - "Description": "Apple Remote Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/24/2024", + "Name": "LogMeIn", + "Description": "LogMeIn is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.\n", + "Author": "Nasreddine Bencherchali", + "Created": "2024-08-05", + "LastModified": "2024-08-05", "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, + "Website": "https://www.logmein.com/", + "PEMetadata": [ + { + "Filename": "lmiguardiansvc.exe" + }, + { + "Filename": "lmiignition.exe" + }, + { + "Filename": "logmeinsystray.exe" + }, + { + "Filename": "logmein.exe", + "OriginalFileName": "", + "Company": "LogMeIn, Inc.", + "Description": "LMIGuardianSvc", + "Product": "LMIGuardianSvc" + } + ], "Privileges": "", "Free": "", "Verification": "", "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "ARDAgent.app" - ] + "InstallationPaths": null }, "Artifacts": { "Disk": [], 
@@ -3251,31 +2619,82 @@ "Registry": [], "Network": [ { - "Description": "Known remote domains", + "Description": "N/A", + "Domains": [ + "logmein-gateway.com" + ], + "Ports": [ + 443 + ] + }, + { + "Description": "N/A", + "Domains": [ + "*.logmein.com" + ], + "Ports": [ + 443 + ] + }, + { + "Description": "N/A", + "Domains": [ + "*.logmein.eu" + ], + "Ports": [ + 443 + ] + }, + { + "Description": "N/A", "Domains": [ - "user_managed" + "logmeinrescue.com" ], - "Ports": [] + "Ports": [ + 443 + ] + }, + { + "Description": "N/A", + "Domains": [ + "*.logmeininc.com" + ], + "Ports": [ + 443 + ] } ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/apple_remote_desktop_network_sigma.yml", - "Description": "Detects potential network activity of Apple Remote Desktop RMM tool" + "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml", + "Description": "DNS Query To Remote Access Software Domain From Non-Browser App" + }, + { + "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_remote_access_tools_logmein.yml", + "Description": "Remote Access Tool - LogMeIn Execution" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_network_sigma.yml", + "Description": "Detects potential network activity of LogMeIn RMM tool" } ], "References": [ - "https://support.apple.com/guide/remote-desktop/install-and-set-up-remote-desktop-apdf49e03a4/mac" + "https://support.logmeininc.com/central/help/allowlisting-and-firewall-configuration" ], - "Acknowledgement": [] + "Acknowledgement": [ + { + "Person": "Nasreddine Bencherchali", + "Handle": "@nas_bench" + } + ] }, { - "Name": "Netviewer (GoToMeet)", - "Description": "Netviewer (GoToMeet) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Name": "SmartFTP", + "Description": "SmartFTP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -3290,8 +2709,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "nvClient.exe", - "netviewer.exe" + "C:\\Program Files (x86)\\SmartFTP Client\\en-US\\", + "*\\SmartFTP Client\\*", + "*\\SfShellTools.dll.mui" ] }, "Artifacts": { @@ -3300,20 +2720,13 @@ "Registry": [], "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer__gotomeet__processes_sigma.yml", - "Description": "Detects potential processes activity of Netviewer (GoToMeet) RMM tool" - } - ], - "References": [ - "Obsolute - found copy here: https://www.enviolet.com/en/service/online-consultant.html" - ], + "Detections": [], + "References": [], "Acknowledgement": [] }, { - "Name": "NoMachine", - "Description": "NoMachine is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "NetSupport Manager", + "Description": "NetSupport Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -3331,9 +2744,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "nomachine*.exe", - "nxservice*.ese", - "nxd.exe" + "pcictlui.exe", + "pcicfgui.exe", + "client32.exe" ] }, "Artifacts": { @@ -3344,8 +2757,8 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "nomachine.com" + "*.netsupportmanager.com", + "netsupportmanager.com" ], "Ports": [] } 
@@ -3353,22 +2766,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nomachine_network_sigma.yml", - "Description": "Detects potential network activity of NoMachine RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_network_sigma.yml", + "Description": "Detects potential network activity of NetSupport Manager RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nomachine_processes_sigma.yml", - "Description": "Detects potential processes activity of NoMachine RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_processes_sigma.yml", + "Description": "Detects potential processes activity of NetSupport Manager RMM tool" } ], "References": [ - "https://kb.nomachine.com/AR04S01122" + "https://www.netsupportmanager.com/resources/" ], "Acknowledgement": [] }, { - "Name": "MioNet (WD Anywhere Access)", - "Description": "MioNet (WD Anywhere Access) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Pocket Cloud (Wyse)", + "Description": "Pocket Cloud (Wyse) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -3386,8 +2799,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "mionet.exe", - "mionetmanager.exe" + "pocketcloud*.exe", + "pocketcloudservice.exe" ] }, "Artifacts": { 
@@ -3398,21 +2811,21 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mionet__wd_anywhere_access__processes_sigma.yml", - "Description": "Detects potential processes activity of MioNet (WD Anywhere Access) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_cloud__wyse__processes_sigma.yml", + "Description": "Detects potential processes activity of Pocket Cloud (Wyse) RMM tool" } ], "References": [ - "https://en.wikipedia.org/wiki/WD_Anywhere_Access - DOA as of 2016" + "https://wyse-pocketcloud.informer.com/2.1/" ], "Acknowledgement": [] }, { - "Name": "Splashtop", - "Description": "Splashtop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "Nasreddine Bencherchali", + "Name": "Guacamole", + "Description": "Guacamole is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -3427,319 +2840,241 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\Splashtop\\*", - "*\\Splashtop\\Splashtop Remote\\Client for RMM\\*", - "strwinclt.exe" + "guacd.exe" ] }, "Artifacts": { - "Disk": [ - { - "File": "C:\\windows\\System32\\winevt\\Logs\\Splashtop-Splashtop Streamer-Status%4Operational.evtx", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\windows\\System32\\winevt\\Logs\\Splashtop-Splashtop Streamer-Remote Session%4Operational.evtx", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "%PROGRAMDATA%\\Splashtop\\Temp\\log\\FTCLog.txt", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\agent_log.txt", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\SPLog.txt", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\svcinfo.txt", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\sysinfo.txt", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRService.exe", - "Description": "Splashtop Remote Service", - "OS": "Windows" - }, - { - "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRAgent.exe", - "Description": "SplashTop Remote Agent", - "OS": "Windows" - }, - { - "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Software Updater\\SSUAgent.exe", - "Description": "Splashtop Updater", - "OS": "Windows" - }, - { - "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRUtility.exe", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRFeature.exe", - "Description": "N/A", - "OS": 
"Windows" - }, - { - "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\db\\SRAgent.sqlite3", - "Description": "N/A", - "OS": "Windows" - } - ], - "EventLog": [ - { - "EventID": 7045, - "ProviderName": "Service Control Manager", - "LogFile": "System.evtx", - "ServiceName": "Splashtop Software Updater Service", - "ImagePath": "\"C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Software Updater\\\\SSUService.exe\"", - "Description": "Service installation event as result of Splashtop Software Updater Service installation." - }, - { - "EventID": 7045, - "ProviderName": "Service Control Manager", - "LogFile": "System.evtx", - "ServiceName": "Splashtop® Remote Service", - "ImagePath": "\"C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Remote\\\\Server\\\\SRService.exe\"", - "Description": "Service installation event as result of Splashtop Remote Service installation." - }, - { - "EventID": 7045, - "ProviderName": "Service Control Manager", - "LogFile": "System.evtx", - "ServiceName": "SplashtopRemoteService", - "ImagePath": "\"C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Remote\\\\Server\\\\SRService.exe\"", - "Description": "Service installation event as result of Splashtop Remote Service installation." - } - ], - "Registry": [ - { - "Path": "KLM\\SOFTWARE\\WOW6432Node\\Splashtop Inc.\\*", - "Description": "Splashtop Inc. 
registry key" - }, - { - "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Splashtop Software Updater", - "Description": "Splashtop Software Updater uninstall key" - }, - { - "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SplashtopRemoteService", - "Description": "Splashtop Remote Service registry key" - }, - { - "Path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Splashtop-Splashtop Streamer-Remote Session/Operational", - "Description": "Splashtop Streamer Remote Session event log channel" - }, - { - "Path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Splashtop-Splashtop Streamer-Status/Operational", - "Description": "Splashtop Streamer Status event log channel" - }, - { - "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Splashtop Software Updater\\InstallRefCount", - "Description": "Splashtop Software Updater install reference count" - }, - { - "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\SplashtopRemoteService", - "Description": "Splashtop Remote Service safe boot configuration" - }, - { - "Path": "HKU\\.DEFAULT\\Software\\Splashtop Inc.\\*", - "Description": "Default user Splashtop Inc. registry key" - }, - { - "Path": "HKU\\SID\\Software\\Splashtop Inc.\\*", - "Description": "User-specific Splashtop Inc. 
registry key" - }, - { - "Path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\Splashtop PDF Remote Printer", - "Description": "Splashtop PDF Remote Printer configuration" - }, - { - "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Splashtop Inc.\\Splashtop Remote Server\\ClientInfo\\*", - "Description": "Splashtop Remote Server client information" - } - ], + "Disk": [], + "EventLog": [], + "Registry": [], "Network": [ { - "Description": "N/A", + "Description": "Known remote domains", "Domains": [ - "*.splashtop.com" + "user_managed", + "guacamole.apache.org" ], - "Ports": [ - "N/A" - ] + "Ports": [] } ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_registry_sigma.yml", - "Description": "Detects potential registry activity of Splashtop RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_network_sigma.yml", - "Description": "Detects potential network activity of Splashtop RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_files_sigma.yml", - "Description": "Detects potential files activity of Splashtop RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/guacamole_network_sigma.yml", + "Description": "Detects potential network activity of Guacamole RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_processes_sigma.yml", - "Description": "Detects potential processes activity of Splashtop RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/guacamole_processes_sigma.yml", + "Description": "Detects potential processes activity of Guacamole RMM tool" } ], "References": [ - "https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html" + "guacamole.apache.org" ], - "Acknowledgement": [ - { - "Person": 
"Théo Letailleur", - "Handle": "in/theosyn" - } - ] + "Acknowledgement": [] }, { - "Name": "RAdmin", - "Description": "RAdmin is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.\n", - "Author": "Nasreddine Bencherchali", - "Created": "2024-08-05", - "LastModified": "2024-08-05", + "Name": "LANDesk", + "Description": "LANDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/8/2024", "Details": { - "Website": "https://www.radmin.com/", - "PEMetadata": [ - { - "Filename": "RServer3.exe", - "OriginalFileName": "RServer3.exe", - "InternalName": "RServer3", - "Description": "Radmin Server", - "Product": "Radmin Server", - "Comments": "Radmin - Remote Control Server" - }, - { - "Filename": "Radmin.exe", - "OriginalFileName": "Radmin.exe", - "InternalName": "Radmin", - "Description": "Radmin Viewer", - "Product": "Radmin Viewer", - "Comments": "Radmin Viewer" - } - ], + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, "Privileges": "", "Free": "", "Verification": "", - "SupportedOS": [ - "Windows" - ], + "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\Radmin Viewer 3\\Radmin.exe", - "C:\\Windows\\SysWOW64\\rserver30\\rserver3.exe", - "C:\\Windows\\SysWOW64\\rserver30\\FamItrfc", - "C:\\Windows\\SysWOW64\\rserver30\\FamItrf2" + "issuser.exe", + "landeskagentbootstrap.exe", + "LANDeskPortalManager.exe", + "ldinv32.exe", + "ldsensors.exe", + "C:\\Program Files (x86)\\LANDesk\\*", + "*\\LANDesk\\*", + "*\\issuser.exe", + "*\\softmon.exe", + "*\\tmcsvc.exe" ] }, "Artifacts": { - "Disk": [ - { - "File": "C:\\Windows\\SysWOW64\\rserver30\\Radm_log.htm", - "Description": "RAdmin log file (32-bit)", - "OS": "Windows" - }, - { - "File": "C:\\Windows\\System32\\rserver30\\Radm_log.htm", - "Description": 
"RAdmin log file (64-bit)", - "OS": "Windows" - }, - { - "File": "C:\\Windows\\System32\\rserver30\\CHATLOGS\\*\\*.htm", - "Description": "RAdmin chat logs", - "OS": "Windows" - }, - { - "File": "C:\\Users\\*\\Documents\\ChatLogs\\*\\*.htm", - "Description": "RAdmin user chat logs", - "OS": "Windows" - } - ], + "Disk": [], "EventLog": [], - "Registry": [ - { - "Path": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Radmin\\v3.0\\Server\\Parameters\\Radmin Security", - "Description": "N/A" - } - ], + "Registry": [], "Network": [ { - "Description": "N/A", + "Description": "Known remote domains", "Domains": [ - "radmin.com" + "*.ivanticloud.com", + "*.ivanti.com", + "ivanti.com" ], - "Ports": [ - 443 - ] + "Ports": [] } ] }, "Detections": [ { - "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_pua_radmin.yml", - "Description": "PUA - Radmin Viewer Utility Execution" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/landesk_network_sigma.yml", + "Description": "Detects potential network activity of LANDesk RMM tool" }, { - "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml", - "Description": "Enumeration for 3rd Party Creds From CLI" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/landesk_processes_sigma.yml", + "Description": "Detects potential processes activity of LANDesk RMM tool" + } + ], + "References": [ + "https://forums.ivanti.com/s/article/URL-exception-list-for-Ivanti-Security-Controls?language=en_US" + ], + "Acknowledgement": [] + }, + { + "Name": "pcAnywhere", + "Description": "pcAnywhere is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/9/2024", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "awhost32.exe", + "awrem32.exe", + "pcaquickconnect.exe", + "winaw32.exe" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "user_managed" + ], + "Ports": [] + } + ] + }, + "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_registry_sigma.yml", - "Description": "Detects potential registry activity of RAdmin RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcanywhere_network_sigma.yml", + "Description": "Detects potential network activity of pcAnywhere RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_network_sigma.yml", - "Description": "Detects potential network activity of RAdmin RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcanywhere_processes_sigma.yml", + "Description": "Detects potential processes activity of pcAnywhere RMM tool" + } + ], + "References": [ + "https://en.wikipedia.org/wiki/PcAnywhere" + ], + "Acknowledgement": [] + }, + { + "Name": "mstsc", + "Description": "mstsc is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "C:\\Windows\\System32\\mstsc.exe", + "*Windows\\System32\\mstsc.exe" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_files_sigma.yml", - "Description": "Detects potential files activity of RAdmin RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mstsc_processes_sigma.yml", + "Description": "Detects potential processes activity of mstsc RMM tool" + } + ], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "FreeNX", + "Description": "FreeNX is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "C:\\*\\nxplayer.exe", + "*\\nxplayer.exe" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_processes_sigma.yml", - "Description": "Detects potential processes activity of RAdmin RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/freenx_processes_sigma.yml", + "Description": "Detects potential processes activity of FreeNX RMM tool" } ], - "References": [ - "https://radmin-club.com/radmin/how-to-establish-a-connection-outside-of-lan/", - "https://helpdesk.radmin.com/radmin3help/", - "https://helpdesk.radmin.com/radmin3help/files/viewercmd.htm", - "https://helpdesk.radmin.com/radmin3help/files/cmd.htm" - ], - "Acknowledgement": [ - { - "Person": "Nasreddine Bencherchali", - "Handle": "@nas_bench" - } - ] + "References": [], + "Acknowledgement": [] }, { - "Name": "LANDesk", - "Description": "LANDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "PSEXEC (Clone)", + "Description": "PSEXEC (Clone) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -3754,16 +3089,13 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "issuser.exe", - "landeskagentbootstrap.exe", - "LANDeskPortalManager.exe", - "ldinv32.exe", - "ldsensors.exe", - "C:\\Program Files (x86)\\LANDesk\\*", - "*\\LANDesk\\*", - "*\\issuser.exe", - "*\\softmon.exe", - "*\\tmcsvc.exe" + "paexec.exe", + "PAExec-*.exe", + "csexec.exe ", + "remcom.exe", + "remcomsvc.exe", + "xcmd.exe", + "xcmdsvc.exe" ] }, "Artifacts": { @@ -3774,9 +3106,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.ivanticloud.com", - "*.ivanti.com", - "ivanti.com" + "user_managed" ], "Ports": [] } 
@@ -3784,25 +3114,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/landesk_network_sigma.yml", - "Description": "Detects potential network activity of LANDesk RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec__clone__network_sigma.yml", + "Description": "Detects potential network activity of PSEXEC (Clone) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/landesk_processes_sigma.yml", - "Description": "Detects potential processes activity of LANDesk RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec__clone__processes_sigma.yml", + "Description": "Detects potential processes activity of PSEXEC (Clone) RMM tool" } ], "References": [ - "https://forums.ivanti.com/s/article/URL-exception-list-for-Ivanti-Security-Controls?language=en_US" + "https://www.poweradmin.com/paexec/" ], "Acknowledgement": [] }, { - "Name": "SuperOps", - "Description": "SuperOps is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "SpyAnywhere", + "Description": "SpyAnywhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -3817,8 +3147,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "superopsticket.exe", - "superops.exe" + "sysdiag.exe" ] }, "Artifacts": { @@ -3829,11 +3158,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.superopsbeta.com", - "superops.ai", - "serv.superopsalpha.com", - "*.superops.ai", - "*.superopsalpha.com" + "*.spytech-web.com", + "spyanywhere.com" ], "Ports": [] } 
@@ -3841,22 +3167,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superops_network_sigma.yml", - "Description": "Detects potential network activity of SuperOps RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/spyanywhere_network_sigma.yml", + "Description": "Detects potential network activity of SpyAnywhere RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superops_processes_sigma.yml", - "Description": "Detects potential processes activity of SuperOps RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/spyanywhere_processes_sigma.yml", + "Description": "Detects potential processes activity of SpyAnywhere RMM tool" } ], "References": [ - "https://support.superops.com/en/articles/6632028-how-to-download-and-deploy-the-agent" + "https://www.spyanywhere.com/support.shtml" ], "Acknowledgement": [] }, { - "Name": "Lite Manager", - "Description": "Lite Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "MultCloud", + "Description": "MultCloud is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -3874,9 +3200,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files\\LiteManager Pro – Viewer\\*", - "*\\LiteManager Pro – Viewer\\*", - "*\\LMNoIpServer.exe." + "requires sign up", + "requires sign up" ] }, "Artifacts": { 
@@ -3890,11 +3215,11 @@ "Acknowledgement": [] }, { - "Name": "Supremo", - "Description": "Supremo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Visual Studio Dev Tunnel", + "Description": "Visual Studio Dev Tunnel is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/13/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -3908,12 +3233,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "supremo.exe", - "supremoservice.exe", - "supremosystem.exe", - "supremohelper.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], @@ -3923,9 +3243,9 @@ { "Description": "Known remote domains", "Domains": [ - "supremocontrol.com", - "*.supremocontrol.com", - "* .nanosystems.it" + "global.rel.tunnels.api.visualstudio.com", + "*.rel.tunnels.api.visualstudio.com", + "*.devtunnels.ms" ], "Ports": [] } 
@@ -3933,22 +3253,18 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/supremo_network_sigma.yml", - "Description": "Detects potential network activity of Supremo RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/supremo_processes_sigma.yml", - "Description": "Detects potential processes activity of Supremo RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/visual_studio_dev_tunnel_network_sigma.yml", + "Description": "Detects potential network activity of Visual Studio Dev Tunnel RMM tool" } ], "References": [ - "https://www.supremocontrol.com/frequently-asked-questions/" + "https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security" ], "Acknowledgement": [] }, { - "Name": "Chicken (of the VNC)", - "Description": "Chicken (of the VNC) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Xpra", + "Description": "Xpra is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -3965,7 +3281,12 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "C:\\Program Files (x86)\\Xpra\\*", + "*\\Xpra\\*", + "*\\Xpra-Launcher.exe", + "*\\Xpra-x86_64_Setup.exe" + ] }, "Artifacts": { "Disk": [], 
@@ -3973,18 +3294,21 @@ "Registry": [], "Network": [] }, - "Detections": [], - "References": [ - "https://github.com/flit/cotvnc" + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xpra_processes_sigma.yml", + "Description": "Detects potential processes activity of Xpra RMM tool" + } ], + "References": [], "Acknowledgement": [] }, { - "Name": "KHelpDesk", - "Description": "KHelpDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Royal Apps", + "Description": "Royal Apps is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/26/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -3999,7 +3323,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "KHelpDesk.exe" + "royalserver.exe", + "royalts.exe" ] }, "Artifacts": { @@ -4010,7 +3335,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.khelpdesk.com.br" + "user_managed" ], "Ports": [] } 
@@ -4018,25 +3343,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/khelpdesk_network_sigma.yml", - "Description": "Detects potential network activity of KHelpDesk RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_apps_network_sigma.yml", + "Description": "Detects potential network activity of Royal Apps RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/khelpdesk_processes_sigma.yml", - "Description": "Detects potential processes activity of KHelpDesk RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_apps_processes_sigma.yml", + "Description": "Detects potential processes activity of Royal Apps RMM tool" } ], "References": [ - "https://www.khelpdesk.com.br/en-us" + "https://www.royalapps.com/ts/win/download" ], "Acknowledgement": [] }, { - "Name": "TurboMeeting", - "Description": "TurboMeeting is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "eHorus", + "Description": "eHorus is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -4051,9 +3376,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "pcstarter.exe", - "turbomeeting.exe", - "turbomeetingstarter.exe" + "ehorus standalone.exe" ] }, "Artifacts": { @@ -4064,8 +3387,7 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "acceo.com/turbomeeting/" + "ehorus.com" ], "Ports": [] } 
@@ -4073,25 +3395,64 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/turbomeeting_network_sigma.yml", - "Description": "Detects potential network activity of TurboMeeting RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ehorus_network_sigma.yml", + "Description": "Detects potential network activity of eHorus RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/turbomeeting_processes_sigma.yml", - "Description": "Detects potential processes activity of TurboMeeting RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ehorus_processes_sigma.yml", + "Description": "Detects potential processes activity of eHorus RMM tool" } ], - "References": [ - "http://sourcing.rhubcom.com/v5/faqs.html#collapsetwentysix2-topdiv" + "References": [], + "Acknowledgement": [] + }, + { + "Name": "SuperPuTTY", + "Description": "SuperPuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "C:\\Downloads\\SuperPuTTY\\*", + "*Downloads\\SuperPuTTY\\*", + "*\\superputty.exe", + "*\\SuperPuTTY\\*" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superputty_processes_sigma.yml", + "Description": "Detects potential processes activity of SuperPuTTY RMM tool" + } ], + "References": [], "Acknowledgement": [] }, { - "Name": "RPort", - "Description": "RPort is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Name": "ZeroTier", + "Description": "ZeroTier is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { @@ -4106,7 +3467,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "rport.exe" + "zerotier*.msi", + "zerotier*.exe", + "zero-powershell.exe" ] }, "Artifacts": { @@ -4117,8 +3480,8 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "rport.io" + "zerotier.com", + "*.zerotier.com" ], "Ports": [] } 
@@ -4126,22 +3489,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rport_network_sigma.yml", - "Description": "Detects potential network activity of RPort RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zerotier_network_sigma.yml", + "Description": "Detects potential network activity of ZeroTier RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rport_processes_sigma.yml", - "Description": "Detects potential processes activity of RPort RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zerotier_processes_sigma.yml", + "Description": "Detects potential processes activity of ZeroTier RMM tool" } ], "References": [ - "https://kb.rport.io/using-the-remote-access" + "https://my.zerotier.com/" ], "Acknowledgement": [] }, { - "Name": "MioNet (Also known as WD Anywhere Access)", - "Description": "MioNet (Also known as WD Anywhere Access) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Devolutions Remote Desktop Manager", + "Description": "Devolutions Remote Desktop Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -4158,10 +3521,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "mionet.exe", - "mionetmanager.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], 
@@ -4169,21 +3529,16 @@ "Registry": [], "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mionet__also_known_as_wd_anywhere_access__processes_sigma.yml", - "Description": "Detects potential processes activity of MioNet (Also known as WD Anywhere Access) RMM tool" - } - ], + "Detections": [], "References": [], "Acknowledgement": [] }, { - "Name": "OCS inventory", - "Description": "OCS inventory is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "BeAnyWhere", + "Description": "BeAnyWhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -4198,8 +3553,14 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ocsinventory.exe", - "ocsservice.exe" + "basuptshelper.exe", + "basupsrvcupdate.exe", + "BASupApp.exe", + "BASupSysInf.exe", + "BASupAppSrvc.exe", + "TakeControl.exe", + "BASupAppElev.exe", + "basupsrvc.exe" ] }, "Artifacts": { @@ -4210,8 +3571,8 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "ocsinventory-ng.org" + "beanywhere.en.uptodown.com/windows", + "beanywhere.com" ], "Ports": [] } 
@@ -4219,25 +3580,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ocs_inventory_network_sigma.yml", - "Description": "Detects potential network activity of OCS inventory RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beanywhere_network_sigma.yml", + "Description": "Detects potential network activity of BeAnyWhere RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ocs_inventory_processes_sigma.yml", - "Description": "Detects potential processes activity of OCS inventory RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beanywhere_processes_sigma.yml", + "Description": "Detects potential processes activity of BeAnyWhere RMM tool" } ], "References": [ - "https://ocsinventory-ng.org/?page_id=878&lang=en" + "https://www.shouldiremoveit.com/beanywhere-support-service-40908-program.aspx" ], "Acknowledgement": [] }, { - "Name": "RemotePass", - "Description": "RemotePass is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "WebEx (Remote Access)", + "Description": "WebEx (Remote Access) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -4251,193 +3612,310 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "remotepass-access.exe", - "rpaccess.exe", - "rpwhostscr.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], + "Network": [] + }, + "Detections": [], + "References": [ + "https://help.webex.com/en-us/article/nyc3q0b/Set-Up-a-Computer-for-Remote-Access" + ], + "Acknowledgement": [] + }, + { + "Name": "AnyDesk", + "Category": "RMM", + "Description": "AnyDesk is a popular remote desktop software that enables users to access and control a computer or device from a remote location. It was developed with the primary goal of facilitating remote work, technical support, and collaboration between individuals and teams.\n", + "Author": "Ali Alwashali, Nasreddine Bencherchali", + "Created": "2023-09-29", + "LastModified": "2024-10-06", + "Details": { + "Website": "https://anydesk.com/en", + "PEMetadata": [ + { + "Filename": "anydesk.exe", + "OriginalFileName": "AnyDesk.exe", + "Description": "AnyDesk", + "Product": "AnyDesk" + } + ], + "Privileges": "User", + "Free": true, + "Verification": false, + "SupportedOS": [ + "Android", + "ChromeOS", + "IOS", + "Linux", + "Mac", + "Windows" + ], + "Capabilities": [ + "File Transfer", + "File System Access", + "Remote Control", + "GUI Support", + "Command line Support" + ], + "Vulnerabilities": [ + "https://www.cvedetails.com/vulnerability-list/vendor_id-16953/product_id-40173/Anydesk-Anydesk.html" + ], + "InstallationPaths": [ + "C:\\Program Files (x86)\\AnyDesk\\*", + "C:\\Program Files\\AnyDesk\\*" + ] + }, + "Artifacts": { + "Disk": [ + { + "File": "%programdata%\\AnyDesk\\ad_svc.trace", + "Description": "AnyDesk service log file. 
As well as ad.trace, we can determine the IP address of the other participant and its AnyDesk ID when a connection is established.", + "OS": "Windows", + "Example": [ + "info 2022-08-23 10:20:11.969 gsvc 4628 3528 3 anynet.relay_conn - External address: 34.xx.xx.123:46798" + ] + }, + { + "File": "%programdata%\\AnyDesk\\connection_trace.txt", + "Description": "Incoming connection logs, contains IP Address of the remote machine and file transfer activity. Only generated on target side. The content indicates how the connection was approved (e.g. the local user authorized it, or a password was used)", + "OS": "Windows", + "Example": [ + "Incoming 2022-08-23, 10:23 Passwd 547911884 547911884", + "Incoming 2022-09-28, 12:39 User 442226597 442226597" + ] + }, + { + "File": "%APPDATA%\\AnyDesk\\connection_trace.txt", + "Description": "Incoming connection logs, contains IP Address of the remote machine and file transfer activity. Only generated on target side. The content indicates how the connection was approved (e.g. the local user authorized it, or a password was used)", + "OS": "Windows", + "Example": [ + "Incoming 2022-08-23, 10:23 Passwd 547911884 547911884", + "Incoming 2022-09-28, 12:39 User 442226597 442226597" + ] + }, + { + "File": "%APPDATA%\\AnyDesk\\ad.trace", + "Description": "AnyDesk user interface log file. In this log file, we can determine the IP address of the other participant and its AnyDesk ID. It is also possible to track events of file transfer. Below is the Client ID and external IP address of the remote participant.", + "OS": "Windows", + "Example": [ + "info 2022-09-28 12:39:26.845 lsvc 9952 9944 21 anynet.any_socket - Client-ID: 442226597 (FPR: 8e28a2a25b30).", + "info 2022-09-28 12:39:26.845 lsvc 9952 9944 21 anynet.any_socket - Logged in from 12.xx.xx.21:59562 on relay 80e496c0." 
+ ] + }, + { + "File": "%APPDATA%\\AnyDesk\\chat\\*.txt", + "Description": "If the chat functionality is used, its entries will be printed in a text file in this folder.", + "OS": "Windows" + }, + { + "File": "%APPDATA%\\AnyDesk\\user.conf", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "%PROGRAMDATA%\\AnyDesk\\service.conf", + "Description": "Password can be set to auto-validate the session. The password will be saved in a salted hash format.", + "OS": "Windows" + }, + { + "File": "%APPDATA%\\AnyDesk\\service.conf", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "%APPDATA%\\AnyDesk\\system.conf", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "%PROGRAMDATA%\\AnyDesk\\system.conf", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\AnyDesk.lnk", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\AnyDesk\\Uninstall AnyDesk.lnk", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "C:\\Users\\*\\Videos\\AnyDesk\\*.anydesk", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "C:\\Windows\\SysWOW64\\config\\systemprofile\\AppData\\Roaming\\AnyDesk\\*", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "~/Library/Application Support/AnyDesk/Logs/", + "Description": "N/A", + "OS": "Mac" + }, + { + "File": "~/.config/AnyDesk/Logs/", + "Description": "N/A", + "OS": "Linux" + } + ], + "EventLog": [ + { + "EventID": 7045, + "ProviderName": "Service Control Manager", + "LogFile": "System.evtx", + "ServiceName": "AnyDesk Service", + "ImagePath": "\"C:\\\\Program Files (x86)\\\\AnyDesk\\\\AnyDesk.exe\" --service", + "Description": "Service installation event as result of AnyDesk installation." 
+ }, + { + "EventID": 4697, + "ProviderName": "Microsoft-Security-Auditing", + "LogFile": "Security.evtx", + "ServiceName": "AnyDesk Service", + "ImagePath": "\"C:\\\\Program Files (x86)\\\\AnyDesk\\\\AnyDesk.exe\" --service", + "Description": "Service installation event as result of AnyDesk installation." + } + ], + "Registry": [ + { + "Path": "HKLM\\SOFTWARE\\Clients\\Media\\AnyDesk", + "Description": "N/A" + }, + { + "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\AnyDesk", + "Description": "N/A" + }, + { + "Path": "HKLM\\SOFTWARE\\Classes\\.anydesk\\shell\\open\\command", + "Description": "N/A" + }, + { + "Path": "HKLM\\SOFTWARE\\Classes\\AnyDesk\\shell\\open\\command", + "Description": "N/A" + }, + { + "Path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\AnyDesk Printer\\*", + "Description": "N/A" + }, + { + "Path": "HKLM\\DRIVERS\\DriverDatabase\\DeviceIds\\USBPRINT\\AnyDesk", + "Description": "N/A" + }, + { + "Path": "HKLM\\DRIVERS\\DriverDatabase\\DeviceIds\\WSDPRINT\\AnyDesk", + "Description": "N/A" + }, + { + "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\AnyDesk", + "Description": "N/A" + } + ], "Network": [ { - "Description": "Known remote domains", + "Description": "During setup the boot.net.anydesk.com domain is request over port 443", "Domains": [ - "remotepass.com" + "boot.net.anydesk.com" ], - "Ports": [] + "Ports": [ + 443 + ] + }, + { + "Description": "N/A", + "Domains": [ + "relay-[a-f0-9]{8}.net.anydesk.com:443" + ], + "Ports": [ + 443 + ] + }, + { + "Description": "N/A", + "Domains": [ + "*.anydesk.com" + ], + "Ports": [ + 443 + ] + } + ], + "Other": [ + { + "Type": "User-Agent", + "Value": "AnyDesk/*" + }, + { + "Type": "NamedPipe", + "Value": "adprinterpipe" } ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepass_network_sigma.yml", - "Description": "Detects potential network activity of RemotePass RMM tool" + 
"Sigma": "https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/builtin/system/service_control_manager/win_system_service_install_anydesk.yml", + "Description": "Anydesk Remote Access Software Service Installation" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepass_processes_sigma.yml", - "Description": "Detects potential processes activity of RemotePass RMM tool" - } - ], - "References": [ - "https://www.remotepass.com/rpaccess.html - DOA as of 2024" - ], - "Acknowledgement": [] - }, - { - "Name": "GoToAssist (GoTo Resolve)", - "Description": "GoToAssist (GoTo Resolve) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" + "Sigma": "https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml", + "Description": "N/A" }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\ProgramFiles*\\GoTo Machine Installer\\*", - "*\\GoTo Machine Installer\\*", - "*\\GoTo\\*" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [] - }, - "Detections": [], - "References": [], - "Acknowledgement": [] - }, - { - "Name": "Comodo RMM", - "Description": "Comodo RMM is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/7/2024", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" + { + "Sigma": "https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk.yml", + "Description": "N/A" }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "itsmagent.exe", - "rviewer.exe" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.itsm-us1.comodo.com", - "*mdmsupport.comodo.com", - "one.comodo.com" - ], - "Ports": [] - } - ] - }, - "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/comodo_rmm_network_sigma.yml", - "Description": "Detects potential network activity of Comodo RMM RMM tool" + "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml", + "Description": "Remote Access Tool - AnyDesk Silent Installation" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/comodo_rmm_processes_sigma.yml", - "Description": "Detects potential processes activity of Comodo RMM RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_registry_sigma.yml", + "Description": "Detects potential registry activity of AnyDesk RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_network_sigma.yml", + "Description": "Detects potential network activity of AnyDesk RMM tool" + }, + { + "Sigma": 
"https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anydesk_files_sigma.yml", + "Description": "Detects potential files activity of AnyDesk RMM tool" } ], "References": [ - "https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html" + "https://support.anydesk.com/knowledge/firewall", + "https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html", + "https://github.com/mthcht/awesome-lists/tree/79ced75eebe53bcabf1235b3c17eb11788875482/Lists/RMM/anydesk", + "https://ruler-project.github.io/ruler-project/RULER/remote/AnyDesk/" ], - "Acknowledgement": [] - }, - { - "Name": "ShowMyPC", - "Description": "ShowMyPC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/9/2024", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" + "Acknowledgement": [ + { + "Person": "Théo Letailleur", + "Handle": "in/theosyn" }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "SMPCSetup.exe", - "showmypc*.exe", - "showmypc.exe", - "smpcsetup.exe" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.showmypc.com", - "showmypc.com" - ], - "Ports": [] - } - ] - }, - "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/showmypc_network_sigma.yml", - "Description": "Detects potential network activity of ShowMyPC RMM tool" + "Person": "Ali Alwashali", + "Handle": "@ali_alwashali" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/showmypc_processes_sigma.yml", - "Description": "Detects 
potential processes activity of ShowMyPC RMM tool" + "Person": "Nasreddine Bencherchali", + "Handle": "@nas_bench" } - ], - "References": [ - "https://showmypc.com/service/faq/ShowMyPCSecurityOverview1.pdf" - ], - "Acknowledgement": [] + ] }, { - "Name": "ToDesk", - "Description": "ToDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Free Ping Tool", + "Description": "Free Ping Tool is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -4452,46 +3930,23 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "todesk.exe", - "ToDesk_Service.exe", - "ToDesk_Setup.exe" + "can't find this one", + "can't find this one" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "todesk.com", - "*.todesk.com", - "*.todesk.com", - "todesktop.com" - ], - "Ports": [] - } - ] + "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/todesk_network_sigma.yml", - "Description": "Detects potential network activity of ToDesk RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/todesk_processes_sigma.yml", - "Description": "Detects potential processes activity of ToDesk RMM tool" - } - ], - "References": [ - "https://www.todesk.com/" - ], + "Detections": [], + "References": [], "Acknowledgement": [] }, { - "Name": "RunSmart", - "Description": "RunSmart is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "S3 Browser", + "Description": "S3 Browser is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -4508,34 +3963,30 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "C:\\Program Files (x86)\\S3 Browser\\*", + "*\\S3 Browser\\*", + "*\\s3browser*.exe" + ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "runsmart.io" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/runsmart_network_sigma.yml", - "Description": "Detects potential network activity of RunSmart RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/s3_browser_processes_sigma.yml", + "Description": "Detects potential processes activity of S3 Browser RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "VNC Connect", - "Description": "VNC Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "NinjaOne (formerly NinjaRMM)", + "Description": "NinjaOne (formerly NinjaRMM) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -4553,8 +4004,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files\\RealVNC\\VNC Server\\*", - "*\\RealVNC\\VNC Server\\*" + "*ProgramData\\NinjaRMMAgent\\*" ] }, "Artifacts": { 
@@ -4568,11 +4018,11 @@ "Acknowledgement": [] }, { - "Name": "Echoware", - "Description": "Echoware is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Adobe Connect", + "Description": "Adobe Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/27/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -4587,167 +4037,47 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "echoserver*.exe", - "echoware.dll" + "ConnectAppSetup*.exe", + "ConnectShellSetup*.exe", + "Connect.exe", + "ConnectDetector.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] - }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/echoware_processes_sigma.yml", - "Description": "Detects potential processes activity of Echoware RMM tool" - } - ], - "References": [], - "Acknowledgement": [] - }, - { - "Name": "Alpemix", - "Description": "Alpemix is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.\n", - "Author": "Nasreddine Bencherchali", - "Created": "2024-08-05", - "LastModified": "2024-08-05", - "Details": { - "Website": "https://www.alpemix.com/en/Home", - "PEMetadata": [ - { - "Filename": "Alpemix.exe", - "OriginalFileName": "Alpemix", - "Description": "Alpemix", - "Product": "Alpemix", - "InternalName": "Alpemix" - } - ], - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [ - "Windows", - "Linux", - "Android", - "Mac", - "IOS" - ], - "Capabilities": [ - "5 Different Solutions for Remote Support", - "Access to Unattended Computers", - "Access to User Account Control (UAC) Screens", - "Add Your Own Logo", - "Auto Sizing", - "Automatic Update", - "Clipboard Transfer", - "Computer Independent Licensing", - "Contact List and Groups", - "Encrypted Communication", - "External Communication Barrier", - "File Transfer", - "Instant Messaging", - "Multi-Platform Support", - "Multiple Chat", - "Multiple Connections", - "No Port Forwarding Required", - "Peer to Peer Connection (p2p)", - "Receiving Offline Message", - "Remote Restart", - "ReportingRestricting The Authority", - "Screen Sharing", - "Sending Announcement Message", - "Sharing a certain part of the screen", - "Video Recording", - "Voice Communication", - "Who is 
currently supporting?", - "Working in Black Screen Mode" - ], - "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\AlpemixService.exe", - "C:\\AlpemixSrvc\\" - ] - }, - "Artifacts": { - "Disk": [ - { - "File": "%localappdata%\\Alpemix\\Alpemix.ini", - "Description": "N/A", - "OS": "Windows" - } - ], - "EventLog": [ - { - "EventID": 7045, - "ProviderName": "Service Control Manager", - "LogFile": "System.evtx", - "ServiceName": "AlpemixSrvc", - "ImagePath": "*\\Alpemix.exe servicestartxxx", - "Description": "Service installation event as result of Alpemix installation." - } - ], - "Registry": [ - { - "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\AlpemixSrvcx", - "Description": "N/A" - } - ], "Network": [ { + "Description": "Known remote domains", "Domains": [ - "*.alpemix.com" - ], - "Ports": [ - 443 - ], - "Description": "N/A" - }, - { - "Domains": [ - "*.teknopars.com" - ], - "Ports": [ - 80 + "*.adobeconnect.com" ], - "Description": "N/A" + "Ports": [] } ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_registry_sigma.yml", - "Description": "Detects potential registry activity of Alpemix RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_network_sigma.yml", - "Description": "Detects potential network activity of Alpemix RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_files_sigma.yml", - "Description": "Detects potential files activity of Alpemix RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/adobe_connect_network_sigma.yml", + "Description": "Detects potential network activity of Adobe Connect RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/alpemix_processes_sigma.yml", - "Description": "Detects potential processes activity of Alpemix RMM tool" + "Sigma": 
"https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/adobe_connect_processes_sigma.yml", + "Description": "Detects potential processes activity of Adobe Connect RMM tool" } ], "References": [ - "https://www.alpemix.com/en/remote-access" + "https://helpx.adobe.com/adobe-connect/firewall-proxy-server-configuration-adobe-connect.html" ], - "Acknowledgement": [ - { - "Person": "Nasreddine Bencherchali", - "Handle": "@nas_bench" - } - ] + "Acknowledgement": [] }, { - "Name": "Royal TS", - "Description": "Royal TS is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "RemotePC", + "Description": "RemotePC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -4762,7 +4092,16 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "royalts.exe" + "C:\\Program Files (x86)\\RemotePC\\*", + "Idrive.File-Transfer", + "*\\RemotePC\\*", + "remotepcservice.exe", + "RemotePC.exe", + "remotepchost.exe", + "idrive.RemotePCAgent", + "rpcsuite.exe", + "*\\RemotePCService.exe", + "RemotePCService.exe" ] }, "Artifacts": { @@ -4773,7 +4112,10 @@ { "Description": "Known remote domains", "Domains": [ - "royalapps.com" + "*.remotedesktop.com", + "*.remotepc.com", + "www.remotepc.com", + "remotepc.com" ], "Ports": [] } 
@@ -4781,23 +4123,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_ts_network_sigma.yml", - "Description": "Detects potential network activity of Royal TS RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepc_network_sigma.yml", + "Description": "Detects potential network activity of RemotePC RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_ts_processes_sigma.yml", - "Description": "Detects potential processes activity of Royal TS RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepc_processes_sigma.yml", + "Description": "Detects potential processes activity of RemotePC RMM tool" } ], - "References": [], + "References": [ + "https://www.remotedesktop.com/helpdesk/faq-firewall" + ], "Acknowledgement": [] }, { - "Name": "DragonDisk", - "Description": "DragonDisk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "LogMeIn rescue", + "Description": "LogMeIn rescue is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -4812,32 +4156,48 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\Almageste\\DragonDisk\\*", - "*\\Almageste\\DragonDisk\\*", - "*\\DragonDisk.exe" + "support-logmeinrescue*.exe", + "support-logmeinrescue.exe", + "lmi_rescue.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.logmeinrescue.com", + "*.logmeinrescue.eu", + "logmeinrescue.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dragondisk_processes_sigma.yml", - "Description": "Detects potential processes activity of DragonDisk RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_rescue_network_sigma.yml", + "Description": "Detects potential network activity of LogMeIn rescue RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_rescue_processes_sigma.yml", + "Description": "Detects potential processes activity of LogMeIn rescue RMM tool" } ], - "References": [], + "References": [ + "https://support.logmeinrescue.com/rescue/help/allowlisting-and-rescue" + ], "Acknowledgement": [] }, { - "Name": "Pcvisit", - "Description": "Pcvisit is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "UltraViewer", + "Description": "UltraViewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -4852,10 +4212,18 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "pcvisit.exe", - "pcvisit_client.exe", - "pcvisit-easysupport.exe", - "pcvisit_service_client.exe" + "UltraViewer_Service.exe", + "UltraViewer_setup*", + "UltraViewer_Desktop.exe", + "ultraviewer.exe", + "C:\\Program Files (x86)\\UltraViewer\\UltraViewer_Desktop.exe", + "*\\UltraViewer\\", + "*\\UltraViewer_Desktop.exe", + "ultraviewer_desktop.exe", + "ultraviewer_service.exe", + "UltraViewer_Desktop.exe", + "UltraViewer_setup*", + "UltraViewer_Service.exe" ] }, "Artifacts": { @@ -4866,8 +4234,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.pcvisit.de", - "pcvisit.de" + "* .ultraviewer.net", + "ultraviewer.net" ], "Ports": [] } 
@@ -4875,25 +4243,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcvisit_network_sigma.yml", - "Description": "Detects potential network activity of Pcvisit RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultraviewer_network_sigma.yml", + "Description": "Detects potential network activity of UltraViewer RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcvisit_processes_sigma.yml", - "Description": "Detects potential processes activity of Pcvisit RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultraviewer_processes_sigma.yml", + "Description": "Detects potential processes activity of UltraViewer RMM tool" } ], "References": [ - "https://www.pcvisit.de/" + "https://www.ultraviewer.net/en/200000026-summary-of-ultraviewer-s-security-information.html" ], "Acknowledgement": [] }, { - "Name": "Connectwise Automate (LabTech)", - "Description": "Connectwise Automate (LabTech) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Pandora RC (eHorus)", + "Description": "Pandora RC (eHorus) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -4908,9 +4276,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ltsvc.exe", - "ltsvcmon.exe", - "lttray.exe" + "ehorus standalone.exe", + "ehorus_agent.exe" ] }, "Artifacts": { @@ -4921,7 +4288,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.hostedrmm.com" + "portal.ehorus.com" ], "Ports": [] } 
@@ -4929,25 +4296,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_automate__labtech__network_sigma.yml", - "Description": "Detects potential network activity of Connectwise Automate (LabTech) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pandora_rc__ehorus__network_sigma.yml", + "Description": "Detects potential network activity of Pandora RC (eHorus) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_automate__labtech__processes_sigma.yml", - "Description": "Detects potential processes activity of Connectwise Automate (LabTech) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pandora_rc__ehorus__processes_sigma.yml", + "Description": "Detects potential processes activity of Pandora RC (eHorus) RMM tool" } ], "References": [ - "https://www.connectwise.com/company/announcements/labtech-now-connectwise-automate" + "https://pandorafms.com/manual/!current/en/documentation/09_pandora_rc/01_pandora_rc_introduction" ], "Acknowledgement": [] }, { - "Name": "DameWare", - "Description": "DameWare is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "IntelliAdmin Remote Control", + "Description": "IntelliAdmin Remote Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -4962,15 +4329,11 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "SolarWinds-Dameware-DRS*.exe", - "DameWare Mini Remote Control*.exe", - "C:\\Windows\\dwrcs\\*\n c:\\Program File\\SolarWinds\\Dameware Mini Remote Control\\*", - "dntus*.exe", - "dwrcs.exe", - "*\\dwrcs\\*", - "*\\dwrcst.exe", - "DameWare Remote Support.exe", - "SolarWinds-Dameware-MRC*.exe" + "iadmin.exe", + "intelliadmin.exe", + "agent32.exe", + "agent64.exe", + "agent_setup_5.exe" ] }, "Artifacts": { @@ -4981,7 +4344,9 @@ { "Description": "Known remote domains", "Domains": [ - "dameware.com" + "user_managed", + "*.intelliadmin.com", + "intelliadmin.com/remote-control" ], "Ports": [] } 
@@ -4989,22 +4354,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware-mini_remote_control_protocol_network_sigma.yml", - "Description": "Detects potential network activity of Dameware-mini remote control Protocol RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/intelliadmin_remote_control_network_sigma.yml", + "Description": "Detects potential network activity of IntelliAdmin Remote Control RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware_processes_sigma.yml", - "Description": "Detects potential processes activity of DameWare RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/intelliadmin_remote_control_processes_sigma.yml", + "Description": "Detects potential processes activity of IntelliAdmin Remote Control RMM tool" } ], "References": [ - "https://documentation.solarwinds.com/en/success_center/dameware/content/install-standalone-port-requirements.htm" + "intelliadmin.com/remote-control" ], "Acknowledgement": [] }, { - "Name": "Onionshare", - "Description": "Onionshare is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "MEGAsync", + "Description": "MEGAsync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -5022,10 +4387,12 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\OnionShare\\*", - "*\\OnionShare\\*", - "*\\onionshare*.exe", - "OnionShare-win*.msi" + "C:\\Users\\*\\AppData\\Local\\MEGAsync\\*", + "*Users\\*\\AppData\\Local\\MEGAsync\\*", + "*Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*", + "*ProgramData\\MEGAsync\\*", + "*\\MEGAsyncSetup64.exe", + "*\\MEGAupdater.exe" ] }, "Artifacts": { 
@@ -5036,19 +4403,19 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/onionshare_processes_sigma.yml", - "Description": "Detects potential processes activity of Onionshare RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/megasync_processes_sigma.yml", + "Description": "Detects potential processes activity of MEGAsync RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "Tailscale", - "Description": "Tailscale is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Encapto", + "Description": "Encapto is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -5062,11 +4429,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "tailscale-*.exe", - "tailscaled.exe", - "tailscale-ipn.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], @@ -5076,9 +4439,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.tailscale.com", - "*.tailscale.io", - "tailscale.com" + "encapto.com" ], "Ports": [] } 
@@ -5086,22 +4447,18 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tailscale_network_sigma.yml", - "Description": "Detects potential network activity of Tailscale RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tailscale_processes_sigma.yml", - "Description": "Detects potential processes activity of Tailscale RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/encapto_network_sigma.yml", + "Description": "Detects potential network activity of Encapto RMM tool" } ], "References": [ - "https://tailscale.com/kb/1023/troubleshooting" + "https://www.encapto.com - used to manage Cisco services" ], "Acknowledgement": [] }, { - "Name": "Senso.cloud", - "Description": "Senso.cloud is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ShowMyPC", + "Description": "ShowMyPC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -5119,9 +4476,10 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "SensoClient.exe", - "SensoService.exe", - "aadg.exe" + "SMPCSetup.exe", + "showmypc*.exe", + "showmypc.exe", + "smpcsetup.exe" ] }, "Artifacts": { @@ -5132,8 +4490,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.senso.cloud", - "senso.cloud" + "*.showmypc.com", + "showmypc.com" ], "Ports": [] } 
@@ -5141,25 +4499,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/senso.cloud_network_sigma.yml", - "Description": "Detects potential network activity of Senso.cloud RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/showmypc_network_sigma.yml", + "Description": "Detects potential network activity of ShowMyPC RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/senso.cloud_processes_sigma.yml", - "Description": "Detects potential processes activity of Senso.cloud RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/showmypc_processes_sigma.yml", + "Description": "Detects potential processes activity of ShowMyPC RMM tool" } ], "References": [ - "https://support.senso.cloud/support/solutions/articles/79000116305-firewall-and-content-filter-configuration" + "https://showmypc.com/service/faq/ShowMyPCSecurityOverview1.pdf" ], "Acknowledgement": [] }, { - "Name": "UltraViewer", - "Description": "UltraViewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Lite Manager", + "Description": "Lite Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -5174,18 +4532,45 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "UltraViewer_Service.exe", - "UltraViewer_setup*", - "UltraViewer_Desktop.exe", - "ultraviewer.exe", - "C:\\Program Files (x86)\\UltraViewer\\UltraViewer_Desktop.exe", - "*\\UltraViewer\\", - "*\\UltraViewer_Desktop.exe", - "ultraviewer_desktop.exe", - "ultraviewer_service.exe", - "UltraViewer_Desktop.exe", - "UltraViewer_setup*", - "UltraViewer_Service.exe" + "C:\\Program Files\\LiteManager Pro – Viewer\\*", + "*\\LiteManager Pro – Viewer\\*", + "*\\LMNoIpServer.exe." + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "Netop Remote Control (aka Impero Connect)", + "Description": "Netop Remote Control (aka Impero Connect) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "nhostsvc.exe", + "nhstw32.exe", + "nldrw32.exe", + "rmserverconsolemediator.exe" ] }, "Artifacts": { @@ -5196,8 +4581,7 @@ { "Description": "Known remote domains", "Domains": [ - "* .ultraviewer.net", - "ultraviewer.net" + "imperosoftware.com/impero-connect/" ], "Ports": [] } 
@@ -5205,25 +4589,23 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultraviewer_network_sigma.yml", - "Description": "Detects potential network activity of UltraViewer RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__aka_impero_connect__network_sigma.yml", + "Description": "Detects potential network activity of Netop Remote Control (aka Impero Connect) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultraviewer_processes_sigma.yml", - "Description": "Detects potential processes activity of UltraViewer RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__aka_impero_connect__processes_sigma.yml", + "Description": "Detects potential processes activity of Netop Remote Control (aka Impero Connect) RMM tool" } ], - "References": [ - "https://www.ultraviewer.net/en/200000026-summary-of-ultraviewer-s-security-information.html" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "KickIdler", - "Description": "KickIdler is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "GoToAssist", + "Description": "GoToAssist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -5238,8 +4620,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "grabberEM.*msi", - "grabberTT*.msi" + "gotoassist.exe", + "g2a*.exe", + "GoTo Assist Opener.exe" ] }, "Artifacts": { 
@@ -5250,8 +4633,14 @@ { "Description": "Known remote domains", "Domains": [ - "kickidler.com", - "my.kickidler.com" + "goto.com", + "*.getgo.com", + "*.fastsupport.com", + "*.gotoassist.com", + "helpme.net", + "*.gotoassist.me", + "*.gotoassist.at", + "*.desktopstreaming.com" ], "Ports": [] } @@ -5259,21 +4648,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kickidler_network_sigma.yml", - "Description": "Detects potential network activity of KickIdler RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotoassist_network_sigma.yml", + "Description": "Detects potential network activity of GoToAssist RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotoassist_processes_sigma.yml", + "Description": "Detects potential processes activity of GoToAssist RMM tool" } ], "References": [ - "https://www.kickidler.com/for-it/faq/" + "https://help.gotoassist.com/remote-support/help/what-should-i-allow-on-my-firewall-for-gotoassist-remote-support-v5" ], "Acknowledgement": [] }, { - "Name": "Remmina", - "Description": "Remmina is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Ericom Connect", + "Description": "Ericom Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -5287,191 +4680,334 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "EricomConnectRemoteHost*.exe", + "ericomconnnectconfigurationtool.exe" + ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "user_managed", + "ericom.com" + ], + "Ports": [] + } + ] }, - "Detections": [], - "References": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_connect_network_sigma.yml", + "Description": "Detects potential network activity of Ericom Connect RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_connect_processes_sigma.yml", + "Description": "Detects potential processes activity of Ericom Connect RMM tool" + } + ], + "References": [ + "https://www.ericom.com/connect-accessnow/" + ], "Acknowledgement": [] }, { - "Name": "eHorus", - "Description": "eHorus is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "", + "Name": "TeamViewer", + "Description": "TeamViewer is a remote monitoring and management (RMM) tool.\n", + "Author": "Nasreddine Bencherchali, Michael Haag", + "Created": "2024-08-02", + "LastModified": "2024-08-02", "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], + "Website": "https://www.teamviewer.com/en", + "PEMetadata": [ + { + "Filename": "TeamViewer.exe", + "OriginalFileName": "", + "Description": "", + "Product": "TeamViewer" + } + ], + "Privileges": "user", + "Free": true, + "Verification": false, + "SupportedOS": [ + "Android", + "ChromeOS", + "IOS", + "Linux", + "Mac", + "Windows" + ], "Capabilities": [], - "Vulnerabilities": [], + "Vulnerabilities": [ + "https://www.cvedetails.com/vulnerability-list/vendor_id-11100/product_id-19942/Teamviewer-Teamviewer.html" + ], "InstallationPaths": [ - "ehorus standalone.exe" + "C:\\Program Files\\TeamViewer\\", + "teamviewer_desktop.exe", + "teamviewer_service.exe", + "teamviewerhost" ] }, "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], + "Disk": [ + { + "File": "C:\\Users\\\\AppData\\Local\\Temp\\TeamViewer\\TV15Install.log", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "TeamViewer\\d\\d_Logfile\\.log", + "Description": "N/A", + "OS": "Windows", + "Type": "Regex" + }, + { + "File": "C:\\Program Files\\TeamViewer\\Connections_incoming.txt", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "C:\\Program Files\\TeamViewer\\TVNetwork.log", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "%LOCALAPPDATA%\\Temp\\TeamViewer\\TV15Install.log", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "%APPDATA%\\\\TeamViewer\\\\TeamViewer\\d\\d_Logfile\\.log", + "Description": "N/A", + "OS": "Windows", + 
"Type": "Regex" + }, + { + "File": "teamviewerqs.exe", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "tv_w32.exe", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "tv_w64.exe", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "tv_x64.exe", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "teamviewer.exe", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "teamviewer_service.exe", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "%LOCALAPPDATA%\\TeamViewer\\Database\\tvchatfilecache.db", + "Description": "SQlite 3 database storing cache about TeamViewer chat", + "OS": "Windows" + }, + { + "File": "%LOCALAPPDATA%\\TeamViewer\\RemotePrinting\\tvprint.db", + "Description": "SQlite 3 database storing TeamViewer print jobs", + "OS": "Windows" + }, + { + "File": "%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\TeamViewer.lnk", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "C:\\Program Files*\\TeamViewer\\connections*.txt", + "Description": "N/A", + "OS": "Windows" + }, + { + "File": "C:\\Users\\*\\AppData\\Roaming\\TeamViewer\\MRU\\RemoteSupport\\*tvc", + "Description": "N/A", + "OS": "Windows" + } + ], + "EventLog": [ + { + "EventID": 7045, + "ProviderName": "Service Control Manager", + "LogFile": "System.evtx", + "ServiceName": "TeamViewer", + "ImagePath": "\"C:\\\\Program Files\\\\TeamViewer\\\\TeamViewer_Service.exe\"", + "Description": "Service installation event as result of TeamViewer installation." 
+ } + ], + "Registry": [ + { + "Path": "HKLM\\SOFTWARE\\TeamViewer\\*", + "Description": "N/A" + }, + { + "Path": "HKU\\\\SOFTWARE\\TeamViewer\\*", + "Description": "N/A" + }, + { + "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\TeamViewer\\*", + "Description": "N/A" + }, + { + "Path": "HKLM\\SOFTWARE\\TeamViewer\\ConnectionHistory", + "Description": "N/A" + }, + { + "Path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\TeamViewer\\*", + "Description": "N/A" + }, + { + "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\MainWindowHandle", + "Description": "N/A" + }, + { + "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImage", + "Description": "N/A" + }, + { + "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImagePath", + "Description": "N/A" + }, + { + "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImagePosition", + "Description": "N/A" + }, + { + "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\MinimizeToTray", + "Description": "N/A" + }, + { + "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioUserSelectedCapturingEndpoint", + "Description": "N/A" + }, + { + "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioSendingVolumeV2", + "Description": "N/A" + }, + { + "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioUserSelectedRenderingEndpoint", + "Description": "N/A" + }, + { + "Path": "HKLM\\SOFTWARE\\TeamViewer\\ConnectionHistory", + "Description": "N/A" + }, + { + "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\ClientWindow_Mode", + "Description": "N/A" + }, + { + "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\ClientWindowPositions", + "Description": "N/A" + } + ], "Network": [ { "Description": "Known remote domains", "Domains": [ - "ehorus.com" + "*.teamviewer.com" ], "Ports": [] - } - ] - }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ehorus_network_sigma.yml", - "Description": "Detects potential network activity of eHorus RMM tool" - }, - { - 
"Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ehorus_processes_sigma.yml", - "Description": "Detects potential processes activity of eHorus RMM tool" - } - ], - "References": [], - "Acknowledgement": [] - }, - { - "Name": "Quick Assist", - "Description": "Quick Assist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "quickassist.exe" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [ + }, { - "Description": "Known remote domains", + "Description": "N/A", "Domains": [ - "*.support.services.microsoft.com" + "router15.teamviewer.com" ], - "Ports": [] + "Ports": [ + 443 + ] + }, + { + "Description": "N/A", + "Domains": [ + "client.teamviewer.com" + ], + "Ports": [ + 443 + ] + }, + { + "Description": "N/A", + "Domains": [ + "taf.teamviewer.com" + ], + "Ports": [ + 443 + ] + } + ], + "Other": [ + { + "Type": "Mutex", + "Value": "TeamViewer_LogMutex" + }, + { + "Type": "Mutex", + "Value": "TeamViewerHooks_DynamicMemMutex" + }, + { + "Type": "Mutex", + "Value": "TeamViewer3_Win32_Instance_Mutex" } ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quick_assist_network_sigma.yml", - "Description": "Detects potential network activity of Quick Assist RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_registry_sigma.yml", + "Description": "Detects potential registry activity of TeamViewer RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quick_assist_processes_sigma.yml", - "Description": 
"Detects potential processes activity of Quick Assist RMM tool" - } - ], - "References": [], - "Acknowledgement": [] - }, - { - "Name": "N-Able Advanced Monitoring Agent", - "Description": "N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/9/2024", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_network_sigma.yml", + "Description": "Detects potential network activity of TeamViewer RMM tool" }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "Agent_*_RW.exe", - "BASEClient.exe", - "BASupApp.exe", - "BASupSrvc.exe", - "BASupSrvcCnfg.exe", - "BASupTSHelper.exe" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*remote.management", - "*.logicnow.com", - "*systemmonitor.us", - "*systemmonitor.eu.com", - "*system-monitor.com", - "systemmonitor.us.cdn.cloudflare.net", - "*cloudbackup.management", - "*systemmonitor.co.uk", - "*.n-able.com", - "*.beanywhere.com ", - "*.swi-tc.com" - ], - "Ports": [] - } - ] - }, - "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_network_sigma.yml", - "Description": "Detects potential network activity of N-Able Advanced Monitoring Agent RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_files_sigma.yml", + "Description": "Detects potential files activity of TeamViewer RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_processes_sigma.yml", - 
"Description": "Detects potential processes activity of N-Able Advanced Monitoring Agent RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_processes_sigma.yml", + "Description": "Detects potential processes activity of TeamViewer RMM tool" } ], "References": [ - "https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm" + "https://community.teamviewer.com/English/kb/articles/4139-ports-used-by-teamviewer", + "https://arista.my.site.com/AristaCommunity/s/article/Security-Analysis-TeamViewer#", + "https://www.teamviewer.com/en/global/support/knowledge-base/teamviewer-classic/troubleshooting/log-file-reading-incoming-connection/", + "https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html", + "https://github.com/Purp1eW0lf/Blue-Team-Notes" ], - "Acknowledgement": [] + "Acknowledgement": [ + { + "Person": "Théo Letailleur", + "Handle": "in/theosyn" + } + ] }, { - "Name": "KiTTY", - "Description": "KiTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Access Remote PC", + "Description": "Access Remote PC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -5486,8 +5022,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\*\\kitty.exe", - "*\\kitty.exe" + "rpcgrab.exe", + "rpcsetup.exe" ] }, "Artifacts": { 
@@ -5498,16 +5034,16 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kitty_processes_sigma.yml", - "Description": "Detects potential processes activity of KiTTY RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/access_remote_pc_processes_sigma.yml", + "Description": "Detects potential processes activity of Access Remote PC RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "FleetDeck.io", - "Description": "FleetDeck.io is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "SecureCRT", + "Description": "SecureCRT is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -5525,50 +5061,32 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "fleetdeck_agent_svc.exe", - "fleetdeck_commander_svc.exe", - "fleetdeck_installer.exe", - "fleetdeck_commander_launcher.exe", - "fleetdeck_agent.exe" + "C:\\*\\SecureCRT.EXE", + "*\\SecureCRT.EXE", + "*\\VanDyke Software\\ClientPack\\*" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.fleetdeck.io", - "cognito-idp.us-west-2.amazonaws.com", - "fleetdeck.io" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdesk.io_network_sigma.yml", - "Description": "Detects potential network activity of FleetDesk.io RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdesk.io_processes_sigma.yml", - "Description": "Detects potential processes activity of FleetDesk.io RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/securecrt_processes_sigma.yml", + "Description": "Detects potential processes activity of SecureCRT RMM tool" } ], - "References": [ - "https://fleetdeck.io/faq/" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "TeleDesktop", - "Description": "TeleDesktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Acronic Cyber Protect (Remotix)", + "Description": "Acronic Cyber Protect (Remotix) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "2/26/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -5583,9 +5101,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "pstlaunch.exe", - "ptdskclient.exe", - "ptdskhost.exe" + "AcronisCyberProtectConnectQuickAssist*.exe", + "AcronisCyberProtectConnectAgent.exe" ] }, "Artifacts": { @@ -5596,8 +5113,10 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "tele-desk.com" + "cloud.acronis.com", + "agents*-cloud.acronis.com", + "gw.remotix.com", + "connect.acronis.com" ], "Ports": [] } @@ -5605,22 +5124,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teledesktop_network_sigma.yml", - "Description": "Detects potential network activity of TeleDesktop RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/acronic_cyber_protect__remotix__network_sigma.yml", + "Description": "Detects potential network activity of Acronic Cyber Protect (Remotix) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teledesktop_processes_sigma.yml", - "Description": "Detects potential processes activity of TeleDesktop RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/acronic_cyber_protect__remotix__processes_sigma.yml", + "Description": "Detects potential processes activity of Acronic Cyber Protect (Remotix) RMM tool" } ], "References": [ - "http://potomacsoft.com/ - DOA as of 2024" + "https://kb.acronis.com/content/47189" ], "Acknowledgement": [] }, { - "Name": "Remote Utilities", - "Description": "Remote Utilities is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Sorillus", + "Description": "Sorillus is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", 
@@ -5638,8 +5157,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "rutview.exe", - "rutserv.exe" + "Sorillus-Launcher*.exe", + "Sorillus Launcher.exe" ] }, "Artifacts": { @@ -5650,7 +5169,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.internetid.ru" + "*.sorillus.com", + "sorillus.com" ], "Ports": [] } @@ -5658,25 +5178,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_utilities_network_sigma.yml", - "Description": "Detects potential network activity of Remote Utilities RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sorillus_network_sigma.yml", + "Description": "Detects potential network activity of Sorillus RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_utilities_processes_sigma.yml", - "Description": "Detects potential processes activity of Remote Utilities RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sorillus_processes_sigma.yml", + "Description": "Detects potential processes activity of Sorillus RMM tool" } ], "References": [ - "https://www.remoteutilities.com/download/" + "https://sorillus.com/" ], "Acknowledgement": [] }, { - "Name": "NetSupport Manager", - "Description": "NetSupport Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Barracuda", + "Description": "Barracuda is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -5690,11 +5210,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "pcictlui.exe", - "pcicfgui.exe", - "client32.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], 
@@ -5704,8 +5220,9 @@ { "Description": "Known remote domains", "Domains": [ - "*.netsupportmanager.com", - "netsupportmanager.com" + "*.islonline.net", + "rmm.barracudamsp.com", + "barracudamsp.com" ], "Ports": [] } @@ -5713,25 +5230,21 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_network_sigma.yml", - "Description": "Detects potential network activity of NetSupport Manager RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_processes_sigma.yml", - "Description": "Detects potential processes activity of NetSupport Manager RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/barracuda_network_sigma.yml", + "Description": "Detects potential network activity of Barracuda RMM tool" } ], "References": [ - "https://www.netsupportmanager.com/resources/" + "https://help.islonline.com/19799/166125" ], "Acknowledgement": [] }, { - "Name": "GotoHTTP", - "Description": "GotoHTTP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "DeskDay", + "Description": "DeskDay is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -5746,9 +5259,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "GotoHTTP_x64.exe", - "gotohttp.exe", - "GotoHTTP*.exe" + "ultimate_*.exe" ] }, "Artifacts": { @@ -5759,8 +5270,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.gotohttp.com", - "gotohttp.com" + "deskday.ai", + "app.deskday.ai" ], "Ports": [] } 
@@ -5768,25 +5279,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotohttp_network_sigma.yml", - "Description": "Detects potential network activity of GotoHTTP RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskday_network_sigma.yml", + "Description": "Detects potential network activity of DeskDay RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotohttp_processes_sigma.yml", - "Description": "Detects potential processes activity of GotoHTTP RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskday_processes_sigma.yml", + "Description": "Detects potential processes activity of DeskDay RMM tool" } ], "References": [ - "https://gotohttp.com/goto/help.12x" + "https://support.deskday.ai/en/articles/8235973-installing-the-end-user-application-ultimate" ], "Acknowledgement": [] }, { - "Name": "RemoteUtilities", - "Description": "RemoteUtilities is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "RemoteCall", + "Description": "RemoteCall is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -5801,12 +5312,13 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "rutview.exe", - "*\\Remote Manipulator System - Server\\*", - "C:\\Program Files\\Remote Utilities\\*", - "*\\Remote Utilities\\*", - "rutserv.exe", - "*\\rutserv.exe" + "rcengmgru.exe", + "rcmgrsvc.exe", + "rxstartsupport.exe", + "rcstartsupport.exe", + "raautoup.exe", + "agentu.exe", + "remotesupportplayeru.exe" ] }, "Artifacts": { 
@@ -5817,7 +5329,9 @@ { "Description": "Known remote domains", "Domains": [ - "remoteutilities.com" + "*.remotecall.com", + "*.startsupport.com", + "remotecall.com" ], "Ports": [] } 
@@ -5825,188 +5339,189 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteutilities_network_sigma.yml", - "Description": "Detects potential network activity of RemoteUtilities RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotecall_network_sigma.yml", + "Description": "Detects potential network activity of RemoteCall RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteutilities_processes_sigma.yml", - "Description": "Detects potential processes activity of RemoteUtilities RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotecall_processes_sigma.yml", + "Description": "Detects potential processes activity of RemoteCall RMM tool" } ], - "References": [], + "References": [ + "https://help.remotecall.com/hc/en-us/articles/360005128814--RemoteCall-Server-List-For-Firewall" + ], "Acknowledgement": [] }, { - "Name": "GoToMyPC", - "Description": "GoToMyPC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.\n", + "Name": "Splashtop", + "Description": "Splashtop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", "Author": "Nasreddine Bencherchali", - "Created": "2024-08-05", - "LastModified": "2024-08-05", + "Created": "", + "LastModified": "", "Details": { "Website": "", - "PEMetadata": [ - { - "Filename": "AppCore.exe" - }, - { - "Filename": "g2comm.exe" - }, - { - "Filename": "g2file*.exe" - }, - { - "Filename": "g2fileh.exe" - }, - { - "Filename": "g2host.exe" - }, - { - "Filename": "g2m_download.exe" - }, - { - "Filename": "g2mainh.exe" - }, - { - "Filename": "G2MChat.exe" - }, - { - "Filename": "G2MCodecInstExtractor.exe" - }, - { - "Filename": "G2MComm.exe" - }, - { - "Filename": "G2MCoreInstExtractor.exe" - }, - { - "Filename": "G2MFeedback.exe" - }, - { - "Filename": "G2MHost.exee" - }, - { - "Filename": "G2MInstaller.exe" - }, - { - "Filename": "G2MInstallerExtractor.exe" - }, + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "C:\\Program Files (x86)\\Splashtop\\*", + "*\\Splashtop\\Splashtop Remote\\Client for RMM\\*", + "strwinclt.exe" + ] + }, + "Artifacts": { + "Disk": [ { - "Filename": "G2MInstHigh.exe" + "File": "C:\\windows\\System32\\winevt\\Logs\\Splashtop-Splashtop Streamer-Status%4Operational.evtx", + "Description": "N/A", + "OS": "Windows" }, { - "Filename": "G2MLauncher.exe" + "File": "C:\\windows\\System32\\winevt\\Logs\\Splashtop-Splashtop Streamer-Remote Session%4Operational.evtx", + "Description": "N/A", + "OS": "Windows" }, { - "Filename": "G2MMatchMaking.exe" + "File": "%PROGRAMDATA%\\Splashtop\\Temp\\log\\FTCLog.txt", + "Description": "N/A", + "OS": "Windows" }, { - "Filename": "G2MMaterials.exe" + "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\agent_log.txt", + "Description": "N/A", + "OS": "Windows" }, { - "Filename": "G2MPolling.exe" + "File": "C:\\Program Files 
(x86)\\Splashtop\\Splashtop Remote\\Server\\log\\SPLog.txt", + "Description": "N/A", + "OS": "Windows" }, { - "Filename": "G2MQandA.exe" + "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\svcinfo.txt", + "Description": "N/A", + "OS": "Windows" }, { - "Filename": "G2MRecorder.exe" + "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\log\\sysinfo.txt", + "Description": "N/A", + "OS": "Windows" }, { - "Filename": "G2MScrUtil64.exe" + "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRService.exe", + "Description": "Splashtop Remote Service", + "OS": "Windows" }, { - "Filename": "G2MSessionControl.exe" + "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRAgent.exe", + "Description": "SplashTop Remote Agent", + "OS": "Windows" }, { - "Filename": "G2MStart.exe" + "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Software Updater\\SSUAgent.exe", + "Description": "Splashtop Updater", + "OS": "Windows" }, { - "Filename": "G2MTesting.exe" + "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRUtility.exe", + "Description": "N/A", + "OS": "Windows" }, { - "Filename": "G2MTranscoder.exe" + "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRFeature.exe", + "Description": "N/A", + "OS": "Windows" }, { - "Filename": "G2MUI.exe" - }, + "File": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\db\\SRAgent.sqlite3", + "Description": "N/A", + "OS": "Windows" + } + ], + "EventLog": [ { - "Filename": "G2MUninstall.exe" + "EventID": 7045, + "ProviderName": "Service Control Manager", + "LogFile": "System.evtx", + "ServiceName": "Splashtop Software Updater Service", + "ImagePath": "\"C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Software Updater\\\\SSUService.exe\"", + "Description": "Service installation event as result of Splashtop Software Updater Service installation." 
}, { - "Filename": "g2mupload.exe" + "EventID": 7045, + "ProviderName": "Service Control Manager", + "LogFile": "System.evtx", + "ServiceName": "Splashtop® Remote Service", + "ImagePath": "\"C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Remote\\\\Server\\\\SRService.exe\"", + "Description": "Service installation event as result of Splashtop Remote Service installation." }, { - "Filename": "g2mvideoconference.exe" - }, + "EventID": 7045, + "ProviderName": "Service Control Manager", + "LogFile": "System.evtx", + "ServiceName": "SplashtopRemoteService", + "ImagePath": "\"C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Remote\\\\Server\\\\SRService.exe\"", + "Description": "Service installation event as result of Splashtop Remote Service installation." + } + ], + "Registry": [ { - "Filename": "G2MView.exe" + "Path": "KLM\\SOFTWARE\\WOW6432Node\\Splashtop Inc.\\*", + "Description": "Splashtop Inc. registry key" }, { - "Filename": "g2printh.exe" + "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Splashtop Software Updater", + "Description": "Splashtop Software Updater uninstall key" }, { - "Filename": "g2quick.exe" + "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SplashtopRemoteService", + "Description": "Splashtop Remote Service registry key" }, { - "Filename": "g2svc.exe" + "Path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Splashtop-Splashtop Streamer-Remote Session/Operational", + "Description": "Splashtop Streamer Remote Session event log channel" }, { - "Filename": "g2tray.exe" + "Path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\Splashtop-Splashtop Streamer-Status/Operational", + "Description": "Splashtop Streamer Status event log channel" }, { - "Filename": "gopcsrv.exe" + "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Splashtop Software Updater\\InstallRefCount", + "Description": "Splashtop Software Updater install 
reference count" }, { - "Filename": "GoToScrUtils.exe" + "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\SplashtopRemoteService", + "Description": "Splashtop Remote Service safe boot configuration" }, { - "Filename": "GoTo.exe", - "OriginalFileName": "", - "Description": "" - } - ], - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\Program Files (x86)\\GoToMyPC\\*" - ] - }, - "Artifacts": { - "Disk": [ - { - "File": "%AppData%\\GoTo\\Logs\\goto.log", - "Description": "N/A", - "OS": "Windows" - } - ], - "EventLog": [], - "Registry": [ - { - "Path": "HKEY_LOCAL_MACHINE\\WOW6432Node\\Citrix\\GoToMyPc", - "Description": "Configuration settings including registration email" + "Path": "HKU\\.DEFAULT\\Software\\Splashtop Inc.\\*", + "Description": "Default user Splashtop Inc. registry key" }, { - "Path": "HKEY_LOCAL_MACHINE\\WOW6432Node\\Citrix\\GoToMyPc\\GuestInvite", - "Description": "Guest invites send to connect" + "Path": "HKU\\SID\\Software\\Splashtop Inc.\\*", + "Description": "User-specific Splashtop Inc. registry key" }, { - "Path": "HKEY_CURRENT_USER\\SOFTWARE\\Citrix\\GoToMyPc\\FileTransfer\\history", - "Description": "hostname of the computer making connections and location of transferred files" + "Path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print\\Printers\\Splashtop PDF Remote Printer", + "Description": "Splashtop PDF Remote Printer configuration" }, { - "Path": "HKEY_USERS\\\\SOFTWARE\\Citrix\\GoToMyPc\\FileTransfer\\history", - "Description": "hostname of the computer making connections and location of transferred files" + "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Splashtop Inc.\\Splashtop Remote Server\\ClientInfo\\*", + "Description": "Splashtop Remote Server client information" } ], "Network": [ { "Description": "N/A", "Domains": [ - "*.GoToMyPC.com" + "*.splashtop.com" ], "Ports": [ "N/A" 
@@ -6016,33 +5531,35 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_registry_sigma.yml", - "Description": "Detects potential registry activity of GoToMyPC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_registry_sigma.yml", + "Description": "Detects potential registry activity of Splashtop RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_network_sigma.yml", - "Description": "Detects potential network activity of GoToMyPC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_network_sigma.yml", + "Description": "Detects potential network activity of Splashtop RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_files_sigma.yml", - "Description": "Detects potential files activity of GoToMyPC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_files_sigma.yml", + "Description": "Detects potential files activity of Splashtop RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop_processes_sigma.yml", + "Description": "Detects potential processes activity of Splashtop RMM tool" } ], "References": [ - "https://support.logmeininc.com/gotomypc/help/what-are-the-optimal-firewall-configurations#", - "https://support.goto.com/training/help/how-do-i-configure-gototraining-to-work-with-firewalls", - "https://ruler-project.github.io/ruler-project/RULER/remote/Citrix%20GoToMyPC/" + "https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html" ], "Acknowledgement": [ { - "Person": "Phill Moore", - "Handle": "@phillmoore" + "Person": "Théo Letailleur", + "Handle": "in/theosyn" } ] }, { - "Name": "SmartCode Web VNC", - "Description": "SmartCode Web VNC is a remote 
monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ManageEngine RMM Central", + "Description": "ManageEngine RMM Central is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -6059,24 +5576,34 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\Program Files\\TightVNC\\*", - "*\\TightVNC\\*" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "manageengine.com/remote-monitoring-management/" + ], + "Ports": [] + } + ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manageengine_rmm_central_network_sigma.yml", + "Description": "Detects potential network activity of ManageEngine RMM Central RMM tool" + } + ], "References": [], "Acknowledgement": [] }, { - "Name": "Seetrol", - "Description": "Seetrol is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "AeroAdmin", + "Description": "AeroAdmin is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/7/2024", @@ -6094,11 +5621,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "seetrolcenter.exe", - "seetrolclient.exe", - "seetrolmyservice.exe", - "seetrolremote.exe", - "seetrolsetting.exe" + "aeroadmin.exe", + "AeroAdmin.exe" ] }, "Artifacts": { @@ -6109,7 +5633,8 @@ { "Description": "Known remote domains", "Domains": [ - "seetrol.co.kr" + "auth*.aeroadmin.com", + "aeroadmin.com" ], "Ports": [] } 
@@ -6117,22 +5642,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/seetrol_network_sigma.yml", - "Description": "Detects potential network activity of Seetrol RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aeroadmin_network_sigma.yml", + "Description": "Detects potential network activity of AeroAdmin RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/seetrol_processes_sigma.yml", - "Description": "Detects potential processes activity of Seetrol RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aeroadmin_processes_sigma.yml", + "Description": "Detects potential processes activity of AeroAdmin RMM tool" } ], "References": [ - "http://www.seetrol.com/en/features/features3.php" + "https://support.aeroadmin.com/kb/faq.php?id=58" ], "Acknowledgement": [] }, { - "Name": "RDPView", - "Description": "RDPView is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "NoMachine", + "Description": "NoMachine is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -6150,7 +5675,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "dwrcs.exe" + "nomachine*.exe", + "nxservice*.ese", + "nxd.exe" ] }, "Artifacts": { @@ -6162,7 +5689,7 @@ "Description": "Known remote domains", "Domains": [ "user_managed", - "systemmanager.ru/dntu.en/rdp_view.htm" + "nomachine.com" ], "Ports": [] } 
@@ -6170,22 +5697,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpview_network_sigma.yml", - "Description": "Detects potential network activity of RDPView RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nomachine_network_sigma.yml", + "Description": "Detects potential network activity of NoMachine RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpview_processes_sigma.yml", - "Description": "Detects potential processes activity of RDPView RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nomachine_processes_sigma.yml", + "Description": "Detects potential processes activity of NoMachine RMM tool" } ], "References": [ - "systemmanager.ru/dntu.en/rdp_view.htm - Same as Damware" + "https://kb.nomachine.com/AR04S01122" ], "Acknowledgement": [] }, { - "Name": "Zoho Assist", - "Description": "Zoho Assist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "UltraVNC", + "Description": "UltraVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/14/2024", @@ -6203,16 +5730,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "zaservice.exe", - "ZMAgent.exe", - "C:\\*\\ZA_Access.exe", - "ZohoMeeting.exe", - "Zohours.exe", - "zohotray.exe", - "ZohoURSService.exe", - "*\\ZA_Access.exe", - "Zaservice.exe", - "za_connect.exe" + "UltraVNC*.exe" ] }, "Artifacts": { 
@@ -6223,19 +5741,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.zoho.com.au", - "*.zohoassist.jp", - "assist.zoho.com", - "zoho.com/assist/", - "*.zoho.in", - "downloads.zohodl.com.cn", - "*.zohoassist.com", - "downloads.zohocdn.com", - "gateway.zohoassist.com", - "*.zohoassist.com.cn", - "*.zoho.com.cn", - "*.zoho.com", - "*.zoho.eu" + "ultravnc.com", + "user_managed" ], "Ports": [] } @@ -6243,25 +5750,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoho_assist_network_sigma.yml", - "Description": "Detects potential network activity of Zoho Assist RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultravnc_network_sigma.yml", + "Description": "Detects potential network activity of UltraVNC RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoho_assist_processes_sigma.yml", - "Description": "Detects potential processes activity of Zoho Assist RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultravnc_processes_sigma.yml", + "Description": "Detects potential processes activity of UltraVNC RMM tool" } ], "References": [ - "https://www.zoho.com/assist/kb/firewall-configuration.html" + "https://uvnc.com/docs/uvnc-server/49-UltraVNC-server-configuration.html" ], "Acknowledgement": [] }, { - "Name": "Xpra", - "Description": "Xpra is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Instant Housecall", + "Description": "Instant Housecall is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -6276,66 +5783,50 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\Xpra\\*", - "*\\Xpra\\*", - "*\\Xpra-Launcher.exe", - "*\\Xpra-x86_64_Setup.exe" + "hsloader.exe", + "ihcserver.exe", + "instanthousecall.exe", + "instanthousecall.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] - }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xpra_processes_sigma.yml", - "Description": "Detects potential processes activity of Xpra RMM tool" - } - ], - "References": [], - "Acknowledgement": [] - }, - { - "Name": "DeskNets", - "Description": "DeskNets is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/26/2024", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.instanthousecall.com", + "*.instanthousecall.net", + "instanthousecall.com", + "secure.instanthousecall.com" + ], + "Ports": [] + } + ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_network_sigma.yml", + "Description": "Detects potential network activity of Instant Housecall RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_processes_sigma.yml", + "Description": "Detects potential processes activity of Instant Housecall RMM tool" + } + ], "References": [ - "https://www.desknets.com/en/download.html" + 
"https://instanthousecall.com/features/" ], "Acknowledgement": [] }, { - "Name": "XRDP", - "Description": "XRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "NinjaRMM", + "Description": "NinjaRMM is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -6349,24 +5840,51 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "ninjarmmagent.exe", + "NinjaRMMAgent.exe", + "NinjaRMMAgenPatcher.exe", + "ninjarmm-cli.exe" + ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.ninjarmm.com", + "*.ninjaone.com", + "resources.ninjarmm.com", + "ninjaone.com" + ], + "Ports": [] + } + ] }, - "Detections": [], - "References": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ninjarmm_network_sigma.yml", + "Description": "Detects potential network activity of NinjaRMM RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ninjarmm_processes_sigma.yml", + "Description": "Detects potential processes activity of NinjaRMM RMM tool" + } + ], + "References": [ + "https://www.ninjaone.com/faq/" + ], "Acknowledgement": [] }, { - "Name": "ManageEngine", - "Description": "ManageEngine is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ngrok", + "Description": "ngrok is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -6381,31 +5899,44 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "InstallShield Setup.exe", - "ManageEngine_Remote_Access_Plus.exe", - "*\\dcagentservice.exe", - "C:\\Program Files (x86)\\DesktopCentral_Agent\\bin\\*", - "*\\DesktopCentral_Agent\\bin\\*" + "ngrok.exe", + "C:\\*\\ngrok.zip", + "*\\ngrok*" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "user_managed", + "ngrok.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manageengine_processes_sigma.yml", - "Description": "Detects potential processes activity of ManageEngine RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ngrok_network_sigma.yml", + "Description": "Detects potential network activity of ngrok RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ngrok_processes_sigma.yml", + "Description": "Detects potential processes activity of ngrok RMM tool" } ], - "References": [], + "References": [ + "https://ngrok.com/docs/guides/running-behind-firewalls/" + ], "Acknowledgement": [] }, { - "Name": "Impero Connect", - "Description": "Impero Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Bitvise SSH Client", + "Description": "Bitvise SSH Client is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -6423,39 +5954,29 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ImperoClientSVC.exe" + "C:\\Program Files (x86)\\Bitvise SSH Client\\*", + "*\\Bitvise SSH Client\\*", + "*\\BvSshClient-Inst.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "imperosoftware.com" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/impero_connect_network_sigma.yml", - "Description": "Detects potential network activity of Impero Connect RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/impero_connect_processes_sigma.yml", - "Description": "Detects potential processes activity of Impero Connect RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bitvise_ssh_client_processes_sigma.yml", + "Description": "Detects potential processes activity of Bitvise SSH Client RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "Remcos", - "Description": "Remcos is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Chicken (of the VNC)", + "Description": "Chicken (of the VNC) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -6472,9 +5993,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "remcos*.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], 
@@ -6482,21 +6001,18 @@ "Registry": [], "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remcos_processes_sigma.yml", - "Description": "Detects potential processes activity of Remcos RMM tool" - } + "Detections": [], + "References": [ + "https://github.com/flit/cotvnc" ], - "References": [], "Acknowledgement": [] }, { - "Name": "PDQ Connect", - "Description": "PDQ Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "SkyFex", + "Description": "SkyFex is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/26/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -6511,7 +6027,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "pdq-connect*.exe" + "Deskroll.exe", + "DeskRollUA.exe" ] }, "Artifacts": { @@ -6522,8 +6039,9 @@ { "Description": "Known remote domains", "Domains": [ - "app.pdq.com", - "cfcdn.pdq.com" + "skyfex.com", + "deskroll.com", + "*.deskroll.com" ], "Ports": [] } 
@@ -6531,25 +6049,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pdq_connect_network_sigma.yml", - "Description": "Detects potential network activity of PDQ Connect RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/skyfex_network_sigma.yml", + "Description": "Detects potential network activity of SkyFex RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pdq_connect_processes_sigma.yml", - "Description": "Detects potential processes activity of PDQ Connect RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/skyfex_processes_sigma.yml", + "Description": "Detects potential processes activity of SkyFex RMM tool" } ], "References": [ - "https://connect.pdq.com/hc/en-us/articles/9518992071707-Network-Requirements" + "https://skyfex.com/" ], "Acknowledgement": [] }, { - "Name": "Terminals", - "Description": "Terminals is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Ericom AccessNow", + "Description": "Ericom AccessNow is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -6563,24 +6081,47 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "accessserver*.exe", + "accessserver.exe" + ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "user_managed", + "ericom.com" + ], + "Ports": [] + } + ] }, - "Detections": [], - "References": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_accessnow_network_sigma.yml", + "Description": "Detects potential network activity of Ericom AccessNow RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_accessnow_processes_sigma.yml", + "Description": "Detects potential processes activity of Ericom AccessNow RMM tool" + } + ], + "References": [ + "https://www.ericom.com/connect-accessnow/" + ], "Acknowledgement": [] }, { - "Name": "Syncro", - "Description": "Syncro is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Microsoft RDP", + "Description": "Microsoft RDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/13/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -6595,63 +6136,34 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "Syncro.Installer.exe", - "Kabuto.App.Runner.exe", - "Syncro.Overmind.Service.exe", - "Kabuto.Installer.exe", - "KabutoSetup.exe", - "Syncro.Service.exe", - "Kabuto.Service.Runner.exe", - "Syncro.App.Runner.exe", - "SyncroLive.Service.exe", - "SyncroLive.Agent.exe" + "termsrv.exe", + "mstsc.exe", + "Microsoft Remote Desktop" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "kabuto.io", - "*.syncromsp.com", - "*.syncroapi.com", - "syncromsp.com", - "servably.com", - "ld.aurelius.host", - "app.kabuto.io ", - "*.kabutoservices.com", - "repairshopr.com", - "kabutoservices.com", - "attachments.servably.com" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncro_network_sigma.yml", - "Description": "Detects potential network activity of Syncro RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncro_processes_sigma.yml", - "Description": "Detects potential processes activity of Syncro RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_rdp_processes_sigma.yml", + "Description": "Detects potential processes activity of Microsoft RDP RMM tool" } ], "References": [ - "https://community.syncromsp.com/t/syncro-exceptions-and-allowlists/2004" + "https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/windows" ], "Acknowledgement": [] }, { - "Name": "247ithelp.com (ConnectWise)", - "Description": "247ithelp.com (ConnectWise) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Royal Server", + "Description": "Royal Server is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -6665,9 +6177,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "Remote Workforce Client.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], @@ -6677,7 +6187,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.247ithelp.com" + "royalapps.com" ], "Ports": [] } @@ -6685,22 +6195,18 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/247ithelp.com__connectwise__network_sigma.yml", - "Description": "Detects potential network activity of 247ithelp.com (ConnectWise) RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/247ithelp.com__connectwise__processes_sigma.yml", - "Description": "Detects potential processes activity of 247ithelp.com (ConnectWise) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_server_network_sigma.yml", + "Description": "Detects potential network activity of Royal Server RMM tool" } ], "References": [ - "Similar / replaced by ScreenConnect" + "https://royalapps.com/server/main/features" ], "Acknowledgement": [] }, { - "Name": "Netviewer", - "Description": "Netviewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Solar-PuTTY", + "Description": "Solar-PuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -6718,43 +6224,32 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "netviewer*.exe", - "netviewer.exe" + "C:\\Program Files\\Solar-Putty-v4\\*", + "*\\Solar-Putty-v4\\*", + "*\\Solar-PuTTY.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "download.cnet.com/Net-Viewer/3000-2370_4-10034828.html" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer_network_sigma.yml", - "Description": "Detects potential network activity of Netviewer RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer_processes_sigma.yml", - "Description": "Detects potential processes activity of Netviewer RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/solar-putty_processes_sigma.yml", + "Description": "Detects potential processes activity of Solar-PuTTY RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "Syspectr", - "Description": "Syspectr is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Duplicati", + "Description": "Duplicati is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/26/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -6769,46 +6264,31 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "oo-syspectr*.exe", - "OOSysAgent.exe" + "c:\\Program Files\\*\\Duplicati.Server.exe", + "*\\*\\Duplicati.Server.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "atled.syspectr.com", - "app.syspectr.com" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syspectr_network_sigma.yml", - "Description": "Detects potential network activity of Syspectr RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syspectr_processes_sigma.yml", - "Description": "Detects potential processes activity of Syspectr RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/duplicati_processes_sigma.yml", + "Description": "Detects potential processes activity of Duplicati RMM tool" } ], - "References": [ - "https://www.syspectr.com/en/installation-in-a-network" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "I'm InTouch", - "Description": "I'm InTouch is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Remote Desktop Plus", + "Description": "Remote Desktop Plus is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -6823,9 +6303,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "iit.exe", - "intouch.exe", - "I'm InTouch Go Installer.exe" + "rdp.exe" ] }, "Artifacts": { @@ -6836,8 +6314,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.01com.com", - "01com.com/imintouch-remote-pc-desktop" + "donkz.nl" ], "Ports": [] } 
@@ -6845,25 +6322,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/i'm_intouch_network_sigma.yml", - "Description": "Detects potential network activity of I'm InTouch RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_desktop_plus_network_sigma.yml", + "Description": "Detects potential network activity of Remote Desktop Plus RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/i'm_intouch_processes_sigma.yml", - "Description": "Detects potential processes activity of I'm InTouch RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_desktop_plus_processes_sigma.yml", + "Description": "Detects potential processes activity of Remote Desktop Plus RMM tool" } ], "References": [ - "https://www.01com.com/mobile/imintouch-remote-pc-desktop/faqs/remote-access/" + "https://www.donkz.nl/" ], "Acknowledgement": [] }, { - "Name": "ISL Light", - "Description": "ISL Light is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ITSupport247 (ConnectWise)", + "Description": "ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -6878,9 +6355,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "islalwaysonmonitor.exe", - "isllight.exe", - "isllightservice.exe" + "saazapsc.exe" ] }, "Artifacts": { @@ -6891,7 +6366,8 @@ { "Description": "Known remote domains", "Domains": [ - "islonline.com" + "*.itsupport247.net", + "itsupport247.net" ], "Ports": [] } 
@@ -6899,58 +6375,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_light_network_sigma.yml", - "Description": "Detects potential network activity of ISL Light RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__network_sigma.yml", + "Description": "Detects potential network activity of ITSupport247 (ConnectWise) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_light_processes_sigma.yml", - "Description": "Detects potential processes activity of ISL Light RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__processes_sigma.yml", + "Description": "Detects potential processes activity of ITSupport247 (ConnectWise) RMM tool" } ], - "References": [], - "Acknowledgement": [] - }, - { - "Name": "Mocha VNC Lite", - "Description": "Mocha VNC Lite is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "This installs a modified VNC and cannot be blocked by path separate from VNC", - "This installs a modified VNC and cannot be blocked by path separate from VNC", - "*\\RealVNC\\VNC4\\*" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [] - }, - "Detections": [], - "References": [], + "References": [ + "https://control.itsupport247.net/" + ], "Acknowledgement": [] }, { - "Name": "Ericom Connect", - "Description": "Ericom Connect is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Name": "DesktopNow", + "Description": "DesktopNow is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/26/2024", "Details": { "Website": "", "PEMetadata": { @@ -6965,8 +6408,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "EricomConnectRemoteHost*.exe", - "ericomconnnectconfigurationtool.exe" + "desktopnow.exe" ] }, "Artifacts": { @@ -6977,8 +6419,7 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "ericom.com" + "*.nchuser.com" ], "Ports": [] } 
@@ -6986,22 +6427,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_connect_network_sigma.yml", - "Description": "Detects potential network activity of Ericom Connect RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktopnow_network_sigma.yml", + "Description": "Detects potential network activity of DesktopNow RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ericom_connect_processes_sigma.yml", - "Description": "Detects potential processes activity of Ericom Connect RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktopnow_processes_sigma.yml", + "Description": "Detects potential processes activity of DesktopNow RMM tool" } ], "References": [ - "https://www.ericom.com/connect-accessnow/" + "https://forums.ivanti.com/s/article/Network-Ports-used-by-Environment-Manager?language=en_US" ], "Acknowledgement": [] }, { - "Name": "Yandex.Disk", - "Description": "Yandex.Disk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Remmina", + "Description": "Remmina is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -7018,11 +6459,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\Program Files (x86)\\Yandex\\*", - "*\\Yandex\\*", - "*\\YandexDisk2.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], 
@@ -7030,18 +6467,13 @@ "Registry": [], "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/yandex.disk_processes_sigma.yml", - "Description": "Detects potential processes activity of Yandex.Disk RMM tool" - } - ], + "Detections": [], "References": [], "Acknowledgement": [] }, { - "Name": "LiteManager", - "Description": "LiteManager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Distant Desktop", + "Description": "Distant Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/8/2024", @@ -7059,12 +6491,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "lmnoipserver.exe", - "ROMFUSClient.exe", - "romfusclient.exe", - "romviewer.exe", - "romserver.exe", - "ROMServer.exe" + "ddsystem.exe", + "dd.exe", + "distant-desktop.exe" ] }, "Artifacts": { @@ -7075,9 +6504,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.litemanager.ru", - "*.litemanager.com", - "litemanager.com" + "*.distantdesktop.com", + "*signalserver.xyz" ], "Ports": [] } 
@@ -7085,22 +6513,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/litemanager_network_sigma.yml", - "Description": "Detects potential network activity of LiteManager RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_network_sigma.yml", + "Description": "Detects potential network activity of Distant Desktop RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/litemanager_processes_sigma.yml", - "Description": "Detects potential processes activity of LiteManager RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_processes_sigma.yml", + "Description": "Detects potential processes activity of Distant Desktop RMM tool" } ], "References": [ - "https://www.litemanager.com/articles/LiteManager_remote_access_to_a_desktop_via_the_Internet_or_LAN/" + "https://www.distantdesktop.com/manual/first-start.htm" ], "Acknowledgement": [] }, { - "Name": "BeAnyWhere", - "Description": "BeAnyWhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "DameWare", + "Description": "DameWare is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/7/2024", @@ -7118,14 +6546,15 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "basuptshelper.exe", - "basupsrvcupdate.exe", - "BASupApp.exe", - "BASupSysInf.exe", - "BASupAppSrvc.exe", - "TakeControl.exe", - "BASupAppElev.exe", - "basupsrvc.exe" + "SolarWinds-Dameware-DRS*.exe", + "DameWare Mini Remote Control*.exe", + "C:\\Windows\\dwrcs\\*\n c:\\Program File\\SolarWinds\\Dameware Mini Remote Control\\*", + "dntus*.exe", + "dwrcs.exe", + "*\\dwrcs\\*", + "*\\dwrcst.exe", + "DameWare Remote Support.exe", + "SolarWinds-Dameware-MRC*.exe" ] }, "Artifacts": { 
@@ -7136,34 +6565,33 @@ { "Description": "Known remote domains", "Domains": [ - "beanywhere.en.uptodown.com/windows", - "beanywhere.com" + "dameware.com" ], "Ports": [] } ] }, "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beanywhere_network_sigma.yml", - "Description": "Detects potential network activity of BeAnyWhere RMM tool" + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware-mini_remote_control_protocol_network_sigma.yml", + "Description": "Detects potential network activity of Dameware-mini remote control Protocol RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beanywhere_processes_sigma.yml", - "Description": "Detects potential processes activity of BeAnyWhere RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dameware_processes_sigma.yml", + "Description": "Detects potential processes activity of DameWare RMM tool" } ], "References": [ - "https://www.shouldiremoveit.com/beanywhere-support-service-40908-program.aspx" + "https://documentation.solarwinds.com/en/success_center/dameware/content/install-standalone-port-requirements.htm" ], "Acknowledgement": [] }, { - "Name": "Jump Cloud", - "Description": "Jump Cloud is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Level", + "Description": "Level is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/26/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -7177,9 +6605,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "JumpCloud*.exe " - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], 
@@ -7189,8 +6615,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.api.jumpcloud.com", - "*.assist.jumpcloud.com" + "level.io" ], "Ports": [] } @@ -7198,18 +6623,16 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_cloud_network_sigma.yml", - "Description": "Detects potential network activity of Jump Cloud RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level_network_sigma.yml", + "Description": "Detects potential network activity of Level RMM tool" } ], - "References": [ - "https://jumpcloud.com/support/understand-remote-assist-agent" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "Remote Desktop Manager (Devolutions)", - "Description": "Remote Desktop Manager (Devolutions) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Insync", + "Description": "Insync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -7226,7 +6649,11 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "C:\\Users\\USERNAME\\AppData\\Roaming\\Insync\\App\\Insync.exe", + "*Users\\*\\AppData\\Roaming\\Insync\\App\\Insync.exe", + "*\\Insync.exe" + ] }, "Artifacts": { "Disk": [], 
@@ -7234,16 +6661,21 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/insync_processes_sigma.yml", + "Description": "Detects potential processes activity of Insync RMM tool" + } + ], "References": [], "Acknowledgement": [] }, { - "Name": "AweRay", - "Description": "AweRay is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ISL Online", + "Description": "ISL Online is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -7258,8 +6690,14 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "aweray_remote*.exe", - "AweSun.exe" + "*\\ISLLight.exe", + "isllight.exe", + "ISLLightClient.exe", + "C:\\Program Files (x86)\\ISL Online\\ISL Light*", + "*\\ISL Online\\ISL Light*", + "ISLLight.exe", + "isllightservice.exe", + "islalwaysonmonitor.exe" ] }, "Artifacts": { @@ -7270,8 +6708,8 @@ { "Description": "Known remote domains", "Domains": [ - "asapi*.aweray.net", - "client-api.aweray.com" + "*.islonline.com", + "*.islonline.net" ], "Ports": [] } 
@@ -7279,22 +6717,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray_network_sigma.yml", - "Description": "Detects potential network activity of AweRay RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_network_sigma.yml", + "Description": "Detects potential network activity of ISL Online RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray_processes_sigma.yml", - "Description": "Detects potential processes activity of AweRay RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_processes_sigma.yml", + "Description": "Detects potential processes activity of ISL Online RMM tool" } ], "References": [ - "https://sun.aweray.com/help" + "https://help.islonline.com/19818/165940" ], "Acknowledgement": [] }, { - "Name": "Remobo", - "Description": "Remobo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Remote.it", + "Description": "Remote.it is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -7312,9 +6750,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "remobo.exe", - "remobo_client.exe", - "remobo_tracker.exe" + "remote-it-installer.exe", + "remote.it.exe", + "remoteit.exe" ] }, "Artifacts": { @@ -7325,8 +6763,9 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "remobo.en.softonic.com" + "auth.api.remote.it", + "api.remote.it", + "remote.it" ], "Ports": [] } 
@@ -7334,25 +6773,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remobo_network_sigma.yml", - "Description": "Detects potential network activity of Remobo RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote.it_network_sigma.yml", + "Description": "Detects potential network activity of Remote.it RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remobo_processes_sigma.yml", - "Description": "Detects potential processes activity of Remobo RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote.it_processes_sigma.yml", + "Description": "Detects potential processes activity of Remote.it RMM tool" } ], "References": [ - "https://www.remobo.com - DOA as of 2024" + "https://docs.remote.it/introduction/get-started" ], "Acknowledgement": [] }, { - "Name": "ESET Remote Administrator", - "Description": "ESET Remote Administrator is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Netreo", + "Description": "Netreo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -7366,13 +6805,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "era.exe", - "einstaller.exe", - "ezhelp*.exe", - "eratool.exe", - "ERAAgent.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], @@ -7382,8 +6815,10 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "eset.com/me/business/remote-management/remote-administrator/" + "charon.netreo.net", + "activation.netreo.net", + "*.api.netreo.com", + "netreo.com" ], "Ports": [] } 
@@ -7391,22 +6826,18 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_network_sigma.yml", - "Description": "Detects potential network activity of ESET Remote Administrator RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_processes_sigma.yml", - "Description": "Detects potential processes activity of ESET Remote Administrator RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netreo_network_sigma.yml", + "Description": "Detects potential network activity of Netreo RMM tool" } ], "References": [ - "eset.com/me/business/remote-management/remote-administrator/" + "https://solutions.netreo.com/docs/firewall-requirements" ], "Acknowledgement": [] }, { - "Name": "Ultra VNC", - "Description": "Ultra VNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "NoteOn-desktop sharing", + "Description": "NoteOn-desktop sharing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -7424,11 +6855,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files\\uvnc bvba\\UltraVNC\\*", - "*\\uvnc bvba\\UltraVNC\\*", - "*\\UVNC_Launch.exe", - "*\\winvnc.exe", - "*\\vncviewer.exe" + "nateon*.exe", + "nateon.exe", + "nateonmain.exe" ] }, "Artifacts": { 
@@ -7439,19 +6868,19 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultra_vnc_processes_sigma.yml", - "Description": "Detects potential processes activity of Ultra VNC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/noteon-desktop_sharing_processes_sigma.yml", + "Description": "Detects potential processes activity of NoteOn-desktop sharing RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "pcAnywhere", - "Description": "pcAnywhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Royal TS", + "Description": "Royal TS is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -7466,10 +6895,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "awhost32.exe", - "awrem32.exe", - "pcaquickconnect.exe", - "winaw32.exe" + "royalts.exe" ] }, "Artifacts": { @@ -7480,7 +6906,7 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed" + "royalapps.com" ], "Ports": [] } 
@@ -7488,22 +6914,53 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcanywhere_network_sigma.yml", - "Description": "Detects potential network activity of pcAnywhere RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_ts_network_sigma.yml", + "Description": "Detects potential network activity of Royal TS RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcanywhere_processes_sigma.yml", - "Description": "Detects potential processes activity of pcAnywhere RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_ts_processes_sigma.yml", + "Description": "Detects potential processes activity of Royal TS RMM tool" } ], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "DeskNets", + "Description": "DeskNets is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/26/2024", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [], "References": [ - "https://en.wikipedia.org/wiki/PcAnywhere" + "https://www.desknets.com/en/download.html" ], "Acknowledgement": [] }, { - "Name": "Remote.it", - "Description": "Remote.it is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "QQ IM-remote assistance", + "Description": "QQ IM-remote assistance is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", 
@@ -7521,9 +6978,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "remote-it-installer.exe", - "remote.it.exe", - "remoteit.exe" + "qq.exe", + "QQProtect.exe", + "qqpcmgr.exe" ] }, "Artifacts": { @@ -7534,9 +6991,10 @@ { "Description": "Known remote domains", "Domains": [ - "auth.api.remote.it", - "api.remote.it", - "remote.it" + "*.mdt.qq.com", + "*.desktop.qq.com", + "upload_data.qq.com", + "qq-messenger.en.softonic.com" ], "Ports": [] } @@ -7544,25 +7002,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote.it_network_sigma.yml", - "Description": "Detects potential network activity of Remote.it RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/qq_im-remote_assistance_network_sigma.yml", + "Description": "Detects potential network activity of QQ IM-remote assistance RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote.it_processes_sigma.yml", - "Description": "Detects potential processes activity of Remote.it RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/qq_im-remote_assistance_processes_sigma.yml", + "Description": "Detects potential processes activity of QQ IM-remote assistance RMM tool" } ], "References": [ - "https://docs.remote.it/introduction/get-started" + "https://en.wikipedia.org/wiki/Tencent_QQ" ], "Acknowledgement": [] }, { - "Name": "Guacamole", - "Description": "Guacamole is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "PuTTY Tray", + "Description": "PuTTY Tray is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -7577,45 +7035,31 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "guacd.exe" + "C:\\*\\puttytray.exe", + "*\\puttytray.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "user_managed", - "guacamole.apache.org" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/guacamole_network_sigma.yml", - "Description": "Detects potential network activity of Guacamole RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/guacamole_processes_sigma.yml", - "Description": "Detects potential processes activity of Guacamole RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/putty_tray_processes_sigma.yml", + "Description": "Detects potential processes activity of PuTTY Tray RMM tool" } ], - "References": [ - "guacamole.apache.org" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "Addigy", - "Description": "Addigy is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "XRDP", + "Description": "XRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/27/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -7629,40 +7073,21 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "addigy-*.pkg" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "prod.addigy.com", - "grtmprod.addigy.com", - "agents.addigy.com" - ], - "Ports": [] - } - ] + "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/addigy_network_sigma.yml", - "Description": "Detects potential network activity of Addigy RMM tool" - } - ], - "References": [ - "https://addigy.com/" - ], + "Detections": [], + "References": [], "Acknowledgement": [] }, { - "Name": "AeroAdmin", - "Description": "AeroAdmin is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "FastViewer", + "Description": "FastViewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/7/2024", @@ -7680,8 +7105,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "aeroadmin.exe", - "AeroAdmin.exe" + "fastclient.exe", + "fastmaster.exe", + "FastViewer.exe" ] }, "Artifacts": { @@ -7692,8 +7118,8 @@ { "Description": "Known remote domains", "Domains": [ - "auth*.aeroadmin.com", - "aeroadmin.com" + "*.fastviewer.com", + "fastviewer.com" ], "Ports": [] } 
@@ -7701,25 +7127,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aeroadmin_network_sigma.yml", - "Description": "Detects potential network activity of AeroAdmin RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fastviewer_network_sigma.yml", + "Description": "Detects potential network activity of FastViewer RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aeroadmin_processes_sigma.yml", - "Description": "Detects potential processes activity of AeroAdmin RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fastviewer_processes_sigma.yml", + "Description": "Detects potential processes activity of FastViewer RMM tool" } ], "References": [ - "https://support.aeroadmin.com/kb/faq.php?id=58" + "https://fastviewer.com/demo/EN_FastViewer_Server%20Installation%20Configuration.pdf" ], "Acknowledgement": [] }, { - "Name": "Access Remote PC", - "Description": "Access Remote PC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Jump Desktop", + "Description": "Jump Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -7734,31 +7160,51 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "rpcgrab.exe", - "rpcsetup.exe" + "jumpclient.exe", + "jumpdesktop.exe", + "jumpservice.exe", + "jumpconnect.exe", + "jumpupdater.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.jumpdesktop.com", + "jumpdesktop.com", + "jumpto.me", + "*.jumpto.me" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/access_remote_pc_processes_sigma.yml", - "Description": "Detects potential processes activity of Access Remote PC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_desktop_network_sigma.yml", + "Description": "Detects potential network activity of Jump Desktop RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/jump_desktop_processes_sigma.yml", + "Description": "Detects potential processes activity of Jump Desktop RMM tool" } ], - "References": [], + "References": [ + "https://support.jumpdesktop.com/hc/en-us/articles/360042490351-Administrators-Guide-For-Jump-Desktop-Connect" + ], "Acknowledgement": [] }, { - "Name": "Acronic Cyber Protect (Remotix)", - "Description": "Acronic Cyber Protect (Remotix) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Ivanti Remote Control", + "Description": "Ivanti Remote Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/26/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -7773,8 +7219,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "AcronisCyberProtectConnectQuickAssist*.exe", - "AcronisCyberProtectConnectAgent.exe" + "IvantiRemoteControl.exe", + "ArcUI.exe", + "AgentlessRC.exe" ] }, "Artifacts": { @@ -7785,10 +7232,7 @@ { "Description": "Known remote domains", "Domains": [ - "cloud.acronis.com", - "agents*-cloud.acronis.com", - "gw.remotix.com", - "connect.acronis.com" + "*.ivanticloud.com" ], "Ports": [] } @@ -7796,25 +7240,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/acronic_cyber_protect__remotix__network_sigma.yml", - "Description": "Detects potential network activity of Acronic Cyber Protect (Remotix) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ivanti_remote_control_network_sigma.yml", + "Description": "Detects potential network activity of Ivanti Remote Control RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/acronic_cyber_protect__remotix__processes_sigma.yml", - "Description": "Detects potential processes activity of Acronic Cyber Protect (Remotix) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ivanti_remote_control_processes_sigma.yml", + "Description": "Detects potential processes activity of Ivanti Remote Control RMM tool" } ], "References": [ - "https://kb.acronis.com/content/47189" + "https://rc1.ivanticloud.com/" ], "Acknowledgement": [] }, { - "Name": "Instant Housecall", - "Description": "Instant Housecall is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "BeInSync", + "Description": "BeInSync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/26/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -7829,10 +7273,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "hsloader.exe", - "InstantHousecall.exe", - "ihcserver.exe", - "instanthousecall.exe" + "Beinsync*.exe" ] }, "Artifacts": { @@ -7843,10 +7284,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.instanthousecall.com", - "secure.instanthousecall.com", - "*.instanthousecall.net", - "instanthousecall.com" + "*.beinsync.net", + "*.beinsync.com" ], "Ports": [] } @@ -7854,22 +7293,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_network_sigma.yml", - "Description": "Detects potential network activity of Instant Housecall RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beinsync_network_sigma.yml", + "Description": "Detects potential network activity of BeInSync RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/instant_housecall_processes_sigma.yml", - "Description": "Detects potential processes activity of Instant Housecall RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beinsync_processes_sigma.yml", + "Description": "Detects potential processes activity of BeInSync RMM tool" } ], "References": [ - "https://instanthousecall.com/features/" + "https://en.wikipedia.org/wiki/Phoenix_Technologies" ], "Acknowledgement": [] }, { - "Name": "SkyFex", - "Description": "SkyFex is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "NateOn-desktop sharing", + "Description": "NateOn-desktop sharing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", 
@@ -7887,8 +7326,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "Deskroll.exe", - "DeskRollUA.exe" + "nateon*.exe", + "nateon.exe", + "nateonmain.exe" ] }, "Artifacts": { @@ -7899,9 +7339,7 @@ { "Description": "Known remote domains", "Domains": [ - "skyfex.com", - "deskroll.com", - "*.deskroll.com" + "*.nate.com" ], "Ports": [] } @@ -7909,25 +7347,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/skyfex_network_sigma.yml", - "Description": "Detects potential network activity of SkyFex RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nateon-desktop_sharing_network_sigma.yml", + "Description": "Detects potential network activity of NateOn-desktop sharing RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/skyfex_processes_sigma.yml", - "Description": "Detects potential processes activity of SkyFex RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nateon-desktop_sharing_processes_sigma.yml", + "Description": "Detects potential processes activity of NateOn-desktop sharing RMM tool" } ], "References": [ - "https://skyfex.com/" + "http://rsupport.nate.com/rview/r8/main/index.aspx" ], "Acknowledgement": [] }, { - "Name": "PSEXEC", - "Description": "PSEXEC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Xeox", + "Description": "Xeox is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -7942,8 +7380,10 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "psexec.exe", - "psexecsvc.exe" + "xeox-agent_x64.exe", + "xeox_service_windows.exe", + "xeox-agent_*.exe", + "xeox-agent_x86.exe" ] }, "Artifacts": { @@ -7954,7 +7394,8 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed" + "*.xeox.com", + "xeox.com" ], "Ports": [] } @@ -7962,25 +7403,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec_network_sigma.yml", - "Description": "Detects potential network activity of PSEXEC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xeox_network_sigma.yml", + "Description": "Detects potential network activity of Xeox RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec_processes_sigma.yml", - "Description": "Detects potential processes activity of PSEXEC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xeox_processes_sigma.yml", + "Description": "Detects potential processes activity of Xeox RMM tool" } ], "References": [ - "https://learn.microsoft.com/en-us/sysinternals/downloads/psexec" + "https://help.xeox.com/knowledge-base/gSuyNfDH6u79M82utnswf2/firewall-settings-xeox-agent-and-integrations/47T7S9tZJ2L1Z2W5gwuXoW" ], "Acknowledgement": [] }, { - "Name": "MSP360", - "Description": "MSP360 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "WinSCP", + "Description": "WinSCP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -7995,57 +7436,33 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "Online Backup.exe", - "CBBackupPlan.exe", - "Cloud.Backup.Scheduler.exe", - "Cloud.Backup.RM.Service.exe", - "cbb.exe", - "CloudRaService.exe", - "CloudRaSd.exe", - "CloudRaCmd.exe", - "CloudRaUtilities.exe", - "Remote Desktop.exe", - "Connect.exe" + "C:\\Users\\IEUser\\Downloads\\WinSCP-5.21.6-Portable\\*", + "*\\WinSCP*Portable\\*", + "*\\WinSCP.exe", + "*\\WinSCP\\*" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.cloudberrylab.com", - "*.msp360.com", - "*.mspbackups.com", - "msp360.com" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/msp360_network_sigma.yml", - "Description": "Detects potential network activity of MSP360 RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/msp360_processes_sigma.yml", - "Description": "Detects potential processes activity of MSP360 RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/winscp_processes_sigma.yml", + "Description": "Detects potential processes activity of WinSCP RMM tool" } ], - "References": [ - "https://kb.msp360.com/managed-backup-service/mbs-tcp-ports-configuration#" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "SecureCRT", - "Description": "SecureCRT is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "DW Service", + "Description": "DW Service is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -8060,32 +7477,46 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\*\\SecureCRT.EXE", - "*\\SecureCRT.EXE", - "*\\VanDyke Software\\ClientPack\\*" + "dwagsvc.exe", + "dwagent.exe", + "dwagsvc.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.dwservice.net" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/securecrt_processes_sigma.yml", - "Description": "Detects potential processes activity of SecureCRT RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_network_sigma.yml", + "Description": "Detects potential network activity of DW Service RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_processes_sigma.yml", + "Description": "Detects potential processes activity of DW Service RMM tool" } ], - "References": [], + "References": [ + "https://news.dwservice.net/dwservice-security-infrastructure/" + ], "Acknowledgement": [] }, { - "Name": "VNC", - "Description": "VNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "NTR Remote", + "Description": "NTR Remote is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "2/26/2024", "Details": { "Website": "", "PEMetadata": { @@ -8100,13 +7531,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "winvnc*.exe", - "vncserver.exe", - "winwvc.exe", - "winvncsc.exe", - "vncserverui.exe", - "vncviewer.exe", - "winvnc.exe" + "NTRsupportPro_EN.exe" ] }, "Artifacts": { 
@@ -8117,8 +7542,7 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "realvnc.com/en/connect/download/vnc" + "*.ntrsupport.com" ], "Ports": [] } @@ -8126,25 +7550,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/vnc_network_sigma.yml", - "Description": "Detects potential network activity of VNC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ntr_remote_network_sigma.yml", + "Description": "Detects potential network activity of NTR Remote RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/vnc_processes_sigma.yml", - "Description": "Detects potential processes activity of VNC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ntr_remote_processes_sigma.yml", + "Description": "Detects potential processes activity of NTR Remote RMM tool" } ], "References": [ - "https://realvnc.com/en/connect/download/vnc" + "DOA as of 2024" ], "Acknowledgement": [] }, { - "Name": "Panorama9", - "Description": "Panorama9 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "TurboMeeting", + "Description": "TurboMeeting is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { @@ -8159,7 +7583,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "p9agent*.exe" + "pcstarter.exe", + "turbomeeting.exe", + "turbomeetingstarter.exe" ] }, "Artifacts": { @@ -8170,9 +7596,8 @@ { "Description": "Known remote domains", "Domains": [ - "trusted.panorama9.com", - "changes.panorama9.com", - "panorama9.com" + "user_managed", + "acceo.com/turbomeeting/" ], "Ports": [] } 
@@ -8180,25 +7605,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/panorama9_network_sigma.yml", - "Description": "Detects potential network activity of Panorama9 RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/turbomeeting_network_sigma.yml", + "Description": "Detects potential network activity of TurboMeeting RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/panorama9_processes_sigma.yml", - "Description": "Detects potential processes activity of Panorama9 RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/turbomeeting_processes_sigma.yml", + "Description": "Detects potential processes activity of TurboMeeting RMM tool" } ], "References": [ - "https://support.panorama9.com/en/articles/1859605-what-ports-and-hosts-does-the-p9-agent-communicate-with" + "http://sourcing.rhubcom.com/v5/faqs.html#collapsetwentysix2-topdiv" ], "Acknowledgement": [] }, { - "Name": "FixMe.it", - "Description": "FixMe.it is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "RemoteUtilities", + "Description": "RemoteUtilities is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -8213,17 +7638,12 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "FixMeit Client.exe", - "TiExpertStandalone.exe", - "FixMeitClient*.exe", - "TiExpertCore.exe", - "FixMeit Unattended Access Setup.exe", - "FixMeit Expert Setup.exe", - "TiExpertCore.exe", - "fixmeitclient.exe", - "TiClientCore.exe", - "TiClientHelper*.exe", - "9380CC75B872221A7425D7503565B67580407F60" + "rutview.exe", + "*\\Remote Manipulator System - Server\\*", + "C:\\Program Files\\Remote Utilities\\*", + "*\\Remote Utilities\\*", + "rutserv.exe", + "*\\rutserv.exe" ] }, "Artifacts": { @@ -8234,11 +7654,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.fixme.it", - "*.techinline.net", - "fixme.it", - "*set.me", - "*setme.net" + "remoteutilities.com" ], "Ports": [] } 
@@ -8246,23 +7662,23 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme_network_sigma.yml", - "Description": "Detects potential network activity of FixMe RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteutilities_network_sigma.yml", + "Description": "Detects potential network activity of RemoteUtilities RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme_processes_sigma.yml", - "Description": "Detects potential processes activity of FixMe RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteutilities_processes_sigma.yml", + "Description": "Detects potential processes activity of RemoteUtilities RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "ISL Online", - "Description": "ISL Online is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Pulseway", + "Description": "Pulseway is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -8277,14 +7693,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "*\\ISLLight.exe", - "isllight.exe", - "ISLLightClient.exe", - "C:\\Program Files (x86)\\ISL Online\\ISL Light*", - "*\\ISL Online\\ISL Light*", - "ISLLight.exe", - "isllightservice.exe", - "islalwaysonmonitor.exe" + "PCMonitorManager.exe", + "pcmonitorsrv.exe" ] }, "Artifacts": { @@ -8295,8 +7705,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.islonline.com", - "*.islonline.net" + "pulseway.com" ], "Ports": [] } 
@@ -8304,22 +7713,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_network_sigma.yml", - "Description": "Detects potential network activity of ISL Online RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pulseway_network_sigma.yml", + "Description": "Detects potential network activity of Pulseway RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_processes_sigma.yml", - "Description": "Detects potential processes activity of ISL Online RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pulseway_processes_sigma.yml", + "Description": "Detects potential processes activity of Pulseway RMM tool" } ], "References": [ - "https://help.islonline.com/19818/165940" + "https://intercom.help/pulseway/en/" ], "Acknowledgement": [] }, { - "Name": "RES Automation Manager", - "Description": "RES Automation Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Panorama9", + "Description": "Panorama9 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -8337,10 +7746,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "wisshell*.exe", - "wmc.exe", - "wmc_deployer.exe", - "wmcsvc.exe" + "p9agent*.exe" ] }, "Artifacts": { @@ -8351,8 +7757,9 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "ivanti.com/" + "trusted.panorama9.com", + "changes.panorama9.com", + "panorama9.com" ], "Ports": [] } 
@@ -8360,16 +7767,16 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/res_automation_manager_network_sigma.yml", - "Description": "Detects potential network activity of RES Automation Manager RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/panorama9_network_sigma.yml", + "Description": "Detects potential network activity of Panorama9 RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/res_automation_manager_processes_sigma.yml", - "Description": "Detects potential processes activity of RES Automation Manager RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/panorama9_processes_sigma.yml", + "Description": "Detects potential processes activity of Panorama9 RMM tool" } ], "References": [ - "https://forums.ivanti.com/s/article/INFO-Which-ports-does-Ivanti-Automation-use?language=en_US&ui-force-components-controllers-recordGlobalValueProvider.RecordGvp.getRecord=1" + "https://support.panorama9.com/en/articles/1859605-what-ports-and-hosts-does-the-p9-agent-communicate-with" ], "Acknowledgement": [] }, 
@@ -8662,80 +8069,398 @@ ] }, { - "Description": "N/A", + "Description": "N/A", + "Domains": [ + "atera.pubnubapi.com" + ], + "Ports": [ + "N/A" + ] + }, + { + "Description": "N/A", + "Domains": [ + "appcdn.atera.com" + ], + "Ports": [ + "N/A" + ] + } + ] + }, + "Detections": [ + { + "Sigma": "https://github.com/The-DFIR-Report/Sigma-Rules/blob/d67407d357ad32b247e2a303abc5a38bb30fd576/rules/windows/process_creation/proc_creation_win_ateraagent_malicious_installations.yml", + "Name": "AteraAgent malicious installations", + "Description": "Detects AteraAgent installations with suspicious command line arguments." + }, + { + "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yml", + "Name": "Atera Agent Installation", + "Description": "Detects Atera Agent installation." + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_registry_sigma.yml", + "Description": "Detects potential registry activity of Atera RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_network_sigma.yml", + "Description": "Detects potential network activity of Atera RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_files_sigma.yml", + "Description": "Detects potential files activity of Atera RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_processes_sigma.yml", + "Description": "Detects potential processes activity of Atera RMM tool" + } + ], + "References": [ + "https://support.atera.com/hc/en-us/articles/360015461139-Firewall-Settings-for-Atera-s-Integrations", + "https://support.atera.com/hc/en-us/articles/215955967-Troubleshoot-Atera-s-Windows-agent", + "https://support.atera.com/hc/en-us/articles/115015619747-Release-Notes-February-2018", + 
"https://thedfirreport.com/?s=ateraagent" + ], + "Acknowledgement": [ + { + "Person": "Théo Letailleur", + "Handle": "in/theosyn" + }, + { + "Person": "Nasreddine Bencherchali", + "Handle": "@nas_bench" + }, + { + "Person": "Kostas", + "Handle": "@kostastsale" + } + ] + }, + { + "Name": "JollysFastVNC", + "Description": "JollysFastVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "RunSmart", + "Description": "RunSmart is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [ + { + "Description": "Known remote domains", "Domains": [ - "atera.pubnubapi.com" + "runsmart.io" ], - "Ports": [ - "N/A" - ] - }, + "Ports": [] + } + ] + }, + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/runsmart_network_sigma.yml", + "Description": "Detects potential network activity of RunSmart RMM tool" + } + ], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "Chrome Remote Desktop", + "Description": "Chrome Remote Desktop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/7/2024", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "remote_host.exe", + "remoting_host.exe", + "C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\*", + "*\\Google\\Chrome Remote Desktop\\*", + "*\\remoting_host.exe" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [ { - "Description": "N/A", + "Description": "Known remote domains", "Domains": [ - "appcdn.atera.com" + "*remotedesktop.google.com", + "*remotedesktop-pa.googleapis.com", + "remotedesktop.google.com" ], - "Ports": [ - "N/A" - ] + "Ports": [] } ] }, "Detections": [ { - "Sigma": "https://github.com/The-DFIR-Report/Sigma-Rules/blob/d67407d357ad32b247e2a303abc5a38bb30fd576/rules/windows/process_creation/proc_creation_win_ateraagent_malicious_installations.yml", - "Name": "AteraAgent malicious installations", - "Description": "Detects AteraAgent installations with suspicious command line arguments." - }, - { - "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/builtin/application/msiinstaller/win_software_atera_rmm_agent_install.yml", - "Name": "Atera Agent Installation", - "Description": "Detects Atera Agent installation." 
+ "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_network_sigma.yml", + "Description": "Detects potential network activity of Chrome Remote Desktop RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_registry_sigma.yml", - "Description": "Detects potential registry activity of Atera RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_processes_sigma.yml", + "Description": "Detects potential processes activity of Chrome Remote Desktop RMM tool" + } + ], + "References": [ + "https://support.google.com/chrome/a/answer/2799701?hl=en" + ], + "Acknowledgement": [] + }, + { + "Name": "Netviewer (GoToMeet)", + "Description": "Netviewer (GoToMeet) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/9/2024", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "nvClient.exe", + "netviewer.exe" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_network_sigma.yml", - "Description": "Detects potential network activity of Atera RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer__gotomeet__processes_sigma.yml", + "Description": "Detects potential processes activity of Netviewer (GoToMeet) RMM tool" + } + ], + "References": [ + "Obsolute - found copy here: https://www.enviolet.com/en/service/online-consultant.html" + ], + "Acknowledgement": [] + }, + { + "Name": "Netviewer", + "Description": "Netviewer is a 
remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "netviewer*.exe", + "netviewer.exe" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "download.cnet.com/Net-Viewer/3000-2370_4-10034828.html" + ], + "Ports": [] + } + ] + }, + "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_files_sigma.yml", - "Description": "Detects potential files activity of Atera RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer_network_sigma.yml", + "Description": "Detects potential network activity of Netviewer RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/atera_processes_sigma.yml", - "Description": "Detects potential processes activity of Atera RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netviewer_processes_sigma.yml", + "Description": "Detects potential processes activity of Netviewer RMM tool" } ], - "References": [ - "https://support.atera.com/hc/en-us/articles/360015461139-Firewall-Settings-for-Atera-s-Integrations", - "https://support.atera.com/hc/en-us/articles/215955967-Troubleshoot-Atera-s-Windows-agent", - "https://support.atera.com/hc/en-us/articles/115015619747-Release-Notes-February-2018", - "https://thedfirreport.com/?s=ateraagent" - ], - "Acknowledgement": [ + "References": [], + "Acknowledgement": [] + }, + { + "Name": "ConnectWise Control", + "Description": "ConnectWise Control is a remote monitoring and 
management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "connectwisechat-customer.exe", + "connectwisecontrol.client.exe", + "screenconnect.windowsclient.exe" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "live.screenconnect.com", + "control.connectwise.com" + ], + "Ports": [] + } + ] + }, + "Detections": [ { - "Person": "Théo Letailleur", - "Handle": "in/theosyn" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_network_sigma.yml", + "Description": "Detects potential network activity of ConnectWise Control RMM tool" }, { - "Person": "Nasreddine Bencherchali", - "Handle": "@nas_bench" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_control_processes_sigma.yml", + "Description": "Detects potential processes activity of ConnectWise Control RMM tool" + } + ], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "ExtraPuTTY", + "Description": "ExtraPuTTY is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "C:\\Users\\*\\ExtraPuTTY-0.30-2016-01-28-installer.exe", + "*Users\\*\\ExtraPuTTY-0.30-2016-01-28-installer.exe", + "*\\ExtraPuTTY-0.30-2016-01-28-installer.exe" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [ { - "Person": "Kostas", - "Handle": "@kostastsale" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/extraputty_processes_sigma.yml", + "Description": "Detects potential processes activity of ExtraPuTTY RMM tool" } - ] + ], + "References": [], + "Acknowledgement": [] }, { - "Name": "CrossLoop", - "Description": "CrossLoop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "FleetDeck.io", + "Description": "FleetDeck.io is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -8750,9 +8475,11 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "crossloopservice.exe", - "CrossLoopConnect.exe", - "WinVNCStub.exe" + "fleetdeck_agent_svc.exe", + "fleetdeck_commander_svc.exe", + "fleetdeck_installer.exe", + "fleetdeck_commander_launcher.exe", + "fleetdeck_agent.exe" ] }, "Artifacts": { @@ -8763,8 +8490,9 @@ { "Description": "Known remote domains", "Domains": [ - "*.crossloop.com", - "crossloop.en.softonic.com" + "*.fleetdeck.io", + "cognito-idp.us-west-2.amazonaws.com", + "fleetdeck.io" ], "Ports": [] } 
@@ -8772,22 +8500,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crossloop_network_sigma.yml", - "Description": "Detects potential network activity of CrossLoop RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdesk.io_network_sigma.yml", + "Description": "Detects potential network activity of FleetDesk.io RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crossloop_processes_sigma.yml", - "Description": "Detects potential processes activity of CrossLoop RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fleetdesk.io_processes_sigma.yml", + "Description": "Detects potential processes activity of FleetDesk.io RMM tool" } ], "References": [ - "www.CrossLoop.com -> redirects to avast.com" + "https://fleetdeck.io/faq/" ], "Acknowledgement": [] }, { - "Name": "Level.io", - "Description": "Level.io is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "HelpU", + "Description": "HelpU is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/8/2024", @@ -8805,9 +8533,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "level-windows-amd64.exe", - "level.exe", - "level-remote-control-ffmpeg.exe" + "helpu_install.exe", + "HelpuUpdater.exe", + "HelpuManager.exe" ] }, "Artifacts": { @@ -8818,8 +8546,8 @@ { "Description": "Known remote domains", "Domains": [ - "level.io", - "*.level.io" + "helpu.co.kr", + "*.helpu.co.kr" ], "Ports": [] } 
@@ -8827,22 +8555,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_network_sigma.yml", - "Description": "Detects potential network activity of Level.io RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpu_network_sigma.yml", + "Description": "Detects potential network activity of HelpU RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_processes_sigma.yml", - "Description": "Detects potential processes activity of Level.io RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpu_processes_sigma.yml", + "Description": "Detects potential processes activity of HelpU RMM tool" } ], "References": [ - "https://docs.level.io/1.0/admin-guides/troubleshooting-agent-issues" + "https://helpu.co.kr/" ], "Acknowledgement": [] }, { - "Name": "Tactical RMM", - "Description": "Tactical RMM is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ToDesk", + "Description": "ToDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/14/2024", @@ -8860,8 +8588,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "tacticalrmm.exe", - "tacticalrmm.exe" + "todesk.exe", + "ToDesk_Service.exe", + "ToDesk_Setup.exe" ] }, "Artifacts": { @@ -8872,9 +8601,10 @@ { "Description": "Known remote domains", "Domains": [ - "login.tailscale.com", - "login.tailscale.com", - "docs.tacticalrmm.com" + "todesk.com", + "*.todesk.com", + "*.todesk.com", + "todesktop.com" ], "Ports": [] } 
@@ -8882,71 +8612,147 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tactical_rmm_network_sigma.yml", - "Description": "Detects potential network activity of Tactical RMM RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/todesk_network_sigma.yml", + "Description": "Detects potential network activity of ToDesk RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tactical_rmm_processes_sigma.yml", - "Description": "Detects potential processes activity of Tactical RMM RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/todesk_processes_sigma.yml", + "Description": "Detects potential processes activity of ToDesk RMM tool" } ], "References": [ - "docs.tacticalrmm.com" + "https://www.todesk.com/" ], "Acknowledgement": [] }, { - "Name": "Fortra", - "Description": "Fortra is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/7/2024", + "Name": "RAdmin", + "Description": "RAdmin is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.\n", + "Author": "Nasreddine Bencherchali", + "Created": "2024-08-05", + "LastModified": "2024-08-05", "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, + "Website": "https://www.radmin.com/", + "PEMetadata": [ + { + "Filename": "RServer3.exe", + "OriginalFileName": "RServer3.exe", + "InternalName": "RServer3", + "Description": "Radmin Server", + "Product": "Radmin Server", + "Comments": "Radmin - Remote Control Server" + }, + { + "Filename": "Radmin.exe", + "OriginalFileName": "Radmin.exe", + "InternalName": "Radmin", + "Description": "Radmin Viewer", + "Product": "Radmin Viewer", + "Comments": "Radmin Viewer" + } + ], "Privileges": "", "Free": "", "Verification": "", - "SupportedOS": [], + "SupportedOS": [ + "Windows" + ], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "C:\\Program Files (x86)\\Radmin Viewer 3\\Radmin.exe", + "C:\\Windows\\SysWOW64\\rserver30\\rserver3.exe", + "C:\\Windows\\SysWOW64\\rserver30\\FamItrfc", + "C:\\Windows\\SysWOW64\\rserver30\\FamItrf2" + ] }, "Artifacts": { - "Disk": [], + "Disk": [ + { + "File": "C:\\Windows\\SysWOW64\\rserver30\\Radm_log.htm", + "Description": "RAdmin log file (32-bit)", + "OS": "Windows" + }, + { + "File": "C:\\Windows\\System32\\rserver30\\Radm_log.htm", + "Description": "RAdmin log file (64-bit)", + "OS": "Windows" + }, + { + "File": "C:\\Windows\\System32\\rserver30\\CHATLOGS\\*\\*.htm", + "Description": "RAdmin chat logs", + "OS": "Windows" + }, + { + "File": "C:\\Users\\*\\Documents\\ChatLogs\\*\\*.htm", + "Description": "RAdmin user chat logs", + "OS": "Windows" + } + ], "EventLog": [], - "Registry": [], + "Registry": [ + { + "Path": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Radmin\\v3.0\\Server\\Parameters\\Radmin Security", + "Description": "N/A" + } + ], "Network": [ { - "Description": "Known remote domains", + "Description": "N/A", 
"Domains": [ - "fortra.com" + "radmin.com" ], - "Ports": [] + "Ports": [ + 443 + ] } ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fortra_network_sigma.yml", - "Description": "Detects potential network activity of Fortra RMM tool" + "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_pua_radmin.yml", + "Description": "PUA - Radmin Viewer Utility Execution" + }, + { + "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml", + "Description": "Enumeration for 3rd Party Creds From CLI" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_registry_sigma.yml", + "Description": "Detects potential registry activity of RAdmin RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_network_sigma.yml", + "Description": "Detects potential network activity of RAdmin RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_files_sigma.yml", + "Description": "Detects potential files activity of RAdmin RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/radmin_processes_sigma.yml", + "Description": "Detects potential processes activity of RAdmin RMM tool" } ], "References": [ - "https://www.fortra.com - No free/cloud RMM softwars listed" + "https://radmin-club.com/radmin/how-to-establish-a-connection-outside-of-lan/", + "https://helpdesk.radmin.com/radmin3help/", + "https://helpdesk.radmin.com/radmin3help/files/viewercmd.htm", + "https://helpdesk.radmin.com/radmin3help/files/cmd.htm" ], - "Acknowledgement": [] + "Acknowledgement": [ + { + "Person": "Nasreddine Bencherchali", + "Handle": "@nas_bench" + } + ] }, - { - "Name": 
"Sorillus", - "Description": "Sorillus is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + { + "Name": "CrossLoop", + "Description": "CrossLoop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -8961,8 +8767,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "Sorillus-Launcher*.exe", - "Sorillus Launcher.exe" + "crossloopservice.exe", + "CrossLoopConnect.exe", + "WinVNCStub.exe" ] }, "Artifacts": { @@ -8973,8 +8780,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.sorillus.com", - "sorillus.com" + "*.crossloop.com", + "crossloop.en.softonic.com" ], "Ports": [] } 
@@ -8982,25 +8789,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sorillus_network_sigma.yml", - "Description": "Detects potential network activity of Sorillus RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crossloop_network_sigma.yml", + "Description": "Detects potential network activity of CrossLoop RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sorillus_processes_sigma.yml", - "Description": "Detects potential processes activity of Sorillus RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crossloop_processes_sigma.yml", + "Description": "Detects potential processes activity of CrossLoop RMM tool" } ], "References": [ - "https://sorillus.com/" + "www.CrossLoop.com -> redirects to avast.com" ], "Acknowledgement": [] }, { - "Name": "RemoteCall", - "Description": "RemoteCall is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Centurion", + "Description": "Centurion is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -9015,13 +8822,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "rcengmgru.exe", - "rcmgrsvc.exe", - "rxstartsupport.exe", - "rcstartsupport.exe", - "raautoup.exe", - "agentu.exe", - "remotesupportplayeru.exe" + "ctiserv.exe" ] }, "Artifacts": { @@ -9032,9 +8833,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.remotecall.com", - "*.startsupport.com", - "remotecall.com" + "centuriontech.com" ], "Ports": [] } 
@@ -9042,22 +8841,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotecall_network_sigma.yml", - "Description": "Detects potential network activity of RemoteCall RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centurion_network_sigma.yml", + "Description": "Detects potential network activity of Centurion RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotecall_processes_sigma.yml", - "Description": "Detects potential processes activity of RemoteCall RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centurion_processes_sigma.yml", + "Description": "Detects potential processes activity of Centurion RMM tool" } ], "References": [ - "https://help.remotecall.com/hc/en-us/articles/360005128814--RemoteCall-Server-List-For-Firewall" + "https://data443.atlassian.net/servicedesk/customer/portal/20" ], "Acknowledgement": [] }, { - "Name": "Laplink Everywhere", - "Description": "Laplink Everywhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "KickIdler", + "Description": "KickIdler is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/8/2024", @@ -9075,12 +8874,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "laplink.exe", - "laplink-everywhere-setup*.exe", - "laplinkeverywhere.exe", - "llrcservice.exe", - "serverproxyservice.exe", - "OOSysAgent.exe" + "grabberEM.*msi", + "grabberTT*.msi" ] }, "Artifacts": { @@ -9091,9 +8886,8 @@ { "Description": "Known remote domains", "Domains": [ - "everywhere.laplink.com", - "le.laplink.com", - "atled.syspectr.com" + "kickidler.com", + "my.kickidler.com" ], "Ports": [] } 
@@ -9101,68 +8895,21 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_everywhere_network_sigma.yml", - "Description": "Detects potential network activity of Laplink Everywhere RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_everywhere_processes_sigma.yml", - "Description": "Detects potential processes activity of Laplink Everywhere RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kickidler_network_sigma.yml", + "Description": "Detects potential network activity of KickIdler RMM tool" } ], "References": [ - "https://everywhere.laplink.com/docs" - ], - "Acknowledgement": [] - }, - { - "Name": "MEGAsync", - "Description": "MEGAsync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\Users\\*\\AppData\\Local\\MEGAsync\\*", - "*Users\\*\\AppData\\Local\\MEGAsync\\*", - "*Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*", - "*ProgramData\\MEGAsync\\*", - "*\\MEGAsyncSetup64.exe", - "*\\MEGAupdater.exe" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [] - }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/megasync_processes_sigma.yml", - "Description": "Detects potential processes activity of MEGAsync RMM tool" - } + "https://www.kickidler.com/for-it/faq/" ], - "References": [], "Acknowledgement": [] }, { - "Name": "Neturo", - "Description": "Neturo is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Name": "Syncro", + "Description": "Syncro is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/13/2024", "Details": { "Website": "", "PEMetadata": { @@ -9177,9 +8924,16 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "neturo*.exe", - "ntrntservice.exe", - "neturo.exe" + "Syncro.Installer.exe", + "Kabuto.App.Runner.exe", + "Syncro.Overmind.Service.exe", + "Kabuto.Installer.exe", + "KabutoSetup.exe", + "Syncro.Service.exe", + "Kabuto.Service.Runner.exe", + "Syncro.App.Runner.exe", + "SyncroLive.Service.exe", + "SyncroLive.Agent.exe" ] }, "Artifacts": { @@ -9190,7 +8944,17 @@ { "Description": "Known remote domains", "Domains": [ - "neturo.uplus.co.kr" + "kabuto.io", + "*.syncromsp.com", + "*.syncroapi.com", + "syncromsp.com", + "servably.com", + "ld.aurelius.host", + "app.kabuto.io ", + "*.kabutoservices.com", + "repairshopr.com", + "kabutoservices.com", + "attachments.servably.com" ], "Ports": [] } 
@@ -9198,25 +8962,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/neturo_network_sigma.yml", - "Description": "Detects potential network activity of Neturo RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncro_network_sigma.yml", + "Description": "Detects potential network activity of Syncro RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/neturo_processes_sigma.yml", - "Description": "Detects potential processes activity of Neturo RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncro_processes_sigma.yml", + "Description": "Detects potential processes activity of Syncro RMM tool" } ], "References": [ - "Obscure, located an older copy here: http://www.iconpos.com/pos/home/iconpos/bbs.php?id=file&q=view&uid=2" + "https://community.syncromsp.com/t/syncro-exceptions-and-allowlists/2004" ], "Acknowledgement": [] }, { - "Name": "Distant Desktop", - "Description": "Distant Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "AweRay", + "Description": "AweRay is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -9231,9 +8995,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ddsystem.exe", - "dd.exe", - "distant-desktop.exe" + "aweray_remote*.exe", + "AweSun.exe" ] }, "Artifacts": { @@ -9244,8 +9007,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.distantdesktop.com", - "*signalserver.xyz" + "asapi*.aweray.net", + "client-api.aweray.com" ], "Ports": [] } 
@@ -9253,25 +9016,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_network_sigma.yml", - "Description": "Detects potential network activity of Distant Desktop RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray_network_sigma.yml", + "Description": "Detects potential network activity of AweRay RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/distant_desktop_processes_sigma.yml", - "Description": "Detects potential processes activity of Distant Desktop RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aweray_processes_sigma.yml", + "Description": "Detects potential processes activity of AweRay RMM tool" } ], "References": [ - "https://www.distantdesktop.com/manual/first-start.htm" + "https://sun.aweray.com/help" ], "Acknowledgement": [] }, { - "Name": "Anyplace Control", - "Description": "Anyplace Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "SunLogin", + "Description": "SunLogin is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/26/2024", "Details": { "Website": "", "PEMetadata": { @@ -9286,7 +9049,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "apc_host.exe" + "OrayRemoteShell.exe", + "OrayRemoteService.exe", + "sunlogin*.exe" ] }, "Artifacts": { @@ -9297,7 +9062,8 @@ { "Description": "Known remote domains", "Domains": [ - "anyplace-control.com" + "sunlogin.oray.com", + "client.oray.net" ], "Ports": [] } 
@@ -9305,22 +9071,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyplace_control_network_sigma.yml", - "Description": "Detects potential network activity of Anyplace Control RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sunlogin_network_sigma.yml", + "Description": "Detects potential network activity of SunLogin RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyplace_control_processes_sigma.yml", - "Description": "Detects potential processes activity of Anyplace Control RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sunlogin_processes_sigma.yml", + "Description": "Detects potential processes activity of SunLogin RMM tool" } ], "References": [ - "http://www.anyplace-control.com/anyplace-control/help/faq.htm" + "https://sunlogin.oray.com/en/embed/software.html" ], "Acknowledgement": [] }, { - "Name": "JollysFastVNC", - "Description": "JollysFastVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Koofr", + "Description": "Koofr is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -9350,8 +9116,8 @@ "Acknowledgement": [] }, { - "Name": "ExtraPuTTY", - "Description": "ExtraPuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "SysAid", + "Description": "SysAid is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -9369,9 +9135,10 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Users\\*\\ExtraPuTTY-0.30-2016-01-28-installer.exe", - "*Users\\*\\ExtraPuTTY-0.30-2016-01-28-installer.exe", - "*\\ExtraPuTTY-0.30-2016-01-28-installer.exe" + "C:\\Program Files\\SysAidServer\\*", + "*\\SysAidServer\\*", + "*\\SysAid\\*", + "*\\IliAS.exe" ] }, "Artifacts": { @@ -9382,16 +9149,16 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/extraputty_processes_sigma.yml", - "Description": "Detects potential processes activity of ExtraPuTTY RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sysaid_processes_sigma.yml", + "Description": "Detects potential processes activity of SysAid RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "rdpwrap", - "Description": "rdpwrap is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Neturo", + "Description": "Neturo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -9409,9 +9176,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "RDPWInst.exe", - "RDPCheck.exe", - "RDPConf.exe" + "neturo*.exe", + "ntrntservice.exe", + "neturo.exe" ] }, "Artifacts": { @@ -9422,8 +9189,7 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "github.com/stascorp/rdpwrap" + "neturo.uplus.co.kr" ], "Ports": [] } 
@@ -9431,22 +9197,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpwrap_network_sigma.yml", - "Description": "Detects potential network activity of rdpwrap RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/neturo_network_sigma.yml", + "Description": "Detects potential network activity of Neturo RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpwrap_processes_sigma.yml", - "Description": "Detects potential processes activity of rdpwrap RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/neturo_processes_sigma.yml", + "Description": "Detects potential processes activity of Neturo RMM tool" } ], "References": [ - "github.com/stascorp/rdpwrap" + "Obscure, located an older copy here: http://www.iconpos.com/pos/home/iconpos/bbs.php?id=file&q=view&uid=2" ], "Acknowledgement": [] }, { - "Name": "N-ABLE Remote Access Software", - "Description": "N-ABLE Remote Access Software is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "SmarTTY", + "Description": "SmarTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -9463,34 +9229,30 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "c:\\Program Files (x86)\\Sysprogs\\SmarTTY\\*", + "*\\Sysprogs\\SmarTTY\\*", + "*\\SmarTTY.exe" + ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "n-able.com" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_remote_access_software_network_sigma.yml", - "Description": "Detects potential network activity of N-ABLE Remote Access Software RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/smartty_processes_sigma.yml", + "Description": "Detects potential processes activity of SmarTTY RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "Solar-PuTTY", - "Description": "Solar-PuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Impero Connect", + "Description": "Impero Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -9508,319 +9270,295 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files\\Solar-Putty-v4\\*", - "*\\Solar-Putty-v4\\*", - "*\\Solar-PuTTY.exe" + "ImperoClientSVC.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "imperosoftware.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/solar-putty_processes_sigma.yml", - "Description": "Detects potential processes activity of Solar-PuTTY RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/impero_connect_network_sigma.yml", + "Description": "Detects potential network activity of Impero Connect RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/impero_connect_processes_sigma.yml", + "Description": "Detects potential processes activity of Impero Connect RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "TeamViewer", - "Description": "TeamViewer is a remote monitoring and management (RMM) tool.\n", - "Author": "Nasreddine Bencherchali, Michael Haag", - "Created": "2024-08-02", - "LastModified": "2024-08-02", + "Name": "247ithelp.com (ConnectWise)", + "Description": "247ithelp.com (ConnectWise) is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/8/2024", "Details": { - "Website": "https://www.teamviewer.com/en", - "PEMetadata": [ - { - "Filename": "TeamViewer.exe", - "OriginalFileName": "", - "Description": "", - "Product": "TeamViewer" - } - ], - "Privileges": "user", - "Free": true, - "Verification": false, - "SupportedOS": [ - "Android", - "ChromeOS", - "IOS", - "Linux", - "Mac", - "Windows" - ], - "Capabilities": [], - "Vulnerabilities": [ - "https://www.cvedetails.com/vulnerability-list/vendor_id-11100/product_id-19942/Teamviewer-Teamviewer.html" - ], - "InstallationPaths": [ - "C:\\Program Files\\TeamViewer\\", - "teamviewer_desktop.exe", - "teamviewer_service.exe", - "teamviewerhost" - ] - }, - "Artifacts": { - "Disk": [ - { - "File": "C:\\Users\\\\AppData\\Local\\Temp\\TeamViewer\\TV15Install.log", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "TeamViewer\\d\\d_Logfile\\.log", - "Description": "N/A", - "OS": "Windows", - "Type": "Regex" - }, - { - "File": "C:\\Program Files\\TeamViewer\\Connections_incoming.txt", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Program Files\\TeamViewer\\TVNetwork.log", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "%LOCALAPPDATA%\\Temp\\TeamViewer\\TV15Install.log", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "%APPDATA%\\\\TeamViewer\\\\TeamViewer\\d\\d_Logfile\\.log", - "Description": "N/A", - "OS": "Windows", - "Type": "Regex" - }, - { - "File": "teamviewerqs.exe", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "tv_w32.exe", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "tv_w64.exe", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "tv_x64.exe", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "teamviewer.exe", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "teamviewer_service.exe", - "Description": "N/A", - "OS": "Windows" 
- }, - { - "File": "%LOCALAPPDATA%\\TeamViewer\\Database\\tvchatfilecache.db", - "Description": "SQlite 3 database storing cache about TeamViewer chat", - "OS": "Windows" - }, - { - "File": "%LOCALAPPDATA%\\TeamViewer\\RemotePrinting\\tvprint.db", - "Description": "SQlite 3 database storing TeamViewer print jobs", - "OS": "Windows" - }, - { - "File": "%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\TeamViewer.lnk", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Program Files*\\TeamViewer\\connections*.txt", - "Description": "N/A", - "OS": "Windows" - }, - { - "File": "C:\\Users\\*\\AppData\\Roaming\\TeamViewer\\MRU\\RemoteSupport\\*tvc", - "Description": "N/A", - "OS": "Windows" - } - ], - "EventLog": [ - { - "EventID": 7045, - "ProviderName": "Service Control Manager", - "LogFile": "System.evtx", - "ServiceName": "TeamViewer", - "ImagePath": "\"C:\\\\Program Files\\\\TeamViewer\\\\TeamViewer_Service.exe\"", - "Description": "Service installation event as result of TeamViewer installation." 
- } - ], - "Registry": [ - { - "Path": "HKLM\\SOFTWARE\\TeamViewer\\*", - "Description": "N/A" - }, - { - "Path": "HKU\\\\SOFTWARE\\TeamViewer\\*", - "Description": "N/A" - }, - { - "Path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\TeamViewer\\*", - "Description": "N/A" - }, - { - "Path": "HKLM\\SOFTWARE\\TeamViewer\\ConnectionHistory", - "Description": "N/A" - }, - { - "Path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\TeamViewer\\*", - "Description": "N/A" - }, - { - "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\MainWindowHandle", - "Description": "N/A" - }, - { - "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImage", - "Description": "N/A" - }, - { - "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImagePath", - "Description": "N/A" - }, - { - "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\DesktopWallpaperSingleImagePosition", - "Description": "N/A" - }, - { - "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\MinimizeToTray", - "Description": "N/A" - }, - { - "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioUserSelectedCapturingEndpoint", - "Description": "N/A" - }, - { - "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioSendingVolumeV2", - "Description": "N/A" - }, - { - "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\MultiMedia\\AudioUserSelectedRenderingEndpoint", - "Description": "N/A" - }, - { - "Path": "HKLM\\SOFTWARE\\TeamViewer\\ConnectionHistory", - "Description": "N/A" - }, - { - "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\ClientWindow_Mode", - "Description": "N/A" - }, - { - "Path": "HKU\\SID\\SOFTWARE\\TeamViewer\\ClientWindowPositions", - "Description": "N/A" - } - ], + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "Remote Workforce Client.exe" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + 
"Registry": [], "Network": [ { "Description": "Known remote domains", "Domains": [ - "*.teamviewer.com" + "*.247ithelp.com" ], "Ports": [] - }, - { - "Description": "N/A", - "Domains": [ - "router15.teamviewer.com" - ], - "Ports": [ - 443 - ] - }, - { - "Description": "N/A", - "Domains": [ - "client.teamviewer.com" - ], - "Ports": [ - 443 - ] - }, + } + ] + }, + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/247ithelp.com__connectwise__network_sigma.yml", + "Description": "Detects potential network activity of 247ithelp.com (ConnectWise) RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/247ithelp.com__connectwise__processes_sigma.yml", + "Description": "Detects potential processes activity of 247ithelp.com (ConnectWise) RMM tool" + } + ], + "References": [ + "Similar / replaced by ScreenConnect" + ], + "Acknowledgement": [] + }, + { + "Name": "Remobo", + "Description": "Remobo is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/9/2024", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "remobo.exe", + "remobo_client.exe", + "remobo_tracker.exe" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [ { - "Description": "N/A", + "Description": "Known remote domains", "Domains": [ - "taf.teamviewer.com" + "user_managed", + "remobo.en.softonic.com" ], - "Ports": [ - 443 - ] - } - ], - "Other": [ - { - "Type": "Mutex", - "Value": "TeamViewer_LogMutex" - }, - { - "Type": "Mutex", - "Value": "TeamViewerHooks_DynamicMemMutex" - }, - { - "Type": "Mutex", - "Value": "TeamViewer3_Win32_Instance_Mutex" + "Ports": [] } ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_registry_sigma.yml", - "Description": "Detects potential registry activity of TeamViewer RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remobo_network_sigma.yml", + "Description": "Detects potential network activity of Remobo RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_network_sigma.yml", - "Description": "Detects potential network activity of TeamViewer RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remobo_processes_sigma.yml", + "Description": "Detects potential processes activity of Remobo RMM tool" + } + ], + "References": [ + "https://www.remobo.com - DOA as of 2024" + ], + "Acknowledgement": [] + }, + { + "Name": "Free Tools Launcher", + "Description": "Free Tools Launcher is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "C:\\Program Files\\ManageEngine\\ManageEngine Free Tools\\Launcher\\*", + "*\\ManageEngine\\*" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "Echoware", + "Description": "Echoware is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/7/2024", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "echoserver*.exe", + "echoware.dll" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/echoware_processes_sigma.yml", + "Description": "Detects potential processes activity of Echoware RMM tool" + } + ], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "Zoho Assist", + "Description": "Zoho Assist is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/14/2024", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "zaservice.exe", + "ZMAgent.exe", + "C:\\*\\ZA_Access.exe", + "ZohoMeeting.exe", + "Zohours.exe", + "zohotray.exe", + "ZohoURSService.exe", + "*\\ZA_Access.exe", + "Zaservice.exe", + "za_connect.exe" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.zoho.com.au", + "*.zohoassist.jp", + "assist.zoho.com", + "zoho.com/assist/", + "*.zoho.in", + "downloads.zohodl.com.cn", + "*.zohoassist.com", + "downloads.zohocdn.com", + "gateway.zohoassist.com", + "*.zohoassist.com.cn", + "*.zoho.com.cn", + "*.zoho.com", + "*.zoho.eu" + ], + "Ports": [] + } + ] + }, + "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_files_sigma.yml", - "Description": "Detects potential files activity of TeamViewer RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoho_assist_network_sigma.yml", + "Description": "Detects potential network activity of Zoho Assist RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teamviewer_processes_sigma.yml", - "Description": "Detects potential processes activity of TeamViewer RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoho_assist_processes_sigma.yml", + "Description": "Detects potential processes activity of Zoho Assist RMM tool" } ], "References": [ - "https://community.teamviewer.com/English/kb/articles/4139-ports-used-by-teamviewer", - 
"https://arista.my.site.com/AristaCommunity/s/article/Security-Analysis-TeamViewer#", - "https://www.teamviewer.com/en/global/support/knowledge-base/teamviewer-classic/troubleshooting/log-file-reading-incoming-connection/", - "https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html", - "https://github.com/Purp1eW0lf/Blue-Team-Notes" + "https://www.zoho.com/assist/kb/firewall-configuration.html" ], - "Acknowledgement": [ - { - "Person": "Théo Letailleur", - "Handle": "in/theosyn" - } - ] + "Acknowledgement": [] }, { - "Name": "Itarian", - "Description": "Itarian is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "KiTTY", + "Description": "KiTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -9835,57 +9573,31 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ITSMAgent.exe", - "RViewer.exe", - "ItsmRsp.exe", - "RAccess.exe", - "RmmService.exe", - "ITarianRemoteAccessSetup.exe", - "RDesktop.exe", - "ComodoRemoteControl.exe", - "ITSMService.exe", - "RHost.exe" + "C:\\*\\kitty.exe", + "*\\kitty.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "mdmsupport.comodo.com", - "*.itsm-us1.comodo.com", - "*.cmdm.comodo.com", - "remoteaccess.itarian.com", - "servicedesk.itarian.com" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itarian_network_sigma.yml", - "Description": "Detects potential network activity of Itarian RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itarian_processes_sigma.yml", - "Description": "Detects potential processes activity of Itarian RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kitty_processes_sigma.yml", + "Description": "Detects potential processes activity of KiTTY RMM tool" } ], - "References": [ - "https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "Visual Studio Dev Tunnel", - "Description": "Visual Studio Dev Tunnel is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "SimpleHelp", + "Description": "SimpleHelp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -9899,7 +9611,13 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "simplehelpcustomer.exe", + "simpleservice.exe", + "simplegatewayservice.exe", + "remote access.exe", + "windowslauncher.exe" + ] }, "Artifacts": { "Disk": [], @@ -9909,9 +9627,8 @@ { "Description": "Known remote domains", "Domains": [ - "global.rel.tunnels.api.visualstudio.com", - "*.rel.tunnels.api.visualstudio.com", - "*.devtunnels.ms" + "user_managed", + "simple-help.com" ], "Ports": [] } @@ -9919,21 +9636,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/visual_studio_dev_tunnel_network_sigma.yml", - "Description": "Detects potential network activity of Visual Studio Dev Tunnel RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/simplehelp_network_sigma.yml", + "Description": "Detects potential network activity of SimpleHelp RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/simplehelp_processes_sigma.yml", + "Description": "Detects potential processes activity of SimpleHelp RMM tool" } ], "References": [ - "https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security" + "https://simple-help.com/remote-support" ], "Acknowledgement": [] }, { - "Name": "ITSupport247 (ConnectWise)", - "Description": "ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "CloudFlare Tunnel", + "Description": "CloudFlare Tunnel is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -9948,7 +9669,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "saazapsc.exe" + "cloudflared.exe" ] }, "Artifacts": { 
@@ -9959,7 +9680,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.itsupport247.net" + "cloudflare.com/products/tunnel/" ], "Ports": [] } 
@@ -9967,52 +9688,78 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__network_sigma.yml", - "Description": "Detects potential network activity of ITSupport247 (ConnectWise) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudflare_tunnel_network_sigma.yml", + "Description": "Detects potential network activity of CloudFlare Tunnel RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__processes_sigma.yml", - "Description": "Detects potential processes activity of ITSupport247 (ConnectWise) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/cloudflare_tunnel_processes_sigma.yml", + "Description": "Detects potential processes activity of CloudFlare Tunnel RMM tool" } ], "References": [ - "https://control.itsupport247.net/" + "cloudflare.com/products/tunnel/" ], "Acknowledgement": [] }, { - "Name": "LogMeIn", - "Description": "LogMeIn is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.\n", - "Author": "Nasreddine Bencherchali", - "Created": "2024-08-05", - "LastModified": "2024-08-05", + "Name": "GoTo Opener", + "Description": "GoTo Opener is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "", "Details": { - "Website": "https://www.logmein.com/", - "PEMetadata": [ - { - "Filename": "lmiguardiansvc.exe" - }, - { - "Filename": "lmiignition.exe" - }, - { - "Filename": "logmeinsystray.exe" - }, - { - "Filename": "logmein.exe", - "OriginalFileName": "", - "Company": "LogMeIn, Inc.", - "Description": "LMIGuardianSvc", - "Product": "LMIGuardianSvc" - } - ], + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, "Privileges": "", "Free": "", "Verification": "", "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": null + "InstallationPaths": [ + "C:\\Program Files (x86)\\GoTo Opener", + "*\\GoTo Opener" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "Pcvisit", + "Description": "Pcvisit is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/9/2024", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "pcvisit.exe", + "pcvisit_client.exe", + "pcvisit-easysupport.exe", + "pcvisit_service_client.exe" + ] }, "Artifacts": { "Disk": [], 
@@ -10020,79 +9767,33 @@ "Registry": [], "Network": [ { - "Description": "N/A", - "Domains": [ - "logmein-gateway.com" - ], - "Ports": [ - 443 - ] - }, - { - "Description": "N/A", - "Domains": [ - "*.logmein.com" - ], - "Ports": [ - 443 - ] - }, - { - "Description": "N/A", - "Domains": [ - "*.logmein.eu" - ], - "Ports": [ - 443 - ] - }, - { - "Description": "N/A", - "Domains": [ - "logmeinrescue.com" - ], - "Ports": [ - 443 - ] - }, - { - "Description": "N/A", + "Description": "Known remote domains", "Domains": [ - "*.logmeininc.com" + "*.pcvisit.de", + "pcvisit.de" ], - "Ports": [ - 443 - ] + "Ports": [] } ] }, "Detections": [ { - "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml", - "Description": "DNS Query To Remote Access Software Domain From Non-Browser App" - }, - { - "Sigma": "https://github.com/SigmaHQ/sigma/blob/782f0f524e6f797ea114fe0d87b22cb4abaa6b7c/rules/windows/process_creation/proc_creation_win_remote_access_tools_logmein.yml", - "Description": "Remote Access Tool - LogMeIn Execution" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcvisit_network_sigma.yml", + "Description": "Detects potential network activity of Pcvisit RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/logmein_network_sigma.yml", - "Description": "Detects potential network activity of LogMeIn RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pcvisit_processes_sigma.yml", + "Description": "Detects potential processes activity of Pcvisit RMM tool" } ], "References": [ - "https://support.logmeininc.com/central/help/allowlisting-and-firewall-configuration" + "https://www.pcvisit.de/" ], - "Acknowledgement": [ - { - "Person": "Nasreddine Bencherchali", - "Handle": "@nas_bench" - } - ] + "Acknowledgement": [] }, { - "Name": "PuTTY", - "Description": 
"PuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Mocha VNC Lite", + "Description": "Mocha VNC Lite is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -10109,7 +9810,11 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "This installs a modified VNC and cannot be blocked by path separate from VNC", + "This installs a modified VNC and cannot be blocked by path separate from VNC", + "*\\RealVNC\\VNC4\\*" + ] }, "Artifacts": { "Disk": [], @@ -10122,11 +9827,11 @@ "Acknowledgement": [] }, { - "Name": "Netreo", - "Description": "Netreo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Laplink Gold", + "Description": "Laplink Gold is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -10140,7 +9845,10 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "tsircusr.exe", + "laplink.exe" + ] }, "Artifacts": { "Disk": [], @@ -10150,10 +9858,8 @@ { "Description": "Known remote domains", "Domains": [ - "charon.netreo.net", - "activation.netreo.net", - "*.api.netreo.com", - "netreo.com" + "user_managed", + "wen.laplink.com/product/laplink-gold" ], "Ports": [] } 
@@ -10161,21 +9867,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netreo_network_sigma.yml", - "Description": "Detects potential network activity of Netreo RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_gold_network_sigma.yml", + "Description": "Detects potential network activity of Laplink Gold RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_gold_processes_sigma.yml", + "Description": "Detects potential processes activity of Laplink Gold RMM tool" } ], "References": [ - "https://solutions.netreo.com/docs/firewall-requirements" + "wen.laplink.com/product/laplink-gold" ], "Acknowledgement": [] }, { - "Name": "Netop Remote Control (Impero Connect)", - "Description": "Netop Remote Control (Impero Connect) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Iperius Remote", + "Description": "Iperius Remote is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -10190,15 +9900,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "nhostsvc.exe", - "nhstw32.exe", - "ngstw32.exe", - "Netop Ondemand.exe", - "nldrw32.exe", - "rmserverconsolemediator.exe", - "ImperoInit.exe", - "Connect.Backdrop.cloud*.exe", - "ImperoClientSVC.exe" + "iperius.exe", + "iperiusremote.exe" ] }, "Artifacts": { @@ -10209,8 +9912,10 @@ { "Description": "Known remote domains", "Domains": [ - "*.connect.backdrop.cloud", - "*.netop.com" + "*.iperiusremote.com", + "*.iperius.com", + "*.iperius-rs.com", + "iperiusremote.com" ], "Ports": [] } 
@@ -10218,25 +9923,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__impero_connect__network_sigma.yml", - "Description": "Detects potential network activity of Netop Remote Control (Impero Connect) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/iperius_remote_network_sigma.yml", + "Description": "Detects potential network activity of Iperius Remote RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__impero_connect__processes_sigma.yml", - "Description": "Detects potential processes activity of Netop Remote Control (Impero Connect) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/iperius_remote_processes_sigma.yml", + "Description": "Detects potential processes activity of Iperius Remote RMM tool" } ], "References": [ - "https://kb.netop.com/article/firewall-and-proxy-server-considerations-when-using-netop-portal-communication-373.html" + "https://www.iperiusremote.com/download-iperius-remote-desktop-windows.aspx" ], "Acknowledgement": [] }, { - "Name": "Splashtop (Beta)", - "Description": "Splashtop (Beta) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "BeamYourScreen", + "Description": "BeamYourScreen is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -10251,10 +9956,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "SRServer.exe", - "SplashtopSOS.exe", - "Splashtop_Streamer_Windows*.exe", - "SRManager.exe" + "beamyourscreen.exe", + "beamyourscreen-host.exe" ] }, "Artifacts": { 
@@ -10265,7 +9968,8 @@ { "Description": "Known remote domains", "Domains": [ - "splashtop.com" + "beamyourscreen.com", + "*.beamyourscreen.com" ], "Ports": [] } @@ -10273,23 +9977,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop__beta__network_sigma.yml", - "Description": "Detects potential network activity of Splashtop (Beta) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beamyourscreen_network_sigma.yml", + "Description": "Detects potential network activity of BeamYourScreen RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop__beta__processes_sigma.yml", - "Description": "Detects potential processes activity of Splashtop (Beta) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beamyourscreen_processes_sigma.yml", + "Description": "Detects potential processes activity of BeamYourScreen RMM tool" } ], - "References": [], + "References": [ + "beamyourscreen redirects to https://www.mikogo.com/" + ], "Acknowledgement": [] }, { - "Name": "FastViewer", - "Description": "FastViewer is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "TeleDesktop", + "Description": "TeleDesktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { @@ -10304,9 +10010,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "fastclient.exe", - "fastmaster.exe", - "FastViewer.exe" + "pstlaunch.exe", + "ptdskclient.exe", + "ptdskhost.exe" ] }, "Artifacts": { @@ -10317,8 +10023,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.fastviewer.com", - "fastviewer.com" + "user_managed", + "tele-desk.com" ], "Ports": [] } 
@@ -10326,22 +10032,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fastviewer_network_sigma.yml", - "Description": "Detects potential network activity of FastViewer RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teledesktop_network_sigma.yml", + "Description": "Detects potential network activity of TeleDesktop RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fastviewer_processes_sigma.yml", - "Description": "Detects potential processes activity of FastViewer RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/teledesktop_processes_sigma.yml", + "Description": "Detects potential processes activity of TeleDesktop RMM tool" } ], "References": [ - "https://fastviewer.com/demo/EN_FastViewer_Server%20Installation%20Configuration.pdf" + "http://potomacsoft.com/ - DOA as of 2024" ], "Acknowledgement": [] }, { - "Name": "RustDesk", - "Description": "RustDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Parallels Access", + "Description": "Parallels Access is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -10359,8 +10065,11 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "rustdesk*.exe", - "rustdesk.exe" + "parallelsaccess-*.exe", + "TSClient.exe", + "prl_deskctl_agent.exe", + "prl_deskctl_wizard.exe", + "prl_pm_service.exe" ] }, "Artifacts": { @@ -10371,9 +10080,8 @@ { "Description": "Known remote domains", "Domains": [ - "rustdesk.com", - "user_managed", - "web.rustdesk.com" + "*.parallels.com", + "parallels.com/products/ras/try" ], "Ports": [] } 
@@ -10381,57 +10089,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rustdesk_network_sigma.yml", - "Description": "Detects potential network activity of RustDesk RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/parallels_access_network_sigma.yml", + "Description": "Detects potential network activity of Parallels Access RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rustdesk_processes_sigma.yml", - "Description": "Detects potential processes activity of RustDesk RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/parallels_access_processes_sigma.yml", + "Description": "Detects potential processes activity of Parallels Access RMM tool" } ], "References": [ - "https://rustdesk.com/docs/en/" + "https://kb.parallels.com/en/129097" ], "Acknowledgement": [] }, { - "Name": "MobaXterm", - "Description": "MobaXterm is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\*\\MobaXterm_installer_12.1.msi", - "*\\MobaXterm_installer_*.msi", - "*\\Mobatek\\MobaXterm\\*" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [] - }, - "Detections": [], - "References": [], - "Acknowledgement": [] - }, - { - "Name": "GoToAssist", - "Description": "GoToAssist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Basecamp", + "Description": "Basecamp is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/7/2024", @@ -10448,11 +10121,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "gotoassist.exe", - "g2a*.exe", - "GoTo Assist Opener.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], @@ -10462,14 +10131,7 @@ { "Description": "Known remote domains", "Domains": [ - "goto.com", - "*.getgo.com", - "*.fastsupport.com", - "*.gotoassist.com", - "helpme.net", - "*.gotoassist.me", - "*.gotoassist.at", - "*.desktopstreaming.com" + "basecamp.com" ], "Ports": [] } 
@@ -10477,59 +10139,21 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotoassist_network_sigma.yml", - "Description": "Detects potential network activity of GoToAssist RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotoassist_processes_sigma.yml", - "Description": "Detects potential processes activity of GoToAssist RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/basecamp_network_sigma.yml", + "Description": "Detects potential network activity of Basecamp RMM tool" } ], "References": [ - "https://help.gotoassist.com/remote-support/help/what-should-i-allow-on-my-firewall-for-gotoassist-remote-support-v5" + "basecamp.com - No specific RMM tool listed" ], "Acknowledgement": [] }, { - "Name": "Free Ping Tool", - "Description": "Free Ping Tool is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "can't find this one", - "can't find this one" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [] - }, - "Detections": [], - "References": [], - "Acknowledgement": [] - }, - { - "Name": "HelpBeam", - "Description": "HelpBeam is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Weezo", + "Description": "Weezo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -10544,7 +10168,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "helpbeam*.exe" + "weezohttpd.exe", + "weezo.exe", + "weezo setup*.exe" ] }, "Artifacts": { @@ -10555,7 +10181,10 @@ { "Description": "Known remote domains", "Domains": [ - "helpbeam.software.informer.com" + "*.weezo.me", + "weezo.net", + "*.weezo.net", + "weezo.en.softonic.com" ], "Ports": [] } @@ -10563,25 +10192,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpbeam_network_sigma.yml", - "Description": "Detects potential network activity of HelpBeam RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/weezo_network_sigma.yml", + "Description": "Detects potential network activity of Weezo RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpbeam_processes_sigma.yml", - "Description": "Detects potential processes activity of HelpBeam RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/weezo_processes_sigma.yml", + "Description": "Detects potential processes activity of Weezo RMM tool" } ], "References": [ - "https://www.helpbeam.com domain for sale in 2024" + "weezo.en.softonic.com" ], "Acknowledgement": [] }, { - "Name": "NTR Remote", - "Description": "NTR Remote is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "X2Go", + "Description": "X2Go is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/26/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -10595,45 +10224,26 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "NTRsupportPro_EN.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.ntrsupport.com" - ], - "Ports": [] - } - ] + "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ntr_remote_network_sigma.yml", - "Description": "Detects potential network activity of NTR Remote RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ntr_remote_processes_sigma.yml", - "Description": "Detects potential processes activity of NTR Remote RMM tool" - } - ], + "Detections": [], "References": [ - "DOA as of 2024" + "https://wiki.x2go.org/doku.php" ], "Acknowledgement": [] }, { - "Name": "ServerEye", - "Description": "ServerEye is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Dev Tunnels (aka Visual Studio Dev Tunnel)", + "Description": "Dev Tunnels (aka Visual Studio Dev Tunnel) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -10647,10 +10257,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "servereye*.exe", - "ServiceProxyLocalSys.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], @@ -10660,7 +10267,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.server-eye.de" + "learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview" ], "Ports": [] } 
@@ -10668,25 +10275,19 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/servereye_network_sigma.yml", - "Description": "Detects potential network activity of ServerEye RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/servereye_processes_sigma.yml", - "Description": "Detects potential processes activity of ServerEye RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dev_tunnels__aka_visual_studio_dev_tunnel__network_sigma.yml", + "Description": "Detects potential network activity of Dev Tunnels (aka Visual Studio Dev Tunnel) RMM tool" } ], - "References": [ - "https://www.servereye.de/wp-content/uploads/Anleitung-zur-Erstinstallation_aktuell.pdf" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "WebRDP", - "Description": "WebRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Connectwise Automate (LabTech)", + "Description": "Connectwise Automate (LabTech) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -10701,7 +10302,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "webrdp.exe" + "ltsvc.exe", + "ltsvcmon.exe", + "lttray.exe" ] }, "Artifacts": { @@ -10712,8 +10315,7 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "github.com/Mikej81/WebRDP" + "*.hostedrmm.com" ], "Ports": [] } 
@@ -10721,22 +10323,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/webrdp_network_sigma.yml", - "Description": "Detects potential network activity of WebRDP RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_automate__labtech__network_sigma.yml", + "Description": "Detects potential network activity of Connectwise Automate (LabTech) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/webrdp_processes_sigma.yml", - "Description": "Detects potential processes activity of WebRDP RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/connectwise_automate__labtech__processes_sigma.yml", + "Description": "Detects potential processes activity of Connectwise Automate (LabTech) RMM tool" } ], "References": [ - "github.com/Mikej81/WebRDP" + "https://www.connectwise.com/company/announcements/labtech-now-connectwise-automate" ], "Acknowledgement": [] }, { - "Name": "GoTo Opener", - "Description": "GoTo Opener is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Splashtop (Beta)", + "Description": "Splashtop (Beta) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -10754,23 +10356,42 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\GoTo Opener", - "*\\GoTo Opener" + "SRServer.exe", + "SplashtopSOS.exe", + "Splashtop_Streamer_Windows*.exe", + "SRManager.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "splashtop.com" + ], + "Ports": [] + } + ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop__beta__network_sigma.yml", + "Description": "Detects potential network activity of Splashtop (Beta) RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/splashtop__beta__processes_sigma.yml", + "Description": "Detects potential processes activity of Splashtop (Beta) RMM tool" + } + ], "References": [], "Acknowledgement": [] }, { - "Name": "S3 Browser", - "Description": "S3 Browser is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Netop", + "Description": "Netop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -10788,9 +10409,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\S3 Browser\\*", - "*\\S3 Browser\\*", - "*\\s3browser*.exe" + "C:\\Program Files\\Danware Data\\NetOp Packn Deploy\\*", + "*\\Danware Data\\NetOp Packn Deploy\\*", + "*\\Netop Remote Control\\*" ] }, "Artifacts": { 
@@ -10799,28 +10420,31 @@ "Registry": [], "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/s3_browser_processes_sigma.yml", - "Description": "Detects potential processes activity of S3 Browser RMM tool" - } - ], + "Detections": [], "References": [], "Acknowledgement": [] }, { - "Name": "Any Support", - "Description": "Any Support is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/27/2024", + "Name": "Kaseya (VSA)", + "Description": "Kaseya (VSA) aka Unigma is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.\n", + "Author": "Nasreddine Bencherchali", + "Created": "2024-08-05", + "LastModified": "2024-08-05", "Details": { "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, + "PEMetadata": [ + { + "Filename": "agentmon.exe" + }, + { + "Filename": "KaUpdHlp.exe" + }, + { + "Filename": "KaUsrTsk.exe", + "OriginalFileName": "", + "Description": "" + } + ], "Privileges": "", "Free": "", "Verification": "", 
@@ -10828,72 +10452,102 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ManualLauncher.exe" + "C:\\Program Files (x86)\\Kaseya\\", + "C:\\ProgramData\\Kaseya\\" ] }, "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [ + "Disk": [ { - "Description": "Known remote domains", - "Domains": [ - "*.anysupport.net" - ], - "Ports": [] + "File": "%localappdata%\\Kaseya\\Log\\KaseyaLiveConnect\\*", + "Description": "Kaseya Live Connect logs", + "OS": "Windows" + }, + { + "File": "~/Library/Logs/com.kaseya/KaseyaLiveConnect/*", + "Description": "Kaseya Live Connect logs", + "OS": "MacOS" + }, + { + "File": "C:\\ProgramData\\Kaseya\\Log\\Endpoint\\*", + "Description": "Kaseya Endpoint logs", + "OS": "Windows" + }, + { + "File": "C:\\Program Files*\\Kaseya\\*\\agentmon.log", + "Description": "Kaseya Agent Monitor log" + }, + { + "File": "/var/log/system.log", + "Description": "Kaseya Agent Monitor log", + "OS": "MacOS 32bit" + }, + { + "File": " ~/opt/kaseya/*/logs*", + "Description": "Kaseya Agent Monitor log", + "OS": "MacOS 64bit" + }, + { + "File": "C:\\Users\\*\\AppData\\Local\\Temp\\KASetup.log", + "Description": "Kaseya Setup log in user temp directory", + "OS": "Windows" + }, + { + "File": "C:\\Windows\\Temp\\KASetup.log", + "Description": "Kaseya Setup log in Windows temp directory", + "OS": "Windows" + }, + { + "File": "C:\\ProgramData\\Kaseya\\Log\\KaseyaEdgeServices\\*", + "Description": "Kaseya Edge Services logs", + "OS": "Windows" + }, + { + "File": "C:\\Kaseya\\api\\v1.0\\logs\\", + "Description": "Kaseya API logs", + "OS": "Windows" + }, + { + "File": "C:\\Kaseya\\api\\v1.5\\endpoint\\logs", + "Description": "Kaseya API logs", + "OS": "Windows" + }, + { + "File": "C:\\Kaseya\\api\\v1.5\\endpoints\\logs", + "Description": "Kaseya API logs", + "OS": "Windows" + }, + { + "File": "C:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Kaseya\\Log\\MakeSelfSignedCert.exe\\", + "Description": "Certificate 
creation", + "OS": "Windows" + }, + { + "File": "C:\\Kaseya\\WebPages\\install\\makecert.txt", + "Description": "Certificate creation", + "OS": "Windows" + }, + { + "File": "C:\\ProgramData\\Kaseya\\Log\\Endpoint\\Instance_*\\KaseyaEndpoint*", + "Description": "Endpoint service logs", + "OS": "Windows" + }, + { + "File": "C:\\ProgramData\\Kaseya\\Log\\Endpoint\\Instance_*\\Session_*", + "Description": "Session logs", + "OS": "Windows" } - ] - }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/any_support_network_sigma.yml", - "Description": "Detects potential network activity of Any Support RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/any_support_processes_sigma.yml", - "Description": "Detects potential processes activity of Any Support RMM tool" - } - ], - "References": [ - "https://www.anysupport.net/introduce_howto.php" - ], - "Acknowledgement": [] - }, - { - "Name": "BeamYourScreen", - "Description": "BeamYourScreen is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/7/2024", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "beamyourscreen.exe", - "beamyourscreen-host.exe" - ] - }, - "Artifacts": { - "Disk": [], + ], "EventLog": [], "Registry": [], "Network": [ { "Description": "Known remote domains", "Domains": [ - "beamyourscreen.com", - "*.beamyourscreen.com" + "deploy01.kaseya.com", + "*managedsupport.kaseya.net", + "*.kaseya.net", + "kaseya.com" ], "Ports": [] } 
@@ -10901,25 +10555,28 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beamyourscreen_network_sigma.yml", - "Description": "Detects potential network activity of BeamYourScreen RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kaseya__vsa__network_sigma.yml", + "Description": "Detects potential network activity of Kaseya (VSA) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beamyourscreen_processes_sigma.yml", - "Description": "Detects potential processes activity of BeamYourScreen RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kaseya__vsa__files_sigma.yml", + "Description": "Detects potential files activity of Kaseya (VSA) RMM tool" } ], "References": [ - "beamyourscreen redirects to https://www.mikogo.com/" + "https://helpdesk.kaseya.com/hc/en-gb/articles/229012608-Software-Deployment-URL-Port-Requirements", + "https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations", + "https://ruler-project.github.io/ruler-project/RULER/remote/Kaseya/", + "https://helpdesk.kaseya.com/hc/en-gb/articles/229009708-Live-Connect-Log-File-Locations" ], "Acknowledgement": [] }, { - "Name": "Sophos-Remote Management System", - "Description": "Sophos-Remote Management System is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "HelpBeam", + "Description": "HelpBeam is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -10934,9 +10591,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "clientmrinit.exe", - "mgntsvc.exe", - "routernt.exe" + "helpbeam*.exe" ] }, "Artifacts": { 
@@ -10947,10 +10602,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.sophos.com", - "*.sophosupd.com", - "*.sophosupd.net", - "community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system" + "helpbeam.software.informer.com" ], "Ports": [] } @@ -10958,22 +10610,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sophos-remote_management_system_network_sigma.yml", - "Description": "Detects potential network activity of Sophos-Remote Management System RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpbeam_network_sigma.yml", + "Description": "Detects potential network activity of HelpBeam RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/sophos-remote_management_system_processes_sigma.yml", - "Description": "Detects potential processes activity of Sophos-Remote Management System RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/helpbeam_processes_sigma.yml", + "Description": "Detects potential processes activity of HelpBeam RMM tool" } ], "References": [ - "community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/5725/sophos-remote-management-system" + "https://www.helpbeam.com domain for sale in 2024" ], "Acknowledgement": [] }, { - "Name": "PSEXEC (Clone)", - "Description": "PSEXEC (Clone) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Quest KACE Agent (formerly Dell KACE)", + "Description": "Quest KACE Agent (formerly Dell KACE) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", 
@@ -10991,13 +10643,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "paexec.exe", - "PAExec-*.exe", - "csexec.exe ", - "remcom.exe", - "remcomsvc.exe", - "xcmd.exe", - "xcmdsvc.exe" + "konea.exe" ] }, "Artifacts": { @@ -11008,7 +10654,8 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed" + "*.kace.com", + "www.quest.com/kace/" ], "Ports": [] } @@ -11016,25 +10663,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec__clone__network_sigma.yml", - "Description": "Detects potential network activity of PSEXEC (Clone) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quest_kace_agent__formerly_dell_kace__network_sigma.yml", + "Description": "Detects potential network activity of Quest KACE Agent (formerly Dell KACE) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec__clone__processes_sigma.yml", - "Description": "Detects potential processes activity of PSEXEC (Clone) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quest_kace_agent__formerly_dell_kace__processes_sigma.yml", + "Description": "Detects potential processes activity of Quest KACE Agent (formerly Dell KACE) RMM tool" } ], "References": [ - "https://www.poweradmin.com/paexec/" + "https://support.quest.com/kb/4211365/which-network-ports-and-urls-are-required-for-the-kace-sma-appliance-to-function" ], "Acknowledgement": [] }, { - "Name": "GetScreen", - "Description": "GetScreen is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "DeskShare", + "Description": "DeskShare is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/26/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -11049,8 +10696,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "GetScreen.exe", - "getscreen.exe" + "TeamTaskManager.exe", + "DSGuest.exe" ] }, "Artifacts": { @@ -11061,9 +10708,7 @@ { "Description": "Known remote domains", "Domains": [ - "getscreen.me", - "GetScreen.me", - "*.getscreen.me" + "user_managed" ], "Ports": [] } @@ -11071,22 +10716,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/getscreen_network_sigma.yml", - "Description": "Detects potential network activity of GetScreen RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskshare_network_sigma.yml", + "Description": "Detects potential network activity of DeskShare RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/getscreen_processes_sigma.yml", - "Description": "Detects potential processes activity of GetScreen RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskshare_processes_sigma.yml", + "Description": "Detects potential processes activity of DeskShare RMM tool" } ], "References": [ - "https://docs.getscreen.me/self-hosted/system-requirements/" + "https://www.deskshare.com/help/fml/Active-and-Passive-connection-mode.aspx" ], "Acknowledgement": [] }, { - "Name": "RemotePC", - "Description": "RemotePC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "rdpwrap", + "Description": "rdpwrap is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", 
@@ -11104,16 +10749,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\RemotePC\\*", - "Idrive.File-Transfer", - "*\\RemotePC\\*", - "remotepcservice.exe", - "RemotePC.exe", - "remotepchost.exe", - "idrive.RemotePCAgent", - "rpcsuite.exe", - "*\\RemotePCService.exe", - "RemotePCService.exe" + "RDPWInst.exe", + "RDPCheck.exe", + "RDPConf.exe" ] }, "Artifacts": { @@ -11124,10 +10762,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.remotedesktop.com", - "*.remotepc.com", - "www.remotepc.com", - "remotepc.com" + "user_managed", + "github.com/stascorp/rdpwrap" ], "Ports": [] } 
@@ -11135,25 +10771,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepc_network_sigma.yml", - "Description": "Detects potential network activity of RemotePC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpwrap_network_sigma.yml", + "Description": "Detects potential network activity of rdpwrap RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepc_processes_sigma.yml", - "Description": "Detects potential processes activity of RemotePC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpwrap_processes_sigma.yml", + "Description": "Detects potential processes activity of rdpwrap RMM tool" } ], "References": [ - "https://www.remotedesktop.com/helpdesk/faq-firewall" + "github.com/stascorp/rdpwrap" ], "Acknowledgement": [] }, { - "Name": "Tanium", - "Description": "Tanium is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Total Software Deployment", + "Description": "Total Software Deployment is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -11168,46 +10804,30 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "TaniumClient.exe", - "TaniumCX.exe", - "TaniumExecWrapper.exe", - "TaniumFileInfo.exe", - "TPowerShell.exe" + "C:\\ProgramData\\Total Software Deployment\\*", + "*\\Total Software Deployment\\*", + "*\\tniwinagent.exe", + "*\\Tsdservice.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "cloud.tanium.com", - "*.cloud.tanium.com" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_network_sigma.yml", - "Description": "Detects potential network activity of Tanium RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_processes_sigma.yml", - "Description": "Detects potential processes activity of Tanium RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/total_software_deployment_processes_sigma.yml", + "Description": "Detects potential processes activity of Total Software Deployment RMM tool" } ], - "References": [ - "https://help.tanium.com/bundle/ug_client_cloud/page/client/platform_connections.html" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "LabTeach (Connectwise Automate)", - "Description": "LabTeach (Connectwise Automate) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "PuTTY", + "Description": "PuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -11224,9 +10844,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "ltsvc.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], 
@@ -11234,18 +10852,13 @@ "Registry": [], "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labteach__connectwise_automate__processes_sigma.yml", - "Description": "Detects potential processes activity of LabTeach (Connectwise Automate) RMM tool" - } - ], + "Detections": [], "References": [], "Acknowledgement": [] }, { - "Name": "RemoteView", - "Description": "RemoteView is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "RDPView", + "Description": "RDPView is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -11263,10 +10876,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "remoteview.exe", - "rv.exe", - "rvagent.exe", - "rvagtray.exe" + "dwrcs.exe" ] }, "Artifacts": { @@ -11277,9 +10887,8 @@ { "Description": "Known remote domains", "Domains": [ - "*content.rview.com", - "*.rview.com", - "content.rview.com" + "user_managed", + "systemmanager.ru/dntu.en/rdp_view.htm" ], "Ports": [] } 
@@ -11287,25 +10896,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteview_network_sigma.yml", - "Description": "Detects potential network activity of RemoteView RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpview_network_sigma.yml", + "Description": "Detects potential network activity of RDPView RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteview_processes_sigma.yml", - "Description": "Detects potential processes activity of RemoteView RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdpview_processes_sigma.yml", + "Description": "Detects potential processes activity of RDPView RMM tool" } ], "References": [ - "https://help.rview.com/hc/en-us/articles/360005175994--RemoteView-Server-list-for-firewall" + "systemmanager.ru/dntu.en/rdp_view.htm - Same as Damware" ], "Acknowledgement": [] }, { - "Name": "UltraVNC", - "Description": "UltraVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Fortra", + "Description": "Fortra is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -11319,9 +10928,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "UltraVNC*.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], @@ -11331,8 +10938,7 @@ { "Description": "Known remote domains", "Domains": [ - "ultravnc.com", - "user_managed" + "fortra.com" ], "Ports": [] } 
@@ -11340,22 +10946,18 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultravnc_network_sigma.yml", - "Description": "Detects potential network activity of UltraVNC RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultravnc_processes_sigma.yml", - "Description": "Detects potential processes activity of UltraVNC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fortra_network_sigma.yml", + "Description": "Detects potential network activity of Fortra RMM tool" } ], "References": [ - "https://uvnc.com/docs/uvnc-server/49-UltraVNC-server-configuration.html" + "https://www.fortra.com - No free/cloud RMM softwars listed" ], "Acknowledgement": [] }, { - "Name": "SmarTTY", - "Description": "SmarTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ISL Light", + "Description": "ISL Light is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -11373,32 +10975,44 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "c:\\Program Files (x86)\\Sysprogs\\SmarTTY\\*", - "*\\Sysprogs\\SmarTTY\\*", - "*\\SmarTTY.exe" + "islalwaysonmonitor.exe", + "isllight.exe", + "isllightservice.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "islonline.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/smartty_processes_sigma.yml", - "Description": "Detects potential processes activity of SmarTTY RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_light_network_sigma.yml", + "Description": "Detects potential network activity of ISL Light RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_light_processes_sigma.yml", + "Description": "Detects potential processes activity of ISL Light RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "Absolute (Computrace)", - "Description": "Absolute (Computrace) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Pocket Controller (Soti Xsight)", + "Description": "Pocket Controller (Soti Xsight) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "6/18/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -11413,11 +11027,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "rpcnet.exe", - "ctes.exe", - "ctespersitence.exe", - "cteshostsvc.exe", - "rpcld.exe" + "pocketcontroller.exe", + "wysebrowser.exe", + "XSightService.exe" ] }, "Artifacts": { 
@@ -11428,8 +11040,7 @@ { "Description": "Known remote domains", "Domains": [ - "*search.namequery.com", - "*server.absolute.com" + "*soti.net" ], "Ports": [] } @@ -11437,25 +11048,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/absolute__computrace__network_sigma.yml", - "Description": "Detects potential network activity of Absolute (Computrace) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller__soti_xsight__network_sigma.yml", + "Description": "Detects potential network activity of Pocket Controller (Soti Xsight) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/absolute__computrace__processes_sigma.yml", - "Description": "Detects potential processes activity of Absolute (Computrace) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_controller__soti_xsight__processes_sigma.yml", + "Description": "Detects potential processes activity of Pocket Controller (Soti Xsight) RMM tool" } ], "References": [ - "https://community.absolute.com/s/article/Understanding-Absolutes-Endpoint-Agents-Rpcnet-CTES-and-search-namequery-com" + "https://pulse.soti.net/support/soti-xsight/help/" ], "Acknowledgement": [] }, { - "Name": "Quest KACE Agent (formerly Dell KACE)", - "Description": "Quest KACE Agent (formerly Dell KACE) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "GatherPlace-desktop sharing", + "Description": "GatherPlace-desktop sharing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -11470,7 +11081,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "konea.exe" + "gp3.exe", + "gp4.exe", + "gp5.exe" ] }, "Artifacts": { @@ -11481,8 +11094,9 @@ { "Description": "Known remote domains", "Domains": [ - "*.kace.com", - "www.quest.com/kace/" + "*.gatherplace.com", + "*.gatherplace.net", + "gatherplace.com" ], "Ports": [] } 
@@ -11490,25 +11104,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quest_kace_agent__formerly_dell_kace__network_sigma.yml", - "Description": "Detects potential network activity of Quest KACE Agent (formerly Dell KACE) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gatherplace-desktop_sharing_network_sigma.yml", + "Description": "Detects potential network activity of GatherPlace-desktop sharing RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quest_kace_agent__formerly_dell_kace__processes_sigma.yml", - "Description": "Detects potential processes activity of Quest KACE Agent (formerly Dell KACE) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gatherplace-desktop_sharing_processes_sigma.yml", + "Description": "Detects potential processes activity of GatherPlace-desktop sharing RMM tool" } ], "References": [ - "https://support.quest.com/kb/4211365/which-network-ports-and-urls-are-required-for-the-kace-sma-appliance-to-function" + "https://www.gatherplace.com/kb?id=136377" ], "Acknowledgement": [] }, { - "Name": "DeskShare", - "Description": "DeskShare is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Site24x7", + "Description": "Site24x7 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/26/2024", + "LastModified": "2/13/2024", "Details": { "Website": "", "PEMetadata": { @@ -11523,8 +11137,10 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "TeamTaskManager.exe", - "DSGuest.exe" + "MEAgentHelper.exe", + "MonitoringAgent.exe", + "Site24x7WindowsAgentTrayIcon.exe", + "Site24x7PluginAgent.exe" ] }, "Artifacts": { 
@@ -11535,7 +11151,12 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed" + "plus*.site24x7.com", + "plus*.site24x7.eu", + "plus*.site24x7.in", + "plus*.site24x7.cn", + "plus*.site24x7.net.au", + "site24x7.com/msp" ], "Ports": [] } 
@@ -11543,63 +11164,119 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskshare_network_sigma.yml", - "Description": "Detects potential network activity of DeskShare RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/site24x7_network_sigma.yml", + "Description": "Detects potential network activity of Site24x7 RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskshare_processes_sigma.yml", - "Description": "Detects potential processes activity of DeskShare RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/site24x7_processes_sigma.yml", + "Description": "Detects potential processes activity of Site24x7 RMM tool" } ], "References": [ - "https://www.deskshare.com/help/fml/Active-and-Passive-connection-mode.aspx" + "https://support.site24x7.com/portal/en/kb/articles/which-ports-do-i-need-to-allow-access-in-my-firewall-to-use-site24x7-agent" ], "Acknowledgement": [] }, { - "Name": "Pocket Cloud (Wyse)", - "Description": "Pocket Cloud (Wyse) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/9/2024", + "Name": "MeshCentral", + "Description": "MeshCentral is a remote monitoring and management (RMM) tool. MeshAgent used along with MeshCentral to remotely manage computers. 
MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.\n", + "Author": "@kostastsale", + "Created": "2024-09-20", + "LastModified": "2024-09-20", "Details": { - "Website": "", + "Website": "https://meshcentral.com/", "PEMetadata": { - "Filename": "", + "Filename": "MeshAgent.exe", "OriginalFileName": "", - "Description": "" + "Description": "MeshCentral Background Service Agent" }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], + "Privileges": "SYSTEM", + "Free": "Yes", + "Verification": "N/A", + "SupportedOS": [ + "Windows", + "Linux", + "MacOS", + "FreeBSD" + ], + "Capabilities": [ + "Remote Desktop & Terminal", + "Remote File Access", + "Text and Voice Chat", + "Server File Storage", + "Real-time User interface", + "Port Forwarding" + ], + "Vulnerabilities": [ + "CVE-2024-26135" + ], "InstallationPaths": [ - "pocketcloud*.exe", - "pocketcloudservice.exe" + "meshcentral*.exe", + "meshagent*.exe" ] }, "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [] + "Disk": [ + { + "File": "C:\\Program Files\\Mesh Agent\\MeshAgent.exe", + "Description": "Local MeshAgent service binary after installation", + "OS": "Windows" + }, + { + "File": "C:\\Program Files\\Mesh Agent\\MeshAgent.msh", + "Description": "Local MeshAgent service configuration file. Contains configuration settings including the MeshCentral server address, port, and other settings. 
If the MeshAgent is run without being installed, the configuration file is created in the same directory as the MeshAgent binary.", + "OS": "Windows" + } + ], + "EventLog": [ + { + "EventID": 7045, + "ProviderName": "Service Control Manager", + "LogFile": "System.evtx", + "ServiceName": "Mesh Agent background service", + "ImagePath": "\"C:\\\\Program Files\\\\Mesh Agent\\\\MeshAgent.exe\"", + "Description": "Service installation event as result of MeshAgent installation." + } + ], + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "user_managed", + "meshcentral.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pocket_cloud__wyse__processes_sigma.yml", - "Description": "Detects potential processes activity of Pocket Cloud (Wyse) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_network_sigma.yml", + "Description": "Detects potential network activity of MeshCentral RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_processes_sigma.yml", + "Description": "Detects potential processes activity of MeshCentral RMM tool" + }, + { + "Sigma": "https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/proc_creation_windows_meshagent.yml", + "Description": "Detects MeshAgent Command Execution via MeshCentral" } ], "References": [ - "https://wyse-pocketcloud.informer.com/2.1/" + "https://ylianst.github.io/MeshCentral/meshcentral/", + "https://github.com/Ylianst/MeshAgent" ], - "Acknowledgement": [] + "Acknowledgement": [ + { + "Person": "Kostas", + "Handle": "@kostastsale" + } + ] }, { - "Name": "Pilixo", - "Description": "Pilixo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "MSP360", + "Description": "MSP360 is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -11617,8 +11294,17 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "rdp.exe", - "Pilixo_Installer*.exe" + "Online Backup.exe", + "CBBackupPlan.exe", + "Cloud.Backup.Scheduler.exe", + "Cloud.Backup.RM.Service.exe", + "cbb.exe", + "CloudRaService.exe", + "CloudRaSd.exe", + "CloudRaCmd.exe", + "CloudRaUtilities.exe", + "Remote Desktop.exe", + "Connect.exe" ] }, "Artifacts": { @@ -11629,9 +11315,10 @@ { "Description": "Known remote domains", "Domains": [ - "pilixo.com", - "download.pilixo.com", - "*.pilixo.com" + "*.cloudberrylab.com", + "*.msp360.com", + "*.mspbackups.com", + "msp360.com" ], "Ports": [] } 
@@ -11639,61 +11326,100 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pilixo_network_sigma.yml", - "Description": "Detects potential network activity of Pilixo RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/msp360_network_sigma.yml", + "Description": "Detects potential network activity of MSP360 RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pilixo_processes_sigma.yml", - "Description": "Detects potential processes activity of Pilixo RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/msp360_processes_sigma.yml", + "Description": "Detects potential processes activity of MSP360 RMM tool" } ], "References": [ - "https://pilixo.freshdesk.com/support/solutions/articles/9000141879-device-connectivity-and-firewalls" + "https://kb.msp360.com/managed-backup-service/mbs-tcp-ports-configuration#" ], "Acknowledgement": [] }, { - "Name": "Mikogo", - "Description": "Mikogo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/7/2024", + "Name": "ScreenConnect", + "Description": "ScreenConnect is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Author": "Ali Alwashali, Nasreddine Bencherchali", + "Created": "2023-10-01", + "LastModified": "2024-08-03", "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, + "Website": "https://www.connectwise.com", + "PEMetadata": [ + { + "Filename": "", + "OriginalFileName": "", + "Description": "" + } + ], "Privileges": "", - "Free": "", + "Free": "14-Days Free Trial", "Verification": "", - "SupportedOS": [], - "Capabilities": [], + "SupportedOS": [ + "Android", + "IOS", + "Linux", + "Mac", + "Windows" + ], + "Capabilities": [ + "Command Line Support", + "File Transfer", + "Install Windows updates", + "Receive notification when user performs a predefined event", + "Remote Command Line", + "Remote Control", + "Sound Capture", + "Start / Stop services", + "View event logs" + ], "Vulnerabilities": [], "InstallationPaths": [ - "mikogo.exe", - "mikogo-starter.exe", - "mikogo-service.exe", - "mikogolauncher.exe", - "C:\\Users\\*\\AppData\\Roaming\\Mikogo\\*", - "*Users\\*\\AppData\\Roaming\\Mikogo\\*", - "*\\Mikogo-Service.exe", - "*\\Mikogo-Screen-Service.exe" + "C:\\Program Files (x86)\\ScreenConnect Client (Random)\\ScreenConnect.ClientService.exe", + "Remote Workforce Client.exe", + "*\\*\\ScreenConnect.ClientService.exe", + "C:\\Program Files (x86)\\ScreenConnect Client ()\\*", + "*\\ScreenConnect Client*\\*", + "*\\*\\ScreenConnect.WindowsClient.exe", + "screenconnect*.exe", + "screenconnect.windowsclient.exe", + "Remote Workforce Client.exe", + "screenconnect*.exe", + "ConnectWiseControl*.exe", + "connectwise*.exe", + "screenconnect.windowsclient.exe", + "screenconnect.clientservice.exe" ] }, "Artifacts": { - "Disk": [], + "Disk": [ + { + "File": "C:\\Program Files*\\ScreenConnect\\App_Data\\Session.db", + "Description": "ScreenConnect session database", + "OS": "Windows" + }, + { + "File": "C:\\Program Files*\\ScreenConnect\\App_Data\\User.xml", 
+ "Description": "ScreenConnect user configuration", + "OS": "Windows" + }, + { + "File": "C:\\ProgramData\\ScreenConnect Client*\\user.config", + "Description": "ScreenConnect client user configuration", + "OS": "Windows" + } + ], "EventLog": [], "Registry": [], "Network": [ { "Description": "Known remote domains", "Domains": [ - "*.real-time-collaboration.com", - "*.mikogo4.com", - "*.mikogo.com", - "mikogo.com" + "control.connectwise.com", + "*.connectwise.com", + "*.screenconnect.com" ], "Ports": [] } 
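Review bot: The ScreenConnect entry on the new side still carries `"EventLog": [],` and `"LastModified": "2024-08-03",`, so this regenerated JSON does not reflect the ScreenConnect event-log artifacts and reference this commit is meant to add; if rmm_tools.json is produced from the tool yaml, it was presumably regenerated before that yaml change was applied (or the new EventLog block did not parse) and should be regenerated once more. The same InstallationPaths array also repeats `Remote Workforce Client.exe`, `screenconnect*.exe` and `screenconnect.windowsclient.exe`, which only inflates whatever detection lists are derived from it. This hunk covers the entry's Details and Artifacts; its Detections and References continue in the next hunk.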
@@ -11701,25 +11427,29 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mikogo_network_sigma.yml", - "Description": "Detects potential network activity of Mikogo RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_network_sigma.yml", + "Description": "Detects potential network activity of ScreenConnect RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mikogo_processes_sigma.yml", - "Description": "Detects potential processes activity of Mikogo RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_files_sigma.yml", + "Description": "Detects potential files activity of ScreenConnect RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenconnect_processes_sigma.yml", + "Description": "Detects potential processes activity of ScreenConnect RMM tool" } ], "References": [ - "https://mikogo.zendesk.com/hc/en-us/articles/214072478-Which-IP-addresses-do-we-use-for-our-services" + "https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours/" ], "Acknowledgement": [] }, { - "Name": "WebEx (Remote Access)", - "Description": "WebEx (Remote Access) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Microsoft TSC", + "Description": "Microsoft TSC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -11733,7 +11463,10 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "termsrv.exe", + "mstsc.exe" + ] }, "Artifacts": { "Disk": [], 
@@ -11741,18 +11474,23 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_tsc_processes_sigma.yml", + "Description": "Detects potential processes activity of Microsoft TSC RMM tool" + } + ], "References": [ - "https://help.webex.com/en-us/article/nyc3q0b/Set-Up-a-Computer-for-Remote-Access" + "https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/terminal-server-startup-connection-application" ], "Acknowledgement": [] }, { - "Name": "Koofr", - "Description": "Koofr is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Tanium", + "Description": "Tanium is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -11766,21 +11504,47 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "TaniumClient.exe", + "TaniumCX.exe", + "TaniumExecWrapper.exe", + "TaniumFileInfo.exe", + "TPowerShell.exe" + ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "cloud.tanium.com", + "*.cloud.tanium.com" + ], + "Ports": [] + } + ] }, - "Detections": [], - "References": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_network_sigma.yml", + "Description": "Detects potential network activity of Tanium RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_processes_sigma.yml", + "Description": "Detects potential processes activity of Tanium RMM tool" + } + ], + "References": [ + "https://help.tanium.com/bundle/ug_client_cloud/page/client/platform_connections.html" + ], "Acknowledgement": [] }, { - "Name": "Duplicati", - "Description": "Duplicati is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Ultra VNC", + "Description": "Ultra VNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -11798,8 +11562,11 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "c:\\Program Files\\*\\Duplicati.Server.exe", - "*\\*\\Duplicati.Server.exe" + "C:\\Program Files\\uvnc bvba\\UltraVNC\\*", + "*\\uvnc bvba\\UltraVNC\\*", + "*\\UVNC_Launch.exe", + "*\\winvnc.exe", + "*\\vncviewer.exe" ] }, "Artifacts": { 
@@ -11810,19 +11577,19 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/duplicati_processes_sigma.yml", - "Description": "Detects potential processes activity of Duplicati RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ultra_vnc_processes_sigma.yml", + "Description": "Detects potential processes activity of Ultra VNC RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "ManageEngine RMM Central", - "Description": "ManageEngine RMM Central is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Remote Manipulator System", + "Description": "Remote Manipulator System is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -11836,7 +11603,10 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "rfusclient.exe", + "rutserv.exe" + ] }, "Artifacts": { "Disk": [], @@ -11846,7 +11616,8 @@ { "Description": "Known remote domains", "Domains": [ - "manageengine.com/remote-monitoring-management/" + "*.internetid.ru", + "rmansys.ru" ], "Ports": [] } 
@@ -11854,57 +11625,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/manageengine_rmm_central_network_sigma.yml", - "Description": "Detects potential network activity of ManageEngine RMM Central RMM tool" - } - ], - "References": [], - "Acknowledgement": [] - }, - { - "Name": "WinSCP", - "Description": "WinSCP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_manipulator_system_network_sigma.yml", + "Description": "Detects potential network activity of Remote Manipulator System RMM tool" }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\Users\\IEUser\\Downloads\\WinSCP-5.21.6-Portable\\*", - "*\\WinSCP*Portable\\*", - "*\\WinSCP.exe", - "*\\WinSCP\\*" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [] - }, - "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/winscp_processes_sigma.yml", - "Description": "Detects potential processes activity of WinSCP RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_manipulator_system_processes_sigma.yml", + "Description": "Detects potential processes activity of Remote Manipulator System RMM tool" } ], - "References": [], + "References": [ + "https://rmansys.ru/files/" + ], "Acknowledgement": [] }, { - "Name": "GatherPlace-desktop sharing", - "Description": "GatherPlace-desktop sharing is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Name": "Domotz", + "Description": "Domotz is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/7/2024", @@ -11922,9 +11658,12 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "gp3.exe", - "gp4.exe", - "gp5.exe" + "domotz.exe", + "Domotz Pro Desktop App.exe", + "domotz_bash.exe", + "domotz*.exe", + "Domotz Pro Desktop App Setup*.exe", + "domotz-windows*.exe" ] }, "Artifacts": { @@ -11935,9 +11674,9 @@ { "Description": "Known remote domains", "Domains": [ - "*.gatherplace.com", - "*.gatherplace.net", - "gatherplace.com" + "*.domotz.co", + "domotz.com", + "*cell-1.domotz.com" ], "Ports": [] } 
@@ -11945,25 +11684,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gatherplace-desktop_sharing_network_sigma.yml", - "Description": "Detects potential network activity of GatherPlace-desktop sharing RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/domotz_network_sigma.yml", + "Description": "Detects potential network activity of Domotz RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gatherplace-desktop_sharing_processes_sigma.yml", - "Description": "Detects potential processes activity of GatherPlace-desktop sharing RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/domotz_processes_sigma.yml", + "Description": "Detects potential processes activity of Domotz RMM tool" } ], "References": [ - "https://www.gatherplace.com/kb?id=136377" + "https://help.domotz.com/tips-tricks/unblock-outgoing-connections-on-firewall/" ], "Acknowledgement": [] }, { - "Name": "Laplink Gold", - "Description": "Laplink Gold is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "FixMe.it", + "Description": "FixMe.it is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -11978,8 +11717,17 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "tsircusr.exe", - "laplink.exe" + "FixMeit Client.exe", + "TiExpertStandalone.exe", + "FixMeitClient*.exe", + "TiExpertCore.exe", + "FixMeit Unattended Access Setup.exe", + "FixMeit Expert Setup.exe", + "TiExpertCore.exe", + "fixmeitclient.exe", + "TiClientCore.exe", + "TiClientHelper*.exe", + "9380CC75B872221A7425D7503565B67580407F60" ] }, "Artifacts": { 
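Review bot: In the second hunk on this line, the FixMe.it InstallationPaths array ends with `"9380CC75B872221A7425D7503565B67580407F60"`, a 40-hex-character value that reads as a file hash rather than a path or filename; as a path pattern it can never match, so any detection built from this list silently carries a dead entry. It should move to a hash-oriented field or be dropped, in the source yaml if this file is generated from it. The same array also lists `TiExpertCore.exe` twice.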
@@ -11990,8 +11738,11 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "wen.laplink.com/product/laplink-gold" + "*.fixme.it", + "*.techinline.net", + "fixme.it", + "*set.me", + "*setme.net" ], "Ports": [] } @@ -11999,25 +11750,23 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_gold_network_sigma.yml", - "Description": "Detects potential network activity of Laplink Gold RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme_network_sigma.yml", + "Description": "Detects potential network activity of FixMe RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_gold_processes_sigma.yml", - "Description": "Detects potential processes activity of Laplink Gold RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/fixme_processes_sigma.yml", + "Description": "Detects potential processes activity of FixMe RMM tool" } ], - "References": [ - "wen.laplink.com/product/laplink-gold" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "Centurion", - "Description": "Centurion is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Tanium Deploy", + "Description": "Tanium Deploy is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -12031,9 +11780,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "ctiserv.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], @@ -12043,7 +11790,7 @@ { "Description": "Known remote domains", "Domains": [ - "centuriontech.com" + "tanium.com/products/tanium-deploy" ], "Ports": [] } 
@@ -12051,25 +11798,19 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centurion_network_sigma.yml", - "Description": "Detects potential network activity of Centurion RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/centurion_processes_sigma.yml", - "Description": "Detects potential processes activity of Centurion RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_deploy_network_sigma.yml", + "Description": "Detects potential network activity of Tanium Deploy RMM tool" } ], - "References": [ - "https://data443.atlassian.net/servicedesk/customer/portal/20" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "Ivanti Remote Control", - "Description": "Ivanti Remote Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "N-ABLE Remote Access Software", + "Description": "N-ABLE Remote Access Software is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -12083,11 +11824,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "IvantiRemoteControl.exe", - "ArcUI.exe", - "AgentlessRC.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], @@ -12097,7 +11834,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.ivanticloud.com" + "n-able.com" ], "Ports": [] } 
@@ -12105,22 +11842,16 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ivanti_remote_control_network_sigma.yml", - "Description": "Detects potential network activity of Ivanti Remote Control RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ivanti_remote_control_processes_sigma.yml", - "Description": "Detects potential processes activity of Ivanti Remote Control RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_remote_access_software_network_sigma.yml", + "Description": "Detects potential network activity of N-ABLE Remote Access Software RMM tool" } ], - "References": [ - "https://rc1.ivanticloud.com/" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "NordLocker", - "Description": "NordLocker is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Quick Assist", + "Description": "Quick Assist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -12137,24 +11868,154 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "quickassist.exe" + ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.support.services.microsoft.com" + ], + "Ports": [] + } + ] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quick_assist_network_sigma.yml", + "Description": "Detects potential network activity of Quick Assist RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/quick_assist_processes_sigma.yml", + "Description": "Detects potential processes activity of Quick Assist RMM tool" + } + ], "References": [], "Acknowledgement": [] }, { - "Name": "Xeox", - "Description": "Xeox is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "AnyViewer", + "Description": "AnyViewer is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.\n", + "Author": "@kostastsale", + "Created": "2024-08-03", + "LastModified": "2024-08-03", + "Details": { + "Website": "https://www.anyviewer.com/", + "PEMetadata": [ + { + "Filename": "AnyViewer.exe", + "OriginalFileName": "AnyViewer", + "Description": "Splash Window" + }, + { + "Filename": "RCClient.exe", + "OriginalFileName": "RCClient.exe", + "Description": "AnyViewer Core" + }, + { + "Filename": "ScreanCap.exe", + "Description": "Screan capture" + }, + { + "Filename": "AVCore.exe" + }, + { + "Filename": "RCService.exe" + } + ], + "Privileges": "System", + "Free": "up to 10 devices", + "Verification": "None", + "SupportedOS": [ + "Windows" + ], + "Capabilities": [ + "Remote desktop", + "Remote file transfer", + "Remote monitoring and management", + "Remote shell open" + ], + "Vulnerabilities": [], + "InstallationPaths": [ + "C:\\Program Files (x86)\\AnyViewer\\*" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [ + { + "EventID": 4688, + "ProviderName": "Microsoft-Security-Auditing", + "LogFile": "Security.evtx", + "CommandLine": "\"C:\\\\Program Files (x86)\\\\AnyViewer\\\\AVCore.exe\" -d", + "Description": "Taking actions on the remote machine such as opening a command prompt." + }, + { + "EventID": 7045, + "ProviderName": "Service Control Manager", + "LogFile": "System.evtx", + "ServiceName": "RCService", + "ImagePath": "C:\\\\Program Files (x86)\\\\AnyViewer\\\\RCService.exe", + "Description": "AnyViewer service installation service." 
+ } + ], + "Registry": [], + "Network": [ + { + "Description": "N/A", + "Domains": [ + "*.anyviewer.com" + ], + "Ports": [ + 443 + ] + }, + { + "Description": "N/A", + "Domains": [ + "*.aomeisoftware.com" + ], + "Ports": [ + 443 + ] + } + ] + }, + "Detections": [ + { + "Name": "Arbitrary code execution and remote sessions via Action1 RMM", + "Description": "Threat hunting rule for detecting the execution of arbitrary code and remote sessions via Action1 RMM", + "author": "@kostastsale", + "Link": "https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/Anyviewer.yml" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/anyviewer_network_sigma.yml", + "Description": "Detects potential network activity of AnyViewer RMM tool" + } + ], + "References": [ + "https://www.anyviewer.com/how-to/how-to-open-firewall-ports-for-remote-desktop-0427-gc.html", + "https://www.anyviewer.com/help/remote-technical-support.html" + ], + "Acknowledgement": [ + { + "Person": "Kostas", + "Handle": "@kostastsale" + } + ] + }, + { + "Name": "Naverisk", + "Description": "Naverisk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -12169,10 +12030,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "xeox-agent_x64.exe", - "xeox_service_windows.exe", - "xeox-agent_*.exe", - "xeox-agent_x86.exe" + "AgentSetup-*.exe" ] }, "Artifacts": { @@ -12183,8 +12041,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.xeox.com", - "xeox.com" + "user_managed", + "naverisk.com" ], "Ports": [] } 
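Review bot: The first AnyViewer detection is named `"Arbitrary code execution and remote sessions via Action1 RMM"` with a description that also says Action1, while its Link points at an Anyviewer.yml rule; the name and description look copied from the Action1 entry and should name AnyViewer, otherwise anyone filtering detections by tool is misled. That same object uses the key `"author"` where the surrounding objects use capitalised keys (`"Name"`, `"Description"`, `"Link"`), which will trip any consumer that keys on the capitalised form. Both fixes likely belong in the tool's yaml if this JSON is regenerated from it.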
@@ -12192,25 +12050,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xeox_network_sigma.yml", - "Description": "Detects potential network activity of Xeox RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/naverisk_network_sigma.yml", + "Description": "Detects potential network activity of Naverisk RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xeox_processes_sigma.yml", - "Description": "Detects potential processes activity of Xeox RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/naverisk_processes_sigma.yml", + "Description": "Detects potential processes activity of Naverisk RMM tool" } ], "References": [ - "https://help.xeox.com/knowledge-base/gSuyNfDH6u79M82utnswf2/firewall-settings-xeox-agent-and-integrations/47T7S9tZJ2L1Z2W5gwuXoW" + "http://kb.naverisk.com/en/articles/2811223-deploying-naverisk-agents" ], "Acknowledgement": [] }, { - "Name": "ezHelp", - "Description": "ezHelp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Addigy", + "Description": "Addigy is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/27/2024", "Details": { "Website": "", "PEMetadata": { @@ -12225,9 +12083,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ezhelpclientmanager.exe", - "ezHelpManager.exe", - "ezhelpclient.exe" + "addigy-*.pkg" ] }, "Artifacts": { @@ -12238,8 +12094,9 @@ { "Description": "Known remote domains", "Domains": [ - "*.ezhelp.co.kr", - "ezhelp.co.kr" + "prod.addigy.com", + "grtmprod.addigy.com", + "agents.addigy.com" ], "Ports": [] } 
@@ -12247,80 +12104,188 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ezhelp_network_sigma.yml", - "Description": "Detects potential network activity of ezHelp RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ezhelp_processes_sigma.yml", - "Description": "Detects potential processes activity of ezHelp RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/addigy_network_sigma.yml", + "Description": "Detects potential network activity of Addigy RMM tool" } ], "References": [ - "https://www.exhelp.co.kr" + "https://addigy.com/" ], "Acknowledgement": [] }, { - "Name": "Level.io", - "Description": "Level.io is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/8/2024", + "Name": "Action1", + "Description": "Action1 is a powerful Remote Monitoring and Management(RMM) tool that enables users to execute commands, scripts, and binaries. 
\nThrough the web interface of action1, the administrator must create a new policy or an app to establish remote execution and then points that the agent is installed.\n", + "Author": "@kostastsale", + "Created": "2024-08-03", + "LastModified": "2024-10-06", "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], + "Website": "https://www.action1.com/", + "PEMetadata": [ + { + "Filename": "action1_connector.exe" + }, + { + "Filename": "action1_remote.exe" + }, + { + "Filename": "action1_update.exe" + }, + { + "Filename": "action1_agent.exe", + "OriginalFileName": "action1_agent.exe", + "Description": "Endpoint Agent" + } + ], + "Privileges": "SYSTEM", + "Free": "Yes", + "Verification": "Corporate email required although temporary email services are accepted", + "SupportedOS": [ + "Windows" + ], + "Capabilities": [ + "Backup and disaster recovery", + "Billing and invoicing", + "Customer portal", + "HelpDesk and ticketing", + "Mobile app", + "Network discovery", + "Patch management", + "Remote monitoring and management", + "Reporting and analytics" + ], "Vulnerabilities": [], "InstallationPaths": [ - "level-windows-amd64.exe", - "level.exe", - "level-remote-control-ffmpeg.exe" + "C:\\Windows\\Action1\\*" ] }, "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], + "Disk": [ + { + "File": "C:\\Windows\\Action1\\action1_agent.exe", + "Description": "Action1 service binary", + "OS": "Windows" + }, + { + "File": "C:\\Windows\\Action1\\*", + "Description": "Multiple files and binaries related to Action1 installation", + "OS": "Windows" + }, + { + "File": "C:\\Windows\\Action1\\scripts\\*", + "Description": "Multiple scripts related to Action1 installation", + "OS": "Windows" + }, + { + "File": "C:\\Windows\\Action1\\rule_data\\*", + "Description": "Files related to Action1 rules", + "OS": "Windows" + }, 
+ { + "File": "C:\\Windows\\Action1\\action1_log_*.log", + "Description": "Contains history, errors, system notifications. Incoming and outgoing connections.", + "OS": "Windows" + } + ], + "EventLog": [ + { + "EventID": 7045, + "ProviderName": "Service Control Manager", + "LogFile": "System.evtx", + "ServiceName": "A1Agent", + "ImagePath": "\"C:\\\\Windows\\\\Action1\\\\action1_agent.exe\"", + "Description": "Service installation event as result of Action1 installation." + }, + { + "EventID": 4697, + "ProviderName": "Microsoft-Security-Auditing", + "LogFile": "Security.evtx", + "ServiceName": "A1Agent", + "CommandLine": "C:\\Windows\\Action1\\action1_agent.exe service", + "Description": "Service installation event as result of Action1 installation." + }, + { + "EventID": 4688, + "ProviderName": "Microsoft-Security-Auditing", + "LogFile": "Security.evtx", + "CommandLine": "C:\\Windows\\Action1\\action1_agent.exe loggedonuser", + "Description": "Executing command to get logged on user." + } + ], + "Registry": [ + { + "Path": "HKLM\\System\\CurrentControlSet\\Services\\A1Agent", + "Description": "Service installation event as result of Action1 installation." + }, + { + "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\action1_agent.exe", + "Description": "Ensures that detailed crash information is available for analysis, which aids in maintaining the stability and reliability of the software." 
+ }, + { + "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Action1", + "Description": "Storing its configuration settings and other relevant information" + } + ], "Network": [ { - "Description": "Known remote domains", + "Description": "N/A", "Domains": [ - "level.io", - "*.level.io" + "*.action1.com" ], - "Ports": [] + "Ports": [ + 443 + ] + }, + { + "Description": "N/A", + "Domains": [ + "a1-backend-packages.s3.amazonaws.com" + ], + "Ports": [ + 443 + ] } ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_network_sigma.yml", - "Description": "Detects potential network activity of Level.io RMM tool" + "Name": "Arbitrary code execution and remote sessions via Action1 RMM", + "Description": "Threat hunting rule for detecting the execution of arbitrary code and remote sessions via Action1 RMM", + "author": "@kostastsale", + "Link": "https://github.com/tsale/Sigma_rules/blob/ea87e4fc851207ca0f002ec043624f2b3bf1b2da/Threat%20Hunting%20Queries/Action1_RMM.yml" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_processes_sigma.yml", - "Description": "Detects potential processes activity of Level.io RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_registry_sigma.yml", + "Description": "Detects potential registry activity of Action1 RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_network_sigma.yml", + "Description": "Detects potential network activity of Action1 RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_files_sigma.yml", + "Description": "Detects potential files activity of Action1 RMM tool" } ], "References": [ - "https://docs.level.io/1.0/admin-guides/troubleshooting-agent-issues" + "https://www.action1.com/documentation/firewall-configuration/", + "https://www.action1.com/documentation/", + 
"https://twitter.com/Kostastsale/status/1646256901506605063?s=20", + "https://ruler-project.github.io/ruler-project/RULER/remote/Action1/" ], - "Acknowledgement": [] + "Acknowledgement": [ + { + "Person": "Kostas", + "Handle": "@kostastsale" + } + ] }, { - "Name": "MultCloud", - "Description": "MultCloud is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "AliWangWang-remote-control", + "Description": "AliWangWang-remote-control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -12335,26 +12300,44 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "requires sign up", - "requires sign up" + "alitask.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "wangwang.taobao.com" + ], + "Ports": [] + } + ] }, - "Detections": [], - "References": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aliwangwang-remote-control_network_sigma.yml", + "Description": "Detects potential network activity of AliWangWang-remote-control RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aliwangwang-remote-control_processes_sigma.yml", + "Description": "Detects potential processes activity of AliWangWang-remote-control RMM tool" + } + ], + "References": [ + "https://github.com/KKomarov/AliWangWangEng/blob/master/chs.locale" + ], "Acknowledgement": [] }, { - "Name": "Synergy", - "Description": "Synergy is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "FreeRDP", + "Description": "FreeRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/26/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -12374,33 +12357,18 @@ "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "user_managed" - ], - "Ports": [] - } - ] + "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/synergy_network_sigma.yml", - "Description": "Detects potential network activity of Synergy RMM tool" - } - ], - "References": [ - "https://symless.com/synergy" - ], + "Detections": [], + "References": [], "Acknowledgement": [] }, { - "Name": "OptiTune", - "Description": "OptiTune is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "MioNet (Also known as WD Anywhere Access)", + "Description": "MioNet (Also known as WD Anywhere Access) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/26/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -12415,43 +12383,28 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "OTService.exe", - "OTPowerShell.exe" + "mionet.exe", + "mionetmanager.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.optitune.us", - "*.opti-tune.com" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/optitune_network_sigma.yml", - "Description": "Detects potential network activity of OptiTune RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/optitune_processes_sigma.yml", - "Description": "Detects potential processes activity of OptiTune RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mionet__also_known_as_wd_anywhere_access__processes_sigma.yml", + "Description": "Detects potential processes activity of MioNet (Also known as WD Anywhere Access) RMM tool" } ], - "References": [ - "https://www.bravurasoftware.com/optitune/support/faq.aspx" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "Netop", - "Description": "Netop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "SmartCode Web VNC", + "Description": "SmartCode Web VNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -12469,9 +12422,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files\\Danware Data\\NetOp Packn Deploy\\*", - "*\\Danware Data\\NetOp Packn Deploy\\*", - "*\\Netop Remote Control\\*" + "C:\\Program Files\\TightVNC\\*", + "*\\TightVNC\\*" ] }, "Artifacts": { 
@@ -12485,8 +12437,8 @@ "Acknowledgement": [] }, { - "Name": "ConnectWise", - "Description": "ConnectWise is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Onionshare", + "Description": "Onionshare is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -12504,8 +12456,10 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\ScreenConnect Client ()\\*", - "*\\ScreenConnect*Client*\\*" + "C:\\Program Files (x86)\\OnionShare\\*", + "*\\OnionShare\\*", + "*\\onionshare*.exe", + "OnionShare-win*.msi" ] }, "Artifacts": { @@ -12514,16 +12468,21 @@ "Registry": [], "Network": [] }, - "Detections": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/onionshare_processes_sigma.yml", + "Description": "Detects potential processes activity of Onionshare RMM tool" + } + ], "References": [], "Acknowledgement": [] }, { - "Name": "Encapto", - "Description": "Encapto is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Rocket Remote Desktop", + "Description": "Rocket Remote Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -12537,203 +12496,170 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "RDConsole.exe", + "RocketRemoteDesktop_Setup.exe" + ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "encapto.com" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/encapto_network_sigma.yml", - "Description": "Detects potential network activity of Encapto RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rocket_remote_desktop_processes_sigma.yml", + "Description": "Detects potential processes activity of Rocket Remote Desktop RMM tool" } ], - "References": [ - "https://www.encapto.com - used to manage Cisco services" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "Action1", - "Description": "Action1 is a powerful Remote Monitoring and Management(RMM) tool that enables users to execute commands, scripts, and binaries. \nThrough the web interface of action1, the administrator must create a new policy or an app to establish remote execution and then points that the agent is installed.\n", - "Author": "@kostastsale", - "Created": "2024-08-03", - "LastModified": "2024-10-06", + "Name": "WebRDP", + "Description": "WebRDP is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/14/2024", "Details": { - "Website": "https://www.action1.com/", - "PEMetadata": [ - { - "Filename": "action1_connector.exe" - }, - { - "Filename": "action1_remote.exe" - }, - { - "Filename": "action1_update.exe" - }, - { - "Filename": "action1_agent.exe", - "OriginalFileName": "action1_agent.exe", - "Description": "Endpoint Agent" - } - ], - "Privileges": "SYSTEM", - "Free": "Yes", - "Verification": "Corporate email required although temporary email services are accepted", - "SupportedOS": [ - "Windows" - ], - "Capabilities": [ - "Backup and disaster recovery", - "Billing and invoicing", - "Customer portal", - "HelpDesk and ticketing", - "Mobile app", - "Network discovery", - "Patch management", - "Remote monitoring and management", - "Reporting and analytics" - ], + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Windows\\Action1\\*" + "webrdp.exe" ] }, "Artifacts": { - "Disk": [ - { - "File": "C:\\Windows\\Action1\\action1_agent.exe", - "Description": "Action1 service binary", - "OS": "Windows" - }, - { - "File": "C:\\Windows\\Action1\\*", - "Description": "Multiple files and binaries related to Action1 installation", - "OS": "Windows" - }, - { - "File": "C:\\Windows\\Action1\\scripts\\*", - "Description": "Multiple scripts related to Action1 installation", - "OS": "Windows" - }, - { - "File": "C:\\Windows\\Action1\\rule_data\\*", - "Description": "Files related to Action1 rules", - "OS": "Windows" - }, - { - "File": "C:\\Windows\\Action1\\action1_log_*.log", - "Description": "Contains history, errors, system notifications. 
Incoming and outgoing connections.", - "OS": "Windows" - } - ], - "EventLog": [ - { - "EventID": 7045, - "ProviderName": "Service Control Manager", - "LogFile": "System.evtx", - "ServiceName": "A1Agent", - "ImagePath": "\"C:\\\\Windows\\\\Action1\\\\action1_agent.exe\"", - "Description": "Service installation event as result of Action1 installation." - }, - { - "EventID": 4697, - "ProviderName": "Microsoft-Security-Auditing", - "LogFile": "Security.evtx", - "ServiceName": "A1Agent", - "CommandLine": "C:\\Windows\\Action1\\action1_agent.exe service", - "Description": "Service installation event as result of Action1 installation." - }, - { - "EventID": 4688, - "ProviderName": "Microsoft-Security-Auditing", - "LogFile": "Security.evtx", - "CommandLine": "C:\\Windows\\Action1\\action1_agent.exe loggedonuser", - "Description": "Executing command to get logged on user." - } - ], - "Registry": [ - { - "Path": "HKLM\\System\\CurrentControlSet\\Services\\A1Agent", - "Description": "Service installation event as result of Action1 installation." - }, - { - "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\action1_agent.exe", - "Description": "Ensures that detailed crash information is available for analysis, which aids in maintaining the stability and reliability of the software." 
- }, - { - "Path": "HKLM\\SOFTWARE\\WOW6432Node\\Action1", - "Description": "Storing its configuration settings and other relevant information" - } - ], + "Disk": [], + "EventLog": [], + "Registry": [], "Network": [ { - "Description": "N/A", - "Domains": [ - "*.action1.com" - ], - "Ports": [ - 443 - ] - }, - { - "Description": "N/A", + "Description": "Known remote domains", "Domains": [ - "a1-backend-packages.s3.amazonaws.com" + "user_managed", + "github.com/Mikej81/WebRDP" ], - "Ports": [ - 443 - ] + "Ports": [] } ] }, "Detections": [ { - "Name": "Arbitrary code execution and remote sessions via Action1 RMM", - "Description": "Threat hunting rule for detecting the execution of arbitrary code and remote sessions via Action1 RMM", - "author": "@kostastsale", - "Link": "https://github.com/tsale/Sigma_rules/blob/ea87e4fc851207ca0f002ec043624f2b3bf1b2da/Threat%20Hunting%20Queries/Action1_RMM.yml" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/webrdp_network_sigma.yml", + "Description": "Detects potential network activity of WebRDP RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_registry_sigma.yml", - "Description": "Detects potential registry activity of Action1 RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/webrdp_processes_sigma.yml", + "Description": "Detects potential processes activity of WebRDP RMM tool" + } + ], + "References": [ + "github.com/Mikej81/WebRDP" + ], + "Acknowledgement": [] + }, + { + "Name": "BeyondTrust", + "Description": "BeyondTrust is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "SuperOps", + "Description": "SuperOps is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/7/2024", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "superopsticket.exe", + "superops.exe" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.superopsbeta.com", + "superops.ai", + "serv.superopsalpha.com", + "*.superops.ai", + "*.superopsalpha.com" + ], + "Ports": [] + } + ] + }, + "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_network_sigma.yml", - "Description": "Detects potential network activity of Action1 RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superops_network_sigma.yml", + "Description": "Detects potential network activity of SuperOps RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/action1_files_sigma.yml", - "Description": "Detects potential files activity of Action1 RMM tool" + "Sigma": 
"https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superops_processes_sigma.yml", + "Description": "Detects potential processes activity of SuperOps RMM tool" } ], "References": [ - "https://www.action1.com/documentation/firewall-configuration/", - "https://www.action1.com/documentation/", - "https://twitter.com/Kostastsale/status/1646256901506605063?s=20", - "https://ruler-project.github.io/ruler-project/RULER/remote/Action1/" + "https://support.superops.com/en/articles/6632028-how-to-download-and-deploy-the-agent" ], - "Acknowledgement": [ - { - "Person": "Kostas", - "Handle": "@kostastsale" - } - ] + "Acknowledgement": [] }, { - "Name": "SuperPuTTY", - "Description": "SuperPuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "RemotePass", + "Description": "RemotePass is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -12751,33 +12677,46 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Downloads\\SuperPuTTY\\*", - "*Downloads\\SuperPuTTY\\*", - "*\\superputty.exe", - "*\\SuperPuTTY\\*" + "remotepass-access.exe", + "rpaccess.exe", + "rpwhostscr.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "remotepass.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/superputty_processes_sigma.yml", - "Description": "Detects potential processes activity of SuperPuTTY RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepass_network_sigma.yml", + "Description": "Detects potential network activity of RemotePass RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remotepass_processes_sigma.yml", + "Description": "Detects potential processes activity of RemotePass RMM tool" } ], - "References": [], + "References": [ + "https://www.remotepass.com/rpaccess.html - DOA as of 2024" + ], "Acknowledgement": [] }, { - "Name": "Royal Apps", - "Description": "Royal Apps is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Itarian", + "Description": "Itarian is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -12792,8 +12731,16 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "royalserver.exe", - "royalts.exe" + "ITSMAgent.exe", + "RViewer.exe", + "ItsmRsp.exe", + "RAccess.exe", + "RmmService.exe", + "ITarianRemoteAccessSetup.exe", + "RDesktop.exe", + "ComodoRemoteControl.exe", + "ITSMService.exe", + "RHost.exe" ] }, "Artifacts": { @@ -12804,7 +12751,11 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed" + "mdmsupport.comodo.com", + "*.itsm-us1.comodo.com", + "*.cmdm.comodo.com", + "remoteaccess.itarian.com", + "servicedesk.itarian.com" ], "Ports": [] } 
@@ -12812,25 +12763,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_apps_network_sigma.yml", - "Description": "Detects potential network activity of Royal Apps RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itarian_network_sigma.yml", + "Description": "Detects potential network activity of Itarian RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/royal_apps_processes_sigma.yml", - "Description": "Detects potential processes activity of Royal Apps RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itarian_processes_sigma.yml", + "Description": "Detects potential processes activity of Itarian RMM tool" } ], "References": [ - "https://www.royalapps.com/ts/win/download" + "https://help.itarian.com/topic-459-1-1005-14776-Appendix-1b---Endpoint-Manager-Services---IP-Nos,-Host-Names-and-Port-Details---US-Customers.html" ], "Acknowledgement": [] }, { - "Name": "Tanium Deploy", - "Description": "Tanium Deploy is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "PSEXEC", + "Description": "PSEXEC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -12844,7 +12795,10 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "psexec.exe", + "psexecsvc.exe" + ] }, "Artifacts": { "Disk": [], @@ -12854,7 +12808,7 @@ { "Description": "Known remote domains", "Domains": [ - "tanium.com/products/tanium-deploy" + "user_managed" ], "Ports": [] } 
@@ -12862,19 +12816,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tanium_deploy_network_sigma.yml", - "Description": "Detects potential network activity of Tanium Deploy RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec_network_sigma.yml", + "Description": "Detects potential network activity of PSEXEC RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/psexec_processes_sigma.yml", + "Description": "Detects potential processes activity of PSEXEC RMM tool" } ], - "References": [], + "References": [ + "https://learn.microsoft.com/en-us/sysinternals/downloads/psexec" + ], "Acknowledgement": [] }, { - "Name": "Zabbix Agent", - "Description": "Zabbix Agent is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Level.io", + "Description": "Level.io is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -12889,7 +12849,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "zabbix_agent*.exe" + "level-windows-amd64.exe", + "level.exe", + "level-remote-control-ffmpeg.exe" ] }, "Artifacts": { @@ -12900,8 +12862,8 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "zabbix.com" + "level.io", + "*.level.io" ], "Ports": [] } 
@@ -12909,25 +12871,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zabbix_agent_network_sigma.yml", - "Description": "Detects potential network activity of Zabbix Agent RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_network_sigma.yml", + "Description": "Detects potential network activity of Level.io RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zabbix_agent_processes_sigma.yml", - "Description": "Detects potential processes activity of Zabbix Agent RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_processes_sigma.yml", + "Description": "Detects potential processes activity of Level.io RMM tool" } ], "References": [ - "https://www.zabbix.com/documentation/current/en/manual/appendix/install/windows_agent" + "https://docs.level.io/1.0/admin-guides/troubleshooting-agent-issues" ], "Acknowledgement": [] }, { - "Name": "Weezo", - "Description": "Weezo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ezHelp", + "Description": "ezHelp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -12942,9 +12904,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "weezohttpd.exe", - "weezo.exe", - "weezo setup*.exe" + "ezhelpclientmanager.exe", + "ezHelpManager.exe", + "ezhelpclient.exe" ] }, "Artifacts": { @@ -12955,10 +12917,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.weezo.me", - "weezo.net", - "*.weezo.net", - "weezo.en.softonic.com" + "*.ezhelp.co.kr", + "ezhelp.co.kr" ], "Ports": [] } 
@@ -12966,25 +12926,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/weezo_network_sigma.yml", - "Description": "Detects potential network activity of Weezo RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ezhelp_network_sigma.yml", + "Description": "Detects potential network activity of ezHelp RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/weezo_processes_sigma.yml", - "Description": "Detects potential processes activity of Weezo RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/ezhelp_processes_sigma.yml", + "Description": "Detects potential processes activity of ezHelp RMM tool" } ], "References": [ - "weezo.en.softonic.com" + "https://www.exhelp.co.kr" ], "Acknowledgement": [] }, { - "Name": "BeInSync", - "Description": "BeInSync is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Kabuto", + "Description": "Kabuto is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/26/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -12999,7 +12959,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "Beinsync*.exe" + "Kabuto.App.Runner.exe" ] }, "Artifacts": { @@ -13010,8 +12970,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.beinsync.net", - "*.beinsync.com" + "*.kabuto.io", + "repairtechsolutions.com/kabuto/" ], "Ports": [] } 
@@ -13019,25 +12979,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beinsync_network_sigma.yml", - "Description": "Detects potential network activity of BeInSync RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kabuto_network_sigma.yml", + "Description": "Detects potential network activity of Kabuto RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beinsync_processes_sigma.yml", - "Description": "Detects potential processes activity of BeInSync RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kabuto_processes_sigma.yml", + "Description": "Detects potential processes activity of Kabuto RMM tool" } ], "References": [ - "https://en.wikipedia.org/wiki/Phoenix_Technologies" + "https://www.repairtechsolutions.com/documentation/kabuto/" ], "Acknowledgement": [] }, { - "Name": "ScreenMeet", - "Description": "ScreenMeet is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Synergy", + "Description": "Synergy is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/26/2024", "Details": { "Website": "", "PEMetadata": { @@ -13051,10 +13011,7 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [ - "ScreenMeetSupport.exe", - "ScreenMeet.Support.exe" - ] + "InstallationPaths": [] }, "Artifacts": { "Disk": [], @@ -13064,8 +13021,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.screenmeet.com", - "*.scrn.mt" + "user_managed" ], "Ports": [] } 
@@ -13073,25 +13029,21 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenmeet_network_sigma.yml", - "Description": "Detects potential network activity of ScreenMeet RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/screenmeet_processes_sigma.yml", - "Description": "Detects potential processes activity of ScreenMeet RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/synergy_network_sigma.yml", + "Description": "Detects potential network activity of Synergy RMM tool" } ], "References": [ - "https://docs.screenmeet.com/docs/firewall-white-list" + "https://symless.com/synergy" ], "Acknowledgement": [] }, { - "Name": "MyIVO", - "Description": "MyIVO is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ConnectWise", + "Description": "ConnectWise is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -13106,45 +13058,26 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "myivomgr.exe", - "myivomanager.exe" + "C:\\Program Files (x86)\\ScreenConnect Client ()\\*", + "*\\ScreenConnect*Client*\\*" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "myivo-server.software.informer.com" - ], - "Ports": [] - } - ] + "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/myivo_network_sigma.yml", - "Description": "Detects potential network activity of MyIVO RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/myivo_processes_sigma.yml", - "Description": "Detects potential processes activity of MyIVO RMM tool" - } - ], - "References": [ - "myivo.com - DOA as of 2024" - ], + "Detections": [], + "References": [], "Acknowledgement": [] }, { - "Name": "LabTech RMM (Now ConnectWise Automate)", - "Description": "LabTech RMM (Now ConnectWise Automate) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "TigerVNC", + "Description": "TigerVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/26/2024", "Details": { "Website": "", "PEMetadata": { @@ -13159,9 +13092,11 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ltsvc.exe", - "ltsvcmon.exe", - "lttray.exe" + "tigervnc*.exe", + "winvnc4.exe", + "C:\\Program Files\\TightVNC\\*", + "*\\TightVNC\\*", + "*\\tvnserver.exe" ] }, "Artifacts": { @@ -13172,7 +13107,7 @@ { "Description": "Known remote domains", "Domains": [ - "connectwise.com" + "user_managed" ], "Ports": [] } 
@@ -13180,30 +13115,148 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labtech_rmm__now_connectwise_automate__network_sigma.yml", - "Description": "Detects potential network activity of LabTech RMM (Now ConnectWise Automate) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tigervnc_network_sigma.yml", + "Description": "Detects potential network activity of TigerVNC RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/labtech_rmm__now_connectwise_automate__processes_sigma.yml", - "Description": "Detects potential processes activity of LabTech RMM (Now ConnectWise Automate) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tigervnc_processes_sigma.yml", + "Description": "Detects potential processes activity of TigerVNC RMM tool" } ], - "References": [], + "References": [ + "https://github.com/TigerVNC/tigervnc/releases" + ], "Acknowledgement": [] }, { - "Name": "Kabuto", - "Description": "Kabuto is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "2/8/2024", + "Name": "GoToMyPC", + "Description": "GoToMyPC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.\n", + "Author": "Nasreddine Bencherchali", + "Created": "2024-08-05", + "LastModified": "2024-08-05", "Details": { "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, + "PEMetadata": [ + { + "Filename": "AppCore.exe" + }, + { + "Filename": "g2comm.exe" + }, + { + "Filename": "g2file*.exe" + }, + { + "Filename": "g2fileh.exe" + }, + { + "Filename": "g2host.exe" + }, + { + "Filename": "g2m_download.exe" + }, + { + "Filename": "g2mainh.exe" + }, + { + "Filename": "G2MChat.exe" + }, + { + "Filename": "G2MCodecInstExtractor.exe" + }, + { + "Filename": "G2MComm.exe" + }, + { + "Filename": "G2MCoreInstExtractor.exe" + }, + { + "Filename": "G2MFeedback.exe" + }, + { + "Filename": "G2MHost.exee" + }, + { + "Filename": "G2MInstaller.exe" + }, + { + "Filename": "G2MInstallerExtractor.exe" + }, + { + "Filename": "G2MInstHigh.exe" + }, + { + "Filename": "G2MLauncher.exe" + }, + { + "Filename": "G2MMatchMaking.exe" + }, + { + "Filename": "G2MMaterials.exe" + }, + { + "Filename": "G2MPolling.exe" + }, + { + "Filename": "G2MQandA.exe" + }, + { + "Filename": "G2MRecorder.exe" + }, + { + "Filename": "G2MScrUtil64.exe" + }, + { + "Filename": "G2MSessionControl.exe" + }, + { + "Filename": "G2MStart.exe" + }, + { + "Filename": "G2MTesting.exe" + }, + { + "Filename": "G2MTranscoder.exe" + }, + { + "Filename": "G2MUI.exe" + }, + { + "Filename": "G2MUninstall.exe" + }, + { + "Filename": "g2mupload.exe" + }, + { + "Filename": "g2mvideoconference.exe" + }, + { + "Filename": "G2MView.exe" + }, + { + "Filename": "g2printh.exe" + }, + { + "Filename": "g2quick.exe" + }, + { + "Filename": "g2svc.exe" + }, + { + "Filename": "g2tray.exe" + }, + { + "Filename": "gopcsrv.exe" + }, + { + "Filename": "GoToScrUtils.exe" + }, + { + "Filename": "GoTo.exe", + "OriginalFileName": "", + "Description": "" + } + ], "Privileges": "", "Free": "", "Verification": "", 
@@ -13211,116 +13264,80 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "Kabuto.App.Runner.exe" + "C:\\Program Files (x86)\\GoToMyPC\\*" ] }, "Artifacts": { - "Disk": [], + "Disk": [ + { + "File": "%AppData%\\GoTo\\Logs\\goto.log", + "Description": "N/A", + "OS": "Windows" + } + ], "EventLog": [], - "Registry": [], + "Registry": [ + { + "Path": "HKEY_LOCAL_MACHINE\\WOW6432Node\\Citrix\\GoToMyPc", + "Description": "Configuration settings including registration email" + }, + { + "Path": "HKEY_LOCAL_MACHINE\\WOW6432Node\\Citrix\\GoToMyPc\\GuestInvite", + "Description": "Guest invites send to connect" + }, + { + "Path": "HKEY_CURRENT_USER\\SOFTWARE\\Citrix\\GoToMyPc\\FileTransfer\\history", + "Description": "hostname of the computer making connections and location of transferred files" + }, + { + "Path": "HKEY_USERS\\\\SOFTWARE\\Citrix\\GoToMyPc\\FileTransfer\\history", + "Description": "hostname of the computer making connections and location of transferred files" + } + ], "Network": [ { - "Description": "Known remote domains", + "Description": "N/A", "Domains": [ - "*.kabuto.io", - "repairtechsolutions.com/kabuto/" + "*.GoToMyPC.com" ], - "Ports": [] + "Ports": [ + "N/A" + ] } ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kabuto_network_sigma.yml", - "Description": "Detects potential network activity of Kabuto RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_registry_sigma.yml", + "Description": "Detects potential registry activity of GoToMyPC RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/kabuto_processes_sigma.yml", - "Description": "Detects potential processes activity of Kabuto RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_network_sigma.yml", + "Description": "Detects potential network activity of GoToMyPC RMM tool" + }, + { + "Sigma": 
"https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/gotomypc_files_sigma.yml", + "Description": "Detects potential files activity of GoToMyPC RMM tool" } ], "References": [ - "https://www.repairtechsolutions.com/documentation/kabuto/" + "https://support.logmeininc.com/gotomypc/help/what-are-the-optimal-firewall-configurations#", + "https://support.goto.com/training/help/how-do-i-configure-gototraining-to-work-with-firewalls", + "https://ruler-project.github.io/ruler-project/RULER/remote/Citrix%20GoToMyPC/" ], - "Acknowledgement": [] - }, - { - "Name": "FreeRDP", - "Description": "FreeRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [] - }, - "Detections": [], - "References": [], - "Acknowledgement": [] - }, - { - "Name": "ZOC", - "Description": "ZOC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", - "Author": "", - "Created": "", - "LastModified": "", - "Details": { - "Website": "", - "PEMetadata": { - "Filename": "", - "OriginalFileName": "", - "Description": "" - }, - "Privileges": "", - "Free": "", - "Verification": "", - "SupportedOS": [], - "Capabilities": [], - "Vulnerabilities": [], - "InstallationPaths": [ - "C:\\Program Files\\ZOC8\\*", - "*\\ZOC?\\*", - "*\\zoc.exe" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [] - }, - "Detections": [ + "Acknowledgement": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/zoc_processes_sigma.yml", - "Description": "Detects potential processes activity of ZOC RMM tool" + "Person": "Phill Moore", + "Handle": "@phillmoore" } - ], - "References": [], - "Acknowledgement": [] + ] }, { - "Name": "AliWangWang-remote-control", - "Description": "AliWangWang-remote-control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Laplink Everywhere", + "Description": "Laplink Everywhere is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -13335,7 +13352,12 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "alitask.exe" + "laplink.exe", + "laplink-everywhere-setup*.exe", + "laplinkeverywhere.exe", + "llrcservice.exe", + "serverproxyservice.exe", + "OOSysAgent.exe" ] }, "Artifacts": { @@ -13346,7 +13368,9 @@ { "Description": "Known remote domains", "Domains": [ - "wangwang.taobao.com" + "everywhere.laplink.com", + "le.laplink.com", + "atled.syspectr.com" ], "Ports": [] } 
@@ -13354,25 +13378,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aliwangwang-remote-control_network_sigma.yml", - "Description": "Detects potential network activity of AliWangWang-remote-control RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_everywhere_network_sigma.yml", + "Description": "Detects potential network activity of Laplink Everywhere RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/aliwangwang-remote-control_processes_sigma.yml", - "Description": "Detects potential processes activity of AliWangWang-remote-control RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/laplink_everywhere_processes_sigma.yml", + "Description": "Detects potential processes activity of Laplink Everywhere RMM tool" } ], "References": [ - "https://github.com/KKomarov/AliWangWangEng/blob/master/chs.locale" + "https://everywhere.laplink.com/docs" ], "Acknowledgement": [] }, { - "Name": "Goverlan", - "Description": "Goverlan is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Syspectr", + "Description": "Syspectr is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/26/2024", "Details": { "Website": "", "PEMetadata": { @@ -13387,14 +13411,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "goverrmc.exe", - "govsrv*.exe", - "GovAgentInstallHelper.exe", - "GovAgentx64.exe", - "GovReachClient.exe", - "C:\\Program Files (x86)\\PJ Technologies\\GOVsrv\\*", - "*\\PJ Technologies\\GOVsrv\\*", - "*\\GovSrv.exe" + "oo-syspectr*.exe", + "OOSysAgent.exe" ] }, "Artifacts": { 
@@ -13405,8 +13423,8 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "goverlan.com" + "atled.syspectr.com", + "app.syspectr.com" ], "Ports": [] } @@ -13414,25 +13432,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/goverlan_network_sigma.yml", - "Description": "Detects potential network activity of Goverlan RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syspectr_network_sigma.yml", + "Description": "Detects potential network activity of Syspectr RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/goverlan_processes_sigma.yml", - "Description": "Detects potential processes activity of Goverlan RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syspectr_processes_sigma.yml", + "Description": "Detects potential processes activity of Syspectr RMM tool" } ], "References": [ - "https://www.goverlan.com/pdf/Goverlan-Remote-Control-Software.pdf" + "https://www.syspectr.com/en/installation-in-a-network" ], "Acknowledgement": [] }, { - "Name": "Microsoft Quick Assist", - "Description": "Microsoft Quick Assist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Remote Utilities", + "Description": "Remote Utilities is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { @@ -13447,7 +13465,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "quickassist.exe" + "rutview.exe", + "rutserv.exe" ] }, "Artifacts": { @@ -13458,8 +13477,7 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "*.support.services.microsoft.com" + "*.internetid.ru" ], "Ports": [] } 
@@ -13467,25 +13485,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_quick_assist_network_sigma.yml", - "Description": "Detects potential network activity of Microsoft Quick Assist RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_utilities_network_sigma.yml", + "Description": "Detects potential network activity of Remote Utilities RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_quick_assist_processes_sigma.yml", - "Description": "Detects potential processes activity of Microsoft Quick Assist RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_utilities_processes_sigma.yml", + "Description": "Detects potential processes activity of Remote Utilities RMM tool" } ], "References": [ - "https://support.microsoft.com/en-us/windows/install-quick-assist-c17479b7-a49d-4d12-938c-dbfb97c88bca" + "https://www.remoteutilities.com/download/" ], "Acknowledgement": [] }, { - "Name": "N-Able Advanced Monitoring Agent", - "Description": "N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Remcos", + "Description": "Remcos is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -13500,68 +13518,30 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "BASupSrvc.exe", - "winagent.exe", - "BASupApp.exe", - "BASupTSHelper.exe", - "Agent_*_RW.exe", - "BASEClient.exe", - "BASupSrvcCnfg.exe" + "remcos*.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.beanywhere.com ", - "systemmonitor.co.uk", - "*system-monitor.com", - "cloudbackup.management", - "*systemmonitor.co.uk", - "n-able.com", - "systemmonitor.us", - "*systemmonitor.eu.com", - "*.logicnow.com", - "*.swi-tc.com", - "*remote.management", - "systemmonitor.us.cdn.cloudflare.net", - "*cloudbackup.management", - "remote.management", - "logicnow.com", - "system-monitor.com", - "*systemmonitor.us", - "systemmonitor.eu.com", - "*.n-able.com" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_network_sigma.yml", - "Description": "Detects potential network activity of N-Able Advanced Monitoring Agent RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_processes_sigma.yml", - "Description": "Detects potential processes activity of N-Able Advanced Monitoring Agent RMM tool" - } - ], - "References": [ - "https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remcos_processes_sigma.yml", + "Description": "Detects potential processes activity of Remcos RMM tool" + } ], + "References": [], "Acknowledgement": [] }, { - "Name": "MyGreenPC", - "Description": "MyGreenPC is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Name": "ISL Online", + "Description": "ISL Online is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/26/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -13576,7 +13556,13 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "mygreenpc.exe" + "islalwaysonmonitor.exe", + "isllight.exe", + "isllightservice.exe", + "ISLLightClient.exe", + "C:\\Program Files (x86)\\ISL Online\\ISL Light*", + "*\\ISL Online\\ISL Light*", + "*\\ISLLight.exe" ] }, "Artifacts": { @@ -13587,7 +13573,8 @@ { "Description": "Known remote domains", "Domains": [ - "*mygreenpc.com" + "*.islonline.com", + "*.islonline.net" ], "Ports": [] } 
@@ -13595,22 +13582,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mygreenpc_network_sigma.yml", - "Description": "Detects potential network activity of MyGreenPC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_network_sigma.yml", + "Description": "Detects potential network activity of ISL Online RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mygreenpc_processes_sigma.yml", - "Description": "Detects potential processes activity of MyGreenPC RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_processes_sigma.yml", + "Description": "Detects potential processes activity of ISL Online RMM tool" } ], "References": [ - "http://www.mygreenpc.com/" + "https://help.islonline.com/19818/165940" ], "Acknowledgement": [] }, { - "Name": "Syncthing", - "Description": "Syncthing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "DragonDisk", + "Description": "DragonDisk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -13628,9 +13615,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Users\\*\\AppData\\Roaming\\SyncTrayzor\\*", - "*Users\\*\\AppData\\Roaming\\SyncTrayzor\\*", - "*\\Syncthing.exe" + "C:\\Program Files (x86)\\Almageste\\DragonDisk\\*", + "*\\Almageste\\DragonDisk\\*", + "*\\DragonDisk.exe" ] }, "Artifacts": { 
@@ -13641,19 +13628,50 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncthing_processes_sigma.yml", - "Description": "Detects potential processes activity of Syncthing RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dragondisk_processes_sigma.yml", + "Description": "Detects potential processes activity of DragonDisk RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "Chrome Remote Desktop", - "Description": "Chrome Remote Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "RealVNC", + "Description": "RealVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "Supremo", + "Description": "Supremo is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/13/2024", "Details": { "Website": "", "PEMetadata": { @@ -13668,11 +13686,10 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "remote_host.exe", - "remoting_host.exe", - "C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\*", - "*\\Google\\Chrome Remote Desktop\\*", - "*\\remoting_host.exe" + "supremo.exe", + "supremoservice.exe", + "supremosystem.exe", + "supremohelper.exe" ] }, "Artifacts": { 
@@ -13683,9 +13700,9 @@ { "Description": "Known remote domains", "Domains": [ - "*remotedesktop.google.com", - "*remotedesktop-pa.googleapis.com", - "remotedesktop.google.com" + "supremocontrol.com", + "*.supremocontrol.com", + "* .nanosystems.it" ], "Ports": [] } @@ -13693,25 +13710,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_network_sigma.yml", - "Description": "Detects potential network activity of Chrome Remote Desktop RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/supremo_network_sigma.yml", + "Description": "Detects potential network activity of Supremo RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/chrome_remote_desktop_processes_sigma.yml", - "Description": "Detects potential processes activity of Chrome Remote Desktop RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/supremo_processes_sigma.yml", + "Description": "Detects potential processes activity of Supremo RMM tool" } ], "References": [ - "https://support.google.com/chrome/a/answer/2799701?hl=en" + "https://www.supremocontrol.com/frequently-asked-questions/" ], "Acknowledgement": [] }, { - "Name": "Remote Desktop Plus", - "Description": "Remote Desktop Plus is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "GoToAssist Agent Desktop Console", + "Description": "GoToAssist Agent Desktop Console is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -13726,41 +13743,23 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "rdp.exe" + "C:\\*\\G2RDesktopConsole-x64.msi", + "*\\G2RDesktopConsole-x64.msi" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "donkz.nl" - ], - "Ports": [] - } - ] + "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_desktop_plus_network_sigma.yml", - "Description": "Detects potential network activity of Remote Desktop Plus RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remote_desktop_plus_processes_sigma.yml", - "Description": "Detects potential processes activity of Remote Desktop Plus RMM tool" - } - ], - "References": [ - "https://www.donkz.nl/" - ], + "Detections": [], + "References": [], "Acknowledgement": [] }, { - "Name": "NateOn-desktop sharing", - "Description": "NateOn-desktop sharing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "RemoteView", + "Description": "RemoteView is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -13778,9 +13777,10 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "nateon*.exe", - "nateon.exe", - "nateonmain.exe" + "remoteview.exe", + "rv.exe", + "rvagent.exe", + "rvagtray.exe" ] }, "Artifacts": { @@ -13791,7 +13791,9 @@ { "Description": "Known remote domains", "Domains": [ - "*.nate.com" + "*content.rview.com", + "*.rview.com", + "content.rview.com" ], "Ports": [] } 
@@ -13799,25 +13801,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nateon-desktop_sharing_network_sigma.yml", - "Description": "Detects potential network activity of NateOn-desktop sharing RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteview_network_sigma.yml", + "Description": "Detects potential network activity of RemoteView RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/nateon-desktop_sharing_processes_sigma.yml", - "Description": "Detects potential processes activity of NateOn-desktop sharing RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/remoteview_processes_sigma.yml", + "Description": "Detects potential processes activity of RemoteView RMM tool" } ], "References": [ - "http://rsupport.nate.com/rview/r8/main/index.aspx" + "https://help.rview.com/hc/en-us/articles/360005175994--RemoteView-Server-list-for-firewall" ], "Acknowledgement": [] }, { - "Name": "Barracuda", - "Description": "Barracuda is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "VNC Connect", + "Description": "VNC Connect is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -13831,41 +13833,27 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "C:\\Program Files\\RealVNC\\VNC Server\\*", + "*\\RealVNC\\VNC Server\\*" + ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.islonline.net", - "rmm.barracudamsp.com", - "barracudamsp.com" - ], - "Ports": [] - } - ] + "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/barracuda_network_sigma.yml", - "Description": "Detects potential network activity of Barracuda RMM tool" - } - ], - "References": [ - "https://help.islonline.com/19799/166125" - ], + "Detections": [], + "References": [], "Acknowledgement": [] }, { - "Name": "CrossTec Remote Control", - "Description": "CrossTec Remote Control is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Syncthing", + "Description": "Syncthing is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -13880,46 +13868,32 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "PCIVIDEO.EXE", - "supporttool.exe" + "C:\\Users\\*\\AppData\\Roaming\\SyncTrayzor\\*", + "*Users\\*\\AppData\\Roaming\\SyncTrayzor\\*", + "*\\Syncthing.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "user_managed", - "crosstecsoftware.com/remotecontrol" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crosstec_remote_control_network_sigma.yml", - "Description": "Detects potential network activity of CrossTec Remote Control RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crosstec_remote_control_processes_sigma.yml", - "Description": "Detects potential processes activity of CrossTec Remote Control RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/syncthing_processes_sigma.yml", + "Description": "Detects potential processes activity of Syncthing RMM tool" } ], - "References": [ - "www.crosstecsoftware.com/supporthome.html - domain DOA 2/1/2024" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "DeskDay", - "Description": "DeskDay is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "KHelpDesk", + "Description": "KHelpDesk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/26/2024", "Details": { "Website": "", "PEMetadata": { @@ -13934,7 +13908,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ultimate_*.exe" + "KHelpDesk.exe" ] }, "Artifacts": { 
@@ -13945,8 +13919,7 @@ { "Description": "Known remote domains", "Domains": [ - "deskday.ai", - "app.deskday.ai" + "*.khelpdesk.com.br" ], "Ports": [] } @@ -13954,22 +13927,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskday_network_sigma.yml", - "Description": "Detects potential network activity of DeskDay RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/khelpdesk_network_sigma.yml", + "Description": "Detects potential network activity of KHelpDesk RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/deskday_processes_sigma.yml", - "Description": "Detects potential processes activity of DeskDay RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/khelpdesk_processes_sigma.yml", + "Description": "Detects potential processes activity of KHelpDesk RMM tool" } ], "References": [ - "https://support.deskday.ai/en/articles/8235973-installing-the-end-user-application-ultimate" + "https://www.khelpdesk.com.br/en-us" ], "Acknowledgement": [] }, { - "Name": "mRemoteNG", - "Description": "mRemoteNG is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Netop Remote Control (Impero Connect)", + "Description": "Netop Remote Control (Impero Connect) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", 
@@ -13987,42 +13960,27 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "mRemoteNG.exe", - "C:\\Program Files (x86)\\mRemoteNG\\*", - "*\\mRemoteNG\\*", - "*\\mRemoteNG.exe", - "c:\\Program Files (x86)%\\mRemoteNG", - "*%\\mRemoteNG", - "mRemoteNG-Installer-*.msi", - "*\\mRemoteNG.exe" + "nhostsvc.exe", + "nhstw32.exe", + "ngstw32.exe", + "Netop Ondemand.exe", + "nldrw32.exe", + "rmserverconsolemediator.exe", + "ImperoInit.exe", + "Connect.Backdrop.cloud*.exe", + "ImperoClientSVC.exe" ] }, "Artifacts": { - "Disk": [ - { - "File": "C:\\Users\\*\\AppData\\Roaming\\mRemoteNG\\mRemoteNG.log", - "Description": "mRemoteNG log file", - "OS": "Windows" - }, - { - "File": "C:\\Users\\*\\AppData\\Roaming\\mRemoteNG\\confCons.xml", - "Description": "mRemoteNG configuration file", - "OS": "Windows" - }, - { - "File": "C:\\Users\\*\\AppData\\*\\mRemoteNG\\**10\\user.config", - "Description": "mRemoteNG user configuration file", - "OS": "Windows" - } - ], + "Disk": [], "EventLog": [], "Registry": [], "Network": [ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "mremoteng.org" + "*.connect.backdrop.cloud", + "*.netop.com" ], "Ports": [] } 
@@ -14030,26 +13988,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_network_sigma.yml", - "Description": "Detects potential network activity of mRemoteNG RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_files_sigma.yml", - "Description": "Detects potential files activity of mRemoteNG RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__impero_connect__network_sigma.yml", + "Description": "Detects potential network activity of Netop Remote Control (Impero Connect) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mremoteng_processes_sigma.yml", - "Description": "Detects potential processes activity of mRemoteNG RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netop_remote_control__impero_connect__processes_sigma.yml", + "Description": "Detects potential processes activity of Netop Remote Control (Impero Connect) RMM tool" } ], "References": [ - "https://github.com/mRemoteNG/mRemoteNG" + "https://kb.netop.com/article/firewall-and-proxy-server-considerations-when-using-netop-portal-communication-373.html" ], "Acknowledgement": [] }, { - "Name": "FreeNX", - "Description": "FreeNX is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Bitvise SSH Server", + "Description": "Bitvise SSH Server is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", @@ -14067,8 +14021,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\*\\nxplayer.exe", - "*\\nxplayer.exe" + "C:\\Program Files\\Bitvise SSH Server\\*", + "*\\Bitvise SSH Server\\*", + "*\\BvSshServer-Inst.exe" ] }, "Artifacts": { 
@@ -14079,19 +14034,19 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/freenx_processes_sigma.yml", - "Description": "Detects potential processes activity of FreeNX RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bitvise_ssh_server_processes_sigma.yml", + "Description": "Detects potential processes activity of Bitvise SSH Server RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "NetSupport Manager", - "Description": "NetSupport Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Apple Remote Desktop", + "Description": "Apple Remote Desktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "2/24/2024", "Details": { "Website": "", "PEMetadata": { @@ -14106,9 +14061,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "pcictlui.exe", - "client32.exe", - "pcicfgui.exe" + "ARDAgent.app" ] }, "Artifacts": { @@ -14119,9 +14072,7 @@ { "Description": "Known remote domains", "Domains": [ - "geo.netsupportsoftware.com", - "netsupportmanager.com", - "*.netsupportmanager.com" + "user_managed" ], "Ports": [] } 
@@ -14129,22 +14080,52 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_network_sigma.yml", - "Description": "Detects potential network activity of NetSupport Manager RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_processes_sigma.yml", - "Description": "Detects potential processes activity of NetSupport Manager RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/apple_remote_desktop_network_sigma.yml", + "Description": "Detects potential network activity of Apple Remote Desktop RMM tool" } ], "References": [ - "https://www.netsupportmanager.com/resources/" + "https://support.apple.com/guide/remote-desktop/install-and-set-up-remote-desktop-apdf49e03a4/mac" ], "Acknowledgement": [] }, { - "Name": "rdp2tcp", - "Description": "rdp2tcp is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Chrome SSH Extension", + "Description": "Chrome SSH Extension is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "", + "Details": { + "Website": "", + "PEMetadata": { + "Filename": "", + "OriginalFileName": "", + "Description": "" + }, + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], + "InstallationPaths": [ + "C:\\Users\\*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\iodihamcpbpeioajjeobimgagajmlibd*", + "*Users\\*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\iodihamcpbpeioajjeobimgagajmlibd*" + ] + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [], + "References": [], + "Acknowledgement": [] + }, + { + "Name": "NetSupport Manager", + "Description": "NetSupport Manager is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -14162,8 +14143,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "tdp2tcp.exe", - "rdp2tcp.py" + "pcictlui.exe", + "client32.exe", + "pcicfgui.exe" ] }, "Artifacts": { @@ -14174,8 +14156,9 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "github.com/V-E-O/rdp2tcp" + "geo.netsupportsoftware.com", + "netsupportmanager.com", + "*.netsupportmanager.com" ], "Ports": [] } 
@@ -14183,25 +14166,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdp2tcp_network_sigma.yml", - "Description": "Detects potential network activity of rdp2tcp RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_network_sigma.yml", + "Description": "Detects potential network activity of NetSupport Manager RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rdp2tcp_processes_sigma.yml", - "Description": "Detects potential processes activity of rdp2tcp RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/netsupport_manager_processes_sigma.yml", + "Description": "Detects potential processes activity of NetSupport Manager RMM tool" } ], "References": [ - "github.com/V-E-O/rdp2tcp" + "https://www.netsupportmanager.com/resources/" ], "Acknowledgement": [] }, { - "Name": "ITSupport247 (ConnectWise)", - "Description": "ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ESET Remote Administrator", + "Description": "ESET Remote Administrator is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/7/2024", "Details": { "Website": "", "PEMetadata": { @@ -14216,7 +14199,11 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "saazapsc.exe" + "era.exe", + "einstaller.exe", + "ezhelp*.exe", + "eratool.exe", + "ERAAgent.exe" ] }, "Artifacts": { @@ -14227,8 +14214,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.itsupport247.net", - "itsupport247.net" + "user_managed", + "eset.com/me/business/remote-management/remote-administrator/" ], "Ports": [] } 
@@ -14236,25 +14223,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__network_sigma.yml", - "Description": "Detects potential network activity of ITSupport247 (ConnectWise) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_network_sigma.yml", + "Description": "Detects potential network activity of ESET Remote Administrator RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__processes_sigma.yml", - "Description": "Detects potential processes activity of ITSupport247 (ConnectWise) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/eset_remote_administrator_processes_sigma.yml", + "Description": "Detects potential processes activity of ESET Remote Administrator RMM tool" } ], "References": [ - "https://control.itsupport247.net/" + "eset.com/me/business/remote-management/remote-administrator/" ], "Acknowledgement": [] }, { - "Name": "Pulseway", - "Description": "Pulseway is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Yandex.Disk", + "Description": "Yandex.Disk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -14269,42 +14256,29 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "PCMonitorManager.exe", - "pcmonitorsrv.exe" + "C:\\Program Files (x86)\\Yandex\\*", + "*\\Yandex\\*", + "*\\YandexDisk2.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "pulseway.com" - ], - "Ports": [] - } - ] + "Network": [] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pulseway_network_sigma.yml", - "Description": "Detects potential network activity of Pulseway RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pulseway_processes_sigma.yml", - "Description": "Detects potential processes activity of Pulseway RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/yandex.disk_processes_sigma.yml", + "Description": "Detects potential processes activity of Yandex.Disk RMM tool" } ], - "References": [ - "https://intercom.help/pulseway/en/" - ], + "References": [], "Acknowledgement": [] }, { - "Name": "Naverisk", - "Description": "Naverisk is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "N-Able Advanced Monitoring Agent", + "Description": "N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -14322,7 +14296,13 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "AgentSetup-*.exe" + "BASupSrvc.exe", + "winagent.exe", + "BASupApp.exe", + "BASupTSHelper.exe", + "Agent_*_RW.exe", + "BASEClient.exe", + "BASupSrvcCnfg.exe" ] }, "Artifacts": { 
@@ -14333,8 +14313,25 @@ { "Description": "Known remote domains", "Domains": [ - "user_managed", - "naverisk.com" + "*.beanywhere.com ", + "systemmonitor.co.uk", + "*system-monitor.com", + "cloudbackup.management", + "*systemmonitor.co.uk", + "n-able.com", + "systemmonitor.us", + "*systemmonitor.eu.com", + "*.logicnow.com", + "*.swi-tc.com", + "*remote.management", + "systemmonitor.us.cdn.cloudflare.net", + "*cloudbackup.management", + "remote.management", + "logicnow.com", + "system-monitor.com", + "*systemmonitor.us", + "systemmonitor.eu.com", + "*.n-able.com" ], "Ports": [] } 
@@ -14342,25 +14339,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/naverisk_network_sigma.yml", - "Description": "Detects potential network activity of Naverisk RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_network_sigma.yml", + "Description": "Detects potential network activity of N-Able Advanced Monitoring Agent RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/naverisk_processes_sigma.yml", - "Description": "Detects potential processes activity of Naverisk RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/n-able_advanced_monitoring_agent_processes_sigma.yml", + "Description": "Detects potential processes activity of N-Able Advanced Monitoring Agent RMM tool" } ], "References": [ - "http://kb.naverisk.com/en/articles/2811223-deploying-naverisk-agents" + "https://documentation.n-able.com/takecontrol/troubleshooting/Content/kb/Take-Control-Standalone-Ports-and-Domains-Firewall-and-AV-Exclusions.htm" ], "Acknowledgement": [] }, { - "Name": "Total Software Deployment", - "Description": "Total Software Deployment is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "MyIVO", + "Description": "MyIVO is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/9/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -14375,30 +14372,42 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\ProgramData\\Total Software Deployment\\*", - "*\\Total Software Deployment\\*", - "*\\tniwinagent.exe", - "*\\Tsdservice.exe" + "myivomgr.exe", + "myivomanager.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "myivo-server.software.informer.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/total_software_deployment_processes_sigma.yml", - "Description": "Detects potential processes activity of Total Software Deployment RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/myivo_network_sigma.yml", + "Description": "Detects potential network activity of MyIVO RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/myivo_processes_sigma.yml", + "Description": "Detects potential processes activity of MyIVO RMM tool" } ], - "References": [], + "References": [ + "myivo.com - DOA as of 2024" + ], "Acknowledgement": [] }, { - "Name": "ISL Online", - "Description": "ISL Online is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ITSupport247 (ConnectWise)", + "Description": "ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/8/2024", @@ -14416,13 +14425,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "islalwaysonmonitor.exe", - "isllight.exe", - "isllightservice.exe", - "ISLLightClient.exe", - "C:\\Program Files (x86)\\ISL Online\\ISL Light*", - "*\\ISL Online\\ISL Light*", - "*\\ISLLight.exe" + "saazapsc.exe" ] }, "Artifacts": { 
@@ -14433,8 +14436,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.islonline.com", - "*.islonline.net" + "*.itsupport247.net" ], "Ports": [] } @@ -14442,25 +14444,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_network_sigma.yml", - "Description": "Detects potential network activity of ISL Online RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__network_sigma.yml", + "Description": "Detects potential network activity of ITSupport247 (ConnectWise) RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/isl_online_processes_sigma.yml", - "Description": "Detects potential processes activity of ISL Online RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/itsupport247__connectwise__processes_sigma.yml", + "Description": "Detects potential processes activity of ITSupport247 (ConnectWise) RMM tool" } ], "References": [ - "https://help.islonline.com/19818/165940" + "https://control.itsupport247.net/" ], "Acknowledgement": [] }, { - "Name": "NinjaOne (formerly NinjaRMM)", - "Description": "NinjaOne (formerly NinjaRMM) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "VNC", + "Description": "VNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -14475,22 +14477,48 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "*ProgramData\\NinjaRMMAgent\\*" + "winvnc*.exe", + "vncserver.exe", + "winwvc.exe", + "winvncsc.exe", + "vncserverui.exe", + "vncviewer.exe", + "winvnc.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "user_managed", + "realvnc.com/en/connect/download/vnc" + ], + "Ports": [] + } + ] }, - "Detections": [], - "References": [], + "Detections": [ + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/vnc_network_sigma.yml", + "Description": "Detects potential network activity of VNC RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/vnc_processes_sigma.yml", + "Description": "Detects potential processes activity of VNC RMM tool" + } + ], + "References": [ + "https://realvnc.com/en/connect/download/vnc" + ], "Acknowledgement": [] }, { - "Name": "QQ IM-remote assistance", - "Description": "QQ IM-remote assistance is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "ServerEye", + "Description": "ServerEye is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/9/2024", @@ -14508,9 +14536,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "qq.exe", - "QQProtect.exe", - "qqpcmgr.exe" + "servereye*.exe", + "ServiceProxyLocalSys.exe" ] }, "Artifacts": { @@ -14521,10 +14548,7 @@ { "Description": "Known remote domains", "Domains": [ - "*.mdt.qq.com", - "*.desktop.qq.com", - "upload_data.qq.com", - "qq-messenger.en.softonic.com" + "*.server-eye.de" ], "Ports": [] } 
@@ -14532,25 +14556,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/qq_im-remote_assistance_network_sigma.yml", - "Description": "Detects potential network activity of QQ IM-remote assistance RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/servereye_network_sigma.yml", + "Description": "Detects potential network activity of ServerEye RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/qq_im-remote_assistance_processes_sigma.yml", - "Description": "Detects potential processes activity of QQ IM-remote assistance RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/servereye_processes_sigma.yml", + "Description": "Detects potential processes activity of ServerEye RMM tool" } ], "References": [ - "https://en.wikipedia.org/wiki/Tencent_QQ" + "https://www.servereye.de/wp-content/uploads/Anleitung-zur-Erstinstallation_aktuell.pdf" ], "Acknowledgement": [] }, { - "Name": "Microsoft RDP", - "Description": "Microsoft RDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Rapid7", + "Description": "Rapid7 is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/8/2024", + "LastModified": "2/14/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -14565,34 +14589,47 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "termsrv.exe", - "mstsc.exe", - "Microsoft Remote Desktop" + "ir_agent.exe", + "rapid7_agent_core.exe", + "rapid7_endpoint_broker.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*.analytics.insight.rapid7.com", + "*.endpoint.ingress.rapid7.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_rdp_processes_sigma.yml", - "Description": "Detects potential processes activity of Microsoft RDP RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rapid7_network_sigma.yml", + "Description": "Detects potential network activity of Rapid7 RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rapid7_processes_sigma.yml", + "Description": "Detects potential processes activity of Rapid7 RMM tool" } ], "References": [ - "https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/windows" + "https://docs.rapid7.com/insightvm/configure-communications-with-the-insight-platform/" ], "Acknowledgement": [] }, { - "Name": "RuDesktop", - "Description": "RuDesktop is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "GoToAssist (GoTo Resolve)", + "Description": "GoToAssist (GoTo Resolve) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/9/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -14607,43 +14644,24 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "rd.exe", - "rudesktop*.exe" + "C:\\ProgramFiles*\\GoTo Machine Installer\\*", + "*\\GoTo Machine Installer\\*", + "*\\GoTo\\*" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "*.rudesktop.ru", - "rudesktop.ru" - ], - "Ports": [] - } - ] + "Network": [] }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rudesktop_network_sigma.yml", - "Description": "Detects potential network activity of RuDesktop RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/rudesktop_processes_sigma.yml", - "Description": "Detects potential processes activity of RuDesktop RMM tool" - } - ], - "References": [ - "https://rudesktop.ru" - ], + "Detections": [], + "References": [], "Acknowledgement": [] }, { - "Name": "BeyondTrust (Bomgar)", - "Description": "BeyondTrust (Bomgar) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "GetScreen", + "Description": "GetScreen is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/7/2024", @@ -14661,11 +14679,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "bomgar-scc-*.exe", - "bomgar-scc.exe", - "bomgar-pac-*.exe", - "bomgar-pac.exe", - "bomgar-rdp.exe" + "GetScreen.exe", + "getscreen.exe" ] }, "Artifacts": { @@ -14676,9 +14691,9 @@ { "Description": "Known remote domains", "Domains": [ - "*.beyondtrustcloud.com", - "*.bomgarcloud.com", - "bomgarcloud.com" + "getscreen.me", + "GetScreen.me", + "*.getscreen.me" ], "Ports": [] } 
@@ -14686,25 +14701,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__network_sigma.yml", - "Description": "Detects potential network activity of BeyondTrust (Bomgar) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/getscreen_network_sigma.yml", + "Description": "Detects potential network activity of GetScreen RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/beyondtrust__bomgar__processes_sigma.yml", - "Description": "Detects potential processes activity of BeyondTrust (Bomgar) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/getscreen_processes_sigma.yml", + "Description": "Detects potential processes activity of GetScreen RMM tool" } ], "References": [ - "https://www.beyondtrust.com/docs/remote-support/getting-started/deployment/cloud/network.htm" + "https://docs.getscreen.me/self-hosted/system-requirements/" ], "Acknowledgement": [] }, { - "Name": "TightVNC", - "Description": "TightVNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "MobaXterm", + "Description": "MobaXterm is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/14/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { 
@@ -14719,108 +14734,55 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "tvnviewer.exe", - "TightVNCViewerPortable*.exe", - "tvnserver.exe" - ] - }, - "Artifacts": { - "Disk": [], - "EventLog": [], - "Registry": [], - "Network": [ - { - "Description": "Known remote domains", - "Domains": [ - "user_managed", - "tightvnc.com" - ], - "Ports": [] - } + "C:\\*\\MobaXterm_installer_12.1.msi", + "*\\MobaXterm_installer_*.msi", + "*\\Mobatek\\MobaXterm\\*" ] - }, - "Detections": [ - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tightvnc_network_sigma.yml", - "Description": "Detects potential network activity of TightVNC RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/tightvnc_processes_sigma.yml", - "Description": "Detects potential processes activity of TightVNC RMM tool" - } - ], - "References": [ - "https://www.tightvnc.com/doc/win/TightVNC_for_Windows-Installation_and_Getting_Started.pdf" - ], + }, + "Artifacts": { + "Disk": [], + "EventLog": [], + "Registry": [], + "Network": [] + }, + "Detections": [], + "References": [], "Acknowledgement": [] }, { - "Name": "MeshCentral", - "Description": "MeshCentral is a remote monitoring and management (RMM) tool. MeshAgent used along with MeshCentral to remotely manage computers. MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.\n", - "Author": "@kostastsale", - "Created": "2024-09-20", - "LastModified": "2024-09-20", + "Name": "CrossTec Remote Control", + "Description": "CrossTec Remote Control is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes available.", + "Author": "", + "Created": "", + "LastModified": "2/7/2024", "Details": { - "Website": "https://meshcentral.com/", + "Website": "", "PEMetadata": { - "Filename": "MeshAgent.exe", + "Filename": "", "OriginalFileName": "", - "Description": "MeshCentral Background Service Agent" + "Description": "" }, - "Privileges": "SYSTEM", - "Free": "Yes", - "Verification": "N/A", - "SupportedOS": [ - "Windows", - "Linux", - "MacOS", - "FreeBSD" - ], - "Capabilities": [ - "Remote Desktop & Terminal", - "Remote File Access", - "Text and Voice Chat", - "Server File Storage", - "Real-time User interface", - "Port Forwarding" - ], - "Vulnerabilities": [ - "CVE-2024-26135" - ], + "Privileges": "", + "Free": "", + "Verification": "", + "SupportedOS": [], + "Capabilities": [], + "Vulnerabilities": [], "InstallationPaths": [ - "meshcentral*.exe", - "meshagent*.exe" + "PCIVIDEO.EXE", + "supporttool.exe" ] }, "Artifacts": { - "Disk": [ - { - "File": "C:\\Program Files\\Mesh Agent\\MeshAgent.exe", - "Description": "Local MeshAgent service binary after installation", - "OS": "Windows" - }, - { - "File": "C:\\Program Files\\Mesh Agent\\MeshAgent.msh", - "Description": "Local MeshAgent service configuration file. Contains configuration settings including the MeshCentral server address, port, and other settings. If the MeshAgent is run without being installed, the configuration file is created in the same directory as the MeshAgent binary.", - "OS": "Windows" - } - ], - "EventLog": [ - { - "EventID": 7045, - "ProviderName": "Service Control Manager", - "LogFile": "System.evtx", - "ServiceName": "Mesh Agent background service", - "ImagePath": "\"C:\\\\Program Files\\\\Mesh Agent\\\\MeshAgent.exe\"", - "Description": "Service installation event as result of MeshAgent installation." 
- } - ], + "Disk": [], + "EventLog": [], + "Registry": [], "Network": [ { "Description": "Known remote domains", "Domains": [ "user_managed", - "meshcentral.com" + "crosstecsoftware.com/remotecontrol" ], "Ports": [] } 
@@ -14828,35 +14790,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_network_sigma.yml", - "Description": "Detects potential network activity of MeshCentral RMM tool" - }, - { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/meshcentral_processes_sigma.yml", - "Description": "Detects potential processes activity of MeshCentral RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crosstec_remote_control_network_sigma.yml", + "Description": "Detects potential network activity of CrossTec Remote Control RMM tool" }, { - "Sigma": "https://github.com/tsale/Sigma_rules/blob/main/Threat%20Hunting%20Queries/proc_creation_windows_meshagent.yml", - "Description": "Detects MeshAgent Command Execution via MeshCentral" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/crosstec_remote_control_processes_sigma.yml", + "Description": "Detects potential processes activity of CrossTec Remote Control RMM tool" } ], "References": [ - "https://ylianst.github.io/MeshCentral/meshcentral/", - "https://github.com/Ylianst/MeshAgent" + "www.crosstecsoftware.com/supporthome.html - domain DOA 2/1/2024" ], - "Acknowledgement": [ - { - "Person": "Kostas", - "Handle": "@kostastsale" - } - ] + "Acknowledgement": [] }, { - "Name": "Dev Tunnels (aka Visual Studio Dev Tunnel)", - "Description": "Dev Tunnels (aka Visual Studio Dev Tunnel) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Absolute (Computrace)", + "Description": "Absolute (Computrace) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "6/18/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -14870,7 +14822,13 @@ "SupportedOS": [], "Capabilities": [], "Vulnerabilities": [], - "InstallationPaths": [] + "InstallationPaths": [ + "rpcnet.exe", + "ctes.exe", + "ctespersitence.exe", + "cteshostsvc.exe", + "rpcld.exe" + ] }, "Artifacts": { "Disk": [], @@ -14880,7 +14838,8 @@ { "Description": "Known remote domains", "Domains": [ - "learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview" + "*search.namequery.com", + "*server.absolute.com" ], "Ports": [] } @@ -14888,16 +14847,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dev_tunnels__aka_visual_studio_dev_tunnel__network_sigma.yml", - "Description": "Detects potential network activity of Dev Tunnels (aka Visual Studio Dev Tunnel) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/absolute__computrace__network_sigma.yml", + "Description": "Detects potential network activity of Absolute (Computrace) RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/absolute__computrace__processes_sigma.yml", + "Description": "Detects potential processes activity of Absolute (Computrace) RMM tool" } ], - "References": [], + "References": [ + "https://community.absolute.com/s/article/Understanding-Absolutes-Endpoint-Agents-Rpcnet-CTES-and-search-namequery-com" + ], "Acknowledgement": [] }, { - "Name": "CarotDAV", - "Description": "CarotDAV is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Xshell", + "Description": "Xshell is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "", 
@@ -14915,9 +14880,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files (x86)\\Rei Software\\CarotDAV\\*", - "*\\Rei Software\\CarotDAV\\*", - "*\\CarotDAV.exe" + "C:\\Program Files (x86)\\NetSarang\\xShell\\*", + "*\\NetSarang\\xShell\\*", + "*\\xShell.exe" ] }, "Artifacts": { @@ -14928,19 +14893,19 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/carotdav_processes_sigma.yml", - "Description": "Detects potential processes activity of CarotDAV RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/xshell_processes_sigma.yml", + "Description": "Detects potential processes activity of Xshell RMM tool" } ], "References": [], "Acknowledgement": [] }, { - "Name": "Bitvise SSH Server", - "Description": "Bitvise SSH Server is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "MyGreenPC", + "Description": "MyGreenPC is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "", + "LastModified": "2/26/2024", "Details": { "Website": "", "PEMetadata": { 
@@ -14955,32 +14920,44 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "C:\\Program Files\\Bitvise SSH Server\\*", - "*\\Bitvise SSH Server\\*", - "*\\BvSshServer-Inst.exe" + "mygreenpc.exe" ] }, "Artifacts": { "Disk": [], "EventLog": [], "Registry": [], - "Network": [] + "Network": [ + { + "Description": "Known remote domains", + "Domains": [ + "*mygreenpc.com" + ], + "Ports": [] + } + ] }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/bitvise_ssh_server_processes_sigma.yml", - "Description": "Detects potential processes activity of Bitvise SSH Server RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mygreenpc_network_sigma.yml", + "Description": "Detects potential network activity of MyGreenPC RMM tool" + }, + { + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/mygreenpc_processes_sigma.yml", + "Description": "Detects potential processes activity of MyGreenPC RMM tool" } ], - "References": [], + "References": [ + "http://www.mygreenpc.com/" + ], "Acknowledgement": [] }, { - "Name": "Pandora RC (eHorus)", - "Description": "Pandora RC (eHorus) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Level.io", + "Description": "Level.io is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "2/8/2024", "Details": { "Website": "", "PEMetadata": { @@ -14995,8 +14972,9 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "ehorus standalone.exe", - "ehorus_agent.exe" + "level-windows-amd64.exe", + "level.exe", + "level-remote-control-ffmpeg.exe" ] }, "Artifacts": { @@ -15007,7 +14985,8 @@ { "Description": "Known remote domains", "Domains": [ - "portal.ehorus.com" + "level.io", + "*.level.io" ], "Ports": [] } 
@@ -15015,25 +14994,25 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pandora_rc__ehorus__network_sigma.yml", - "Description": "Detects potential network activity of Pandora RC (eHorus) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_network_sigma.yml", + "Description": "Detects potential network activity of Level.io RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/pandora_rc__ehorus__processes_sigma.yml", - "Description": "Detects potential processes activity of Pandora RC (eHorus) RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/level.io_processes_sigma.yml", + "Description": "Detects potential processes activity of Level.io RMM tool" } ], "References": [ - "https://pandorafms.com/manual/!current/en/documentation/09_pandora_rc/01_pandora_rc_introduction" + "https://docs.level.io/1.0/admin-guides/troubleshooting-agent-issues" ], "Acknowledgement": [] }, { - "Name": "DW Service", - "Description": "DW Service is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Microsoft Quick Assist", + "Description": "Microsoft Quick Assist is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", - "LastModified": "2/7/2024", + "LastModified": "", "Details": { "Website": "", "PEMetadata": { @@ -15048,9 +15027,7 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "dwagsvc.exe", - "dwagent.exe", - "dwagsvc.exe" + "quickassist.exe" ] }, "Artifacts": { @@ -15061,7 +15038,8 @@ { "Description": "Known remote domains", "Domains": [ - "*.dwservice.net" + "user_managed", + "*.support.services.microsoft.com" ], "Ports": [] } 
@@ -15069,22 +15047,22 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_network_sigma.yml", - "Description": "Detects potential network activity of DW Service RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_quick_assist_network_sigma.yml", + "Description": "Detects potential network activity of Microsoft Quick Assist RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/dw_service_processes_sigma.yml", - "Description": "Detects potential processes activity of DW Service RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/microsoft_quick_assist_processes_sigma.yml", + "Description": "Detects potential processes activity of Microsoft Quick Assist RMM tool" } ], "References": [ - "https://news.dwservice.net/dwservice-security-infrastructure/" + "https://support.microsoft.com/en-us/windows/install-quick-assist-c17479b7-a49d-4d12-938c-dbfb97c88bca" ], "Acknowledgement": [] }, { - "Name": "Iperius Remote", - "Description": "Iperius Remote is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", + "Name": "Manage Engine (Desktop Central)", + "Description": "Manage Engine (Desktop Central) is a remote monitoring and management (RMM) tool. More information will be added as it becomes available.", "Author": "", "Created": "", "LastModified": "2/8/2024", @@ -15102,8 +15080,8 @@ "Capabilities": [], "Vulnerabilities": [], "InstallationPaths": [ - "iperius.exe", - "iperiusremote.exe" + "dcagentservice.exe", + "dcagentregister.exe" ] }, "Artifacts": { 
@@ -15114,10 +15092,12 @@ { "Description": "Known remote domains", "Domains": [ - "*.iperiusremote.com", - "*.iperius.com", - "*.iperius-rs.com", - "iperiusremote.com" + "desktopcentral.manageengine.com", + "desktopcentral.manageengine.com.eu", + "desktopcentral.manageengine.cn", + "*.dms.zoho.com", + "*.dms.zoho.com.eu", + "*.-dms.zoho.com.cn" ], "Ports": [] } @@ -15125,17 +15105,15 @@ }, "Detections": [ { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/iperius_remote_network_sigma.yml", - "Description": "Detects potential network activity of Iperius Remote RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktop_central_network_sigma.yml", + "Description": "Detects potential network activity of Desktop Central RMM tool" }, { - "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/iperius_remote_processes_sigma.yml", - "Description": "Detects potential processes activity of Iperius Remote RMM tool" + "Sigma": "https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/desktop_central_processes_sigma.yml", + "Description": "Detects potential processes activity of Desktop Central RMM tool" } ], - "References": [ - "https://www.iperiusremote.com/download-iperius-remote-desktop-windows.aspx" - ], + "References": [], "Acknowledgement": [] } ] \ No newline at end of file diff --git a/website/public/rmm_tools_table.csv b/website/public/rmm_tools_table.csv index a0e96b96..d107196c 100644 --- a/website/public/rmm_tools_table.csv +++ b/website/public/rmm_tools_table.csv 
@@ -1,272 +1,272 @@ Name,Category,Description,Author -[Rapid7](/rmm_tools/rapid7),,Rapid7 is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[SunLogin](/rmm_tools/sunlogin),,SunLogin is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[GoToAssist Agent Desktop Console](/rmm_tools/gotoassist_agent_desktop_console),,GoToAssist Agent Desktop Console is a remote monitoring and management (RMM) tool. More information ..., -[Kaseya (VSA)](/rmm_tools/kaseya__vsa_),,Kaseya (VSA) aka Unigma is a remote monitoring and management (RMM) tool. More information will be a...,Nasreddine Bencherchali -[PuTTY Tray](/rmm_tools/putty_tray),,PuTTY Tray is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[SysAid](/rmm_tools/sysaid),,SysAid is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[Domotz](/rmm_tools/domotz),,Domotz is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[BeyondTrust](/rmm_tools/beyondtrust),,BeyondTrust is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[Netop Remote Control (aka Impero Connect)](/rmm_tools/netop_remote_control__aka_impero_connect_),,Netop Remote Control (aka Impero Connect) is a remote monitoring and management (RMM) tool. More inf..., -[Microsoft TSC](/rmm_tools/microsoft_tsc),,Microsoft TSC is a remote monitoring and management (RMM) tool. More information will be added as it..., -[Jump Desktop](/rmm_tools/jump_desktop),,Jump Desktop is a remote monitoring and management (RMM) tool. More information will be added as it ..., -[IntelliAdmin Remote Control](/rmm_tools/intelliadmin_remote_control),,IntelliAdmin Remote Control is a remote monitoring and management (RMM) tool. 
More information will ..., -[Chrome SSH Extension](/rmm_tools/chrome_ssh_extension),,Chrome SSH Extension is a remote monitoring and management (RMM) tool. More information will be adde..., -[ZeroTier](/rmm_tools/zerotier),,ZeroTier is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Ericom AccessNow](/rmm_tools/ericom_accessnow),,Ericom AccessNow is a remote monitoring and management (RMM) tool. More information will be added as..., -[RealVNC](/rmm_tools/realvnc),,RealVNC is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[Pcnow](/rmm_tools/pcnow),,Pcnow is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., -[DesktopNow](/rmm_tools/desktopnow),,DesktopNow is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[Pocket Controller (Soti Xsight)](/rmm_tools/pocket_controller__soti_xsight_),,Pocket Controller (Soti Xsight) is a remote monitoring and management (RMM) tool. More information w..., -[Instant Housecall](/rmm_tools/instant_housecall),,Instant Housecall is a remote monitoring and management (RMM) tool. More information will be added a..., -[CentraStage (Now Datto)](/rmm_tools/centrastage__now_datto_),,CentraStage (Now Datto) is a remote monitoring and management (RMM) tool. More information will be a..., -[Insync](/rmm_tools/insync),,Insync is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[LogMeIn rescue](/rmm_tools/logmein_rescue),,LogMeIn rescue is a remote monitoring and management (RMM) tool. More information will be added as i..., +[LabTeach (Connectwise Automate)](/rmm_tools/labteach__connectwise_automate_),,LabTeach (Connectwise Automate) is a remote monitoring and management (RMM) tool. More information w..., +[Zabbix Agent](/rmm_tools/zabbix_agent),,Zabbix Agent is a remote monitoring and management (RMM) tool. 
More information will be added as it ..., +[Senso.cloud](/rmm_tools/senso.cloud),,Senso.cloud is a remote monitoring and management (RMM) tool. More information will be added as it b..., +[I'm InTouch](/rmm_tools/i'm_intouch),,I'm InTouch is a remote monitoring and management (RMM) tool. More information will be added as it b..., +[RustDesk](/rmm_tools/rustdesk),,RustDesk is a remote monitoring and management (RMM) tool. More information will be added as it beco..., [Electric AI (Kaseya)](/rmm_tools/electric_ai__kaseya_),,Electric AI (Kaseya) is a remote monitoring and management (RMM) tool. More information will be adde..., -[Adobe Connect](/rmm_tools/adobe_connect),,Adobe Connect is a remote monitoring and management (RMM) tool. More information will be added as it..., -[CloudFlare Tunnel](/rmm_tools/cloudflare_tunnel),,CloudFlare Tunnel is a remote monitoring and management (RMM) tool. More information will be added a..., -[mstsc](/rmm_tools/mstsc),,mstsc is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., -[Parallels Access](/rmm_tools/parallels_access),,Parallels Access is a remote monitoring and management (RMM) tool. More information will be added as..., -[ConnectWise Control](/rmm_tools/connectwise_control),,ConnectWise Control is a remote monitoring and management (RMM) tool. More information will be added..., -[Devolutions Remote Desktop Manager](/rmm_tools/devolutions_remote_desktop_manager),,Devolutions Remote Desktop Manager is a remote monitoring and management (RMM) tool. More informatio..., -[TigerVNC](/rmm_tools/tigervnc),,TigerVNC is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Rocket Remote Desktop](/rmm_tools/rocket_remote_desktop),,Rocket Remote Desktop is a remote monitoring and management (RMM) tool. 
More information will be add..., -[NoteOn-desktop sharing](/rmm_tools/noteon-desktop_sharing),,NoteOn-desktop sharing is a remote monitoring and management (RMM) tool. More information will be ad..., -[HelpU](/rmm_tools/helpu),,HelpU is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., -[Splashtop Remote](/rmm_tools/splashtop_remote),,Splashtop Remote is a remote monitoring and management (RMM) tool. More information will be added as..., -[X2Go](/rmm_tools/x2go),,X2Go is a remote monitoring and management (RMM) tool. More information will be added as it becomes ..., -[Pocket Controller](/rmm_tools/pocket_controller),,Pocket Controller is a remote monitoring and management (RMM) tool. More information will be added a..., -[Xshell](/rmm_tools/xshell),,Xshell is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[Bitvise SSH Client](/rmm_tools/bitvise_ssh_client),,Bitvise SSH Client is a remote monitoring and management (RMM) tool. More information will be added ..., -[Royal Server](/rmm_tools/royal_server),,Royal Server is a remote monitoring and management (RMM) tool. More information will be added as it ..., -[Remote Manipulator System](/rmm_tools/remote_manipulator_system),,Remote Manipulator System is a remote monitoring and management (RMM) tool. More information will be..., -[Manage Engine (Desktop Central)](/rmm_tools/manage_engine__desktop_central_),,Manage Engine (Desktop Central) is a remote monitoring and management (RMM) tool. More information w..., -[Auvik](/rmm_tools/auvik),,Auvik is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., -[Basecamp](/rmm_tools/basecamp),,Basecamp is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Free Tools Launcher](/rmm_tools/free_tools_launcher),,Free Tools Launcher is a remote monitoring and management (RMM) tool. 
More information will be added..., -[AnyDesk](/rmm_tools/anydesk),RMM,AnyDesk is a popular remote desktop software that enables users to access and control a computer or ...,"Ali Alwashali, Nasreddine Bencherchali" -[AnyViewer](/rmm_tools/anyviewer),,AnyViewer is a remote monitoring and management (RMM) tool. More information will be added as it bec...,@kostastsale -[Level](/rmm_tools/level),,Level is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., -[Site24x7](/rmm_tools/site24x7),,Site24x7 is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[ScreenConnect](/rmm_tools/screenconnect),,ScreenConnect is a remote monitoring and management (RMM) tool. More information will be added as it...,"Ali Alwashali, Nasreddine Bencherchali" -[SmartFTP](/rmm_tools/smartftp),,SmartFTP is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[SpyAnywhere](/rmm_tools/spyanywhere),,SpyAnywhere is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[NinjaRMM](/rmm_tools/ninjarmm),,NinjaRMM is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[CruzControl](/rmm_tools/cruzcontrol),,CruzControl is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[SimpleHelp](/rmm_tools/simplehelp),,SimpleHelp is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[ZOC](/rmm_tools/zoc),,ZOC is a remote monitoring and management (RMM) tool. More information will be added as it becomes a..., +[Any Support](/rmm_tools/any_support),,Any Support is a remote monitoring and management (RMM) tool. More information will be added as it b..., +[PDQ Connect](/rmm_tools/pdq_connect),,PDQ Connect is a remote monitoring and management (RMM) tool. 
More information will be added as it b..., +[Pcnow](/rmm_tools/pcnow),,Pcnow is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., +[Seetrol](/rmm_tools/seetrol),,Seetrol is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[CarotDAV](/rmm_tools/carotdav),,CarotDAV is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Goverlan](/rmm_tools/goverlan),,Goverlan is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[OptiTune](/rmm_tools/optitune),,OptiTune is a remote monitoring and management (RMM) tool. More information will be added as it beco..., [EMCO Remote Console](/rmm_tools/emco_remote_console),,EMCO Remote Console is a remote monitoring and management (RMM) tool. More information will be added..., -[ngrok](/rmm_tools/ngrok),,ngrok is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., -[Apple Remote Desktop](/rmm_tools/apple_remote_desktop),,Apple Remote Desktop is a remote monitoring and management (RMM) tool. More information will be adde..., -[Netviewer (GoToMeet)](/rmm_tools/netviewer__gotomeet_),,Netviewer (GoToMeet) is a remote monitoring and management (RMM) tool. More information will be adde..., -[NoMachine](/rmm_tools/nomachine),,NoMachine is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[N-Able Advanced Monitoring Agent](/rmm_tools/n-able_advanced_monitoring_agent),,N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. More information ..., +[Tailscale](/rmm_tools/tailscale),,Tailscale is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[Pilixo](/rmm_tools/pilixo),,Pilixo is a remote monitoring and management (RMM) tool. 
More information will be added as it become..., +[Remote Desktop Manager (Devolutions)](/rmm_tools/remote_desktop_manager__devolutions_),,Remote Desktop Manager (Devolutions) is a remote monitoring and management (RMM) tool. More informat..., +[BeyondTrust (Bomgar)](/rmm_tools/beyondtrust__bomgar_),,BeyondTrust (Bomgar) is a remote monitoring and management (RMM) tool. More information will be adde..., +[Alpemix](/rmm_tools/alpemix),,Alpemix is a remote monitoring and management (RMM) tool. More information will be added as it becom...,Nasreddine Bencherchali +[Auvik](/rmm_tools/auvik),,Auvik is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., +[Tactical RMM](/rmm_tools/tactical_rmm),,Tactical RMM is a remote monitoring and management (RMM) tool. More information will be added as it ..., [MioNet (WD Anywhere Access)](/rmm_tools/mionet__wd_anywhere_access_),,MioNet (WD Anywhere Access) is a remote monitoring and management (RMM) tool. More information will ..., -[Splashtop](/rmm_tools/splashtop),,Splashtop is a remote monitoring and management (RMM) tool. More information will be added as it bec...,Nasreddine Bencherchali -[RAdmin](/rmm_tools/radmin),,RAdmin is a remote monitoring and management (RMM) tool. More information will be added as it become...,Nasreddine Bencherchali -[LANDesk](/rmm_tools/landesk),,LANDesk is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[SuperOps](/rmm_tools/superops),,SuperOps is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Lite Manager](/rmm_tools/lite_manager),,Lite Manager is a remote monitoring and management (RMM) tool. More information will be added as it ..., -[Supremo](/rmm_tools/supremo),,Supremo is a remote monitoring and management (RMM) tool. 
More information will be added as it becom..., -[Chicken (of the VNC)](/rmm_tools/chicken__of_the_vnc_),,Chicken (of the VNC) is a remote monitoring and management (RMM) tool. More information will be adde..., -[KHelpDesk](/rmm_tools/khelpdesk),,KHelpDesk is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[TurboMeeting](/rmm_tools/turbomeeting),,TurboMeeting is a remote monitoring and management (RMM) tool. More information will be added as it ..., -[RPort](/rmm_tools/rport),,RPort is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., -[MioNet (Also known as WD Anywhere Access)](/rmm_tools/mionet__also_known_as_wd_anywhere_access_),,MioNet (Also known as WD Anywhere Access) is a remote monitoring and management (RMM) tool. More inf..., -[OCS inventory](/rmm_tools/ocs_inventory),,OCS inventory is a remote monitoring and management (RMM) tool. More information will be added as it..., -[RemotePass](/rmm_tools/remotepass),,RemotePass is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[GoToAssist (GoTo Resolve)](/rmm_tools/gotoassist__goto_resolve_),,GoToAssist (GoTo Resolve) is a remote monitoring and management (RMM) tool. More information will be..., [Comodo RMM](/rmm_tools/comodo_rmm),,Comodo RMM is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[ShowMyPC](/rmm_tools/showmypc),,ShowMyPC is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[ToDesk](/rmm_tools/todesk),,ToDesk is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[RunSmart](/rmm_tools/runsmart),,RunSmart is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[VNC Connect](/rmm_tools/vnc_connect),,VNC Connect is a remote monitoring and management (RMM) tool. 
More information will be added as it b..., -[Echoware](/rmm_tools/echoware),,Echoware is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Alpemix](/rmm_tools/alpemix),,Alpemix is a remote monitoring and management (RMM) tool. More information will be added as it becom...,Nasreddine Bencherchali -[Royal TS](/rmm_tools/royal_ts),,Royal TS is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[DragonDisk](/rmm_tools/dragondisk),,DragonDisk is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[Pcvisit](/rmm_tools/pcvisit),,Pcvisit is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[Connectwise Automate (LabTech)](/rmm_tools/connectwise_automate__labtech_),,Connectwise Automate (LabTech) is a remote monitoring and management (RMM) tool. More information wi..., -[DameWare](/rmm_tools/dameware),,DameWare is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Onionshare](/rmm_tools/onionshare),,Onionshare is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[Tailscale](/rmm_tools/tailscale),,Tailscale is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[Senso.cloud](/rmm_tools/senso.cloud),,Senso.cloud is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[UltraViewer](/rmm_tools/ultraviewer),,UltraViewer is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[KickIdler](/rmm_tools/kickidler),,KickIdler is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[Remmina](/rmm_tools/remmina),,Remmina is a remote monitoring and management (RMM) tool. 
More information will be added as it becom..., -[eHorus](/rmm_tools/ehorus),,eHorus is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[Quick Assist](/rmm_tools/quick_assist),,Quick Assist is a remote monitoring and management (RMM) tool. More information will be added as it ..., -[N-Able Advanced Monitoring Agent](/rmm_tools/n-able_advanced_monitoring_agent),,N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. More information ..., -[KiTTY](/rmm_tools/kitty),,KiTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., -[FleetDeck.io](/rmm_tools/fleetdeck.io),,FleetDeck.io is a remote monitoring and management (RMM) tool. More information will be added as it ..., -[TeleDesktop](/rmm_tools/teledesktop),,TeleDesktop is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[Remote Utilities](/rmm_tools/remote_utilities),,Remote Utilities is a remote monitoring and management (RMM) tool. More information will be added as..., -[NetSupport Manager](/rmm_tools/netsupport_manager),,NetSupport Manager is a remote monitoring and management (RMM) tool. More information will be added ..., +[Pocket Controller](/rmm_tools/pocket_controller),,Pocket Controller is a remote monitoring and management (RMM) tool. More information will be added a..., +[NordLocker](/rmm_tools/nordlocker),,NordLocker is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[OCS inventory](/rmm_tools/ocs_inventory),,OCS inventory is a remote monitoring and management (RMM) tool. More information will be added as it..., [GotoHTTP](/rmm_tools/gotohttp),,GotoHTTP is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[RemoteUtilities](/rmm_tools/remoteutilities),,RemoteUtilities is a remote monitoring and management (RMM) tool. 
More information will be added as ..., -[GoToMyPC](/rmm_tools/gotomypc),,GoToMyPC is a remote monitoring and management (RMM) tool. More information will be added as it beco...,Nasreddine Bencherchali -[SmartCode Web VNC](/rmm_tools/smartcode_web_vnc),,SmartCode Web VNC is a remote monitoring and management (RMM) tool. More information will be added a..., -[Seetrol](/rmm_tools/seetrol),,Seetrol is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[RDPView](/rmm_tools/rdpview),,RDPView is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[Zoho Assist](/rmm_tools/zoho_assist),,Zoho Assist is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[Xpra](/rmm_tools/xpra),,Xpra is a remote monitoring and management (RMM) tool. More information will be added as it becomes ..., -[DeskNets](/rmm_tools/desknets),,DeskNets is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[XRDP](/rmm_tools/xrdp),,XRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes ..., -[ManageEngine](/rmm_tools/manageengine),,ManageEngine is a remote monitoring and management (RMM) tool. More information will be added as it ..., -[Impero Connect](/rmm_tools/impero_connect),,Impero Connect is a remote monitoring and management (RMM) tool. More information will be added as i..., -[Remcos](/rmm_tools/remcos),,Remcos is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[PDQ Connect](/rmm_tools/pdq_connect),,PDQ Connect is a remote monitoring and management (RMM) tool. More information will be added as it b..., [Terminals](/rmm_tools/terminals),,Terminals is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[Syncro](/rmm_tools/syncro),,Syncro is a remote monitoring and management (RMM) tool. 
More information will be added as it become..., -[247ithelp.com (ConnectWise)](/rmm_tools/247ithelp.com__connectwise_),,247ithelp.com (ConnectWise) is a remote monitoring and management (RMM) tool. More information will ..., -[Netviewer](/rmm_tools/netviewer),,Netviewer is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[Syspectr](/rmm_tools/syspectr),,Syspectr is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[I'm InTouch](/rmm_tools/i'm_intouch),,I'm InTouch is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[ISL Light](/rmm_tools/isl_light),,ISL Light is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[Mocha VNC Lite](/rmm_tools/mocha_vnc_lite),,Mocha VNC Lite is a remote monitoring and management (RMM) tool. More information will be added as i..., -[Ericom Connect](/rmm_tools/ericom_connect),,Ericom Connect is a remote monitoring and management (RMM) tool. More information will be added as i..., -[Yandex.Disk](/rmm_tools/yandex.disk),,Yandex.Disk is a remote monitoring and management (RMM) tool. More information will be added as it b..., +[RPort](/rmm_tools/rport),,RPort is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., +[CentraStage (Now Datto)](/rmm_tools/centrastage__now_datto_),,CentraStage (Now Datto) is a remote monitoring and management (RMM) tool. More information will be a..., +[Instant Housecall](/rmm_tools/instant_housecall),,Instant Housecall is a remote monitoring and management (RMM) tool. More information will be added a..., +[CruzControl](/rmm_tools/cruzcontrol),,CruzControl is a remote monitoring and management (RMM) tool. More information will be added as it b..., +[Mikogo](/rmm_tools/mikogo),,Mikogo is a remote monitoring and management (RMM) tool. 
More information will be added as it become..., +[mRemoteNG](/rmm_tools/mremoteng),,mRemoteNG is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[LabTech RMM (Now ConnectWise Automate)](/rmm_tools/labtech_rmm__now_connectwise_automate_),,LabTech RMM (Now ConnectWise Automate) is a remote monitoring and management (RMM) tool. More inform..., +[ScreenMeet](/rmm_tools/screenmeet),,ScreenMeet is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[RES Automation Manager](/rmm_tools/res_automation_manager),,RES Automation Manager is a remote monitoring and management (RMM) tool. More information will be ad..., +[Anyplace Control](/rmm_tools/anyplace_control),,Anyplace Control is a remote monitoring and management (RMM) tool. More information will be added as..., +[TightVNC](/rmm_tools/tightvnc),,TightVNC is a remote monitoring and management (RMM) tool. More information will be added as it beco..., [LiteManager](/rmm_tools/litemanager),,LiteManager is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[BeAnyWhere](/rmm_tools/beanywhere),,BeAnyWhere is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[Sophos-Remote Management System](/rmm_tools/sophos-remote_management_system),,Sophos-Remote Management System is a remote monitoring and management (RMM) tool. More information w..., +[ManageEngine](/rmm_tools/manageengine),,ManageEngine is a remote monitoring and management (RMM) tool. More information will be added as it ..., +[Splashtop Remote](/rmm_tools/splashtop_remote),,Splashtop Remote is a remote monitoring and management (RMM) tool. More information will be added as..., +[rdp2tcp](/rmm_tools/rdp2tcp),,rdp2tcp is a remote monitoring and management (RMM) tool. 
More information will be added as it becom..., [Jump Cloud](/rmm_tools/jump_cloud),,Jump Cloud is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[Remote Desktop Manager (Devolutions)](/rmm_tools/remote_desktop_manager__devolutions_),,Remote Desktop Manager (Devolutions) is a remote monitoring and management (RMM) tool. More informat..., -[AweRay](/rmm_tools/aweray),,AweRay is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[Remobo](/rmm_tools/remobo),,Remobo is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[ESET Remote Administrator](/rmm_tools/eset_remote_administrator),,ESET Remote Administrator is a remote monitoring and management (RMM) tool. More information will be..., -[Ultra VNC](/rmm_tools/ultra_vnc),,Ultra VNC is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[pcAnywhere](/rmm_tools/pcanywhere),,pcAnywhere is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[Remote.it](/rmm_tools/remote.it),,Remote.it is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[RuDesktop](/rmm_tools/rudesktop),,RuDesktop is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[LogMeIn](/rmm_tools/logmein),,LogMeIn is a remote monitoring and management (RMM) tool. More information will be added as it becom...,Nasreddine Bencherchali +[SmartFTP](/rmm_tools/smartftp),,SmartFTP is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[NetSupport Manager](/rmm_tools/netsupport_manager),,NetSupport Manager is a remote monitoring and management (RMM) tool. More information will be added ..., +[Pocket Cloud (Wyse)](/rmm_tools/pocket_cloud__wyse_),,Pocket Cloud (Wyse) is a remote monitoring and management (RMM) tool. 
More information will be added..., [Guacamole](/rmm_tools/guacamole),,Guacamole is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[Addigy](/rmm_tools/addigy),,Addigy is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[AeroAdmin](/rmm_tools/aeroadmin),,AeroAdmin is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[LANDesk](/rmm_tools/landesk),,LANDesk is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[pcAnywhere](/rmm_tools/pcanywhere),,pcAnywhere is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[mstsc](/rmm_tools/mstsc),,mstsc is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., +[FreeNX](/rmm_tools/freenx),,FreeNX is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[PSEXEC (Clone)](/rmm_tools/psexec__clone_),,PSEXEC (Clone) is a remote monitoring and management (RMM) tool. More information will be added as i..., +[SpyAnywhere](/rmm_tools/spyanywhere),,SpyAnywhere is a remote monitoring and management (RMM) tool. More information will be added as it b..., +[MultCloud](/rmm_tools/multcloud),,MultCloud is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[Visual Studio Dev Tunnel](/rmm_tools/visual_studio_dev_tunnel),,Visual Studio Dev Tunnel is a remote monitoring and management (RMM) tool. More information will be ..., +[Xpra](/rmm_tools/xpra),,Xpra is a remote monitoring and management (RMM) tool. More information will be added as it becomes ..., +[Royal Apps](/rmm_tools/royal_apps),,Royal Apps is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[eHorus](/rmm_tools/ehorus),,eHorus is a remote monitoring and management (RMM) tool. 
More information will be added as it become..., +[SuperPuTTY](/rmm_tools/superputty),,SuperPuTTY is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[ZeroTier](/rmm_tools/zerotier),,ZeroTier is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Devolutions Remote Desktop Manager](/rmm_tools/devolutions_remote_desktop_manager),,Devolutions Remote Desktop Manager is a remote monitoring and management (RMM) tool. More informatio..., +[BeAnyWhere](/rmm_tools/beanywhere),,BeAnyWhere is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[WebEx (Remote Access)](/rmm_tools/webex__remote_access_),,WebEx (Remote Access) is a remote monitoring and management (RMM) tool. More information will be add..., +[AnyDesk](/rmm_tools/anydesk),RMM,AnyDesk is a popular remote desktop software that enables users to access and control a computer or ...,"Ali Alwashali, Nasreddine Bencherchali" +[Free Ping Tool](/rmm_tools/free_ping_tool),,Free Ping Tool is a remote monitoring and management (RMM) tool. More information will be added as i..., +[S3 Browser](/rmm_tools/s3_browser),,S3 Browser is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[NinjaOne (formerly NinjaRMM)](/rmm_tools/ninjaone__formerly_ninjarmm_),,NinjaOne (formerly NinjaRMM) is a remote monitoring and management (RMM) tool. More information will..., +[Adobe Connect](/rmm_tools/adobe_connect),,Adobe Connect is a remote monitoring and management (RMM) tool. More information will be added as it..., +[RemotePC](/rmm_tools/remotepc),,RemotePC is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[LogMeIn rescue](/rmm_tools/logmein_rescue),,LogMeIn rescue is a remote monitoring and management (RMM) tool. 
More information will be added as i..., +[UltraViewer](/rmm_tools/ultraviewer),,UltraViewer is a remote monitoring and management (RMM) tool. More information will be added as it b..., +[Pandora RC (eHorus)](/rmm_tools/pandora_rc__ehorus_),,Pandora RC (eHorus) is a remote monitoring and management (RMM) tool. More information will be added..., +[IntelliAdmin Remote Control](/rmm_tools/intelliadmin_remote_control),,IntelliAdmin Remote Control is a remote monitoring and management (RMM) tool. More information will ..., +[MEGAsync](/rmm_tools/megasync),,MEGAsync is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Encapto](/rmm_tools/encapto),,Encapto is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[ShowMyPC](/rmm_tools/showmypc),,ShowMyPC is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Lite Manager](/rmm_tools/lite_manager),,Lite Manager is a remote monitoring and management (RMM) tool. More information will be added as it ..., +[Netop Remote Control (aka Impero Connect)](/rmm_tools/netop_remote_control__aka_impero_connect_),,Netop Remote Control (aka Impero Connect) is a remote monitoring and management (RMM) tool. More inf..., +[GoToAssist](/rmm_tools/gotoassist),,GoToAssist is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[Ericom Connect](/rmm_tools/ericom_connect),,Ericom Connect is a remote monitoring and management (RMM) tool. More information will be added as i..., +[TeamViewer](/rmm_tools/teamviewer),,"TeamViewer is a remote monitoring and management (RMM) tool. +...","Nasreddine Bencherchali, Michael Haag" [Access Remote PC](/rmm_tools/access_remote_pc),,Access Remote PC is a remote monitoring and management (RMM) tool. 
More information will be added as..., -[Acronic Cyber Protect (Remotix)](/rmm_tools/acronic_cyber_protect__remotix_),,Acronic Cyber Protect (Remotix) is a remote monitoring and management (RMM) tool. More information w..., -[Instant Housecall](/rmm_tools/instant_housecall),,Instant Housecall is a remote monitoring and management (RMM) tool. More information will be added a..., -[SkyFex](/rmm_tools/skyfex),,SkyFex is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[PSEXEC](/rmm_tools/psexec),,PSEXEC is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[MSP360](/rmm_tools/msp360),,MSP360 is a remote monitoring and management (RMM) tool. More information will be added as it become..., [SecureCRT](/rmm_tools/securecrt),,SecureCRT is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[VNC](/rmm_tools/vnc),,VNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes a..., -[Panorama9](/rmm_tools/panorama9),,Panorama9 is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[FixMe.it](/rmm_tools/fixme.it),,FixMe.it is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[ISL Online](/rmm_tools/isl_online),,ISL Online is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[RES Automation Manager](/rmm_tools/res_automation_manager),,RES Automation Manager is a remote monitoring and management (RMM) tool. More information will be ad..., -[Atera](/rmm_tools/atera),,Atera is a remote monitoring and management (RMM) tool. It is used by threat actors to deploy ransom..., -[CrossLoop](/rmm_tools/crossloop),,CrossLoop is a remote monitoring and management (RMM) tool. 
More information will be added as it bec..., -[Level.io](/rmm_tools/level.io),,Level.io is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Tactical RMM](/rmm_tools/tactical_rmm),,Tactical RMM is a remote monitoring and management (RMM) tool. More information will be added as it ..., -[Fortra](/rmm_tools/fortra),,Fortra is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[Acronic Cyber Protect (Remotix)](/rmm_tools/acronic_cyber_protect__remotix_),,Acronic Cyber Protect (Remotix) is a remote monitoring and management (RMM) tool. More information w..., [Sorillus](/rmm_tools/sorillus),,Sorillus is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Barracuda](/rmm_tools/barracuda),,Barracuda is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[DeskDay](/rmm_tools/deskday),,DeskDay is a remote monitoring and management (RMM) tool. More information will be added as it becom..., [RemoteCall](/rmm_tools/remotecall),,RemoteCall is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[Laplink Everywhere](/rmm_tools/laplink_everywhere),,Laplink Everywhere is a remote monitoring and management (RMM) tool. More information will be added ..., -[MEGAsync](/rmm_tools/megasync),,MEGAsync is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Neturo](/rmm_tools/neturo),,Neturo is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[Distant Desktop](/rmm_tools/distant_desktop),,Distant Desktop is a remote monitoring and management (RMM) tool. More information will be added as ..., -[Anyplace Control](/rmm_tools/anyplace_control),,Anyplace Control is a remote monitoring and management (RMM) tool. 
More information will be added as..., -[JollysFastVNC](/rmm_tools/jollysfastvnc),,JollysFastVNC is a remote monitoring and management (RMM) tool. More information will be added as it..., -[ExtraPuTTY](/rmm_tools/extraputty),,ExtraPuTTY is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[rdpwrap](/rmm_tools/rdpwrap),,rdpwrap is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[N-ABLE Remote Access Software](/rmm_tools/n-able_remote_access_software),,N-ABLE Remote Access Software is a remote monitoring and management (RMM) tool. More information wil..., +[Splashtop](/rmm_tools/splashtop),,Splashtop is a remote monitoring and management (RMM) tool. More information will be added as it bec...,Nasreddine Bencherchali +[ManageEngine RMM Central](/rmm_tools/manageengine_rmm_central),,ManageEngine RMM Central is a remote monitoring and management (RMM) tool. More information will be ..., +[AeroAdmin](/rmm_tools/aeroadmin),,AeroAdmin is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[NoMachine](/rmm_tools/nomachine),,NoMachine is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[UltraVNC](/rmm_tools/ultravnc),,UltraVNC is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Instant Housecall](/rmm_tools/instant_housecall),,Instant Housecall is a remote monitoring and management (RMM) tool. More information will be added a..., +[NinjaRMM](/rmm_tools/ninjarmm),,NinjaRMM is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[ngrok](/rmm_tools/ngrok),,ngrok is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., +[Bitvise SSH Client](/rmm_tools/bitvise_ssh_client),,Bitvise SSH Client is a remote monitoring and management (RMM) tool. 
More information will be added ..., +[Chicken (of the VNC)](/rmm_tools/chicken__of_the_vnc_),,Chicken (of the VNC) is a remote monitoring and management (RMM) tool. More information will be adde..., +[SkyFex](/rmm_tools/skyfex),,SkyFex is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[Ericom AccessNow](/rmm_tools/ericom_accessnow),,Ericom AccessNow is a remote monitoring and management (RMM) tool. More information will be added as..., +[Microsoft RDP](/rmm_tools/microsoft_rdp),,Microsoft RDP is a remote monitoring and management (RMM) tool. More information will be added as it..., +[Royal Server](/rmm_tools/royal_server),,Royal Server is a remote monitoring and management (RMM) tool. More information will be added as it ..., [Solar-PuTTY](/rmm_tools/solar-putty),,Solar-PuTTY is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[TeamViewer](/rmm_tools/teamviewer),,"TeamViewer is a remote monitoring and management (RMM) tool. -...","Nasreddine Bencherchali, Michael Haag" -[Itarian](/rmm_tools/itarian),,Itarian is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[Visual Studio Dev Tunnel](/rmm_tools/visual_studio_dev_tunnel),,Visual Studio Dev Tunnel is a remote monitoring and management (RMM) tool. More information will be ..., +[Duplicati](/rmm_tools/duplicati),,Duplicati is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[Remote Desktop Plus](/rmm_tools/remote_desktop_plus),,Remote Desktop Plus is a remote monitoring and management (RMM) tool. More information will be added..., [ITSupport247 (ConnectWise)](/rmm_tools/itsupport247__connectwise_),,ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. More information will b..., -[LogMeIn](/rmm_tools/logmein),,LogMeIn is a remote monitoring and management (RMM) tool. 
More information will be added as it becom...,Nasreddine Bencherchali -[PuTTY](/rmm_tools/putty),,PuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., +[DesktopNow](/rmm_tools/desktopnow),,DesktopNow is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[Remmina](/rmm_tools/remmina),,Remmina is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[Distant Desktop](/rmm_tools/distant_desktop),,Distant Desktop is a remote monitoring and management (RMM) tool. More information will be added as ..., +[DameWare](/rmm_tools/dameware),,DameWare is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Level](/rmm_tools/level),,Level is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., +[Insync](/rmm_tools/insync),,Insync is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[ISL Online](/rmm_tools/isl_online),,ISL Online is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[Remote.it](/rmm_tools/remote.it),,Remote.it is a remote monitoring and management (RMM) tool. More information will be added as it bec..., [Netreo](/rmm_tools/netreo),,Netreo is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[Netop Remote Control (Impero Connect)](/rmm_tools/netop_remote_control__impero_connect_),,Netop Remote Control (Impero Connect) is a remote monitoring and management (RMM) tool. More informa..., -[Splashtop (Beta)](/rmm_tools/splashtop__beta_),,Splashtop (Beta) is a remote monitoring and management (RMM) tool. More information will be added as..., +[NoteOn-desktop sharing](/rmm_tools/noteon-desktop_sharing),,NoteOn-desktop sharing is a remote monitoring and management (RMM) tool. 
More information will be ad..., +[Royal TS](/rmm_tools/royal_ts),,Royal TS is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[DeskNets](/rmm_tools/desknets),,DeskNets is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[QQ IM-remote assistance](/rmm_tools/qq_im-remote_assistance),,QQ IM-remote assistance is a remote monitoring and management (RMM) tool. More information will be a..., +[PuTTY Tray](/rmm_tools/putty_tray),,PuTTY Tray is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[XRDP](/rmm_tools/xrdp),,XRDP is a remote monitoring and management (RMM) tool. More information will be added as it becomes ..., [FastViewer](/rmm_tools/fastviewer),,FastViewer is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[RustDesk](/rmm_tools/rustdesk),,RustDesk is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[MobaXterm](/rmm_tools/mobaxterm),,MobaXterm is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[GoToAssist](/rmm_tools/gotoassist),,GoToAssist is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[Free Ping Tool](/rmm_tools/free_ping_tool),,Free Ping Tool is a remote monitoring and management (RMM) tool. More information will be added as i..., -[HelpBeam](/rmm_tools/helpbeam),,HelpBeam is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Jump Desktop](/rmm_tools/jump_desktop),,Jump Desktop is a remote monitoring and management (RMM) tool. More information will be added as it ..., +[Ivanti Remote Control](/rmm_tools/ivanti_remote_control),,Ivanti Remote Control is a remote monitoring and management (RMM) tool. 
More information will be add..., +[BeInSync](/rmm_tools/beinsync),,BeInSync is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[NateOn-desktop sharing](/rmm_tools/nateon-desktop_sharing),,NateOn-desktop sharing is a remote monitoring and management (RMM) tool. More information will be ad..., +[Xeox](/rmm_tools/xeox),,Xeox is a remote monitoring and management (RMM) tool. More information will be added as it becomes ..., +[WinSCP](/rmm_tools/winscp),,WinSCP is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[DW Service](/rmm_tools/dw_service),,DW Service is a remote monitoring and management (RMM) tool. More information will be added as it be..., [NTR Remote](/rmm_tools/ntr_remote),,NTR Remote is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[ServerEye](/rmm_tools/servereye),,ServerEye is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[WebRDP](/rmm_tools/webrdp),,WebRDP is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[TurboMeeting](/rmm_tools/turbomeeting),,TurboMeeting is a remote monitoring and management (RMM) tool. More information will be added as it ..., +[RemoteUtilities](/rmm_tools/remoteutilities),,RemoteUtilities is a remote monitoring and management (RMM) tool. More information will be added as ..., +[Pulseway](/rmm_tools/pulseway),,Pulseway is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Panorama9](/rmm_tools/panorama9),,Panorama9 is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[Atera](/rmm_tools/atera),,Atera is a remote monitoring and management (RMM) tool. It is used by threat actors to deploy ransom..., +[JollysFastVNC](/rmm_tools/jollysfastvnc),,JollysFastVNC is a remote monitoring and management (RMM) tool. 
More information will be added as it..., +[RunSmart](/rmm_tools/runsmart),,RunSmart is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Chrome Remote Desktop](/rmm_tools/chrome_remote_desktop),,Chrome Remote Desktop is a remote monitoring and management (RMM) tool. More information will be add..., +[Netviewer (GoToMeet)](/rmm_tools/netviewer__gotomeet_),,Netviewer (GoToMeet) is a remote monitoring and management (RMM) tool. More information will be adde..., +[Netviewer](/rmm_tools/netviewer),,Netviewer is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[ConnectWise Control](/rmm_tools/connectwise_control),,ConnectWise Control is a remote monitoring and management (RMM) tool. More information will be added..., +[ExtraPuTTY](/rmm_tools/extraputty),,ExtraPuTTY is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[FleetDeck.io](/rmm_tools/fleetdeck.io),,FleetDeck.io is a remote monitoring and management (RMM) tool. More information will be added as it ..., +[HelpU](/rmm_tools/helpu),,HelpU is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., +[ToDesk](/rmm_tools/todesk),,ToDesk is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[RAdmin](/rmm_tools/radmin),,RAdmin is a remote monitoring and management (RMM) tool. More information will be added as it become...,Nasreddine Bencherchali +[CrossLoop](/rmm_tools/crossloop),,CrossLoop is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[Centurion](/rmm_tools/centurion),,Centurion is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[KickIdler](/rmm_tools/kickidler),,KickIdler is a remote monitoring and management (RMM) tool. 
More information will be added as it bec..., +[Syncro](/rmm_tools/syncro),,Syncro is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[AweRay](/rmm_tools/aweray),,AweRay is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[SunLogin](/rmm_tools/sunlogin),,SunLogin is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Koofr](/rmm_tools/koofr),,Koofr is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., +[SysAid](/rmm_tools/sysaid),,SysAid is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[Neturo](/rmm_tools/neturo),,Neturo is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[SmarTTY](/rmm_tools/smartty),,SmarTTY is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[Impero Connect](/rmm_tools/impero_connect),,Impero Connect is a remote monitoring and management (RMM) tool. More information will be added as i..., +[247ithelp.com (ConnectWise)](/rmm_tools/247ithelp.com__connectwise_),,247ithelp.com (ConnectWise) is a remote monitoring and management (RMM) tool. More information will ..., +[Remobo](/rmm_tools/remobo),,Remobo is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[Free Tools Launcher](/rmm_tools/free_tools_launcher),,Free Tools Launcher is a remote monitoring and management (RMM) tool. More information will be added..., +[Echoware](/rmm_tools/echoware),,Echoware is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Zoho Assist](/rmm_tools/zoho_assist),,Zoho Assist is a remote monitoring and management (RMM) tool. More information will be added as it b..., +[KiTTY](/rmm_tools/kitty),,KiTTY is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes..., +[SimpleHelp](/rmm_tools/simplehelp),,SimpleHelp is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[CloudFlare Tunnel](/rmm_tools/cloudflare_tunnel),,CloudFlare Tunnel is a remote monitoring and management (RMM) tool. More information will be added a..., [GoTo Opener](/rmm_tools/goto_opener),,GoTo Opener is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[S3 Browser](/rmm_tools/s3_browser),,S3 Browser is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[Any Support](/rmm_tools/any_support),,Any Support is a remote monitoring and management (RMM) tool. More information will be added as it b..., +[Pcvisit](/rmm_tools/pcvisit),,Pcvisit is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[Mocha VNC Lite](/rmm_tools/mocha_vnc_lite),,Mocha VNC Lite is a remote monitoring and management (RMM) tool. More information will be added as i..., +[Laplink Gold](/rmm_tools/laplink_gold),,Laplink Gold is a remote monitoring and management (RMM) tool. More information will be added as it ..., +[Iperius Remote](/rmm_tools/iperius_remote),,Iperius Remote is a remote monitoring and management (RMM) tool. More information will be added as i..., [BeamYourScreen](/rmm_tools/beamyourscreen),,BeamYourScreen is a remote monitoring and management (RMM) tool. More information will be added as i..., -[Sophos-Remote Management System](/rmm_tools/sophos-remote_management_system),,Sophos-Remote Management System is a remote monitoring and management (RMM) tool. More information w..., -[PSEXEC (Clone)](/rmm_tools/psexec__clone_),,PSEXEC (Clone) is a remote monitoring and management (RMM) tool. More information will be added as i..., -[GetScreen](/rmm_tools/getscreen),,GetScreen is a remote monitoring and management (RMM) tool. 
More information will be added as it bec..., -[RemotePC](/rmm_tools/remotepc),,RemotePC is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Tanium](/rmm_tools/tanium),,Tanium is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[LabTeach (Connectwise Automate)](/rmm_tools/labteach__connectwise_automate_),,LabTeach (Connectwise Automate) is a remote monitoring and management (RMM) tool. More information w..., -[RemoteView](/rmm_tools/remoteview),,RemoteView is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[UltraVNC](/rmm_tools/ultravnc),,UltraVNC is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[SmarTTY](/rmm_tools/smartty),,SmarTTY is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[Absolute (Computrace)](/rmm_tools/absolute__computrace_),,Absolute (Computrace) is a remote monitoring and management (RMM) tool. More information will be add..., +[TeleDesktop](/rmm_tools/teledesktop),,TeleDesktop is a remote monitoring and management (RMM) tool. More information will be added as it b..., +[Parallels Access](/rmm_tools/parallels_access),,Parallels Access is a remote monitoring and management (RMM) tool. More information will be added as..., +[Basecamp](/rmm_tools/basecamp),,Basecamp is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Weezo](/rmm_tools/weezo),,Weezo is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., +[X2Go](/rmm_tools/x2go),,X2Go is a remote monitoring and management (RMM) tool. More information will be added as it becomes ..., +[Dev Tunnels (aka Visual Studio Dev Tunnel)](/rmm_tools/dev_tunnels__aka_visual_studio_dev_tunnel_),,Dev Tunnels (aka Visual Studio Dev Tunnel) is a remote monitoring and management (RMM) tool. 
More in..., +[Connectwise Automate (LabTech)](/rmm_tools/connectwise_automate__labtech_),,Connectwise Automate (LabTech) is a remote monitoring and management (RMM) tool. More information wi..., +[Splashtop (Beta)](/rmm_tools/splashtop__beta_),,Splashtop (Beta) is a remote monitoring and management (RMM) tool. More information will be added as..., +[Netop](/rmm_tools/netop),,Netop is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., +[Kaseya (VSA)](/rmm_tools/kaseya__vsa_),,Kaseya (VSA) aka Unigma is a remote monitoring and management (RMM) tool. More information will be a...,Nasreddine Bencherchali +[HelpBeam](/rmm_tools/helpbeam),,HelpBeam is a remote monitoring and management (RMM) tool. More information will be added as it beco..., [Quest KACE Agent (formerly Dell KACE)](/rmm_tools/quest_kace_agent__formerly_dell_kace_),,Quest KACE Agent (formerly Dell KACE) is a remote monitoring and management (RMM) tool. More informa..., [DeskShare](/rmm_tools/deskshare),,DeskShare is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[Pocket Cloud (Wyse)](/rmm_tools/pocket_cloud__wyse_),,Pocket Cloud (Wyse) is a remote monitoring and management (RMM) tool. More information will be added..., -[Pilixo](/rmm_tools/pilixo),,Pilixo is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[Mikogo](/rmm_tools/mikogo),,Mikogo is a remote monitoring and management (RMM) tool. More information will be added as it become..., -[WebEx (Remote Access)](/rmm_tools/webex__remote_access_),,WebEx (Remote Access) is a remote monitoring and management (RMM) tool. More information will be add..., -[Koofr](/rmm_tools/koofr),,Koofr is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., -[Duplicati](/rmm_tools/duplicati),,Duplicati is a remote monitoring and management (RMM) tool. 
More information will be added as it bec..., -[ManageEngine RMM Central](/rmm_tools/manageengine_rmm_central),,ManageEngine RMM Central is a remote monitoring and management (RMM) tool. More information will be ..., -[WinSCP](/rmm_tools/winscp),,WinSCP is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[rdpwrap](/rmm_tools/rdpwrap),,rdpwrap is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[Total Software Deployment](/rmm_tools/total_software_deployment),,Total Software Deployment is a remote monitoring and management (RMM) tool. More information will be..., +[PuTTY](/rmm_tools/putty),,PuTTY is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., +[RDPView](/rmm_tools/rdpview),,RDPView is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[Fortra](/rmm_tools/fortra),,Fortra is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[ISL Light](/rmm_tools/isl_light),,ISL Light is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[Pocket Controller (Soti Xsight)](/rmm_tools/pocket_controller__soti_xsight_),,Pocket Controller (Soti Xsight) is a remote monitoring and management (RMM) tool. More information w..., [GatherPlace-desktop sharing](/rmm_tools/gatherplace-desktop_sharing),,GatherPlace-desktop sharing is a remote monitoring and management (RMM) tool. More information will ..., -[Laplink Gold](/rmm_tools/laplink_gold),,Laplink Gold is a remote monitoring and management (RMM) tool. More information will be added as it ..., -[Centurion](/rmm_tools/centurion),,Centurion is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[Ivanti Remote Control](/rmm_tools/ivanti_remote_control),,Ivanti Remote Control is a remote monitoring and management (RMM) tool. 
More information will be add..., -[NordLocker](/rmm_tools/nordlocker),,NordLocker is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[Xeox](/rmm_tools/xeox),,Xeox is a remote monitoring and management (RMM) tool. More information will be added as it becomes ..., -[ezHelp](/rmm_tools/ezhelp),,ezHelp is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[Site24x7](/rmm_tools/site24x7),,Site24x7 is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[MeshCentral](/rmm_tools/meshcentral),,MeshCentral is a remote monitoring and management (RMM) tool. MeshAgent used along with MeshCentral ...,@kostastsale +[MSP360](/rmm_tools/msp360),,MSP360 is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[ScreenConnect](/rmm_tools/screenconnect),,ScreenConnect is a remote monitoring and management (RMM) tool. More information will be added as it...,"Ali Alwashali, Nasreddine Bencherchali" +[Microsoft TSC](/rmm_tools/microsoft_tsc),,Microsoft TSC is a remote monitoring and management (RMM) tool. More information will be added as it..., +[Tanium](/rmm_tools/tanium),,Tanium is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[Ultra VNC](/rmm_tools/ultra_vnc),,Ultra VNC is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[Remote Manipulator System](/rmm_tools/remote_manipulator_system),,Remote Manipulator System is a remote monitoring and management (RMM) tool. More information will be..., +[Domotz](/rmm_tools/domotz),,Domotz is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[FixMe.it](/rmm_tools/fixme.it),,FixMe.it is a remote monitoring and management (RMM) tool. 
More information will be added as it beco..., +[Tanium Deploy](/rmm_tools/tanium_deploy),,Tanium Deploy is a remote monitoring and management (RMM) tool. More information will be added as it..., +[N-ABLE Remote Access Software](/rmm_tools/n-able_remote_access_software),,N-ABLE Remote Access Software is a remote monitoring and management (RMM) tool. More information wil..., +[Quick Assist](/rmm_tools/quick_assist),,Quick Assist is a remote monitoring and management (RMM) tool. More information will be added as it ..., +[AnyViewer](/rmm_tools/anyviewer),,AnyViewer is a remote monitoring and management (RMM) tool. More information will be added as it bec...,@kostastsale +[Naverisk](/rmm_tools/naverisk),,Naverisk is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Addigy](/rmm_tools/addigy),,Addigy is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[Action1](/rmm_tools/action1),,Action1 is a powerful Remote Monitoring and Management(RMM) tool that enables users to execute comma...,@kostastsale +[AliWangWang-remote-control](/rmm_tools/aliwangwang-remote-control),,AliWangWang-remote-control is a remote monitoring and management (RMM) tool. More information will b..., +[FreeRDP](/rmm_tools/freerdp),,FreeRDP is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[MioNet (Also known as WD Anywhere Access)](/rmm_tools/mionet__also_known_as_wd_anywhere_access_),,MioNet (Also known as WD Anywhere Access) is a remote monitoring and management (RMM) tool. More inf..., +[SmartCode Web VNC](/rmm_tools/smartcode_web_vnc),,SmartCode Web VNC is a remote monitoring and management (RMM) tool. More information will be added a..., +[Onionshare](/rmm_tools/onionshare),,Onionshare is a remote monitoring and management (RMM) tool. 
More information will be added as it be..., +[Rocket Remote Desktop](/rmm_tools/rocket_remote_desktop),,Rocket Remote Desktop is a remote monitoring and management (RMM) tool. More information will be add..., +[WebRDP](/rmm_tools/webrdp),,WebRDP is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[BeyondTrust](/rmm_tools/beyondtrust),,BeyondTrust is a remote monitoring and management (RMM) tool. More information will be added as it b..., +[SuperOps](/rmm_tools/superops),,SuperOps is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[RemotePass](/rmm_tools/remotepass),,RemotePass is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[Itarian](/rmm_tools/itarian),,Itarian is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[PSEXEC](/rmm_tools/psexec),,PSEXEC is a remote monitoring and management (RMM) tool. More information will be added as it become..., [Level.io](/rmm_tools/level.io),,Level.io is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[MultCloud](/rmm_tools/multcloud),,MultCloud is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[ezHelp](/rmm_tools/ezhelp),,ezHelp is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[Kabuto](/rmm_tools/kabuto),,Kabuto is a remote monitoring and management (RMM) tool. More information will be added as it become..., [Synergy](/rmm_tools/synergy),,Synergy is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[OptiTune](/rmm_tools/optitune),,OptiTune is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Netop](/rmm_tools/netop),,Netop is a remote monitoring and management (RMM) tool. 
More information will be added as it becomes..., [ConnectWise](/rmm_tools/connectwise),,ConnectWise is a remote monitoring and management (RMM) tool. More information will be added as it b..., -[Encapto](/rmm_tools/encapto),,Encapto is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[Action1](/rmm_tools/action1),,Action1 is a powerful Remote Monitoring and Management(RMM) tool that enables users to execute comma...,@kostastsale -[SuperPuTTY](/rmm_tools/superputty),,SuperPuTTY is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[Royal Apps](/rmm_tools/royal_apps),,Royal Apps is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[Tanium Deploy](/rmm_tools/tanium_deploy),,Tanium Deploy is a remote monitoring and management (RMM) tool. More information will be added as it..., -[Zabbix Agent](/rmm_tools/zabbix_agent),,Zabbix Agent is a remote monitoring and management (RMM) tool. More information will be added as it ..., -[Weezo](/rmm_tools/weezo),,Weezo is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., -[BeInSync](/rmm_tools/beinsync),,BeInSync is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[ScreenMeet](/rmm_tools/screenmeet),,ScreenMeet is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[MyIVO](/rmm_tools/myivo),,MyIVO is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., -[LabTech RMM (Now ConnectWise Automate)](/rmm_tools/labtech_rmm__now_connectwise_automate_),,LabTech RMM (Now ConnectWise Automate) is a remote monitoring and management (RMM) tool. More inform..., -[Kabuto](/rmm_tools/kabuto),,Kabuto is a remote monitoring and management (RMM) tool. 
More information will be added as it become..., -[FreeRDP](/rmm_tools/freerdp),,FreeRDP is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[ZOC](/rmm_tools/zoc),,ZOC is a remote monitoring and management (RMM) tool. More information will be added as it becomes a..., -[AliWangWang-remote-control](/rmm_tools/aliwangwang-remote-control),,AliWangWang-remote-control is a remote monitoring and management (RMM) tool. More information will b..., -[Goverlan](/rmm_tools/goverlan),,Goverlan is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Microsoft Quick Assist](/rmm_tools/microsoft_quick_assist),,Microsoft Quick Assist is a remote monitoring and management (RMM) tool. More information will be ad..., -[N-Able Advanced Monitoring Agent](/rmm_tools/n-able_advanced_monitoring_agent),,N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. More information ..., -[MyGreenPC](/rmm_tools/mygreenpc),,MyGreenPC is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[TigerVNC](/rmm_tools/tigervnc),,TigerVNC is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[GoToMyPC](/rmm_tools/gotomypc),,GoToMyPC is a remote monitoring and management (RMM) tool. More information will be added as it beco...,Nasreddine Bencherchali +[Laplink Everywhere](/rmm_tools/laplink_everywhere),,Laplink Everywhere is a remote monitoring and management (RMM) tool. More information will be added ..., +[Syspectr](/rmm_tools/syspectr),,Syspectr is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Remote Utilities](/rmm_tools/remote_utilities),,Remote Utilities is a remote monitoring and management (RMM) tool. More information will be added as..., +[Remcos](/rmm_tools/remcos),,Remcos is a remote monitoring and management (RMM) tool. 
More information will be added as it become..., +[ISL Online](/rmm_tools/isl_online),,ISL Online is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[DragonDisk](/rmm_tools/dragondisk),,DragonDisk is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[RealVNC](/rmm_tools/realvnc),,RealVNC is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[Supremo](/rmm_tools/supremo),,Supremo is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[GoToAssist Agent Desktop Console](/rmm_tools/gotoassist_agent_desktop_console),,GoToAssist Agent Desktop Console is a remote monitoring and management (RMM) tool. More information ..., +[RemoteView](/rmm_tools/remoteview),,RemoteView is a remote monitoring and management (RMM) tool. More information will be added as it be..., +[VNC Connect](/rmm_tools/vnc_connect),,VNC Connect is a remote monitoring and management (RMM) tool. More information will be added as it b..., [Syncthing](/rmm_tools/syncthing),,Syncthing is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[Chrome Remote Desktop](/rmm_tools/chrome_remote_desktop),,Chrome Remote Desktop is a remote monitoring and management (RMM) tool. More information will be add..., -[Remote Desktop Plus](/rmm_tools/remote_desktop_plus),,Remote Desktop Plus is a remote monitoring and management (RMM) tool. More information will be added..., -[NateOn-desktop sharing](/rmm_tools/nateon-desktop_sharing),,NateOn-desktop sharing is a remote monitoring and management (RMM) tool. More information will be ad..., -[Barracuda](/rmm_tools/barracuda),,Barracuda is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[CrossTec Remote Control](/rmm_tools/crosstec_remote_control),,CrossTec Remote Control is a remote monitoring and management (RMM) tool. 
More information will be a..., -[DeskDay](/rmm_tools/deskday),,DeskDay is a remote monitoring and management (RMM) tool. More information will be added as it becom..., -[mRemoteNG](/rmm_tools/mremoteng),,mRemoteNG is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[FreeNX](/rmm_tools/freenx),,FreeNX is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[KHelpDesk](/rmm_tools/khelpdesk),,KHelpDesk is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[Netop Remote Control (Impero Connect)](/rmm_tools/netop_remote_control__impero_connect_),,Netop Remote Control (Impero Connect) is a remote monitoring and management (RMM) tool. More informa..., +[Bitvise SSH Server](/rmm_tools/bitvise_ssh_server),,Bitvise SSH Server is a remote monitoring and management (RMM) tool. More information will be added ..., +[Apple Remote Desktop](/rmm_tools/apple_remote_desktop),,Apple Remote Desktop is a remote monitoring and management (RMM) tool. More information will be adde..., +[Chrome SSH Extension](/rmm_tools/chrome_ssh_extension),,Chrome SSH Extension is a remote monitoring and management (RMM) tool. More information will be adde..., [NetSupport Manager](/rmm_tools/netsupport_manager),,NetSupport Manager is a remote monitoring and management (RMM) tool. More information will be added ..., -[rdp2tcp](/rmm_tools/rdp2tcp),,rdp2tcp is a remote monitoring and management (RMM) tool. More information will be added as it becom..., +[ESET Remote Administrator](/rmm_tools/eset_remote_administrator),,ESET Remote Administrator is a remote monitoring and management (RMM) tool. More information will be..., +[Yandex.Disk](/rmm_tools/yandex.disk),,Yandex.Disk is a remote monitoring and management (RMM) tool. 
More information will be added as it b..., +[N-Able Advanced Monitoring Agent](/rmm_tools/n-able_advanced_monitoring_agent),,N-Able Advanced Monitoring Agent is a remote monitoring and management (RMM) tool. More information ..., +[MyIVO](/rmm_tools/myivo),,MyIVO is a remote monitoring and management (RMM) tool. More information will be added as it becomes..., [ITSupport247 (ConnectWise)](/rmm_tools/itsupport247__connectwise_),,ITSupport247 (ConnectWise) is a remote monitoring and management (RMM) tool. More information will b..., -[Pulseway](/rmm_tools/pulseway),,Pulseway is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Naverisk](/rmm_tools/naverisk),,Naverisk is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Total Software Deployment](/rmm_tools/total_software_deployment),,Total Software Deployment is a remote monitoring and management (RMM) tool. More information will be..., -[ISL Online](/rmm_tools/isl_online),,ISL Online is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[NinjaOne (formerly NinjaRMM)](/rmm_tools/ninjaone__formerly_ninjarmm_),,NinjaOne (formerly NinjaRMM) is a remote monitoring and management (RMM) tool. More information will..., -[QQ IM-remote assistance](/rmm_tools/qq_im-remote_assistance),,QQ IM-remote assistance is a remote monitoring and management (RMM) tool. More information will be a..., -[Microsoft RDP](/rmm_tools/microsoft_rdp),,Microsoft RDP is a remote monitoring and management (RMM) tool. More information will be added as it..., -[RuDesktop](/rmm_tools/rudesktop),,RuDesktop is a remote monitoring and management (RMM) tool. More information will be added as it bec..., -[BeyondTrust (Bomgar)](/rmm_tools/beyondtrust__bomgar_),,BeyondTrust (Bomgar) is a remote monitoring and management (RMM) tool. 
More information will be adde..., -[TightVNC](/rmm_tools/tightvnc),,TightVNC is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[MeshCentral](/rmm_tools/meshcentral),,MeshCentral is a remote monitoring and management (RMM) tool. MeshAgent used along with MeshCentral ...,@kostastsale -[Dev Tunnels (aka Visual Studio Dev Tunnel)](/rmm_tools/dev_tunnels__aka_visual_studio_dev_tunnel_),,Dev Tunnels (aka Visual Studio Dev Tunnel) is a remote monitoring and management (RMM) tool. More in..., -[CarotDAV](/rmm_tools/carotdav),,CarotDAV is a remote monitoring and management (RMM) tool. More information will be added as it beco..., -[Bitvise SSH Server](/rmm_tools/bitvise_ssh_server),,Bitvise SSH Server is a remote monitoring and management (RMM) tool. More information will be added ..., -[Pandora RC (eHorus)](/rmm_tools/pandora_rc__ehorus_),,Pandora RC (eHorus) is a remote monitoring and management (RMM) tool. More information will be added..., -[DW Service](/rmm_tools/dw_service),,DW Service is a remote monitoring and management (RMM) tool. More information will be added as it be..., -[Iperius Remote](/rmm_tools/iperius_remote),,Iperius Remote is a remote monitoring and management (RMM) tool. More information will be added as i..., +[VNC](/rmm_tools/vnc),,VNC is a remote monitoring and management (RMM) tool. More information will be added as it becomes a..., +[ServerEye](/rmm_tools/servereye),,ServerEye is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[Rapid7](/rmm_tools/rapid7),,Rapid7 is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[GoToAssist (GoTo Resolve)](/rmm_tools/gotoassist__goto_resolve_),,GoToAssist (GoTo Resolve) is a remote monitoring and management (RMM) tool. More information will be..., +[GetScreen](/rmm_tools/getscreen),,GetScreen is a remote monitoring and management (RMM) tool. 
More information will be added as it bec..., +[MobaXterm](/rmm_tools/mobaxterm),,MobaXterm is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[CrossTec Remote Control](/rmm_tools/crosstec_remote_control),,CrossTec Remote Control is a remote monitoring and management (RMM) tool. More information will be a..., +[Absolute (Computrace)](/rmm_tools/absolute__computrace_),,Absolute (Computrace) is a remote monitoring and management (RMM) tool. More information will be add..., +[Xshell](/rmm_tools/xshell),,Xshell is a remote monitoring and management (RMM) tool. More information will be added as it become..., +[MyGreenPC](/rmm_tools/mygreenpc),,MyGreenPC is a remote monitoring and management (RMM) tool. More information will be added as it bec..., +[Level.io](/rmm_tools/level.io),,Level.io is a remote monitoring and management (RMM) tool. More information will be added as it beco..., +[Microsoft Quick Assist](/rmm_tools/microsoft_quick_assist),,Microsoft Quick Assist is a remote monitoring and management (RMM) tool. More information will be ad..., +[Manage Engine (Desktop Central)](/rmm_tools/manage_engine__desktop_central_),,Manage Engine (Desktop Central) is a remote monitoring and management (RMM) tool. More information w..., From cc9b51e7c479baf3a60da0132d5827c9ca3ab399 Mon Sep 17 00:00:00 2001 From: Aaron Date: Wed, 6 Nov 2024 05:36:02 -0600 Subject: [PATCH 4/6] updated application events for screenconnect --- yaml/screenconnect.yaml | 26 ++++++++++++++++++-------- 1 file changed, 18 insertions(+), 8 deletions(-) diff --git a/yaml/screenconnect.yaml b/yaml/screenconnect.yaml index a846aadf..ad58d6bc 100644 --- a/yaml/screenconnect.yaml +++ b/yaml/screenconnect.yaml 
@@ -57,16 +57,26 @@ Artifacts:
 Description: ScreenConnect client user configuration
 OS: Windows
 EventLog:
- - EventID: 7045
- ProviderName: ["ScreenConnect", "ScreenConnect Client ()"]
- LogFile: Application.evtx
- ServiceName: ScreenConnect Client ()
- Description: Service installation event as a result of ScreenConnect installation.
 - EventID: 20
- ProviderName: ["ScreenConnect", "ScreenConnect Client ()"]
+ ProviderName: ["ScreenConnect", "ScreenConnect Client ()"]
+ LogFile: Application.evtx
+ ServiceName: ScreenConnect Client ()
+ Description: Logs network information (e.g. connection created successfully, connection attempt failed)
+ - EventID: 100
+ ProviderName: ["ScreenConnect", "ScreenConnect Client ()"]
+ LogFile: Application.evtx
+ ServiceName: ScreenConnect Client ()
+ Description: User connected
+ - EventID: 101
+ ProviderName: ["ScreenConnect", "ScreenConnect Client ()"]
+ LogFile: Application.evtx
+ ServiceName: ScreenConnect Client ()
+ Description: User disconnected
+ - EventID: 200
+ ProviderName: ["ScreenConnect", "ScreenConnect Client ()"]
 LogFile: Application.evtx
- ServiceName: ScreenConnect Client ()
- Description: Logs events such as successful or failed connections, and user logins.
+ ServiceName: ScreenConnect Client ()
+ Description: Executed command on host
 Registry: []
 Network:
 - Description: Known remote domains
From 1a0ec3f81ddcad485cde5b4e11ae01e716a694ab Mon Sep 17 00:00:00 2001
From: acgabbert <55032726+acgabbert@users.noreply.github.com>
Date: Sat, 9 Nov 2024 19:57:18 -0600
Subject: [PATCH 5/6] updated to single provider name for validation
---
 yaml/screenconnect.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/yaml/screenconnect.yaml b/yaml/screenconnect.yaml
index ad58d6bc..ea8f7a60 100644
--- a/yaml/screenconnect.yaml
+++ b/yaml/screenconnect.yaml
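Review bot: Removing the EventID 7045 entry leaves the EventLog list with no service-installation indicator, while the four entries that remain all describe activity after the client is already running. The old entry was mis-filed rather than wrong in substance: 7045 is written by the Service Control Manager to the System log, not to Application.evtx under a ScreenConnect provider, which is presumably why it fell outside this commit's "application events" scope. If the schema allows a second log file, consider re-adding it as `- EventID: 7045`, `ProviderName: Service Control Manager`, `LogFile: System.evtx` with `ServiceName: ScreenConnect Client ()` so the install-time artifact is kept. The `ProviderName` lists on the added entries also still carry the literal `ScreenConnect Client ()` with empty parentheses; the `ScreenConnect Client (Random)` installation path elsewhere in this file suggests the parentheses hold a per-deployment value, so a comment stating that the empty parentheses are a placeholder would stop readers matching on the literal string.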
@@ -58,22 +58,22 @@ Artifacts:
 OS: Windows
 EventLog:
 - EventID: 20
- ProviderName: ["ScreenConnect", "ScreenConnect Client ()"]
+ ProviderName: ScreenConnect
 LogFile: Application.evtx
 ServiceName: ScreenConnect Client ()
 Description: Logs network information (e.g. connection created successfully, connection attempt failed)
 - EventID: 100
- ProviderName: ["ScreenConnect", "ScreenConnect Client ()"]
+ ProviderName: ScreenConnect
 LogFile: Application.evtx
 ServiceName: ScreenConnect Client ()
 Description: User connected
 - EventID: 101
- ProviderName: ["ScreenConnect", "ScreenConnect Client ()"]
+ ProviderName: ScreenConnect
 LogFile: Application.evtx
 ServiceName: ScreenConnect Client ()
 Description: User disconnected
 - EventID: 200
- ProviderName: ["ScreenConnect", "ScreenConnect Client ()"]
+ ProviderName: ScreenConnect
 LogFile: Application.evtx
 ServiceName: ScreenConnect Client ()
 Description: Executed command on host
From e9e9d287bcf768450b8f38e3f158ca6753cdb541 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Sat, 16 Nov 2024 01:04:22 +0100
Subject: [PATCH 6/6] Update screenconnect.yaml
---
 yaml/screenconnect.yaml | 16 +++++-----------
 1 file changed, 5 insertions(+), 11 deletions(-)
diff --git a/yaml/screenconnect.yaml b/yaml/screenconnect.yaml
index ea8f7a60..cbeb7329 100644
--- a/yaml/screenconnect.yaml
+++ b/yaml/screenconnect.yaml
@@ -3,7 +3,7 @@ Description: ScreenConnect is a remote monitoring and management (RMM) tool. Mor
 information will be added as it becomes available.
 Author: Ali Alwashali, Nasreddine Bencherchali
 Created: '2023-10-01'
-LastModified: '2024-10-08'
+LastModified: '2024-11-16'
 Details:
 Website: https://www.connectwise.com
 PEMetadata:
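Review bot: Collapsing `ProviderName` to the single value `ScreenConnect` on all four entries silently drops the `ScreenConnect Client ()` alternative, and nothing on the page establishes whether real events carry the short provider name or the instance-suffixed one, so a consumer matching the field literally may now miss events the previous list would have covered. If the change is only to satisfy the schema validator, a comment next to the first entry such as `# Provider may also appear as "ScreenConnect Client (<instance>)"; match on prefix` would keep the information the list encoded. The `ServiceName: ScreenConnect Client ()` values likewise still use empty parentheses, which the `(Random)` installation path elsewhere in this file suggests stands for a per-deployment identifier, so a literal comparison on that field would not match a real host either.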
@@ -33,9 +33,7 @@ Details:
 InstallationPaths:
 - C:\Program Files (x86)\ScreenConnect Client (Random)\ScreenConnect.ClientService.exe
 - Remote Workforce Client.exe
- - '*\*\ScreenConnect.ClientService.exe'
 - C:\Program Files (x86)\ScreenConnect Client ()\*
- - '*\ScreenConnect Client*\*'
 - '*\*\ScreenConnect.WindowsClient.exe'
 - screenconnect*.exe
 - screenconnect.windowsclient.exe
@@ -60,23 +58,19 @@ Artifacts:
 - EventID: 20
 ProviderName: ScreenConnect
 LogFile: Application.evtx
- ServiceName: ScreenConnect Client ()
- Description: Logs network information (e.g. connection created successfully, connection attempt failed)
+ Data: Logs network information (e.g. connection created successfully, connection attempt failed)
 - EventID: 100
 ProviderName: ScreenConnect
 LogFile: Application.evtx
- ServiceName: ScreenConnect Client ()
- Description: User connected
+ Data: User connected
 - EventID: 101
 ProviderName: ScreenConnect
 LogFile: Application.evtx
- ServiceName: ScreenConnect Client ()
- Description: User disconnected
+ Data: User disconnected
 - EventID: 200
 ProviderName: ScreenConnect
 LogFile: Application.evtx
- ServiceName: ScreenConnect Client ()
- Description: Executed command on host
+ Data: Executed command on host
 Registry: []
 Network:
 - Description: Known remote domains
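Review bot: The new `Data` field is used inconsistently across the four EventLog entries in the second hunk: for EventID 20 it holds descriptive prose, `Logs network information (e.g. connection created successfully, connection attempt failed)`, which cannot be a literal event string and will not help anyone matching on the field, while `User connected`, `User disconnected` and `Executed command on host` read as message text. If `Data` is meant to carry the event's message, the EventID 20 entry should be split into one entry per observed message (or its prose moved to a description field); if it is meant as a description, the rename is at odds with the `Description:` key the Network artifact still uses a few lines below. Dropping `ServiceName` also removes the only field that named the emitting service, so a comment on the first entry such as `# Emitting service appears as "ScreenConnect Client (<instance>)"` would preserve that context without fighting the validator.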