From 09785b3538d09935851530a10914ab2e10c82525 Mon Sep 17 00:00:00 2001
From: Marco Pedrinazzi
Date: Tue, 8 Oct 2024 16:13:12 +0200
Subject: [PATCH 1/6] carotdav network sigma
---
 detections/sigma/carotdav_network_sigma.yml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 detections/sigma/carotdav_network_sigma.yml
diff --git a/detections/sigma/carotdav_network_sigma.yml b/detections/sigma/carotdav_network_sigma.yml
new file mode 100644
index 00000000..6bb6ed5e
--- /dev/null
+++ b/detections/sigma/carotdav_network_sigma.yml
@@ -0,0 +1,20 @@
+title: Potential CarotDAV RMM Tool Network Activity
+logsource:
+ product: windows
+ category: network_connection
+detection:
+ selection:
+ DestinationHostname|endswith:
+ - rei.to
+ condition: selection
+id: 091936db-4ea7-4f85-b97b-513e65820630
+status: experimental
+description: Detects potential network activity of CartotDAV RMM tool
+author: Marco Pedrinazzi (@pedrinazziM)
+date: 2024/10/08
+tags:
+- attack.execution
+- attack.t1219
+falsepositives:
+- Legitimate use of CarotDAV
+level: medium
\ No newline at end of file
From 5a432418037d2ea6094786c97e4e4a1d050dd9d8 Mon Sep 17 00:00:00 2001
From: Marco Pedrinazzi
Date: Tue, 8 Oct 2024 16:16:03 +0200
Subject: [PATCH 2/6] Update carotdav.yaml
---
 yaml/carotdav.yaml | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/yaml/carotdav.yaml b/yaml/carotdav.yaml
index e98fbb8e..16df0e8c 100644
--- a/yaml/carotdav.yaml
+++ b/yaml/carotdav.yaml
@@ -3,7 +3,7 @@ Description: CarotDAV is a remote monitoring and management (RMM) tool. More inf
 will be added as it becomes available.
 Author: ''
 Created: ''
-LastModified: ''
+LastModified: 10/08/2024
 Details:
 Website: ''
 PEMetadata:
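Review bot: The new rule tags T1219 with `attack.execution`, but Remote Access Software (T1219) sits under the Command and Control tactic, so the tactic tag should be `attack.command_and_control`. The selection `DestinationHostname|endswith: rei.to` has no leading dot, so any hostname that merely ends in those six characters also matches; the usual shape is one selection for the exact apex and one for the `.rei.to` suffix, OR-ed in the condition, as sketched below. Two smaller points in the same hunk: `description` misspells the tool as `CartotDAV`, and `date: 2024/10/08` uses the legacy slash format where the Sigma specification v2 expects `2024-10-08`. This file is deleted again in PATCH 4/6 of this series, so these apply only if the rule is reinstated.
```yaml
detection:
  selection_apex:
    DestinationHostname: 'rei.to'
  selection_sub:
    DestinationHostname|endswith: '.rei.to'
  condition: 1 of selection_*
# … unchanged: title, logsource, id, status, description, author, date, tags, falsepositives, level …
```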
@@ -24,9 +24,15 @@ Artifacts:
 Disk: []
 EventLog: []
 Registry: []
- Network: []
+ Network:
+ - Description: Known remote domains
+ Domains:
+ - rei.to
 Detections:
 - Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/carotdav_processes_sigma.yml
 Description: Detects potential processes activity of CarotDAV RMM tool
-References: []
+- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/carotdav_network_sigma.yml
+ Description: Detects potential network activity of CarotDAV RMM tool
+References:
+- http://rei.to/carotdav_en.html
 Acknowledgement: []
From 43a006fe654910cd1790ea4252a1c884bb0a6c65 Mon Sep 17 00:00:00 2001
From: Marco Pedrinazzi
Date: Tue, 8 Oct 2024 16:20:45 +0200
Subject: [PATCH 3/6] Update carotdav.yaml with port
---
 yaml/carotdav.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/yaml/carotdav.yaml b/yaml/carotdav.yaml
index 16df0e8c..dd667c78 100644
--- a/yaml/carotdav.yaml
+++ b/yaml/carotdav.yaml
@@ -28,6 +28,8 @@ Artifacts:
 - Description: Known remote domains
 Domains:
 - rei.to
+ Ports:
+ - 80
 Detections:
 - Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/carotdav_processes_sigma.yml
 Description: Detects potential processes activity of CarotDAV RMM tool
From eb1c0fab763ba4b58dbde38c21fb25a4bb2a8253 Mon Sep 17 00:00:00 2001
From: Marco Pedrinazzi
Date: Tue, 8 Oct 2024 16:29:16 +0200
Subject: [PATCH 4/6] Delete detections/sigma/carotdav_network_sigma.yml
---
 detections/sigma/carotdav_network_sigma.yml | 20 --------------------
 1 file changed, 20 deletions(-)
 delete mode 100644 detections/sigma/carotdav_network_sigma.yml
diff --git a/detections/sigma/carotdav_network_sigma.yml b/detections/sigma/carotdav_network_sigma.yml
deleted file mode 100644
index 6bb6ed5e..00000000
--- a/detections/sigma/carotdav_network_sigma.yml
+++ /dev/null
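Review bot: The `Network` artifact added at the top of the hunk lists `rei.to` under "Known remote domains", but the `References` line added further down shows the same host is the vendor's product page, so traffic to it indicates a browser visit, download or update check rather than a remote-control session; the `Description` should say so, e.g. `- Description: Vendor website (download/update traffic, not remote-session traffic)`. The file's own header describes CarotDAV as an RMM tool, but as far as I know the product is a WebDAV/FTP file-transfer client, which would be consistent with the whole entry being removed in PATCH 6/6 — worth confirming against the reference before any detection is keyed on this domain. The `LastModified: 10/08/2024` value in the preceding hunk uses a different and ambiguous day/month order from the `2024/10/08` in the Sigma rule of PATCH 1/6; one ISO form such as `2024-10-08` throughout would remove the ambiguity.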
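Review bot: `Ports: - 80` is added under the `rei.to` artifact with no indication of where the value came from; plain HTTP on port 80 is not a discriminating indicator on its own and only carries meaning together with the domain, so the entry should state that, e.g. `- Description: Known remote domains (vendor site, plain HTTP on 80)`, or the port should be left out. The only reference visible in this file is the `http://` URL, so if the port was inferred from the URL scheme rather than from observed traffic that should be noted, since the site may equally answer on 443 and a consumer of this entry would otherwise under-match. Anyone using the entry to vet an installer should also be aware that a download over plain HTTP is not integrity-protected in transit.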
@@ -1,20 +0,0 @@
-title: Potential CarotDAV RMM Tool Network Activity
-logsource:
- product: windows
- category: network_connection
-detection:
- selection:
- DestinationHostname|endswith:
- - rei.to
- condition: selection
-id: 091936db-4ea7-4f85-b97b-513e65820630
-status: experimental
-description: Detects potential network activity of CartotDAV RMM tool
-author: Marco Pedrinazzi (@pedrinazziM)
-date: 2024/10/08
-tags:
-- attack.execution
-- attack.t1219
-falsepositives:
-- Legitimate use of CarotDAV
-level: medium
\ No newline at end of file
From 71e8c684eb644fc192ec8078170b823caea06185 Mon Sep 17 00:00:00 2001
From: Marco Pedrinazzi
Date: Tue, 8 Oct 2024 16:29:46 +0200
Subject: [PATCH 5/6] Update carotdav.yaml
---
 yaml/carotdav.yaml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/yaml/carotdav.yaml b/yaml/carotdav.yaml
index dd667c78..fa2b3c93 100644
--- a/yaml/carotdav.yaml
+++ b/yaml/carotdav.yaml
@@ -33,8 +33,6 @@ Artifacts:
 Detections:
 - Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/carotdav_processes_sigma.yml
 Description: Detects potential processes activity of CarotDAV RMM tool
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/carotdav_network_sigma.yml
- Description: Detects potential network activity of CarotDAV RMM tool
 References:
 - http://rei.to/carotdav_en.html
 Acknowledgement: []
From 6e548f7b88be22356268620c976d55082e01ae87 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Sat, 16 Nov 2024 00:56:06 +0100
Subject: [PATCH 6/6] Delete yaml/carotdav.yaml
---
 yaml/carotdav.yaml | 38 --------------------------------------
 1 file changed, 38 deletions(-)
 delete mode 100644 yaml/carotdav.yaml
diff --git a/yaml/carotdav.yaml b/yaml/carotdav.yaml
deleted file mode 100644
index fa2b3c93..00000000
--- a/yaml/carotdav.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-Name: CarotDAV
-Description: CarotDAV is a remote monitoring and management (RMM) tool. More information
- will be added as it becomes available.
-Author: ''
-Created: ''
-LastModified: 10/08/2024
-Details:
- Website: ''
- PEMetadata:
- Filename: ''
- OriginalFileName: ''
- Description: ''
- Privileges: ''
- Free: ''
- Verification: ''
- SupportedOS: []
- Capabilities: []
- Vulnerabilities: []
- InstallationPaths:
- - C:\Program Files (x86)\Rei Software\CarotDAV\*
- - '*\Rei Software\CarotDAV\*'
- - '*\CarotDAV.exe'
-Artifacts:
- Disk: []
- EventLog: []
- Registry: []
- Network:
- - Description: Known remote domains
- Domains:
- - rei.to
- Ports:
- - 80
-Detections:
-- Sigma: https://github.com/magicsword-io/LOLRMM/blob/main/detections/sigma/carotdav_processes_sigma.yml
- Description: Detects potential processes activity of CarotDAV RMM tool
-References:
-- http://rei.to/carotdav_en.html
-Acknowledgement: []